Camtech 2000
If you have already read this article prior to 12/13/2002 you can Skip Ahead to the Dec 12, 2002 Update or the June 12, 2003 Update (an email offer I received from them requesting Camtech promote their "product")
A New Spyware Tactic?
I don’t usually publish a Newsletter unless I have a new program to release but in this case I think it’s more than warranted. Thanks goes out to JoeComputer for alerting me about this one.
A program called Spyware Nuker was recently released boasting it can remove Spyware and Adware from your PC that others may leave behind. After testing this I was very surprised by what I found. Am I calling this Spyware? Read on for the results of my tests and you can decide.
What first caught my attention is that you have to first download a small installer that downloads and installs the main file. As a software developer I can tell you that it’s twice the work to create a file to download a file and unnecessary in my opinion. Most that do this will download to a temporary directory, install the program and then delete the main file. The only reason I see for this is if someone didn’t want you to have or see the main file. I managed to get it anyway and found that their files were compressed by a little known compressor and aren’t readable by standard Windows means. Is there something to hide?
Here are a few excerpts from their 5 page license agreement:
"You acknowledge that "Trek Blue" may, at their sole discretion and for any purpose, provide updates, automatic or otherwise, to the "Trek Blue" Program(s) including but not limited to the advertising or other value-added software and technology.
By installing, downloading, copying, updating or otherwise using the "Trek Blue" Program(s), you specifically agree to include and/or accept the noted software and technology through which "Trek Blue", its subsidiaries, affiliates, partners, divisions, and clients provide value-added upgrades and applications to your computer."
In other words, they can install anything they want, anytime they want without informing you “including but not limited to advertising or other value-added software and technology” on your PC.
"You acknowledge that you desire to receive value-added content and applications as a condition to using the "Trek Blue" Program(s)."
Translation: We’re covering our butts so you can’t sue us.
On running a Domain name check I found that the Domain http://www.spywarenuker.com is actually owned by the following advertising company that according to them “specializes in integrated marketing, media branding and online advertising technologies”
Domain Name: SPYWARENUKER.COM
Organization:
Lions Pride Enterprises, Inc.
1959 Palomar Oaks Way - 3rd Floor
Carlsbad, CA 92009
US
Phone: (760) 496-1600
Fax..: (760) 496-1601
Email: webmaster@lionsprideenterprises.com
Web Site: http://lionsprideenterprises.com/
Note: As of June 12, 2003 the lionspride web site is no longer available. But http://trekblue.com is.
Registrant:
TrekEight LLC
6965 El Camino Real - Suite 105-698
La Costa, California 92009-4195
United States
Administrative Contact:
WebMaster, WebMaster
hostmaster@trekdata.com
TrekEight LLC
6965 El Camino Real - Suite 105-698
La Costa, California 92009-4195
United States
(760) 443 5715 Fax -- (760) 443 5715
Domain servers in listed order:
SHARK01.TREKDATA.COM
SHARK02.TREKDATA.COM
SHARK007.TREKDATA.COM
"SHARK01" - an appropriate name.
And of course there's http://trek8.com which looks basically the same as Lionspride did.
Domain Name.......... trek8.com
Admin Name........... Leasure, Jamie
Admin Address........ 2228 Bancroft St
Admin Address........ San Diego
Admin Address........ 92104
Admin Address........ CA
Admin Address........ UNITED STATES
Admin Email.......... james@rankyou.com
Admin Phone.......... +1.6195018225
Name Server.......... shark01.trekdata.com
Name Server.......... shark02.trekdata.com
Name Server.......... shark007.trekdata.com
There's that SHARK again.
How about that? A Spyware removal program owned by an advertising company that specializes in installing Spyware/Adware on Computers. What’s wrong with this picture?
I found this on the Spyware Nuker web site:
“Some LSP products may overwrite system files such as wsock32.dll”
The file wsock32.dll is written by Microsoft and it’s used to connect you to the Internet and you can't connect without it. Why would they need to overwrite that? As far as that goes, why does a program installed on your PC to scan for files even need to be connected to the Internet to be used? Again, it must be there to download and install their “advertising or other value-added software and technology”.
JoeComputer and I both use Lavasoft’s Ad-Aware regularly (still the best in my opinion) and Spyware Nuker did find 6 more files it tagged as Spyware/Adware. The only problem is that they were wrong on all 6 counts and removing some caused problems. These were perfectly legitimate files and definitely not Spyware. One example is that it tagged a .dll in Microsoft Money as Spyware and quarantined it. After that any time My Computer, My Documents or any other directory was clicked on Windows asked for the MS Money disk. Huh???
Now here’s the kicker, this is Shareware that will show you which files it thinks are Spyware but if you want to remove them you’ll have to fork over $30 to do it. So if I’m right, and I believe I am, not only are they installing Spyware on our PCs but they’re charging us $30 to do it. Does the expression “Brass Balls” ring a bell?
As I said at the beginning, am I calling this Spyware? No, I would never say anything like that! (I can also cover my butt) As Bill O’Reilly on The Factor says, “We report the facts and let the audience decide”.
We finally received a response from Jamie Leasure at Trekdata.com who claimed that Spyware Nuker is not Spyware, the License agreement was an oversight and outdated. The program was just released 11/13/2002 on Cnet so it sure became outdated quick. He also said that they are in negotiations to buy the Domain and program. He failed to mention that Trekdata's business address is exactly the same as Lions Pride Enterprises. By the way, Trekdata's business is mass email marketing. Enough said about that.
I have done an install/uninstall, tracking every step of the way, and here are the results. The first time I ran the program it immediately tried to connect to the Internet as well as the other Computers on my Network. Of course I blocked it. After uninstall I found that it left these files behind in the Windows\System directory:
argradient.ocx
as-ifce1.ocx
picclp32.ocx
smartsubclass.dll
VB5DB.DLL
I deleted them with no problem. If you have installed it before I would suggest you do the same after uninstalling it. If you are using an NT based Operating System you'll find them in Winnt\System instead of Windows\System.
Of course the real damage occurs after you install the program and it starts downloading their value-added content and those file names can change from time to time in order to avoid detection. For removing those I use and highly recommend SpyBot Search & Destroy. It's an excellent program for getting rid of Spyware and it's free.
http://spybot.safer-networking.de/
It will also install a program in your Windows Startup so it's always running. To remove it click Start/Run and enter msconfig in the box. Then look in the Startup tab for it. It will probably say Spynuker Installer or something similar. Remove the check and restart your computer. If you like you can also use Camtech's Ultimate Startup Manager for managing all your Startup programs. (Yes, that's a plug)
To prevent web based Spyware installations try Spyware Inoculator
They use InstallShield for their installer which I am very familiar with. I can tell you that it does an excellent job of automatically removing all files and registry entries that it installs unless the programmer specifies otherwise so it's no accident that they were left.
Now on to Lions Pride's latest release, NoPop!, which is even worse than Spyware Nuker. It's offered at Blazing Logic (nopop.net) and according to a quote on their site:
"Blazing Logic is a division of Lions Pride Enterprises, Inc."
The License Agreement for it is 6 pages long and I won't bore you with the details but here is just a small sampling of it.
You grant No-Pop permission to add/remove features and/or
functions to the existing software and/or service, or
to install new applications, at any time, in its sole
discretion with or without your knowledge and/or
interaction. You also grant No-Pop permission to make any changes to the
software and/or service provided at any time.
IN NO EVENT SHALL NO-POP BE LIABLE TO ANYONE FOR...
THE INTRODUCTION OF COMPUTER VIRUSES, INVASION OF
PRIVACY AND ANY RISK ARISING OUT OF ANY CONTENT
TRANSMITTED OR RECEIVED IN CONNECTION WITH THE USE OF THE SOFTWARE...
YOU ASSUME THE ENTIRE RISK!
Now, it does block Popups but it displays its own popup windows whenever you're Surfing until you pay them $25.00. Lions Pride's main business is Popup Advertising so this is just what I needed, a Popup Blocker from a Company that makes Advertising Popup Windows such as Blazing Logic, Rankyou, Twisted Humour, Leedgread and Naughty Body. You may have seen their Cookies on your PC. I'm sure you've seen their Popups.
On my install/uninstall tests I found that at run time it tried to connect to the Net and my Network just like the 'Nuker' did and also leaves files behind. The difference is that it leaves its updater that starts every time you start your Computer. I guess they just want to 'Reach out and touch someone'.
Here are the files it leaves with instructions on how to safely remove them if you have tried this program.
After using their uninstall you must first delete the Registry entry that starts their updater. Windows won't let you delete the file while it's being used.
How To:
Click Start/Run and type regedit and click OK. Using the left pane navigate to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
In the right pane you'll see the Name "updater" with the Data "C:\WINDOWS\Update-Nopop.exe" or "C:\Winnt\Update-Nopop.exe"
Right click on the Name "updater" and delete it. Now you must restart your Computer before deleting the files. When your Computer restarts go to these Directories and delete the files.
Files left in Windows (or Winnt):
Update-Nopop.exe (installs new applications with or without your knowledge, runs at start up)
Files left in Windows\System (or Winnt\System):
mousenp.dll
msvcr70.dll
Nopi17.dll
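A report-only check for the leftovers described in this article (the five Spyware Nuker files, the NoPop! files and the Run value that starts Update-Nopop.exe), written as PowerShell. This is an added example, not part of the original article; the function name Get-ArticleLeftover and the extra System32 lookup are assumptions.

```powershell
# Added example: report-only audit. Nothing is deleted or modified.
function Get-ArticleLeftover {                  # hypothetical function name
    $winDir = $env:windir                       # C:\WINDOWS or C:\Winnt
    # The article names Windows\System; System32 is checked as an assumption.
    $sysDirs = 'System', 'System32' | ForEach-Object { Join-Path $winDir $_ }

    # File names exactly as listed in the article.
    $nuker = 'argradient.ocx', 'as-ifce1.ocx', 'picclp32.ocx',
             'smartsubclass.dll', 'VB5DB.DLL'
    $nopop = 'mousenp.dll', 'msvcr70.dll', 'Nopi17.dll'
    # Microsoft runtime components that other programs may also have installed.
    $shared = 'picclp32.ocx', 'VB5DB.DLL', 'msvcr70.dll'

    $targets = @()
    foreach ($dir in $sysDirs) {
        foreach ($f in $nuker) { $targets += @{ Product = 'Spyware Nuker'; Path = Join-Path $dir $f } }
        foreach ($f in $nopop) { $targets += @{ Product = 'NoPop!'; Path = Join-Path $dir $f } }
    }
    $targets += @{ Product = 'NoPop!'; Path = Join-Path $winDir 'Update-Nopop.exe' }

    foreach ($t in $targets) {
        if (Test-Path -LiteralPath $t.Path -PathType Leaf) {
            $leaf = Split-Path -Path $t.Path -Leaf
            $note = ''
            if ($shared -contains $leaf) { $note = 'shared runtime: check other programs first' }
            [pscustomobject]@{ Product = $t.Product; Kind = 'File'; Item = $t.Path; Note = $note }
        }
    }

    # The article's Run key; flag any value whose data launches Update-Nopop.exe.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($data -match 'Update-Nopop\.exe') {
                [pscustomobject]@{
                    Product = 'NoPop!'; Kind = 'Run value'; Item = "$name = $data"
                    Note    = 'delete the value, restart, then delete the file'
                }
            }
        }
    }
}

Get-ArticleLeftover | Format-Table -AutoSize -Wrap
```

An empty result means none of the listed files or the updater entry were found in the checked locations.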
It seems that with the decline of banner supported software due to all the bad publicity and Law Suits, advertisers are turning to new tactics.
I'll leave you with a quote from Lions Pride's web site concerning NoPop!
"In pursuit of developing the perfect Internet user experience, LPE proudly presents NoPOP!, the anti-pop ad software. No Pop! is the first of three Internet aids designed to give power and freedom back to the Internet user."
Give the power and freedom back to who????
Update - June 12, 2003 I just received this email from Trek8.
From: John Ford [john@trekblue.com]
Sent: Thursday, June 12, 2003 4:52 PM
Subject: We Want to Advertise on Your Site.
Hi,
I’m the Media Director with Trek8.com. We are currently promoting our latest
product, SpyWareNuker, www.spywarenuker.com - It’s a spyware/adware removal
software that retails for $19.95, $29.95, or $49.90 contingent upon which
package your user purchases. We’re prepared to pay you 4/10 of the purchase
price per sale for each sale generated from your site. We can place either a
pop-under on your site or a banner whichever you’d prefer. If you’re
interested, all you need to do is send me the following information:
Your Name
Business Name (DBA)
Address
Phone Number
Url where the ad will be shown
There is some urgency to get started as quickly as possible, as we need to
close out our third quarter ad budget.
I look forward to hearing from you.
Sincerely-
John Ford
Media Director
Trek8.com
john@trekblue.com
"retails for $19.95, $29.95, or $49.90 contingent upon which package your user purchases"
I guess that means the more you pay the more Spyware you get. I'm sure you can imagine my response to the offer.
Other 'Products' by Trek8 I have not tested and don't intend to:
Error Nuker
Spam Nuker
Popup Nuker
Regards,
Jerry Campbell