PC Cruiser - Articles

Spyware articles: Spyware Removal, Alexa, Aureate / Radiate, BHO - Browser Helper Objects, Comet.dll, Dssagent.exe, Gohip.com, Information, Kazaa, Morpheus, Msipcsv.exe, NewDotNet, SaveNow, SmitFraud, Win32.DlDer, Webhancer, WNAD

SPYWARE: Removal Procedure

    PC Cruiser - Spyware Removal Procedure for Windows

         This procedure is recommended for people who have an advanced knowledge of computers. You must be familiar with the major computer hardware manufacturers and software vendors and the names of their products and drivers, and understand how the Windows registry works. Before you begin, you should check the following things on the computer in question:
    • Determine if you have access to your Task Manager
      To see if it works press Ctrl-Alt-Del. If it opens a window then you know it works and you can now close it.

    • Make sure you have a Run command in your Windows Start Menu
      Note: Windows Vista's Run command has been combined with the Search box. So if you're instructed to execute a Start-Run command, just type whatever you're told into the search field and press Enter.

    • Determine if you have access to your Registry Editor
      Using the Start-Run command type (without quotes): "regedit" and press enter or click ok. If it opens a window then you know it works and you can now close it.

    You should also know how to boot your computer into "Safe Mode"
    • Whatever the Microsoft-based operating system, pressing the F8 key, about once a second, after you hear a single beep when the computer is restarting or just after it is turned on will get you into "Safe Mode". Only a few computers will have the BIOS configured to bring up a Boot-Selection menu if you're pressing F8 at startup. If it does, just select the main hard drive from the list and then immediately begin pressing F8 again.
    • When it brings up a white menu on black background you will be able to use the arrow keys to choose the different options, and when you have selected "Safe Mode" press Enter.
    • If you see a logon screen, then enter the username and password for the main user of the computer (not the Administrator account).
    You may also need to know how to boot your computer into "Safe Mode with Command Prompt"
    This is the same as "Safe Mode" except at the white menu select "Safe Mode with Command Prompt" instead.

    If your Task Manager works, you have a Run command in your Windows Start Menu and you can open the Registry Editor, then you can skip ahead to the section Set system to show hidden files and folders.
    1. If your Task Manager doesn't open
      If you get the error message: task manager has been disabled by your administrator:
      Reboot your system into "Safe Mode with Command Prompt"
      After you get the window with the old-fashioned DOS-style C:\...> prompt
      Type (without quotes):
      "REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f" and press enter to execute the command.
      Now type (without quotes):
      "REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Start_ShowRun /t REG_DWORD /d 0 /f" and press enter to execute the command.
      Finally type (without quotes):
      "REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f" and press enter to execute the command.
      Now reboot the computer.

    2. If you do not have access to your Registry Editor
      If you get the error message: registry editing has been disabled by your administrator:
      Open Start-Run and type (without quotes):
      "REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f" and press enter or click ok

    3. If you had to perform any of the above actions to re-enable the Task manager or Registry Editor
      It is very likely that there are many other options that have also been disabled.
      Note: The following requires that you are familiar with editing your computer's registry, and the consequences if any mistakes are made during such modifications to your system.
      Open the Registry Editor and navigate to modify the following keys:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
      This key should be empty (except for maybe an empty run subkey). Delete all other entries:
      Start_ShowRun, NoStartMenuMFUprogramsList, NoStartMenuPinnedList, NoStartMenuSubFolders, NoCommonGroups, NoSMMyPictures, NoStartMenuMyMusic, NoSMMyDocs, NoDesktop, NoActiveDesktop, NoViewOnDrive all should be set to zero or deleted.
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      This key should only have a TaskbarSizeMove key (and a Folder subkey). Delete the following entry:
      Start_ShowRun should be set to zero or deleted.
      HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
      The Start Page key may have been altered.
      The Window title key may have been altered.
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer
      NoViewContextMenu should be set to zero or deleted.
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
      Only the NoDriveTypeAutoRun should appear in this key. Delete all others:
      NoStartMenuPinnedList, NoStartMenuMFUprogramsList, NoStartMenuSubFolders, NoCommonGroups, NoSMMyPictures, NoStartMenuMyMusic, NoSMMyDocs, NoDesktop, NoActiveDesktop, NoViewOnDrive, NoControlPanel, NoDrives, NoRun, NoFind, NoFavoritesMenu, NoRecentDocsMenu, NoLogOff, NoClose, NoSaveSettings, NoUserNameInStartMenu, NoToolbarCustomize, NoThemesTab, NoSMHelp, NoPrinterTabs, NoPrinters, NoNetHood, NoManageMyComputerVerb all should be set to zero or deleted.
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
      This key should be empty. Delete all entries.
      DisableCMD, DisableTaskMgr, DisableRegistryTools, NoFolderOptions all should be set to zero or deleted.
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
      This key should not exist. Delete the entire key.
      NoAddRemovePrograms should be set to zero or deleted.
      HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
      The Start Page key may have been altered.
      The Window title key may have been altered.
      The following keys should be deleted:
      NoControlPanel, NoDrives, NoRun, NoFind, NoFavoritesMenu, NoRecentDocsMenu, NoLogOff, NoClose, NoSaveSettings, NoUserNameInStartMenu, NoToolbarCustomize, NoThemesTab, NoSMHelp, NoPrinterTabs, NoPrinters, NoNetHood, NoManageMyComputerVerb should be set to zero or deleted.
      HKEY_CURRENT_USER\Control Panel\Desktop
      The WallpaperOriginX key should be set to 0.
      The WallpaperOriginY key should be set to 0.
      The MenuShowDelay key should be set to 400.
      HKEY_CURRENT_USER\Control Panel\International
      The sTimeFormat key should be set to "h:mm:ss tt" (for standard time) or "HH:mm:ss" (for military time).
      Now Reboot the computer.
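      The checklist in steps 1 to 3 boils down to a set of policy values that should be zero or absent. The following Python script, added here as an example and not part of the PC Cruiser procedure, performs that check against a Registry Editor export (File > Export in regedit, or REG export at the prompt) so you can read the findings before touching anything: it parses the .reg text, reports every restriction value from the list above that is set to a non-zero value, flags any unlisted value sitting in a policy key for research, and prints the same REG add ... /d 0 /f command the procedure uses for each finding. The export text embedded in the script is constructed for the demonstration; the value names are the ones listed in the steps above.

```python
import re
import sys

# Root-key abbreviations accepted by REG.EXE, used when printing the fix command.
REG_ROOT_ABBREV = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}

# Restriction values the checklist says should be set to zero or deleted.
RESTRICTION_VALUES = {
    "DisableCMD", "DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions",
    "Start_ShowRun", "NoStartMenuMFUprogramsList", "NoStartMenuPinnedList",
    "NoStartMenuSubFolders", "NoCommonGroups", "NoSMMyPictures", "NoStartMenuMyMusic",
    "NoSMMyDocs", "NoDesktop", "NoActiveDesktop", "NoViewOnDrive", "NoControlPanel",
    "NoDrives", "NoRun", "NoFind", "NoFavoritesMenu", "NoRecentDocsMenu", "NoLogOff",
    "NoClose", "NoSaveSettings", "NoUserNameInStartMenu", "NoToolbarCustomize",
    "NoThemesTab", "NoSMHelp", "NoPrinterTabs", "NoPrinters", "NoNetHood",
    "NoManageMyComputerVerb", "NoAddRemovePrograms", "NoViewContextMenu",
}
# The one value the checklist expects to see in HKCU\...\Policies\Explorer.
EXPECTED_PRESENT = {"NoDriveTypeAutoRun"}

# Constructed .reg export for the demonstration (not taken from a real machine).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoRun"=dword:00000001
"UnknownPolicy"=dword:00000001
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse Registry Editor export text into {key: {value_name: data}}.
    dword data becomes an int, quoted strings become str, anything else is kept raw."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                keys[current][name] = data[1:-1]
            else:
                keys[current][name] = data
    return keys


def remediation_command(key, name):
    """The REG command the procedure uses to zero a restriction value."""
    root, _, rest = key.partition("\\")
    return f"REG add {REG_ROOT_ABBREV.get(root, root)}\\{rest} /v {name} /t REG_DWORD /d 0 /f"


def audit_policies(keys):
    """Return (key, name, data, advice) for every value that contradicts the checklist."""
    findings = []
    for key, values in keys.items():
        policy_key = "\\Policies\\" in key or key.endswith("\\Explorer\\Advanced")
        for name, data in values.items():
            if name in EXPECTED_PRESENT:
                continue
            if name in RESTRICTION_VALUES:
                if data != 0:
                    findings.append((key, name, data, remediation_command(key, name)))
            elif policy_key:
                findings.append((key, name, data, "not on the checklist; research it before removing"))
    return findings


if __name__ == "__main__":
    # Real exports are UTF-16: run REG export on the policy key to a file, then pass
    # the file name to this script; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for key, name, data, advice in audit_policies(parse_reg_export(text)):
        print(f"{key}\n  {name} = {data!r}\n  -> {advice}")
```

      The script only reads the export; the printed REG add lines are for you to review and type in yourself, exactly as steps 1 and 2 describe, so a mis-parsed line can never change the registry on its own.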

    4. Set system to show hidden files and folders
      Reboot your system into "Safe Mode" and double-click on My Computer. Select the Tools menu and then Folder Options (this may be under the View menu in Windows 9x/ME). Click the VIEW tab at the top of the Folder Options window. Turn on the option to show hidden files and folders, and uncheck Hide extensions for known file types.

    5. Run HiJackThis
      Click on Do a system scan only.

      You will need to know what should be considered BAD:
      • It is not BAD if it has a legitimate company name such as: your AntiVirus software, Java, Adobe, Yahoo, Google, MSN, Windows Live, Msn Messenger, Hewlett Packard, Canon, Lexmark, Dell, Acer, Logitech etc...
      • It is not BAD if it contains a legitimate web address like: symantec.com, mcafee.com, trendmicro.com, pandasecurity.com, ea.com, hp.com etc...
      • Anything with a random name like uksdhjk.exe is BAD.
      • If it has (no name) and the file's location gives no hint of the owner (e.g. the file is in the C:\WINDOWS\SYSTEM32 folder instead of its own folder such as C:\Program Files\Symantec), then do an Internet search on the part of the name that comes after the last "\". If you cannot easily identify it as belonging to a legitimate program or driver that is supposed to be installed on the computer, then it can be considered BAD.
      • If it is known to be Spyware (e.g. XP AntiVirus 2008), and doing an Internet search for the product name results in a bunch of pages talking about how to remove it then consider it BAD.
      • If it has (no file) consider it BAD (the file associated with the item is missing).
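      To make those rules concrete, here is a small triage script, added as an example and not part of the PC Cruiser procedure or of HiJackThis, that applies them to the lines of a scan listing: an item whose file is missing is BAD, an item carrying one of the company names or web addresses above is OK, and everything else is handed back as RESEARCH together with the search term the step tells you to use (the part of the path after the last backslash), with a note when the item has (no name) and sits in a system folder. Whether a name is "random" is left to you, as the step intends. The scan lines inside the script are constructed in HiJackThis's style with placeholder CLSIDs, not taken from a real log.

```python
import re

# Vendor names and web addresses the step treats as legitimate (from the "not BAD"
# bullets above; "spybot" is added because step 15 names SDHelper.dll as Spybot's).
TRUSTED_NAMES = ("symantec", "mcafee", "trend micro", "panda", "java", "adobe", "yahoo",
                 "google", "msn", "windows live", "hewlett", "canon", "lexmark", "dell",
                 "acer", "logitech", "spybot")
TRUSTED_DOMAINS = ("symantec.com", "mcafee.com", "trendmicro.com", "pandasecurity.com",
                   "ea.com", "hp.com")
# Markers HiJackThis-style listings use for an item whose file no longer exists.
MISSING_MARKERS = ("(no file)", "(missing file)", "(file missing)")
# System folders in which a file with no owner hint deserves a search.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\", "\\windows\\system\\")

# Constructed HiJackThis-style lines for the demonstration (not a real log; the CLSIDs
# are placeholders).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {CLSID-PLACEHOLDER-1} - C:\WINDOWS\SYSTEM32\xkqpz.dll
O2 - BHO: SDHelper - {CLSID-PLACEHOLDER-2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre\bin\jusched.exe
O4 - HKCU\..\Run: [uksdhjk] C:\WINDOWS\SYSTEM32\uksdhjk.exe
O4 - HKLM\..\Run: [OldTool] C:\Program Files\OldTool\oldtool.exe (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""


def classify(line):
    """Apply the step's rules to one line. Returns (code, verdict, detail) where verdict
    is BAD, OK or RESEARCH and detail is the reason or the term to search for."""
    text = line.strip()
    low = text.lower()
    code = text.split(" - ", 1)[0]          # R0, O2, O4, O23 ...
    if any(mark in low for mark in MISSING_MARKERS):
        return code, "BAD", "the file associated with the item is missing"
    if any(name in low for name in TRUSTED_NAMES + TRUSTED_DOMAINS):
        return code, "OK", "legitimate company name or web address"
    m = re.search(r"[A-Za-z]:\\.*$", text)  # drive-letter path up to the end of the line
    if not m:
        return code, "RESEARCH", "no file path; search for the item as shown"
    path = m.group(0)
    term = path.rsplit("\\", 1)[-1]         # the part after the last backslash
    if "(no name)" in low and any(d in path.lower() for d in SYSTEM_DIRS):
        return code, "RESEARCH", f"(no name) in a system folder; search for {term}"
    return code, "RESEARCH", f"search for {term}"


def triage(log_text):
    """Classify every non-empty line of a scan listing."""
    return [classify(line) for line in log_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for code, verdict, detail in triage(SAMPLE_LOG):
        print(f"{code:<4} {verdict:<8} {detail}")
```

      Every RESEARCH result still needs the Internet search the step prescribes; the script only saves you the work of pulling the search term out of each line and of overlooking a (no file) entry.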

      The following is a list of explanations for each of the codes in HiJackThis:
      • R0, R1, R2, R3 Internet Explorer Start/Search pages URLs. Put check marks beside BAD ones
      • F0, F1, F2, F3 Autoloading programs from INI files. Put check marks beside ALL.
      • N1, N2, N3, N4 Netscape/Mozilla Start/Search pages URLs. Put check marks beside BAD ones.
      • O1 Hosts file redirection. Put check marks beside ALL.
      • O2 Browser Helper Objects. Put check marks beside BAD ones.
      • O3 Internet Explorer toolbars. Put check marks beside BAD ones.
      • O4 Autoloading programs from Registry. For most BAD items it would be best to open the Start-Run command and type (without quotes): "msconfig", to open the System Configuration Utility. Click on the Startup tab and uncheck items from there. This way, you can later determine if they can safely be re-activated. For the BAD items that are known to be illegitimate or with a random name put a check mark beside them.
      • O5 IE Options icon not visible in Control Panel. Put check marks beside ALL.
      • O6 IE Options access restricted by Administrator. Put check marks beside ALL.
      • O7 Regedit access restricted by Administrator. Put check marks beside ALL.
      • O8 Extra items in IE right-click menu. Put check marks beside BAD ones.
      • O9 Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu. Put check marks beside BAD ones.
      • O10 Winsock hijacker. Do not fix these with HiJackThis. Do not put check marks on these.
      • O11 Extra group in IE 'Advanced Options' window. Put check marks beside ALL.
      • O12 IE plugins. These are mostly safe. Put check marks beside any items with .ofb, or if you are unsure of any item do an Internet search to find out if it is legitimate.
      • O13 IE DefaultPrefix hijack. Put check marks beside ALL.
      • O14 'Reset Web Settings' hijack. Put check marks beside ALL.
      • O15 Unwanted site in Trusted Zone. Put check marks beside BAD ones.
      • O16 ActiveX Objects (aka Downloaded Program Files). Put check marks beside BAD ones.
      • O17 Lop.com domain hijackers. If domain is your ISP then leave it. Or, if this is your (home or company) network address then leave it. Put check marks beside the rest.
      • O18 Extra protocols and protocol hijackers. Put check marks beside BAD ones.
      • O19 User style sheet hijack. If any are found then you will need to put a check mark beside ALL of them and later you will need to run CWShredder.
      • O20 (AppInit_DLLs and Winlogon Notify). Put check marks beside BAD ones.
      • O21 (ShellServiceObjectDelayLoad). Put check marks beside BAD ones.
      • O22 (Shared Task Scheduler). Put check marks beside BAD ones.
      • O23 NT Services. For most BAD items it would be best to open the Start-Run command and type (without quotes): "msconfig", to open the System Configuration Utility. Click on the Services tab and uncheck items from there. This way, you can later determine if they can safely be re-activated. For the BAD items that are known to be illegitimate or with a random name put a check mark beside them.

      After selecting all the BAD items hit the Fix Checked button.
      Wait until the items have been removed and cleared from the list. Then exit HiJackThis.
      Now Reboot the computer back into Normal Mode (out of Safe Mode).

    6. Install spyware removal and protection software
      Install SpyBot or other such software (e.g. Ad-aware).

      Selecting options when installing Spybot
      • If you do not have an Internet Connection at the Select Components screen uncheck the box to the left of Download updates immediately
      • When asked to Select Additional Tasks. Under the Permanent protection section you should uncheck the box to the left of Use system settings protection (TeaTimer).
      • When done uncheck the mark beside Run Spybot before finishing the installation.

      After the installation is complete get all the updates available for the product. Spybot will have an update file known as "spybotsd_includes.exe" available for download directly from the download page of their web site labeled Detection updates YYYY-MM-DD, which should be run after installing, but before using the Spybot program. This will update the definition files for the most recent release of their product.

      TeaTimer will repeatedly complain every time you fix something with Spybot, MSConfig, or installing any new software. You can turn on TeaTimer later, but it will pop up a window for every attempt to modify the registry, which gives you incredible control, if you can understand which kinds of registry changes are good and which ones are not.

    7. Now reboot the system into "Safe Mode" and run Spybot

      • Answer Yes, if asked to remove temporary files.
      • Click Next-Next through the wizard, and then hit Start using the program.
      • Click Immunize in the left column and then click Immunize with the green plus sign beside it. This will activate SDHELPER (it appears as a BHO in HiJackThis). It is Spybot's browser protection component. Wait until the number of Unprotected items reaches zero.
      • Click Search & Destroy in the left column, and start the search by clicking on Check for problems.
      • When the search is finished click on Fix selected problems.
        If some of the items cannot be deleted, choose not to run Spybot at startup. You should already be in "Safe Mode", so running at startup will not likely be any more successful.
      • Now Reboot the computer back into Normal Mode (out of Safe Mode).

    8. Perform a virus scan
      Use the computer's installed anti-virus software to perform a virus scan. Make sure the software is up-to-date. If it isn't, then either update it, purchase the software necessary to update it, or perform a virus scan with an online virus scanner. You can use Trend Micro's Housecall, Symantec's Security Check, McAfee's freescan or Panda's ActiveScan. Remove or quarantine everything found.

    9. If Necessary Run TheKillBox, CWShredder or SmitFraud Removal Tools
      Reboot the computer into "Safe Mode" again and run the following tools, if any of the following statements are true:
      • If your AntiVirus or AntiSpyware finds but cannot remove VX2.BetterInternet, use TheKillBox to search for ABetterInternet: select Fix L2M and choose Kill VX2.BetterInternet.
      • If your AntiVirus or AntiSpyware finds but cannot remove CoolWebSearch, use CWShredder. Un-check the box that says to move the bad files to the recycle bin instead of deleting them. CWShredder will remove CW and variants automatically.
      • If your AntiVirus or AntiSpyware finds but cannot remove SmitFraud (see the known aliases for SmitFraud), use the SmitFraudFix Tool (Windows 2000/XP) or the smitRem Tool (Windows 9x/Me/2000/XP). Do not use both to repair your system.

    10. Re-run HiJackThis
      • Click on Do a system scan only.
      • Some items may have (no file) or (missing file), and you can put a check mark beside them and then click on Fix Checked. They will appear because your spyware or AntiVirus removed the file earlier in this process but not the actual item (registry entry).
      • Click on Scan to recheck, and verify that HiJackThis now only shows legitimate program settings and drivers for applications that you recognize.
      • If HiJackThis cannot remove any items or certain items just keep coming back, then you still have Spyware on your computer or you are trying to remove something that is critical to your system. Verify with an Internet search that the items are in fact actually BAD. If they turn out to be legitimate, then you are done. If not, then write down the filename (e.g. XPAntVir.exe) and its location (e.g. C:\WINDOWS\Program Files\XP AntiVirus 2008\).
      • Reboot the computer into "Safe Mode with Command Prompt", and using DOS commands change to the folder, delete the file, then create a folder with the exact same name as the file. Now change its attributes to Read Only, Hidden and System file. Next reboot the computer into "Safe Mode" and remove the Inherit permissions from parent for the folder that you created in DOS. Now the item will be unable to re-load itself, and the item can be removed with HiJackThis.

    11. Reset Internet Explorer's security settings
      Many spyware components alter the security settings for Internet Explorer. Go to the Control Panel and open the Internet Options. Reset the security settings to Default:High or Default:Medium. Then check the Trusted Sites zone for entries; there shouldn't be any in there unless you want certain web sites to be trusted, so remove any others. Then reset the security level to Default:High or Default:Medium. Reset the Restricted Zone to Default:High. Under the Programs tab click Manage add-ons (newer versions of IE only) and disable any BAD items. Finally reset the Defaults on the Advanced tab.

    12. Install new HOSTS file
      A HOSTS file contains a list of websites that you do not want your browser to be allowed to visit. You can find a great list of sites that are known to cause problems for many Internet users. Go to your C:\Windows\System32\Drivers\Etc\ folder, and make a backup copy of the HOSTS file there. (Note, there is no TXT extension on it.) Open the HOSTS file with Notepad (right click on it, choose Open With and then choose Notepad). Then copy the list found at the following link using the Edit menu's Select All option: http://www.mvps.org/winhelp2002/hosts.txt. Now go back to your original HOSTS file, again use the Edit menu's Select All option, and then paste the list over the text that was there. Save and exit Notepad.
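      Both the O1 entries HiJackThis reports in step 5 and the HOSTS replacement in this step come down to reading the same file. The Python below is an added example, not part of the PC Cruiser procedure: it parses a hosts file, reports every name that is sent somewhere other than the local machine (the O1 "redirection" pattern, rated high when the name belongs to one of the security vendors listed in step 5), and rebuilds the file by keeping the existing entries you choose to trust, dropping the hijacks and appending a blocklist in the format of the MVPS file. Keeping existing entries goes beyond the paste-over this step describes; it preserves any intranet mappings an administrator added on purpose. Both the infected hosts file and the blocklist excerpt embedded in the script are constructed for the demonstration.

```python
import ipaddress
import sys

# Security-vendor domains named in step 5; a hosts entry that points one of these
# somewhere other than the local machine is the classic O1 hijack.
WATCH_DOMAINS = ("symantec.com", "mcafee.com", "trendmicro.com", "pandasecurity.com")

# Constructed sample of a hosts file on an infected machine (not a real capture).
EXISTING_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
192.168.1.10    intranet.example          # legitimate entry added by an administrator
203.0.113.7     www.symantec.com          # vendor site redirected to an outside address
203.0.113.7     liveupdate.symantec.com
"""

# Constructed excerpt in the format of a downloaded blocklist such as the MVPS file.
BLOCKLIST = """\
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # constructed tracker entry
"""


def parse_hosts(text):
    """Return (line_number, ip, hostname) for every mapping in a hosts file.
    Blank lines and comments are skipped; '#' ends the meaningful part of a line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address; leave the line for manual review
        for host in fields[1:]:
            entries.append((lineno, fields[0], host.lower()))
    return entries


def is_sinkhole(ip):
    """True for addresses that block a name rather than redirect it."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def find_redirections(entries):
    """Return (line_number, ip, hostname, severity) for names sent to a real address.
    Security-vendor names are 'high'; anything else is 'review', because a legitimate
    intranet entry looks exactly the same to a parser."""
    findings = []
    for lineno, ip, host in entries:
        if is_sinkhole(ip) or host == "localhost":
            continue
        vendor = any(host == d or host.endswith("." + d) for d in WATCH_DOMAINS)
        findings.append((lineno, ip, host, "high" if vendor else "review"))
    return findings


def merge_hosts(existing_text, blocklist_text, drop=frozenset()):
    """Rebuild a hosts file: existing entries minus the hostnames in `drop`, then
    blocklist sinkhole entries whose hostnames are not already present."""
    out = ["# rebuilt hosts file: hijacked entries dropped, blocklist appended"]
    seen = set()
    for _, ip, host in parse_hosts(existing_text):
        if host in drop or host in seen:
            continue
        seen.add(host)
        out.append(f"{ip}\t{host}")
    for _, ip, host in parse_hosts(blocklist_text):
        if host in seen or not is_sinkhole(ip):
            continue  # never import a redirection from a downloaded list
        seen.add(host)
        out.append(f"{ip}\t{host}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Pass the path of a real hosts file (back it up first, as the step says) or run
    # with no argument to use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else EXISTING_HOSTS
    findings = find_redirections(parse_hosts(text))
    for lineno, ip, host, severity in findings:
        print(f"line {lineno}: {host} -> {ip} [{severity}]")
    hijacked = {f[2] for f in findings if f[3] == "high"}
    print(merge_hosts(text, BLOCKLIST, drop=hijacked))
```

      The rebuilt file is printed rather than written, so you can compare it with your backup before saving it over the original in the Drivers\Etc folder.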

    13. For Protection From Future Spyware Attacks Install SpywareBlaster
      Install SpywareBlaster, download the updates for it and click the Enable All Protection link.

    14. Run Process Explorer
      If you still see there is a process in the Task Manager that shouldn't be there, or you thought it had already been removed and seemed to come right back then launch Process Explorer which will show you more detailed information about each task running including their associated files and registry keys. This is a lot more useful than using the task manager to identify possible spyware that may still be active.

    15. Run BHO Demon to Get Rid of Unwanted BHO's
      If HiJackThis finds but cannot remove any BHO (Browser Helper Objects), and you're sure they're not one of your wanted BHO's (some BHO's place convenient toolbars and buttons for you to use inside Internet Explorer), then you should run the BHO Demon program and disable any BHO objects that you are not familiar with or do not wish to use. Note: SDHelper.dll is part of Spybot Search & Destroy's active spyware prevention system.

    16. Launch Your Internet Browser
      Consider an alternative browser. Try Firefox or Opera. Check them over and see if one will suit your needs. If you still prefer Internet Explorer, try using it now and surf around for a bit and see if any unwarranted pop-ups occur. Only go to sites that you know do not launch pop-up ads; it makes it easier to diagnose. If you see a pop-up or two, or, worse, TeaTimer complains about settings changes, it's likely you still have ABetterInternet hooking into Explorer via registered DLLs. Go to Run TheKillBox.

    17. To Check For Unwanted Active DLL's Run PV.ZIP
      DLLs are small pieces of an application that need to be active for a program to work properly. If you're a power user and want to kill unused DLLs that were associated with your recent virus or spyware infection, use the following procedure. Note: this task is not recommended for anyone but the most experienced of users.
      Launch Internet Explorer then unzip the PrcView file. In there will be a batch file called “RUN ME.” Run that and a notepad window will launch with a list of open DLLs. You will have to do a little detective work here. One of the DLLs is likely a spyware component. Do a Google search on them and see what you come up with. You will use TheKillBox to remove the DLL by selecting the "Delete on Reboot" option, adding the file you want to delete, then the "Process and Reboot."

    18. If You Have XP Get Service Pack 2
      The new version of Internet Explorer that is installed with Service Pack 2 has a built-in pop-up stopper, but it can still be fooled by spyware. After upgrading to Service Pack 2 for XP, adware and spyware still get through. There is a new option to manage the add-ons that get installed into the Microsoft browser: under the "Tools" menu select "Internet Options", choose the "Programs" tab and click "Manage Add-Ons". Disable anything that you're not familiar with.


    SPYWARE: Alexa

      • Alexa Spyware Installed Whenever You Install Any Microsoft Product
        Alexa is a free, ad-based product which installs itself into your Internet Explorer or Netscape browser. It adds a bar with a series of links to your browser which gives quite a bit of information about each web page that you visit. For example, the contact information, related links, reviews of the site, traffic and some other information is displayed.

        Alexa has an additional purpose, however, as is explained in their privacy policy.

        "ALEXA COLLECTS AND STORES INFORMATION ABOUT THE WEB PAGES YOU VIEW, THE DATA YOU ENTER IN ONLINE FORMS AND SEARCH FIELDS WHILE USING THE ALEXA SOFTWARE, AND, WITH VERSIONS 5.0 AND HIGHER OF THE BROWSER COMPANION SOFTWARE, THE PRODUCTS YOU PURCHASE ONLINE. ALTHOUGH ALEXA DOES NOT ATTEMPT TO ANALYZE WEB USAGE DATA TO DETERMINE THE IDENTITY OF ANY ALEXA USER, SOME INFORMATION COLLECTED BY THE SOFTWARE IS PERSONALLY IDENTIFIABLE. ALEXA AGGREGATES AND ANALYZES THE INFORMATION IT COLLECTS TO IMPROVE ITS SERVICE AND TO PREPARE REPORTS ABOUT AGGREGATE WEB USAGE AND SHOPPING HABITS."

        So what does this and the remainder of a very long privacy policy translate to in plain English? Alexa watches you surf the internet and transmits the URLs of the sites that you visit back to their computer system. Their stated intention is to build up a list of related links for each page that you visit. They also watch your shopping patterns to get an idea of what you are purchasing online, and presumably where you are purchasing things on the internet.

        It's very interesting that Alexa is owned by Amazon.Com, and one of the "great" features of their browser bar is something they call a "shopping feature". This allows Amazon (and other business partners) to offer you comparative shopping advice while you surf through other sites.

        Alexa now has a well written and lengthy privacy policy, but it was not always that way. In fact, there is a pending (as of May) class action lawsuit because Alexa didn't have a privacy policy posted on its website at all. This meant that people who downloaded and installed the bar were not made aware that their movements through the internet were being watched and recorded.
        http://www.internet-tips.net/Tanstaafl/spyware_alexa.htm

      SPYWARE: Aureate / Radiate program


        BHO - Browser Helper Objects

          • BHO Cop (Browser Helper Object)
            An additional tool to complement Ad-aware, listed above.
            The integration of BHOs with IE offers rich opportunities but can cause trouble. Poorly written BHOs can bring about IE crashes. Also, BHOs can conflict with each other, causing problems with IE that can be very difficult to diagnose and fix, because there's no way for you to know that a BHO has been installed.
            http://www.pcmag.com/article/0,2997,s%253D1478%2526a%253D4453,00.asp

          • How to Disable Third-Party Tool Bands and Browser Helper Objects
            This article describes the steps to disable the third-party Tool Bands and Browser Helper Objects features that you installed for use with Internet Explorer. You may have to disable these features when you have to troubleshoot Internet Explorer problems.
            http://support.microsoft.com/default.aspx?scid=KB;EN-US;q298931

          • BHO Demon
            BHO Demon, from Definitive Solutions, Inc., lists the BHOs that are currently installed. You can then disable those you don't want to keep.
            http://www.siena.edu/antivirus/spyware/bhodemon.asp

          SPYWARE: General - Information

            Spyware programmers, like virus programmers, are constantly trying to stay ahead of the tools. Eventually one, or more, of the Anti-Spyware products will mature and be able to handle all aspects of spyware, or it will be incorporated into the Anti-Virus product suites, if the politics can be put aside. Spyware, in our opinion, borders on actually being a virus, typically referred to as a Trojan. Trojans possess no viral (spreading) capabilities, but will inflict damage, compromise your system, steal personal information or inflict an annoyance of some kind on the user.

            To explain why spyware is not being addressed as though it were Trojans by Anti-Virus vendors, you have to look at the rapid increase in spyware activity over the past year. There are more than 65,000 known viruses, increasing by the hundreds every month. There were very few major Trojans before the new millennium, so Anti-Virus vendors would include almost all of them in their definitions. Since 2001, spyware has gone from just a few new ones every month to over 20000 in total, and the rate is steadily increasing by hundreds every month. They will probably soon exceed the rate of new viruses.

            Which ones are considered worthy of inclusion in Anti-Virus vendor definitions depends on a few things. One is the resources of the vendor: in a time of post-dot-com restraint they would have to increase their research workforce to tackle all of the new Trojans, aka spyware. What is not very clear is what to do about software vendors that incorporate spyware and adware into their software. Along comes your Anti-Virus's disk scan and disables your favourite program; then you're not going to be happy with them. So are they going to tackle the politics of the problem head on, and admit that all spyware are Trojans? Some recent spyware has the ability to prevent you from being able to run/update your Anti-Virus software. Surely these will be on the top priority lists for their workforce, but the rest of it may slide through unscathed.
            • Anti-Spyware Coalition
              The Anti-Spyware Coalition (ASC) is a group dedicated to building a consensus about definitions and best practices in the debate surrounding spyware and other potentially unwanted technologies.
              Composed of anti-spyware software companies, academics, and consumer groups, the ASC seeks to bring together a diverse array of perspective on the problem of controlling spyware and other potentially unwanted technologies.
              http://www.antispywarecoalition.org/


            • Spy Checker
              An alphabetically maintained list of known Spyware programs.
              http://www.spychecker.com/


            • Pest Patrol
              Anti-Spyware software vendor with an excellent research section.
              http://www.safersite.com/


            • SpywareInfo, Home of the Spyware weekly.
              http://www.spywareinfo.com/

            • Sandra Hardmeier's contribution to Spyware.
              http://www.mvps.org/inetexplorer/Darnit.htm

            • System wide filtering and blocking
              An introduction to eDexter. You can modify your HOSTS file to filter unwanted sites.
              http://www.pacificnet.net/~bbruce/

            • Gorilla Design Studio Presents: Using the Hosts File
              You can begin blocking ads and help keep yourself from being tracked by using the Hosts file in Windows and other operating systems.
              http://www.accs-net.com/hosts/

            SPYWARE: Kazaa

              • Kazaa not only installs several spyware applications, but it also installs Brilliant Digital's software. During Kazaa's installation you are asked to agree to the following in the user licence agreement, which you must accept in order to install Kazaa.

                You hereby grant BDE (Brilliant Digital Entertainment) the right to access the unused computing power and storage space on your computer/s and/or internet access or bandwidth for the aggregation of content and use in distributed computing. The user acknowledges and authorizes this use without the right of compensation.

                How to uninstall Brilliant Digital's software
                CNET's News.com has posted instructions for removing the Brilliant Digital software. While these instructions do work now, KaZaa or Brilliant Digital could change the installation at any time to make these instructions fail. http://news.com.com/2100-1023-875274.html


              • Spyware Bundled With Kazaa 1.9
                New.Net
                SaveNow


              • Spyware Bundled With Kazaa 2.5
                This version comes with Peer Points, configured to run at startup whether you want it to or not. What's more, that's not ALL you get.

                "Peer Points Manager" includes a number of program and data files, mostly installed in the C:\Program Files\Altnet folder," say the guys. "Some software components (DLLs used by Peer Points Manager and other Altnet applications) are installed to the Windows\System or WinNT\System32 directory. Installing Altnet applications will not modify any existing files on your computer.

                "Peer Points Manager" includes the Altnet Download Manager, a program that allows you to download Altnet files from the Altnet P2P network when clicking download links on supporting web sites.

                "Peer Points Manager" uses PeerEnabler, a P2P networking component from Joltid (www.joltid.com). PeerEnabler is also used by other 3rd party applications, including Kazaa Media Desktop. If PeerEnabler is not already installed on your computer then it will be installed as part of Peer Points Manager installation.

                By agreeing to the Altnet EULA at installation you also agree to the installation of 'My Search Toolbar' provided by The Excite Network, Inc. The My Search Bar is a customizable browser toolbar which provides end users with easy access to search results from the best search engines on the Internet in just one click, including results based on websites, directory listings, images, news, and FTP files.


              • For removal you can use the Add/Remove Control Panel to remove Peer Points Manager, and Ad-aware 6 can remove the Brilliant Digital spyware, but removing Cydoor will cripple Kazaa so that it requires Kazaa to be fixed (which will re-install Cydoor) or re-installed (which will re-install all the programs). To disable Cydoor (the advertising window built into Kazaa), uncheck Inherit From Parent permissions on the "C:\WINDOWS\SYSTEM32\AdCache" folder and blank out the Permission entries (so no-one has permission to the folder); this program then cannot run (NTFS file system only - Windows NT 2000 XP 2003). Kazaa still works, but the advertisements area will be blank.

              • Spyware Bundled With Kazaa 2.6
                This version also comes with Peer Points, configured to run at startup.

                You can use the Add/Remove Control Panel to remove the My Search Bar; however, most spyware removal programs will cause Kazaa to insist that it be re-installed with all the spyware (i.e. they now check to see if the spyware is running before allowing Kazaa to load).

                This version also introduced a pay version, which they claim includes no advertising content.

              • Spyware Bundled With Kazaa 2.7
                This version comes with fsg_4104.exe, known as Claria, which is a utility that may be used to interfere with spyware removal and protection programs. It will appear in several locations. Initially it will show up in your WINDOWS\TEMP folder, but then it uses part of the registry to rename the file on reboot to the current user's temp folder, e.g. "C:\Documents and Settings\CurrentUsersName\Local Settings\Temp". After deleting these files they will re-appear the next time you run Kazaa, or the next time you reboot if you left the default option to start Kazaa when you start Windows. Blocking this application will not succeed. If you locate each file named fsg_4104.exe and each folder fsg_tmp, set Inherit From Parent permissions to unchecked and blank out the Permission entries (no one has permission to access the files or folders), this program will then not be able to run under the filename fsg_4104.exe (NTFS file system only - Windows NT, 2000, XP, 2003). However, the next time you run Kazaa it will re-appear as fsg_4104a.
                Also installed is the P2P Networking program, and they probably want you to think that it is part of Kazaa; however, if the "C:\WINDOWS\SYSTEM32\P2P Networking" folder has its Inherit From Parent permissions unchecked and its Permission entries blanked out, this program does not run (NTFS file system only - Windows NT, 2000, XP, 2003). Kazaa still works after you do this, so does it really have anything to do with Kazaa or peer-to-peer file sharing?
                Ad-aware 6 can remove the EUniverse spyware.
                Spybot can remove the SearchForIt spyware.
                To disable Peer Points, the "C:\Program Files\altnet" folder needs to have its Inherit From Parent permissions unchecked and its Permission entries blanked out (NTFS file system only - Windows NT, 2000, XP, 2003). Kazaa still works without Peer Points.
                To disable Cydoor (the advertising window built into Kazaa), the "C:\WINDOWS\SYSTEM32\cache329" folder needs to have its Inherit From Parent permissions unchecked and its Permission entries blanked out; the program will then not run (NTFS file system only - Windows NT, 2000, XP, 2003). Kazaa still works, but the advertisements area will be blank.
                If after all that your Kazaa still works, then congratulations, but after each time you start it you have to remember to stop the fsg_4104 process, and after you're finished you'll have to manually remove, or run Ad-aware to get rid of, the registry keys associated with Claria:
                • HKEY_CLASSES_ROOT:Clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}\
                • HKEY_LOCAL_MACHINE:Location\Software\Gator.com\
                • HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\Currentversion\Run\Trickler

              SPYWARE: OPTOUT (Tool)

                • What is Spyware?
                  Spyware is ANY SOFTWARE which employs a user's Internet connection in the background (the so-called "backchannel") without their knowledge or explicit permission.
                  Silent background use of an Internet "backchannel" connection MUST BE PRECEDED by a complete and truthful disclosure of proposed backchannel usage, followed by the receipt of explicit, informed, consent for such use.
                  ANY SOFTWARE communicating across the Internet absent these elements is guilty of information theft and is properly and rightfully termed: Spyware.

                • OptOut
                  If you are concerned about what is being gathered about your habits on the WEB, then you MUST download this OptOut program to delete any unwanted requests.
                  http://grc.com/optout.htm

                SPYWARE: COMET.DLL

                  • If you have an earlier version of RealPlayer, it probably installed a troublesome little thing called Comet Cursor without you knowing it.
                    See if you have the file c:\windows\system\comet.dll on your system. If you do, it may be the reason behind some errors you are getting.

                  • Comet Cursor's Web Site
                    http://www.cometsystems.com

                  • CometSystems Pest Patrol Report
                    http://www.pestpatrol.com/pestinfo/c/cometsystems.asp

                  SPYWARE: DSSAGENT.EXE

                    • DSSAgent is a piece of code placed on your PC without your knowledge by Broderbund (now Mattel Interactive). You can read about it and get a patch that safely removes it from your PC (and other files, and cleans up your registry).

                    • Error Message: DSSAgent Caused an Invalid Page Fault in Module Unknown
                      DSSAgent caused an Invalid Page Fault in module unknown
                      http://support.microsoft.com/default.aspx?scid=KB;EN-US;q296077 (ME Jul. 12, 2001)

                    SPYWARE: GOHIP.COM

                      • What it does:
                        1. Your DEFAULT LINK to your Home page will take you to Go Hip
                        2. Your SEARCH DEFAULT will take you to the Go Hip search.
                        3. A BOOKMARK feature will be added to your file. This feature will add additional BOOKMARKS to your directory.
                        4. Your SIGNATURE LINE on all of your outbound e-mails will be modified to promote the GO HIP Video Update, making your e-mail recipients eligible for video at no cost.

                      SPYWARE: Morpheus

                        • Morpheus by StreamCast Networks counts the number of times its file swappers visit high-profile shopping sites. The company has begun installing a Web browser add-on that sends some Morpheus users on an invisible Web detour aimed at capturing data about file swappers' surfing habits.
                          http://www.safersite.com/PestInfo/M/Morpheus.asp


                        SPYWARE: MSIPCSV.EXE

                          • MSIPCSV.EXE is, from what I can tell, part of what is known as "Spyware". Otherwise known as the stuff that comes attached to lots of "freeware" that shows advertising while you are using the product, and/or collects marketing info. Aureate, etc. All I can tell you is that my "Spyware" removal program looks for that file (among many others) and suggests removing it.
                            Look at OptOut for more information on SPYWARE.


                          SPYWARE: NewDotNet

                          • NewDotNet
                            There does not appear to be any obvious spying taking place by this browser plug-in, whose intent is to add support for some new top-level domains, ".shop" etc. However, the New.Net plug-in downloads and installs updates to itself silently, with no crypto-based integrity checks, and can even bypass firewall protection. It also integrates itself into the operating system through its re-configuration of your Winsock settings, which are critical to your computer's ability to access the Internet. If New.Net is uninstalled incorrectly your Internet connection will be lost. Even though your actual hardware is connected, and it can be shown that the Internet connection is live, all of your applications will indicate that pages are not found or could not connect to the server. Leaving it installed, at least for some versions, has been known to cause Internet Explorer to crash regularly.
                            http://www.pestpatrol.com/pestinfo/n/new_net.asp


                          • Iexplore Caused an Invalid Page Fault in Module Unknown with SaveNow or New.net Installed
                            SAVENOW executed an invalid instruction in module Unknown at address...
                            http://support.microsoft.com/default.aspx?scid=KB;EN-US;q302463


                          • Manual NewDotNet foistware removal
                            If you have experienced problems with the New.Net uninstall using Add/Remove Programs, it is recommended that you contact New.Net tech support for assistance. The information below is provided FOR REFERENCE ONLY, and could make things worse if used improperly. Do not attempt unless you are a guru and willing to accept the possibility of your computer losing Internet access, and hold New.Net and CEXX.ORG harmless for any results.

                            WARNING WARNING WARNING

                            This procedure from New.Net techs is intended to manually restore your previous Winsock settings. Do not use it without advice from New.Net support.

                            Go to HKEY_LOCAL_MACHINE\CurrentControlSet\Services\WinSock2\Parameters.
                            You should see 2 folders, "NameSpace_Catalog5" and "Protocol_Catalog9". Click the small "+" (plus) signs next to both of them.
                            Inside both folders, you should see a "Catalog_Entries" folder. Within each of those folders are numbered folders (e.g. 000000000001, 000000000002, etc.)

                            For the "NameSpace_Catalog5" numbered folders:

                            A. First, make note of how many folders there are
                            B. Highlight the first one
                            C. On the righthand side, locate the line "Library Path"
                            D. In that line, the rightmost column should begin with something similar to "C:\windows" or "%SystemRoot%".
                            E. Locate any of the numbered folders that read "C:\windows\newdotnet2_90.dll" or similar in the "Library Path" line
                            F. Delete each of those folders referring to "newdotnet"
                            G. Rename each numbered folder so that they are all consecutive. For example, if there were 4 folders and you deleted 2 of them, you will need to rename the remaining folders "000000000001" and "000000000002".
                            H. Do this by right-clicking the folder name, left-click Rename and then type in the new number (be absolutely sure you don't delete any of the zeros).
                            I. Next, highlight the "NameSpace_Catalog5" folder on the lefthand side.
                            J. On the right, locate the "Num_Catalog_Entries" line. At the end of this line is a number in parentheses.
                            K. Edit that number by doing the following:
                            i. Double-click "Num_Catalog_Entries"
                            ii. In the small pop-up window, select "Decimal"
                            iii. Edit the value of the number on the left to reflect the number of remaining folders (in the case of the example in step G above, you would enter 2)
                            iv. Click OK

                            For the "Protocol_Catalog9" numbered folders:

                            A. First, make note of how many folders there are
                            B. Highlight the first one
                            C. On the righthand side, you will see a line beginning with "PackedCatalogItem". Double-click on that word and a small window will pop-up.
                            D. In the "Edit Binary Value" window, several columns appear with numbers and letters. In the last column appears a path that will look something like, "C:\WINDOWS\NEWDOT~.DLL" or "%SystemRoot%" followed by a long list of characters.
                            E. Locate the numbered folders that make reference to "newdotnet" in the "Edit Binary Value" window described above and DELETE each of them. This is done by closing the "Edit Binary Value" window, highlighting the folder, and pressing the DEL key.
                            F. Rename each remaining numbered folder so that they are all consecutive. For example, if there were 13 folders and you deleted 2 of them, you will need to rename the remaining folders "000000000001" through "000000000011".
                            G. Do this by right-clicking the folder name, left-click Rename and then type in the new number (be absolutely sure you don't delete any of the zeros)
                            H. Next, highlight the "Protocol_Catalog9" folder on the lefthand side.
                            I. On the right, locate the "Num_Catalog_Entries" line. At the end of this line is a number in parentheses.
                            J. Edit that number by doing the following:
                            i. Double-click "Num_Catalog_Entries"
                            ii. In the small pop-up window, select "Decimal"
                            iii. Edit the value of the number on the left to reflect the number of remaining folders (in the case of the example in F above, you would enter 11)
                            iv. Click OK
                            K. Close the Registry Editor. Your changes will be automatically saved.
                            L. Restart your computer and then try accessing the Internet as you would normally.
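                            A dry-run model of the catalog clean-up in steps A-L, added here as an example and not code from this page or from New.Net: it takes a snapshot of the numbered Catalog_Entries sub-keys (found under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters on a real system) and returns the renumbered entries and the decimal Num_Catalog_Entries value, so the renumbering and the count can be checked before the live registry is edited. The sample catalogs are constructed, and the assumption that the DLL path is the leading NUL-terminated string of PackedCatalogItem is labelled in the code.

```python
"""Dry-run of the Winsock2 catalog clean-up (steps A-L above) on a snapshot.

Added example, not code from the PC Cruiser page or from New.Net. It never
touches the registry: pass it the numbered Catalog_Entries sub-keys as a dict
(key name -> "LibraryPath" string for NameSpace_Catalog5, or the raw
"PackedCatalogItem" bytes for Protocol_Catalog9) and it returns the renumbered
entries plus the decimal value Num_Catalog_Entries must be set to.
"""
from typing import Dict, Tuple, Union

Entry = Union[str, bytes]
KEY_WIDTH = 12  # sub-key names are zero-padded to 12 digits, e.g. 000000000001


def entry_path(value: Entry) -> str:
    """Return the provider DLL path stored in a catalog entry value."""
    if isinstance(value, bytes):
        # Assumption: the path is the leading NUL-terminated ANSI string of the
        # binary PackedCatalogItem value (the text regedit shows in its last column).
        return value.split(b"\x00", 1)[0].decode("latin-1")
    return value


def is_newdotnet(value: Entry) -> bool:
    """Match both the long name (newdotnet2_90.dll) and the 8.3 name (NEWDOT~.DLL)."""
    return "newdot" in entry_path(value).lower()


def catalog_is_consistent(entries: Dict[str, Entry], declared: int) -> bool:
    """Step A / J check: keys must run 000000000001..N and N == Num_Catalog_Entries."""
    expected = [f"{i:0{KEY_WIDTH}d}" for i in range(1, len(entries) + 1)]
    return sorted(entries) == expected and declared == len(entries)


def clean_catalog(entries: Dict[str, Entry]) -> Tuple[Dict[str, Entry], int]:
    """Steps E-G and K: drop New.Net entries, renumber consecutively, recount."""
    kept = [entries[k] for k in sorted(entries) if not is_newdotnet(entries[k])]
    renumbered = {f"{i:0{KEY_WIDTH}d}": v for i, v in enumerate(kept, start=1)}
    return renumbered, len(renumbered)


# Constructed sample catalogs (not exported from a real machine).
SAMPLE_NAMESPACE = {
    "000000000001": r"%SystemRoot%\System32\mswsock.dll",
    "000000000002": r"C:\windows\newdotnet2_90.dll",
    "000000000003": r"%SystemRoot%\System32\winrnr.dll",
    "000000000004": r"C:\WINDOWS\newdotnet3_1.dll",
}
SAMPLE_PROTOCOL = {
    "000000000001": b"%SystemRoot%\\system32\\mswsock.dll\x00" + b"\x00" * 24,
    "000000000002": b"C:\\WINDOWS\\NEWDOT~.DLL\x00" + b"\x11" * 24,
    "000000000003": b"%SystemRoot%\\system32\\rsvpsp.dll\x00" + b"\x00" * 24,
}

if __name__ == "__main__":
    for name, cat in (("NameSpace_Catalog5", SAMPLE_NAMESPACE),
                      ("Protocol_Catalog9", SAMPLE_PROTOCOL)):
        # Refuse to plan edits on a catalog whose count is already wrong.
        assert catalog_is_consistent(cat, len(cat)), f"{name}: inconsistent catalog"
        cleaned, count = clean_catalog(cat)
        print(f"{name}: set Num_Catalog_Entries (Decimal) to {count}")
        for key, value in cleaned.items():
            print(f"  {key} -> {entry_path(value)}")
```

The same consistency check is worth running again after the registry edit: if the sub-keys are not consecutive or the count is off, Winsock will still be broken after the restart in step L.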

                          SPYWARE: SaveNow

                            • SaveNow
                              It tracks where a person goes online and then pops up separate browser windows with targeted advertisements or special offers... continuously downloads updated information about new offers and keeps a record of where a person surfs on that person's own computer. It runs continually--even when the program it came with is not operating.
                              http://www.pestpatrol.com/pestinfo/s/savenow.asp


                            • Iexplore Caused an Invalid Page Fault in Module Unknown with SaveNow or New.net Installed
                              SAVENOW executed an invalid instruction in module Unknown at address...
                              http://support.microsoft.com/default.aspx?scid=KB;EN-US;q302463

                            SPYWARE: SmitFraud.c

                              • Trojan-Spy.HTML.Smitfraud.c is a widespread Trojan virus. Popup windows saying you are infected! Backgrounds are changed to display virus alert messages! The system clock in the taskbar says Virus Alert! System tray icons with virus alert messages! The Task Manager may be disabled. The Registry Editor may be disabled. The Logoff option may be disabled. My Computer, My Pictures, Control Panel, All Programs etc. may have disappeared from the Start menu. The worst part may be that Routing and Remote Access may have been enabled, and your computer has been turned into a slave computer in a botnet to be spied upon by the perpetrators. They can then use your computer to hide themselves while performing their nefarious activities on other computers.


                              • Do not be fooled by their slick pop-ups that claim to be able to remove the problems they have found with your computer. It's a lie. They want your name, your address, phone number, mother's maiden name, credit card numbers and any other personal information for use in identity theft.


                              • SmitFraudFix Removal Tool is a Windows 2000, XP tool we have had some success using to repair systems infected with this Trojan.


                              • SmitRem Removal Tool is a Windows 9x, Me, 2000, XP, removal tool we have had some success using to repair systems infected with this Trojan.


                              • SmitFraud goes by various names, and once your computer is infected the names will change almost every week. The following is a list of names they have used in the past:

                                AdwarePunisher, AdwareSheriff, AlphaCleaner, AntiSpyCheck, Antispyware Soldier, AntiVermeans, AntiVermins, AntiVerminser, AntiVirGear, AntivirusGolden, AVGold, Awola, BraveSentry, IE Defender, MalwareCrush, MalwareWipe, MalwareWiped, MalwaresWipeds, MalwareWipePro, MalwareWiper, PestCapture, PestTrap, PSGuard, quicknavigate.com, Registry Cleaner, Security iGuard, Smitfraud, SpyAxe, SpyCrush, SpyDown, SpyFalcon, SpyGuard, SpyHeal, SpyHeals, SpyLocked, SpyMarshal, SpySheriff, SpySoldier, Spyware Vanisher, Spyware Soft Stop, SpywareLocked, SpywareQuake, SpywareKnight, SpywareRemover, SpywareSheriff, SpywareStrike, Startsearches.net, TitanShield Antispyware, Trust Cleaner, UpdateSearches.com, Virtual Maid, Virus Heat, Virus Protect, Virus Protect Pro, VirusBlast, VirusBurst, VirusRay, Win32.puper, WinHound, Brain Codec, ChristmasPorn, DirectAccess, DirectVideo, EliteCodec, eMedia Codec, EZVideo, FreeVideo, Gold Codec, HQ Codec, iCodecPack, IECodec, iMediaCodec, Image ActiveX Object, Image Add-on, IntCodec, iVideoCodec, JPEG Encoder, Key Generator, LookForPorn, Media-Codec, MediaCodec, MMediaCodec, MovieCommander, MPCODEC, My Pass Generator, NetProject, Online Image Add-on, Online Video Add-on, PCODEC, Perfect Codec, PowerCodec, PornPass Manager, PornMag Pass, PrivateVideo, QualityCodec, Silver Codec, SearchPorn, SiteEntry, SiteTicket, SoftCodec, strCodec, Super Codec, TrueCodec, VideoAccess, VideoBox, VidCodecs, Video Access ActiveX Object, Video ActiveX Object, Video Add-on, VideoCompressionCodec, VideoKeyCodec, VideosCodec, Vista Antivirus 2008, WinAntiSpyPro, WinMediaCodec, X Password Generator, XP Antivirus 2008, X Password Manager, ZipCodec.



                              SPYWARE: WEBHANCER

                                • Webhancer Customer Companion
                                  It's reported that this software is installed on more than 10 million systems all across the world, and like much other spyware it is bundled with many free software applications. It provides a traffic measurement service that uses a client agent installed on user machines, gathering detailed data about sites visited, their performance and, most important, what the user actually does while there.
                                  The WebHancer install will alter critical Registry keys relating to Windows Sockets, causing the system's Internet connection capabilities to break if the user tries uninstalling it.
                                  The running WebHancer process will appear on the Ctrl-Alt-Delete list (Task List) in Windows as Whagent. Customer Companion files are installed in C:\program Files\WebHancer\
                                  The files webhdll.dll and whwsdc.dll are known to cause some Windows errors.
                                  http://www.pestpatrol.com/pestinfo/w/webhancer.asp

                                SPYWARE: Win32.DlDer

                                  • Description of the Win32.DlDer Spyware Trojan Program
                                    Trojan programs are programs that pretend to do one thing while secretly doing something else. DlDer.exe (also known as Win32.DlDer) is supposed to be an online lottery game with advertisements. It also includes a component that spies on your Internet activities and reports them to a Web site.
                                    http://support.microsoft.com/default.aspx?scid=kb;en-us;q317013

                                  ©2002-2007   Alexander Cameron Computer Repairs.   All rights reserved.