P2P-Zone  


Peer to Peer The 3rd millenium technology!

Old 10-04-02, 12:11 AM   #1
JackSpratts
Join Date: May 2001
Location: New England
Posts: 10,017
Grokster Sending Executables

i've just gotten six executables, programs like "downloadware" and "movienetworks" installed and running in startup (without my permission needless to say). anyone getting these? ad-aware isn't catching a thing and my cd_clint.dll is fine. something's up and it's not good. there must be a pgm that's calling them but what and why right now? i get that "your security's been compromised" pop-up, which naturally i close using ctrl-alt-delete but they're still getting in, and fast. if i can't figure this out it's good-bye FastTrack. it's that bad.

- js.
Old 10-04-02, 12:31 AM   #2
BuzzB2K
Just another cat on the FastTrack...
Join Date: Jan 2002
Location: Hamilton
Posts: 727
Re: Grokster Sending Executables

Quote:
Originally posted by JackSpratts
i've just gotten six executables, programs like "downloadware" and "movienetworks" installed and running in startup (without my permission needless to say). if i can't figure this out it's good-bye FastTrack. it's that bad.

- js.
It took a while to find this (It was buried in your Clean Grokster Post) Did you ever check this program out?

Quote:
One program I find I can't do without (It's one of the first I install if I re-load Windows) is Mike Lin's StartupMonitor. Here is a quote from Mike Lin's Home Page.

quote:
--------------------------------------------------------------------------------
StartupMonitor is a small utility that runs transparently (it doesn't even use a tray icon) and notifies you when any program registers itself to run at system startup. It prevents those utterly useless tray applications from registering themselves behind your back, and it acts as a security tool against trojans like BackOrifice or Netbus.

--------------------------------------------------------------------------------
Old 10-04-02, 12:54 AM   #3
TankGirl
Madame Comrade
Join Date: May 2000
Location: Area 25
Posts: 5,587

It seems like somebody is eagerly pushing new software through the uncontrolled FastTrack channel (through supernodes and the automatic software upgrade function of the FastTrack engine). In the 'better' scenario that would be Kazaa/BDE, perhaps securing a way to access your computer even in case you decided to uninstall Grokster/Kazaa (I wouldn't be surprised at all to see them doing something like this). In the worse scenario a hacker has already found out how to abuse the mentioned uncontrolled channel to get an easy bridgehead to millions of computers. Considering the late publicity on FastTrack security the latter scenario would not be a big surprise either - who knows if there is an unofficial hacker competition going on who will be the one to 'own' the network. Of course there is also the possibility that some of the third-party spyware delivered with Kazaa/Grokster has been left intact despite your use of Ad-Aware and now the vendor of that spyware is quickly strengthening its own hold on your machine.

I repeat my recommendation: do not use FastTrack-based software anymore, not even the 'neutered' versions if they connect to the FastTrack network. Unless the automatic upgrade mechanism itself is neutered you are no more safe than with the official versions. Clean your system with the latest Ad-Aware. Learn to use alternative p2p programs and wait for the open source giFT client to enjoy the FastTrack functionality in a safe manner.

- tg
Old 10-04-02, 01:28 AM   #4
BuzzB2K
Just another cat on the FastTrack...
Join Date: Jan 2002
Location: Hamilton
Posts: 727

Quote:
Originally posted by TankGirl
I repeat my recommendation: do not use FastTrack-based software anymore, not even the 'neutered' versions if they connect to the FastTrack network. Unless the automatic upgrade mechanism itself is neutered you are no more safe than with the official versions. Clean your system with the latest Ad-Aware. Learn to use alternative p2p programs and wait for the open source giFT client to enjoy the FastTrack functionality in a safe manner.

- tg
I appreciate your recommendations, however, until I see any attempt to install any unknown software on my own system, I will take all recommendations under advisement only... And shall continue to use Grokster (But I wouldn't touch KaZaA with a 10ft pole)

BTW I do use alternative p2p programs (eDonkey, WinMX, audioGnome)
Old 10-04-02, 01:30 AM   #5
petriburg
Registered User
Join Date: Jan 2002
Location: Sydney, Australia
Posts: 307

Well thanks, TG, I know this post was not directly intended as a reply to my plea for advice on selection of p2p software, but it certainly bolsters my resolve to remain abstinent from FastTrack's sneaky little games. I guess in the meantime, I'm just going to have to endure the slow downloads and (oftentimes) endless queues of WinMX and Blubster. Something good is sure to come along soon
__________________
petri

"You are old, father William," the young man said,
"And your hair has become very white;
And yet you incessantly stand on your head -
Do you think, at your age, it is right?"
Lewis Carroll.
Old 10-04-02, 01:42 AM   #6
JackSpratts
Join Date: May 2001
Location: New England
Posts: 10,017

i found this file under windows | temp - it's called "WebPoolFileFile". i tried adding .bak but it was in use, so i did it in safe mode. as soon as i rebooted in normal mode it readded itself. i've no idea what it is but i think it may have something to do with what's going on, tho obviously there's another program calling the shots.

unfortunately it's gotten beyond grokster now. i could stop using it but this stuff would still be here. if i can't pull it out (and i don't even know what to look for) i'm going to have to do a full restore. course i'll lose 30 gigs of data - it's an exercise in futility saving the files if you don't know which one's corrupt. but there's absolutely no way i'm living with this junk. well at least i was planning a restore anyway for an upgrade to xp.

needless to say, if i have to do this then the present FastTrack system will never find its way back to my pc unless it hacks its way in.

let's hope it doesn't come to that. but the way things are going you never know.

this whole system of unbalanced dependence on ad-aware for my entire pc experience leaves me way too vulnerable for my taste. eventually a day arrives when ad-aware won't cut it, like today for me, and then you've dropped off the deep end. the process needs rethinking. it's too unstable to expect people to take seriously.

- js.
Old 10-04-02, 02:00 AM   #7
TankGirl
Madame Comrade
Join Date: May 2000
Location: Area 25
Posts: 5,587

Quote:
Originally posted by JackSpratts
i found this file under windows | temp - it' called "WebPoolFileFile". i tried adding .bak but it it was in use, so i did it in safe mode. as soon as i rebooted in normal mode it readded itself. i've no idea what it is but i think it may have something to do with what's going on, tho obviously there's another program calling the shots.
Google found some info suggesting that this particular file might be a temporary file created by McAfee Anti-virus:
Quote:
I asked McAfee Anti-virus "How to get rid of WebPoolFileFile" Their answer is as follows:
CAUSE: This file is part of the ActiveX and Java scanner in VShield for VirusScan 4.0.0 and above.
FIX: There is no need to delete this file because it is a temporary file for VShield's internet scanning. The file will disappear if you exit VShield but cannot be deleted because it is in use by VShield.

Hope this helps.
As this is second hand information from a discussion forum it is hard to say whether it is reliable. Anyway, the unexpected EXEs popping up on your machine are more worrying.

- tg
Old 10-04-02, 02:05 AM   #8
BuzzB2K
Just another cat on the FastTrack...
Join Date: Jan 2002
Location: Hamilton
Posts: 727

TG

That is the same info I have been reading so far... Still searching.

It's hard to find any info on the McAfee site...

Quote:
This file is part of the ActiveX and Java scanner in VShield for VirusScan 4.0.0 and above. There is no need to delete this file because it is a temporary file for VShield's internet scanning. The file will disappear if you exit VShield but cannot be deleted because it is in use by VShield.

Here are some totally useless results from AltaVista

Extend Your Search:
Comparison shop for WebPoolFileFile
Find WebPoolFileFile at eBay! Register now!
Search for WebPoolFileFile in your local yellow pages
Old 10-04-02, 02:35 AM   #9
Snarkridden
OpenNap Server Operator
Join Date: Jan 2002
Location: U.K
Posts: 401
Brows Startup Monitor

--------------------------------------------------------------------------------

One program I find I can't do without (It's one of the first I install if I re-load Windows) is Mike Lin's StartupMonitor. Here is a quote from Mike Lin's Home Page.

Totally agree with Buzz, brilliant program, installed on every PC here, keeps popping up on the most unexpected occasions, even on known safe utilities, shows you how often they try to place themselves in STARTUP, even when you think (Msconfig) you have stopped them.

Snark...

The War is ON, wear Armour at your PC
Old 10-04-02, 02:47 AM   #10
TankGirl
Madame Comrade
Join Date: May 2000
Location: Area 25
Posts: 5,587

I know that my recommendation of not using any FastTrack clients may sound almost harsh to many of you who have enjoyed the fast downloads and the plentiful content in the network - not to talk about you who have put a lot of work into building great utilities and add-ons for the FastTrack clients. It sucks big time to see all this happening - the members of the so far biggest p2p community being treated as shit in the power games of venture capitalists, our online privacy and security being no more than a nice topic in the Orwellian speech of those who are responsible for what has happened.

Those of you interested in more detail on the issue of FastTrack security, read this security analysis by Nicholas Weaver, who is a researcher at Berkeley university. Hackers have already read it, you can count on that.

Quote:
Buzz: (hi buzz! )
And shall continue to use Grokster (But I wouldn't touch KaZaA with a 10ft pole)
I wish it was that simple. If you have to choose between Kazaa and Grokster the latter is naturally a better choice as it has less spyware bundled with it. But you can not avoid touching Kazaa as the p2p engine that powers Grokster and even Kazaa Lite is made by Kazaa and once you connect to the FastTrack network it is also under Kazaa's full control. To be able to use your client you have allowed it full access through your firewall so that security door is wide open for whoever controls the FastTrack network. And the automatic upgrade mechanism built into the p2p engine sees that the owner of the network can push any software they wish to your computer through supernodes, effectively owning your computer. Now you may ask how this differs from you having a trojan on your computer. The answer: it doesn't.

- tg
Old 10-04-02, 03:12 AM   #11
twinspan
- a rascal -
Join Date: Mar 2002
Location: for security reasons, never the same as the President's
Posts: 759

I've been running Grok almost 24/7 lately and am not getting any of these self-installing progs.

NOTE: I keep IE's security levels insanely high for the Internet Zone (Tools > Internet Options > Security > Internet Zone > Highest, then Custom and disable everything. EVERYTHING. Active Scripting, File Download, Active X, the full monty)

As Kazaa/Grok rely on IE and its settings, they can't pull any shit on you if you do this. I never even knew Grok caused pop-ups until one time I'd enabled Active Scripting and forgot to turn it back off.

For ordinary surfing, I use Opera now, which isn't disabled by these settings and seems to be immune to all these self-installing progs, Browser Helper Objects etc. (When still using IE, I'd add particular sites to my Trusted Zone so they wouldn't be too hampered. But even then I keep a lot of options disabled in Trusted Zone too).
Old 10-04-02, 03:27 AM   #12
TankGirl
Madame Comrade
Join Date: May 2000
Location: Area 25
Posts: 5,587

Quote:
Originally posted by twinspan
As Kazaa/Grok rely on IE and its settings, they can't pull any shit on you if you do this. I never even knew Grok caused pop-ups until one time I'd enabled Active Scripting and forgot to turn it back off.
This applies to the outer layers of the client programs that utilize IE integration in their user interfaces and possibly in some other functions. My guess is however that the p2p engine itself is IE-independent. The core designers have hardly wanted to put such a portability limitation and Microsoft dependence on themselves.

Anyway, your security advice and approach is sound, twinspan. I myself have also started to use Opera more and more, especially on sites that are plagued by pop-ups.

- tg
Old 10-04-02, 05:27 AM   #13
Smoketoomuch
freak
Join Date: Jan 2002
Location: Hungary
Posts: 906

OMG, sorry to hear what happened Jack... I'm not sure this would help, just a couple of ideas probably you already tried.

First, I'm sure you know regcleaner - I mean this one:
[image]
The important part now is not the regclean, but the software part - it has a list of the software on your puter, you might check it out, maybe you can see something that should not be there... (if ad-aware could not find it, I think its regclean part would not find those buggers either...) I'm often puzzled by some stuff I have on my puter, which I would not know of were it not for that list...

The other thing that occurred to me is to run Evidence Eliminator with safe restart mode... It's easier than to back up those 30 gigs... Something tells me that EE should help...

Then there is this amazing page MikeHunt posted in bytebits: http://www.cexx.org/ (Counterexploitation) - I was reading some stuff they wrote there, you might want to take a look, they have good advice for situations like yours, with step by step description of what to do... scroll down and "How to remove StartUp Spam" would be your section I guess... But there are many related topics...

I hope some of this would help...



ps - and don't upgrade to XP ... yet.

edited to relocate image ...
__________________
"If you open your mind too wide, people would throw trash in it"

Last edited by Smoketoomuch : 10-04-02 at 07:38 AM.
Old 10-04-02, 05:39 AM   #14
zombywoof
Join Date: Mar 2000
Posts: 2,160

If you are going to run on the fast track network, why not run the latest adaware v5.71 and run Kazaa lite build 3 1.60 with the dummy clint file already installed.

Like JS said though, it's going to get to a point where adaware won't cut it. It sucks that with today's p2p apps, you gotta constantly update and run adaware to try and keep up with the scumware that's constantly being put out there.

Last edited by zombywoof : 10-04-02 at 06:09 AM.
Old 10-04-02, 11:23 AM   #15
JackSpratts
Join Date: May 2001
Location: New England
Posts: 10,017

Thanks for all your sound advice guys; I’ll be running the monitor. Nice work on the file source TG & Buzz. Makes sense, I did a full McAfee virus scan last night and now I can eliminate it as the problem. IE security settings are back to "insanely high" again. I had lowered them to do some actual internet "work" on this pc, something I need to do occasionally (pity the poor folks who must do so every day). It’s more than possible these pgms came thru IE, but if so they came in last night as pop-ups during a grokster session, and my “closing a page” probably loaded the first program, the unknown one which then brought in all the rest. Of course it’s the not knowing that prevents me from removing it. But this is no mark in Grokster's favor, the fact that it might not have been delivered via altnet or something similar. When a company allows its partners to reprogram their customers' PCs and surreptitiously force completely unwanted and even destructive products into their machines, regardless of the delivery system utilized, this can hardly be seen as an endorsement. The best they can say is that the porn industry does it too. Indeed. Take that thought to congress guys.

I just keep coming back to the millions of regular users struggling with these issues everyday. Children who visit their favorite sites, kids looking for knowledge, teens racing around the net in a surfing frenzy just to stay current and older people trying for some relevance in the eyes of those they love. All of them washed by this hidden river of polluted and bankrupt commercial attacks, into a decaying swamp of greed and mendacity. And all of it in secret, being fought against in darkness by the unknown throughout the world at small outposts like this one at NU and others still deeper in shadow, by people, some of whom I’ve known for years who will never reveal their identities while this struggle continues. Seems somehow wrong all this. But to let it slip away, to let them win, to give this all up to the soulless, would be an even worse assault to our ideals.

- js.
Old 10-04-02, 01:56 PM   #16
napho
Dawn's private genie
Join Date: May 2001
Location: the Canadian wasteland
Posts: 4,461
This stuff looks familiar

Instructions to remove MediaCharger, Movienetworks, and Downloadware unauthorized programs/spy-adbots

limited disclaimer, use at your own risk, nothing should be able to be affected by these actions, but in case you mess up (or god forbid I missed something) then the mess is all yours. I'm just trying to help but I am human and do make mistakes (which is why I double check everything)
I've used these exact actions to remove the programs from my computer

ok first, open IE go to tools->internet options->security->and click custom for each zone, and make sure to check prompt for both of the first 2 options (download signed activeX and unsigned activeX). this is the only way to keep this mess out... (you are likely to see a lot more warning windows pop up while you are browsing now) click ok. on the first tab, choose delete temp internet files. close IE

next, open c:\program files\ and see if there are folders for 'movienetworks' and/or 'downloadware' as well as MedCh, if found delete the movienetworks folder and MedCh, leave the downloadware folder for a moment if found, and go to the control panel->add/remove programs , click on downloadware, and click remove. it may open a webpage, just close it (or feel free to complain in the provided space) then go back and make sure the folder is gone too.

next is c:\windows\downloaded program files, there should be a file that looks like this {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} right click the properties, if the general tab has 'codebase: http://download.mediacharger.com/movinetworks.' that is the one you want to remove.

next open start->run and type msconfig and hit ok, move to the start up tab and look for WebInstall2, (go ahead and uncheck the box next to it we'll remove it completely in a second.) next to that it will tell you the filename, located in c:\windows\temp\ named something like ins1234.tmp, go to that folder and delete that file, and any others with a similar name (always ????????.tmp mostly starting with ins, rem or tem followed by numbers) if it won't delete, press ctrl+alt+del 1 time, and if it's running select it and choose end task, then go and delete it. click ok in the msconfig panel, when it asks if you want to restart now click no.

next is for semi experienced users. if you have never edited your windows registry, or are unsure of yourself at all don't do it, just restart your computer. making a mistake here could make your computer unbootable.

go back to start->run and type in regedit and press ok. press ctrl+f and enter 'downloadware' make sure to search for keys, data, and values. press find next, if it finds it right click the folder(key) it finds and select delete, click yes to delete, then press f3 to keep searching, keep doing that until you get 'finished searching the registry' or 'not found'. then scroll back to the top, click on my computer (in regedit) and search (and destroy) the following words in the same manner (without the quotes)

'mediacharger'
'movienetworks'
'webinstall'
'{EB6AFDAB-E16D-430B-A5EE-0408A12289DC}'
'{1F84A44F-9E80-4BED-954A-16337FBB5414}'
'conflict.17'

afterwards close regedit and restart your computer. done

http://pub46.ezboard.com/fcybermalls...opicID=5.topic
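As an added illustration (not code from the thread, from StartupMonitor, or from any tool named above), the Python script below does offline what Buzz's and Snark's StartupMonitor does live and what napho's msconfig and regedit steps do by hand: it parses two regedit exports of the Run keys (a baseline taken when the machine was known clean and a current one), reports every startup entry that was not in the baseline, and flags the indicators napho lists (the DownloadWare, MediaCharger, MovieNetworks and WebInstall names, and a startup command pointing at an ins1234.tmp-style file under c:\windows\temp). The two .reg samples embedded in it are constructed for the example; dw.exe and SampleTool are hypothetical names, while the indicator names and the temp-file pattern come from napho's post.

```python
"""Offline audit of Windows Run-key startup entries from regedit exports.

Added example; not from the thread or from StartupMonitor. It assumes the
text format regedit writes on export ("Windows Registry Editor Version 5.00"
header, [KEY] lines, "Name"="Value" lines, backslashes doubled inside values).
"""
import re
from typing import Dict, List, Tuple

# The per-machine and per-user Run keys where programs register themselves to
# start at login; this is what StartupMonitor watches and what the msconfig
# 'Startup' tab lists.
RUN_KEY_RE = re.compile(
    r"^\[(HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\(?:Run|RunOnce|RunServices))\]$",
    re.IGNORECASE,
)
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

# Names from napho's removal instructions, matched against entry name and command.
BAD_NAMES = ("downloadware", "mediacharger", "movienetworks", "webinstall")
# WebInstall2 was started from c:\windows\temp\ins1234.tmp-style files
# (names beginning ins, rem or tem followed by digits, extension .tmp).
TEMP_TMP_RE = re.compile(r"\\windows\\temp\\(?:ins|rem|tem)\w*\.tmp\b", re.IGNORECASE)


def parse_run_entries(reg_text: str) -> Dict[str, Dict[str, str]]:
    """Return {run_key: {entry_name: command}} for Run-type keys in a .reg export.

    Values under other keys are ignored. Only the doubled-backslash escape is
    undone; other .reg escapes (escaped quotes, hex data) are not handled here.
    """
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            match = RUN_KEY_RE.match(line)
            current = match.group(1) if match else None
            if current is not None:
                entries.setdefault(current, {})
            continue
        if current is None:
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries[current][match.group("name")] = match.group("value").replace("\\\\", "\\")
    return entries


def suspicious_reasons(name: str, command: str) -> List[str]:
    """Indicators from the thread that apply to one startup entry."""
    reasons: List[str] = []
    haystack = f"{name} {command}".lower()
    for bad in BAD_NAMES:
        if bad in haystack:
            reasons.append(f"known adware name '{bad}'")
    if TEMP_TMP_RE.search(command):
        reasons.append("launches a .tmp file from the Windows temp folder")
    return reasons


def audit(baseline_reg: str, current_reg: str) -> List[Tuple[str, str, str, List[str]]]:
    """Compare a current export with a known-good baseline.

    Returns (key, name, command, reasons) for every entry that is new since the
    baseline (StartupMonitor's trigger) or matches one of the indicators above.
    """
    baseline = parse_run_entries(baseline_reg)
    current = parse_run_entries(current_reg)
    findings = []
    for key, items in current.items():
        for name, command in items.items():
            reasons = suspicious_reasons(name, command)
            if name not in baseline.get(key, {}):
                reasons.insert(0, "not present in baseline export")
            if reasons:
                findings.append((key, name, command, reasons))
    return findings


# Constructed sample exports (not real captures). dw.exe and SampleTool are
# hypothetical names; the WebInstall2/ins1234.tmp entry mirrors napho's post.
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VShield"="C:\\Program Files\\McAfee\\VShield.exe"
"""

CURRENT_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VShield"="C:\\Program Files\\McAfee\\VShield.exe"
"WebInstall2"="C:\\WINDOWS\\TEMP\\ins1234.tmp"
"DownloadWare"="C:\\Program Files\\DownloadWare\\dw.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SampleTool"="C:\\Tools\\sampletool.exe"
"""

if __name__ == "__main__":
    for key, name, command, reasons in audit(BASELINE_REG, CURRENT_REG):
        print(f"{key}\n  {name} = {command}\n  -> {'; '.join(reasons)}")
```

On a real machine the two inputs are regedit exports (File > Export) of the HKLM and HKCU Run keys; the script never touches the registry itself, so it can be run on any OS against the exported text. An entry reported only as "not present in baseline export" is not necessarily hostile, it is simply the thing to look at, which is the same judgement StartupMonitor's prompt asks of you when a program registers itself to run at startup.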
Old 10-04-02, 02:38 PM   #17
JackSpratts
Join Date: May 2001
Location: New England
Posts: 10,017

ok napho, thanks a lot! will try this soon.

- js.
Old 10-04-02, 05:22 PM   #18
thegame412
Registered User
Join Date: Mar 2002
Location: New York
Posts: 16
Downloadware

I also unwillingly received the program downloadware while using grokster last night. And today while looking in the add remove programs folder, I found that bd3 projector was in there. I really think that it came in with the downloadware program. I think it's time to ditch FastTrack and move on to winmx or another network. I know that they are not great but FastTrack is just no longer safe. Anyone who has been using grokster for the past few hours or so should check their add remove programs folder to see if they have bd3 projector installed.
Old 11-04-02, 10:26 AM   #19
Mowzer
'
Join Date: Jan 2002
Posts: 209

My grokster hasnt given me any extra spyware lately.

Mostly I think cause I have it firewalled up so tightly through advanced rules.

However last night during start up I did get a prompt to download and save to my computer a file named "index.html"

Any one else had grokster asking you to install index.html?
Old 11-04-02, 01:18 PM   #20
snowman
Registered User
Join Date: Mar 2002
Posts: 56
firewalls won't help

FastTrack has in it a technique to auto-download-install files on its own behalf.

These could be .EXE, .COM, .DLL's or just a good old MP3.

This ability is/was called the auto-update feature. It was turned off at version 1.3 because of complaints from the user community in Morpheus, Grokster. I can't remember if Kazaa did also.

If you run FastTrack in any form you are not safe because the communication is done via the permitted channel on port 1214.

A firewall will not save you from this plague.
__________________
snow man
Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
© www.p2p-zone.com - Napsterites - 2000 - 2024 (Contact grm1@iinet.net.au for all admin enquiries)