Platte and that billing software

Background:

A few weeks ago I had a phone call from a friend who said that she had a virus on her computer, and would I go round and see if I could do anything. When I got there she said that she had been plagued with pop-up bills from a company she knew nothing about, and though they had now stopped, she was still getting a small pop-up in the right-hand corner giving her a number to phone to remove the software. She had even phoned the number, but since she was not able to give an account number, the gentleman she spoke to simply told her that he couldn’t help. The software concerned came from a company called Platte Media (I had never heard of it up to then) and I took her comment that it was some sort of virus at face value. Sure enough as soon as I booted up and logged in the pop-up appeared, as did a Platte icon on the screen.

It didn’t appear difficult to remove once I had identified the source executable; I ran Sysinternals Process Explorer, and managed to identify the two files at the root of the problem. Sure enough, removing those, and the other files that had installed at the same time rid her computer of the pop-ups. “How does this sort of stuff get on my computer in the first place?” she asked. I asked her if anyone had been looking at porn or maybe gambling online, as I know that those sites are the sort where you are most likely to acquire a trojan. She said yes, that she’d had a visitor some time ago who she knew had taken the opportunity to look at some stuff (pretty distasteful too). So I gave her a stern lecture on computer security.

Well, that seemed to be that, but a few days later I thought I’d look up Platte Media on the web. Initially I started with their own site, which led to the new GetFilmsNow service. And I looked at the MBS site, MBS being the original developers of the billing software (and a company who have subsequently been absorbed into Platte) – MBS made the astonishing claim that their software includes a ‘unique and non-removable identifier’. When I looked wider though, I found that the software was causing quite a bit of concern, to the point that the OFT had received such a volume of complaints that they got the company to change various aspects of their online billing system before they released a statement saying that they regarded the contract offered by Platte Media as a fair one, there was a balance to be struck and they didn’t want to stifle innovation... Elsewhere on the web, many people were complaining that the software had appeared on their computer unbeknown to them, and that they were sure it was a trojan.


The plan of action:

Since people were also saying that the sign-up process didn’t make the terms and conditions clear enough, I thought that it might be useful to sign up myself and then terminate my membership taking screenshots all through the process. I was also intrigued by that promise of a unique non-removable identifier since it’s so patently absurd - if something can be put on a computer it can be taken off again.


Signing up:

I set up a new user account on my computer in order to keep clear of all my other software and personal files. I wanted the normal punter experience, so I got in touch with Michael Pollitt, a technology journalist who was taking a particular interest in Platte and the MBS software, and asked him if he could point me to a porn site where I could sign up. I’m embarrassed to admit it, but when I visited the site he gave me, I couldn’t find any links whatever to the site concerned (getfilmsnow.com) so I had to go straight to their homepage. I’m obviously not used to navigating round that sort of site!

The process of signing up was not difficult, and I would have to say that the terms and conditions in the contract appeared very clear, I had no concerns whatever at that point. Signing up involved downloading a file and using that to install their software at the same time as signing up. The terms and conditions were repeated in full and I had to agree to them a second time. Windows gave me a warning that the software I was installing could put my computer at risk, and asked if I still wanted to install it; obviously I did.


What I got for my money:

I had a quick look at the installed files (9 of the ten that that had been on my friend’s machine, the Platte Icon was missing), and since they included an Active-X control, I found it almost impossible to see how the software could come as a trojan. I ran a rootkit scan (since rootkits are the best way to make software invisible) and while that was running I had a quick checkout of the site. The pictures on the getfilmsnow home page suggested that there would be a broad range of popular films. Inside though it was a different story, with nothing to even tempt me (certainly none of the films whose stills were up on that homepage). I did have a brief look inside the ‘Late Night’ section, and once again there could be no complaint – it was made very clear that it contained adult material, and I had to state that I was 18 or over, and provide my date of birth. I didn’t peruse too far inside, certainly not the sort of thing I’d want to watch. The rootkit scan came up clean, so I moved on to terminating my membership and getting the software off my computer again.


The dangers of installing such software:

There were two files that stood out as carrying considerable risk when installed on a computer. One is the pm_ax.ocx Active-X control, and the other is the jRegistryKey.dll. Without decompiling them it isn’t possible to determine the limit of their functionality, but potentially they allow direct access to the entire content of your computer; it then becomes a question of how much you trust the site you’ve downloaded them from. This is not specific to Platte at all; it is an ever present danger with software, particularly software downloaded over the internet.


Cancelling my subscription:

The arrangements for concluding membership are made very clear in the Platte ‘contract’:
17.4 To cancel Your Subscription and uninstall the Software You must either:
(a) Call 0800 051 6664 quoting Your Account number and request an uninstall.
(b) Click on the 'cancel Subscription' hyperlink and follow the uninstall instructions as provided in the cancel confirmation email which will be sent to you.

I elected to go for option (b) so I clicked on the ‘Cancel Subscription’ link and a further piece of software downloaded which I then ran. I requested the confirmation email (which they said was optional) and that arrived immediately. It contained no uninstall instructions, but I had presumed anyway that the software I had just run was itself the uninstall tool. So that seemed to be that, I was quite happy that it was made perfectly clear what customers signed up for. Here's the online cancellation confirmation (the email text is at the end of the post):

What came next:

The next morning I logged in to the same user account, because I wanted to transfer the screengrabs across to my normal user account. No problems at that point, but when I logged into my own account it was definitely not the same story. I got a pop-up in the bottom right-hand corner of my screen, telling me that I would need to phone 0800 051664 for a free uninstaller. That certainly was not what had been promised in the agreement, so I was not best pleased, particularly when I found that the same pop-up appeared in every user account on the computer bar the one that had installed the software in the first place. Here's the pop-up:

Now if someone was into watching porno stuff, and had taken discrete advantage of the free trial on a shared computer when the opportunity arose, he would have been pretty hacked off when the other users were alerted to the fact that he had done so even when he’d already cancelled the membership. I didn’t have much time to spare at that point, so I did a temporary roll-back to an earlier ghost image, and decided that as soon as I had the time I’d give it all a closer look and get it sorted. Plus I’d get Platte’s uninstall instructions sent by email if only because that was what they’d promised in our agreement.

When I finally got round to it, I rolled the computer forward again and was even more surprised. This time I got a pop-up bill, and this on a membership that had been terminated well before the end of the free trial. And surprise surprise, this pop-up bill appeared on every user account on the PC – three in the space of 10 minutes; I don’t know where that leaves Platte Media’s privacy policy (I checked back and the policy had nothing whatever to say of any relevance), let alone their promised restriction on the number of pop-up bills that are displayed. I suppose they think that restriction doesn't apply once you've cancelled your membership. Here's a pop-up bill in one account:

And another one, different user, 40 minutes later:

And each of the accounts had the Platte icon appear, which would always return on login even if it had been deleted. If a user were to click it to find out what it was and why it had appeared on their desktop, they find themselves invited to download further software; I declined that offer I'm afraid, but it wouldn't surprise me if Platte then claimed that money was owed, simply on the basis that their site had been visited again.

Now consider this scenario – the chap I referred to earlier wanting to give GetFilmsNow a discreet brief trial. He signs up, watches whatever porn movie is his particular cup of tea, and then cancels his membership online. He presumes that the software has been removed by the cancellation tool. But when the owner of the computer returns, they soon start getting plagued with the bills. Many people find those bills quite intimidating, and pay up to be rid of the problem – they’re not to know that the membership has already been cancelled and that nothing is owed anyway...


Looking closer at how it all works:

At this point I’m getting irritated, so I decide to take a closer look at the software and what was going on inside my computer. Clearly some change had taken place at the point I terminated my membership since the ‘for a free installer…’ pop-ups had started not long after (around 12 hours after I’d signed up, let alone cancelled my membership). But none of the installed files had been modified at all. Initially I assumed that Platte must have used the jRegistryKey file to change the keys in my registry while I was signing off, since I could think of no other easy explanation. In fact it was almost certainly a change to NTUSER files, both in the C:\Documents and settings\Local Service system folder, and in the account the subscriber used. That must be how the software distinguished between the user who had cancelled and the others.

The bills were different though, and it was clear that they were embedded somewhere, as I never subsequently reconnected to the internet while the Platte software was running. The program itself runs from a pair of executable files, pm_proc1.exe and pm_proc2.exe. These would start running on login, and were interlinked in a way that appeared to be primarily a mechanism for preventing their deletion. They were the only two processes that showed up on Sysinternals Process Explorer so I thought I’d run Process Monitor for a while and see if I could spot anything. Pm_proc1 was certainly very active, and one thing that did concern me was that it kept trying to access the Winlogon.exe file (this is the one that provides access across all the user accounts on the computer).


I was wrong:

I’m not often wrong (not that I'd admit to, at least), but on this occasion I quite definitely was. As far as the billing pop-ups went, I’d focussed on the registry files, taken a quick look through and although nothing immediately stood out, I knew that a complete check on two (maybe three) registry files would require considerable concentration and time. I’d got the registry files saved as text, so at that point I decided to pause and decide what I should look for first. But I couldn’t get over my nagging feeling that there was more to it than the registry, and the next time the bill popped up (and with the help of a little bit of lateral thinking) I cracked the puzzle.

The 9 files originally installed on my PC had now grown to 10 (the Platte Icon file had appeared as well). The Platte icon file showed as having been created at the same time as the first pop-up bill, and that was obviously the source of that persistent pesky icon on the desktop. But where was the billing software hidden? There were no image files anywhere that would make up the substance of the bill, and they weren’t originating directly from the pm_proc1 executable.


The solution:

Although the Platte software may well only be used for legitimate billing and is not of itself a trojan (I firmly believe that someone knowingly downloads it), it certainly contains a trojan in that it silently installs further uninvited software, not at the time of the original installation but three days later - this is when the bills first start appearing. That software is to all intents and purposes a rootkit , in that it is all hidden within the system and is clearly designed not to be detected. Where does it install? Directly in the C Drive. It creates a hidden system folder whose name is probably the ‘unique identifier’, a ten digit number – mine was 1550355105. Inside that folder are a further folder and two files; one of those (on my PC it's BeXiAYjmmRMMIXpc.htm - at the time this installs it creates that randomly generated sequence of letters) is a system file and is itself hidden. This is the file that provides the pop-up bills, and if it is deleted they stop even when the software is still running. If you delete the entire folder it just re-installs, but the file itself can be removed without it returning.

Once I had found that, I looked further, and found that a hidden system file had been created in the Windows\System32 folder at the time of the original installation (1550355105.sys). This is the file that provides the original ‘unique identifier’ ahead of the trojan making itself known. And from that original apparent install of 9 files, I found that my computer actually had 44!


Getting Platte’s uninstall tool:

I’d certainly not forgotten about the uninstall tool, now I was doubly curious to see how much of the software it left behind; I had a suspicion that it would be quite a bit. So I fired off an email asking for the uninstall instructions, only to get a reply saying that I should phone their freephone number. I emailed back, pointing out that I had been promised email instructions in the contract, and that was how I wanted to uninstall their software. That generated a further reply, which said that they needed to uninstall the software via an operator.

Out of curiosity I went to the nearest phonebox and called the 0800 number, but only to see what happened. I gave an account number (not my own), and the gentleman I spoke to confirmed that no money was due on it. Then he asked my postcode. You can’t have that, I said. How are we going to send you your uninstaller? he asked. I reminded him of the terms of the contract. 'I could talk you through it now then'. No, I said, I want to be emailed my instructions. He persisted a bit, but then told me that the instructions would be emailed out to me and that if they didn’t arrive I should call back later in the day. Did they arrive? Of course they didn’t.

So now I emailed back, saying pretty bluntly that I regarded Platte as being in breach of our contract, and that if the matter wasn’t settled within the next 48 hours I would presume that they were waiving their rights to the software installed on my computer. That produced a quick reply, and I finally got the instructions, and the link for the download tool.


The uninstall:

Straightforward, insofar as I downloaded the tool and ran it, inserted the code they gave me and it quickly told me that it had finished removing the software. Had it heck! It had taken 6 files out of the System32 folder, but all the rest remained. The pm_proc1 and pm_proc2 executables had gone as had the pm_ax.ocx Active-X control, but most worryingly that jRegistryKey.dll file was still on, leaving the computer completely vulnerable to unauthorised access. But the average PC owner would just think that it had indeed gone, and not worry any further given that the pop-ups had finally stopped.

So I sent another email, saying that their uninstaller had not cleared their software; I mentioned the jRegistryKey file, but didn’t let on that I knew about the hidden system files. I reminded them of the 48 hour deadline I had given them the day before. Then I had a reply from someone within software development, promising a new build of the installer that would deal with the problem and that it would be available the next day. I smiled to myself at that thought; he’d need to be working pretty hard to rewrite the installer so that it removed all those files (and hidden system files are a lot harder to remove than they are to install). He promised to let me know as soon as it was available.

The next day the 48 hour deadline passed, and I was just in the process of writing a final email pointing that out and saying that they no longer had any rights to the software on my computer when their email appeared in my inbox. Sure enough, the uninstaller was now available, and he gave me the link. But when I ran it, no further files got removed at all. I downloaded it again and ran it one more time but no change. I was surprised that he hadn’t at least set it to remove the visible files, but rather less surprised when I compared it with the uninstaller from the day before as they appeared identical. (Ed. There is a new uninstaller, follow link to later post further down) It is plain that Platte don’t possess an uninstaller for this software, only one that takes off a very few files (6 removed, 38 left behind). That's 86% still present. So another email, saying little more than 'that’s it.'


Conclusions:

My verdict on the Platte software is that it is dangerous; even after it has been ‘uninstalled’ it leaves your computer absolutely vulnerable to attack. If you’ve had the Platte software on your computer and used their uninstall, you should have your PC checked to see what you’ve had left behind. It’s best to get a professional do this, since removal involves exposing the system files and that carries a certain degree of risk for the novice. The fact that your 5 year old child knows how to install software better than you do absolutely does not qualify him for the task, in fact quite the opposite. If you are uncertain about how the software got on your computer in the first place you should ask for the browser logs to be recovered at the same time, then you will at least be able to find the route taken to the site, and the user account that it was taken from. You may well wish to bill Platte for the removal costs while you’re about it, it’ll do them no harm to be on the receiving end for once.

The contract they offer is clearly unfair and they simply do not meet its terms. I had far more pop-ups than they promised, the bills took no account whatever of the cancellation of my membership, and they do not possess an uninstall tool. They fail to point out that your privacy will not be respected on a multi-user computer, nor that the software that they leave behind on your machine leaves you vulnerable to attack. They don’t provide the email route to uninstalling the software that they promise (not unless you persist anyway), and they try to get you to provide your address even where they have said that they won’t need it.

The other problem with their contract is self-evident. They have no means whatever of knowing whether the person signing up is the owner of the computer or not, nor their age. It might surprise them to learn that people sometimes lie, particularly where something as compulsive as access to porn is concerned.

I’ve been in touch with the OFT already about this; I hope that they will soon come to the conclusion that it is very much in the public’s best interest that they decide to ‘stifle innovation in the online marketplace’ in this particular instance. And I let Mark Russinovich know since the installation of hidden system files could fall outside the terms of Microsoft’s third-party software developer license. Maybe the lawyers from Microsoft will be knocking on Platte International Ltd’s door before too long.

I’m going to return to this subject in further posts. I’ll take a detailed look at all the installed files, (I've posted a complete list) and attempt to identify all the registry keys that get written or modified (I’m about half way through that one). This will assist those who wish to confirm that their computer is entirely free of ‘Platte’ following uninstall. I won’t though be decompiling the software since that would breach Platte's intellectual property rights, nor providing detailed instructions for its removal - this is not from any fear of a solicitor's letter, just the feeling that the job's better left to a professional. I also want to address the issue of computer security, particularly for parents who find that their children have downloaded this software unbeknown to them.

I should say again that I do not believe that this program is accidentally acquired; someone has to have used the computer concerned to make the download. This can easily be confirmed by accessing the browser history log. If a computer owner has agreed to Platte's terms and conditions, they should abide by them, at least until Platte fail to honour their side of the agreement.

I hope someone from Platte Media reads this post and comments. If they address the serious concerns I've expressed here I will copy it into a separate post, so that it is more prominent.

(Ed. Since putting up this post, it has become clear that there is a further uninstaller available; it removes one more file. I've covered it in a new post)

(Ed. 15th July. There is now a third uninstaller available, considerably more effective, see this post for details)


A man of letters:

That should probably I fear be a woman of letters, as I elected relative anonymity when I dealt with Platte (but anonymous now no longer), using the name Carol. So by way of an appendix, here are Carol’s email exchanges with Karen Lacaba (customer services), Samantha White (also customer services), Vicky McKenzie (role within Platte empire unknown), Gareth Bridger (software development), and the anonymous server that sent me the initial cancellation of membership confirmation.


Anonymous Server:
Thank you for your cancellation request for Get Films Now
Our records show that your account was registered at 18:32 on 15/06/2008 and we confirm that you have cancelled within your three day free trial period.
Further to your cancellation you will not be able to access the site following 01/01/1970 at 06:32.
Should you have any queries regarding this email or your subscription please call our customer services team on 0845 017 8386
Please retain this email for your records.

Carol:
Since ending my trial membership with you, my computer has been plagued with pop-ups telling me that I need to contact you in order to remove the software. Why is this? I thought it had already gone. Not only that, but every user on the computer gets these, and the Platte Media icon keeps appearing too. No-one can get rid of these.
I need you to tell me how to remove the software. Please can you tell me. My reference number when I ended my membership was 043-36-301-9
I'd also like an explanation as to why I've experienced these problems, as it's quite different from what was promised in your terms and conditions. And it's quite embarrassing, since all the other computer users know I signed up with you now. So what about my privacy?
Awaiting your explanation

Karen:
Thank you for you recent enquiry.
If you would like to uninstall the software from your computer, please call our uninstall line free on 0800 051 6664. Our office is open Monday to Friday 08:00 until 20:00 and Saturday to Sunday 11:00 until 17:00.

Carol:
This is no good. The agreement on the getfilmsnow website clearly says that if you terminate your membership online you should follow the instructions to remove your software in the email you are sent. Neither the original email you sent me (at the time I closed my account) nor the one you sent me yesterday contain those instructions.
I do not want to deal with this by phone. I wish to do so with written instructions. You have my reference number. Please send them to me by return, with an indication of when I may expect a more detailed response to my complaints.

Samantha:
We need to uninstall the software via an operator. If you would prefer for us to give you call to uninstall, please provide us with your contact number.

Carol:
This is not acceptable; since it is totally at odds with paragraph 17.4 of the terms and conditions that constituted our legal agreement. As you will be aware, that states:
To cancel Your Subscription and uninstall the Software You must either:
(a) Call 0800 051 6664 quoting Your Account number and request an uninstall.
(b) Click on the 'cancel Subscription' hyperlink and follow the uninstall instructions as provided in the cancel confirmation email which will be sent to you.
I chose option (b), using the hyperlink. From that hyperlink, I downloaded and ran software supplied by you which I presumed had already done the uninstall, since I requested and received a cancel confirmation email that did not contain any further uninstall instructions.
At this point you have not met your obligations under that agreement. I wish to be sent written instructions for the uninstall, as I am not prepared to do it via an operator. If I do not receive them within the next 48 hours, I shall presume that you are defaulting on the agreement, and that you are waiving any rights you possess as a consequence of that agreement.
You still have not even extended me the basic courtesy of an explanation for your failure to fulfil your responsibilities under that agreement, or indicated when you feel you might be able to offer one.

Vicky:
We apologise for the delay in your uninstall code and inconvenience caused.
Thank you for your recent request to uninstall your Platte software. An uninstall code has been created for you. Please follow the instructions below:
Go to www.plattehelp.com
Platte Utility download
Run the file
Enter the four digit code
Follow onscreen instructions
Click the link Click here if you have received an update letter
Enter the following codes into the boxes provided
KEY: LS126LT-01
CODE: 3D052820-F44958FE-64E597FE-788AEAFE
Please note that this uninstall code is specific to your PC and can not be used on any other computer.

Carol:
Thank you for this. Unfortunately there is a serious problem; the downloadable uninstaller does not remove the program. It removes some but not all of the files - one of those remaining is a dangerous one that enables rewriting of the registry using javascript. Nor does it restore the registry.
There are other aspects of your software that give serious cause for concern, but I won't address those now.
Please provide me with an uninstaller that fully removes the software. Until you do so, you remain in breach of our agreement. As I said yesterday, unless you are able to provide me with a fully functioning uninstaller by 12.35 tomorrow I will take it that you have waived all rights that you might possess as a result of our agreement.
An indication of when you intend to respond to my complaints would also be appreciated.

Gareth:
Thank you for taking the time to bring this problem to our attention. The uninstaller appears to have encountered an error while removing the software from your system. We apologise for any inconvenience this may have caused. This issue will be addressed in the new build of the uninstaller due to be released tomorrow.
Please rest assured that your system is not at risk from the incomplete removal of the software. The registry bridge is only usable by trusted Java applications and not Javascript which is something completely different. It will have only been used by our software to read the license allowing your computer access to the subscribed websites on alternative web browsers. Java would also have required your explicit permission in order to do this for the first time. This is a security feature enforced by the Java virtual machine and not our software.
We will provide you with the updated uninstaller as soon as it becomes available tomorrow. In the meantime please do not hesitate to contact us with any further concerns regarding our software.

Gareth:
We are pleased to inform you that the updated uninstaller is now available from: http://download.plattemedia.com/updates/setup.exe
This can be used with the previously supplied uninstall keys and will remove the Java registry bridge. For clean removal please ensure that the uninstaller is run from an account with Administrative privileges and that it is not being blocked by security software on your system.
Please note the license stored in your registry will prevent the software our being reinstalled. This does affect the running of your machine but can be removed at your own discretion. Please do not hesitate to contact us if we can be of further assistance

Carol:
I am sorry to have to tell you, since I suspect that you've been quite busy, that your new uninstaller is no more effective than the first.
I have downloaded the new uninstaller twice, and run it three times (and rebooted following each uninstall), but to no more effect. The previous files still remain, although I have not yet checked whether there are any further alterations to the registry.
In these circumstances, I consider that Platte Media have failed to keep to their side of our contract, and that in doing so they have now waived their rights to the software installed on my computer. I will therefore make my own arrangements regarding its removal.
I would still be interested to learn why your software generates pop-up bills across all user accounts on the computer even after membership has been terminated online using your downloadable tool. Aside from the annoyance (and considerably more than two pop-up bills a day), there is a very serious question of privacy that needs to be addressed.

Gareth::
We are sorry to hear you are still experiencing unusual problems uninstalling the software. The uninstallers have undergone extensive testing and found to be working in all situations. Indeed this is the first report we have received of problems on a XP based system.
Unfortunately without detailed knowledge of your system it is difficult for us to establish exactly what is happening. We can only conclude that 3rd party software (such as a security package) is preventing the uninstaller from working properly on your system.
We are unable to comment on the inner workings of our software except to confirm that popups are limited to 20 in total with a maximum of 1 pop-up per day. We do however take all complaints seriously and welcome any details you are able to provide us with that would allow us to investigate further.

Carol:
If you've not had previous complaints, it can only be because people don't realise (or don't know where to look). It doesn't surprise me that your uninstaller doesn't work; some of the components of your software are an awful lot easier to put on a PC than they are to get off again. Certainly you'd have been very hard-pressed indeed to re-write your uninstall software in 24 hours to enable a full uninstall, even if you'd stayed up all night.
I'm sure the files I found on my computer will be on the others that have used your uninstaller; no doubt people will start looking pretty soon, and I wouldn't imagine that they'll be too happy.
Two of the files that your software installs appear to be in breach of Microsoft's licence for software developers. I can't be sure though, so I have merely drawn the matter to their attention. No doubt if they have any concerns they will contact you directly in due course.


Go to my next post on Platte Media