Archive for anti-spyware

SpyHeal. Possible successor to SpywareQuake?

On July 7th we were tipped off by one of our members that a new rogue anti-spyware application called SpyHeal was starting to be seen on some of the more dubious anti-spyware product pages. Though we are not the first to report on the new rogue anti-spyware application SpyHeal (SunBelt Blog already blogged about it), there is strong evidence that this may be the successor of the SpywareQuake program, which has had high visibility. For those who do not know what SpywareQuake is: it is a widely distributed rogue anti-spyware application that uses Trojans and fake security alerts as a scare tactic to make you purchase its full commercial version.

[Image spyheal2.jpg: SpyHeal screen]

There are a few items that make us believe that these applications are tied together. Some of these are:

  • The domains are registered through the registrar ESTDomains. Though this in itself is not that suspicious, you can see from the Spyware Warrior blog entry that ESTDomains is tied to ESThost and other domains/ISPs known for hosting malware distribution sites.
  • The Registry entries that start all of these variants are in exactly the same format (shown here as the O4 lines a HijackThis log reports for the Run key):

    O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
    O4 - HKLM\..\Run: [SpyQuake2.com] C:\Program Files\SpyQuake2.com\Spy-Quake2.exe /h
    O4 - HKLM\..\Run: [SpyFalcon] C:\Program Files\SpyFalcon\SpyFalcon.exe /h
    O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
    O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
    O4 - HKLM\..\Run: [Malware-Wipe] C:\Program Files\Malware-Wipe\Malware-Wipe.exe /h

    Notice the /h at the end of each command?
  • There is one server for both SpyHeal.com and SpywareQuake, colocated at the same ISPs: inhoster and intercafe.

    Coincidental or maybe not? If I were a company continuously rolling out products, and making a lot of money on it, I would stick to a solution that I know works.
  • There has been a steadily decreasing number of Trojan installers for SpywareQuake being released. Maybe they are ramping up to start a campaign with a new product?
  • The additional information given at the bottom of the SunbeltBLOG entry linked above.
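
As an added example, not from the original post: a small Python script that parses HijackThis-style O4 lines and flags entries with the shape pointed out above, a value under the Run key whose name equals the folder directly under C:\Program Files and whose command ends in the /h switch. The sample input is the six O4 lines quoted in the post plus two benign entries constructed here for contrast. The rule is a fingerprint for this one family, derived from those six lines; it is an assumption that new variants keep the same layout, and it is not a general rogue-software detector.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: the six O4 lines quoted in the post, followed by two
# benign autostart entries added here for contrast (not from the original page).
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h",
    r"O4 - HKLM\..\Run: [SpyQuake2.com] C:\Program Files\SpyQuake2.com\Spy-Quake2.exe /h",
    r"O4 - HKLM\..\Run: [SpyFalcon] C:\Program Files\SpyFalcon\SpyFalcon.exe /h",
    r"O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h",
    r"O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h",
    r"O4 - HKLM\..\Run: [Malware-Wipe] C:\Program Files\Malware-Wipe\Malware-Wipe.exe /h",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe",
]

# "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
# Split the command line into the executable path (up to the first .exe,
# so paths with spaces survive) and whatever switches follow it.
CMD_RE = re.compile(r'^(?P<path>"?.*?\.exe"?)(?:\s+(?P<args>.*))?$', re.IGNORECASE)


def parse_o4_line(line):
    """Parse one HijackThis O4 line into its parts; None if it does not fit."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cm = CMD_RE.match(m.group("cmd").strip())
    if not cm:
        return None
    return {
        "hive": m.group("hive"),
        "key": m.group("key"),
        "name": m.group("name"),
        "path": PureWindowsPath(cm.group("path").strip('"')),
        "args": (cm.group("args") or "").strip(),
    }


def looks_like_family(entry):
    """Heuristic (assumption) for the SpywareQuake/SpyHeal family layout:
    C:\\Program Files\\<Name>\\<anything>.exe started with the /h switch,
    where <Name> is also the Run value name."""
    parts = entry["path"].parts  # e.g. ('C:\\', 'Program Files', 'SpyAxe', 'spyaxe.exe')
    if len(parts) != 4 or parts[1].lower() != "program files":
        return False
    folder = parts[2]
    return folder.lower() == entry["name"].lower() and entry["args"].lower() == "/h"


def flag_entries(lines):
    """Return the Run value names whose O4 entry matches the family heuristic."""
    flagged = []
    for line in lines:
        entry = parse_o4_line(line)
        if entry is not None and looks_like_family(entry):
            flagged.append(entry["name"])
    return flagged


if __name__ == "__main__":
    for name in flag_entries(SAMPLE_O4_LINES):
        print("suspicious autostart entry:", name)
```

Feed it the O4 section of a real HijackThis log and it will print only the entries that share this layout; ctfmon.exe and the Adobe launcher above are left alone because they are not one folder deep under Program Files, do not share their folder name with the value name, and are not started with /h.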

Though none of this information by itself is conclusive evidence that these programs are related, or that a new campaign is about to start, taken together it does add credence to the possibility.

I have put a very basic guide (link below) on removing the SpyHeal program for those that currently have it installed. As far as we can tell, there are no Trojans that are currently installing it via the fake taskbar security alerts. If you do run into one of these variants and it is difficult to remove, then please contact me and I will help you remove it and at the same time update the guide for the new Trojans that may be installing it.

How to remove SpyHeal (Removal Instructions)


Removal guide for Spyware Sheriff and the Antispylab.com

Spyware Sheriff and the Antispylab.com infections are starting to get decent visibility in many of the antimalware forums. Due to this demand we have put together a detailed guide on the removal of this infection. This guide can be found here:

How to remove Spyware Sheriff and Antispylab


DON’T CLICK ON POPUPS!

If I could hazard a guess, I would say the vast majority of people who surf the web have at one time or another received a popup stating that they are infected with a trojan and to click on the popup to remove it. Want my advice? DO NOT CLICK ON THE POPUP!

The majority of these popups advertise anti-spyware and antivirus software of low quality that is not actually able to remove much of anything. The popups are just a scare tactic. A popup is nothing more than a small piece of HTML that a web page opens in a new window when you visit it; the page cannot inspect your computer, so its "warning" is exactly as valid as a stranger calling you on the phone to say your computer is infected. How do they know? They don't!

For those who may have inadvertently downloaded one of these products: you will find that they list a whole slew of infections while other, higher-quality products, like the ones listed in the previous entry, report that you are clean. This is done purely as a scare tactic to push you into purchasing the product. Go ahead and uninstall the software, as it is probably just wasting space on your hard drive.

Be careful on the Internet. Do not click on popups and do not believe what they say; your computer will stay that much cleaner that way. If you are in need of a legitimate, quality anti-spyware application, see the ones listed in the following links:

Diamonds in the Rough
Antivirus and Antimalware Resources


Diamonds in the rough

Anti-spyware apps are a dime a dozen. Don't believe me? Just type anti-spyware or spyware into Google and see what I mean. There are hundreds of individual anti-spyware programs out there to choose from, and you, the consumer, have to pick the right one that will keep you safe and secure. Does not sound easy, does it? It isn't. This is a common problem we see in the forums: people are duped every day into purchasing what we call a rogue anti-spyware application, that is, an application that entices you into purchasing it through deception or other methods.

The reality is that out of these hundreds of programs, only a small number are considered top-notch, legitimate, and worth using. The rest are classified as rogue anti-spyware applications. Some of the criteria used to add an application to this category are that the program:

  • Does not do a good job of detecting and removing malware
  • Installs adware, spyware, or malware (yes, there are anti-spyware apps that actually install spyware!)
  • Hijacks the user's desktop or browser to display information without permission
  • Is installed through adware or other malware
  • Is advertised via adware or spyware
  • Is installed without the user's consent
  • Uses false, deceptive, or misleading scan results to scare you into purchasing the full commercial version

A full list of rogue anti-spyware applications can be found at SpywareWarrior.

I have included a list, by no means complete, of spyware removal tools that I consider to be quality and trustworthy below. If you have spyware installed, or just want a good scanner on your system, then you can trust any of the ones below. Most of them also include a trial period and some are even free!

Ad-aware - Free personal version!

Pest Patrol

Spy Sweeper

Spyware Doctor

Windows Defender - Currently in development but available for free

Spybot Search & Destroy - Free!

ewido anti-malware plus

CounterSpy



© 2003-2008 All Rights Reserved Bleeping Computer LLC.
