Adware question

ms

I normally find maybe 1-2 suspicious files in running Adaware or Spybot.

Yesterday, I downloaded several screensavers from a link in the FWT post. I ran
each exe only to the point I saw the install screen, cancelled the install, (never
installed). I emailed the author, he sent me several *.scr files, I ran them.

Shortly after that, strange things started happening on my hard drive. I ran
Adaware, found 154 objects, quarantined them. Ran Spybot, found 3 objects, deleted
them. Still had a strange dll file popping up in my Download folder, finally ran
scanreg/restore (thanks Karen) and loaded a registry from 2 days ago. Things are
back to normal, except a certain loading delay issue is now even worse.

I looked at the other files I downloaded yesterday, they were from Pablo VanMeer
and NirSoft, both sites I trust. So I ran one of the screensavers again, ran
Adaware, got 3 dataminer objects, so it was the new screensaver.

Finally, the question: How was the adware installed?
I killed the install sequence before it happened, so the adware was part of the
scr executable files themselves?

Mike Sa
 
me

-snip-
I looked at the other files I downloaded yesterday, they
were from Pablo VanMeer and NirSoft, both sites I trust. So
I ran one of the screensavers again, ran Adaware, got 3
dataminer objects, so it was the new screensaver.
-snip-

Hmm, nirsoft.net/ contains some less-'n-kosher html.code. :(

J
 
Anti_Freak_Machine

ms said:
Finally, the question: How was the adware installed?
I killed the install sequence before it happened, so the adware was part
of the scr executable files themselves?

Similar situation here. I installed a SS to the point where I got the
license agreement. In the agreement, it mentioned that 3rd party
software would be installed. I cancelled the install and lo and behold
it installed the third party software anyway. I ran ad-aware and spybot
and it cleaned a bunch of crap out (I run them regularly and never find
anything so it must have been from the SS). After cleaning the garbage
out, I lost my internet connection. I had to use LSPFix to restore it.
The moral is, just because you cancel an install, doesn't mean that
it won't install things. It's trivial for a programmer to create a
custom install screen that does the opposite of what it displays. I
don't know what dataminers were installed (they might have just been
cookies), but it just goes to show you need to be careful when it comes
to free software (screensavers included).
 
ms

Anti_Freak_Machine said:
Similar situation here. I installed a SS to the point where I got the
license agreement. In the agreement, it mentioned that 3rd party
software would be installed. I cancelled the install and lo and behold
it installed the third party software anyway. I ran ad-aware and spybot
and it cleaned a bunch of crap out (I run them regularly and never find
anything so it must have been from the SS). After cleaning the garbage
out, I lost my internet connection. I had to use LSPFix to restore it.
The moral is, just because you cancel an install, doesn't mean that it
won't install things. It's trivial for a programmer to create a custom
install screen that does the opposite of what it displays. I don't know
what dataminers were installed (they might have just been cookies), but
it just goes to show you need to be careful when it comes to free
software (screensavers included).

I normally try not to even download installs, but these days, I find a 50 KB
executable file is not just the program, it is an install program. The older MS
Install Shield program was about 800 KB by itself, so it was easier to guess what
kind of program I was looking at.

Mike Sa
 
