
StopGuard: Request for Info



#1 eburger68 (Advanced Member; Retired Staff; 126 posts)

Posted 04 September 2004 - 08:43 PM

Hi All:

StopGuard was added to the Rogue/Suspect Anti-Spyware pages on Aug. 30. As Suzi at Spyware Warrior notes ( see http://www.netrn.net...es2/000655.html ), we've seen an increasing number of people coming into anti-spyware forums reporting problems with popups of some sort touting StopGuard. A few examples:

vipfares.com, stopguard.com, more obnoxious popups
http://spywarewarrio...opic.php?t=5101

popups go away!!!
http://forum.aumha.o...?start=0&t=7397

Stopguard, vipfares and winfirewall popups
http://spywarewarrio...opic.php?t=5438

stopguard slow computer help please
http://spywarewarrio...opic.php?t=5421

Stopguard problem: here is my log
http://spywarewarrio...opic.php?t=5296

Stopguard infection: hijack log listed
http://spywarewarrio...opic.php?t=5445

The problem is that we don't completely understand how these popups are being generated, though they do appear to be pulled from the StopGuard home page, where users are encouraged to try the StopGuard "free scan" ( http://stopguard.com/ ). Are these standard web page popups from third-party sites, or are they being generated by a locally installed advertising application? If the latter, which one? And how does that advertising application itself get installed and from where?

Some screenshots of the StopGuard popups and a related vipfares.com popup:

http://www.spywarewa...ub/stopgcpy.jpg
http://www.spywarewa...b/stopguard.jpg
http://www.spywarewa...ub/vipfares.jpg

The StopGuard application itself is a bit odd. The RealScannerInstall.exe from the download page is a stub downloader. It proceeds to download and execute a larger 4 mb RealScanner.exe, which is itself another downloader/installer that downloads and executes six other .exe packages ranging in size from 360 kb to 3980 kb:

DriveCleanerEngineSetup.exe
ComputerCleanerEngineSetup.exe
ContentPatrolEngineSetup.exe
ADPatrolEngineSetup.exe
InternetAntiSpyEngineSetup.exe
VirusGuardEngineSetup.exe

All these downloads are pulled from http://www.genericscanner.com/

Visit that site: you'll notice that it coughs up URLs for a number of other things besides the six packages listed above. In fact, most of the scanning process is driven by URLs listed on that site.

The entire scanning process is divided into 6 stages -- one for each of the packages. See this page for some selected screenshots of two of the StopGuard components in action:

http://www.spywarewa...ns_outcasts.htm

The main app (RealScanner.exe) downloads and executes each of 6 packages above in sequence, then displays the appropriate message using the URLs listed at the genericscanner.com site. Once you finish scanning and exit the app, there's no way to re-start it. Nothing on the Start menu. No desktop icons. Nothing. The whole thing is a one-off deal. Very weird.

On my box it generated false positives on lots of things -- only one adware/spyware component found, though. There are no logs to speak of, and the scan results reporting is quite poor. There's also very little info to be found about the company, Vantage Software (vantagesoftware.com). Not a EULA or privacy policy in sight either. Still worse, there's no uninstaller, so garbage is left in \Program Files that has to be removed by hand.

So, that's what little we know. We'd appreciate any other information that folks here at SpywareInfo.com could provide.

Best,

Eric L. Howes

Edited by eburger68, 04 September 2004 - 09:03 PM.


#2 WinHelp2002 (Taking back the Internet; Retired Staff; 5,365 posts)

Posted 05 September 2004 - 07:47 AM

Eric,
I guess you know by now that those sites are all related and running on the same server (iad1.nssrv.com).

In the HijackThis logs the common denominator is:
O2 - BHO: CATLEvents Object - {random CLSIDs} - C:\DOCUME~1\username\LOCALS~1\Temp\avajc.dat

(Running Processes)
C:\random folder\cjava.exe <--note the reverse spelling of the ".dat" file.
CATLEvents Object = "virtumonde"

From my HOSTS file:

# [Zend Media][Innovative Marketing][popup marketing scam]
127.0.0.1 adserver.affiliatemg.com
127.0.0.1 secure.billingnow.com
127.0.0.1 www.buysmarter.com
127.0.0.1 genericscanner.com
127.0.0.1 www.genericscanner.com
127.0.0.1 alpha.gigaisp.net
127.0.0.1 stats1.iad1.gigaisp.net
127.0.0.1 locator.imagesrvr.com
127.0.0.1 innovativemarketing.com
127.0.0.1 www.innovativemarketing.com
127.0.0.1 internetantispy.com
127.0.0.1 www.internetantispy.com
127.0.0.1 images.kazaaplatinum.com
127.0.0.1 www.kazaaplatinum.com #[server down?]
127.0.0.1 www.mp3u.com
127.0.0.1 ns2.iad1.nssrv.com
127.0.0.1 www.popupguard.com
127.0.0.1 stopguard.com #[Rogue/Suspect]
127.0.0.1 www.stopguard.com
127.0.0.1 supportcs.com
127.0.0.1 www.supportcs.com
127.0.0.1 ads.softwareoutfit.com
127.0.0.1 vantagesoftware.com
127.0.0.1 www.vantagesoftware.com
127.0.0.1 virtumonde.com #[Adware.VirtuMonde][TROJ_AGENT.BV]
127.0.0.1 updates.virtumonde.com #[TrojanDownloader.Win32.Rahitor]
127.0.0.1 www.virtumonde.com #[Download.Ject][CATLEvents Object]
127.0.0.1 http.edge.vru4.com
127.0.0.1 www.winantivirus.com
127.0.0.1 winfirewall.com
127.0.0.1 www.winfirewall.com
127.0.0.1 www.winpopupguard.com

Note: you even get your own searchable "comment" now in my HOSTS file :D
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#3 eburger68 (Advanced Member; Retired Staff; 126 posts)

Posted 08 September 2004 - 12:48 AM

WinHelp2002:

Thanks for the advice and info.

We have started to get a steady stream of StopGuard victims in the Spyware Warrior forums, and what they're reporting is not pretty at all:

http://spywarewarrio...opic.php?t=5568
http://spywarewarrio...opic.php?t=5470
http://spywarewarrio...opic.php?t=5537
http://spywarewarrio...opic.php?t=5481
http://spywarewarrio...opic.php?t=5459

3162 has some advice for StopGuard victims:

http://spywarewarrio...opic.php?t=5594

Best,

Eric L. Howes

#4 suzi (Advanced Member; Retired Staff; 108 posts)

Posted 08 September 2004 - 02:42 AM

To update Eric's statistics - I counted 24 HJT logs with Stopguard problems on our forum.

Search engine hits for Stopguard are 2439 total since the first of this month. That's almost 350 per day.

What we don't know yet is where and how people are getting infected. They don't have any idea where they got this. It's similar to the Spy Wiper hijackings of Dec. 2003 and early this year. They are probably getting infected with some kind of time-delayed file that triggers the pop ups minutes or hours later.

Edited by suzi, 08 September 2004 - 02:46 AM.

Spyware Warrior
Microsoft MVP 2005-2009 Windows - Security

#5 3162 (Member; Full Member; 5 posts)

Posted 09 September 2004 - 07:48 PM

My latest generic fix is this:

This current fix will work on the variants too.

Be really careful when working on these log fixes and check Answers That Work and Google the file. It is clearly designed to appear to be a legit file, and we don't want to make any mistakes.

For FAT32-based machines the file will look something like this, and there could be more than one:
C:\WINDOWS\Registration\anticmd.exe
C:\WINDOWS\Registration\ftpdb.exe
C:\WINDOWS\AppPatch\ftpas.exe
C:\WINDOWS\Web\dvdutil.exe
C:\WINDOWS\Tasks\inetole.exe
C:\WINDOWS\Fonts\bakanti.exe
C:\WINDOWS\Microsoft.NET\winmsvc.exe


and for NTFS machines (I have only seen this appear in the inf folder so far, but that doesn't mean that it can't be in another legit-looking folder):
C:\WINNT\inf\nutbas.exe
C:\WINNT\inf\urlplay.exe
C:\WINNT\inf\maindll.exe


The fix:



DO NOT reboot until you have done all of the items below or until prompted by killbox. If a file is not there, skip on to the next one.

Please Print these instructions, you will not be able to access this page in safe mode.


1) Click on this link http://www.downloads...org/KillBox.zip to download TheKillbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. In the drop down menu next to the yellow triangle scroll until you see
***********the .exe from processes list*********** and select it. Click the yellow triangle and click yes that you want to end task.
In the 'Paste Full Path of File to Delete' box, copy and paste this entry:
**********the c:/%system%/random.exe from processes list*********


Next, click on the Action menu and choose "Delete on Reboot". Click the button with the red circle with a
white X in it. Close killbox.


2) Enable 'show all files'

3) Reboot into safe mode by tapping F8 at boot, then use the up/down arrows to select safe mode


4) On the start page of hijackthis, run a new scan and checkmark/fix the following lines:
R0 and R1 strange lines.
O2 - BHO: CATLEvents Object - Random dll
O4 - HKLM\..\Run: [*Name here will be the same as the .exe] C:\WINDOWS\bad folder\bad.exe
O4 - HKLM\..\RunOnce: [*Name here will be the same as the .exe] C:\WINDOWS\bad folder\bad.exe rerun
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\System32\bkinst.exe ren <<or something similar

(ANY OTHER lines can also be fixed here as needed)


5) Delete the following files if they are still there:
.exe's from Processes List, 04 files and any others

6) Empty your Temp folders as follows:
Open Internet Explorer. You'll get a Page not Found error, but that's normal in safe mode.
At the top, click Tools>Internet Options> and then, in the center click Delete Cookies
Click Delete Files and then in the new applet check the box for all offline content
Click OK
Close that applet and open the C>Windows>Temp folder, and delete all files in there too, and all files in sub-folders of Temp.
Note: If you cannot delete them all at once because you have too many, then click and hold ctrl and highlight a batch of them at a time. Once highlighted, R-click over the highlight and select delete. Rinse, lather, repeat until folder is empty
**NEW** Empty your recycle bin

7) Reboot back into normal Windows and post a fresh log.


I've seen one other instance where my protocol wasn't followed, but all that was left was some clean up.
The 'key' appears to be to catch this before a reboot, and before a user 'clicks the popup to make it go away'
On the boxes I have cleaned in my shop here, it appears that there may be multiple stages to this infection.

Ordinarily, the initial infection drops a process as:
C:/%randomsystem folder%/random.exe
Secondary infections show:
C:/%randomsystem folder%/%randomfolder%/random.exe and/or in a Temp file

Tertiary infections appear to me to start disabling the OS one step at a time on each successive reboot.
I have no proof of this, as yet, other than that the 04 lines may show [][][] (square boxes, but I don't have time to figure out how to c/p those here) where the running process should be.
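The log indicators WinHelp2002 and 3162 describe above (the CATLEvents BHO whose .dat name is the running .exe spelled backwards, and .exe files started from legit-looking Windows subfolders) can be checked mechanically over a HijackThis log. The following is an added example written for this thread, not code from any of the posters; the log excerpt, CLSID and user name are constructed placeholders.

```python
import re
from pathlib import PureWindowsPath

# Constructed HijackThis excerpt modelled on the thread's indicators; CLSID and user name are placeholders.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\svchost.exe
C:\\WINDOWS\\Fonts\\cjava.exe
C:\\Program Files\\Internet Explorer\\iexplore.exe

O2 - BHO: CATLEvents Object - {CLSID-PLACEHOLDER} - C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\avajc.dat
O2 - BHO: Google Toolbar Helper - {CLSID-PLACEHOLDER} - C:\\Program Files\\Google\\GoogleToolbar1.dll
O4 - HKLM\\..\\Run: [cjava] C:\\WINDOWS\\Fonts\\cjava.exe
O4 - HKLM\\..\\RunOnce: [cjava] C:\\WINDOWS\\Fonts\\cjava.exe rerun
O4 - HKLM\\..\\Run: [SoundMan] C:\\WINDOWS\\System32\\soundman.exe
"""

# Windows subfolders the thread reports the dropper hiding in; a .exe running or
# auto-starting from one of them is suspicious because legitimate software rarely lives there.
ODD_FOLDERS = {"registration", "apppatch", "web", "tasks", "fonts", "microsoft.net", "inf"}
HJT_ITEM_RE = re.compile(r"^[A-Z]\d+ - ")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]*\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\(?P<key>Run\w*): \[[^\]]*\] (?P<cmd>.+)$")
EXE_RE = re.compile(r"(?i)^(.+?\.exe)")  # cut trailing arguments such as "rerun" or "ren"

def in_odd_folder(path):
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    # only flag a folder directly under the Windows directory, e.g. C:\WINDOWS\inf\x.exe
    return len(parts) == 4 and parts[1] in ("windows", "winnt") and parts[2] in ODD_FOLDERS

def analyse(log):
    lines = [l.strip() for l in log.splitlines() if l.strip()]
    processes = [l for l in lines if not HJT_ITEM_RE.match(l) and l.lower().endswith(".exe")]
    findings = []  # (kind, path, details)
    for line in lines:
        m = O2_RE.match(line)
        if m and "catlevents" in m["name"].lower():
            # the running .exe is the .dat's base name spelled backwards (avajc.dat <-> cjava.exe)
            twin = PureWindowsPath(m["path"]).stem.lower()[::-1] + ".exe"
            mates = [p for p in processes if PureWindowsPath(p).name.lower() == twin]
            findings.append(("catlevents_bho", m["path"], mates))
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m["cmd"])
            exe = exe.group(1) if exe else m["cmd"]
            if in_odd_folder(exe):
                findings.append(("odd_autostart", exe, [m["key"]]))
    findings += [("odd_process", p, []) for p in processes if in_odd_folder(p)]
    return findings
```

Running `analyse(SAMPLE_LOG)` flags the BHO together with its reversed-name process, both O4 autostarts, and the process itself, while svchost.exe, the Google BHO and the System32 autostart stay unflagged.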

#6 gabrielcool (Member; New Member; 1 post)

Posted 21 February 2008 - 02:16 AM

I would like to add one more: Adware Alert anti-spyware of www.adwarealert.com. A very bad, rascal anti-spyware, just like a :evilgrin:, which is not able to do anything as other anti-spyware do... HUH, their website has no information on how to use it, no guidelines etc.; they just ask you to pay money to download anything :blush: :blush:

#7 Budfred (Malware Hound; Administrators; 21,338 posts)

Posted 21 February 2008 - 08:06 AM

I would like to add one more: Adware Alert anti-spyware of www.adwarealert.com. A very bad, rascal anti-spyware, just like a :evilgrin:, which is not able to do anything as other anti-spyware do... HUH, their website has no information on how to use it, no guidelines etc.; they just ask you to pay money to download anything :blush: :blush:

This topic is several years old and no longer current... If you check here:

http://www.spywarewa...nti-spyware.htm

You will see that AdwareAlert has been delisted as a rogue, but it is still advertising aggressively and it is not known to be a good program... The other programs that use the same code from the same company are still rogue... If you wish to get an antispyware program, I strongly suggest you check the rogue list and/or stick to well known programs that are recommended by trained helpers at legitimate security forums... Remember that anyone can post a recommendation and we are constantly monitoring for SPAMmers who try to advertise their rogue programs here... If a trained helper didn't recommend it, extreme caution is advisable...
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"



