Spyware in Audio Galaxy

LintMan and a zillion other people wrote in about the story on Portal of Evil discussing spyware bundled with Audio Galaxy that seems to be even more nasty than usual. Others have written about it as well - there's Counterexploitation and Wired stories. Frankly, we're kind of bored by all these spyware/shareware stories (don't people learn?) so we let it sit around in the submissions bin for a few days, until, say, a slow Saturday night.

Remove it easily

[DiveX]

Hopefully Ad Aware (http://www.lsfileserv.com/index.html) will include it in their list soon, but until then it is an easy remove (http://www.vx2.cc/uninstall.html)

The VX2 software is a single program file in the system directory called VX2.dll.

To remove VX2:

1) From the Control Panel select ADD/REMOVE programs. Select "VX2 RespondMiter" and "Remove".

If VX2 RespondMiter is not present:
2) Close all internet explorer browsers.
3) Search your "C" drive for VX2.dll
4) Delete VX2.dll

If the system does not permit the file to be deleted proceed as follows.
5) Select "Start" and then "Run" and type "regedit"
6) Find the and delete the entry named "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662}".
7) delete the {00000000-5eb9-11d5-9d45-009027c14662}entry.
8) Reboot computer.
9) Search your "C" drive for VX2.dll
10) Delete VX2.dll

It seems to just plug itself in IE, so as usualy Netscapers are pretty safe from this one....for now.

A bit late on the story

[Trepidity]

This story is not very timely, as the entire issue has been resolved for at least a week now. Audiogalaxy did include the VX2 spyware in their application, was thoroughly lambasted for it, and finally gave in to user complaints and removed it. The current version of audiogalaxy available on their website has no spyware in it (or at least no VX2 spyware, and no mandatory-install spyware; it might still include Gator or something as an optional install, I haven't checked).

Who's behind "VX2 Corporation"

[Animats]

After searching state corporation records, we find "VX2 Corporation" in Nevada. Address is "PO Box 21703, Las Vegas, NV, 89107", which isn't too helpful. The company president is listed as "Maurice O'Bannon".

Looking up "Maurice O'Bannon" in Google, we find that name associated with a major Internet fraud case in Nevada and California involving $37 million of phony credit card charges which resulted in jail time for some of the participants.

Uh oh. Spyware from people involved with credit card fraud is big trouble. This needs to be followed up with law enforcement.

Re:Who's behind "VX2 Corporation"

[theancient2]

This one seems to be a lot worse than the other spyware programs I've read about. Most just track things like the URLs you've seen. This one "collects some information from online forms that you fill out. This information is automatically sent to VX2 in order to save you the time and trouble of submitting such information to us yourself." (I love the way they word this thing. Save me the time and trouble. Thanks guys.)

The spyware doesn't even stop collecting data when you're on a secure (SSL) site -- they'll just encrpt the data they collect. (Is their no end to VX2's thoughtfulness?) We're told to look for the "secure" icon before giving away personal information, and to deal only with reputable companies... but what good does that do when a very popular software program has installed a trojan which may or may not be sending credit card numbers to someone who may or may not be a convicted criminal?

Adding popups to any random site you visit is along the lines of those programs that replace ad banners with their own, hijacking the site's revenue stream and making it appear that the site owner supports an advertiser they have no relationship with.

To top it all off, they have the right to update their software in the background, and possibly install third-party applications without the user being aware. Does accepting this licence agreement mean I accept the licence agreements of any third-party software that may be installed at a later time?

onflow

[kz45]

We know nothing about VX2," Merhej said. The VX2 program file (called vx2.dll) was part of an advertising graphics enhancer made by the Onflow Corporation, he said. Audio Galaxy offered the Onflow program as part of its software package from Oct. 1 through Nov. 4, 2001, Merhej said. The partnership was cancelled due to unpaid bills.

Onflow is the worst company I have ever dealt with.

Our company (which shall remain nameless) used onflow technologies in our product for about 2 years. They paid us for the first few months of operation, but when they owed us a total of about $30,000, we received a letter claiming they had lost overseas investments, and they couldn't pay us.

Funny enough, it look like they are still in business.......

Re:This is an excellent case for free software

[Boiling_point_]

Something you might have missed: the Audiogalaxy Sattelite software IS open source - GPL'ed, in fact. They produce their own compiled binary with an installer avec spyware, but anyone's free to roll their own.

And as all good cooking show viewers will know, here's one prepared earlier... I hope you find this useful.

Re:This is an excellent case for free software

[Genghis+Troll]

Only the user interface (ui.dll) is GPL'ed. They could put spyware in the actual, closed-source, executable.

My ad hell

[hyrdra]

It may be bad popping up ads when you're surfing the web, but what about just whenever. That's what happened on my system.

I, like Chet & Eric of the linked article do support programs having internal ads to support themselves as free software. However, monitoring users behavoirs is another story -- that's your computer and most contracts (as I have heard from a lawyer friend) cannot "sign" that away; for example your landlord cannot include a clause stating he has the right to monitor your mail, who you talk to, etc. and by living in the property he owns, you forfeit those rights, and if you do not agree with them you cannot live there. Well, folks, this is exactly what most of these programs are having you agree to. The fact is, they're illegal contracts. You cannot gather personally identifiable information (it's identifiable because they are able to deliver targeted advertisement thus they must have a system to know who you are) if you signed the rights away or not.

I have accepted that companies do this and there really isn't a way of getting around it (heck, I don't really care what they do with the info, I'm not going to buy something from any ads they use and that'll be my contribution). So I have tolerated these commercial bombardments. That is until something strange happened.

All of a sudden while I would be at my desk in the same room (this is at work mind you), I would notice activity on the monitor. Going over to look at it, I would notice an ad window had mysteriously popped up, when no programs were running and I hadn't been using the computer for hours. In the morning I typically had several windows to close after the nights ad-popping fun.

Thinking it was a web site which some how introduced a popup delay, I dismised it at first. But it got worse. It was impossible to work on a Word document without having an ad popup and steal focus from my document. I also came to the realization when you close a browser window, its process ends and thus a delay javascript wouldn't work.

I finally decided that it must be some program launching these ad windows. Searching the running process list, I noticed an interesting program happily running. Savenow was the culprit. This program was actually popping up windows on my personal desktop, on my computer (yes, I do own it) and collecting web browsing data in the background, even when its associated product wasn't running! Deleting the savenow executable, I was free of the ads yet outraged of how this company violated my privacy and my computer, and also comprimised the security of my employer. What if they could learn something about our project based upon my web browsing habits and sell that to another company?

After that incident, I went in with a resource editor on every single ad-supported program on my computer and removed the ad resources. I also installed ad-blocking software. Still though, I do occassionaly get ads and various brandings. I have since persuaded my boss to let me put my Linux box on the network, but still, how long until we see these ads and tactics on Linux? How long until these ad programs start embedding ads in your paid for software, or interfacing with your printer driver to print a banner ad out on every page?

The point I'm trying to make is I am all for advertising and realize it does support free products quite nicely, but when it invades my privacy and makes me sign illegal contracts, I get angry. Anyone would. And something should be done about it. I don't have the resources, I can only not buy the products they force on me and put a dent in their success rate thus no ads. But someone with the resources and time should go after these bastards.

VX2 Corporation Info followup

[Animats]

OK, let's recap what we now know about VX2 Corporation. Some of this info is corrected from the last posting.

The Nevada Secretary of State Corporation Search gives us.

• President:MAURICE O'BANNON
• 
  Address: PO BOX 27103
  LAS VEGAS NV 89126

Checking "vx2.cc" with Network Solutions WHOIS:

• vx2 (VX52-DOM)
• 
  po box 27103
  Las Vegas, NV 89126
  US

  Domain Name: VX2.CC

  212 255 1008 fax: 123 123 1234

The post office box addresses match, so the Nevada VX2 Corporation is the correct business.

"Maurice O'Bannon" is mentioned in several legal documents related to the J.K. Publications scam. In that case, O'Bannon was on paper an officer or director of several dummy Nevada corporations which were fronting for a multimillion dollar phony credit card billing scam operated by Kenneth Taves of Malibu, CA. (Mr. Taves is currently Inmate #12289-112 at the Los Angeles Metropolitan Detention Center). O'Bannon, though, appears to be some guy in Nevada who just signed whatever was put in front of him. In the judge's words [large .PDF] "Maurice O'Bannon had an informal agreement with Nevada Corporate Headquarters, Inc., an incorporator, to act as a nominee for their client-corporations and sign whatever documents Nevada Corp wanted him to sign." The judge was bothered by O'Bannon's actions, but the FTC didn't have enough evidence that he had control of or profited from the scam to put him away.

The J.K. publications scam involved obtaining a database of 3.6 million valid credit card numbers and charging them small amounts each, supposedly for use of a porno site. The mess involved offshore bank accounts in the Cayman Islands and Vanatu, but much of the money has been recovered. Company names involved were JK Publications, Inc., MJD Service Corp., Netfill, N-Bill, Webtel, Billing On Line, Fun On Line, and Discreet Bill.

We're not at the bottom of this yet, but it looks very suspicious.

AGstreme

[eries]

Here's a plug for AGstreme, which I switched to after I heard about this latest round of spyware nonsense. It's a GPL AudioGalaxy client replacement, which a boatload more features. My favorite: it can read CDDB entries and then request download of one or more tracks from a given CD. Pretty darn cool:

http://www.ractive.ch/gpl/AGStreme.html