Sunday, 20 July 2008

Basic computer security

Anyone who works in an office where there is a computing network will know that it is impossible to install software on the computers there, not just because it is against company policy but because the computers themselves won’t allow staff to. The same is true for those using a PC in such locations as a public library. This is because software installation rights are restricted to the computer administrator who accepts the responsibility for the system. Although many do not realise it, Windows XP and Vista both offer the same facility, and if computer owners want to keep unwanted and potentially dangerous software off their machines (such as the Platte software that is the current subject of so much debate) they should avail themselves of the facility. And each user of the PC should have their own account; if there is a problem it makes it far easier to determine who was responsible. I’m giving specific instructions on how to do this at the end of the post.

Nobody (not even the administrator) should be routinely browsing the internet through the administrator's account, so owners will need to set up a second account for themselves (this is advice from Microsoft, not just me). It is very important that the administrator account is protected with a safe password that is never shared with other users of the PC under any circumstances. It takes two people to put Platte or similar software on a computer: the person who carries out the install and the owner who has been foolish enough to let them do it. You should not rely on any antivirus package to protect you either; they can do no more than flag up a warning against a deliberate installation of software by a determined user with administrator privileges.

Children often represent the biggest problem, not least because they often know far more about computers than their parents. But this is all the more reason to stop them having any access to an administrator account. Children's approach to the home computer is simple - they'll download anything they like without any regard to the consequences of doing so, whether it's screwing up the computer or seriously compromising the security of the information stored on it. The parents' job is to pick up the bills and little more. Sound familiar? Nor should parents underestimate the likelihood that their children will seek out a site such as getfilmsnow, not because they want to watch a tired old Popeye cartoon but quite specifically because they want to watch material with a sexual content. Boys are genetically programmed to have an interest in such matters, and links to such sites will be circulating among them by email, creating peer pressure to view such material even when the child doesn't particularly want to. In my youth it was 'Health & Efficiency', a publication which appears laughably innocent in this day and age. But of course even without downloaded software there is a lot of sexual content that can be viewed on the internet. While you can limit a young child's exposure to such material by adjusting the settings for the browser, the most effective way to keep an eye on what the child is viewing without intruding too much is to keep the computer in the regular family room, not tucked away in an office. This can be inconvenient for the adults, but it does enable them to exercise reasonable control over the computer's use. I'm afraid that it is simply not possible to protect a child from the irresponsibility of their parents. You wouldn't give them unrestricted use of your car, would you?

There are other sources of information on how to manage your computer, not least of which is Google. If you've got a problem, someone else will have had the same and there'll always be plenty of helpful advice. If you're asked to install software make sure that it's you who does the download after googling the software you plan to install (since that will flag up any obvious concerns). If a few more people had googled 'Platte Media' before installing it there'd be a lot less grief right now. Do check any small print in licence agreements even when they're written in difficult-to-follow legalese. If in any doubt, don't put it on. Very little software is really needed on a computer beyond an office suite and an antivirus package, other than the supplied software for your other hardware: printer, camera, scanner, iPod and the like. The less software you load on a computer, the less likely it is to go wrong.

The children will moan of course, starting with 'none of my friends' parents...' (you should just tell them to go and install their software on their friends' computers in that case). Don't give in, not even once. Because once you do you're on a slippery slope and soon you'll find yourself right back where you started. The ubiquity of the games console means that it is not even necessary to install games any more and it's best not to. At least then you'll no longer have to endure your child playing 'Rape and Pillage III' while you're trying to get on to do your online banking.

Sooner or later you'll no doubt feel your child is responsible enough to have administrator rights. But he should be administering his own computer, not yours, and accepting the full financial responsibility for doing so – repairs, upgrades, and all the bills that arise from injudiciously downloaded software. If he wants to let passing pornographers access his computer that's up to him; at least they won't be accessing yours. Nor do PCs require regular replacement. Mine has lasted 10 years and it is quite reasonable to expect the same of his. If he wants to replace it, let him shell out for the privilege.

So, how do you set up an administrator account? I’m going to give you detailed illustrated instructions here. Take your time, don’t allow any distractions, and read the instructions through carefully to make sure you understand them before you start. You will want to use your existing account as your day-to-day account since it has all your passwords and personal settings, so I am going to call the new account ‘PC Administrator’ – you can’t just call the account ‘Administrator’ since Windows already has a hidden account of that name. These instructions presume that your existing account is set as an administrator account already; if not you will need to log in to one that is. You should note that I will shortly be putting up full instructions for removing all the files left behind by Platte's uninstaller, and these will be written on the assumption that you have followed the advice in this post. So here we go...

1. Open the control panel (click start, 'Control Panel' is in the right-hand column):




2. Where it invites you to pick a category, select 'User Accounts':




3. Click on 'Create a new account':




4. Insert the name for your new account (I've called it 'PC Administrator'):




5. Now you are asked to pick an account type: pick 'Computer administrator', then click 'Create account':





6. Now you can set the password. Click on the new account:



7. From the list of options, select 'Create a password':




8. Now you have to choose a password. It should not be one you use elsewhere, nor one that will be easily guessed. I've used the registration number of my parents' first car, and put up 'Austin 7' as a clue. Then click on 'Create Password':




9. If the other users do not already have separate accounts, you should create new ones for them now, repeating the sequence above, but setting the accounts as 'Limited', not 'Computer administrator'. Now you can log off, before logging in to your new account:





10. This will take some time to set itself up, but once it has, exactly as before, open the control panel. Now select your original account:




11. Select 'Change the account type' from the list:




12. Select 'Limited' and then click on 'Change account type':




Now repeat that, changing all the original accounts on the computer bar the 'PC Administrator' account to 'Limited' accounts. If you take the time to do this, and keep your password secret, other users will not be able to install software for the whole computer or change its settings. A limited account can still run programs and save files within its own profile, so it can still put that user's own files at risk; the antivirus package and the advice above about what to download still apply to every user.

It's best to insist that all the accounts use passwords (these are set up in User Accounts via the control panel) but each user can set their own. By default, Windows leaves the Guest account turned off, and it is best to leave it that way, unless you want to run the risk of visitors having (limited) unauthorised access. You can set up a separate limited account called 'Visitor' that has its own password for people to whom you allow occasional access.
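The same account changes as the illustrated steps, done from the command prompt. This is an added example and not part of the original post: it uses the NET commands built into Windows XP (Home and Professional), and the account names 'Alice', 'Bob' and 'Visitor' are placeholders for your own. Save it as accounts.cmd, open a prompt with Start > Run > cmd while logged in as a computer administrator, run the 'create' half first, log in as the new account to prove the password works, and only then run 'demote'.

```batch
@echo off
rem Added example, not from the original post: the account changes made by
rem the illustrated Control Panel steps, using the NET commands built in to
rem Windows XP. 'Alice', 'Bob' and 'Visitor' are placeholder names.
rem
rem   accounts.cmd create   add 'PC Administrator' and a limited 'Visitor'
rem   accounts.cmd demote   run once logged in as 'PC Administrator': make the
rem                         old accounts limited
setlocal
set NEWADMIN=PC Administrator

if /i "%~1"=="create" goto :create
if /i "%~1"=="demote" goto :demote
echo usage: %~nx0 create ^| demote
exit /b 2

:create
rem The * makes NET ask for the password twice rather than taking it on the
rem command line, where it would sit in the window and the command history.
rem NET USER /ADD puts a new account in the Users group, which is what the
rem Control Panel calls 'Limited'.
net user "%NEWADMIN%" * /add /comment:"Installs software only; never browse from here"
if errorlevel 1 goto :fail
rem 'Computer administrator' means membership of the Administrators group.
net localgroup Administrators "%NEWADMIN%" /add
if errorlevel 1 goto :fail
rem A limited account for occasional visitors, with its own password.
net user Visitor * /add
if errorlevel 1 goto :fail
rem Keep the built-in Guest account switched off, which is XP's default.
net user Guest /active:no
rem Check before relying on it: the new account must be listed as an administrator.
net localgroup Administrators | find /i "%NEWADMIN%" >nul
if errorlevel 1 goto :fail
echo OK: "%NEWADMIN%" is a computer administrator. Log off, log in as it to
echo prove the password works, then run "%~nx0 demote" from that account.
exit /b 0

:demote
rem Taking an account out of Administrators is what 'Change the account type'
rem to Limited does. An account that is logged in at the time keeps its
rem rights until it next logs on. Edit the list to match your PC.
for %%U in ("Alice" "Bob") do (
    net localgroup Administrators %%U /delete
    rem Accounts created as administrators may not be in Users yet; the
    rem "already a member" error for those that are is harmless, so hide it.
    net localgroup Users %%U /add >nul 2>&1
    net localgroup Administrators | find /i "%%~U" >nul && echo STILL ADMIN: %%~U
    net localgroup Users | find /i "%%~U" >nul || echo NOT IN USERS: %%~U
)
rem Final check: who is left with the right to install software. The built-in
rem 'Administrator' account is always listed; it is the hidden one mentioned above.
net localgroup Administrators
exit /b 0

:fail
echo A NET command failed; nothing after it has been run. Read the message above.
exit /b 1
```

The two halves are deliberately separate: demoting the account you are logged in with before you have proved the new one works is the one way to lock yourself out of installing anything, so the script refuses to go on if the new account is not listed in Administrators, and the closing listing is the check that nobody else still has that right.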

No computer is impregnable, but these precautions minimise the risk of uninvited software being installed. Owners who prefer not to take them should be prepared to shoulder some responsibility for the consequences of that decision.

Saturday, 19 July 2008

Platte - I've been sent a bill

I have received several emails about the Platte software, asking for my advice on whether people should pay the £29.99 that Platte are billing them for, particularly from those who say that their computer was not in use at the time. It would be helpful if I answer that here.

Firstly, anyone who enters into a contract with Platte should (as I said in an earlier post) honour that contract. As I've made clear, I'm not enthused by Platte's business model or the nature of their software, but the claim that a computer was not in use at the time the software was downloaded simply cannot be true. Unless a computer is connected to the internet and being used for browsing at the time, no unsolicited software can download, whether it is with the owner's permission or not. Windows does not permit the installation of ActiveX controls (a component of the Platte software) without specific consent. Nor do I believe that the software is downloaded entirely unknowingly; there is no need for it to be, given that there are enough damn fools in this world prepared to agree to just about anything regardless of liability or consequence in order to access pornographic material, particularly with the offer of a free trial.

Here's the warning displayed by Windows at the commencement of installation of the software:



And here's a subsequent ActiveX warning:




If you are the owner of a computer and find that the Platte software was installed without your consent, you should examine the browser history logs that are on your PC since you will be able to determine what site the download came from and hopefully also identify the culprit - in that case you should present the person concerned with Platte's bill (unless of course they are a minor). Whether you are yourself liable for the bill in those circumstances appears (and I must emphasise that I am no lawyer) to be unclear; you should go to the MBS/Platte Media Victims' Forum if you want to take the advice of others who found themselves in the same position. It is unfortunate that there appears to be no legal judgement yet (at least not one that can be found online) that settles the question of liability definitively in cases like this.

I will put up a post giving basic instructions on how to recover your browser history logs; computer owners owe it not least to themselves to determine who has been using their computer and installing software of this nature. At the very least this establishes that the computer concerned was indeed used to enter into a contract involving a financial commitment to Platte, and the user account that was used to do it.

If I found that the Platte software had been installed without my permission on my own PC by an adult, my anger would be directed at the person concerned rather than at Platte, and I would certainly ensure that they met the costs they had committed to. Having signed up myself, primarily for the purpose of determining the clarity of the contract at the time of the download, I can only say I found the current terms to be entirely clear (although my subsequent experience was of course that Platte failed to honour their side of that contract following my cancellation). Unless I had consented to the download, I doubt whether I would feel in the slightest obligated to settle the bill myself, but that is a matter where individual computer owners have to make their own decision and might be best obtaining legal advice.

I find pornographic material singularly distasteful but it is legal, and those who wish to access it should settle any financial liability they commit to. If you signed up with Platte, you should accept the responsibility you foolishly took on in doing so. So please, no more requests for advice of this nature.


Go to my next post on Platte Media

Friday, 18 July 2008

Platte and that billing software VI: further file found

I've found one further file that the Platte software installs. I've added it to the full list and am only posting it here for the benefit of those who have already copied out that earlier list. The latest uninstall tool appears to remove it. Sorry I didn't spot it before.

C:\WINDOWS\system32\pinf.sys


Go to my next post on Platte Media

Tuesday, 15 July 2008

Platte and that billing software V: a third uninstaller

I am pleased to say that Platte are responding to this blog's exposure of their hidden files and there is now another new uninstall tool up for download. This removes all bar one of the hidden files (although the remaining visible files are untouched) and is therefore an improvement on earlier builds.

Many people are having difficulty accessing the uninstall utility; this link will take you directly to the download.

I'll explain here exactly what still gets left behind; those who feel that they had an unwelcome intruder in their computer (or don't have their uninstall instructions any longer - you would need to use the supplied code again) will probably still want to seek professional assistance and achieve a full removal. It is to be hoped that Platte are still working on this and finally offer an uninstaller that actually does the job before too long (don't hold your breath though).

If you have not read my earlier posts on Platte, you may find it helpful to do so.

The new uninstaller downloads as before as a setup.exe file:





How do you know you've got the latest one? Right-click on the file and select 'Properties' from the drop-down menu. A small applet opens, and you should go to the 'Digital Signatures' tab. This will show the timestamp as 14 July 2008 09:01:07:






You run this as before, entering your code. This time I found that the hidden folder on the C drive (and all the files within it) were removed, although the files elsewhere remain. In the C:\WINDOWS\System32 folder there are two icon files for 'Platte' and for 'Get Films Now', plus a third file which is the remaining hidden system file. Its name is a ten-digit number followed by .sys, and since the number is different for each computer (and with it being a hidden system file) it can be difficult to find. As I said in my original post on Platte, system files are notoriously difficult for uninstall tools to remove anyway, and this one is likely to be doubly so because of that unique file name. In the photo below it is in the upper left-hand corner. What does it do? That's difficult to determine. I would have said that it was that unique and non-removable identifier they promised (and I still think it is) but since Platte said in one of their emails that the licence is in the registry I must be wrong I suppose. Since its purpose is uncertain it should definitely be removed, either by a professional or by a skilled acquaintance (not by one of your children, however skilled you like to think them):





In the C:\Program Files folder there is still the 'Platte Information Files' folder:





This contains two further files (one of which is executable) plus a shortcut:





Clicking on the first of these files throws up a display of your supposedly deleted Platte account details (this is from the executable file):





The second gives you the details of the contract that was agreed at the time of setting up your account:





So that's it. From having 6 of the 44 files removed we have now gone to having 39 removed and only 5 left behind. Maybe one day Platte will offer an uninstall tool that actually removes the lot. Even now, I do not think it in the slightest unreasonable to bill Platte for using a professional to achieve a complete removal and obviously there is also the question of compensation for Platte's clear breach of the original agreement. I would have thought that a sum of let's say £30 per customer would be pretty fair given all the circumstances.

My next post on this will cover general aspects of computer security, with particular emphasis on how to keep software of this nature off your computer in the first place. I'm conscious that I promised an analysis of registry changes in an earlier post and I will indeed post on that, but not until it becomes clear that Platte are not proposing any further immediate builds of their uninstaller, since reading through registry files is very time consuming. But I'm going to go back on what I said in my original post; I'll put up full illustrated instructions for removing these files safely (since Platte can't manage it).

There remain of course other areas of concern over this software, but I will cover the main ones when I address the security issues. In the meantime, I hope these posts have been of help.


Go to my next post on Platte Media

Friday, 11 July 2008

Platte and that billing software IV: www.plattehelp.com

A lot of people are visiting this blog via search engines because they are not able to connect to www.plattehelp.com to download their uninstall software. At the time of posting, this link will take you directly to the download. However, you are very strongly advised to read all my posts relating to this software, since you will need to take further measures to ensure its complete removal.

If you find the link no longer works, it would be very helpful if you leave a comment to that effect.

Go to my next post on Platte Media

Tuesday, 8 July 2008

Platte and that billing software III: the new uninstaller

I said in my original post on this topic that when Gareth, a software developer at Platte, offered me an updated uninstaller, I found that it was exactly the same as the first. How could I tell? - I checked the digital signature for the software, and they both had the same date - 8th May 2008. In truth I was somewhat surprised by this since Gareth's email appeared to have taken my complaint about the software seriously, and it was self-evident that if I had found the jRegistryKey.dll once, I would be checking to see whether it had gone the second time around. Since I was online when he sent the email, I did wonder if he had simply sent the email prior to the new uninstaller being set up to the link, so I did download a second time, but it was again the same. Here's that first digital signature showing time and date of release:



Even after putting up my original post I remained slightly mystified, so yesterday evening I did a third download of that 'new' uninstaller to find that it is now at least definitely a new one. It is timed and dated to just before Gareth sending me the email, so I think that my failure to get the new uninstaller first time round counts as cock-up rather than conspiracy. Here's that second signature:



I've run the new uninstaller, and it does indeed remove the jRegistryKey file - the one that leaves your computer potentially open to further access by Platte. I have double-checked this morning, and it is up for general download. If you uninstalled their software via email, I would suggest that you follow those instructions again, as it will make your computer a lot safer. Those who were talked through the uninstall won't find things so easy, and are probably best seeking skilled help with the removal.

Nevertheless, this very much raises the question of why Platte didn't offer an uninstaller that removed the file in the first place, particularly given that Gareth says that "the uninstallers have undergone extensive testing and found to be working in all situations." But then again, it appears that I'm the only person to have had this difficulty. "Indeed this is the first report we have received of problems on a XP based system." And it doesn't deal with the question of the 37 remaining files, since the jRegistryKey is the only one that the new uninstaller removes beyond those the old one did; what sort of extensive testing could we be talking about here?

Here for instance is that hidden system folder on the C drive:



Here's what you find if you look inside it:



And here's what you get if you click on the .htm file (it's now clear that the name is a sequence of randomly generated letters):




There are still two files left in the system32 folder; one of these is the hidden system file (at the bottom of the picture (highlighted), the pm_icon.ico is just above and to the right of it):



The 'Platte Information Files' folder is also unchanged, and one of the files within it is an executable:



So, although the new uninstaller leaves your computer very considerably safer than the old one, it certainly comes nowhere near doing the job. So my advice is unchanged, you should get your computer checked by a professional, if only to confirm that all the Platte files have been removed.

(Ed. 15th July. There is now a third uninstaller available, considerably more effective, see this post for details)


Go to my next post on Platte Media

Monday, 7 July 2008

Platte and that billing software II: the files

In my earlier post on Platte's software, I said that their uninstaller had proved very ineffectual indeed; of the 44 files their software had installed it removed only 6. So I thought that it would be useful if I listed the files that the Platte Media software installs for the benefit of those who take my earlier advice and have a professional check their PC over post 'uninstall'. It will assist them if you print this off beforehand (without it they will not be able to find them). Your own PC may have a few variant files, as some files might change depending on how long you have the software on board, but this list is as complete as I can make it. I'll be carrying this information over to a more substantial post in due course, explaining what the various files do, so this is just a temporary post to cover that gap.

I have produced this list from a computer that runs XP pro. I have no reason to suppose that it will be any different on Vista, but obviously it might.

Files that are starred were not removed on my PC by the Platte removal tool (released 8th May 2008). Files that are concealed (either as system files or through being placed within a system folder) will have a (c) appended; those you can see will have a (v). The ten-digit unique identifier is shown here as 0000000000. One file name is a randomly generated sequence of letters; I have indicated which below.

Files installed at time of initial installation:
C:\WINDOWS\system32\0000000000.sys (c) *
C:\WINDOWS\system32\pinf.sys
C:\WINDOWS\system32\pm_ax.ocx (v)
C:\WINDOWS\system32\pm_proc1.exe (v)
C:\WINDOWS\system32\pm_proc2.exe (v)
C:\WINDOWS\system32\jRegistryKey.dll (v) *
C:\WINDOWS\system32\pm_setup_util.exe (v)
C:\WINDOWS\system32\pm_dll.dll (v)
C:\WINDOWS\system32\Get Films Now.ico (v)
C:\Program Files\Platte Information Files\Get Films Now.htm (v) *
C:\Program Files\Platte Information Files\Platte Utility (shortcut) (v) *
C:\Program Files\Platte Information Files\pm_viewer.exe (v) *

Folder created at time of initial installation:
C:\Program Files\Platte Information Files (v) *


Files installed after 72 hours:
C:\WINDOWS\system32\pm_icon.ico (v) *
C:\0000000000\BeXiAYjmmRMMIXpc.htm (c) * (a randomly generated sequence of letters, this is as it shows on my PC)
C:\0000000000\style.css (c) *
C:\0000000000\images\bar_l2.png (c) *
C:\0000000000\images\bar_l3.png (c) *
C:\0000000000\images\bar_l5.png (c) *
C:\0000000000\images\bar_m.png (c) *
C:\0000000000\images\bar_m2.png (c) *
C:\0000000000\images\bar_m3.png (c) *
C:\0000000000\images\bar_r2.png (c) *
C:\0000000000\images\bar_r3.png (c) *
C:\0000000000\images\bar_r5.png (c) *
C:\0000000000\images\box_bl.png (c) *
C:\0000000000\images\box_bl2.png (c) *
C:\0000000000\images\box_br.png (c) *
C:\0000000000\images\box_br2.png (c) *
C:\0000000000\images\box_ml.png (c) *
C:\0000000000\images\box_ml2.png (c) *
C:\0000000000\images\box_bl.png (c) *
C:\0000000000\images\box_mr.png (c) *
C:\0000000000\images\box_mr2.png (c) *
C:\0000000000\images\box_tl.png (c) *
C:\0000000000\images\box_tl2.png (c) *
C:\0000000000\images\box_tr.png (c) *
C:\0000000000\images\box_tr2.png (c) *
C:\0000000000\images\cheque.png (c) *
C:\0000000000\images\debitcard.png (c) *
C:\0000000000\images\logo.png (c) *
C:\0000000000\images\onlinebank.png (c) *
C:\0000000000\images\operator4.png (c) *
C:\0000000000\images\phonebank.png (c) *
C:\0000000000\images\postalorder.png (c) *
C:\0000000000\images\question.gif (c) *
C:\0000000000\images\tab_l.png (c) *
C:\0000000000\images\tab_r.png (c) *

Folder created after 72 hours:
C:\0000000000 (c) *
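The list above as a check you can run, both after Platte's uninstaller (the 15 July post describes what the third build still leaves behind) and when working out, as the 19 July post suggests, which account installed the software. This batch script is an added example: it is mine, not Platte's tool and not from the original post. It walks the fixed-name entries, lists the 'Platte Information Files' folder, and finds the ten-digit .sys file and folder whatever number they carry on your PC; it deletes nothing, so the output can be handed to whoever does the removal. It assumes the XP paths in the list, with %SystemRoot%, %SystemDrive% and %ProgramFiles% being the standard Windows variables, and should be run from an administrator account so that nothing is hidden by permissions.

```batch
@echo off
rem Added example, not from the original post: a read-only check that walks
rem the list above and reports which of the files are still on the PC, with
rem their creation times. It deletes nothing. Assumes the XP locations the
rem list gives; %SystemRoot%, %SystemDrive% and %ProgramFiles% are standard.
setlocal
set FOUND=0
set SYS=%SystemRoot%\system32
set PIF=%ProgramFiles%\Platte Information Files
set D10=[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]

rem Fixed-name files. IF EXIST sees hidden and system files that Explorer
rem hides by default.
for %%F in (
    "%SYS%\pinf.sys"
    "%SYS%\pm_ax.ocx"
    "%SYS%\pm_proc1.exe"
    "%SYS%\pm_proc2.exe"
    "%SYS%\jRegistryKey.dll"
    "%SYS%\pm_setup_util.exe"
    "%SYS%\pm_dll.dll"
    "%SYS%\pm_icon.ico"
    "%SYS%\Get Films Now.ico"
    "%PIF%\Get Films Now.htm"
    "%PIF%\pm_viewer.exe"
) do call :check %%F

rem The folder holding the shortcut: list everything in it, hidden items included.
if exist "%PIF%\" (
    call :hit "%PIF%"
    dir /a /tc "%PIF%"
)

rem The ten-digit identifier differs per PC, so match any name of exactly ten
rem digits: the hidden .sys in system32 and the hidden folder on the system drive.
for /f "delims=" %%F in ('dir /a /b "%SYS%\*.sys" 2^>nul ^| findstr /r /i "^%D10%\.sys$"') do call :hit "%SYS%\%%F"
for /f "delims=" %%D in ('dir /b /ad %SystemDrive%\ 2^>nul ^| findstr /r "^%D10%$"') do (
    call :hit "%SystemDrive%\%%D"
    dir /a /s /tc "%SystemDrive%\%%D"
)

echo.
if %FOUND%==0 (echo Nothing from the list is present.) else echo %FOUND% items from the list remain. Give this output to whoever does the removal.
exit /b %FOUND%

:check
if exist %1 (call :hit %1) else echo absent  %~1
goto :eof

:hit
set /a FOUND+=1
echo FOUND   %~1
rem /tc lists the creation date and time, which you can set beside the browser
rem history and account logons when working out who installed the software.
dir /a /tc "%~dp1" | findstr /i /c:"%~nx1"
goto :eof
```

The exit code is the number of items found, so the script can be run before and after an uninstaller and the two counts compared; a non-zero result after Platte's tool is the list of what still needs removing by hand.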


Go to my next post on Platte Media

Sunday, 6 July 2008

Why I won't be using Firefox 3

I have been a very satisfied user of Firefox over several years now. Recently I put Firefox 3 on a friend's computer and was very impressed. It was blindingly quick, and the new GUI was not so far different from the old one, which always makes life easier (unlike say the switch to IE7).

So I put 3 on my computer, which ground to a total halt. The cause was immediately apparent: it was increasing the percentage of CPU resources used for kernel mode running (60%+ against maybe 20% with Firefox 2 on my very elderly PC). I didn't manage to download a single page as a result, and it was soon off again. If I ever get a new computer, that's the time I'll give it another try.

Platte and that billing software

Background:

A few weeks ago I had a phone call from a friend who said that she had a virus on her computer, and would I go round and see if I could do anything. When I got there she said that she had been plagued with pop-up bills from a company she knew nothing about, and though they had now stopped, she was still getting a small pop-up in the right-hand corner giving her a number to phone to remove the software. She had even phoned the number, but since she was not able to give an account number, the gentleman she spoke to simply told her that he couldn’t help. The software concerned came from a company called Platte Media (I had never heard of it up to then) and I took her comment that it was some sort of virus at face value. Sure enough as soon as I booted up and logged in the pop-up appeared, as did a Platte icon on the screen.

It didn’t appear difficult to remove once I had identified the source executable; I ran Sysinternals Process Explorer, and managed to identify the two files at the root of the problem. Sure enough, removing those, and the other files that had installed at the same time rid her computer of the pop-ups. “How does this sort of stuff get on my computer in the first place?” she asked. I asked her if anyone had been looking at porn or maybe gambling online, as I know that those sites are the sort where you are most likely to acquire a trojan. She said yes, that she’d had a visitor some time ago who she knew had taken the opportunity to look at some stuff (pretty distasteful too). So I gave her a stern lecture on computer security.

Well, that seemed to be that, but a few days later I thought I’d look up Platte Media on the web. Initially I started with their own site, which led to the new GetFilmsNow service. And I looked at the MBS site, MBS being the original developers of the billing software (and a company who have subsequently been absorbed into Platte) – MBS made the astonishing claim that their software includes a ‘unique and non-removable identifier’. When I looked wider though, I found that the software was causing quite a bit of concern, to the point that the OFT had received such a volume of complaints that they got the company to change various aspects of their online billing system before they released a statement saying that they regarded the contract offered by Platte Media as a fair one, there was a balance to be struck and they didn’t want to stifle innovation... Elsewhere on the web, many people were complaining that the software had appeared on their computer unbeknown to them, and that they were sure it was a trojan.


The plan of action:

Since people were also saying that the sign-up process didn’t make the terms and conditions clear enough, I thought that it might be useful to sign up myself and then terminate my membership taking screenshots all through the process. I was also intrigued by that promise of a unique non-removable identifier since it’s so patently absurd - if something can be put on a computer it can be taken off again.


Signing up:

I set up a new user account on my computer in order to keep clear of all my other software and personal files. I wanted the normal punter experience, so I got in touch with Michael Pollitt, a technology journalist who was taking a particular interest in Platte and the MBS software, and asked him if he could point me to a porn site where I could sign up. I’m embarrassed to admit it, but when I visited the site he gave me, I couldn’t find any links whatever to the site concerned (getfilmsnow.com) so I had to go straight to their homepage. I’m obviously not used to navigating round that sort of site!

The process of signing up was not difficult, and I would have to say that the terms and conditions in the contract appeared very clear, I had no concerns whatever at that point. Signing up involved downloading a file and using that to install their software at the same time as signing up. The terms and conditions were repeated in full and I had to agree to them a second time. Windows gave me a warning that the software I was installing could put my computer at risk, and asked if I still wanted to install it; obviously I did.


What I got for my money:

I had a quick look at the installed files (9 of the 10 that had been on my friend's machine; the Platte icon was missing), and since they included an ActiveX control, I found it almost impossible to see how the software could come as a trojan. I ran a rootkit scan (since rootkits are the best way to make software invisible) and while that was running I had a quick checkout of the site. The pictures on the getfilmsnow home page suggested that there would be a broad range of popular films. Inside though it was a different story, with nothing to even tempt me (certainly none of the films whose stills were up on that homepage). I did have a brief look inside the 'Late Night' section, and once again there could be no complaint – it was made very clear that it contained adult material, and I had to state that I was 18 or over, and provide my date of birth. I didn't peruse too far inside, certainly not the sort of thing I'd want to watch. The rootkit scan came up clean, so I moved on to terminating my membership and getting the software off my computer again.


The dangers of installing such software:

There were two files that stood out as carrying considerable risk when installed on a computer. One is the pm_ax.ocx ActiveX control, and the other is the jRegistryKey.dll. Without decompiling them it isn't possible to determine the limit of their functionality, but both are native code that runs with whatever rights the account loading them has, so installed from an administrator account they potentially allow direct access to the entire content of your computer; it then becomes a question of how much you trust the site you've downloaded them from. This is not specific to Platte at all; it is an ever present danger with software, particularly software downloaded over the internet.


Cancelling my subscription:

The arrangements for concluding membership are made very clear in the Platte ‘contract’:
17.4 To cancel Your Subscription and uninstall the Software You must either:
(a) Call 0800 051 6664 quoting Your Account number and request an uninstall.
(b) Click on the 'cancel Subscription' hyperlink and follow the uninstall instructions as provided in the cancel confirmation email which will be sent to you.

I elected to go for option (b), so I clicked on the ‘Cancel Subscription’ link and a further piece of software downloaded, which I then ran. I requested the confirmation email (which they said was optional) and that arrived immediately. It contained no uninstall instructions, but I had presumed anyway that the software I had just run was itself the uninstall tool. So that seemed to be that; I was quite happy that it was made perfectly clear what customers signed up for. Here's the online cancellation confirmation (the email text is at the end of the post):


What came next:

The next morning I logged in to the same user account, because I wanted to transfer the screengrabs across to my normal user account. No problems at that point, but when I logged into my own account it was definitely not the same story. I got a pop-up in the bottom right-hand corner of my screen, telling me that I would need to phone 0800 051664 for a free uninstaller. That certainly was not what had been promised in the agreement, so I was not best pleased, particularly when I found that the same pop-up appeared in every user account on the computer bar the one that had installed the software in the first place. Here's the pop-up:

Now if someone was into watching porno stuff, and had taken discreet advantage of the free trial on a shared computer when the opportunity arose, he would have been pretty hacked off when the other users were alerted to the fact that he had done so, even when he’d already cancelled the membership. I didn’t have much time to spare at that point, so I did a temporary roll-back to an earlier ghost image, and decided that as soon as I had the time I’d give it all a closer look and get it sorted. Plus I’d get Platte’s uninstall instructions sent by email, if only because that was what they’d promised in our agreement.

When I finally got round to it, I rolled the computer forward again and was even more surprised. This time I got a pop-up bill, and this on a membership that had been terminated well before the end of the free trial. And surprise, surprise, this pop-up bill appeared on every user account on the PC – three in the space of 10 minutes; I don’t know where that leaves Platte Media’s privacy policy (I checked back and the policy had nothing whatever to say of any relevance), let alone their promised restriction on the number of pop-up bills that are displayed. I suppose they think that restriction doesn't apply once you've cancelled your membership. Here's a pop-up bill in one account:

And another one, different user, 40 minutes later:

And each of the accounts had the Platte icon appear, which would always return on login even if it had been deleted. If a user were to click it to find out what it was and why it had appeared on their desktop, they would find themselves invited to download further software; I declined that offer I'm afraid, but it wouldn't surprise me if Platte then claimed that money was owed, simply on the basis that their site had been visited again.

Now consider this scenario – the chap I referred to earlier wanting to give GetFilmsNow a discreet brief trial. He signs up, watches whatever porn movie is his particular cup of tea, and then cancels his membership online. He presumes that the software has been removed by the cancellation tool. But when the owner of the computer returns, they soon start getting plagued with the bills. Many people find those bills quite intimidating, and pay up to be rid of the problem – they’re not to know that the membership has already been cancelled and that nothing is owed anyway...


Looking closer at how it all works:

At this point I was getting irritated, so I decided to take a closer look at the software and what was going on inside my computer. Clearly some change had taken place at the point I terminated my membership, since the ‘for a free uninstaller…’ pop-ups had started not long after (around 12 hours after I’d signed up, let alone cancelled my membership). But none of the installed files had been modified at all. Initially I assumed that Platte must have used the jRegistryKey file to change the keys in my registry while I was signing off, since I could think of no other easy explanation. In fact it was almost certainly a change to NTUSER files (the per-user registry hives), both in the C:\Documents and settings\Local Service system folder and in the account the subscriber used. That must be how the software distinguished between the user who had cancelled and the others.

The bills were different though, and it was clear that they were embedded somewhere, as I never subsequently reconnected to the internet while the Platte software was running. The program itself runs from a pair of executable files, pm_proc1.exe and pm_proc2.exe. These would start running on login, and were interlinked in a way that appeared to be primarily a mechanism for preventing their deletion (kill or delete one and the other restores it). They were the only two Platte processes that showed up in Sysinternals Process Explorer, so I thought I’d run Process Monitor for a while and see if I could spot anything. Pm_proc1 was certainly very active, and one thing that did concern me was that it kept trying to access the Winlogon.exe file (this is the process that handles logon and is present in every user session on the computer).
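The two observations above (software that starts itself for every account on the machine, and a pair of processes that keep each other alive) can be checked without Process Monitor. The script below is an added example, not code from the original post or from Platte: it lists the machine-wide and per-user login autostart entries (the per-user ones live in each account's NTUSER.DAT, mounted under HKEY_USERS while the profile is loaded) together with Winlogon's Shell and Userinit values, then lists running processes with their parent process and flags anything not running from the Windows or Program Files directories. It assumes Windows PowerShell 3.0 or later in an elevated prompt; the key paths are the standard ones and nothing here is specific to Platte.

```powershell
# Added example, not code from the original post or from Platte: survey login
# autostart entries for every loaded user hive plus the machine, then list
# running processes with their parents. Assumes Windows PowerShell 3.0+ run
# from an elevated prompt so that every hive under HKEY_USERS is readable.

$runSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunEntries {
    param([string]$HivePath, [string]$Owner)
    foreach ($sub in $runSubKeys) {
        $key = "$HivePath\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $values.PSObject.Properties) {
            # Get-ItemProperty adds PS* bookkeeping properties; skip them.
            if ($prop.Name -like 'PS*') { continue }
            [pscustomobject]@{
                Owner   = $Owner
                Key     = $sub
                Name    = $prop.Name
                Command = $prop.Value
            }
        }
    }
}

# Machine-wide entries run for every account that logs in.
$entries = @(Get-RunEntries -HivePath 'HKLM:' -Owner 'ALL USERS')

# Per-user entries: one hive per loaded profile under HKEY_USERS.
# The *_Classes hives hold file associations only, so they are skipped.
$null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue
foreach ($hive in Get-ChildItem -Path 'HKU:\' | Where-Object { $_.PSChildName -notlike '*_Classes' }) {
    $entries += @(Get-RunEntries -HivePath "HKU:\$($hive.PSChildName)" -Owner $hive.PSChildName)
}

# Winlogon's Shell and Userinit values are another way to run code at every logon.
$winlogon = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$entries += [pscustomobject]@{ Owner = 'ALL USERS'; Key = 'Winlogon'; Name = 'Shell';    Command = $winlogon.Shell }
$entries += [pscustomobject]@{ Owner = 'ALL USERS'; Key = 'Winlogon'; Name = 'Userinit'; Command = $winlogon.Userinit }

$entries | Sort-Object Owner, Key, Name | Format-Table -AutoSize

# Running processes with their parent. A pair of executables in the same
# unusual directory, each restarted when the other dies, stands out here.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
$procs | ForEach-Object {
    $parent = $byPid[[int]$_.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '(exited)' }
    $path = $_.ExecutablePath
    $unusual = $path -and ($path -notlike "$env:windir\*") -and
               ($path -notlike "$env:ProgramFiles\*")
    [pscustomobject]@{
        Pid       = $_.ProcessId
        Name      = $_.Name
        ParentPid = $_.ParentProcessId
        Parent    = $parentName
        Unusual   = [bool]$unusual
        Path      = $path
    }
} | Sort-Object Unusual -Descending | Format-Table -AutoSize
```

Run it once from the account that installed the software and once from another account: an entry that appears under every SID in the Owner column, or under HKLM, is what makes a program show up for all users. The process listing is a snapshot; to catch the watchdog behaviour, end one of a suspicious pair in Task Manager and run the listing again to see whether it has been relaunched and by which parent.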


I was wrong:

I’m not often wrong (not that I'd admit to, at least), but on this occasion I quite definitely was. As far as the billing pop-ups went, I’d focussed on the registry files, taken a quick look through and, although nothing immediately stood out, I knew that a complete check on two (maybe three) registry files would require considerable concentration and time. I’d got the registry files saved as text, so at that point I decided to pause and decide what I should look for first. But I couldn’t get over my nagging feeling that there was more to it than the registry, and the next time the bill popped up (and with the help of a little bit of lateral thinking) I cracked the puzzle.

The 9 files originally installed on my PC had now grown to 10 (the Platte Icon file had appeared as well). The Platte icon file showed as having been created at the same time as the first pop-up bill, and that was obviously the source of that persistent pesky icon on the desktop. But where was the billing software hidden? There were no image files anywhere that would make up the substance of the bill, and they weren’t originating directly from the pm_proc1 executable.


The solution:

Although the Platte software may well only be used for legitimate billing and is not of itself a trojan (I firmly believe that someone knowingly downloads it), it certainly contains a trojan in that it silently installs further uninvited software, not at the time of the original installation but three days later – this is when the bills first start appearing. That software is to all intents and purposes a rootkit, in that it is all hidden within the system and is clearly designed not to be detected. Where does it install? Directly in the root of the C: drive. It creates a hidden system folder whose name is probably the ‘unique identifier’, a ten-digit number – mine was 1550355105. Inside that folder are a further folder and two files; one of those (on my PC it's BeXiAYjmmRMMIXpc.htm – the randomly generated sequence of letters is created at the time this installs) is marked as a system file and is itself hidden. (The hidden and system attributes keep a file out of Explorer's default view; it is still shown by `dir /a` or by any tool that lists hidden items.) This is the file that provides the pop-up bills, and if it is deleted they stop even when the software is still running. If you delete the entire folder it just re-installs, but the file itself can be removed without it returning.

Once I had found that, I looked further, and found that a hidden system file had been created in the Windows\System32 folder at the time of the original installation (1550355105.sys). This is the file that provides the original ‘unique identifier’ ahead of the trojan making itself known. And from that original apparent install of nine files, I found that my computer actually had 44!


Getting Platte’s uninstall tool:

I’d certainly not forgotten about the uninstall tool; now I was doubly curious to see how much of the software it left behind, and I had a suspicion that it would be quite a bit. So I fired off an email asking for the uninstall instructions, only to get a reply saying that I should phone their freephone number. I emailed back, pointing out that I had been promised email instructions in the contract, and that was how I wanted to uninstall their software. That generated a further reply, which said that they needed to uninstall the software via an operator.

Out of curiosity I went to the nearest phonebox and called the 0800 number, but only to see what happened. I gave an account number (not my own), and the gentleman I spoke to confirmed that no money was due on it. Then he asked my postcode. You can’t have that, I said. How are we going to send you your uninstaller? he asked. I reminded him of the terms of the contract. 'I could talk you through it now then'. No, I said, I want to be emailed my instructions. He persisted a bit, but then told me that the instructions would be emailed out to me and that if they didn’t arrive I should call back later in the day. Did they arrive? Of course they didn’t.

So now I emailed back, saying pretty bluntly that I regarded Platte as being in breach of our contract, and that if the matter wasn’t settled within the next 48 hours I would presume that they were waiving their rights to the software installed on my computer. That produced a quick reply, and I finally got the instructions, and the link for the download tool.


The uninstall:

Straightforward, insofar as I downloaded the tool and ran it, inserted the code they gave me and it quickly told me that it had finished removing the software. Had it heck! It had taken six files out of the System32 folder, but all the rest remained. The pm_proc1 and pm_proc2 executables had gone, as had the pm_ax.ocx ActiveX control, but most worryingly that jRegistryKey.dll file was still there, leaving the computer completely vulnerable to unauthorised access. But the average PC owner would just think that it had indeed gone, and not worry any further given that the pop-ups had finally stopped.

So I sent another email, saying that their uninstaller had not cleared their software; I mentioned the jRegistryKey file, but didn’t let on that I knew about the hidden system files. I reminded them of the 48 hour deadline I had given them the day before. Then I had a reply from someone within software development, promising a new build of the uninstaller that would deal with the problem and that it would be available the next day. I smiled to myself at that thought; he’d need to be working pretty hard to rewrite the uninstaller so that it removed all those files (and hidden system files are a lot harder to remove than they are to install). He promised to let me know as soon as it was available.

The next day the 48 hour deadline passed, and I was just in the process of writing a final email pointing that out and saying that they no longer had any rights to the software on my computer when their email appeared in my inbox. Sure enough, the uninstaller was now available, and he gave me the link. But when I ran it, no further files got removed at all. I downloaded it again and ran it one more time, but no change. I was surprised that he hadn’t at least set it to remove the visible files, but rather less surprised when I compared it with the uninstaller from the day before, as they appeared identical. (Ed. There is a new uninstaller, follow link to later post further down.) It is plain that Platte don’t possess an uninstaller for this software, only one that takes off a very few files (6 removed, 38 left behind). That's 86% still present. So another email, saying little more than 'that’s it.'
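The only reliable way to know what a vendor's uninstaller actually removed is to inventory the disk before and after, and the inventory has to include hidden and system-attributed files, which is where the post found the extra folder in the root of C: and the .sys file in System32. The script below is an added example, not code from the original post or from Platte. Saved as Find-Leftovers.ps1 (a name chosen here), it records an inventory of the system drive root, System32 and the profile directories to an XML snapshot; run again with -Compare after the uninstaller, it reports files removed, files added, and any hidden+system files created recently that are still present. It assumes Windows PowerShell 5.0 or later (for -Depth) in an elevated prompt; the snapshot path, depth and date window are defaults chosen here.

```powershell
# Added example, not code from the original post or from Platte: inventory the
# places the post found files, including hidden and system items, then diff a
# "before" snapshot against the state after an uninstaller has run.
# Assumes Windows PowerShell 5.0+ (for -Depth), run elevated.
# Usage:  .\Find-Leftovers.ps1            (before the uninstaller)
#         .\Find-Leftovers.ps1 -Compare   (after it)
param(
    [string]$Snapshot = "$env:TEMP\inventory-before.xml",   # path chosen here
    [switch]$Compare,
    [int]$Depth = 1,                                       # keep the scan bounded
    [datetime]$Since = (Get-Date).AddDays(-30)             # "recent" window
)

$roots = @("$env:SystemDrive\", "$env:windir\System32", "$env:SystemDrive\Users")

function Get-Inventory {
    foreach ($root in $roots) {
        # -Force includes hidden and system items that Explorer hides by default.
        Get-ChildItem -LiteralPath $root -File -Force -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path       = $_.FullName
                    Attributes = $_.Attributes.ToString()
                    Created    = $_.CreationTimeUtc
                    Length     = $_.Length
                }
            }
    }
}

function Get-HiddenSystemFiles {
    param([object[]]$Inventory)
    # Hidden and System set together is the combination used to keep a file out of sight;
    # restricting to recently created files leaves out pagefile.sys and the like.
    $Inventory | Where-Object {
        $_.Attributes -match 'Hidden' -and $_.Attributes -match 'System' -and $_.Created -ge $Since
    }
}

if (-not $Compare) {
    $inv = @(Get-Inventory)
    $inv | Export-Clixml -LiteralPath $Snapshot
    "Saved $($inv.Count) entries to $Snapshot"
    "Recently created hidden+system files:"
    Get-HiddenSystemFiles -Inventory $inv | Format-Table Created, Attributes, Path -AutoSize
}
else {
    $before = @(Import-Clixml -LiteralPath $Snapshot)
    $after  = @(Get-Inventory)
    $diff   = Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Path -PassThru

    "Removed since snapshot:"
    $diff | Where-Object SideIndicator -eq '<=' | Format-Table Path -AutoSize
    "Added since snapshot:"
    $diff | Where-Object SideIndicator -eq '=>' | Format-Table Attributes, Path -AutoSize

    # Anything hidden+system that appeared within the window and survived the
    # uninstaller is a candidate leftover worth examining before deleting.
    "Still present, hidden+system, created since ${Since}:"
    Get-HiddenSystemFiles -Inventory $after | Format-Table Created, Attributes, Path -AutoSize
}
```

Take the first snapshot before installing anything, not just before uninstalling, so that the "Added" list shows the full footprint of the install. The script only reports; deleting system-attributed files needs `attrib -s -h` first and should be done with a backup or image to roll back to, which is the reason the post recommends leaving removal to someone who does it regularly.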


Conclusions:

My verdict on the Platte software is that it is dangerous; even after it has been ‘uninstalled’ it leaves your computer absolutely vulnerable to attack. If you’ve had the Platte software on your computer and used their uninstall, you should have your PC checked to see what you’ve had left behind. It’s best to get a professional to do this, since removal involves exposing the system files and that carries a certain degree of risk for the novice. The fact that your 5 year old child knows how to install software better than you do absolutely does not qualify him for the task; in fact quite the opposite. If you are uncertain about how the software got on your computer in the first place you should ask for the browser logs to be recovered at the same time; then you will at least be able to find the route taken to the site, and the user account that it was taken from. You may well wish to bill Platte for the removal costs while you’re about it; it’ll do them no harm to be on the receiving end for once.

The contract they offer is clearly unfair and they simply do not meet its terms. I had far more pop-ups than they promised, the bills took no account whatever of the cancellation of my membership, and they do not possess an uninstall tool. They fail to point out that your privacy will not be respected on a multi-user computer, nor that the software that they leave behind on your machine leaves you vulnerable to attack. They don’t provide the email route to uninstalling the software that they promise (not unless you persist anyway), and they try to get you to provide your address even where they have said that they won’t need it.

The other problem with their contract is self-evident. They have no means whatever of knowing whether the person signing up is the owner of the computer or not, nor their age. It might surprise them to learn that people sometimes lie, particularly where something as compulsive as access to porn is concerned.

I’ve been in touch with the OFT already about this; I hope that they will soon come to the conclusion that it is very much in the public’s best interest that they decide to ‘stifle innovation in the online marketplace’ in this particular instance. And I let Mark Russinovich know since the installation of hidden system files could fall outside the terms of Microsoft’s third-party software developer license. Maybe the lawyers from Microsoft will be knocking on Platte International Ltd’s door before too long.

I’m going to return to this subject in further posts. I’ll take a detailed look at all the installed files, (I've posted a complete list) and attempt to identify all the registry keys that get written or modified (I’m about half way through that one). This will assist those who wish to confirm that their computer is entirely free of ‘Platte’ following uninstall. I won’t though be decompiling the software since that would breach Platte's intellectual property rights, nor providing detailed instructions for its removal - this is not from any fear of a solicitor's letter, just the feeling that the job's better left to a professional. I also want to address the issue of computer security, particularly for parents who find that their children have downloaded this software unbeknown to them.

I should say again that I do not believe that this program is accidentally acquired; someone has to have used the computer concerned to make the download. This can easily be confirmed by accessing the browser history log. If a computer owner has agreed to Platte's terms and conditions, they should abide by them, at least until Platte fail to honour their side of the agreement.

I hope someone from Platte Media reads this post and comments. If they address the serious concerns I've expressed here I will copy it into a separate post, so that it is more prominent.

(Ed. Since putting up this post, it has become clear that there is a further uninstaller available; it removes one more file. I've covered it in a new post)

(Ed. 15th July. There is now a third uninstaller available, considerably more effective, see this post for details)


A man of letters:

That should probably, I fear, be a woman of letters, as I elected relative anonymity when I dealt with Platte (but anonymous now no longer), using the name Carol. So by way of an appendix, here are Carol’s email exchanges with Karen Lacaba (customer services), Samantha White (also customer services), Vicky McKenzie (role within Platte empire unknown), Gareth Bridger (software development), and the anonymous server that sent me the initial cancellation of membership confirmation.


Anonymous Server:
Thank you for your cancellation request for Get Films Now
Our records show that your account was registered at 18:32 on 15/06/2008 and we confirm that you have cancelled within your three day free trial period.
Further to your cancellation you will not be able to access the site following 01/01/1970 at 06:32.
Should you have any queries regarding this email or your subscription please call our customer services team on 0845 017 8386
Please retain this email for your records.

Carol:
Since ending my trial membership with you, my computer has been plagued with pop-ups telling me that I need to contact you in order to remove the software. Why is this? I thought it had already gone. Not only that, but every user on the computer gets these, and the Platte Media icon keeps appearing too. No-one can get rid of these.
I need you to tell me how to remove the software. Please can you tell me. My reference number when I ended my membership was 043-36-301-9
I'd also like an explanation as to why I've experienced these problems, as it's quite different from what was promised in your terms and conditions. And it's quite embarrassing, since all the other computer users know I signed up with you now. So what about my privacy?
Awaiting your explanation

Karen:
Thank you for your recent enquiry.
If you would like to uninstall the software from your computer, please call our uninstall line free on 0800 051 6664. Our office is open Monday to Friday 08:00 until 20:00 and Saturday to Sunday 11:00 until 17:00.

Carol:
This is no good. The agreement on the getfilmsnow website clearly says that if you terminate your membership online you should follow the instructions to remove your software in the email you are sent. Neither the original email you sent me (at the time I closed my account) nor the one you sent me yesterday contain those instructions.
I do not want to deal with this by phone. I wish to do so with written instructions. You have my reference number. Please send them to me by return, with an indication of when I may expect a more detailed response to my complaints.

Samantha:
We need to uninstall the software via an operator. If you would prefer for us to give you a call to uninstall, please provide us with your contact number.

Carol:
This is not acceptable; since it is totally at odds with paragraph 17.4 of the terms and conditions that constituted our legal agreement. As you will be aware, that states:
To cancel Your Subscription and uninstall the Software You must either:
(a) Call 0800 051 6664 quoting Your Account number and request an uninstall.
(b) Click on the 'cancel Subscription' hyperlink and follow the uninstall instructions as provided in the cancel confirmation email which will be sent to you.
I chose option (b), using the hyperlink. From that hyperlink, I downloaded and ran software supplied by you which I presumed had already done the uninstall, since I requested and received a cancel confirmation email that did not contain any further uninstall instructions.
At this point you have not met your obligations under that agreement. I wish to be sent written instructions for the uninstall, as I am not prepared to do it via an operator. If I do not receive them within the next 48 hours, I shall presume that you are defaulting on the agreement, and that you are waiving any rights you possess as a consequence of that agreement.
You still have not even extended me the basic courtesy of an explanation for your failure to fulfil your responsibilities under that agreement, or indicated when you feel you might be able to offer one.

Vicky:
We apologise for the delay in your uninstall code and inconvenience caused.
Thank you for your recent request to uninstall your Platte software. An uninstall code has been created for you. Please follow the instructions below:
Go to www.plattehelp.com
Platte Utility download
Run the file
Enter the four digit code
Follow onscreen instructions
Click the link Click here if you have received an update letter
Enter the following codes into the boxes provided
KEY: LS126LT-01
CODE: 3D052820-F44958FE-64E597FE-788AEAFE
Please note that this uninstall code is specific to your PC and can not be used on any other computer.

Carol:
Thank you for this. Unfortunately there is a serious problem; the downloadable uninstaller does not remove the program. It removes some but not all of the files – one of those remaining is a dangerous one that enables rewriting of the registry using JavaScript. Nor does it restore the registry.
There are other aspects of your software that give serious cause for concern, but I won't address those now.
Please provide me with an uninstaller that fully removes the software. Until you do so, you remain in breach of our agreement. As I said yesterday, unless you are able to provide me with a fully functioning uninstaller by 12.35 tomorrow I will take it that you have waived all rights that you might possess as a result of our agreement.
An indication of when you intend to respond to my complaints would also be appreciated.

Gareth:
Thank you for taking the time to bring this problem to our attention. The uninstaller appears to have encountered an error while removing the software from your system. We apologise for any inconvenience this may have caused. This issue will be addressed in the new build of the uninstaller due to be released tomorrow.
Please rest assured that your system is not at risk from the incomplete removal of the software. The registry bridge is only usable by trusted Java applications and not Javascript which is something completely different. It will have only been used by our software to read the license allowing your computer access to the subscribed websites on alternative web browsers. Java would also have required your explicit permission in order to do this for the first time. This is a security feature enforced by the Java virtual machine and not our software.
We will provide you with the updated uninstaller as soon as it becomes available tomorrow. In the meantime please do not hesitate to contact us with any further concerns regarding our software.

Gareth:
We are pleased to inform you that the updated uninstaller is now available from: http://download.plattemedia.com/updates/setup.exe
This can be used with the previously supplied uninstall keys and will remove the Java registry bridge. For clean removal please ensure that the uninstaller is run from an account with Administrative privileges and that it is not being blocked by security software on your system.
Please note the license stored in your registry will prevent the software from being reinstalled. This does affect the running of your machine but can be removed at your own discretion. Please do not hesitate to contact us if we can be of further assistance.

Carol:
I am sorry to have to tell you, since I suspect that you've been quite busy, that your new uninstaller is no more effective than the first.
I have downloaded the new uninstaller twice, and run it three times (and rebooted following each uninstall), but to no more effect. The previous files still remain, although I have not yet checked whether there are any further alterations to the registry.
In these circumstances, I consider that Platte Media have failed to keep to their side of our contract, and that in doing so they have now waived their rights to the software installed on my computer. I will therefore make my own arrangements regarding its removal.
I would still be interested to learn why your software generates pop-up bills across all user accounts on the computer even after membership has been terminated online using your downloadable tool. Aside from the annoyance (and considerably more than two pop-up bills a day), there is a very serious question of privacy that needs to be addressed.

Gareth:
We are sorry to hear you are still experiencing unusual problems uninstalling the software. The uninstallers have undergone extensive testing and were found to be working in all situations. Indeed this is the first report we have received of problems on an XP based system.
Unfortunately without detailed knowledge of your system it is difficult for us to establish exactly what is happening. We can only conclude that 3rd party software (such as a security package) is preventing the uninstaller from working properly on your system.
We are unable to comment on the inner workings of our software except to confirm that popups are limited to 20 in total with a maximum of 1 pop-up per day. We do however take all complaints seriously and welcome any details you are able to provide us with that would allow us to investigate further.

Carol:
If you've not had previous complaints, it can only be because people don't realise (or don't know where to look). It doesn't surprise me that your uninstaller doesn't work; some of the components of your software are an awful lot easier to put on a PC than they are to get off again. Certainly you'd have been very hard-pressed indeed to re-write your uninstall software in 24 hours to enable a full uninstall, even if you'd stayed up all night.
I'm sure the files I found on my computer will be on the others that have used your uninstaller; no doubt people will start looking pretty soon, and I wouldn't imagine that they'll be too happy.
Two of the files that your software installs appear to be in breach of Microsoft's licence for software developers. I can't be sure though, so I have merely drawn the matter to their attention. No doubt if they have any concerns they will contact you directly in due course.


Go to my next post on Platte Media