  1. #1
    ABW Veteran jc101's Avatar
    Join Date
    January 18th, 2005
    Location
    Santa Cruz, CA
    Posts
    4,597

  2. #2
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    If this is "CoolWebSearch" then you're almost right.. it's a very tough parasite to remove and to be honest it might require a complete rebuild of the PC from scratch.

    However, you might have some success with CWShredder, available from here: http://www.spywareinfo.com/~merijn/downloads.html
    Innovative advertising with Slimeware Corporation and Telephore. Mail-order fuel with Petrol Direct.

  3. #3
    Full Member
    Join Date
    January 18th, 2005
    Posts
    270
    It can be removed but only after a lot of effort. I'd say this one was worth four-five hours of my time, and I wound up in the Registry changing stuff. I found cwshredder worked o.k., but it re-appeared; I'm not too sure whether that was an additional download or not.

    The best I can figure out was that it was a piggyback download when The Resident Teenager downloaded some pron or music files.

    PITA all told.

    CodeJockey.

  4. #4
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    Another prevention tool to use and pass on to your site visitors is Browser Hijacker 1.0 from javacool wildersecurity.com. Free download at http://www.majorgeeks.com/download.php?det=3786

    *****************************
    Browser Hijack Blaster Readme
    *****************************
    Created by javacool.

    Browser Hijack Blaster runs in the background, constantly watching for attempts to alter various Internet Explorer settings, and for newly added BHOs (Browser Help Objects). If an attempt is detected, you are notified immediately, and presented with details on the attempt, plus the option to either allow the change, or revert to the previous value.

    With Browser Hijack Blaster, you will be notified if an ActiveX control tries to silently install a new BHO (Browser Help Object) - and you will be presented with the ability to remove that BHO or allow it.

    ----------------------------

    Comments, questions, or suggestions?
    Post them at http://www.wilderssecurity.com
    Webmaster's... Mike and Charlie

    "What have you done today to put real value into a referral click...from a shoppers viewpoint!"

  5. #5
    Kung Fu Master Eathan's Avatar
    Join Date
    January 18th, 2005
    Posts
    1,833
    So the PPC campaign I'm running on Lycos is supporting these guys? Grr...

    It's dead hard not to support parasites these days.
    Eathan Mertz

    Black Cat Mining - Gold Prospecting & Rockhounding Equipment

  6. #6
    Newbie Affiliate Ian's Avatar
    Join Date
    January 18th, 2005
    Posts
    1,540
    Pharm_boy, how did you link the above posts up with Lycos? Curious.

  7. #7
    Kung Fu Master Eathan's Avatar
    Join Date
    January 18th, 2005
    Posts
    1,833
    PPC ads purchased on Lycos went live on coolwebsearch the very same day. Now checking into it, Lycos PPC stuff looks to be powered by findwhat...

  8. #8
    Newbie Affiliate Ian's Avatar
    Join Date
    January 18th, 2005
    Posts
    1,540
    Hey Ethan, let me know what you find out about coolweb and lycos. I am very interested in this one. In particular how lycos is partnering with networks and partners who utilize BHOs. Much appreciated buddy and good to see you here

  9. #9
    Newbie Affiliate Ian's Avatar
    Join Date
    January 18th, 2005
    Posts
    1,540
    Speak of the devil. Can anyone share some detailed info about how to remove this piece of ****. I used cwshredder but it keeps coming back trying to hijack my home page. If I find out who the heck installed this one, I'm gonna..... (we apologize for the delay, this broadcast has been discontinued due to its extremely aggressive nature and incomprehensible language).

    **Edit**
    Just found Toppop in task manager. Have no way to get rid of this. Gotta love these freaking BHOs. Hope this info helps the next person who gets hit.
    ****

    **Edit 2**
    hmmm, either I am on crack or some BHO has replaced my Adsense with Image Ads. I just double checked my AS settings and it is defaulted to Text. Man these freaks...
    ****

  10. #10
    ABW Ambassador Andy's Avatar
    Join Date
    January 18th, 2005
    Posts
    4,178
    Now Ian,

    You opted in for this! Sure you did! They don't do sneaky drive-bys, just ask the networks. The BHOs are your friend! Consider all the value they're adding to your internet experience...

    Good luck getting rid of it, I am SO SICK of these software apps doing whatever the hell they want to!

    Andy

  11. #11
    ABW Ambassador phillyburbs's Avatar
    Join Date
    January 18th, 2005
    Location
    in the PhillyBurbs!
    Posts
    3,097
    Gang:

    This is the one I posted about elsewhere in this forum. The tricky thing about it is that it came as part of a Trojan. As I worked my way through carving out pieces of the cancer, you could literally see new ones popping up in Task Manager.

    In the end, it took four full days and a complete Windows re-installation to beat the thing into submission.

    Question: I saved source code from two of the ads that I assume has the affiliate ID in them. Should I even bother to send that information to the "networks" they were served from?

  12. #12
    Defender of Truth, Justice and the Affiliate Way
    Join Date
    January 18th, 2005
    Location
    The Swamp
    Posts
    7,503
    > Lycos PPC stuff looks to be powered by findwhat...

    FindWhat has partnered with MANY of these applications for a very long time. It's why my heart about stopped and I broke out into a cold sweat when FindWhat bought Miva a good bit back. I wouldn't touch a Miva shopping cart now for all the money in the world.

    Also, Lycos is installing the Lycos Sidebar thing through drive by installs. I had it installed by CoolSearch. I also know someone else who got it through a banner ad. I didn't have time to test it too much to see what all it was or wasn't doing, before WebSearch killed it.

    @Ian, yes it will act as a backdoor to install other applications on your system.

    @Karl: Unfortunately will most likely be a futile exercise. At least that has been my past experience.

  13. #13
    Newbie Affiliate Ian's Avatar
    Join Date
    January 18th, 2005
    Posts
    1,540
    Karl & Ms B. are right. I kept on getting toppop in my task manager. I found the exe file and removed that, removed a bunch of registry items (anything with coolsearch, mysearch, toppop, coolweb) and found C:\symantec on my hard drive with one .dll file. Nice try. Deleted that too. Hope these notes help others.

    The home page hijacker seems to have disappeared for the time being, now time to figure out why google ads are being replaced by their hokey image ads.

  14. #14
    Kung Fu Master Eathan's Avatar
    Join Date
    January 18th, 2005
    Posts
    1,833
    Ian,

    It could be that the app is looking for AdSense code and replacing certain values to serve their ads on your pages.

    Karl,

    I'd definitely send whatever info you have to the networks. Parasites make the networks money, but they're not keen on all the bad PR they get over this stuff. [edited to fix words in wrong order. oops]

    Ms. B,

    What better place to do driveby installs on qualified buyers than a broadly distributed shopping cart system...? Nasty blighters.

  15. #15
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    Well I've posted in various ABW places over the last week about these network sponsored affiliate S/W wanks. Wasted over 30 hours on just a few client machines hijacked by drive-by installs. We should take complaint action against FindWhat.com and other 2nd tier PPCSEs' drive to compete with Overture and AdWords by employing partnerships that employ computer trojan horse viruses to drain keyword accounts.

    Scratch the money trail of some of these BHO infections and you'll find terrorist organizations - Russian and Asian mobs getting monetized by the silent affiliate networks. This really pisses me off as S/W affiliates are directly and indirectly buying bombs and bullets for terrorists, identity theft info for passports and IDs plus the credit cards for slipping murderers into countries everywhere.

    _______________________________
    Registrant: Coolsearch.com
    TROODEIISP
    Vvedensky 7
    St-Petersburg, St-Petersburg Region 190013
    Russian Federation

    Registered through: GoDaddy.com
    Domain Name: COOLSEARCH.COM
    Created on: 05-Aug-97
    Expires on: 04-Aug-05
    Last Updated on: 12-May-04

    Administrative Contact:
    Dimasov, Dimas dimas@mail.ru
    TROODEIISP
    Vvedensky 7
    St-Petersburg, St-Petersburg Region 190013
    Russian Federation
    8123261780 Fax --
    Technical Contact:
    Dimasov, Dimas dimas@mail.ru
    _________________________________________

    Dead give-away you have 3rd world cybercriminals is phoney or hidden WhoIs information, which gives cybercrime units fits till they subpoena the networks and PPCSE partnership records to see where the money is really going.
    _____________________________________________

    Notice how the registrars like TUCOWS and www.compana.com help the hidden www.StopPop.com computer virus & BHO drive-by installers. They are in cahoots to cover their tracks and hide where the keyword money goes. Federal and Worldwide legislation is being pushed to make it a registrar/registrant crime to publish phoney WhoIs info or hide the identity of domain owners.

    Domain name: stoppop.com

    Registrant Contact:
    Compana
    Compana LLC (admin@compana.com)
    +1.4132151195
    Fax: +1.4132151195
    Post Box 111501
    Carrollton, TX 75011
    US

    Administrative Contact:
    Compana
    Compana LLC (admin@compana.com)
    +1.4132151195
    Fax: +1.4132151195
    Post Box 111501
    Carrollton, TX 75011
    US

    Billing Contact:
    Compana
    Compana LLC (admin@compana.com)
    +1.4132151195
    Fax: +1.4132151195
    Post Box 111501
    Carrollton, TX 75011
    US

    Domain name: COMPANA.COM

    Administrative Contact:
    LLC, Compana admin@compana.com
    PO Box 111501
    Carrollton, TX 75011
    US
    413-215-1195 Fax: 413-215-1195

    Technical Contact:
    LLC, Compana admin@compana.com
    PO Box 111501
    Carrollton, TX 75011
    US
    413-215-1195 Fax: 413-215-1195

    Registrar of Record: TUCOWS, INC.

    Also owns www.servers.com for browser homepage and searchbar hijacking, which probably gives Super-affiliate status.

    __________________________________

    Some other pieces of affiliate BHO crapware I ran into this week doing drive-bys and employing re-installs.

    Description
    Bargain Buddy consists of an IE Browser Helper Object, and a process set to run at startup. The BHO monitors web pages requested and terms entered into forms. If there is a match with a preset list of sites and keywords, an advertisement may be shown. The process can contact its maker's server to download updates to the list of adverts and to the software itself.

    Variants
    BargainBuddy/Apuc, original version whose BHO is stored in its own Program Files 'Bargain Buddy' folder. BargainBuddy/Versn, the BHO is a file inside the host application whilst the updater is still in 'Bargain Buddy'. BargainBuddy/adp uses the folder name 'adp' in Program Files. BargainBuddy/Apuc2 is the same as Apuc, but constantly tries to restart itself if you kill it.
    Description: NetPal is an IE Browser Helper Object from Mindset Interactive, the people behind Transponder. It does similar things to the Transponder range, but is quite different internally.

    Also known as
    PrizePopper (the internal name of the DLL, and a possibly related web site), Tracker or TrackIExplore (BHO name).

    Distribution
    Was installed by the FavoriteMan trojan, possibly also bundled with other software. Is downloadable through ActiveX at the site www.netpalnow.com; however, that site also used to distribute the original Transponder parasite under the same 'NetPal' name.

    Description
    ClientMan is a wide-ranging advertising parasite. The various versions released may add advertising links to web pages, open popup adverts, and redirect search engine results, address bar searches and error pages.

    Variants
    ClientMan/Helper is the earliest known variant. It includes two IE Browser Helper Objects - a 'browserhelper' and a 'trackurl' DLL, used to add yellow advertising links to pages - along with various other processes. It is not detected by the script at this site, for tedious technical reasons.

    ClientMan/Tagger is a newer update that can be loaded by browserhelper. The 'browserhelper' DLL is replaced by a 'taggerbho' one, and there is a new 'searchrep' DLL which redirects search engine usage, plus new EXE files 'fixtitle' and 'getbuys'.

    ClientMan/2in1 is the latest update. The taggerbho is replaced with a '2in1' DLL; the yellow links are no longer added to the page. Instead, all address bar searches, unknown domains and web server error pages are redirected (currently to searchassistant.net) by the new 'dnsrep' DLL, and pop-up adverts are opened at regular intervals by the new 'urlcli' DLL. (At the time of writing, these are spawned from popupsponsor.com and popuptraffic.com, and are closed immediately after opening, in order to con affiliate fees from these companies.) Additionally there are new 'gstylebho' and 'msvrfy' DLLs.


    Read up on some of the known commission thieves and system trashing tools ... http://www.doxdesk.com/parasite/
    _____________________________________

    Drive-bys from popups and e-mail auto infection scripts bring us these beauties...

    Description
    IEAccess is an ActiveX control used to download and install premium-rate diallers, primarily for porn sites.

    Variants
    IEAccess/IEDial, IEAccess/HTMLAccess and IEAccess/HTMLDialer are broadly similar but use different filenames and IDs.

    IEAccess/EGDial is based on IEAccess/HTMLDialer, with an extra file.

    Also known as eGROUP, by Spybot S&D, from the name of its makers.

    Distribution
    Installed by ActiveX drive-by-download by porn-related pages from nocreditcard.net and sex-explorer.com, which may be opened or redirected to by pop-up advertising.

    The IEDial variant is known to be installed automatically, without prompting, on Internet Explorer versions earlier than IE6 Service Pack 1, thanks to a security hole. The installer pages exploit this to run an EXE which adds 'Electronic Group' to the list of trusted publishers whose software IE will install automatically without asking.

    Electronic Group are also known to distribute at least two other types of stealth-installed dialer, StripPlayer and DialerOffline.


    Description
    HuntBar is a search-hijacker from Traffic Syndicate (controlling server dst.trafficsyndicate.com), with various additional features depending on version.

    Variants
    HuntBar/TS is the original version, also providing an IE toolbar with search features.

    HuntBar/Side is an addition to HuntBar/TS which also pops open a search sidebar pointed at its own results when it detects you using search engines.

    HuntBar/MSLink is a development of HuntBar/Side dropping the toolbar from HuntBar/TS and adding the ability to redirect you instantly when browsing targeted web pages. This is typically used to hijack affiliate fees from merchant sites.

    HuntBar/BTLink is an updated version of MSLink.

    HuntBar/MSIn and HuntBar/BTIn are installer controls for both the MSLink and BTLink variants.

    HuntBar/SToolbar also tries to hijack your homepage to WebSearch.com, and copies searches you make in known search engines to the search field in the toolbar as you type.

    HuntBar/QDow is a small downloader ActiveX control used to load HuntBar/BTIn.

    Distribution
    Through ActiveX drive-by-download at affiliate sites, including pop-up advertising served by trafficsyndicate.com.

    TrafficSyndicate, the makers of HuntBar, offer 'co-branded' versions of HuntBar which may be installed by other sites under a different name. Known partner sites include bullseyesgames.com and side-search.com.

    Domain name: side-search.com

    Registrant Contact:
    Sidestep.com
    DNS tech (dns_tech@sidestep.com)
    408-235-1700
    Fax: 408-235-1717
    4701 patrick henry drv.
    Bldg. 10
    santa clara, CA 95054
    US

    First Cash Reserve, LLC
    621 N.W. 53rd St Suite 240
    Boca Raton, FL 33432-8291
    US

    Domain Name: TRAFFICSYNDICATE.COM

    Administrative Contact
    Dusan Senkypl: info@trafficsyndicate.com
    IBIS, LLC
    225 NE MIZNER BLVD STE 300
    Boca Raton, FL 33432
    US
    Phone 561-417-9415
    Fax 561-892-5808

  16. #16
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    Domain Name: COOLWEBSEARCH.COM
    Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM
    Whois Server: whois.joker.com
    Referral URL: http://www.joker.com
    Name Server: NS2.ROSEXXXGARDEN.COM
    Name Server: NS1.MAXIMUMHOST.COM
    Status: ACTIVE
    Updated Date: 05-sep-2003
    Creation Date: 01-jun-2001
    Expiration Date: 01-jun-2007

    Whois Server: whois.joker.com
    domain: coolwebsearch.com
    status: production
    organization: InterWeb Solutions Inc
    owner: InterWeb Solutions Inc
    email: admin@iweb-commerce.com
    address: P.O. Box 362
    address: Road Town
    city: Tortola
    postal-code: 65113
    country: IO
    admin-c: admin@iweb-commerce.com#0
    tech-c: admin@iweb-commerce.com#0
    billing-c: admin@iweb-commerce.com#0
    nserver: ns1.maximumhost.com
    nserver: ns2.rosexxxgarden.com
    registrar: JORE-1
    created: 2001-06-01 04:51:34 UTC JORE-1
    modified: 2004-03-17 14:59:02 UTC JORE-1
    expires: 2007-05-31 22:51:23 UTC
    source: joker.com

    Another 3rd world cyberterrorist operation who also operate hundreds of Hamas and Hezbollah porn sites and cybercafes.

    CoolWebSearch/BootConf: drops a user CSS file in the same way as DataNotary, but pointing at www.coolwebsearch.com. Also hijacks the home page and all search settings to point to coolwebsearch, and hacks the DNS Hosts file to redirect access of MSN address-bar search to coolwebsearch.com. The site names are obfuscated using URL-encoding (%XX) to make them difficult to read. A program bootconf.exe is set up to run on every startup, resetting the hijack. Finally coolwebsearch.com is added to the Trusted Sites list, along with msn.com, whom coolwebsearch are also impersonating.

    CoolWebSearch/MSInfo: another user-CSS-hijacker, this time pointed at true-counter.com, currently redirecting to global-finder.com.

    CoolWebSearch/SvcHost: a Hosts file hijacker, which works in a rather unusual way (probably to avoid being detected by anti-hijacker tools). Its targeted sites (Yahoo Search, MSN Search and all countries’ versions of Google) are set in the Hosts file to point to ‘localhost’ (127.0.0.1). Since the local host (the computer the browser is running on) is most often not running a web server, this results in an error page; it is this error page that is then hijacked to the CWS site slawsearch.com.

    CoolWebSearch/PnP: a search hijacker that hides inside the ‘inf’ folder usually used for storing device driver information. Its hijacker file oemsyspnp.inf is run on each startup, using a slightly different install command each time. This command cycles through install sections 'RunOnce', 'AudioPnP', 'VideoPnp', 'IdePnP' and 'SysPnP', though quite why is unknown as it does the same thing regardless of which section is used, namely hijacking home page and search settings to point at www.adulthyperlinks.com and www.allhyperlinks.com. It also adds activexupdate.com to the IE ‘Safe Sites’ list, for unknown purpose (this is not the same as the Trusted Sites Zone).

    CoolWebSearch/KeyMgr: a new version of PnP with different names.

    CoolWebSearch/MSSPI: a search results hijacker implemented as a Winsock2 Layered Service Provider (a fairly low-level networking component, which is tricky to remove). Targets Google, Yahoo and Altavista, opening advertising from unipages.cc.


    Nice to see this type of domain Whois info for a coolwebsearch partner....

    Registrant:
    none
    none
    none, none none
    RU
    010101


    Domain Name: SLAWSEARCH.COM

    Administrative Contact:
    Simpson, Regina webmaster@sexy-models.net
    none
    none, none none
    RU
    010101


    Technical Contact:
    Simpson, Regina webmaster@sexy-models.net
    none
    none, none none
    RU
    010101
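
The BHO watch that the Browser Hijack Blaster readme in post #4 describes, plus the %XX-obfuscated start page from the CoolWebSearch/BootConf write-up above and the stray DLL Ian found in post #13, can all be checked offline from a registry export. The script below is an added example, not code from this thread, from Browser Hijack Blaster or from doxdesk: it parses the text that regedit's Export (or `reg export`) writes, resolves every registered BHO CLSID to its InprocServer32 DLL, flags DLLs outside an assumed allow-list of install directories, diffs two exports for newly added BHOs, and percent-decodes the IE start/search URLs. The sample export is constructed; its CLSIDs, paths and file names are invented (the C:\symantec directory mirrors Ian's report, the helper.dll name inside it does not come from the thread).

```python
"""Triage a regedit export for Browser Helper Objects and hijacked IE URLs.

Added example, not from the thread or from any tool named in it. It reads
the text that regedit's Export (or `reg export`) writes, so a hive can be
examined off-box. The export below is constructed; CLSIDs, paths and file
names are invented.
"""
from typing import Dict, List
from urllib.parse import unquote

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
IE_MAIN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main",
)
URL_VALUES = ("Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL")
# Assumed allow-list: where a BHO that was installed on purpose normally lives.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\system32\\")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map key path -> {value name: string data}. Only REG_SZ values are
    kept, which is all this triage needs; '@' is the key's default value."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = name if name == "@" else name.strip('"')
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                # .reg escapes backslashes and quotes inside string data
                keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def _lower(keys: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    return {k.lower(): v for k, v in keys.items()}


def trusted_path(dll: str) -> bool:
    return dll.lower().startswith(TRUSTED_PREFIXES)


def list_bhos(keys: Dict[str, Dict[str, str]]) -> List[Dict[str, object]]:
    """Every registered BHO and its DLL, resolved via HKCR\\CLSID\\{...}\\InprocServer32."""
    lower = _lower(keys)
    found = []
    for path in keys:
        if path.lower().startswith(BHO_KEY.lower() + "\\"):
            clsid = path.rsplit("\\", 1)[1]
            server = lower.get(f"hkey_classes_root\\clsid\\{clsid.lower()}\\inprocserver32", {})
            dll = server.get("@", "<unresolved>")   # unresolved is flagged too
            found.append({"clsid": clsid, "dll": dll, "suspicious": not trusted_path(dll)})
    return found


def new_bhos(before: Dict[str, Dict[str, str]], after: Dict[str, Dict[str, str]]) -> List[str]:
    """The check Browser Hijack Blaster does at runtime, done on two snapshots."""
    seen = {b["clsid"].lower() for b in list_bhos(before)}
    return [b["clsid"] for b in list_bhos(after) if b["clsid"].lower() not in seen]


def ie_urls(keys: Dict[str, Dict[str, str]]) -> List[Dict[str, object]]:
    """Start/search URLs with the %XX obfuscation (CWS/BootConf style) undone."""
    lower = _lower(keys)
    out = []
    for key in IE_MAIN_KEYS:
        for name, data in lower.get(key.lower(), {}).items():
            if name in URL_VALUES:
                decoded = unquote(data)
                out.append({"key": key, "name": name, "raw": data,
                            "decoded": decoded, "obfuscated": decoded != data})
    return out


# Constructed export; nothing here is a real CLSID, path or capture.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-4000-8000-000000000001}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBBBBBB-0000-4000-8000-000000000002}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-4000-8000-000000000001}\InprocServer32]
@="C:\\Program Files\\Example Reader\\ReaderHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-0000-4000-8000-000000000002}\InprocServer32]
@="C:\\symantec\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%77%77%77%2E%63%6F%6F%6C%77%65%62%73%65%61%72%63%68%2E%63%6F%6D/"
"Search Page"="http://www.example.com/search"
"""

if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    for b in list_bhos(keys):
        print(f"{b['clsid']}  {b['dll']}  [{'SUSPICIOUS' if b['suspicious'] else 'ok'}]")
    for u in ie_urls(keys):
        print(f"{u['name']}: {u['decoded']}" + ("  (was %XX-encoded)" if u["obfuscated"] else ""))
```

Export the `Browser Helper Objects` key, `HKCR\CLSID` and `Internet Explorer\Main` from a clean machine once, keep that file, and feed it to `new_bhos()` together with a fresh export from the suspect machine; a CLSID that appears only in the second export is what Browser Hijack Blaster would have prompted about.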

  17. #17
    Newbie Affiliate Ian's Avatar
    Join Date
    January 18th, 2005
    Posts
    1,540
    ok confirmation:

    My PC is showing adware banners when I load a page with Google Adsense. I view source but all I see is the Google Adsense javascript. This is being routed locally on my machine. Anyone recognize these? Grrrrr!

    http://m3.doubleclick.net/viewad/886...20x600-vps.gif

    http://webpdp.gator.com/4/message/54...craperJigA.gif

    http://cserver.mii.instacontent.net/...media35826.jpg

    http://m3.doubleclick.net/viewad/886...us_120x600.gif

    http://cserver.mii.instacontent.net/...media32847.gif

    http://cserver.mii.instacontent.net/...media31778.gif

    and so on and so forth. Any ideas how I can remove this annoyance? I was able to get rid of the home page hijacker but not these stupid banner ads.

  18. #18
    Newbie Affiliate Ian's Avatar
    Join Date
    January 18th, 2005
    Posts
    1,540
    I hope this helps someone else.

    I lost Adsense on my machine and it was replaced by hokey banner ads. Found that a bunch of entries had been inserted into my hosts file. Google Syndication was one of them. Remove all entries from c:\windows\hosts and adsense is back in full force.

    Note, not hosts.sam but hosts file.
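
Both hosts-file tricks in this thread, the CoolWebSearch/SvcHost blackholing of search sites to 127.0.0.1 quoted in post #16 and the googlesyndication entry that swapped Ian's AdSense for banners in post #18, can be found and removed the same way. The script below is an added example, not code from the thread or from any tool named in it: it parses a hosts file, flags any mapping of a watched search or ad domain to loopback (the error-page hijack) or to some other address (the silent redirect), and rewrites the file keeping only the other lines. The watch list is an assumption to extend as needed, and the sample hosts text is constructed to mimic the patterns described here rather than being a real capture. Read the file for your Windows version (%SystemRoot%\system32\drivers\etc\hosts on NT-based Windows, %windir%\hosts on Windows 9x) and pass its contents to the functions.

```python
"""Audit a Windows hosts file for search-engine and ad-network hijacks.

Added example, not from the original thread. The sample below is
constructed to mimic the CoolWebSearch/SvcHost pattern (search sites pinned
to 127.0.0.1) and the AdSense replacement described in the thread
(googlesyndication pinned to a non-loopback address).
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumed watch list: domains a hijacker has a motive to redirect.
WATCHED_SUFFIXES = (
    "google.com", "googlesyndication.com", "doubleclick.net",
    "search.msn.com", "search.yahoo.com", "altavista.com",
)

# Mappings that belong in a default hosts file and are never flagged.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_no) for every mapping, ignoring comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                              # malformed line, not a mapping
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries


def is_watched(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str) -> List[Dict[str, object]]:
    """Flag mappings of watched domains. A loopback pin produces the error
    page CWS/SvcHost then hijacks; any other address redirects the traffic."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if (ip, host) in DEFAULT_ENTRIES or not is_watched(host):
            continue
        kind = ("blackhole-to-localhost"
                if ipaddress.ip_address(ip).is_loopback else "redirect")
        findings.append({"line": line_no, "ip": ip, "host": host, "kind": kind})
    return findings


def clean_hosts(text: str) -> str:
    """Rewrite the file keeping comments and every non-flagged line."""
    bad_lines = {f["line"] for f in audit_hosts(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in bad_lines]
    return "\n".join(kept) + "\n"


# Constructed sample, not a real capture; 203.0.113.5 is a documentation address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.google.com google.com   # CWS/SvcHost style blackhole
127.0.0.1       search.msn.com
127.0.0.1       search.yahoo.com
203.0.113.5     pagead2.googlesyndication.com   # ad replacement
203.0.113.5     ad.doubleclick.net
192.168.1.10    intranet.example.local
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>2}: {f['host']:<32} -> {f['ip']:<12} [{f['kind']}]")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Write the cleaned text back only after reviewing the findings; a legitimate internal override that happens to match a watched suffix would be removed along with the hijacks, which is why the audit and the rewrite are separate functions.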
