After scanning for spyware I have been informed by pest patrol thatn-lite carries 180solutions zango software
and that pest patrol considers n-lite to be a risk - it lists zango as being by 180solutions. This wasnt infected by my computer it was carried into the computer on a download of n-lite

I got the file from this page here
http://www.nliteos.com/download.html

and it was the top link on the "self extracting archive" menu (not the mirrors from the site itself)
I just tested the ones from the mirror sites and they are OK
I retested the top link and its definitely infected

You might be wondering why I dislike 180solutions so much, well when you realise that they scam 2billion a year out of spamming the internet (or used to - personally I think they still do) and when you have had entire business networks go down because of them - perhaps you will realise.
Nlite has infected your computer - check the registry for the word "sodoku" and then read on
http://www3.ca.com/securityadvisor/pest/pe...px?id=453100325

you may like to read up on the following
There are problems you will probably encounter with any title by 180solutions, just bear in mind the FBI threatened the directors with a legal case and also informed them they would press for custodial sentences unless they co-operated in making a case against other fraudsters - perpertrators of spyware viral code and other malware. Now considering they were making spambots at the time - do you want to take the risk - read on.
full story here at Ben Edelman's website - Edelman helped the FBI track these... "people" down

http://www.benedelman.org/spyware/180-affiliates/
http://www.benedelman.org
news item here
http://www.xbiz.com/news_piece.php?id=11111
Before you read any further see this page
http://www3.ca.com/securityadvisor/pest/pe...px?id=453100325
and find out if your registry or any files in unattended installations are infected
also
google for +180solutions +fbi

basically 180solutions is company that was raking in around 2 Billion dollars a year frrom infecting computers and networks with trojans and other malware designed to get advertising onto your desktop

My point being that its up to you whether you trust this software but I know for a fact that 180solutions is one of the most corrupt companies in existence and if I were you I'd think long and hard about using anything that was ever anything to do with them in a corporate environment or on my own home network.
You just cant trust it. I want to know what zango software is doing in n-lite ?
180 solutions is now spending a great deal of money to tell people they went to the FBI and that theyve cleaned up their act- infact the FBI basically went to them and threatened them with many years behind bars - also do you really believe anyone is going to give up 2Billion a year that easily?

i have scanned the file
here
hxxp://www.virustotal.com

here
hxxp://virusscan.jotti.org/

And here
hxxp://housecall65.trendmicro.com

The sites report the file as clean , either this has been silently fixed or you have made mistake

theres no mistake - if I download the self extracting archive from nliteos.com (not the ones from the mirror sites but the top one on the menu ) it definitely adds to my registry the zango software - theres no mistake - its that one file is infected FOR DEFINITE - dont rely on a scan - download the file and check the registry for the word "sudoku" then when it infects your computer edit it out and try a different download site for nlite - it wont do it. Then go back to the top link install n-lite and its there again - I'm not making this up !

you on drugs?

infact I just re-tested it and its still infected !!!!!



and youre asking me that ?

look its pretty simple - you go to nlite os
http://www.nliteos.com/download.html
download from a mirror site the self extracting archive
install it
run it
search your registry does it contain an entry with the word sudoku? No
now get the version thats not on a mirror site
install it
run it
search registry
now the signature for the 180solutions software will be there

if you need to know full details of the signature read up on
180solutions zango software
the last time there was a mass infection there were 400,000 computers in one spambot network

If necessary I will get Edelman to test it for me - he is quite willing to do that, I have
had corespondence with him before now.
Incase the implications arent that obvious to you - anyone thats installing a disk made with the software will have to be careful they arent creating a spambot or spyware network

"finished searching through the registry"

you on drugs?

i didnt know u are a guru in spyware and u found it just by scaning manually after some word u made up.....go party or other activities ....i scaned nlite with a lot of av and antispyware.....
and by the way if u dont like it cause its infecting you pc with the word u said DONT USE IT!!!!!1

Did that,but the word did not appear in my registry, Maybe your already infected before?
this do not need to be a flame war

well now you do know !

erm infact several anti spyware programs I just ran confirmed what I have been saying - I have been looking into the problem since 4am uk time and - All I have is the fact that on a fresh install downloaded from the nlite site they reported the error I'm not trying do anything but alert you to a problem - if you dont take it seriously enough thats your luck out

It was not a false positive and it was reported by my antispyware as zango software by 180solutions
which puts its signature in the registry and that signature contains the word sudoku
now I dont know what your problem is ! but I can tell you 2 things 1) this happened exactly as I reported it
and 2) the problem is now not occuring as of about 15 minutes ago (13:18 uk time)

two other facts are that it occured also using a download I took at around 7am yesterday morning
the other fact being that I tested it at 7am on a completely fresh install this morning on a computer not interfaced with the internet and got the same results as at 4:30am

also just FYI - there is little chance this could have come from anywhere else I am hooked up to a firewall and all my http traffic is scanned for malware before it gets to me by a subscription service - all my ports are closed and none of my antivirus scanners on any of the security behind the firewall picked it up till I rebooted and scanned the registry but my antispyware scanners saw it straight away

your crazy.... Nuhi has been doing this for a long time... no need to go and destroy the community.

I scanned aswell, CLEAN

i cant seem to find spyware in it anyware

Is anyone actually reading anything thats written or do you just reply to the first post

I'm telling you this happened and that by scanning the file that you download you would not have found it - also the file that infected my computer came from one single link on the download page - not the others
the only way to detect the infection is when it enters the registry and places registry values there
you cannot scan the file and detect it - you have to look in the registry
but since its stopped now and the file appears to have been cleaned - its largely academic now

I'll say it one more time - jeez
you can only find the infection in the registry not by scanning the file
for people who havent found the references to it
http://www3.ca.com/securityadvisor/pest/pe...px?id=453100325

http://research.sunbelt-software.com/threa...;threatid=69482

http://www.pctools.com/mrc/infections/view/2500/

anyway - I've had enough - you do what you want with the information but I havent had any reason to say this other than to tell you to be careful - if you dont take that advice its up to you

what software are you using it scan it with, lol

well why are you interested - it strikes me that youre pretty fast to deny anything was wrong - surely it would have been better to ask what the values were in the registry. Its pretty much ineffectual to ask what software I used if the way to verify the infection is by scanning the registry
by typing "regedit" into a command prompt and looking for the signature
if it was a false positive or a faulty scanner the signatures wouldnt have been there
Since they were in the registry and only got there after installing the software its obvious the software n-lite carried them there
now why you cant accept this I dont know but I GOT A PRETTY GOOD IDEA WHY

Same here. Picked the one you said, installed, ran spyware scanner (something I never bother with), and it found absolutely NOTHING at all. No "sudoku" anywhere in my registry either. Stop spreading lies!

Don't take my word for it either:


Not that I'm nlite user, but I figured that just couldn't be true.

If you have spyware problems just ditch IE already, don't blame 'em on nlite.

Youre havin a laugh aint ya ?
have you read three posts above yours
I TOLD YOU IT STOPPED SOMETIME AROUND 1300hrs UK TIME -

jeez ok that really is enough
next time I'll just let let you people get on with it
if you want infected computers and networks just go ahead I wont bother anymore - just dont bother replying to this forget it

A+++++++++++++++++ THREAD. WOULD READ AGAIN!!!!!!111one

All clear here, using version of nlite 1.2rc downloaded on 02.10.2006. Are you sure that the problematic soft is nlite?

i ask becuase some of the really lame ones report fake problems to trick you into buying their product

No, not AT ALL. I'm taking this rather seriously (the wrongful accusations). This is pure and simple libel.



Check the Last-Modified date:

Last-Modified: Mon, 02 Oct 2006 16:49:48 GMT

So no, it hasn't changed in the last half hour, it's more than 3 weeks old. It's just your own spyware problems that did stop a half hour ago...



That's the first such claim I ever see about nlite, and honestly, there's lots of knowledgeable ppl using it, you'd think we'd have figured it out already. nlite's not going to infect other ppl's computers, no matter what you say or think. It's as clean as it gets.

@RyanVM: LOL. Been eBay'ing a bit much lately?

Thanks for the laffs guys. We haven't had a "The sky is falling, THE SKY IS FALLING" thread in a while.

There is a simple explanation for this. That is that the link was hijacked and someone added spywear to nlite 12.rc file.

Last I checked thats not impossable. Files on webpages are always getting updated. This was just a fluk. Nuhi obviouslty had no part of it and its some lame-o trying to take advantage of nlites popularity.

This is about as lame as it gets. You're either completely full of it or you got infected because you're busy surfing for porn. diddle diddle...

oh good, at least thats more of a sane response than just denying it had anything to do with n-lite
at least theres a fact in there to work with.

Ok so what could it have been since my approach was this

yesterday I downloaded nlite - made a install disk and run it
then sometime later added in a spyware scanner - one that I trust (IE one that is kept on a cd and only installed on computers I am checking offline)

another fact I know is that the situation only occurred if I downloaded n-lite
which I did several times to clean computers with only official MS software on there
further to that it never occured other than immediately after installing n-lite
also this behaviour only occurred if the n-lite install was got from 1 link on the nlite website

It did not occur if the nlite was taken from anywhere else

have you got any explanations for how the exact same version of nlite might not infect my computer from one source but from another source it does - even though no other webpage was visited except the msfn page for nlite?

Uhmm. NO. Files and links on webpages don't get hijacked just like that. And I've NEVER heard of a hack being done to infect a download with spyware like that (and then the individual checking forums 24/7, and on the minute someone says anything, hacks the server again to restore the right files -- with the same timestamp no less). And if they wanted to get spyware spread, they wouldn't have picked nlite. It's relatively well known, but I doubt it's getting very much downloads (relatively speaking), and most of those are coming from users advanced enough to recognize and eradicate spyware, so it would be pointless. That theory makes NO sense whatsoever.

And like I said before, the file's timestamp has NOT changed in over 3 weeks. NOTHING's changed! And I just compared the download with the one I downloaded nearly a month ago when there were news about it, and it's identical bit for bit.

It's just him having spyware issues, and blaming them on nlite. Nothing more.

I have a copy of the infected file - and its definitely infected - I just installed a copy of bit defender and it pickd it up as I opened the file -
I mean if anyone is an expert in viral infection they may like to take a look at it I can zip the file and put it to a host somewhere

I know for a fact this could have only been infected outside of my system -

I have used nLite for the last two years, and I know that there isn't any spyware within the program. To end it all, simply state which file is causing this infection. Ad-aware results, as was posted earlier, have a detailed log which explains what is causing the spyware related infections on a computer.

No need for hostility, but it's not nice to accuse nuhi, who has been dedicated for at least two years to delivering a product of unprecedented quality to allow extranneous files and features to be removed permanently from Windows XP.

It is events like these that discourage people from sharing their hard work with the world, desiring to avoid the harsh scrutiny of the envious and the unappreciation by the selfish.

ok.. well i figured it was at least a feasable explanation. I've used nlite since 04 and never had anything infect my system so I'm not standing with this guy. The possibility of a nlite release going up somewhere and him being redirected to that link and that file being infacted is remote but still possible.

I havent accused anyone and if you'd just read what I been saying and actually correlate it to the facts then you would see a pattern - its not like I'm a friggin noobie in technology I been working in IT systems and security for the past 25 years and I havent once before now found a site where people are so eager to praise a product that they forget the real world out there is getting more devious by the minute at manipulating technology for financial and malicious gain - I know nlite is a good product - I know the people who make it are good but believe me some of the best systems in the world are compromised on a regular basis

Look I didnt want to get into a shouting match I presented the facts after doing a great deal of analysis on the problem I checked out everything from whether it was some sort of virus on my computer to whether there had been a redirect of the data packets along the way.
All I can sy is that I am telling the truth and if any of you experts want the infected file so you can analyse it I will gladly submit it for your inspection.
We could have got here sooner if you could have taken the issue seriously - my best advice is this - if someone shouts about security - deal with it from both ends of the chain - its no good getting your arse tight about someone saying theres a problem - best stay loose and actually see if there is a problem huh?


yeah I thought of this and checked but I cant see that it happened - one possible explanation that I havent discounted is that the proxy server assigned by my isp (cuz Im at home this week) contained an instance of this file and it could be that I got the file from the proxy rather than the site - I dont know if they store anything other than html pages on their proxy but thats an explanation too however slight


WILL POST LOGS ETC VERY SOON

if you take a look at the date the file became infected it was release date 13/10/2006

which is approx 9 days after a poster above said the file was put on the server and 10 days before I downloaded the file

It looks more and more like something somewhere needs to be investigated - after some of the comments above I dont even know why I'm bothering to do this except for the fact that spyware and spam and the thought of what it has done to the internet really gets me down - all I'm trying to do is help people - I would have thought that was obvious

retox -

First, many thanks for the concern you've shown in bringing this issue to a public forum. I know it can be very stressful to be a whistleblower, but I also know something else:

Once a system has been compromised, any number of tests, checks, scans or investigations can go awry due to the nature of rogue processes and invisible services that control the system.

You've already told us you found evidence of corruption on your computer. What you haven't put forth (yet) is the methodology and procedure you've used to insure that system has been totally and completely cleaned.

Since some infections REQUIRE a hard drive wipe and complete reinstall, I would ask yhou to verify your own research and do whatever it takes (beyond a shadow of a doubt) to verify that your system is now totally free of corruption. Perhaps use the tools we use here (Ad-Aware, Hijack This, MS Defender, etc.) to see what you can find.

As experienced and concerned as you are, you owe it to yourself and your constituents to be ABSOLUTELY POSITIVE that when you're blowing that whistle, we can all take it to the bank.

Thank you for your dialogue here, and because of you I became interested and involved, as well. That can only be a GOOD thing.

Best wishes, always. I look forward to hearing what your extended investigation reveals. Please keep us posted.

I'm reporting a negative result following the steps posted earlier as well. The word 'sudoku' was not found in my registry.

I won't be so courteous about it.

retox, you're an id***.

You've come to the wrong place to insult nuhi. I respect and will stand to defend nuhi anytime.

I've always used adaware/spyware scanners.
And I strongly believe your log is a real and honest one.
Your downloaded file is apparently infected.

I searched my Registry and searched my %ProgramFiles% directory.

I didn't find any traces like yours.

I could not say you're lying. Your downloaded file is apparently infected.

can you give me the file and i will check it?

Man I can't believe you never experienced false antivirus alert.

Regarding Winrar selfextracting exe every other antivirus will report as some trojan, then you just report that to the antivirus author and they will correct, happened before.

Let me know what they say, but I assure you that nLite is clean and don't make me close this topic, so no insults please.

Send us your installer, then we can compare hashes and look if you get that file already infected from another site.

I do use nlite and I did NOT find anything on sudoku in my registry. That is good. However, when using the Mcafee SiteAdvisor tool and when I go to the website www.nliteos.com, it does give me the following warning:

When we tested this site we found links to german-nlite.de, which we found to be a distributor of downloads some people consider adware, spyware or other unwanted programs.

Therefore, there is reason to be careful and to be worried that nlite does introduce something bad in your system.

nuhi its good to talk to you but this isnt a false positive - I'm sorry I posted here first but on the nlite site I couldnt find where to send such a concern.

I know its not a false positive on these terms

1) the file infected came from a single source - no other source of the nlite software dropped registry entries
into my registry that were as written by the infection

2) I saw the registry entries myself and did a test without using any scanners but searching the registry - before and after installing the file that infected the machine

2.5) I did this on clean isolated computers and also on computers interfacing to the internet -

3) I downloaded several times instances of the installer - both infected and not infected from
different sources and still the only infection came from that one link

4) when I checked the ssource of html on the nlite site I saw nothing that would indicate it was a problem with the site

5) As you are confident of the integrity of your site and software there must or may be another explanation and I would like very much to help find that explanation but obviously sitting here I cannot see what you see behind those servers etc. - my aim is to help prevent a horrendous discharge of 180solutions viralware

I will take the advice of the others and do a full test and post full results - I will post the file to a filehost so others may see it

I am honestly not trying to undermine the softwre its creators or anything like that - I seriously had only good intentions and on reflection perhaps I could have been more subtle but I cant change that now and will remember in future that obviously this post is stressing others out as well as me.
but the thought that people might even now be loading entire networks with software that may have been compromised is horrendous - I am only thinking back to when I have had such awful problems with any malware that has infected files thats written by 180solutions - I was also thinking I couldnt just say nothing

Look everyone I am trying to be honest and to get a job done on your behalf for your benifit
If I've done something wrong I apologise sincerely give me 24 hours as I am really tired now and I will see if I can put a decent report together

OK - enough is enough.

retox, please upload the file that's supposed to be infected and i will scan it with bit defender plus v10.
you say your bit defender alarmed positively, let's see what mine says then.

you may upload the file on rapidshare and tell us a link.

hopefully this test will finish all that embarrassing thread.

ok give me a few mins I'll put a link to the file
here

http://s10.quicksharing.com/v/2272368/nLit...taller.rar.html

retox, if no one else reports it then what am I to think other than it's on your side somehow.

Thousands of people use nlite and no one ever complained about injecting reg entries, nor does nlite do it even for saving settings (it uses ini files).

I can only explain this by you having some infection already on your os prior installing nlite and somehow it triggers it to reapply that reg.

I tried the "infected" installer you uploaded. It's identical to the official one on the web site and the one I downloaded a while ago. I installed it, still no references of sudoku in registry, nor any spyware found...

Your spyware's coming from elsewhere.

Capricorn... nice reference. 1 post. Yea, ok.

Well this is why I posted here I knew some people who developed the program come here - so I thought we could have solved it if people had been more willing to say " hey so what happened"

Man I have no doubt the software is good - I'm going to use the uninfected version I have -
but surely you agree that with a program like nlite I am not wrong to bring this up for discussion - some critical machines could depend on it -
believe me I am neither insulting you or the software - I am glad there is no infection on your servers but mystified strongly puzzled about how this could have happened now.
I totally agree it does seem odd that I should say such things but all I can say is please believe me I am not lying and not trying to make anyone or any product look bad
I am geniuinely sorry if I have offended anyone and deeply concerned about networks and computers I take my job seriously and when at a forum like this I try to take a responsible attitude and get involved

It is such a mystery but please allow me back here tomorrow about the same time I will try to present you with a detailed description and analysis properly written up so you may be able to hazard a better guess at how it might have happened - can I ask a question
just supposing I was right and somehow either I was tricked into downloading from a non nlite server - or the nlite server had been compromised - that would be cause for concern wouldnt it?

impossible !! OK I will get some experts in data and network forensics to help -
end of story I desist

I tried using the installer you posted. Scanned it with Nod32 and installed it and searched the registry and (drum roll here) NOTHING!

I could see the spyware if you clkick on one of the Google ads on the page, but that's not their fault, they can't control the ads....

lmao.. ditto

I also compared the md5hashes with the one you uploaded and the one I downloaded the day it was released and they are the same so yea I agree with everyone else you are a fracking moron!

LOL someone has to be punished for spreading bul***** and that's not nuhi that's for sure

This reminds me of a song:

Ban ban, I shot you down
Ban ban, you hit the ground
...