Before the install, I ran Hijack This and added everything to the ‘ignore’ list, and ran CCleaner, and accepted every registry issue found–it’s a clean test box, so there wasn’t much.

Started the install:

I chose all the default options:

At the truly arrogant file options, I made no changes–Nero wants to be your program for everything related to content. Apparently it’s more than a DVD burning program, in the opinion of the publisher.

At the install options, I again made no changes. Note the “Nero Scout” item at bottom left, unchecked by default.

The install completed without problems. I restarted the computer, and went looking. No new system tray icon appears, and no indication that I’ve installed anything more than a DVD burner. But wait, there’s something–in the Windows menus, in the Nero group, I see Nero Scout. Ooh, options. Here’s the view–it’s ON by default, and installed without asking:

Ran HijackThis again. There are only two new entries:
O4 - HKLM\..\Run: [NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O23 - Service: NMIndexingService - Nero AG -
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

So my DVD burner software includes a full indexing scan for files, also called ‘desktop search’, on by default, of all types (it’s on that ‘Files’ tab), with no system tray icon, and no obvious place to type in a search. What does this have to do with burning a DVD? (Nero, if you’re reading this, send me an answer–I’ll post it.)

I won’t comment much on the functionality of the product, except for one item: DVD-video functions (Nero Vision and some other areas) work for 30 days, then display an expired message. OK, I have no problem with a vendor trying to upsell, but announce that the product is half real and half 30-day trial in advance, and give me an option to uninstall the dead software chunks–I don’t need all this clutter.

Uninstalled. No error messages. Restarted the PC. Ran HijackThis a third time, and both autostart entries have been removed–good so far. Under C:\Program Files, there’s a leftover folder “Nero” containing 4 files and 2 more folders. Sloppy, but not unusually so. There’s a file left in the c:\WinNT folder, “NeroDigital.ini”.

Ran CCleaner, and checked the registry. Remember, I cleaned it before the install. There are now 380 registry errors. These are in the categories of:

‘Unused File Extension’ mostly for graphics still formats,

‘ActiveX/COM Issue’ for ‘AppCore.MediaSource,

‘Invalid or empty file class’ for CDmaker, and

several hundred “Open with Application Issue’ entries, pointing to “HKCR\NeroExpress.Files7…”

Overall results:
Is it startupware? Absolutely. It adds two autoplay entries, one totally unrelated to the program’s function, doesn’t ask permission before adding the unrelated functions, and turns on a processor-intensive application by silent default.

Recommendations–

First, don’t install with the defaults. Uncheck every file format on ALL the pages in the install options, except those that you’ll really use the program for. If in doubt, uncheck it.

Second, check off that box: “Configure Nero Scout on first usage” and then disable it.

Or find the autoplay entry for Nero Scout, it’s in Control Panel, Administrative Tools, Services, NMIndexingService–choose stop, and disable. Then find and delete the file:
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

And finally, consider some other program. This install doesn’t inspire trust.

But maybe they’re done something right. Never know. Random roll of the dice, and all that. The Vostro will, according to the press release from July 10th, be somewhat free of what they’re calling Trialware.

New York, July 10, 2007

Dell today extended its commitment to customers with a new brand of notebook and desktop computers designed for small businesses. The VostroTM branded products feature no trialware and simple to use tools that address top-of-mind problems such as data back-up, PC performance and health, and specialized networking support for customers without dedicated IT staff.

The Vostro (Latin for “yours”) product and services family is a milestone in the company’s strategy to reduce the cost, time and complexity of managing information technology for customers of all sizes.

OK, now this sounds good. Then again, they don’t really understand what their customers want:

Regardless of geography, small businesses told Dell that tools to help accomplish common, time-consuming tasks associated with backing up data and optimizing system performance, and easy support options rank among their top IT needs. To address these needs, Vostro customers receive automated support tools customized for small business at no additional cost for the first year (minimal charges may apply in some countries).

The tools include Dell Automated PC Tune-Up, which reduces more than 30 tuning, performance, security and maintenance tasks to one click; Dell Network Assistant, which simplifies the set-up, monitoring, troubleshooting and repair of a customers’ network; and Dell DataSafe Online for online backup of up to 10GB of user data and protects against data loss resulting from disasters, theft or damage.

Translation: Dell isn’t going to include Trialware, which is the word they’re using to describe free trial software that they get paid for any time a PC user clicks through and buys, upgrades, or views ads from the icons and pre-installed software on all their other machines. Instead, they’ll provide up to one-year versions of their own private-label clutter that changes standard Windows functionality to favor their own system, and auto-runs at startup. Prices for these “solutions” after the first year’s free trial weren’t announced.

Good? Well, maybe. Depends on implementation. If the startupware they install is designed to work together, it’s a smaller burden on the system than the usual combination of startupware, trialware, and bloat. But calling these boxes ‘clean’ would still be false–they’re still loading products beyond Windows and hardware drivers.

Have you bought a Vostro? Post a comment back and report if the configuration is an improvement.

More information: Here is Dell’s press release.

Well, the yellow box was followed by a silent install of ContraVirus 2.0, which launched and started an apparent “scan” which resulted in “finding” 27 infections. I had the customer do an online spyware scan, which found and removed the problem, but it came back within a minute or two. Also had him uninstall ContraVirus from the add/remove list. That worked, too, but the flag came back, reinstalled, rescanned, and found the same infections each time, even though the system had been fully scanned by two other programs between the two CV “scans.”

OK, in the car, down the road… I had already looked up ContraVirus online–the reports describe it as either rogue antispyware, or being installed as a drive-by download by an affiliate. RogueRemover, from MalwareBytes.com, was said to take it out, so I took that with me, along with my usual software tools.

Here’s what the screen looked like when I arrived.

Took a look… Yes, it’s really easy to remove this, or so it appears; it heals. Ewido.net’s online scan takes it out, or RogueRemover, or add/remove programs, but it won’t stay gone; it reinstalls in less than 4 minutes, immediately if an Internet Explorer window is opened; there’s a browser helper object involved.

HijackThis reported this:
O2 - BHO: IEExtension Class - {DBE5BEE8-F032-11DB-826A-C4BB56D89593}
- C:\Program Files\ContraVirus\secieaddin.dll
O3 - Toolbar: Ad-Protect Toolbar - {EA038DDD-0FE0-41f5-BA60-FC3660529E71}
- C:\Program Files\ContraVirus\ToolBand.dll

But this one appears to be the self-repair program:
O4 - HKLM\..\Run: [Windows Updater Servc]
C:\WINDOWS\system32\xpuupdate.exe

It was this xpuupdate.exe that RogueRemover and all the other cleanups missed. I ran a drive search for ‘xpuupdate’–there was also a reference in the prefetch folder. I moved the files off c:, ran one more cleanup immediately with RogueRemover and this time, the cleanup stayed cleaned.

Back to the computer owner: He recognized that the yellow popup box looked like a Microsoft message, and also thought the system tray icon was from Microsoft, but also knew that advertising message puffery and bad English isn’t quite what to expect in a legit warning message.

News.com

Other news reports have been identifying this stuff as ‘craplets’ or ‘crap applets’. Some craplets are also startupware, if they’re pre-loaded software that runs at startup. Not all. Some craplets are just desktop icons to advertising links. There’s no programming code there, so it’s just a link to delete, and not startupware.

Well, it gets stranger. The background music is fun to listen to. It’s catchy. It’s the first verse and the chorus of a song called “Catch My Disease” by Ben Lee. Now I have nothing against the song. It does make the commercial fun to watch–it wouldn’t work without the music. But the lyrics, as applied to selling a computer, are more than odd; they’re bizarre.

my head is a box filled with nothing

OK, I’d like to buy a Dell computer filled with nothing. Just Windows, hardware drivers, please. NO, DON’T push that button!!!

and thats the way i like it

Oh, and don’t forget the subliminal sales pitch, of course.

my garden’s a secret compartment
and thats the way i like it
and thats the way i like it

Um, OK, let’s add a hidden folder for my garden pictures. Yeah, that’s the ticket.

your body’s a dream that turns violent
and thats the way i like it

No, downloading that stuff is what made the Bonzi gorilla turn violet.

so please
baby please
open your heart
and catch my disease

Right. Spyware gorilla, subliminal sales pitch, catch the disease, empty head for a box. Just who is this notebook targeted at? And has the ad agency for Dell gone ape? Or maybe they’re just two bananas short of a bunch?

Here’s the scenario for the new Dell television ad, apparently targeted at the ‘Back to College’ crowd. A young man is sitting on a sofa, calling Dell. Voiceover: “Thanks for calling Dell. What can we build for you?” The living room wall rotates around, like the magic fridge in the SuperBowl beer commercials, and suddenly he’s riding a supermodern golf cart with a Dell staffer, visiting a Dell manufacturing floor that looks like a cross between the airport in the Tom Hanks movie ‘The Terminal’ and the end of ‘Star Wars III’ where the heros have to dodge the dangers of an assembly line at high speed. Yes, there is a battle robot hanging from the line. And a purple gorilla. The customer points at what he wants, and yes, it’s the dancing gorilla from Bonzi Buddy. He also chooses a college professor, and, OK, what the heck, decides he wants it all. Yes, there’s a button for that. It’s apparently the ONLY button that’s used, as the others aren’t labeled. We see the purple gorilla climbing into the new Dell notebook–it’s an Inspiron e1505, and the closing credits show the tag, “Purely You.”

Separated at Birth?

This is apparently the second ad in the “Purely You” series. Dell is showing the ads in this series online, and will probably put the gorilla ad up soon.

You would think that associating Dell notebook computers with the infamous spyware program Bonzi Buddy is a bad thing. Apparently having the speed and power to run a notebook loaded with spyware and startupware is the the most important concept that has to be promoted in their marketing. It’s apparently also a good thing to load every piece of software available. I bet that half of what they load is startupware–it surely serves some purpose for all that junk to autoplay, so it’s not evil, or no more so than trying to eat too much peanut butter all at once–who remembers the “stick to da wuf of ma mouf” commercial? Of course, much of that junk is a based on a subscription model, and Dell will receive a commission on anything you click that results in a purchase, a renewal, or an upgrade, so if the entire computer is adware, adding a purple dancing spyware gorilla isn’t really all that out of place.

Should you buy a Dell? I’m admittedly biased–you should only buy computers from local system techs who actually build systems specifically for you. Like, um, me.

But a Dell? Really? Well, read reviews first–this isn’t one. But they do claim they’ll build it purely for you. Ask for the dressing on the side. They should load Windows, and hardware drivers, and put everything else on a DVD for you to choose to install yourself, or not at all. (Really. And report back here with the result when you make your request…)

Hint: Windows XP, when first installed, has only ONE icon on the desktop; it’s the recycle bin. If your new PC has anything else on the desktop, it wasn’t put there by Microsoft. When ordering most PCs by phone, it’s either ‘the works’ or it’s just a cluttered mess that runs like a doorstop on a thick shag rug.

Anyway, whatever you do, DON’T ask for the purple dancing gorilla.

Evidence found of PC Gremlins… Film at 11

Our Crack Technical Team Inspects the Site

This does explain the entire concept of lost files.

Well, after a quick low-pressure intervention with a Shop Vac, the patient has had a full recovery, and is being monitored for any further signs of invading colonies of gremlins.

Data backups are still a great idea. That is, if you can talk Windows into keeping all your business data in one place that isn’t on the C: drive, then that’s great, and easy. I do that here; all my data is on a D:\ partition of the hard drive, and I have a batch file that I run before major backups that copies my Internet Explorer shortcuts from c:\Documents and Settings (etc, etc, etc…) over to a folder on d:. Then I burn an uncompressed DVD disk, and store that away.

And then there’s the operating system itself. For that, the best bet is a disk image program. A disk image program creates a compressed snapshot of a drive, usually created from a boot disk or CD, and some burn it directly to multiple DVDs. Ghost is the best known of these programs, but there are others, including some from ASP authors. With an up-to-date disk image, restoring an entire partition or drive takes only a few minutes.

All right, so those steps are all very traditional, and bring us up to around 2003. And then came spyware and adware. When an adware infection gets past your software blocks, it can suddenly bring along dozens of its cousin programs, and it may not be possible to start any software for burning a new data backup. An image program is still a good idea at this point, to be sure that no data is lost during the cleanup process, but that’s not prevention.

So just what will you need to have ready to do a spyware cleanup? As a cleanup technician, I would just love to have a process list of the computer as it was when it was built or when it was known to be clean. That’s a list of every program that autoruns on the system. That would save a lot of searches; the automated cleanup tools are good, but everything that depends on a detection database is out-of-date 100% of the time, and if there is a list of what should be on the system, everything else can be removed.

Method 1, rough but helpful: Press Control-Alt-Delete, go to the task list for processes, press Alt-PrintScreen (nothing will appear to happen), exit the task list, go a word processing program or a good graphics application, and paste the new image of the task list, and then print it. If the list was too long to fit on one screen, be sure to repeat the process, after scrolling down
in the task list, and capture all the entries.

Method 2, more complete, but requires special software. Download the latest version of ‘HijackThis’. It doesn’t need installation; you can run it from a USB pocket drive. Although this is a cleanup program, it is also useful to use to create a record of your startup processes, and it is much, much more complete than the printout from Task Manager–it includes startup entries and registry keys affecting startups and security settings for Internet Explorer; not just Windows. Run the program, tell it to scan and create a log file, and print the log file.

Don’t rely on saving these lists; you’ll want a printout during any cleanup, and when you really need the lists, you probably won’t be able to print them.

All this is part of the general security environment we have now. Windows, by cause of its evolution from DOS and Windows 3.1 through to 32-bit code, has had a long-standing tradition of “no code left behind.” All the old stuff runs, if it doesn’t involve graphics or peripherals. But the result is patch recalls on patches to patches. And the spyware issue is just a commercial method of doing what big business always does: it waits until a new industry gets big enough to be profitable, and then it finds a way to monetize it. Right, monetize was not a word until recently, but now that’s what we do to make money on information web sites–we add ads to it. So that’s what is happening now–spyware is the venture capital approach to making money from computer viruses and trojans, by using them to distribute and display advertising. Some of you have already seen my earlier post on the definition of startupware, but I’ll review the main one here:

stärt’-up-wãre, noun, any software that configures portions of itself to automatically start with the operating system of a computer, or to start with other previously-installed software. Startupware isn’t automatically good or evil, useful, or destructive. The definition is based on easily-verifiable action, mostly during installation, and never on the contents of license agreements, external documents, or off-site servers. It autoloads, or it doesn’t.

So startupware is a bigger category than spyware. It includes everything that autoplays. That means spyware, adware, viruses, trojans, toolbar accessories, system tray utilities, application software pre-loaders, application software phonehome-for-any-reason applets, and hardware drivers that substitute software for chips. Everything that autoplays that is not part of a default operating system configuration. Every program, process, or browser trigger. Everything in that category slows down our computers, most of it is installed by silent default, and most of it should be removed. I don’t need five autostart entries to run a color inkjet, thanks, anyway. No, I don’t want an autostart program to upload my photographs to the web. No, I don’t want a daily update check on checkbook software that’s five years and six versions out of date.

The problem is that even retail boxed software is getting into adware behavior in a big way, and if you buy a notebook computer, expect to spend hours unweaving a web of autoplaying software, all of which was installed without permission, where most does nothing for you–it just loads and tries to sell you wireless access subscriptions, or web photo service, or online this, and more of that. It’s a mess, and messes need management.

And of course, there is always the free antivirus software that doesn’t detect spyware, because the adware publisher has threatened legal action if the antivirus vendor dares to label it with such an evil label. The result is that on any one computer, we need to have antivirus software, antispyware software, popup blocker software, patches, more patches, and so on. And on. This model is too profitable for the publishers, and for me, too–I clean this stuff up, and charge by the hour. I and my clients would rather that I be paid for setting up new computers and new productivity tools, and not all this cleanup. But the tools are scattered.

OK, so what’s the programming challenge? Simple enough: create a startupware management and cleanup tool. Such a program would include these features:

• Record all currently-running programs and processes for comparison on next run, including full file paths, where applicable.

• Record user comments for all entries, such as “camera software–only needed for cable sync”

• Report all startupware currently set to run on the system.

• Report all startupware that’s new since the last run, with options to remove it, add it to a commented ‘OK’ list, or add it to an ‘unknown, pending identification’ list.

• Must be usable in safe mode.

Optional features:

• Scan for viruses, trojans, and other malware based on a list of known bad products.

• Block installation of startupware, with an option to add a new entry and comment to the ‘OK’ list.

Now, chunks of these programs exist. There are startup managers–that’s the closest category. But the programs currently out there can’t be used by anyone with less training than a system tech. You have to already know what every program is before you can do much of anything. Surprisingly, the closest program I’ve seen to a startupware manager is Microsoft’s MSconfig.exe. It doesn’t uninstall startupware, but it lists settings, and can temporarily block programs. There’s no record of previous settings, or commenting features.

A startupware manager is not antistartupware. Remember, startupware is neither good nor evil. Some users want popups of weather alerts. Some need reminders to get up and stretch. Some may need their software to be no more than 1 hour out of date. Well, very few, but some.

I’ll give a free mention here to at least the first five startupware managers that I find about that match the definition above, and that are usable by average computer end-users.

Anyone who disabled the Windows fax viewer can restore it like this:

To re-register Shimgvw.dll, follow these steps:
1. Click Start, click Run, type “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the registration process has succeeded. Click OK to close the dialog box.

The WMF abort process security hole doesn’t affect Windows 98. Microsoft has stated that it is a ‘non-critical’ problem in Windows Me, but has not released a patch. In other words: to be continued…