Phony Malware Cleaners

Windows pops up an announcement of impending doom, which can be avoided by "clicking here". Should you do it? In a word: NO!
The ploy

Imagine your surprise and shock when you see a pop-up notice in your system tray advising you of a computer problem. Notices in this area are generated by software on your computer so naturally you would tend to trust them, right? Don't be so certain any more.

The level of low life scum skulking about on the Internet seems to be on the increase. By now most people are aware of the existence of malware (spyware, adware, trojans, zombies, etc.). A number of tricksters are trying to entice unsuspecting souls to load malware on their computers by warning them they have been infected with — you guessed it — malware. Amazingly, their ploy seems to be working.

  • A message in the system tray advises that your computer has been infected with spyware. You are given a link that will correct the problem.
  • Your browser takes you to a Website offering anti-malware software. It is not possible to get the browser to default to your favorite page any more.
  • A message warns that a specific computer has gained full control of your computer and offers to correct the problem.

In all of these scenarios you are presented with a scare, followed by a solution. In this case the recommended cure will take you to a Website where you can download anti-malware software that will, for a price, correct the problem.

Our guess is that this software will take care of the problem very nicely since the outfit peddling it is probably the one that infected your computer with the malware that displays the warning messages in the first place!

If you don't comply with their wishes, you may find that your browser is "hijacked" to one of their Websites, which give similar warnings and offer similar solutions. You may be switched to different Websites each time. The usual methods of setting the default home page will no longer work. If you thought you were safe because you use Mozilla, Opera, or Firefox instead of Internet Explorer then you are only partly correct.

We first encountered the SystemWarning and SpyAxe worms on 01/02/06 when a friend reported that his computer had been taken over by another computer.

This worm first appeared in mid-December 2005. As of 01/04/06 the major anti-malware vendors were developing removal tools and Microsoft was promising to release a Windows security patch on 01/10/06.

So, for 2-3 weeks after the worm was first detected there was still no cure for it. Worse, there may not be any patches forthcoming for Windows 98 or ME.

Perhaps an annoying message or a hijacked browser is not a major concern to you. Well, the surrendering of your personal information, credit card information, and passwords probably is. This worm is set up to do that or worse. The only problem is, no one has yet defined what "worse" is because this worm is still evolving.
Uncovering the source of the problem

Let's say that your computer has started behaving oddly. Take note of any error messages or other tell-tale signs. This could be an error message such as "Cannot find Program.dll", or a program or process name such as BlueHippo.Exe that was flagged by your firewall or malware catcher.

Then head for Google and search for significant portions of the error message or symptom. In our case we searched for SystemWarning and found several hundred relevant articles. Any of the search terms below might work; just be sure you do not "clean up" any typographical or grammatical errors since that may cause the search to fail.

  • SystemWarning
  • Yor PC is infected with spyware
  • The name of the error or program
  • The alleged IP address of an attacking computer
  • A scary warning message

Just enter a significant portion of the error message into the search field. Often, dozens or hundreds of articles related to the problem will turn up. Sometimes Google will produce so many hits that you must narrow down the terms of the search, e.g., BlueHippo.Exe + "Incorrect Version".

Unfortunately the low life forms that produce this sort of worm have their ways and that includes sneaking into Google searches. For example, the top hit for "SystemWarning" was a Website affiliated with this worm. A number of the sponsored links on Google turned out to be sites that offered minimally useful, or potentially harmful, anti-malware software.

Click here to see one Google page we found. Your mileage will vary. Batteries not included.
Dealing with the infection

One way this worm reaches people is through Websites that host "damaged" graphic images. A flaw in Windows allows a graphic image to carry program code that runs on the computer when the image is rendered. So you don't have to open or click on anything; merely seeing a banner ad could cause an infection.

Some of the methods for cleaning up after a malware infection can be rather complex. Others involve running your favorite anti-malware scanner.

As of this writing (01/04/06) the major anti-malware vendors were still identifying the many strains of the worm and beginning to develop remedies for them. Microsoft was preparing to release a patch for the Windows flaw that permits the worm to function.

Once those are in place that may be the end of this problem. Unfortunately, there will probably be plenty of others to take its place.

Some quick fixes

If you have the infection you can try this partial cure. It is NOT guaranteed to work. It is a stopgap measure until a proper fix is finally released. Click here to learn more about this and other fixes.

  1. Click Start, click Run
  2. Type the following: regsvr32 -u %windir%\system32\shimgvw.dll
  3. Click OK to start the process.
  4. A dialog box should appear to confirm that the un-registration process has succeeded.
  5. Click OK to close the dialog box.
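The steps above leave you guessing whether the un-registration actually "took", and later on you will want to know whether it has been undone. The script below is an added example, not code from the original article: it scans the COM class registrations for shimgvw.dll (the Windows Picture and Fax Viewer library the stopgap removes) and reports which state the machine is in, along with the matching regsvr32 command. It assumes Windows PowerShell with read access to HKEY_CLASSES_ROOT; the function and variable names are ours.

```powershell
# Added example (not from the original article): report whether shimgvw.dll
# is currently registered as a COM in-process server. regsvr32 -u removes the
# HKCR\CLSID\{...}\InprocServer32 entries that point at the DLL, so scanning
# those entries shows which state the machine is in.
# Assumes Windows PowerShell with read access to HKEY_CLASSES_ROOT.
$ShimgvwPath = Join-Path $env:windir 'system32\shimgvw.dll'

function Get-ShimgvwRegistration {
    # Walk every CLSID; an InprocServer32 subkey whose (default) value names
    # shimgvw.dll means that class is still registered.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $server = "$($_.PSPath)\InprocServer32"
            if (Test-Path $server) {
                $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
                if ($dll -and ($dll.Trim('"') -like '*shimgvw.dll')) {
                    [PSCustomObject]@{ CLSID = $_.PSChildName; Server = $dll }
                }
            }
        }
}

$registered = @(Get-ShimgvwRegistration)
if ($registered.Count -gt 0) {
    "shimgvw.dll is registered under $($registered.Count) CLSID(s):"
    $registered | Format-Table -AutoSize
    "Stopgap from the article (unregister):  regsvr32 -u `"$ShimgvwPath`""
} else {
    "shimgvw.dll is not registered: thumbnails and the picture viewer are disabled."
    "Restore after patching (re-register):   regsvr32 `"$ShimgvwPath`""
}
```

Run it once before the stopgap and once after: the first run should list at least one CLSID, the second none. Once the vendor patch is installed, the re-register command it prints puts thumbnails back.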

If your browser is being redirected to a "foreign" Website try the following:

  1. On the browser menu bar click Tools.
  2. Click on Manage Add-ons. You should see a list of browser helper objects (BHOs).
  3. Look for an object named HomepageBHO. If it is present, disable it.
  4. Exit and restart the browser.
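Manage Add-ons shows you a friendly name and little else, so it is easy to miss an entry that is not called HomepageBHO this time. The script below is an added example, not part of the original article: it lists every Browser Helper Object registered for Internet Explorer and resolves each CLSID to the DLL that implements it, so a stray entry shows up together with its path on disk. It is read-only; disabling still happens through Manage Add-ons as the steps above describe. It assumes Windows PowerShell with read access to HKLM and HKEY_CLASSES_ROOT; the function and variable names are ours.

```powershell
# Added example (not from the original article): enumerate Internet Explorer
# Browser Helper Objects and resolve each CLSID to its DLL, so an unexpected
# entry (the article's HomepageBHO, for instance) is visible with its path.
# Assumes Windows PowerShell with read access to HKLM and HKEY_CLASSES_ROOT.
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BrowserHelperObject {
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in Get-ChildItem $key) {
            $clsid    = $entry.PSChildName
            $classKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name = $null; $dll = $null
            if (Test-Path $classKey) {
                # (default) of the CLSID key is the friendly name shown in Manage Add-ons;
                # InprocServer32 (default) is the DLL that actually gets loaded.
                $name   = (Get-ItemProperty $classKey -ErrorAction SilentlyContinue).'(default)'
                $server = "$classKey\InprocServer32"
                if (Test-Path $server) {
                    $dll = (Get-ItemProperty $server -ErrorAction SilentlyContinue).'(default)'
                }
            }
            # Registry paths may be quoted or use %SystemRoot%-style variables.
            $expanded  = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) } else { $null }
            $dllExists = if ($expanded) { Test-Path -LiteralPath $expanded } else { $false }
            [PSCustomObject]@{
                CLSID     = $clsid
                Name      = $name
                DLL       = $expanded
                DllExists = $dllExists
                Hive      = $key
            }
        }
    }
}

# A BHO with no friendly name, a missing DLL, or a DLL outside Program Files
# or the Windows directory deserves a closer look.
Get-BrowserHelperObject | Format-Table -AutoSize
```

Legitimate toolbars and plug-ins also register here, so compare the DLL path and vendor against what you installed on purpose rather than removing everything in the list.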

To get an idea just how pervasive this problem is becoming click here to read a security blog.

Microsoft decided to release their patch early and did so on 01/06/06. Once our system was updated we lost the ability to view thumbnails of pictures. There was no mention of this issue on the Microsoft site. Re-registering the DLL that the stopgap above unregistered restores the thumbnails:

Regsvr32 %windir%\system32\shimgvw.dll


Postlog - with tongue in cheek

We believe that the people who have given the world such programming gems as SpyAxe and SystemWarning should be treated with compassion when they are finally brought to justice. Our definition of "compassion" includes the following:

  • Burial in sand, honey, and plenty of fire ants.
  • Hanging by thumbs.
  • Hot coals, pokers, and the removal of fingernails.
  • Electrical stimulus of the genitals.
  • A bath of beef broth in the presence of some very hungry pit bulls.
  • Bullets, but only to graze and maim.

Survivors should be prosecuted, tortured, and jailed with a number of hardened criminals who are told they are pedophiles. Upon release from prison, they should be treated to the following < g >:

  • Visits by a number of insurance salesmen who are members of a religious cult.
  • A savings of 15% on their car insurance.
  • A free Lexmark printer.
  • Permanent assignment of AT&T as their long distance carrier.
  • Hemorrhoids
  • Calls from politicians and pollsters, who are exempted by law from the "Do Not Call" list.

If they can survive all of that they should be required to read and quote from all of the pages posted on Eagle-Wing.Net. Now, that is cruel and unusual punishment.

  • Click here for a listing of popular anti-malware products.
  • Steve Gibson has an ongoing dialog about this problem. In the event Microsoft will not provide a patch for Windows 98 and ME he plans to do so. Steve's Website is an excellent security resource.
  • Bleeping Computer has a removal tool for SpyAxe and other fraudulent software, for advanced users.
  • Infopackets has some highly technical information for advanced users.

