virtual - Dexpot carries malware?

2014-07-08
  • Таня

    Dexpot appears to have the lion's share of the market as far as virtual desktop managers go. It also seems to have a rep for adware/bloatware or worse; at least the dexpot.de site does:

    https://www.mywot.com/en/scorecard/dexpot.de/comment-68802081#comment-68802081
    http://www.calendarofupdates.com/updates/index.php?showtopic=16109&p=105170
    http://download.cnet.com/Dexpot/9241-2346_4-13143779.html?messageID=10922154

    Some of the bloatware listed: Conduit, MyFreeGames, OpenCandy.

    I've been trying to figure out whether Dexpot is safe to install; but since someone said it is an opinion-based question, I'll be more specific:

    1. Is Dexpot shipped with malware?

    2. What is the malware's payload? Would it do something as malicious as install a keylogger or steal a credit card?

    3. Can the malware be removed?

    phearce, 09/16/2013 (tagged "Malware or viruses", "Potentially unwanted programs"): "The Desktop Clock software came 'bundled' with the nearly-impossible-to-remove Conduit and MyFreeGames toolbar malware.

    Very disappointing: the wallpaper clock is such a well executed idea."

    "All benefits are undone by coupling with malware", September 23, 2013, by justajiggolo: "The version I downloaded (via Dexpot's own site, dexpot.de) came bundled with Conduit 'Search hijacker' -> giant PITA to remove, and you have to remove it from ALL browsers that you use."

  • Answers
  • Wutnaut

    You are correct to assume that no malware scan finds all malware... but there ARE sites that multi-test programs.

    http://dexpot.en.lo4d.com/virus-malware-tests tested Dexpot on May 5, 2014 (2 days ago as of this post) and found it clean in 27 different tests.

  • Таня

    Dexpot may be all kinds of things, but "clean" is not one of them.

    I just posted a question on adware on the Dexpot forum:

    http://dexpot.de/forum/viewtopic.php?f=12&t=5534&p=35736#p35736

    To summarize:

    Yes, they still install adware, or programs that claim to do something useful but silently install adware. They claim you can opt-out. They've claimed it before, but users had a different experience, as seen from the links in my Q. Maybe you can opt-out for real now, I don't know.

    They said they stopped installing Conduit products and all toolbars. They won't provide the list of programs they do install (I'll update this answer if this changes). They do still install TuneUp Utilities 2014, which has a bad rep on CNet and, according to Wikipedia, silently installs adware. (Wikipedia does not say whether it uninstalls cleanly, including the adware; in the past, that was not the case with Dexpot's third-party bundles, but this may have changed.) They do allow you to opt out of TuneUp, or so they say.

    It's a good thing Dexpot maintains a forum and answers questions instantly if/when they choose to, but one difficult question (such as "do your programs ever call home?"), and they stop answering - this has been my impression from looking at the forums.

    I'll stay away from Dexpot and stick to VirtuaWin until I can see if someone can get them to do a public statement about what the software does NOT do. (Think about it this way: would not a legit company be eager to make such a statement?)


  • Related Question

    Removing malware of a particular kind
  • Cyclone

    I need to remove some malware from my computer. It is a trojan, and very annoying. It blocks access to Google and search sites. The trojan, with its name spelled out on each line because it seems to block sites when I reference it in a URL, is

    a r t (some text to mess it up) e m (more text i s

    First off, what is it, what does it do? Second, why can't I access google or yahoo or any other search sites at all?

    Third, can it be removed via McAfee? It says it quarantined it when I scanned.

    I found a suspicious process "c"s"r"s"s".exe and it will not let me terminate it, and this is what McAfee says it is. Why on earth isn't McAfee getting rid of it? I even blocked internet access for this program.

    Thanks so much, I get kinda freaked out with things like this...

    Here is my entire Hosts file:


  • Related Answers
  • Phoshi

    Can you locate the executable? If so, boot into a Linux LiveCD and blast it off the face of your filesystem. It may well recreate itself, if it's got hidden agents hiding around, so grab a copy of Autoruns and check what's loading behind your back.

    edit: And have you checked your Hosts file?
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    That's where pre-DNS level filtering happens, worth a look.

  • tvanover

    Without deeply inspecting your computer with a wide range of tools I doubt you will be able to manually remove the malicious software entirely. If you miss even a piece of it, as @ChrisF mentioned, it will probably try and undo any of your attempts to remove it. And in the age where viruses will not only hide themselves in system files but will corrupt your machine with multiple instances of themselves and other viruses as well, it is almost impossible to manually clean a machine with any level of confidence that it is once again secure.

    The only way to be sure the virus is gone is to format the hard drive and do a clean reinstall of the OS. Now if you need to get your data off, I would get a USB hard drive or some other external drive and an Ubuntu live CD (you can download an ISO and burn a copy to a CD).

    • Boot to the live CD and use Ubuntu to transfer your files to the external USB drive.
    • Once the files are backed up, reformat the machine and reinstall the OS.
    • Once the computer is fully functional:
      • Plug in your backup drive and do a thorough virus scan of the drive to make sure none of your data is the source of the virus. It does no good to re-image when the source of the virus is a corrupted PDF, video, image, document, or other file.
      • Once the virus scan reports your backup as clean of infection, move your files back over and reinstall your applications.

    Good luck and good hunting.

  • ChrisF

    The reason you can't get to Google and the other search sites is because the virus has added all those lines to your hosts file. The line:

    127.0.0.1 google.com

    will mean that all requests to google.com will be redirected back to your machine, which obviously can't serve them.

    As Phoshi says, you should remove these lines from the hosts file. However, I would guess that the virus will try to recreate them the next time you boot the PC. By making the file read-only it won't be able to update it again and you'll be able to connect to the sites previously blocked.
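One way to check a hosts file for exactly this kind of hijack, as an added example (not code from the thread or from any tool named in it): it parses hosts-file syntax (address, whitespace-separated hostnames, `#` comments) and lists every real hostname that has been pointed at a loopback or blackhole address. The sample lines, the function names and the set of names treated as legitimately local are assumptions.

```python
"""Audit a hosts file for entries that blackhole real sites to loopback.

Added example, not from the original thread. The sample below is
constructed to resemble the poster's file, with normal lines mixed in.
"""
import ipaddress

# Names that legitimately resolve to loopback on a Windows host (assumed set).
LEGIT_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample hosts file: two stock lines, then malware-style entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1   google.com  www.google.com   # added by malware
127.0.0.1   search.yahoo.com
0.0.0.0     bing.com
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed first field; not a mapping line
        for name in fields[1:]:
            yield ip, name.lower(), line_no


def find_hijacked(text):
    """Return (line_no, hostname, ip) for names sent to loopback/unspecified."""
    hijacked = []
    for ip, name, line_no in parse_hosts(text):
        if (ip.is_loopback or ip.is_unspecified) and name not in LEGIT_LOCAL_NAMES:
            hijacked.append((line_no, name, str(ip)))
    return hijacked


if __name__ == "__main__":
    for line_no, name, ip in find_hijacked(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

Note that 0.0.0.0 entries are also how deliberate ad-blocking hosts lists work, so a hit on that address needs a look at which names are listed before treating it as an infection.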

  • Seasoned Advice (cooking)

    Try ComboFix. It works well with problems such as this; best run it in safe mode. http://www.combofix.org/download.php