MyNetInfector
Hi All:
We've seen some rather incredible things on the anti-spyware front in the past few weeks: from RoboCyberBabe scaring the dickens out of users ( »Pushing Anti-Spyware: A New Low... ), to a rogue application using a definitions database stolen from Spybot S&D ( »forums.net-integration.net/index···ic=21166 ), to useless programs that kick out hundreds of false positives and then demand payment to clean that non-existent spyware ( »www.spywarewarrior.com/family_re···es.htm#3 ).
Suzi at Spyware Warrior stumbled across an anti-spyware application that takes the cake, however, for sheer brazenness. It all starts with a visit to the home page for MyNetProtector, an alleged anti-spyware application:
»www.mynetprotector.com/landing.php?hop=0
Visitors are greeted with a deceptive popup claiming that spyware has been detected on their systems (see screenshot # 1). The web page itself talks up the dangers of both spyware and adware, and urges visitors to download the free scan application (MNPASSetup_cb02.exe, 1058 kb).
Things get rather interesting once you start to install MyNetProtector, though. The license contains more than a few eyebrow-raisers:
said by MyNetProtector EULA:
1. LICENSE
The "MyNetProtector" software and/or programs (the "'MyNetProtector' Program[s]" or "program[s]"), documentation and any fonts accompanying this License whether on disk, in read only memory, on any other media or in any other form are licensed to you by "MyNetProtector". The program(s) may include added software and technology which allows "MyNetProtector" to provide advertising content or so-called "value-added" applications which compliment or enhance the "MyNetProtector" application(s). You own the media on which the program(s) is recorded but "MyNetProtector" retains title to the "MyNetProtector" Program(s). The "MyNetProtector" Program(s) and any copies that this License authorizes you to make are subject to this License.
(...)
4. ACKNOWLEDGEMENT OF ADVERTISING CONTENT AND VALUE-ADDED APPLICATIONS
You acknowledge that the "MyNetProtector" Program(s) include added software and technology which allows "MyNetProtector" to provide advertising content directly to your computer. Additionally, you acknowledge that you wish to receive software and technology as updates at the discretion of "MyNetProtector" for the purposes of complimenting or enhancing the "MyNetProtector" Program(s). By installing, downloading, copying, updating or otherwise using the "MyNetProtector" Program(s), you specifically agree to include the noted software and technology through which "MyNetProtector", its subsidiaries, affiliates, partners, divisions, and clients provide advertising content and/or value-added applications to your computer. You acknowledge that you desire to receive advertising content and value added applications, if any, from "MyNetProtector", its subsidiaries, affiliates, partners, divisions, and clients. You acknowledge that you desire to receive advertising content and value-added content as a condition to using the "MyNetProtector" Program(s).
Still later in the EULA one encounters licenses and privacy policies for:
eZula TopText, iLookup, BargainBuddy, WebHancer, StatBlaster, PurityScan, At-Games.com, Consumer Software Labs (TurboDownload)
Users who don't bother to read the EULA will never notice anything is amiss, however, until it's much too late.
Somewhat hilariously, MyNetProtector greets you with a welcome screen in preparation for your first free anti-spyware scan. Unannounced, however, is the fact that in the background a whole raft of spyware and adware is being downloaded and installed on your system even as you prepare to hit the "Scan Now" button (see screenshot # 2).
The scan itself is quick enough -- no surprise because MyNetProtector reports scanning only three files (see screenshot # 3). A more useless anti-spyware application could scarcely be imagined. And you would be a fool if you actually believed the report of no "infected files" found.
In fact, by this point in time your system is absolutely infested with spyware and adware, including:
eZula TopText, iLookup, BargainBuddy, WebHancer, StatBlaster/MediaUpdateStats, PurityScan, Consumer Software Labs (TurboDownload), DelfinProject/PromulGate, VX2/At-Games.com/NetPal, URLBlaze/IEDriver
That's quite a load, and it includes at least one Winsock LSP hijacker -- meaning that your network connection is definitely at risk.
Still more hilariously, when you attempt to close MyNetProtector, it protests, asking you "Are you sure you want to stop protecting your system?" (see screenshot # 4) One hardly knows whether to laugh or weep at that kind of brazen nonsense.
Not surprisingly, it is a major chore to clean this mess off your system, and no single anti-spyware program will do the job completely.
Folks, this is as bad as it gets: a company that uses deceptive, scare-mongering advertising to push a broken anti-spyware application that installs a raft of spyware and adware itself. Needless to say, MyNetProtector has easily earned itself a spot on the Rogue/Suspect Anti-Spyware page:
»www.spywarewarrior.com/rogue_ant···ware.htm
Best,
Eric L. Howes |
|
 John2gQui Tacet ConsentitPremium join:2001-08-10 England | Hey Eric,
They forgot to add CoolWebSearch in the EULA  |
|
 dpPremium,MVM join:2000-12-08 Greensburg, PA kudos:7 | reply to eburger68 Just when you think you've seen it all, the bottom of the barrel sinks deeper  -- Write your questions down on the back of a $20 dollar bill and send them to me |
|
 | reply to eburger68 And the inquisitive looking guy with the beard has been probably napped from Google's images cache. -- From the GSV "Ethics Gradient" |
|
 Link LoggerPremium,MVM join:2001-03-29 Calgary, AB kudos:3 Reviews:
·Shaw
| reply to eburger68 OK so this company sets an all time low for dirt bags and scum, but what to do about it. The company's site is located in the US (hosted by American Information Network which is a questionable bunch to begin with), and I would suspect the company/person is located in the US as well. So are there not some laws in the US about false advertising, fraud, misrepresentation of services or such that could be used to take these guys down legally or do we need to do it the old-fashioned way? Time for governments to get up to speed on these guys and start chucking some chlorine into the gene pool.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
|
 | Link Logger:
There are such laws in the U.S., however, there would be several problems in using them against this company.
First, the biggest complication would be the EULA (End User License Agreement). The company would likely argue that they had provided clear notice to users of the bundled software, making this a bit different from the SpyWiper/SpyDeleter case, where users' home pages were hijacked and software installed on their computers without adequate provision of notice and choice.
Second, in the "business friendly" regulatory environment in which we are now, the "powers that be" are reluctant to impose the "heavy hand" of government regulation on market forces, esp. in cases that are muddied by such things as the EULA mentioned above.
So, the best we can likely do right now is to shine a bright light on their practices, such as is being done with another company, the one behind Ad-Eliminator -- see:
»www.netrn.net/archives2/000625.html »spywarewarrior.com/viewtopic.php?t=4907
Best,
Eric L. Howes |
|
 Name GamePremium join:2002-07-07 North Myrtle Beach, SC kudos:6 | reply to eburger68 NOTE: The pop-up stopper product called MyNetProtector is not related to our company. Go to their website at www.mynetprotector.com.
»www.modemlock.com/contactus.htm
NetProtector® is protected by U.S. Patents. NetProtector® is a registered trademark. Conditions of Use and Privacy Notice
»www.modemlock.com/index.htm -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids http://www.missingkids.com/ |
|
 EGeezerSummertimePremium join:2002-08-04 Midwest kudos:7 Reviews:
·Callcentric
| reply to eburger68 The best hope we have is that some congressman's system gets corrupted with this and causes consternation. It seems that unless they are affected they will continue to sit with their collective thumbs in their butts.
I will share the product and EULA information with my friends and highlight the relevant areas for their review.
roaches tend to scurry from the lights -- Gaudeamus igitur, Juvenes dum sumus |
|
 suziPremium join:2004-05-01 1 edit | reply to eburger68 I downloaded this piece of crapware tonight too for fun and games and had a slightly different experience with it than Eric did. The license agreement portion was blanked out. I scanned using the "high security" option, (what a joke) and it flagged 662 files out of 662 scanned. All were cookies.
It did not flag any of the spyware/adware it downloaded into my system. In addition to the junk Eric listed, I was blessed with Roings Search Enhancement according to Ad-aware SE. I'm on the 4th scan with removal tools and I'm still getting a warning from my AV. 
Blog post with screenshots here:
»www.netrn.net/archives2/000642.html -- aka Suzi, Spyware Warrior |
|
 SparrowCrystal SkyPremium join:2002-12-03 Sachakhand | reply to eburger68 I can't add anything to this thread - what can I say? It makes me sick?
Just giving it a bump for others to see.
Thanks again Eric and Daphne.  |
|
 eliasPremium,VIP join:2000-07-24 Miami, FL | reply to eburger68 What are the Domain Names and/or IP Addresses to this crap?
I'd like to add it to the hosts file; hopefully SpyBot's Immunization feature will be updated to block this garbage.
-- Elias -- Crunching the Midnight Oil |
|
 Stumbles join:2002-12-17 Port Saint Lucie, FL | reply to eburger68 Does anyone know of a site that keeps a running list of sites as shown in this thread that are IMO hostile? |
|
 SparrowCrystal SkyPremium join:2002-12-03 Sachakhand 1 edit | said by Stumbles: Does anyone know of a site that keeps a running list of sites as shown in this thread that are IMO hostile?
»Security »How can I tell if an anti-spyware program is legitimate?
Also a front page BBR article here »Spyware Scare Mongering. |
|
 | reply to elias Elias:
MyNetProtector can be found at this domain:
mynetprotector.com
SpywareBlaster will be unable to block the download of MyNetProtector because it's not distributed as an ActiveX control.
Stumbles:
As for a list, see the Rogue/Suspect Anti-Spyware list here:
»www.spywarewarrior.com/rogue_ant···ware.htm
Eric L. Howes |
|
 Stumbles join:2002-12-17 Port Saint Lucie, FL | Ahhh thanks, that's what I was looking for but didn't know what to google on. |
|
 Reviews:
·Bell Sympatico
| reply to eburger68
I was bored today so downloaded this rotten piece of crap. My antivirus went nuts and so did spysweeper. I finally thought to disconnect from the net to keep more stuff from pumping onto my machine. The mods should put this in the news section to warn as many as they can. Anyways--I'll post the logs from Adaware, Spysweeper and hijack this. AVG found 3 trojans---EZ.Stub, Turown.F, Dropper Small.5.J. Here are the logs: |
|
 Reviews:
·Bright House
| reply to Name Game said by Name Game: NOTE: The pop-up stopper product called MyNetProtector is not related to our company. Go to their website at www.mynetprotector.com.
»www.modemlock.com/contactus.htm
NetProtector® is protected by U.S. Patents. NetProtector® is a registered trademark. Conditions of Use and Privacy Notice
»www.modemlock.com/index.htm
Thanx Name Game. In addition to being of interest for the Malware related issue of the thread, the IT group where I work had a security discussion yesterday regarding outside vendors' laptops. The NetProtector (modemlock) product is of immediate interest!
 |
|
 lordsegan join:2002-04-16 Palos Verdes Peninsula, CA 2 edits | reply to Rifleman A WHOIS reveals that they use a "proxy" registrant for their domain name.
Contact info for the registrant is on this page:
»domainsbyproxy.com/LegalAgreemen···prog_id=
Prohibitions: Domains By Proxy will not do business with you, nor protect your identity, if you: Transmit spam, viruses or harmful computer programs; Violate the law or infringe a third party's trademark or copyright; Engage in morally objectionable activities, including but not limited to those which are child pornographic, defamatory, abusive, harassing, obscene, racist, or otherwise objectionable.
Anyone want to try contacting these guys and filing a complaint? I've done this in past cases, but I'm too busy to get very involved with this right now.
Here is the godaddy.com abuse contact as well. Web: »www.godaddy.com/gdshop/spamrepor···port.asp Email: abuse@godaddy.com
UPDATE:
FOUND THE ACTUAL HOST USING VISUALROUTE AND ANOTHER WHOIS:
205.134.161.89
| Hop | %Loss | IP Address | Node Name | Location | Tzone | ms | Graph | Network |
| 0 | | 161.58.180.113 | WIN10115.visualware.com | Dulles, VA, USA | -05:00 | | | Verio, Inc. VRIO-161-058 |
| 1 | | 161.58.176.129 | - | ?Englewood, CO | | 0 | | Verio, Inc. VRIO-161-058 |
| 2 | | 161.58.156.140 | - | ?Englewood, CO | | 0 | | Verio, Inc. VRIO-161-058 |
| 3 | | 129.250.28.206 | xe-1-2-0-3.r20.asbnva01.us.bb.verio.net | Ashburn, VA, USA | -05:00 | 0 | | Verio, Inc. VRIO-129-250 |
| 4 | | 129.250.2.61 | p16-5-0-0.r01.asbnva01.us.bb.verio.net | Ashburn, VA, USA | -05:00 | 0 | | Verio, Inc. VRIO-129-250 |
| 5 | | 206.223.115.83 | WASHDC5LCE1.3.0.wcg.net | Washington, DC, USA | -05:00 | 0 | | Equinix, Inc. EQUINIX-IX-ASH |
| 6 | | 64.200.95.117 | hrndva1wcx3-pos15-0-oc48.wcg.net | - | | 0 | | Williams Communication IP Services WLCO-HRNDVA1INTERN-30 |
| 7 | | 64.200.95.94 | washdc7lce1-pos4-0-oc48.wcg.net | Washington, DC, USA | -05:00 | 0 | | Williams Communication IP Services WLCO-HRNDVA1INTERN-30 |
| 8 | | 64.200.94.230 | washdc7lce1-yipes-gige.wcg.net | Washington, DC, USA | -05:00 | 0 | | Williams Communication IP Services WLCO-HRNDVA1INTERN-30 |
| 9 | | 209.120.218.2 | - | ?San Francisco, CA | | 0 | | Yipes Communications, Inc. YIPES-BLK4 |
| 10 | | 205.134.161.89 | hodur.ai.net | Columbia, MD, USA | -05:00 | 0 | | AiNET Hosting Operations AINETWEB-BLK177 |
CustName: AiNET Hosting Operations
Address: 6470 Freetown Road
Address: Suite 200-39
City: Columbia
StateProv: MD
PostalCode: 21044
Country: US
RegDate: 2002-12-03
Updated: 2002-12-03

NetRange: 205.134.182.0 - 205.134.182.255
CIDR: 205.134.182.0/24
NetName: AINETWEB-BLK182
NetHandle: NET-205-134-182-0-1
Parent: NET-205-134-160-0-1
NetType: Reassigned
Comment: Hosting Infrastucture
RegDate: 2002-12-03
Updated: 2002-12-03

TechHandle: AI-ORG-ARIN
TechName: American Information Network
TechPhone: +1-301-497-9620
TechEmail: nc@ai.net

OrgTechHandle: NETWO142-ARIN
OrgTechName: Network Operations
OrgTechPhone: +1-800-779-6938
OrgTechEmail: noc@ai.net

# ARIN WHOIS database, last updated 2004-03-22 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

OrgName: American Information Network
OrgID: AI
Address: 6470 Freetown Road Ste 200-39
City: Columbia
StateProv: MD
PostalCode: 21044
Country: US

NetRange: 205.134.160.0 - 205.134.191.255
CIDR: 205.134.160.0/19
NetName: AINET-BLK
NetHandle: NET-205-134-160-0-1
Parent: NET-205-0-0-0-0
NetType: Direct Allocation
NameServer: DNS9.AI.NET
NameServer: DNS6.AI.NET
NameServer: DNS8.AI.NET
Comment:
RegDate: 1995-04-27
Updated: 1998-09-29

TechHandle: AI-ORG-ARIN
TechName: American Information Network
TechPhone: +1-301-497-9620
TechEmail: nc@ai.net

OrgTechHandle: NETWO142-ARIN
OrgTechName: Network Operations
OrgTechPhone: +1-800-779-6938
OrgTechEmail: noc@ai.net

# ARIN WHOIS database, last updated 2004-03-22 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

OrgName: American Information Network
OrgID: AI
Address: 6470 Freetown Road Ste 200-39
City: Columbia
StateProv: MD
PostalCode: 21044
Country: US
Comment:
RegDate: 1995-04-27
Updated: 2003-01-21

AdminHandle: AI-ORG-ARIN
AdminName: American Information Network
AdminPhone: +1-301-497-9620
AdminEmail: nc@ai.net

TechHandle: NETWO142-ARIN
TechName: Network Operations
TechPhone: +1-800-779-6938
TechEmail: noc@ai.net

# ARIN WHOIS database, last updated 2004-03-22 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
|
|
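Before sending an abuse report, it is worth confirming which WHOIS netblock actually contains the traced address. The following is an added example, not part of the original post: the sample text is constructed from fields of the WHOIS output quoted above, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: a subset of the fields from the WHOIS records quoted in
# the post above, one field per line, records separated by a blank line.
WHOIS_TEXT = """\
CustName: AiNET Hosting Operations
NetRange: 205.134.182.0 - 205.134.182.255
CIDR: 205.134.182.0/24
NetName: AINETWEB-BLK182
NetType: Reassigned

OrgName: American Information Network
NetRange: 205.134.160.0 - 205.134.191.255
CIDR: 205.134.160.0/19
NetName: AINET-BLK
NetType: Direct Allocation
"""


def parse_records(text):
    """Split WHOIS text into records; each record maps a key to a list of values."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # skip the registry's comment lines and stray text
            key, _, value = line.partition(":")
            rec.setdefault(key.strip(), []).append(value.strip())
        if rec:
            records.append(rec)
    return records


def covering_networks(ip, records):
    """Return (NetName, CIDR) for each record containing ip, most specific first."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for rec in records:
        for field in rec.get("CIDR", []):
            for part in field.split(","):  # one CIDR line may list several blocks
                net = ipaddress.ip_network(part.strip(), strict=False)
                if addr in net:
                    hits.append((rec.get("NetName", ["?"])[0], net))
    hits.sort(key=lambda h: h[1].prefixlen, reverse=True)
    return [(name, str(net)) for name, net in hits]


if __name__ == "__main__":
    # 205.134.161.89 is the final hop in the traceroute quoted above.
    for name, cidr in covering_networks("205.134.161.89", parse_records(WHOIS_TEXT)):
        print(name, cidr)
```

For the traced address only the /19 direct allocation matches; the /24 reassignment record covers a different part of the same parent block.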
 SparrowCrystal SkyPremium join:2002-12-03 Sachakhand | reply to Rifleman said by Rifleman: The mods should put this in the news section to warn as many as they can.
Posted above - it's on the Front Page of BBR: »Spyware Scare Mongering -- Security Forum FAQs..♥.. AV Complaints?..♥..Raj karega Khalsa!..♥.. Athens 2004 |
|
 keith2468Premium,MVM join:2001-02-03 Winnipeg, MB 1 edit | reply to eburger68 So Suzi at Spyware Warrior tells you that she stumbled across an anti-spyware application that takes the cake.
She tells you that it all starts with a visit to the home page for MyNetProtector, an alleged anti-spyware application, and that the home page is: www.mynetprotector.com/landing.php?hop=0
You go there. You see a deceptive pop-up claiming that spyware has been detected on your system.
You think that people visiting the home page are getting a spurious pop-up.
But in fact the homepage is »www.mynetprotector.com/
and Spyware Warrior has successfully spread a lie about a competitor.
I have no idea about the MyNetProtector, I see the junk in the EULA, so it obviously comes with a lot of hidden ad-ware, but obviously also, assuming I read Eric's post correctly, we can't trust Spyware Warrior to be honest about its competitors.
I mean, since when do home pages end with landing.php?hop=0 ??? |
|