Mirar Toolbar - Unwanted Tool ? YES
Sunbelt has finished its review process.

They conclude that the Mirar Toolbar product does, in fact, satisfy Sunbelt’s objective criteria for a Potentially Unwanted Installation.
Currently Sunbelt classifies the Mirar toolbar as a “moderate risk” “adware toolbar.” Mirar toolbar is marked by a number of problems including:
- poor installation practices resulting in inadequate notice and disclosure
- the display of unrequested, undisclosed advertising on the users’ desktops
- undisclosed addition of NetNucleus sites to the Internet Explorer Trusted sites zone
- poor uninstallation practices, including the use of an uninstaller available only online
Read more here: Our response on the Mirar Toolbar
February 2, 2007 on 11:00 pm | In Adware
Found new fake codecs - SilverCodec and BrainCodec
Sunbelt blog and Bleepingcomputer reported on two new fake codecs: SilverCodec and BrainCodec.

This is so new in fact, that though the BrainCodec has its own domain and its own braincodec.107.exe, they forgot to change the web site itself. As you can see the web site is still showing the layout and image for Gold Codec.
Links: Silver, Gold… but you’re not getting platinum, scumbags
From precious metals to body parts?
More fake codec sites
As always, DO NOT download these fake codecs.
They do not improve video or audio, and installing them under the premise of “free video” or any other reason is a very bad idea.
- MovieCodec
- TV Codec
- WatchFree
- SuperCodec
- Perfect Codec

Thanks to SunbeltBlog.
November 21, 2006 on 7:11 am | In Adware, Malware
More fake codec sites, or the story continues…
The story continues… some days ago Sunbeltblog reported on fresh fake codec sites.
The codec is actually a trojan downloader and installer. It changes your home page to one of the security scam sites currently in use, such as iupdate.com. It produces unwanted pop-ups that sell rogue security software or open pornographic pages such as adultfriendfinders[dot]com.
The codecs also install one of the anti-spyware rogues, currently SpywareQuake and VirusBurst. These give false positives along with alert bubbles to scare users into buying the software. The same people own the online billing sites used, so you would be giving your credit card number to the people who infected you.
These sites:
IP: 85.255.118.195
vccodec(dot)com
IP: 69.50.188.109
hqcodec(dot)com
IP: 69.50.188.109
powercodec(dot)com
IP: 69.50.188.109
medcodec(dot)com
IP: 216.255.183.202
ptproject.com (currently offline)
All of these sites, except for ptproject(dot)com, have installers confirmed on their sites, even if the main page is not loading.
October 26, 2006 on 7:59 am | In Adware
MSN Worm Used to install Backdoor
F-Secure has received reports from customers of suspicious pop-ups being spammed through MSN Messenger. Below is a sample message:
lol check
http://peopleonline.pe.funpic.de/[REMOVED].pif
When the link in the message is clicked, it automatically downloads a file named photo942.PIF. This file is the backdoor component of Licat.C. It is used to connect to go.cheap[Removed].info and go.links4[Removed].biz.
These websites contain a malicious IP address. Accessing this address in turn downloads other malware and adware from www.uglyphotos.net/[Removed] and executes it on the infected machine.
One of the downloaded files is responsible for the pop-up messages that are being spammed via MSN Messenger. It arrives on the system with the filename sprT.exe. This file is also detected as IM-Worm.Win32.Licat.c.
Licat.C, a variant of Licat, is a Trojan. Licat.C can send instant messages or contact certain websites to inform malware authors about certain events, and it allows files to be downloaded to the infected computer. Licat.C tries to connect to certain websites on the Internet.
Licat.C also attempts to replace the original MSN Messenger application client, msnmsgr.exe, with its own copy. The original Messenger file is renamed and is started by the copy. Deleting the Licat.C copy and renaming the original file, msgs.exe, may repair the installation of Messenger.
The other downloaded files are adware related. One is a trojan that drops a variant of PurityScan adware onto the system - detected as Trojan-Dropper.Win32.PurityScan.ag. The other is a Softomate adware installer - detected as Softomate toolbar.
October 1, 2006 on 7:49 am | In Adware, Worms
More fake codec sites
Sunbeltblog reported (1, 2) on two fresh fake codec sites.
- Strcodec
- MP Video Codec

Add both sites to your blocklist, using the following information:
69.50.160.58 Mpcodec.com
85.255.118.194 strcodec.com
SmartBrowser has a smart EULA
Spywareguide reported on a site that entices an end-user to install something they think they need, only to pull the rug out from under them and reveal that (in actual fact) it was this program over here that they needed all along! The site is a typical free movies / webcam website. This site displays numerous videos for you to watch, with the words “live now” next to a play button. Pressing the button does not launch a video (as one would reasonably assume!), but actually opens up a download prompt.
The name of the executable continues the baiting strategy - “open for instant access“. At this stage, the end-user still reasonably believes running this software is essential to viewing the videos on the frontpage. However, when you install it, IE opens automatically and you see a page of Zango videos, where you have to install various pieces of Adware from Zango in order to acquire the License to watch the video. However, these are not the “videos” mentioned on the frontpage - in fact, they don’t seem to exist. And as far as “watching the videos on the frontpage” goes, installing Smart Browser serves no purpose whatsoever.
SmartBrowser is controlled by smart-browser.com. In our studies it changes the default home page and opens pop-up pornographic advertising (examples included extremelybabes.com and extremelyamateurs.com), and it redirects attempted access to other pornographic sites to these sites instead. (Caution: these sites may attempt to load premium-rate dialers.)
EULA Analysis demonstrates some notable and alarming security risks:
- “YOU AGREE THAT UPON ENTERING ANY SITES UNDER THE CATEGORY THAT FEETS OUR PUBLISHERS CATEGORIES ,AN ADVERISEMENT MATCHING THAT CATEGORY WOULD POP UP, AND”
- “YOU AGREE THAT YOUR COMPUTER WILL BE USED TO CONNECT TO OUR SERVER FOR ANY UPDATES OR ADDINS. AND”
- “YOU KNOW AND AGREE THAT YOUR COMPUTER WILL BE USED TO SEND EMAILS (PUBLISHMENT & FILES) TO YOUR FRIENDS (USING YOUR LOCAL USER DATABASE) AND TO OUR LISTS .AND YOU ASSURE US THAT YOU WON’T CONSIDER THAT A VIOLATIONS OF YOUR PRIVACY OR ANY OTHER RIGHT. AND”
- “YOU KNOW AND AGREE THAT YOUR COMPUTER WILL BE USED TO CONNECT TO CHATS IRC, YAHOO ,MSN ,ETC IN ORDER TO PUBLISH OUR PRODUCTS.”
What we have here is a clear example of Bait and Switch - luring you in with one offer, only to be denied the desired item, but presented with a “substitute” at the last moment. The difference here, is that the webmaster also gets to install Smart Browser onto the PC in the process - I suppose you could call it a two for the price of one deal or a “bonus”. Even if the end-user doesn’t choose to download any Zango videos, they’ll still be receiving pop-ups (and possibly premium rate dialers) via Smart Browser.
July 27, 2006 on 9:51 am | In Adware
Browsezilla - next internet generation - Web browser that contains malware
PandaLabs has discovered that Browsezilla, a free web browser available on several web pages, infects computers with the adware PicsPlace, without users’ knowledge. This adware, which activates whenever a user starts up the infected PC, opens a series of adult web pages, although they are not visible to the user. This tactic is aimed at artificially increasing visits to these pages.
Browsezilla is an application similar in appearance to the widely-used Mozilla browser, and also uses a dinosaur as a logo, no doubt to encourage users to trust the application. Ironically, the creators claim that Browsezilla offers safer Internet use than other browsers, as it supposedly does not store the history of pages visited or favorites lists. To encourage users to install it, the official page offers an Internet search service. However, the search always results in a page advising that it is necessary to download the browser in order to obtain the requested information.
Browsezilla is detected as adware due to the following reasons:
- It is automatically downloaded to the computer when carrying out a search using it, without asking for user permission.
- It installs itself without user’s explicit permission and knowledge.
- It does not display an EULA (End User License Agreement) during its installation.
- One of its components automatically downloads and runs a file without asking for user permission.
- It offers links to adult content without clearly asking for user consent.
Browsezilla can be voluntarily downloaded when visiting certain websites for adults, and from the website belonging to the company that has developed it.
Note: although a former version of Browsezilla downloaded a copy of the adware PicsPlace to the affected computer, a newer version has been released, which does not carry out this action.
July 12, 2006 on 4:59 pm | In Adware
How to remove NEED2FIND and RXToolbar
Need2Find is adware promoted by Ask Jeeves.
Ask Jeeves distributes a variety of programs that offer users some trinket of apparent value (e.g. smileys for email programs) while also adding an extra toolbar to users’ web browsers. Ask Jeeves promotes these programs in ways that do not entail meaningful user consent. This article examines one such installation, its methods, its (purported) license agreement, and its effects. Notable characteristics:
- Installation at a site targeting kids.
- Euphemisms used in place of plain language.
- Failure to affirmatively show a license agreement. On XP SP2, failure even to alert users to a license agreement.
Read more: Ask Jeeves Toolbar Installs via Banner Ads at Kids Sites
Download HijackThis and save the file to your desktop.
Double-click on the file to extract it to its own folder on the desktop.
Download and install CCleaner.
If you do not already have Ad-Aware SE installed, follow these download and setup instructions. Also check for updates.
Again, do NOT run a scan yet.
Next, download, install, and update the free version of Ewido security suite:
1. When installing, under “Additional Options” uncheck “Install background guard” and “Install scan via context menu”.
2. Run Ewido.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. Wait until the update finishes (the status bar at the bottom will display “Update successful”).
5. Exit Ewido. DO NOT scan yet.
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:
Need2Find
RXToolBar
Next, please reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Now run HijackThis: click “Do a system scan only.” Place a check next to the following entries (if they are still there):
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O8 - Extra context menu item: &Search -
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
Next, run Ad-aware and perform a full scan. Remove everything found.
Run Ewido
1. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
2. If Ewido finds anything, it will pop up a notification. Please select “clean” and check the boxes “Perform action with all infections” and “Create encrypted backup” before clicking on OK.
3. When the scan finishes, click on “Save Report“. This will create a text file. Make sure you know where to find this file again.
Run CCleaner.
Click the Analyze button. After it has scanned your system, click Run Cleaner.
Restart your computer in normal mode.
Run the Panda online virus scan.
- Once you are on the Panda site click the Scan your PC button
- A new window will open…click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
If you still have problems after that, please post a new HijackThis log, the Ewido log, and the Panda ActiveScan log to the Spyware Removal Forum.
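To confirm the entries are gone before posting a fresh log, the check below scans a saved HijackThis log for the two CLSIDs and the two install folders named in the O2, O4 and O18 entries above. It is an added example, not part of the original post; the function name `find_leftovers` and the sample log are constructed for illustration, and the O8 line is not matched because its target is cut off in the post.

```python
import re

# Indicators copied from the O2, O4 and O18 entries listed in the post.
CLSIDS = {
    "{4D1C4E81-A32A-416B-BCDB-33B3EF3617D3}",  # Need2Find Bar BHO (O2)
    "{2AB289AE-4B90-4281-B2AE-1F4BB034B647}",  # RXToolBar text/html filter (O18)
}
FOLDERS = (
    "c:\\program files\\need2find\\",
    "c:\\program files\\rxtoolbar\\",
)

# Entry lines start with a section code: "O2 - ...", "R1 - ...", "F2 - ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def find_leftovers(log_text):
    """Return (section, line) for every entry that still matches an indicator."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # log header, running-process list, blank lines
        section, body = m.groups()
        # Compare CLSIDs case-insensitively: the post writes one with a lowercase "b".
        clsids = {c.upper() for c in CLSID_RE.findall(body)}
        if clsids & CLSIDS or any(f in body.lower() for f in FOLDERS):
            hits.append((section, line))
    return hits


# Constructed sample log (not from a real machine). The "Example" entries are
# benign filler; the O18 line uses a different folder to show the CLSID match.
SAMPLE_LOG = r"""Logfile of HijackThis
Running processes:
C:\WINDOWS\explorer.exe
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\tray.exe
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\WINDOWS\system32\sfcont.dll
"""

if __name__ == "__main__":
    for section, line in find_leftovers(SAMPLE_LOG):
        print("STILL PRESENT:", line)
```

An empty result on the log saved after “Fix Checked” and the reboot means none of the listed CLSIDs or folders are still registered.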
June 1, 2006 on 9:59 am | In Adware, Tutorials - "How to"
YapBrowser is back online
Some time ago we reported on this adware:
YapBrowser, a potentially dangerous application that pre-installs 180Solutions Zango and does nothing but apparently redirect you to a porn site. Read more: YapBrowser and Yapsearch(dot)com
Now the YapBrowser site is back online.
The website claims:
YapBrowser is a browser which will make searching for any information online much simpler. Download YapBrowser for free and forget about getting to sites containing harmful exploits. Your computer will be free from viruses breeding online. Attention! You can download a 100% free adult version of YapBrowser. Using it you will be able to search for and browse adult content for free. There is a 100% guarantee no system infection will occur when using our software. YapBrowser is the only browser which gives you safe search and browsing capabilities. Now you can download it for no cost at all.
So it is an adult version this time around and the user is getting a warning upfront and you guessed it - it’s free and now backed by a 100% guarantee you won’t experience a system infection.
Read more about yapbrowser on Spyware Guide: Return of The Yap Browser
May 31, 2006 on 9:11 am | In Adware