StopGuard was added to the Rogue/Suspect Anti-Spyware pages on Aug. 30. As Suzi at Spyware Warrior notes ( see http://www.netrn.net...es2/000655.html ), we've seen an increasing number of people coming into anti-spyware forums reporting problems with popups of some sort touting StopGuard. A few examples:
vipfares.com, stopguard.com, more obnoxious popups
http://spywarewarrio...opic.php?t=5101
popups go away!!!
http://forum.aumha.o...?start=0&t=7397
Stopguard, vipfares and winfirewall popups
http://spywarewarrio...opic.php?t=5438
stopguard slow computer help please
http://spywarewarrio...opic.php?t=5421
Stopguard problem: here is my log
http://spywarewarrio...opic.php?t=5296
Stopguard infection: hijack log listed
http://spywarewarrio...opic.php?t=5445
The problem is that we don't completely understand how these popups are being generated, though they do appear to be pulled from the StopGuard home page, where users are encouraged to try the StopGuard "free scan" ( http://stopguard.com/ ). Are these standard web page popups from third-party sites, or are they being generated by a locally installed advertising application? If the latter, which one? And how does that advertising application itself get installed and from where?
Some screenshots of the StopGuard popups and a related vipfares.com popup:
http://www.spywarewa...ub/stopgcpy.jpg
http://www.spywarewa...b/stopguard.jpg
http://www.spywarewa...ub/vipfares.jpg
The StopGuard application itself is a bit odd. The RealScannerInstall.exe from the download page is a stub downloader. It proceeds to download and execute a larger 4 mb RealScanner.exe, which is itself another downloader/installer that downloads and executes six other .exe packages ranging in size from 360 kb to 3980 kb:
DriveCleanerEngineSetup.exe
ComputerCleanerEngineSetup.exe
ContentPatrolEngineSetup.exe
ADPatrolEngineSetup.exe
InternetAntiSpyEngineSetup.exe
VirusGuardEngineSetup.exe
All these downloads are pulled from http://www.genericscanner.com/
Visit that site: you'll notice that it coughs up URLs for a number of other things besides the six packages listed above. In fact, most of the scanning process is driven by URLs listed on that site.
The entire scanning process is divided into 6 stages -- one for each of the packages. See this page for some selected screenshots of two of the StopGuard components in action:
http://www.spywarewa...ns_outcasts.htm
The main app (RealScanner.exe) downloads and executes each of 6 packages above in sequence, then displays the appropriate message using the URLs listed at the genericscanner.com site. Once you finish scanning and exit the app, there's no way to re-start it. Nothing on the Start menu. No desktop icons. Nothing. The whole thing is a one-off deal. Very weird.
On my box it generated false positives on lots of things -- only one adware/spyware component found, though. There are no logs to speak of, and the scan results reporting is quite poor. There's also very little info to be found about the company, Vantage Software (vantagesoftware.com). Not a EULA or privacy policy in sight either. Still worse, there's no uninstaller, so garbage is left in \Program Files that has to be removed by hand.
So, that's what little we know. We'd appreciate any other information that folks here at SpywareInfo.com could provide.
Best,
Eric L. Howes
Edited by eburger68, 04 September 2004 - 08:03 PM.
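Added example, not part of the original post: one way to spot the staged download chain described above (a loader fetch followed by several of the six engine packages from genericscanner.com) in web proxy logs. The log format, client addresses, the `downloads.example` host, the URL paths, and the `find_chains` helper are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

STAGE_HOST = "genericscanner.com"          # download host named in the post
LOADERS = {"realscannerinstall.exe", "realscanner.exe"}
ENGINES = {n.lower() for n in (
    "DriveCleanerEngineSetup.exe", "ComputerCleanerEngineSetup.exe",
    "ContentPatrolEngineSetup.exe", "ADPatrolEngineSetup.exe",
    "InternetAntiSpyEngineSetup.exe", "VirusGuardEngineSetup.exe")}

def find_chains(lines, min_engines=3):
    """Map client -> sorted engine packages fetched from STAGE_HOST after a
    loader download, for clients with at least min_engines such packages."""
    loader_seen, fetched = set(), {}
    for line in lines:                      # lines assumed to be in time order
        parts = line.split()
        if len(parts) != 4 or parts[3] != "200":
            continue                        # malformed line or failed request
        client, url = parts[1], urlsplit(parts[2])
        host = (url.hostname or "").lower()
        name = url.path.rsplit("/", 1)[-1].lower()
        if name in LOADERS:
            loader_seen.add(client)         # stub or main downloader, any host
        elif (name in ENGINES and client in loader_seen
              and (host == STAGE_HOST or host.endswith("." + STAGE_HOST))):
            fetched.setdefault(client, set()).add(name)
    return {c: sorted(p) for c, p in fetched.items() if len(p) >= min_engines}

# Constructed sample log (assumed format: time client url status); paths are made up.
SAMPLE = """\
12:00:01 10.0.0.5 http://downloads.example/RealScannerInstall.exe 200
12:00:09 10.0.0.5 http://downloads.example/RealScanner.exe 200
12:00:30 10.0.0.5 http://www.genericscanner.com/pkg/DriveCleanerEngineSetup.exe 200
12:01:10 10.0.0.5 http://www.genericscanner.com/pkg/ComputerCleanerEngineSetup.exe 200
12:01:55 10.0.0.5 http://www.genericscanner.com/pkg/ContentPatrolEngineSetup.exe 200
12:02:40 10.0.0.5 http://www.genericscanner.com/pkg/adpatrolenginesetup.exe 200
12:03:00 10.0.0.9 http://www.genericscanner.com/pkg/VirusGuardEngineSetup.exe 200
12:03:05 10.0.0.7 http://downloads.example/RealScanner.exe 200
12:03:20 10.0.0.7 http://www.genericscanner.com/pkg/VirusGuardEngineSetup.exe 404
""".splitlines()

if __name__ == "__main__":
    for client, pkgs in find_chains(SAMPLE).items():
        print(client, "fetched", len(pkgs), "engine packages:", ", ".join(pkgs))
```

A client is reported only when the engine packages follow a loader download, so a single stray request for one of the file names does not trigger a match.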