
Microsoft Installed Spyware with Dot Net 3.5 SP1



#1 GTK48


Posted 08 February 2009 - 07:00 PM

Source

May I call this thing spyware? I think I can. Because spyware fits two clear definitions:

* Installs without explicit user consent.
* Cannot be uninstalled using its own uninstaller or via Add/Remove.

So, the story begins with a Microsoft .NET Framework 3.5 SP1 update (KB951847) recently launched. In case you decide to download this update, either automatically or manually, you will end up with a new Firefox extension (if you're using this popular browser), which you have not asked for. OK, no problem, uninstall it. Ah ...

Posted Image

I decided to test this quite worrying story and verify the results for myself. And then, write an article / tutorial that explains how the problem occurs and how you can solve it.

Statement of problem

Claims are as follows: Microsoft / Windows .NET Framework 3.5 SP1 update (KB951847) will install a new extension, specifically .NET Framework Assistant 1.0, to your Firefox browser, if you have it installed, without user consent. Furthermore, to make things worse, this extension cannot be uninstalled.

Is this true?

Let's see ...

Test case - install .NET 3.5 framework

I went to the Microsoft website and downloaded the package. Double-clicked to install.

Posted Image

The installation begins. I used System Safety Monitor (SSM) to monitor all system and registry changes that .NET 3.5 installation makes to see whether I'll see anything suspicious, especially related to Firefox.

The installation seems to proceed well, except the constant alerts from SSM, informing of numerous registry changes. So far, there's nothing major happening.

Posted Image

A thousand SSM alerts later, the installation is complete. I fired up Firefox to see whether new extensions have been added. Nope.

Posted Image

Windows Update

Indeed, there's a high-priority update (first on the list) for .NET Framework, our beloved KB951847. It has been automatically selected and would have been automatically offered had I been using automatic updates.

Nothing mentions Firefox in any way. Furthermore, if you check the KB951847 page, it lists the changes introduced in the Service Pack, but nowhere does it mention Firefox, either.

The download is a whopping 250MB, which raises a question whether you should be using this in the first place. But let's proceed.

Posted Image

After an age of prompts, the installation is complete. I did not notice any prompt from SSM telling me of any change about to happen with Mozilla Firefox, but I could have easily missed it in the torrent of changes. Well, following a restart, I check my Firefox browser and:
Microsoft .NET Framework Assistant 1.0 has been installed

Notice that the Uninstall button is grayed out. I was not asked to approve or even confirm this installation. There is no mention that this thing was going to be installed, neither on the Microsoft pages nor during the installation itself. And now, it seems, it cannot be removed.

Spyware, anyone?

Posted Image

How to remove Microsoft .NET Framework Assistant 1.0 spyware

Luckily, this thing can be removed, rather easily.

Solution 1: Simply delete a few files

This is relatively easy and takes only about 2 minutes. There's no need to be specially savvy about computers. Anyone can do this.

First, close Firefox.

Now, navigate to the following folder:

Posted Image

Posted Image

Move, rename or delete the files inside this folder. If you want to retain some sort of a backup, then zip or rar the files away. You can also delete them or rename them. But make sure once your job is done to leave this folder empty.

Start Firefox. The spyware should be gone.

Posted Image

Optional:

The next step is to clear away the user agent the .NET Assistant leaves behind. If you don't know what a user agent is or how to use the Firefox configuration tab called about:config, you can skip this step.

In Firefox, in the address tab, type about:config and hit Enter. This will take you to a Firefox configuration page, where you can control different aspects of behavior of your browser. The use of this page should only be done by skilled users.

Search for the following string: general.useragent. One of the results that will come up will be general.useragent.extra.microsoftdotnet. We want to reset this string.

Posted Image

Job done.

I would like to thank chrisretusn for this solution. It's simple, fast and elegant.

Solution 2: Registry hack

If you are skilled enough to edit the registry, then you can try this method, too. Again, first close Firefox. Then, open the registry editor (regedit):
Start > Run > regedit.exe

Now, navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions

Here, you will find an entry named {20a82645-...}. Under the Data column in the right pane, you can see and verify that it belongs to Microsoft .NET 3.5. Now, simply right-click this entry and delete it. If you want, export the key first as a sort of backup.

Posted Image

Job done.

Conclusion

I like Microsoft products overall, but I cannot and will never condone blatant misuse of corporate power to distribute useless, unasked-for software to masses who do not have the skills to tell apart good from bad or how to handle issues like the above.

The Assistant, if at all, should be an optional package, with clear user consent granted before any installation. Furthermore, the installation should be fully 100% revocable, so that anyone using the computer can do it, via the standard Add/Remove panel.

This is a very serious breach of user trust. Not only is this package delivered without explicit approval, it's also made difficult to remove. Moreover, its use is not clear. Lastly, the change affects third-party software, not one of Microsoft products, so the question is, what the hell did Microsoft want to achieve with this nebulous, spyware-like update? Animosity from a few trusted users? Force people not to install updates or use older versions of their products?

Anyhow, I leave big questions to big people. If you want this thing off your computer, then you have two rather fast and simple methods. Enjoy. And tell your Firefox friends.

Cheers.

As a footnote I had to go back to:

Posted Image

And delete the dll that returned after a reboot. Now Firefox is faster, and MS should not be doing this.



#2 xblindx


Posted 08 February 2009 - 07:50 PM

The "uninstall" option was grayed out, but the "disable" option was not. Could you not just disable it and possibly uninstall it after it is disabled?

#3 GTK48


Posted 08 February 2009 - 10:22 PM

The "uninstall" option was grayed out, but the "disable" option was not. Could you not just disable it and possibly uninstall it after it is disabled?


No, it won't let you. You can just leave it disabled if you wish. I have found that by removing it, Firefox ran faster. If you want to get rid of it from Firefox, the best way is the following.

If you really want rid of the thing, which is part of Windows now to start with...


Open Regedit (Start > Run > “regedit”)
Go to “HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions”
(or “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Firefox\extensions” for 64-bit versions of Windows)

You’ll see “{20a82645-c095-46ed-80e3-08825760534b}”. Right click it and click Delete.
Restart Firefox.
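
The registry steps from the post above, as an added PowerShell example that is not part of the thread: it lists every Firefox extension registered machine-wide under the two keys named in the post, then removes one ID after exporting the key as a backup. The function names and the backup folder are assumptions made for this example.

```powershell
# Added example: audit Firefox extensions that were registered through the registry.
$script:ExtensionKeys = @(
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions'   # 64-bit Windows
)

function Get-RegistryFirefoxExtension {
    # One object per registration: value name = extension ID, value data = its folder.
    foreach ($keyPath in $script:ExtensionKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($id in $key.GetValueNames()) {
            $folder = [string]$key.GetValue($id)
            [pscustomobject]@{
                Key          = $keyPath
                Id           = $id
                Folder       = $folder
                FolderExists = [bool]$folder -and (Test-Path -LiteralPath $folder)
            }
        }
    }
}

function Remove-RegistryFirefoxExtension {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Id,
        [string]$BackupDir = $env:TEMP    # assumption: any writable folder works
    )
    foreach ($entry in (Get-RegistryFirefoxExtension | Where-Object Id -eq $Id)) {
        if (-not $PSCmdlet.ShouldProcess("$($entry.Key) :: $Id", 'Delete registry value')) { continue }
        # Export the whole key first so the deletion can be undone by importing the .reg file.
        $regPath = $entry.Key -replace '^HKLM:\\', 'HKLM\'
        $tag     = if ($entry.Key -like '*Wow6432Node*') { 'wow64' } else { 'native' }
        $backup  = Join-Path $BackupDir "firefox-extensions-$tag.reg"
        & reg.exe export $regPath $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $regPath failed; nothing was deleted." }
        Remove-ItemProperty -LiteralPath $entry.Key -Name $Id
        Write-Output "Removed $Id from $($entry.Key); backup saved to $backup"
    }
}

Get-RegistryFirefoxExtension | Format-Table -AutoSize
# Preview the change; drop -WhatIf and run elevated, with Firefox closed, to apply it.
Remove-RegistryFirefoxExtension -Id '{20a82645-c095-46ed-80e3-08825760534b}' -WhatIf
```

Running the listing again after a .NET or Windows update shows whether the registration has been put back.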



#4 Guest_fuzzywuzzy6_*


Posted 04 March 2009 - 11:35 PM

Very interesting article, GTK, you are to be commended. I will give it another, closer reading. Since adding the MSN/Windows Update option in Firefox, I cannot contact the download center through Firefox anymore, as it insists on reading the IE7 installed in my alternate browsers (being IE7 and MSN/IE7) as IE5. That has been a frequent complaint at BC over the past 2-1/2 months by many puzzled and frustrated users: the inability of IE7 to be detected correctly by MS/Windows download sites.

Edited by fuzzywuzzy6, 04 March 2009 - 11:37 PM.




