StopGuard was added to the Rogue/Suspect Anti-Spyware pages on Aug. 30. As Suzi at Spyware Warrior notes (see http://www.netrn.net...es2/000655.html), we've seen an increasing number of people coming into anti-spyware forums reporting problems with popups of some sort touting StopGuard. A few examples:
vipfares.com, stopguard.com, more obnoxious popups
popups go away!!!
Stopguard, vipfares and winfirewall popups
stopguard slow computer help please
Stopguard problem: here is my log
Stopguard infection: hijack log listed
The problem is that we don't completely understand how these popups are being generated, though they do appear to be pulled from the StopGuard home page, where users are encouraged to try the StopGuard "free scan" (http://stopguard.com/). Are these standard web page popups from third-party sites, or are they being generated by a locally installed advertising application? If the latter, which one? And how does that advertising application itself get installed and from where?
Some screenshots of the StopGuard popups and a related vipfares.com popup:
The StopGuard application itself is a bit odd. The RealScannerInstall.exe from the download page is a stub downloader. It proceeds to download and execute a larger 4 MB RealScanner.exe, which is itself another downloader/installer that downloads and executes six other .exe packages ranging in size from 360 KB to 3980 KB:
All these downloads are pulled from http://www.genericscanner.com/
Visit that site: you'll notice that it coughs up URLs for a number of other things besides the six packages listed above. In fact, most of the scanning process is driven by URLs listed on that site.
The entire scanning process is divided into 6 stages -- one for each of the packages. See this page for some selected screenshots of two of the StopGuard components in action:
The main app (RealScanner.exe) downloads and executes each of the 6 packages above in sequence, then displays the appropriate message using the URLs listed at the genericscanner.com site. Once you finish scanning and exit the app, there's no way to re-start it. Nothing on the Start menu. No desktop icons. Nothing. The whole thing is a one-off deal. Very weird.
So, that's what little we know. We'd appreciate any other information that folks here at SpywareInfo.com could provide.
Eric L. Howes
Edited by eburger68, 04 September 2004 - 09:03 PM.