Category Archives: Field Reports

Cleanup reports of startupware from the real world.

Internet: Redundancies, Backups, and Spares

Written by Jerry Stern

There was a power failure here a few months back. 14 hours with no power, and then there were lights outside my window in the dark, and there was a power company truck with a cherry picker, a portable lighting truck, and a cable truck, all lined up at the power pole, working in cold rain at 3am. And then the next morning, a fire on the same pole took out the other leg of the 240-volt service, just not the 120-volt service I depend on here. I thought I had my communications reasonably well-diversified; now, I still think so, but I made changes, and will consider more.

There was a time when I had no problem turning off the internet, and replying to emails a week later, if that’s when I got back to my desk after a vacation. That was 15 years ago; the world has gotten considerably faster since then. Now, if my business is offline, I can’t monitor websites–can’t really edit them offline because of all the Content-Management Systems (CMS), can’t get to email, can’t get to voicemail, can’t do much at all.

To protect myself from outages, I have backups and redundancies. My business phone is a traditional land line, sometimes called POTS, an acronym for ‘plain old telephone service’; my personal phone line is from the local cable company, where it costs half as much, and just having it earns a discount on my internet service, so the net effect is that it reduces my bill by $8 a month. OK, the business line stayed up in the outage; the cordless phones failed, but there’s one corded phone on each floor of the house. The personal phone line failed, despite having built-in battery backup and being plugged into an Uninterruptible Power Supply; when the system dies at the pole, there’s nothing to do.

Internet is another matter; when power came back on, the internet and the private phone line stayed down. The cable company was able to reset the phone remotely after I called in on the land line, but Internet was still down, and they scheduled that repair for four days out. In typical clueless-cable fashion, they neglected to find the regional outage, which was fixed some 12 hours later, but still, I had no internet, and a promised 4-day outage, on a Monday of what was going to be a very busy week.

Backups Chosen

I added a smart phone with a good data plan. That gives me options that don’t rely on any cables coming into my office, either internet or power. It’s not a fix for every problem in an outage, but it’s a start. Next: How to filter spam on a smart phone. (to be continued…)

Mailbag: 500 Hard Drives, Yeah, sure…

From today’s mail, slightly sanitized enough to protect the companies whose names or contact data are being abused:

Hello, We want to place an order for 500 units new Western Digital Caviar Blue 500GB SATA/600 (WD5000AAKX) 7200RPM 16MB Hard Drive (OEM).
Do get back to us with your price quote which should include FedEx next day A.M. shipping to our I.T location in Deerfield Beach, FL ____.
Method of Payment would be net 10 terms. We look forward to your immediate response.
Thanks,
Kevin Douglas
Purchase Manager
The Twister Group
________
Glenview, IL 60025
Phone: 855-_________ext 374 Fax: 877._______
Email: _______

Yeah, right. 500 hard drives, net 10 terms, shipped to Florida by early-day overnight delivery–hot rush, but billed to Illinois on credit terms to an unknown company, when your web site looks like this:

[Screenshot: the Twister Group web site]

The fax number provided goes to a real electronics distributor in Indiana, no relation.

So I’m just wondering… are there companies stupid enough to ship this order?

For anyone selling computer hardware on the internet, expect orders for hardware to fall from the ‘net, and expect them to be fake. I had one last year that needed 6 notebook computers and 3 network routers with VPN support, drop-shipped to Florida, with a credit-card billing address in Georgia, and would you please bill it to these three credit cards in equal amounts? What? The numbers are consecutive? Really?

I called the bank on that one, after looking up the first 4 digits of the card numbers to identify them, and had a chat with their fraud department. They told me, short version, “Unbelievable. Impossible. Felons.” Words to that effect.

Fraud on the Internet goes both ways. It’s not just shady Internet vendors–every possible opportunity to have a transaction is being attacked.
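The red flags in the two orders above (credit terms from an unknown company, shipping and billing in different states, a charge split evenly across several cards, and card numbers that run consecutively) can be checked mechanically before anyone picks up the phone to the bank. The following is an added example, not code from this site; the order, the rule set, and the three card numbers (the well-known Visa test PAN 4111111111111111 and its two successors) are constructed, and the leading-digit ranges in card_network are the commonly published ones, not a substitute for a real BIN lookup with your processor:

```python
# Constructed order modeled on the drop-ship request described above; the card
# numbers are the standard Visa test PAN and its two successors, not real cards.
SAMPLE_ORDER = {
    "customer_known": False,
    "bill_state": "GA",
    "ship_state": "FL",
    "payment_terms": "card",
    "split_evenly": True,
    "cards": ["4111111111111111", "4111111111111112", "4111111111111113"],
}


def luhn_valid(pan):
    """Luhn (mod 10) checksum: a mistyped or incremented digit fails this."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_network(pan):
    """Leading-digit ranges as commonly published for the major networks;
    a real shop would look the BIN up with its processor instead."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in ("34", "37"):
        return "American Express"
    if pan[:2].isdigit() and 51 <= int(pan[:2]) <= 55:
        return "Mastercard"
    return "unknown"


def consecutive_pans(pans):
    """True when the card numbers, sorted, step by exactly one."""
    nums = sorted(int(p) for p in pans if p.isdigit())
    return len(nums) > 1 and all(b - a == 1 for a, b in zip(nums, nums[1:]))


def screen_order(order):
    """Return the list of red flags an order raises (constructed rule set)."""
    flags = []
    if order["bill_state"] != order["ship_state"]:
        flags.append("bill/ship state mismatch")
    if order["payment_terms"].startswith("net") and not order["customer_known"]:
        flags.append("credit terms requested by unknown customer")
    cards = order.get("cards", [])
    if len(cards) > 1 and order.get("split_evenly"):
        flags.append("payment split evenly across multiple cards")
    if consecutive_pans(cards):
        flags.append("consecutive card numbers")
    bad = [p for p in cards if not luhn_valid(p)]
    if bad:
        flags.append(f"{len(bad)} card number(s) fail Luhn check")
    return flags


if __name__ == "__main__":
    for pan in SAMPLE_ORDER["cards"]:
        print(pan, card_network(pan), "Luhn ok" if luhn_valid(pan) else "Luhn FAIL")
    for flag in screen_order(SAMPLE_ORDER):
        print("FLAG:", flag)
```

Consecutive numbers and the Luhn check reinforce each other: because the last digit of a card number is the checksum, two numbers that differ only by one in that digit cannot both be valid, so a "consecutive" batch nearly always carries at least one number that fails before you ever contact the issuer.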

Startupware Made Me Look Like This (FunWebProducts Report)

OR: Creating Avatars with Toolbars and Search Hooks

by Jerry Stern
Webmaster, Startupware.com

OK, I look like this now.

Well, maybe only kinda.

This project started out with a web ad. It told me that I could look like a character from the movie ‘Avatar.’ I’ve seen the ads before, clicked through to see what it was, and then shut down the page fast when I saw that there was a Flash plug-in and a membership form to agree to. This time, I said, well, let’s check it out. On my test machine, not the production box. With extreme caution.

OK, off to the XP test box. At the moment, it’s running XP Pro, Service Pack 3, fully-patched, and Microsoft Security Essentials Anti-Virus, and has no other security in place, no data, and no significant software other than patched versions of Adobe Flash and Sun Java.

The link from the ad was to mycartoon(dot)info, which immediately redirected to imakemoolah(dot)com, which then immediately redirected to home(dot)zwinky(dot)com. Note the past tense; as I write this, a week later, the link has changed, and the final step now goes to home(dot)mywebface(dot)com.

Neither of these sites contains the promised ‘Avatar’ look. The ad also implies that I can convert a photo. That’s not there, either. What was there is Zwinky, apparently an online ‘community’ using cartoon avatars. It invited me to create my Zwinky character. OK, so I did. There is a required sign-up for a membership in the online Zwinky site, and an email address is required (I used one of my temporary emails, and it has not been spammed, so far). Here’s what I found along the way, in case you find this on a computer during a cleanup.

First off, Internet Explorer 8 warned me of an Active X control installation. There is a basic warning that I’m installing the MyWebSearch toolbar. Note that the page is from Zwinky, but the download is from imgfarm(dot)com, while the source of the download is from their SmileyCentral project. It’s all very spread out over multiple sites.

Next, there is a clue that multiple products are included. The Internet Explorer Security Warning identifies the download as being from Fun Web Products, and includes “Zwinky, My Web Search, Search Assistant, and Easy…” The line is cut off; could go on for a ways yet.

Finally, my screen begins to show something that’s closer to what I clicked on:

And done:

OK, I UNCHECK both boxes, and click finish. The mywebsearch toolbar appears anyway, and I’m taken to the Zwinky page to create a character.

OK, now let’s look at what else is happening in the background.
I ran HijackThis and checked the log; it’s immediately apparent that this product is startupware–all these items are new:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O8 - Extra context menu item: &Search - http://tbedits.mywebsearch.com/one-toolbaredits/menusearch.jhtml?s=100000338&p=ZJxdm3802MUS&si=40699&a=..bh6qJGzk7dFMyFxzxTDA&n=2010061710
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe

In order, note the URL search hook in group R3, the two Browser Helper Objects in group O2 and the toolbar in group O3, the three Run-key entries in group O4, and the installed service in group O23. Big product, by any measure.

Next, I took a look at the C: drive. Under Program Files, there’s 6 MB of files under ‘MyWebSearch’ and 0.6 MB under ‘FunWebProducts’, which contains 4 folders and only 1 file. Over in Control Panel, there is one new entry, for “My Web Search (Zwinky)”, listed as 6.29 MB. I’ll run that later.

Next, I go back into Internet Explorer. It opens to my usual home page of ‘about:blank’, so that’s OK–remember, I did decline the home page change earlier. I tried to turn off the toolbar, and here’s the result–I chose to disable:

OK, back to Control Panel. Ran the uninstaller. There’s one confirmation screen, and I chose to remove all features. A reboot is needed, OK. There’s a file left behind in c:\Program Files, so I delete ‘Uninstall Fun Web Products.dll’. A second pass through HijackThis shows one straggler autostart item–I removed it manually:

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab

Now, as invasive as this product is, their online drawing program does work easily. In case my readers are tempted to go there, and create an avatar, like I did–be warned. The avatar can’t be saved or exported, it’s only usable on Zwinky, and you can create only one, so it’s pretty limited overall. The images I’ve created were done using creative and major browser zooming on the page, then screen captures, imports of the captures into Corel Draw! X4 for a bitmap-to-vector conversion, more tweaking and editing, isolation of the head for some versions, and so on. I invested 90 minutes, and someone with less familiarity with drawing software would not end up with a usable avatar.

So what is all this? It looks like a URL search grabber, with a major content delivery system of cute drawing programs that can’t save files. Zwinky.com does, at least, have a visible means of financial support in the ads on their site, but they also have a link on the footer to their affiliate program, where they claim no spyware (right, just a search hook), no adware, high industry payouts, and association with webfetti, CursorMania, and “in partnership with neverblue”.

Let’s make this clear–these items are misleading, invasive, and possibly not quite fraudulent (in the legal sense), but they are clearly not drive-by downloads, except in one sense: The names are all mismatched. I click on mycartoon(dot)info, and pass through imakemoolah, to zwinky, download from imgfarm, and end up with FunWebProducts and MyWebSearch. Many end users aren’t watching that closely.

As far as cleanups go, when I have an infected PC on my desk, the usual situation is that there is some malware of unknown origin (I didn’t see any on these sites, as of June 2010), so I go looking, and I find 10 autostart entries for one web application that my customer doesn’t remember installing, plus a variety of other items of similar unknown origin, so they all come out. For me to leave them alone, the install would have to include no search hook, no toolbar, and no installed Windows service; this combination of mismatched web sites delivers all three, and there is no need for a web page to run 10 autostarts. Delete that.
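The removal rule just stated (anything that ships a URL search hook, a toolbar, or a Windows service comes out) and the HijackThis listing earlier in this report can be turned into a small triage script: parse the log, group the entries by the product that owns them, count how many autostarts each product has, and mark which of the three criteria it meets. This is an added example, not HijackThis code or anything from the Startupware site. The sample log is the report’s own entries retyped with plain hyphens, plus one constructed Microsoft Security Essentials Run entry as a control; the six-letter vendor key is a heuristic of this example (it works here because 8.3 short names such as MYWEBS~1 keep the first six characters of the long name), not a HijackThis feature:

```python
import re
from collections import defaultdict

# Constructed sample: the entries from the log above, plus one benign Run entry
# (Microsoft Security Essentials, added here as a control).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O8 - Extra context menu item: &Search - http://tbedits.mywebsearch.com/one-toolbaredits/menusearch.jhtml?s=100000338&p=ZJxdm3802MUS&si=40699&a=..bh6qJGzk7dFMyFxzxTDA&n=2010061710
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
"""

# "O4 - HKLM\..\Run: detail" -> group code, entry kind, free-form detail
ENTRY_RE = re.compile(r"^(?P<group>[RO]\d+) - (?P<kind>[^:]+): (?P<detail>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Sub-folder directly under Program Files, in long or 8.3 form.
PROGDIR_RE = re.compile(r"(?i)(?:program files|progra~1)\\([^\\]+)\\")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")

# Groups that, per the cleanup rule above, are grounds for removal on their own.
REMOVAL_GROUPS = {"R3": "URL search hook", "O3": "browser toolbar", "O23": "installed service"}


def product_key(detail):
    """Heuristic owner key (an assumption of this example): the first six letters
    of the Program Files sub-folder, or of the URL's second-level domain."""
    m = PROGDIR_RE.search(detail)
    if m:
        return re.sub(r"~\d+$", "", m.group(1).lower())[:6]
    m = URL_HOST_RE.search(detail)
    if m:
        labels = m.group(1).lower().split(".")
        if len(labels) >= 2:
            return labels[-2][:6]
    return None


def parse_log(text):
    """Parse HijackThis-style lines into dicts; non-matching lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        detail = m.group("detail")
        clsid = CLSID_RE.search(detail)
        entries.append({
            "group": m.group("group"),
            "kind": m.group("kind"),
            "detail": detail,
            "clsid": clsid.group(0).upper() if clsid else None,
            "product": product_key(detail),
        })
    return entries


def flag_products(entries):
    """Per owner key: autostart count, per-group counts, which removal criteria
    are met, and the verdict (remove if any criterion is met)."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in entries:
        counts[e["product"]][e["group"]] += 1
    report = {}
    for product, groups in counts.items():
        hits = [name for code, name in REMOVAL_GROUPS.items() if groups.get(code)]
        report[product] = {
            "autostarts": sum(groups.values()),
            "groups": dict(groups),
            "hits": hits,
            "remove": bool(hits),
        }
    return report


if __name__ == "__main__":
    for product, info in flag_products(parse_log(SAMPLE_LOG)).items():
        verdict = "REMOVE" if info["remove"] else "keep"
        print(f"{product or '?':8} {info['autostarts']:2} entries  {verdict:6} {', '.join(info['hits']) or '-'}")
```

On the sample log the MyWebSearch entries collapse into one owner with nine autostarts that meets all three criteria, the imgfarm.com download (O16) stays a separate owner because it lives on a different domain, which is exactly the spread-across-sites pattern described above, and the control entry is left alone.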

And that’s a shame, too. If these programs ran without the toolbars and autostarts, with no associated search hook baggage, and could save images easily, they would be worth paying for. Oh, well.