
What’s startupware?(tm)
The source for all definitions of startupware.

Virgin Windows Report–Win XP Home, SP2 OEM

Just finished building a new box for a client. Took the opportunity to grab the task list. The list below is what Windows Task Manager reported as running processes immediately after installation, after hardware detection, but before any drivers were installed. No patches, no antivirus, no software installs of any kind, no exposure to the internet, or even to a CDROM other than Windows itself.

OS version: Windows XP, Service Pack 2, OEM edition
Motherboard: MSI M8M Neo-V, with AMD Sempron 2800+ processor.
Any hardware support below, if any, was autodetected during install–no software or driver installs had been run when this process list was captured:

alg.exe
csr.exe
Explorer.EXE
lsass.EXE
msiexec.exe
services.exe
smss.exe
svchost.exe (5 instances running)
System
System Idle Process
taskmgr.exe
winlogon.exe
wmiprvse.exe
wpabaln.exe
wuaudit.exe

As I (or others) build more systems, we’ll post more of these “Virgin Windows Task Lists”.

I didn’t have a chance to grab a HijackThis log of the box in this condition, but I will next time, and get a more complete picture of just what is part of the default configuration.
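A clean-install list like this is most useful as a baseline to compare later snapshots against. The following is an added example, not code from the original post: the baseline names are copied exactly as the post lists them, while the snapshot (including `toolbarhelper.exe` and all PIDs) is constructed, and the two-column CSV layout is an assumed export format.

```python
import csv
import io
from collections import Counter

# Baseline from the post: image name -> instance count on the clean
# Windows XP SP2 OEM install. Lower-cased for case-insensitive matching.
BASELINE = Counter({
    "alg.exe": 1, "csr.exe": 1, "explorer.exe": 1, "lsass.exe": 1,
    "msiexec.exe": 1, "services.exe": 1, "smss.exe": 1, "svchost.exe": 5,
    "system": 1, "system idle process": 1, "taskmgr.exe": 1,
    "winlogon.exe": 1, "wmiprvse.exe": 1, "wpabaln.exe": 1, "wuaudit.exe": 1,
})

# Constructed snapshot of a later process list (assumed CSV layout: image,pid).
SAMPLE_SNAPSHOT = """\
image,pid
System Idle Process,0
System,4
smss.exe,540
winlogon.exe,620
services.exe,664
LSASS.EXE,676
svchost.exe,832
svchost.exe,900
svchost.exe,1004
svchost.exe,1056
svchost.exe,1112
svchost.exe,1500
Explorer.EXE,1580
toolbarhelper.exe,1712
taskmgr.exe,1890
"""

def diff_against_baseline(snapshot_csv, baseline=BASELINE):
    """Return (unexpected names, extra instance counts, baseline names absent)."""
    rows = csv.DictReader(io.StringIO(snapshot_csv))
    seen = Counter(row["image"].strip().lower() for row in rows)
    unexpected = sorted(n for n in seen if n not in baseline)
    extra = {n: seen[n] - baseline[n] for n in seen
             if n in baseline and seen[n] > baseline[n]}
    missing = sorted(n for n in baseline if n not in seen)
    return unexpected, extra, missing

if __name__ == "__main__":
    print(diff_against_baseline(SAMPLE_SNAPSHOT))
```

The comparison is by image name and instance count only, so a name that matches the baseline says nothing about whether the binary behind it is the genuine one.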

If All Software was this Good

I’ve been looking, as always in recent months, at a lot of computers that don’t run right. Most have massive infections that include from a few dozen to several thousand spyware and adware bits and chunks, including files, autorun shortcuts, folders, processes, and registry entries.

Two computers were a little different last week. The first was for a client I visit regularly, and there was already autorun-blocking software in place. Two new items had gotten past the blocks. One was routine, and then there was yet another “I’m not spyware, no, really!” toolbar. Nothing strange there; although the program was designed not to be removable by Spybot or AdAware. What’s new is that the program has a functional add/remove entry, which really did delete the program, although it did pause for a marketing pitch to keep the product, and then took me to a marketing web page afterwards in the hopes of adding some other product to the system. Good marketing.

The second computer had a massive infection, and multiple passes with multiple cleanup tools were needed just to reduce the boot time from seven minutes. The usual tools, plus some surgical intervention in the registry, took care of most of the usual suspects. There was still clearly an infection, and a leftover message at shutdown, telling me that a program was not responding.

Looking a little closer, and examining the running services, I found the name of the process that matched the shutdown error. And I was able to end it, no problem, no error. Went back into the process list. It’s back! Did some Google searches, and found that the program included two processes. OK, ended the other one first. It came back, too, instantly. Hmmm. This program just can’t be crashed. This is like the Klez virus of a few years back; it had two programs running that each repaired the other, and each repaired the autostart entries of both, on the fly, without having to wait for a reboot. All our software should be so stable.

These programs, and more that aren’t as smoothly done, are competing with commercial software for system resources and CPU time. Consider looking at programs like a spyware producer, and ask: Can the program self-repair its settings? Does it include uninstall marketing? Can it survive an automated removal program? All software should be this good. Or evil. Sometimes I get those two mixed up.
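The two-process behaviour described in this post, where each process restarts the other as soon as it is ended, leaves a recognisable pattern in process start and exit records. The following is an added example, not code from the original post: the event tuples, the image names (`guard_a.exe`, `guard_b.exe`, `helper.exe`) and the two-second window are all constructed assumptions, and the events are assumed to come from whatever process auditing is available.

```python
from collections import defaultdict

# Constructed events: (seconds, action, image, parent image of the new process).
SAMPLE_EVENTS = [
    (100.0, "exit",  "guard_a.exe", None),
    (100.4, "start", "guard_a.exe", "guard_b.exe"),   # b brings a back
    (130.0, "exit",  "guard_b.exe", None),
    (130.3, "start", "guard_b.exe", "guard_a.exe"),   # a brings b back
    (200.0, "exit",  "notepad.exe", None),
    (460.0, "start", "notepad.exe", "explorer.exe"),  # user reopened it later
    (500.0, "exit",  "helper.exe", None),
    (500.9, "start", "helper.exe", "services.exe"),   # ordinary service restart
]

def find_respawns(events, window=2.0):
    """Map image -> parents that restarted it within `window` seconds of its exit."""
    last_exit = {}
    restarted_by = defaultdict(set)
    for ts, action, image, parent in sorted(events, key=lambda e: e[0]):
        name = image.lower()
        if action == "exit":
            last_exit[name] = ts
        elif action == "start" and name in last_exit:
            # pop() so one exit is matched to at most one restart
            if ts - last_exit.pop(name) <= window and parent:
                restarted_by[name].add(parent.lower())
    return dict(restarted_by)

def mutual_guardians(events, window=2.0):
    """Return sorted (a, b) pairs where a restarts b and b restarts a."""
    restarted_by = find_respawns(events, window)
    pairs = set()
    for image, parents in restarted_by.items():
        for parent in parents:
            if image != parent and image in restarted_by.get(parent, ()):
                pairs.add(tuple(sorted((image, parent))))
    return sorted(pairs)

if __name__ == "__main__":
    print(mutual_guardians(SAMPLE_EVENTS))
```

A single fast restart, like `helper.exe` here, is not flagged; only the pair in which each process is the parent of the other's replacement is reported, which is why cleanup has to deal with both processes and their autostart entries together.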

Spyware and the Federal Trade Commission

The results of the Federal Trade Commission’s spyware conference have been released. The workshop took place in Washington DC on April 19, 2004, and I wrote two position papers that were submitted as public comments 68 and 352.

There is a press release on the report: www.ftc.gov/opa/2005/03/spywarerpt.htm
The report itself is here (68-page PDF): www.ftc.gov/os/2005/03/050307spywarerpt.pdf

Overall, everyone involved in the industry will find the “Government Responses to Spyware” section of the report interesting, on pages 19-24. The earlier sections, describing spyware, its detection, and industry responses, are thorough and very readable, and after that are supporting documents, footnotes, example screen captures, and the event handouts.

Although the FTC did not call for new legislation, the report does state that existing legislation gives them enough tools to prosecute the creators of spyware and adware right now. That’s an interesting change from what I heard last year from FTC staffers at the workshop. Then, spyware was the question, and adware wasn’t on their radar. Now, the report makes it clear that the line between spyware and adware isn’t clear, and that these two wares can’t be treated separately.

It has been a year since the workshop. Some things have changed. Then, the Microsoft representative talked about Service Pack 2 for Windows XP, and how that would help prevent spyware installations. Now, we know that it discourages downloading of our own products. Then, we heard from companies like Lavasoft that a formal definition of spyware was needed so that the anti-spyware companies could delete problem products without threat of lawsuit. Now, there have been reports at C|Net’s www.news.com that the larger adware publishers have become extremely active against companies that identify their products as spyware.

Then, it appeared that a consortium of adware publishers (Consortium of Anti-Spyware Technology vendors, or Coast) might help to control the problem. Now, Coast is shrunken and likely to be dead soon, and Lavasoft and PestPatrol, which has now been purchased by Computer Associates, use their own in-house point systems for identifying spyware, and aren’t waiting for government definitions.