Thread: Nameserver prob
07-14-2005, 11:45 AM   #4
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Let's ignore ZeroSpyware for the moment. I found some disturbing news about it. You may be interested to read it.

Quote:
This message is intended as a warning to those out there who have both Lavasoft Inc.'s Ad-Aware SE product and FBM Software's ZeroSpyware product and run them in conjunction.

The Issue:
If you have scanned with Ad-Aware SE and removed the false detections ascribed to ZeroSpyware and then uninstall ZeroSpyware there is a high chance of damaging your Windows installation beyond repair.

Who is affected:
Potentially anyone who is running Ad-Aware SE with definitions newer than August 2004 and any ZeroSpyware product (ZeroSpyware 2004, ZeroSpyware 2005, ZeroSpyware Lite) at the same time.

Background:
Lavasoft Inc.'s Ad-Aware product has been classifying ZeroSpyware as a "Possible Browser Hijack Attempt" since approximately August of 2004. If you have a ZeroSpyware product installed and scan with Ad-Aware you will receive 14 "Possible Browser Hijack Attempt" warnings, all of which relate to Registry keys found within your system. These keys contain mostly just CLSID's and the Uninstall strings ZeroSpyware creates when it is first installed.

If you follow Ad-Aware's directive to remove these Registry keys it can have a deleterious effect on ZeroSpyware's uninstall process. ZeroSpyware uses a popular third-party installation management utility called InstallShield to create its installer files. There is a known issue in the InstallShield program that if it can't find the uninstallation log the uninstaller will simply assume that the Windows directory is what is being uninstalled. This error means the uninstaller will start deleting Windows files until the system crashes irrecoverably. Since Ad-Aware will remove the Registry keys in which ZeroSpyware stores this information, uninstalling ZeroSpyware after an Ad-Aware scan/remove can literally delete your Windows directory.

(InstallShield known issues - http://www.installsite.org/pages/en/bugs_is6.htm search for “cancelling setup leaves install in undefined state”)

How to tell if you are affected:
There are two simple ways to diagnose if you are susceptible to this issue.
1. Check the Add/Remove Programs entry in the Control Panel. If you are certain that ZeroSpyware is installed on your system (e.g. it's running as you check) yet there is no Add/Remove entry for it this means that some agency has removed ZeroSpyware's Add/Remove Registry entry.
2. If you are of a technical inclination you can confirm the existence of the Registry key itself using RegEdit or another utility:
Code:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6E676F9-A28C-4EF0-B138-002AB9A56A24}


If the above Registry key is not present then Ad-Aware has likely removed it in a previous scan.

It's important to note that Ad-Aware doesn't have to be present on the system at the time; even if you've only scanned with it once and removed the ZeroSpyware detected objects you may be susceptible to this problem.

Remedy:
If you believe you are affected due to the diagnosis above - DO NOT UNINSTALL ZEROSPYWARE. The only way to proceed is to repair the damaged Registry entries. The 'whole' Registry key should look like this:


Quote:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6E676F9-A28C-4EF0-B138-002AB9A56A24}]
"UninstallString"="RunDll32 D:\\PROGRA~1\\COMMON~1\\INSTAL~1\\PROFES~1\\RunTime\\0701\\Intel32\\Ctor.dll,LaunchSetup \"D:\\Program Files\\InstallShield Installation Information\\{A6E676F9-A28C-4EF0-B138-002AB9A56A24}\\Setup.exe\" -l0x9 "
"DisplayName"="ZeroSpyware"
"LogFile"="D:\\Program Files\\InstallShield Installation Information\\{A6E676F9-A28C-4EF0-B138-002AB9A56A24}\\setup.ilg"
"ProductGuid"="{A6E676F9-A28C-4EF0-B138-002AB9A56A24}"
"InstallLocation"="D:\\Program Files\\FBM Software\\ZeroSpyware"
"DisplayVersion"="3.01.0018.0004"
"Version"=dword:03010012
"MajorVersion"=dword:00000003
"MinorVersion"=dword:00000001
"LogMode"=dword:00000001
"DisplayIcon"="D:\\Program Files\\FBM Software\\ZeroSpyware\\ZeroSpyware.exe"
"HelpLink"="http://www.ZeroSpyware.com"
"Contact"="support@ZeroSpyware.com"

Note that you will need to edit this information to accurately reflect where ZeroSpyware is installed on your system. For example, if the program path above disagrees with the actual installation location you would need to edit it to reflect that difference. This is a short term emergency 'as needed' solution. We are working to prepare a new uninstaller that will respond to this situation and repair the damaged Registry keys. This will likely be released in a day or so. We will also be offering a downloadable .reg file on our site to fix the problem. Lastly, we will continue to pressure Lavasoft to either explain or remove this extremely damaging classification.

If you are uncertain how to create a new Registry key or use the information above please wait until we have released an automated solution before attempting to resolve this problem yourself.

Prevention:
If you wish to continue using both products in conjunction it is possible to place the ZeroSpyware detections on 'Ignore' from within the Ad-Aware application. To do this you must have an unaltered installation of ZeroSpyware.

Scan as you normally would in Ad-Aware and when the results come up 'check' the checkbox next to every ZeroSpyware "Possible Browser Hijack Attempt" line item (there should be 14 unless you have multiple versions of ZeroSpyware installed). Now Right-Click on the selected items and choose "Add selected to Ignore list". This will move these detections to the Ad-Aware "Ignore List", which means that you have instructed the program to not detect them.

You can also continue to use Ad-Aware and ZeroSpyware without taking any action as long as you are careful to not let Ad-Aware delete the ZeroSpyware Registry entries at any time.

Apology:
FBM Software, and the ZeroSpyware team specifically, apologize for creating the unlikely chain of events that resulted in this issue. When producing retail software there are many, many, many facets of a product to test and this specific aspect (destructive testing of whether or not someone has removed our Registry keys) was not adequately addressed. We are striving to rectify the problem as quickly as possible with as little system impact as possible. Testing this problem, and several others related to it are now a concrete part of our Quality Assurance checklist moving forward.

Commentary:
Lavasoft has never given an explanation or even a simple reason for classifying ZeroSpyware this way. This detection has been in place for over seven months, over four of which I have been trying to have this classification lifted. Lavasoft has not provided concrete information as to what a "Possible Browser Hijack Attempt" is, how it can be classified under their TAC system, or even what specifically ZeroSpyware does to be classified as such. It has taken over four months for me to get a response from Lavasoft on this issue, after both forum postings and email, and even that response has been minimal and informal.

This classification has clouded our reputation, prevented us from being reviewed by certain media, prevented us from being listed on certain download sites, and has now contributed to the degradation of our customers' systems.

Summary:
If you have any comments or issues please don't hesitate to contact us, either by email to info@fbmsoftware.com or by entering our LiveChat support application (the "Chat with us" link found on http://www.fbmsoftware.com/).

If you disagree with Lavasoft's position on ZeroSpyware or want to make your opinion known you can see a variety of means of contacting them at http://www.lavasoft.com/about/contactus/. You can also visit their very responsive support forum at http://www.lavasoftsupport.com

Thank you for your attention,

Chris Denschikoff
Product Manager
FBM Software
chris@fbmsoftware.com
Please continue with the fix. Ignore all references to ZeroSpyware.
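The diagnosis step above (checking that the InstallShield Uninstall key and the log file it points to are still present before running an uninstaller) can be scripted. The following PowerShell is an added example, not code from the post or from FBM Software; it checks the GUID quoted in the post and, going beyond that one product, audits every InstallShield-style Add/Remove entry on the machine for a missing LogFile. The function names and the Ctor.dll,LaunchSetup pattern used to recognise InstallShield entries are assumptions made for this example.

```powershell
# Added example (not from the original post): audit InstallShield-based
# Add/Remove Programs entries and flag any whose uninstall log is missing.
# Assumes Windows PowerShell with read access to HKLM (run elevated if needed).
$uninstallRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

# GUID quoted in the post; replace with the product you are checking.
$productGuid = '{A6E676F9-A28C-4EF0-B138-002AB9A56A24}'

function Test-UninstallEntry {
    param([string]$Guid)
    $keyPath = Join-Path $uninstallRoot $Guid
    if (-not (Test-Path -LiteralPath $keyPath)) {
        # Key gone entirely: the uninstaller has nothing to read.
        return [pscustomobject]@{ Guid = $Guid; KeyPresent = $false; LogFile = $null; LogPresent = $false }
    }
    $props = Get-ItemProperty -LiteralPath $keyPath
    $log = $props.LogFile
    $logPresent = [bool]($log -and (Test-Path -LiteralPath $log))
    [pscustomobject]@{ Guid = $Guid; KeyPresent = $true; LogFile = $log; LogPresent = $logPresent }
}

# Every Uninstall subkey whose UninstallString is an InstallShield launcher
# (assumed pattern: "...Ctor.dll,LaunchSetup ..." as in the post's example).
function Get-InstallShieldEntries {
    Get-ChildItem -LiteralPath $uninstallRoot | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        if ($p.UninstallString -match 'Ctor\.dll,LaunchSetup') {
            Test-UninstallEntry -Guid $_.PSChildName
        }
    }
}

$result = Test-UninstallEntry -Guid $productGuid
if (-not $result.KeyPresent) {
    Write-Warning "Uninstall key for $productGuid is missing: restore it before running the uninstaller."
} elseif (-not $result.LogPresent) {
    Write-Warning "Uninstall key exists but its LogFile '$($result.LogFile)' cannot be found."
} else {
    Write-Output "Uninstall entry for $productGuid looks intact."
}

# Machine-wide view: any row with LogPresent = False deserves the same caution.
Get-InstallShieldEntries | Format-Table Guid, KeyPresent, LogPresent, LogFile -AutoSize
```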