If an anti-spyware program doesn’t work, is there an alternative?

The usual recommendation for removing spyware on Microsoft Windows is to update all the anti-spyware and anti-virus programs first, then disable system restore and reboot into safe mode.

# To disable system restore, right-click My Computer and click on Properties. This should open up the System Properties window. Click on the System Restore tab, and check the Turn off system restore on all drives checkbox. Click on OK and you may be presented with a message box asking if you wish to restart your computer to apply the changes. Save any changes you have made in other programs, then click Yes or Restart Now.

# Once your computer starts to reboot, start pressing the F8 key (about twice per second) until the Boot Options screen is displayed. Use the arrow keys on the keyboard to highlight Boot to safe mode and press the Enter/Return key.

Once in safe mode, run the programs one at a time, and delete/quarantine any detections. The majority of anti-spyware programs back up the objects they delete (usually by encrypting them) in case they are a false positive (the program detected something which in fact did not need to be deleted).

After running all the programs, restart the computer normally (from the shutdown menu). It should automatically boot back into normal mode. Log in and check that the existing problems are no longer present. Occasionally the anti-spyware programs are unable to detect or delete some spyware. In this case there are some anti-spyware forums with people that specialize in spyware removal. Experts in spyware removal forums normally ask for a HijackThis log. HijackThis is a program that displays all the settings that spyware and hijackers (software that “hijacks” the internet browser, usually changing its homepage and preventing it from being changed back) commonly modify, and is also able to save these settings into a log file that can be uploaded or pasted to a website or forum.


Tips to protect you from identity theft

While it is not possible to eliminate the risk of identity theft completely, measures can be taken to reduce the chances of your personal information falling into wrong hands. Here are some simple, but highly effective tips to protect yourself from identity theft:

# Don’t carry your Social Security card in your wallet or write your Social Security number on a check.

# Never provide your Social Security number to anyone unless required by law.

# Share personal information only if you initiated contact.

# Always confirm that you are dealing with a legitimate organization.

# Beware of mail or telephone solicitations that offer prizes or awards.

# Avoid “phishing” scams, in which criminals send email, text, or pop-up messages that appear to come from a government agency, or organization with which you do business.

# Select intricate passwords. Place passwords on your credit card, bank, and phone accounts.

# Change your passwords regularly, at a minimum, every 90 days.

# Keep your security software active and current.

# Keep your operating system and Web browser up-to-date.

# Report lost or stolen credit cards immediately.

# Teach your child not to give out personal information to strangers or online.

If you have any problem, always contact the authorities for help.


Microsoft clears 1 million PCs of fake anti-spyware

Following the latest update to its Malicious Software Removal Tool (MSRT) on 11th November, in just 10 days Microsoft has cleared almost 1 million PCs of “scareware”. Scareware programs and websites produce phony warnings saying that the user’s PC has been scanned and is infected; they are aimed at inducing users to purchase fake anti-spyware and anti-virus products.

Such programs usually do not actually do any scanning or removal at all; on installation, they just report successful disinfection of the PC – even if it is actually riddled with malware. The software is cheap to develop, as it doesn’t actually do anything apart from display a few pre-programmed messages. Worse still, several of these dummy programs actually carry a payload of real malware to infect the gullible users’ computers, meaning that they earn money for their promoters. This dishonest but lucrative “business model” has led to a large wave of such schemes.

According to Microsoft’s figures, Americans are particularly susceptible to such scare tactics. 550,000 of the deleted scareware installations were on US computers. This was followed by the United Kingdom with 74,343, France with 47,581 and Germany with 43,347.

The most recent MSRT update for the first time included signatures for the scareware family FakeSecScan, which markets itself to users under such enticing names as Vista Antivirus 2008, Ultimate Antivirus 2008, Windows Antivirus 2008 and XPert Antivirus. Microsoft has launched legal actions in the US against scareware producers.

VIA: HEISE.DE

More information on MSRT

The Microsoft Windows Malicious Software Removal Tool checks computers running Windows Vista, Windows XP, Windows 2000, and Windows Server 2003 for infections by specific, prevalent malicious software—including Blaster, Sasser, and Mydoom—and helps remove any infection found. When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed.

Microsoft releases an updated version of this tool on the second Tuesday of each month, and as needed to respond to security incidents. The tool is available from Microsoft Update, Windows Update and the Microsoft Download Center.

Note: The version of the tool delivered by Microsoft Update and Windows Update runs in the background and then reports if an infection is found. If you would like to run this tool more than once a month, use the version on this Web page or install the version that is available in the Download Center.

Because computers can appear to function normally when infected, Microsoft advises you to run this tool even if your computer seems to be fine. You should also use up-to-date antivirus software to help protect your computer from other malicious software.

To download the latest version of this tool, please visit the Microsoft Download Center.


Free Anti-spyware tools

There are some spyware removers that are absolutely free to download. Quite a few of these tools perform as well as, and often even better than, many of the paid ones. Why choose a paid version when you can find the same protection for free? If you want to download free spyware removal programs, search in MSN Live for keywords like “free spyware removal tools”, or something similar, and you can find a good number of tools. Nonetheless, take care before downloading spyware scanners, as there are a large number of malicious spyware removal tools.

Caution! Many “rogue” spyware removal tools are themselves spyware or viruses. For this reason, always install spyware removers from reputable repositories like Download.com. These sites provide software only after a complete analysis. In addition to this, they also offer user opinions which help give you a better idea about the software application you want to download and install.

When you download any software from websites, scan it with antivirus software before opening it. Most questionable spyware scanners can be discovered by scanning with anti-virus scanners. This will stop fake anti-spyware tools from getting installed on your PC. Sometimes you may also see pop-up advertisements or fake system dialog boxes saying “WARNING! Your computer is infected! Buy [some software] to remove it!”. Often these are rogue spyware removal programs that infect your computer with trojans and spyware if you install them.

One popular free spyware remover is Microsoft Windows Defender. It is included by default in the latest OS (Vista) but is also available as a free download for XP. You should have a genuine Windows OS to download and use it. It helps protect your computer from popups, slow system performance, and security issues caused by spyware and adware by detecting and removing known malicious programs from your system in real time.

Another popular spyware scanner is the free version of Ad-Aware. This edition is free for personal use only and should not be used for for-profit purposes. The latest edition has many new additions, such as advanced malware detection for spyware, adware, trojans and browser hijackers, fraud tools and fake applications, and keyloggers, as well as an improved rootkit removal system. It is also very light on memory usage.

* For more information check out the free spyware removal web site.


Advanced Call Recorder

Advanced Call Recorder is software that can be used to record phone calls. It stores calls as standard Windows sound files. If this software is installed on a user’s computer without his/her knowledge, it can be used to spy on the activities of that user. For this reason, most security software detects this program as a potential security threat.

Files related to Advanced Call Recorder

  • acr.exe
  • acr_hook.dll
  • unins000.exe

Registry Keys

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Call Recorder_is1


Apple iPhone and Spyware


Despite several claims of security vulnerabilities in the Apple iPhone, to date no serious virus programs or spyware have been written for the iPhone. In November 2007, F-Secure predicted that “It’s 80-90% likely that we will see malware targeting the iPhone”. However, about 1 year has passed since that prediction and we are yet to witness a serious virus or spyware that is targeted at the iPhone.

This said, a Trojan horse targeting the iPhone has been discovered. This program targets “jailbroken” iPhones (which have been modified to allow the installation of third-party applications). It causes little harm - it simply prints the word “shoes” to the screen. However, uninstalling it removes certain files from the iPhone’s /bin directory, making it impossible for various applications to function correctly.

More information on this iPhone trojan is available here: www.macworld.co.uk/


MPack Malware Kit

MPack is a PHP-based malware kit developed by Russian malware writers. It was first released in December 2006. New versions are released roughly every month. Security analysts estimate that it might have been used to infect up to 160,000 PCs with keylogging software. In August 2007 it was believed to have been used in an attack on the web site of the Bank of India which originated from the Russian Business Network.

Unusually for such kits, MPack is sold as commercial software (costing $500 to $1,000 US), and is provided by its developers with technical support and regular updates of the software vulnerabilities it exploits. Modules are sold by the developers containing new exploits. These cost between $50 and $150 US depending on how severe the exploit is. The developers also charge to make the scripts and executables undetectable by antivirus software.

The server-side software in the kit is able to customize attacks to a variety of web browsers including Microsoft Internet Explorer, Mozilla Firefox and Opera. MPack generally works by being loaded in an IFrame attached to the bottom of a hacked website. When a user visits the page, MPack sends a script that loads in the IFrame and determines if any vulnerabilities in the browser or operating system can be exploited. If it finds any, it will exploit them and store various statistics for future reference.

Included with the server is a management console, which allows the attacker deploying the software to view statistics about the computers that have been infected, including what web browsers they were using and what countries their connections originated from.

Experts at Spy-Ops have estimated that the market for hacker toolkits such as MPack has exploded into hundreds of millions of US dollars annually. Malware packing kits are now being hosted in China and Taiwan.
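
A site owner can check served pages for the kind of injected IFrame described above: one that loads from another host and is sized or styled so that visitors never see it. This is an added example, not code from the original post; the function names, sample page and host names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY_CSS = re.compile(r"(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)
TINY_ATTR = {"0", "1", "0px", "1px"}

class IframeAudit(HTMLParser):
    """Collect IFrames that load from another host and are invisible."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (line number, src) pairs

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        src, style = a.get("src", ""), a.get("style", "")
        host = (urlparse(src).hostname or "").lower()
        off_site = bool(host) and host != self.site_host
        tiny = (a.get("width", "").lower() in TINY_ATTR
                or a.get("height", "").lower() in TINY_ATTR
                or TINY_CSS.search(style))
        if off_site and (tiny or HIDDEN.search(style)):
            self.findings.append((self.getpos()[0], src))

def audit_page(html, site_host):
    """Return hidden off-site IFrames found in one page of markup."""
    parser = IframeAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a legitimate page with an extra IFrame appended at the bottom.
SAMPLE = """<html><body>
<h1>Branch locator</h1>
<iframe src="/maps/embed.html" width="600" height="400"></iframe>
<iframe src="https://video.example.net/player" width="560" height="315"></iframe>
</body></html>
<iframe src="http://203.0.113.7/landing" width="1" height="1" style="visibility:hidden"></iframe>
"""

if __name__ == "__main__":
    for line, src in audit_page(SAMPLE, "www.example.org"):
        print(f"line {line}: hidden off-site IFrame -> {src}")
```

This is a static heuristic over the served markup, so it does not see IFrames that a script writes into the page at load time.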


3D Flying Icons

3D Flying Icons is an adware bundler application. An adware bundler is a downloadable program that is typically “freeware” because it is bundled with advertising software. These adware programs display popups and other forms of advertisements and generate revenue to compensate for the “free” nature of these applications.

Files related to 3D Flying Icons:

  • 3D Flying Icons.scr

Related Registry keys:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\3D Desktop\3D Flying Icons Screensaver
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{58EFBCA1-A637-4438-966A-C5E65F7B69F6}_is1

If you have installed this program, we recommend that you scan your system with SpywareTerminator or a similar spyware removal tool. More information on SpywareTerminator.


Spyware: CodeClean

CodeClean is a fake spyware-removal tool. It is marketed by a Korea-based company. CodeClean produces false or exaggerated reports of system errors. This is a scare tactic designed to force users into buying the full version of the software.

Files related to CodeClean:

  • CCDTB.exe
  • CCExp.dll
  • CCIntro.exe
  • CCSkin.dll
  • CodeClean.exe

Websites related to CodeClean:

  • hxxp://www.codeclean.co.kr


Spyware or Adware infested P2P clients

There are many good peer-to-peer clients on the Internet. Many of these are free and many of them are also open source projects. However, there are certain p2p clients that contain adware or spyware. These clients should be avoided if you want to keep your system clean.

Here is a list of p2p clients that contain spyware or adware:

  • Ares Lite [Spyware]
  • Bearshare [Adware]
  • Bearshare Lite [Adware/Spyware]
  • BitTorrent Ultra [Spyware]
  • Blubster [Adware]
  • eDonkey/Overnet [Adware/Spyware]
  • Exeem [Adware/Spyware]
  • Grokster [Adware/Spyware]
  • Kazaa [Adware/Spyware]
  • Imesh [Adware/Spyware]
  • MediaSeek [Adware/Spyware]
  • Morpheus [Adware/Spyware]
  • Piolet [Adware, but not bundled]
  • RockItNet [Adware/Spyware]
  • Warez [Adware/Spyware]

More information on p2p clients and spyware
