Spyware Warrior

[suzi]

I got this comment on my blog tonight -

[suzi]

Well, I think the question has been answered. Another comment from the same IP address was posted

[Nick]

So I put this url into IE

http://spyware.removal.nospyx.com/free/spyware-scan/

which I have locked down to see if it is on any block lists. It isn't, but the picture of the ninja holding the flashlight pretty much told me it was flaky at best.
_________________
Nick's Security Ticker

[Nick]

Through picking around with links on that 2nd url, I found this board.

http://www.spywareboard.com/index.php?s=3a2257ff9a3601092a7070a3a2260d05&

Looks like crap to me and the web bug in the lower left corner according to AD Shield leads to this url hxxp://extreme-dm.com/
which is on IE Spy Ad's list.

Looked around their support forum, if you want to call it that, and was not impressed. Seems kind of vacant too.

Oh yeah, be careful clicking on the links.
_________________
Nick's Security Ticker

[suzi]

Here is the whois look up for spywareboard.com.

Registrant:
Data Tanks Inc
2756 N. Green Valley PKwy. # 4
Henderson, NV 89014
US
7022708299


Domain Name: SPYWAREBOARD.COM

Administrative Contact:
Hosting, Data Tanks info@datatanks.com
2756 N. Green Valley PKwy. # 4
Henderson, NV 89014
US
7022708299


Technical Contact:
Hosting, Data Tanks info@datatanks.com
2756 N. Green Valley PKwy. # 4
Henderson, NV 89014
US
7022708299


Record last updated 06-14-2004 01:06:22 AM
Record expires on 05-21-2005
Record created on 05-21-2004

Domain servers in listed order:
NS0.INTERESOFT.COM 69.42.89.141
NS1.INTERESOFT.COM 69.42.89.142

Webhelper or anyone, do you know anything about this site?
I've seen that spywareboard somewhere before but I can't remember where - maybe in another blog comment.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.

[webhelper]

Investigating now
The Nevada address is to a agency that incorporates businesses out of state and keeps their identity a secret.
_________________
Wächter der Geschichten:
http://www.webhelper4u.com/thewatcher.html
Member of ASAP Since 2004

[webhelper]

Before I start you only need to ask your self one question. Would you give money to porn peddlers for software that is supposed to help protect you? Also, who and how are they making their updates?

**
The software has a reference file that looks as if it is written in Czech. The Author is in the version properties.

**
NoSpyX.exe
Author: Mladen Bajic, baja@yunord.net
ponto.subotica.net 212.200.136.37
**
Live Update.exe
Author: Mladen Bajic, baja@024w.net
024W.NET 213.244.228.46
**
Part of the reference file: DataBase.ref
**
Xeytokp 8/7" 994,7.91600 92@,2
B1@34-885y4t
B1984t0x5y
Bx5y4t0x
%Tybigknn!Ikqkpfy
Eovloa~07G{j~Tybigknn!Ikqkpf
Eovloa~171nkv|[sg_miuh&?qorjk
Eovloa~1?1Yknu{juju|[sg_miuh&?qorjk
Eovloa~1@14_qmƒUx]ekpomEovloa
Eovloa~1zuHhczl}Znccrjtc"Cvpqeg
Eovloa~2874-935381~Tybigknn!Ikqkpf
Eovloa~2;8Safih}Znccrjtc"Cvpqeg
Eovloa~2;8XaclTfjec|[sg_miuh&?qorjk
Eovloa~2v8‚Ptajloji Jpugke
Eovloa~6=/=,028/>,~Tybigknn!Ikqkpf
Eovloa~7ZfgnehƒUx]ekpomEovloa
Eovloa~Aip{p0cvn‚Ptajloji Jpugke
Eovloa~AjdkjfoƒUx]ekpomEovloa
Eovloa~Ak.LhqwƒUx]ekpomEovloa
Eovloa~Swjt>qxƒUx]ekpomEovloa
***************************************************8
http://spyware.removal.nospyx.com/free/spyware-scan/
spyware.removal.nospyx.com 69.42.89.135
InerEsoft.com (Bogus)
2756 N. Green Valley PKwy. 4
Henderson NV 89014 US
7022708299
nospyx.com 69.42.89.135
InerEsoft.com
2756 N. Green Valley PKwy. 4
Henderson NV 89014 US
7022708299

spywareboard.com
spywareboard.com 69.42.89.136
Data Tanks Inc
2756 N. Green Valley PKwy. 4
Henderson NV 89014 US
7022708299

datatanks.com 216.110.35.129
Data Tanks Inc
2756 N. Green Valley PKwy. 4
Henderson NV 89014 US
7022708299

64.237.60.41 jtproject.com
3 Gumbas Entertainment INC
9420 Reseda Blvd 821
Northridge CA 91324
US
818701224

64.237.60.42 3gumbas.com
3 Gumbas Entertainment INC
9420 Reseda Blvd 821
Northridge CA 91324 US

64.237.48.6 ELITEPLANET.NET
64.237.60.41 jtproject.com
64.237.60.41 fuall.com
64.237.60.42 3gumbas.com
64.237.60.48 titsexe.com Alias: 64.237.60.48.gigabits.us
IP: 64.237.60.41 redirects to: 64.237.60.43 drunkdorm.com

69.42.71.249 drunkdollars.com (porn)
69.42.71.249 clubdrunk.com (porn)
69.42.89.135 spyware.removal.nospyx.com
69.42.89.135 nospyx.com
69.42.89.136 spywareboard.com
69.42.89.137 updates.nospyx.com
204.251.15.151 vainflood.com
216.130.191.9 WEBAIR.NET
*************
Nevada State Corporation Data

Name: DATA TANKS, LLC

Type: Limited Liability Company
File Number: LLC14320-2003
State: NEVADA
Incorporated On: September 19, 2003
Status: Current
list of officers on file
Corp Type: Limited Liability Company
Resident Agent: NEVADA CORPORATE PLANNERS, INC. (Accepted)
Address: 7469 W. LAKE MEAD BLVD STE 200

LAS VEGAS NV 89128-
Manager or Member: SIMON FLYNN
Address: PO BOX 28909

MANAGER
LAS VEGAS NV 89126-
Manager or Member:
Address: PO BOX 28909

********************************



F.U. All inc.
1616 mockingbird lane
beverly hills CA 90210 US
818-701-1873
Domain Name: FUALL.COM
Administrative Contact:
W.K. Andrew andy@drunkdollars.com
1616 mockingbird lane
beverly hills CA 90210 US
818-701-1873
Technical Contact:
W.K. Andrew andy@drunkdollars.com
1616 mockingbird lane
beverly hills CA 90210 US
818-701-1873
Record expires on 08-26-2004
Record created on 08-26-2002
Domain servers in listed order:
NS1.ELITEPLANET.NET
NS2.ELITEPLANET.NET
**
Name: F U ALL, INC.

Type: Corporation
File Number: C22982-2002
State: NEVADA
Incorporated On: September 16, 2002
Status: Default (NO GOOD)
Corp Type: Regular
Resident Agent: NATIONAL REGISTERED AGENTS INC OF (Accepted)
Address: 1000 E WILLIAM ST STE 204
CARSON CITY NV 89701-

President: ANDREW LUCAS
Address: 4542 EAST TROPICANA AVE. #5050
LAS VEGAS NV 89121-

Secretary:
Address: 4542 EAST TROPICANA AVE. #5050
LAS VEGAS NV 89121-

Treasurer:
Address: 4542 EAST TROPICANA AVE. #5050
LAS VEGAS NV 89121-

**
Registrant:
Elite Planet
8252 Louis-Quatorze
Montreal Quebec H1R 3G3 CA
(514) 573-9175
**

69.42.71.249 drunkdollars.com
Registrant:
Fuall Inc
4542 E Trpoicana Ave
Suite5050
Las Vegas NV 89121
US
702-391-4868
Domain Name: DRUNKDOLLARS.COM
Administrative Contact:
Inc. Fuall drunkdollars@yahoo.com
4542 E Trpoicana Ave
Suite5050
Las Vegas NV 89121
US
702-391-4868
Technical Contact:
Inc. Fuall drunkdollars@yahoo.com
4542 E Trpoicana Ave
Suite5050
Las Vegas NV 89121
US
702-391-4868
Record last updated 11-20-2003 12: 57: 48 PM
Record expires on 11-17-2004
Record created on 11-17-2001
Domain servers in listed order:
NS.WEBAIR.NET
NS2.WEBAIR.NET
***************************
DNS Hosting Server
216.130.191.9 WEBAIR.NET
WEBAIR INTERNET DEVELOPMENT INC
333 JERICHO TURNPIKE
SUITE 200
JERICHO, NY 11753
US

Domain name: WEBAIR.NET

Administrative Contact:
Christopher, Michael mike@webair.com
333 JERICHO TURNPIKE
SUITE 200
JERICHO, NY 11753
US
+1.516.938.4100 Fax: +1.516.938.5100

Technical Contact:
Christopher, M okproduction2003@aol.com
PO Box 572
setauket, NY 11720
US
516.938.4100 Fax: 516.938.5100

Registrar of Record: TUCOWS, INC.
Record last updated on 07-Apr-2004.
Record expires on 25-Nov-2009.
Record created on 26-Nov-1998.

Domain servers in listed order:
NS.WEBAIR.NET 216.130.161.1
NS2.WEBAIR.NET 216.130.161.6
*********************
TITSEXE.COM
Vainflood Multimedia LLC
9420 reseda blvd 821
northridge CA 93062 US
8888888888
Domain Name: TITSEXE.COM
Administrative Contact:
Vainflood Multimedia LLC domain@vainflood.com

******************
spyware.removal.nospyx.com/free_nsx.exe
Authors Domian info

NORDNET (YUNORD-DOM)
Nordnet d.o.o. Adolfa Singera 12
Subotica, VO 24000
YU

Domain Name: YUNORD.NET

Administrative Contact, Technical Contact:
Zuzic, Branko (BZ570) zuzic@VTS.SU.AC.YU
NORDNET
Nordnet d.o.o.
Adolfa Singera 12 Subotica, VO 24000
YU
+381 24 600 100 fax: +381 24 551 900

Record expires on 16-Jun-2004.
Record created on 17-Jun-1998.
Database last updated on 15-Jun-2004 15:35:06 EDT.

Domain servers in listed order:

MUNGO.YUNORD.NET 62.108.123.35
PEREGRIN.041NORD.NET 216.40.224.208

**
Domain: 024W.NET

Registrant/Owner: 000-ZJ24423
Zoran Jager
Gunduliceva 22
Subotica Serbia, 24000
YU

Administrative Contact: 000-ZJ24423
Zoran Jager
Gunduliceva 22
Subotica Serbia, 24000
YU
+381.63518466
suonline256@yahoo.com

Technical Contact: 000-ZJ24423
Zoran Jager
Gunduliceva 22
Subotica Serbia, 24000
YU
+381.63518466
suonline256@yahoo.com

Created on 2003-04-03
Updated on 2003-11-06
Expires on 2007-04-03

Nameservers:
PIANO.SUONLINE.NET
FORTE.SUONLINE.NET

Webhelper
_________________
Wächter der Geschichten:
http://www.webhelper4u.com/thewatcher.html
Member of ASAP Since 2004

[suzi]

Good grief! Well their domains are on the blacklist for my blog now, so they won't be dropping any more of their links.

I'm going to put a warning about this on the blog too, especially that bogus forum.


Sounds like these URL's need to go in IE-SPYADS & the various hosts files lists.

I clicked on the link for the free scan and it goes here:

https://secure.interesoft.com/access/nx/10/access1.php?r=304&subid=sea


Domain Name: INTERESOFT.COM

Administrative Contact:
Manager, Domain domains@interesoft.com
2756 N. Green Valley PKwy. # 4
Henderson, NV 89014
US
7022708299


Technical Contact:
Manager, Domain domains@interesoft.com
2756 N. Green Valley PKwy. # 4
Henderson, NV 89014
US
7022708299


Record last updated 04-29-2004 11:50:04 PM
Record expires on 04-12-2005
Record created on 04-12-2004

Domain servers in listed order:
NS0.INTERESOFT.COM 69.42.89.141
NS1.INTERESOFT.COM 69.42.89.142
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.

[webhelper]

I installed and tested the free scan and that is how I got their ref database that is written in Czech or serbian. So they run porn and peddle security software that comes out of Eastern Europe..when getting the IP's for you, they do take you to porn sites and that means when they get hungry for money what is to stop them from installing things like the xxxtoolbar with their software or move into exploits like the CWS porn site do?

Any site to me that deals in the areas of porn and other shaddy operations should not be trusted to sell security software that is supposed to protect users.
_________________
Wächter der Geschichten:
http://www.webhelper4u.com/thewatcher.html
Member of ASAP Since 2004

[suzi]

[wawadave]

i,m glad you posted this!! thx.
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd

[Doug Taylor]

Thank you Suzi and Webhelper! This is appreciated.

With our Lord's blesisngs,

Doug

[DeleterFX]

For every legit site and/or product that pops up about 4 illegit and bad products/companies pop up. Sigh, fighting an uphill battle is never easy.
_________________
You've Been Deleted
CCSP Website

Member of The ASAP Since 2004

[webhelper]

Here is a compar with nospyx and Adaware:

Nospyx

http://spywarewarrior.com/files/webhelper_nsx-log.txt

Adaware: I will only show all the twaintech transponder variant installed.

http://spywarewarrior.com/files/webhelper_aaw-log-1.txt

The nospyx shows no processes and didn't catch all I have installed plus it ran it's update but my firewall showed no file download as it does with the other updates, so I don't think it really even updated their *.ref file.

Edit: removed logs to separate downloadable files. (Aug. 5, 2004)
_________________
Wächter der Geschichten:
http://www.webhelper4u.com/thewatcher.html
Member of ASAP Since 2004

[baja_yu]

Hi to all...

Let me introduce myself. My name is Mladen Bajic and my email is baja@yunord.net ...and the other one (@024w.net) is changed to baja@024wifi.net

I made the application you are talking about, and I made the reference file you mentioned (the satring one). I made it for Datatanks (InterEsoft).

I dont know why you hit on it so bad here. I can assure you personally that the app is clean. At least right now, as I did one update to its code yesterday. I am not sure about the database updates as I did not handle that.

I made it for them as a one time job, I am not employed there (as someone mentioned I am from Serbia), so I really dont know why are you bashing me here, and even more, why are you putting down two of my ISPs (also from Serbia) Yunord.net and 024wifi.net (Suonline - Wireless division)... They have no part in this project, and arent even aware of it...

As I said, I can guarantee that the app and the database are clean, for now. I dont know what they plan to do with it or if they do porn or what ever.

I am not defending them or anything, I dont know what they do befind the scene, and I dont care. I am only here to defend the app I made, as I am sure that it is clean. But as I already said twice, I am not sure where they will take it, and what they will make of it in the future as they can hire someone else to make new modifications.

Thank you for your time.

Regards,
Mladen

[eburger68]

Mladen:

Thanks for visiting Spyware Warrior. I don't think any of the previous posters were "bashing" you personally. From the looks of it, most of the posters' issues lie with the company for whom you built the software -- Interesoft. Unfortunately, we've seen too many companies trying to play both sides of the street lately, and the corporate associations that WebHelper and others have turned up do raise concerns because, as you recognized, the software and what is done with it lies in the hands of Interesoft.

As for whether or not the software you built is "clean," I can vouch that it is -- at least in the various distributions that I've encountered or heard about. I know of no reports that NoSpyX or the others who are distributing variants or re-branded clones actually install malware themselves. And your software does seem to be much less prone to false positives than many other anti-spyware apps that I've encountered.

That said, I am curious as to whether you were aware that there are now at least two variants of the software you built for Interesoft, one of which appears to have "issues" (meaning, it seems to be partially broken)?

SpyVest ( http://www.spyvest.com/ )
SpywareStormer ( http://www.spywarestormer.com/ )

The SpyVest scan results are occasionally broken -- meaning that the software reports X number of spyware components "identified," but the detailed scan results window shows nothing. Any idea what could be causing that?

Finally, why did you so closely model your software on Lavasoft's Ad-aware 6.0? Was that a requirement specified by Interesoft, or was that your own idea?

Thanks for any information you could provide.

Best,

Eric L. Howes

[baja_yu]

Hi,

Thanks for your response. Regarding the variants, I am aware of them. I did them both. Spyvest is similar to NoSpyX (NoSpyX has a registry manipulation app with it, which I didnt make), and SpyVest has some different functions... Spyware Stormer is much more different than the other two, some basic things are the same (like, there is no point in rewriting code for loading files, for example) but the scan and clean portion of it was rewritten, interface and registration schemes changed.

Regarding the interface, they are (almost) always a request of the buyer, and the images for the GUI themselves are not made by me. Unfortunatellym, I'm not that good with graphics

Regarding the other two, the SpyVest problem, I am not aware of it, or if any changes were made that could have caused it, but it might as well be my fault. I have to say that I often dont have time to do thorough testing myself, most of the testing is done on the buyer's side, and of course corrections are made based on user feedback of course.

Regarding the Spyware Stormer, I can guarantee here that it is clean, because all of maintenance is done by me, and I have a contract to maintain it. It is an exceptional application. One thing that can remotely pass into the grey area is that the app loads for images (1x1 pixel in size) the very first time it is started after install. I was told this is to keep track of affiliates. Other than that, it is definitelly clean.

Hope this helps. If you have any other questions I can answer I will be glad to help.

Regards,
Mladen

[eburger68]

Mladen:

Thanks for the informative response. I have a few other questions (if you're up to answering them).

First, who is responsible for building the definitions databases for these variants? Do the companies themselves build the updated definitions, or are you involved with that?

Second, do you know of any other variants besides the three we've discussed (NoSpyX, Spyware Stormer, SpyVest)?

Third, not so much a question as a suggestion: I would recommend taking a look at the SpyVest code again because of the problem with the scan results that I reported. I can supply screenshots if necessary (though I don't know how informative those would be). The test box on which I experienced that problem was a P4 1.8 Ghz, Windows 2000 w/ SP4, Office 2000, Internet Explorer w/ SP1.

Fourth, what is this "registry manipulation app" with NoSpyX that you mention? What's the purpose or functionality of that?

Fifth, how did you get into building anti-spyware applications? Is this an interest or hobby or yours, or was this just code done to order? Any previous experience building anti-malware apps?

Best,

Eric L. Howes

[baja_yu]

Hi,

I built the starting databases of those apps. Regarding updates, I am doing updates for the SpywareStormer app (starting from July 25).

One more variant, also difference in some functionality and in scanning methods. NetSpyProtector. As with others, I have recompiled the app and the installer 2 days ago, so it is clean.

I will check out the SpyVest app. Thanks for the info.

Regarding that registry app, I dont know exactly what it does. I saw it, but didnt use it much. As I remember, it is to plug some registry places where spywares install themselves in the registry. At least that is what the app says. I dont know what it actually does, I didnt code it.

Regarding the fifth question, well it is an interest, hobby and a work thing. I have built a lot of applications for internet security like Popup Blocker, Privacy Eraser, Spyware remover etc. I am planing to start to build several more apps like Firewall, Uninstaller etc.

Regards,
Mladen

[webhelper]

[baja_yu]

Hi,

as I said, I will do the updates from 25th. They have not yet started.

Regarding searching, the app is not yet capable of searching in compressed files, that will come in future version of the app (it has just been released recently). One more thing about scanning, it can find items that are in their regular place (folder, key or what ever) so if you moved them to another folder it will not be able to pick them up (yet). And the database was built some time ago so there are chances that some items are not in it.

And one more comment for the forum programmer, it would be good if we had an option to include attachments, that way we can post a file, large posts like the above can make the thread hard to read.

Regards,
Mladen

[webhelper]

That don't cut it for a product that is sold as for security.

The amount of new threats and older ones with new variants that use different methods changes almost daily and you can find dozens of new ones each day. That means if you are in the business of selling security for users, then you have to keep updates coming out almost weekly.

For compressed files and in different locations, Adware and especially the CWS groups are not going to put their files where you want them just because your program isn't designed to find them that way. Come on now, in that marketing world, they have one goal and that is to get as many people infested with the software in order to collect profitable marketing data. If a user paid money for your software and got hit with CWS, they would need Adaware and Hijackthis along with other utils just to get clean, so you may as well properly inform the buyers that your software cannot detect all. The twaintech.dll that wasn't detected has been out since the begginning of 2004, I know as I got it put into the Adaware reference file and alert sent out on the Internet back then.

Bottom line is your software lacks the needed security that todays threats present and that being said along with the fact that who ever owns spyware stormer that hides behind domains by proxy's registration information as a business is not to be trusted and a risk at best if the purchase the software from them.

For you, you have placed your name in all the different versions so you take the ultimate responsibility for your creation. If it is used at any time for the purpose of adware/spyware/exploits/ or like others that are doing it right now, you will be listed as indirectly supporting the install of the very things that your software is supposed to protect users against.

Since it still doesn't catch half the stuff it should my conversation with you is now at an end as I have more important work to be done in finding and letting the public know of what the bad guys are up to.

webhelper
_________________
Wächter der Geschichten:
http://www.webhelper4u.com/thewatcher.html
Member of ASAP Since 2004

[suzi]

[eburger68]

Mladen:

One more question for you, if I might. I just revisited the home page for NetSpyProtect and noticed that they have a "free scan" that wasn't there when I first visited a few weeks ago. This is an ActiveX-based scanner. For some reason it won't work properly on my box (it hangs right at the end of the download of the definitions). Suzi tried it, though, and reports that it generated numerous false positives on one of her boxes.

My question is: did you have anything to do with the "free scan" application that's being used on the NetSpyProtect home page? Is it based on your code at all? Or is that "free scan" application something that was done separate from your work?

Best,

Eric L. Howes

[baja_yu]

Hi,

no, this is the first time I hear about this. So, I dont know if it's based on my codes. I wasn't aware of those developings and had no part in them whatsoever.

Regards,
Mladen

[baja_yu]

Also, I forgot to mention one important information, all the applications have been developed for different buyers (companies), so there is (guaranteed) no connection between the apps and their distributos.


-Mladen

[suzi]

I made a blog entry about the NetSpyProtector free scan results including screenshots of the false positives.

http://www.netrn.net/archives2/000619.html
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.

[suzi]

MAC, I moved your post so you would get help. It's here:

http://spywarewarrior.com/viewtopic.php?t=5136
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.