Apparently, the folks that killed Usenet, and are trying their damndest to kill email, have a new method of attack -- the trojan program. See XRLQ for one example.
Unlike a virus, which can be detected fairly easily, a trojan is packaged with some other useful program that one might well want to install. One example is popupswatter which purports to kill popups, and possibly does. But if you read the End User License Agreement, you find the following:
ALL OF OUR APPLICATIONS COME WITH THE MYWEBSEARCH™ BROWSER PLUGIN -- A CUSTOMIZABLE BROWSER TOOLBAR WHICH PROVIDES END USERS WITH EASY ACCESS TO SEARCH RESULTS FROM THE BEST SEARCH ENGINES ON THE INTERNET IN JUST ONE CLICK AND ENHANCES YOUR BROWSER EXPERIENCE BY PROVIDING RELEVANT LINKS AND RESULTS IN RESPONSE TO MISSPELLED OR INCORRECTLY FORMATTED BROWSER ADDRESS REQUESTS.What this means in plain English is that in order to use FunWebProducts' "popupswatter", you agree to have your Windows search function, and possibly other web functions, hijacked, and that they may "update" this functionality and/or install further "applications" on your computer, without notice at any time. And you have agreed to it by clicking OK on that EULA you didn't read.
THE APPLICATION ALLOWS YOU TO EASILY ACCESS ALL OF ITS FEATURES AND FUNCTIONALITY DIRECTLY FROM YOUR BROWSER. IT IS ALSO HIGHLY CUSTOMIZABLE AND ALLOWS YOU TO CREATE YOUR OWN BUTTONS AND LINKS.....
You further understand, acknowledge and agree that in consideration of the Applications, services and information provided to you by FWP, and in order to make our services functional and robust, the Application will communicate with our servers. Such communication may occur, for example, in connection with product updates and fixes, verifying and updating your settings, processing search queries or requests made by you through use of the Application and as otherwise required to maintain and operate the Application. The Application does not report back to FWP with information about the sites you visit on the Internet or collect any information that you provide you to any such web sites. If you wish to withdraw your consent to the communication and data usage as described herein, uninstall any and all Applications from your computer.
A more famous name that does things of this sort is KaZaa (and other file-sharing networks are similar). Here is a choice portion of the KaZaa EULA:
9.1 During the process of installing Kazaa Media Desktop, you must install software from third party software vendors pursuant to licences or other arrangements between such vendors and yourself ("Third Party Software"), including without limitation those software components noted in Section 9.4 below. Please note that the Third Party Software may be subject to different licences or other arrangements, which you should read carefully. By installing and using this Third Party Software you accept these Third Party Software licences or other arrangements and acknowledge that you have read them and understand them. Sharman does not sell, resell, or license any of this Third Party Software, and Sharman disclaims to the maximum extent permitted by applicable law, any responsibility for or liability related to the Third Party Software. Any questions, complaints or claims related to the Third Party Software should be directed to the appropriate vendor.Note that several of these programs have, themselves, further EULA's that you accept by accepting the KaZaa EULA.
9.2 Sharman makes no representations or warranties of any kind concerning the quality, safety or suitability of this software, either express or implied, including without limitation any implied warranties of merchantability, fitness for a particular purpose, or non-infringement to the maximum extent permitted by applicable law, in no event will Sharman be liable for any indirect, punitive, special, incidental or consequential damages however they may arise and even if Sharman has been previously advised of the possibility of such damages.
9.3 There are inherent dangers in the use of any software available for downloading on the Internet, and Sharman cautions you to make sure that you completely understand the potential risks before agreeing to install any of the Third Party Software. You are solely responsible for adequate protection and backup of the data and equipment used in connection with any of the Third Party Software, and Sharman will not be liable for any damages that you may suffer in connection with using, modifying or distributing any of the Third Party Software.
9.4 Embedded Third Party Software
9.4.1 Cydoor. The Software includes a Cydoor Technologies advertising delivery program, which may display web content such as banner ads, e-commerce offers, news headlines and other value-added content. The Cydoor component uses your Internet connection to update its selection of available ads and stores them on your hard drive. For information on Cydoor Technologies and their software, go to http://www.cydoor.com. For information on their privacy policy, go to http://www.cydoor.com/Cydoor/Company/CompanyPrivacy.htm.
9.4.2 Topsearch. The Software includes the Topseach software provided by Altnet. The Topsearch component regularly downloads an index of available Altnet content through your Internet connection. This index contains a list of available rights managed files which can be displayed in your search results. For information on Altnet and their software, go to http://www.altnet.com. For information on their privacy policy, go to http://www.altnet.com/privacy/.
9.4.3 Bullguard P2P. The Software comes with a virus protection feature provided by Bullguard Technology, which is designed to guard your computer from virus attacks by quarantining and deleting files downloaded via P2P that may have a virus. The BullGuard P2P component will update its virus definition file through your Internet connection. . For information on Bullguard and their software, go to http://www.bullguard.com. For information on their privacy policy, go to http://www.bullguard.com/privacypolicy.aspx
9.4.4 GAIN AdServer. Kazaa Media Desktop incorporates a software component called the GAIN AdServer, which is provided by GAIN Publishing. The GAIN AdServer software identifies your interests based on some of your computer usage and uses that information to deliver advertising messages to you. This software helps keep Kazaa Media Desktop free. The GAIN AdServer is provided pursuant to the GAIN Publishing End User License Agreement and Privacy Statement (located at http://www.gainpublishing.com/help/psdocs/kmd/privacy-help51.html), which you acknowledge that you have read and accept. If you would like to stop receiving advertisements through the GAIN AdServer, you will need to remove all GAIN supported software from your computer, including Kazaa Media Desktop, using the Add/Remove Programs Control Panel. For further information on GAIN Publishing and the GAIN AdServer, go to http://www.gainpublishing.com/.
9.4.5 PerfectNav. Kazaa Media Desktop comes with a software program called PerfectNav, which is provided by eUniverse, Inc. PerfectNav is designed to redirect your URL typing errors to PerfectNav's web page. This software helps keep Kazaa Media Desktop free. The PerfectNav software is provided pursuant to the PerfectNav End User License Agreement (located below as Exhibit A), which you acknowledge that you have read and accept. For further information on eUniverse, go to http://www.euniverse.com/.
10. Applicable Law
10.1 This Licence as well as all disputes arising out of or in connection with this Licence shall be governed by the laws of the New South Wales, Australia, without regard to or application of choice of law rules or principles.
Great post! Everyone should know this info. Hopefully we bloggers can help spread the word. Thanks for the heads up too.
Posted by: suzi at November 30, 2003 02:01 PMhaha i loved how you closed your blog...
Posted by: mookie at December 9, 2003 08:35 AMHi, great post. These "add-in" software do 'mess up' windows and deter performance of the computer with the blame going on Microsoft (Bill Gates).
Posted by: Rahul at December 9, 2003 07:22 PMgrr...... (yeah, that was a really great post) I got rid of kazaa, perfectnav just won't die........ anyways, there is also this spyware or w/e that changes words such as " love ", " loved ", and " cash " (I've left spaces just incase it decides to do it again and other people can tell if they have this spyware), anyways, I just want to know what this spyware is called and ways to get rid of it. also, there is this ad that keeps popping up, ad-aware says there are no suspicious files or folders, and yet this ad pops up that says and I quote, "New offer for you! - Microsoft Internet Explorer" in the title of the pop up, and it is an offer for... some sort of mp3 player called nomad, I'd also like to know how to delete that, I've searched and searched, but I haven't found any ways to get rid of it yet, please help.
Posted by: Lee at December 25, 2003 10:07 AMheh heh, sorry, I just remembered something I forgot, I tried to uninstall perfectnav with the uninstall button, but it doesn't uninstall, the setup window opens, but not even a second later it closes.
Posted by: Lee at December 25, 2003 10:14 AMLee--
If the popup window is a small grey box, what you are getting is a "Windows Messenger" hack. This is different from MSN messenger. Unless you are on a business network, and require the sysadmin to send you messages like that, you will want to disable Windows Messenger.
To do so in Win XP, go to Control Panel, Add/Remove Programs, Add/Remove WINDOWS COMPONENTS (left hand side), uncheck Windows Messenger. OK, etc.
Posted by: Kevin Murphy at December 25, 2003 11:29 AMTO remove some programs you may need to be in SAFE MODE. Safe mode must be selected at boot time -- start tapping F8 when the machine boots. You will get a menu of startup options. It will take a while to enter the mode, be patient. Then do the remove process. Then run ad-aware and Spybot S&D.
Suzi (comment above) has several other good pointers and links, and may be current on you particular problem -- it's a pet issue of hers.
Posted by: Kevin Murphy at December 25, 2003 11:32 AMok, I finally found out how to get rid of perfectnav, (for everyone out there that wants to know), first you must follow these directions exactly, (I cannot be held responsible blah blah blah, you do this of your own free blah blah) press control alt and delete at the same time (once, and only once unless you want to restart your computer), then once the task manager is up, click the Processes tab, then close the Process "IEXPLORE.EXE" (make sure you don't close explorer.exe) and once you close that, (if you had windows open for the internet then they'd close) and once that is closed, then just go to the folder and delete it. and voila, no more perfectnav....but I still can't get rid of the ads I told you about earlier......there are some odd Processes in my task manager right now, some that I know must be adware...such as alg.exe, DlvL.exe, Klndr.exe, hkcmd.exe, KBD.EXE, and WATCH.exe. not sure what those are for, but I know they aren't usefull....and when I close them, they open up again.
Posted by: Lee at December 25, 2003 10:24 PMI find that if I google "blahblah.exe" there is almost always something somewhere that tells me what it is (Windows component, application task, or crapware). If the last, there is usually instructions on killing it.
You might also look through the Admin Tools for Component Services and see what starts with Windows. Things can be turned off there, but you DO want to know what's what.
If anything you do causes harm "the secretary will deny knowledge of your actions."
Posted by: Kevin Murphy at December 26, 2003 10:04 AMI still can't get rid of the ads, plus this thing clear search, I want to get rid of that too, but it keeps telling me it is in use, how can I remove this?
Posted by: Lee at December 28, 2003 09:07 AMalg.exe is a windows system thing
hkcmd.exe and KBD.exe are keyboard tasks
WATCH.exe is a scanner task
the others are unknown to me
Have you tried the uninstaller at http://www.clear-search.com/
or read this
http://sarc.com/avcenter/venc/data/adware.clearsearch.html
or this
http://www.safersite.com/PestInfo/c/clearsearch.asp
or this
http://uk.mcafee.com/virusInfo/default.asp?id=description&virus_k=100777
Posted by: Kevin Murphy at December 28, 2003 09:59 AMI got perfectnav to quit loading as it was taking over when I started my browser by itself without KaZaa active. I went into the registry editor to the local machine\software area and found the perfectnav key and deleted it also to the current user\software key found the perfectnav key and deleted it as well then I went to my computer c:\program files\perfectnav and deleted the folder.
Posted by: Walt at January 2, 2004 03:51 AMI am so glad I came across this info!
I, too had Kasaa. I deleted it because
I came across info saying it was the cause of
Gain Adserver.
This Gain is so rude. It will suddenly appear
on top of the window I am working on or reading.
Constantly, these huge ads on my computer
interrupt me. They even hold my computer
from shutting down sometimes, until I delete
the ad.
Even though Kazaa is gone, all the other stuff
stays.
One day I found a web site address. And sent
a not very nice email to Gain saying How dare
you infiltrate my computer, and you are
invading my privacy and violating my rights
and take all your stuff off my computer.
I didn't know I had accepted this through the
agreement (I never read).
About a half hour later I was bombarded with
huge ads from Gain. They were lined up behind
each other. Everytime I clicked the x to
delete one another was there. I was furious.
I was clicking and clicking, deleting like
mad. And you could see more lining up.
I couldn't escape these ads or use my computer.
I had to close down with the on/off button.
This went on for 2 days.
And Kazaa wasn't listed in my add/remove
programs. I could only delete any file I could
find.
I did a search for Gain Ads or Adserver or
Gain Adserver Software and came up with nothing.
Thank you. I am going to try all these things
that are listed here.
This whole thing is driving me crazy.
Posted by: Jeanne OHalek at January 26, 2004 07:29 AMTry Bazooka from www.kephyr.com, It's another free adware removal tool that seems to be good
Posted by: Nick at January 31, 2004 10:07 AM