



While perusing Digg and reading various postings, I came across this interesting post: Remove Winantivirus-2007 from your PC, which links to an article on Anti-Spyware 101’s blog. Now, the information they present in the article is not inaccurate. However, they offer a download in the form of a Free Anti-Spyware Scanner. There are several links on the page for this FREE scanner; funny thing is, the file name changes several times.
I’ve been aware of this tactic for a while and immediately suspected that the download in question is actually SpyHunter by Enigma Software Group (ESG), a former “Rogue” Anti-Spyware application. So, I went ahead and downloaded the file. Being slightly suspicious, I first ran the file by VirusTotal for an in-depth malware scan. I wasn’t surprised when the file came back clean. I didn’t really expect the file was infected in the first place. These downloads of SpyHunter never are infected.
Now, how is it I am sure this is SpyHunter? Well just to confirm my suspicions, I ran the installer for Free-Spyware-Scanner-Install. Here’s what I saw:

Looks like the SpyHunter Setup License Agreement screen. Even says it’s SpyHunter. Copy of full End User License Agreement
The file I downloaded:

Free-Spyware-Scanner-Install.exe
File size: 3535408 bytes
MD5: e9870c6048dfc0524b426a31af4f3f17
SHA1: aec51c2b740bd35eea575fef9f279038e3f9dc08
packers: UPX
packers: UPX, BINARYRES
packers: UPX
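One way to check whether several differently named downloads are the same binary, and whether a file carries the UPX section names reported above, is to fingerprint each file and read its PE section table. This is an added example, not part of the original post; the function names and the header-only sample built by `constructed_pe` are assumptions made for illustration.

```python
import hashlib
import struct
from collections import defaultdict

def fingerprint(data):
    """Size, MD5 and SHA-1: the same fields the post lists for the download."""
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def pe_section_names(data):
    """Section names from a PE image's section table; [] if not a usable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24:
        return []
    (count,) = struct.unpack_from("<H", data, pe_off + 6)   # NumberOfSections
    (opt,) = struct.unpack_from("<H", data, pe_off + 20)    # SizeOfOptionalHeader
    table = pe_off + 24 + opt                               # first section header
    names = []
    for i in range(count):
        raw = data[table + 40 * i: table + 40 * i + 8]      # 40-byte entries
        if len(raw) < 8:                                    # truncated table
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def looks_upx_packed(data):
    """Heuristic only: stock UPX names its sections UPX0/UPX1; names can be changed."""
    return any(n.startswith("UPX") for n in pe_section_names(data))

def group_by_content(downloads):
    """Map SHA-1 -> sorted file names, so renamed copies of one binary collapse."""
    groups = defaultdict(list)
    for name, data in downloads.items():
        groups[fingerprint(data)["sha1"]].append(name)
    return {digest: sorted(names) for digest, names in groups.items()}

def constructed_pe(section_names):
    """Constructed sample: bare PE headers only, not a real program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table
```

Pass `group_by_content` a dict of file name to file bytes for each link's download; any digest that maps to more than one name is a single binary served under several names, and its SHA-1 can be compared with the one listed above.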
Out of curiosity I wanted to see who claims ownership of Anti-Spyware-101, whois information:
Registrant:
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: ANTI-SPYWARE-101.COM
Created on: 13-Jun-06
Expires on: 13-Jun-08
Last Updated on:
Administrative Contact:
Private, Registration ANTI-SPYWARE-101.COM@domainsbyproxy.com
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2599
Technical Contact:
Private, Registration ANTI-SPYWARE-101.COM@domainsbyproxy.com
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2599
Domain servers in listed order:
NS5.SECURESERVER.NET
NS6.SECURESERVER.NET
Hm, nothing useful there. Another site registered through GoDaddy, via Domains by Proxy.
Domains By Proxy® was conceived to deal with one of the biggest shortcomings of the Internet — the loss of privacy. We believe you should be able to keep your personal information private when you register a domain — and now you can, by switching your “public” registration to a “private” one, using our patented private registration process.
Now why in the world would you want to keep your identity “Private” if you are operating a legitimate service? I can’t think of a single reason, unless you are involved in some shady dealings. Looking around their site I could not locate any contact information whatsoever. Again, not really surprised by that. The about page lists the following:
About Anti-Spyware 101
Do you feel like you’re clueless when it comes to spyware? Is your computer the boss of you?
Spyware is the biggest threat that Internet users are facing today; therefore, it is important to know how to safely remove spyware, adware, trojans, keyloggers, worms and other malware from your computer.
Anti-Spyware-101.com is your guide to the latest news on spyware detection and removal. With Anti-Spyware-101.com, you will be directly linked to up-to-date spyware resources and tips on helping you remove pesky parasites.
Remember, only YOU can protect your machine from spyware!
Other articles listed on the site:
Latest Spyware Threats: SpyLocked | SpywareLocked | SpyLocker | SpyDawn | SpyAway | AntiVerminser | SpywareQuake | VirusBurst | AntiVermins | MalwareAlarm | MalwareWiped | AntiVermeans | Zlob | PopCorn.net | MovieLand | Antivirus Golden | SpySoldier | MalwareWipePro | VirusBlaster | TagASaurus | PestCapture | BraveSentry | AntiSpyware Soldier | DeluxeCommunications | Toolbar888 | VirusBurster | VirusBuster | Zlob.MediaCodec | SystemDoctor | VirusRescue | MalwareWipe | TitanShield | SpySheriff | Smitfraud | WinFixer | AntivirusGold | PestTrap | MediaCodec | AlfaCleaner | Mirar | DriveCleaner |
Other Spyware Threats: Starware | VirtuMonde | Seekmo | Trojan.Dropper-Delf | SafeSurfing | DyFuCA | Contextual Toolbar | KeenValue | ADWareBazooka | Adware.SideBar | Pest Trap | ISTBar | PopMonster | PowerStrip | Vx2/Transponder | SaveNow |
If you have any of the above listed applications or infections, do yourself a favor: don’t download this Free Anti-Spyware Scanner from Anti-Spyware 101, or similar sites. This is a tactic meant to scare you into paying for a “Full” version of SpyHunter. SpyHunter is not and never has been an effective tool at removing any of the above listed “Rogue” Applications or infections.
SpyHunter is engaged in “Deceptive” practices. This is a practice that got them originally listed on Eric Howes’ list of Rogue/Suspect Anti-Spyware Products & Web Sites maintained at Spyware Warrior.
Only seek help from reputable sites, like those listed at Alliance of Security Analysis Professionals.
If you find yourself infected by one of these applications please follow our generic Malware Cleaning Guide.
Start a thread in our Malware Removal Forum where one of our approved volunteers will be happy to assist you.
You must be a registered member of our site in order to post in the Forums.
If you are not registered you may do so now, by Clicking Here!










9:23 pm - April 19th, 2007
[...] Anti-Spyware 101: Another Site Pushing SpyHunter. While perusing Digg, reading various postings I came across this interesting post: Remove Winantivirus-2007 from your PC which links to an article on Anti-Spyware 101’s blog. Now the information they present in the article is not … [...]
10:50 am - April 20th, 2007
Nicely done article ShadowPuterDude.
5:19 pm - May 20th, 2007
[...] on forums, Digg.com and various other things that make you go “Hmm”. Link, link, linky mc linkalot and more links ftw. They now want security researchers to engage them on an “open, neutral [...]
5:20 pm - November 10th, 2007
I won’t name any names but I’d like to call out all the shoddy antivirus and antispyware programs out there. I’ve been had many times, just as many of you have, by companies who hype their program as all inclusive and secure…blah blah blah. I just bought what will be my last paid for antivirus tool. Let me tell you, it’s horrible. The first thing I do is run a scan and what do I find? No threats! That’s right, none, but alas….this is not good. Prior to running a scan on my new program, I ran adaware which found a ton of stuff. I left everything as is and then ran this new scan. Oh so weak! I paid good money for this program and it’s the second time I’ve been taken like this. I say it’s now time to start looking for free antivirus software downloads so that we can at least try what we are interested in buying first!
EDIT: Link removed by administrators.
3:54 pm - August 13th, 2008
A rogue anti virus posing to be a program that detects rogue anti virus… how ironic…
7:28 am - September 14th, 2008
I’ve no idea why several forums and blogs I visited are pushing SpyHunter so hard. There are certainly better antispyware programs out there. What’s even worse, those sites claim SpyHunter to be effective remover of trojans which in fact it cannot remove. I understand they’re engaged in affiliate sales, but why not to sell GOOD software? People come to those sites looking for HELP and ADVICE because they struggle to clean out their computers. What’s the point of recommending them software that doesn’t deliver?