Manual Removal Guide for EnConfidence



Friday
2008-11-28, 18:33
The following instructions have been created to help you to get rid of "EnConfidence" manually.
Use this guide at your own risk; dedicated removal software is usually better suited to removing malware, since it is able to look deeper into the system.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
malware

Description:
The web installer appears to be OK, but manual installers - which are packed with other malware - install silently without the users' consent.
Supposed Functionality:
EnConfidence shows daily horoscopes and advertising. It collects user information for statistics.
Privacy Statement:
Introduction

"The Enconfidence Ad Software does not collect or maintain any personally identifying information about you [..]. The software does track the Web sites you visit through your computer as a means to assess your interests. Generally, such information is anonymously aggregated with the information of other users to determine interests and trends. It is possible, however, that we could use the information regarding specific sites that you visit to send you Enconfidence Ads that might be of particular interest to you. However, even in such circumstances, the Enconfidence Ad Software will not associate such information with other information that would enable us to identify you, as we do not obtain or maintain any personally identifying information.

Information Collected by Enconfidence and How It's Used

We intentionally do not seek information that would enable us to learn your identity, nor do we obtain or maintain personally identifiable information about you such as email addresses, last name, street addresses, or phone numbers or any other sensitive or personal financial information, such as credit card numbers, login IDs, passwords or bank account numbers. Warning: Enconfidence will never ask you for any such personally identifiable information.

The Enconfidence Software does, however, transmit limited non-personally identifiable information (the "Collected Information"), such as your computer's IP address, type of browser and operating system, unique software ID, version of the Enconfidence Software, internal software status indicators (including error codes to determine if the Enconfidence Software has encountered any internal errors), a tag that identifies any Enconfidence distribution partner from whom you may have downloaded or installed the Enconfidence Software, Web sites that you may visit, whether you have interacted with any Enconfidence Ads or registered for any products or services advertised by an Enconfidence Ad (although we will not obtain or maintain any of the registration information), your astrological sign and your time zone. We collect information regarding your Web surfing habits so that we can target advertisements and promotions that may be of the most interest to you. We will aggregate such information with the information of other consumers so that we can identify trends within our user base. We may share such information with our Advertisers to give them a sense of the interests of our users, such as informing a client that we have 10,000 users who visit Internet travel sites.

Collected Information also includes keyword and error search queries entered in your browser. Please note that search query information collected by the Enconfidence Software is generally maintained by us on an aggregated basis (i.e., together with the queries of all of our end-users) for the purposes of generating statistics regarding the use of the Enconfidence Software (such as the number of queries performed by the average end-user per month, a list of the most popular query terms, etc.), and is never used in a manner that associates specific search query information with other information that would enable us to identify you, as we do not obtain or maintain any personally identifying information. We may transmit search terms or phrases to certain third parties with whom we may have subcontracted to obtain Internet search results or other services in response to such search queries. We may also use search query information to send you Enconfidence Ads that might be of particular interest to you based on the search query information.

In the event that Enconfidence merges with another company, transfers or sells substantially all of its assets or capital stock to a third party, all Collected Information would be included in the merger, transfer or sale and that company would be bound by these Terms and Conditions just as we are bound today.

If legally required to do so, we will disclose to a third party any information we have.
Removal Instructions:

Autorun:

Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.

Entries named "MyDailyHoroscope" and pointing to "<$PROGRAMFILES>\MYDAIL~1\MYDAIL~1.EXE".
Entries named "MyDailyHoroscope".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and get rid of these entries.

Products that have a key or property named "My Daily Horoscope".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$WINDIR>\Downloaded Program Files\setup_update.inf".
A file with an unknown location named "setup_silent_15139.exe".
Make sure you set your file manager to display hidden and system files. If EnConfidence uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$PROGRAMS>\My Daily Horoscope".
The directory at "<$PROGRAMFILES>\My Daily Horoscope".
Make sure you set your file manager to display hidden and system files. If EnConfidence uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry key "Enconfidence" at "HKEY_CURRENT_USER\Software\".
Delete the registry key "MyDailyHoroscope.EXE" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "Enconfidence" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
Delete the registry key "{6E0AFB50-AB22-477C-B16A-AA155937791C}" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "{07637823-C894-4A52-B3F9-5D777FD8E36A}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\".
If EnConfidence uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
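
The checks from the Autorun, Files, Folders and Registry sections above can be run as a read-only audit before and after cleanup. This PowerShell script is an added example, not part of the original guide or of Spybot-S&D; it assumes the autorun entries live in the standard Run keys and that <$PROGRAMFILES>, <$WINDIR> and <$PROGRAMS> map to the locations noted in the comments.

```powershell
# Read-only audit for the EnConfidence artifacts listed in this guide.
# Nothing is deleted; the script only reports what it finds.
param([string]$SearchRoot = "$env:SystemDrive\")   # root for the by-name file search

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Location) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location })
}

# Autorun. Assumption: the entries are values in the standard Run keys.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $item = Get-ItemProperty -LiteralPath $key -Name 'MyDailyHoroscope' -ErrorAction SilentlyContinue
    if ($item) { Add-Finding 'Autorun' "$key -> $($item.MyDailyHoroscope)" }
}

# Registry keys, exactly as named in the Registry section.
$regKeys = 'Registry::HKEY_CURRENT_USER\Software\Enconfidence',
           'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Enconfidence',
           'Registry::HKEY_CLASSES_ROOT\AppID\MyDailyHoroscope.EXE',
           'Registry::HKEY_CLASSES_ROOT\AppID\{6E0AFB50-AB22-477C-B16A-AA155937791C}',
           'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{07637823-C894-4A52-B3F9-5D777FD8E36A}'
foreach ($key in $regKeys) {
    if (Test-Path -LiteralPath $key) { Add-Finding 'RegistryKey' $key }
}

# Files and folders. Assumptions: <$WINDIR> = %windir%, <$PROGRAMFILES> = Program Files
# (plus the x86 variant on 64-bit Windows), <$PROGRAMS> = Start Menu\Programs.
$pfRoots  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
$programs = 'Programs', 'CommonPrograms' | ForEach-Object { [Environment]::GetFolderPath($_) }
$paths  = @(Join-Path $env:windir 'Downloaded Program Files\setup_update.inf')
$paths += @($pfRoots) + @($programs) | Where-Object { $_ } |
          ForEach-Object { Join-Path $_ 'My Daily Horoscope' }
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { Add-Finding 'FileSystem' $p }
}

# The guide gives no location for this file, so search by name (slow on a full drive).
# -Force includes hidden and system files, as the guide asks of the file manager.
Get-ChildItem -LiteralPath $SearchRoot -Filter 'setup_silent_15139.exe' -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'FileSystem' $_.FullName }

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No listed EnConfidence artifacts found.' }
```

An empty result does not prove the system is clean: as noted above, there are more files than this guide lists, and a name match alone does not confirm that a file belongs to EnConfidence.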

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help, please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance, then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as available.