by Jerry Stern
Webmaster, Startupware.com

OK, I look like this now.

Well, maybe only kinda.

This project started out with a web ad. It told me that I could look like a character from the movie ‘Avatar.’ I’ve seen the ads before, clicked through to see what it was, and then shut down the page fast when I saw that there was a Flash plug-in and a membership form to agree to. This time, I said, well, let’s check it out. On my test machine, not the production box. With extreme caution.

OK, off to the XP test box. At the moment, it’s running XP Pro, Service Pack 3, fully-patched, and Microsoft Security Essentials Anti-Virus, and has no other security in place, no data, and no significant software other than patched versions of Adobe Flash and Sun Java.

The link from the ad was to mycartoon(dot)info, which immediately redirected to imakemoolah(dot)com, which then immediately redirected to home(dot)zwinky(dot)com. Note the past tense; as I write this, a week later, the link has changed, and the final step now goes to home(dot)mywebface(dot)com.

Neither of these sites contains the promised ‘Avatar’ look. The ad also implies that I can convert a photo. That’s not there, either. What was there is Zwinky, apparently an online ‘community’ using cartoon avatars. It invited me to create my Zwinky character. OK, so I did. There is a required sign-up for a membership in the online Zwinky site, and an email address is required (I used one of my temporary emails, and it has not been spammed, so far). Here’s what I found along the way, in case you find this on a computer during a cleanup.

First off, Internet Explorer 8 warned me of an Active X control installation. There is a basic warning that I’m installing the MyWebSearch toolbar. Note that the page is from Zwinky, but the download is from imgfarm(dot)com, while the source of the download is from their SmileyCentral project. It’s all very spread out over multiple sites.

Next, there is a clue that multiple products are included. The Internet Explorer Security Warning identifies the download as being from Fun Web Products, and includes “Zwinky, My Web Search, Search Assistant, and Easy…” The line is cut off; could go on for a ways yet.

Finally, my screen begins to show something that’s closer to what I clicked on:

And done:

OK, I UNCHECK both boxes, and click finish. The mywebsearch toolbar appears anyway, and I’m taken to the Zwinky page to create a character.

OK, now let’s look at what else is happening in the background.
I ran HijackThis, and checked the log; and it’s immediately apparent that this product is startupware–all these items are new:

R3 – URLSearchHook: (no name) – {00A6FAF6-072E-44cf-8957-5838F569A31D} – C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 – BHO: MyWebSearch Search Assistant BHO – {00A6FAF1-072E-44cf-8957-5838F569A31D} – C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 – BHO: mwsBar BHO – {07B18EA1-A523-4961-B6BB-170DE4475CCA} – C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 – Toolbar: My Web Search – {07B18EA9-A523-4961-B6BB-170DE4475CCA} – C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
-runkey
O4 – HKLM\..\Run: [My Web Search Bar Search Scope Monitor] “C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe” /m=2 /w /h
O4 – HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 – HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O8 – Extra context menu item: &Search – http://tbedits.mywebsearch.com/one-toolbaredits/menusearch.jhtml?s=100000338&p=ZJxdm3802MUS&si=40699&a=..bh6qJGzk7dFMyFxzxTDA&n=2010061710
O16 – DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} – http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
O23 – Service: My Web Search Service (MyWebSearchService) – MyWebSearch.com – C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe

In order, note the URL search hook in group R3, the two toolbars (group O2, Browser Helper Objects), and the installed service in group 23. Big product, by any measure.

Next, I took a look at the C: drive. Under Program Files, there’s 6Mb of files under ‘MyWebSearch’ and ‘0.6 Mb’ under ‘FunWebProducts’ that contains 4 folders and only 1 file. Over in Control Panel, there is one new entry, for “My Web Search (Zwinky)”, listed as 6.29 Mb. I’ll run that later.

Next, I go back into Internet Explorer. It opens to my usual home page of ‘about:blank’, so that’s OK–remember, I did decline the home page change earlier. I tried to turn off the toolbar, and here’s the result–I chose to disable :

OK, back to Control Panel. Ran the uninstaller. There’s one confirmation screen, and I chose to remove all features. A reboot is needed, OK. There’s a file left behind in c:\Program Files, so I delete ‘Uninstall Fun Web Products.dll’. A second pass through HijackThis shows one straggler autostart item–I removed it manually:

O16 – DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} – http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab

Now, as invasive as this product is, their online drawing program does work easily. In case my readers are tempted to go there, and create an avatar, like I did–be warned. The avatar can’t be saved or exported, it’s only usable on Zwinky, and you can create only one, so it’s pretty limited overall. The images I’ve created were done using creative and major browser zooming on the page, then screen captures, imports of the captures into Corel Draw! X4 for a bitmap-to-vector conversion, more tweaking and editing, isolation of the head for some versions, and so on. I invested 90 minutes, and someone with less familiarity with drawing software would not end up with a usable avatar.

So what is all this? It looks like a URL search grabber, with a major content delivery system of cute drawing programs that can’t save files. Zwinky.com does, at least, have a visible means of financial support in the ads on their site, but they also have a link on the footer to their affiliate program, where they claim no spyware (right, just a search hook), no adware, high industry payouts, and association with webfetti, CursorMania, and “in partnership with neverblue”.

Let’s make this clear–these items are misleading, invasive, and possibly not quite fraudulent (in the legal sense), but they are clearly not drive-by downloads, except in one sense: The names are all mismatched. I click on mycartoon(dot)info, and pass through imakemoolah, to zwinky, download from imgfarm, and end up with FunWebProducts and MyWebSearch. Many end users aren’t watching that closely.

As far as cleanups go, when I have an infected PC on my desk, the usual situation is that there is some malware that was of unknown origin (didn’t see any on these sites, as of June 2010), so I go looking, and I find there are 10 autostart entries for one web application that my customer doesn’t remember installing, plus a variety of other items of similar unknown origin, so they all come out. For me to leave them alone would require that the install did not include a search hook, a toolbar, or an installed Windows service, and this combination of mismatched web sites delivers all three, and there is no need for a web page to run 10 autoplays. Delete that.

And that’s a shame, too. If these programs ran without the toolbars and autostarts, with no associated search hook baggage, and could save images easily, they would be worth paying for. Oh, well.

OK, I’m ready for Spring now. I’ve notified the resident groundhogs that they’re responsible for all this mess, and had better get things moving. They dig holes in my lawn, they eat my plants, they had better earn their keep this time. Done. Spring. Now.

His talk was all about Open Source; it would have worked just as well at a developer’s event as at government talk. His main point: Sun makes money giving away all their intellectual property, and then selling services and contracts. There are five public reasons he pushes open source. A sixth, unmentioned, is surely that expanding markets for open source expands markets for Sun Microsystems–they’re clearly a large enough player to benefit from that type of marketing.

1. There is no barrier to entry for users of open source products. Selling a prototype project to a corporate purchasing department shouldn’t start with requests for funding for software, just to see if what’s needed is possible. Just download it, and get started.

2. Increased interoperability. The source is out there, so there are no proprietary formats; every competitor is free to copy how you’ve done processes, and link into them, or add functionality.

3. More Research & Development. A closed source development project might have 5 programmers, or 30, working on it, he says. In open source, testing and bug fixing is open to a world of interested parties. It’s all extra help for the R&D staff.

4. More Secure. For the same reasons, open source is tested and hacked by the world before being declared as ‘done.’ There are no hidden secrets, it’s all out there to see, before deployment.

5. No barrier to Exit. There are no service-level agreements forcing years of product upgrades to future versions, site-unseen, and no site licenses in open source; there are no contracts to tie down a corporation or a government to continue using a product that’s last year’s bad news.

Sun is making money, lots of it. McNealy’ opening joke was that he stopped by Washington DC to pickup his $600 tax rebate check, and to deposit a few million $ for his 2007 tax bill. Open Source is clearly working for Sun–they claim to be the world’s largest provider of it, and they’re profitable even after spending huge amounts to defend themselves and their clients against software patent claims. They don’t start law suites over intellectual property, but they do defend, vigorously, and half their winnings go back to an open source legal defense fund.

Sun competes on the basis of providing service to clients. Their model sounds closer to that of a service company than to a software publisher. Scaling their model down to the level of a microISP is clearly challenging; some software developers are already working on the basis of custom installations and ‘whatever-you-need for a fee’ service. More will clearly have to work that way in the future.

McNealy closed by giving away a large stack of software CDs to every attendee, but remember that this is to a US Government audience that can’t accept gifts valued above $20. “It’s worth $8 for all the plastic. The content is available for free at developers.sun.com. I’m just saving you download time.” He doesn’t stop selling. Ever.

Those of you who attended the Shareware Industry Conference during the years it was in Florida around ten years ago will remember that SAAS, or Software as a Service, was really big back then, but it resulted in very little. Now, bandwidth and connectivity for business users is good enough and fast enough that SAAS may be practical for specific applications.

Putting documents into the cloud is already what Google is living on. All their documents, spreadsheets, slide shows, etc, are hosted live on the Google Apps site (www.google.com/a). Nothing is stored on workstations, and their technology now includes sharing of documents between collaborators, with tracking of edits and changes.

Girouard reports that lots of business notebooks are lost worldwide, usually with business data. He had one stolen from a parked car the day before a big meeting. The next morning, he stopped by the Google IT department, picked up a new notebook, switching to a Mac while he as there, logged in to Apps, and was up and running immediately, with less than half an hour lost.

This isn’t just Google eating their own brand of dog food. Girouard showed an impressive list of Fortune 500 companies that are using Google’s GMail with Postini spam filtering for 100% of their email storage. It’s all online, manageable and controllable by corporate management.

This year, the main hall of the Convention Center was busy, but only at about 2/3 capacity. This show has never filled the new convention center–the old one was retired a few years back and two blocks south, and that one was always full. But this is a bigger building, and the show is smaller than it used to be. Actually, the show floor covers two city blocks, below ground, and if you go up to the registration area or up another floor to the keynote and conference rooms, it’s clear that it’s really two buildings. There’s even a DC Metro train stop at one end of the building, shared with Mt. Vernon Square.

For the last two years, the dominant items on the show floor have been removable storage devices with security features, and eGovernment systems for converting agencies with actual people into web sites with actual forms and automation. That’s progress in the US capital, maybe.

This year, regulations have changed regarding the destruction of personal data. And the US military is being more careful too. So, the item that wasn’t visible in previous years, that was everywhere this year, is demolition of computer hardware, shown by at least seven companies. First, there was a degaussing machine (OK, three different machines), that rotate a hard drive through a massive magnetic field. I fed in a hard drive, but there was no visible change–their demo didn’t actually show that the drive had lost all formatting, including servo tracks.

Degaussing isn’t visible enough for government use, apparently. They want to look at a device and SEE that it’s not readable. In the dark, apparently.

That means there was a vendor that sells a machine (with a hidden sound-muffled hydraulic compressor) that folds hard drives in half, the long way–it’s a clean 90 degree bend. Another had a hard drive destroyer that pushes a 2″ blunt cone down into the center of the drive until it becomes visible on the far side, shattering the platters. Again, it’s pneumatic, using a compressor.

There was another machine that folded drives, but electric or hand-crank operated for field use in a battlefield. There was a truck-mount hard drive shredder that reduces the drives to 1″ or smaller chunks–that one wasn’t on the show floor–it’s driven to clients for mass destruction of drives. And another portable device snipped the drives in half with a hydraulic claw.

Not to be outdone, another vendor had samples of what comes out of their computer shredder. Yes, the entire computer. But wait, there’s more… one supplier to the US government is actually doing it right–they shred the entire computer, grind it into fine dust, sort it both magnetically and by density into its component bits of metal alloys, plastic, gold, all the good stuff, and recycle it. They showed off clear containers of the various sorted powders.

So, your next appliance may contain 5% recycled US military computer parts and data. Guaranteed unreadable by the current level of technology.

Elsewhere at the show, there were the usual vendors, a mixture of the software companies you know, and the government specialists that build their offices around the edges of DC–locally, they’re called ‘Beltway Bandits.’

Last year, Google had a shared area in a small booth, showing off their hardware search technology that they install on client sites for searches of private networks–it’s called a ‘search appliance.’ This year, they had one of the largest areas on the floor, with seating for seminars in groups of around 50 people, and they gave introductory lessons on buying adwords, and showed what Google Earth could do for the military, and demonstrating the new real-time Google Earth weather alerts.

More tomorrow…

Well, the yellow box was followed by a silent install of ContraVirus 2.0, which launched and started an apparent “scan” which resulted in “finding” 27 infections. I had the customer do an online spyware scan, which found and removed the problem, but it came back within a minute or two. Also had him uninstall ContraVirus from the add/remove list. That worked, too, but the flag came back, reinstalled, rescanned, and found the same infections each time, even though the system had been fully scanned by two other programs between the two CV “scans.”

OK, in the car, down the road… I had already looked up ContraVirus online–the reports describe it as either rogue antispyware, or being installed as a drive-by download by an affiliate. RogueRemover, from MalwareBytes.com, was said to take it out, so I took that with me, along with my usual software tools.

Here’s what the screen looked like when I arrived.

Took a look… Yes, it’s really easy to remove this, or so it appears; it heals. Ewido.net’s online scan takes it out, or RogueRemover, or add/remove programs, but it won’t stay gone; it reinstalls in less than 4 minutes, immediately if an Internet Explorer window is opened; there’s a browser helper object involved.

HijackThis reported this:
O2 – BHO: IEExtension Class – {DBE5BEE8-F032-11DB-826A-C4BB56D89593}
– C:\Program Files\ContraVirus\secieaddin.dll
O3 – Toolbar: Ad-Protect Toolbar – {EA038DDD-0FE0-41f5-BA60-FC3660529E71}
– C:\Program Files\ContraVirus\ToolBand.dll

But this one appears to be the self-repair program:
O4 – HKLM\..\Run: [Windows Updater Servc]
C:\WINDOWS\system32\xpuupdate.exe

It was this xpuupdate.exe that RogueRemover and all the other cleanups missed. I ran a drive search for ‘xpuupdate’–there was also a reference in the prefetch folder. I moved the files off c:, ran one more cleanup immediately with RogueRemover and this time, the cleanup stayed cleaned.

Back to the computer owner: He recognized that the yellow popup box looked like a Microsoft message, and also thought the system tray icon was from Microsoft, but also knew that advertising message puffery and bad English isn’t quite what to expect in a legit warning message.

Well, it gets stranger. The background music is fun to listen to. It’s catchy. It’s the first verse and the chorus of a song called “Catch My Disease” by Ben Lee. Now I have nothing against the song. It does make the commercial fun to watch–it wouldn’t work without the music. But the lyrics, as applied to selling a computer, are more than odd; they’re bizarre.

my head is a box filled with nothing

OK, I’d like to buy a Dell computer filled with nothing. Just Windows, hardware drivers, please. NO, DON’T push that button!!!

and thats the way i like it

Oh, and don’t forget the subliminal sales pitch, of course.

my garden’s a secret compartment
and thats the way i like it
and thats the way i like it

Um, OK, let’s add a hidden folder for my garden pictures. Yeah, that’s the ticket.

your body’s a dream that turns violent
and thats the way i like it

No, downloading that stuff is what made the Bonzi gorilla turn violet.

so please
baby please
open your heart
and catch my disease

Right. Spyware gorilla, subliminal sales pitch, catch the disease, empty head for a box. Just who is this notebook targeted at? And has the ad agency for Dell gone ape? Or maybe they’re just two bananas short of a bunch?

Here’s the scenario for the new Dell television ad, apparently targeted at the ‘Back to College’ crowd. A young man is sitting on a sofa, calling Dell. Voiceover: “Thanks for calling Dell. What can we build for you?” The living room wall rotates around, like the magic fridge in the SuperBowl beer commercials, and suddenly he’s riding a supermodern golf cart with a Dell staffer, visiting a Dell manufacturing floor that looks like a cross between the airport in the Tom Hanks movie ‘The Terminal’ and the end of ‘Star Wars III’ where the heros have to dodge the dangers of an assembly line at high speed. Yes, there is a battle robot hanging from the line. And a purple gorilla. The customer points at what he wants, and yes, it’s the dancing gorilla from Bonzi Buddy. He also chooses a college professor, and, OK, what the heck, decides he wants it all. Yes, there’s a button for that. It’s apparently the ONLY button that’s used, as the others aren’t labeled. We see the purple gorilla climbing into the new Dell notebook–it’s an Inspiron e1505, and the closing credits show the tag, “Purely You.”

Separated at Birth?

This is apparently the second ad in the “Purely You” series. Dell is showing the ads in this series online, and will probably put the gorilla ad up soon.

You would think that associating Dell notebook computers with the infamous spyware program Bonzi Buddy is a bad thing. Apparently having the speed and power to run a notebook loaded with spyware and startupware is the the most important concept that has to be promoted in their marketing. It’s apparently also a good thing to load every piece of software available. I bet that half of what they load is startupware–it surely serves some purpose for all that junk to autoplay, so it’s not evil, or no more so than trying to eat too much peanut butter all at once–who remembers the “stick to da wuf of ma mouf” commercial? Of course, much of that junk is a based on a subscription model, and Dell will receive a commission on anything you click that results in a purchase, a renewal, or an upgrade, so if the entire computer is adware, adding a purple dancing spyware gorilla isn’t really all that out of place.

Should you buy a Dell? I’m admittedly biased–you should only buy computers from local system techs who actually build systems specifically for you. Like, um, me.

But a Dell? Really? Well, read reviews first–this isn’t one. But they do claim they’ll build it purely for you. Ask for the dressing on the side. They should load Windows, and hardware drivers, and put everything else on a DVD for you to choose to install yourself, or not at all. (Really. And report back here with the result when you make your request…)

Hint: Windows XP, when first installed, has only ONE icon on the desktop; it’s the recycle bin. If your new PC has anything else on the desktop, it wasn’t put there by Microsoft. When ordering most PCs by phone, it’s either ‘the works’ or it’s just a cluttered mess that runs like a doorstop on a thick shag rug.

Anyway, whatever you do, DON’T ask for the purple dancing gorilla.

Evidence found of PC Gremlins… Film at 11

Our Crack Technical Team Inspects the Site

This does explain the entire concept of lost files.

Well, after a quick low-pressure intervention with a Shop Vac, the patient has had a full recovery, and is being monitored for any further signs of invading colonies of gremlins.

Anyone who disabled the Windows fax viewer can restore it like this:

To re-register Shimgvw.dll, follow these steps:
1. Click Start, click Run, type “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the registration process has succeeded. Click OK to close the dialog box.

The WMF abort process security hole doesn’t affect Windows 98. Microsoft has stated that it is a ‘non-critical’ problem in Windows Me, but has not released a patch. In other words: to be continued…