Results 1 to 9 of 9
  1. #1
    Full Member
    Join Date
    January 18th, 2005
    Posts
    322
    I’ve been seeing this in my logs lately. The website,http://www.funwebproducts.com/ ,offers a few “free” downloads and claims to be adware free, but all their downloads include a product called “My Web Search” and I can’t find any info on their site about it. Funny thing is, one of their downloads is a popup blocker, but when I leave their site, I get an exit popup. Doesn’t lead me to have a lot of faith in their “adware free” claims. Anybody with more experience testing these things than me want to have a look?

    Jason
    “I get on my knees and pray, we don’t get fooled again!” – Who said that? I said that!

  2. #2
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    NewCastleB ..you've been around enough to understand any and all FREEBEEs are funded by spam brokers, parasites and spyware folks. Only thing that changes is the bait on the barbed hook .....LOL. The Master Baiter has spoken!

    Mike & Charlie ...

    If they won't adopt and feed a bird ..flip them one! BBQ some Gator and remember to flush WhenU..

  3. #3
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    Some more for the AM's and netowrks to investigate.

    Sypware/Adware/malware associated with the coolweb and globalfinder.com & family COOLWEBSEARCH

    SMNi a new parasite, worm and spyware BHO http://static.smni.com/e/privacy.htm and about half way down are instructions for getting rid of popups. Adware not finding this yet.

    Mike & Charlie ...

    If they won't adopt and feed a bird ..flip them one! BBQ some Gator and remember to flush WhenU..

  4. #4
    Full Member
    Join Date
    January 18th, 2005
    Posts
    270
    Just had to clean this p.o.s. off our network... talk about going around quickly.

    Can't understand why our anti-virus software didn't catch this.

    Cleaner located at: http://www.spywareinfo.com/~merijn/

    FWIW.

    CodeJockey.

  5. #5
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    Thanks Codejocky for that link. Had that bugger secretly installed on my system.

    AM's bann the perverted domain affiliates if they are in your affiliate base. They are all traffic hijackers and re-direct cookie setters.

    coolwwwsearch.com
    jetseeker.com
    bargainbuddy.com
    xrenoder.com
    CoolWebSearch
    allhyperlinks.com
    vrape.hardloved.com
    thehun.com
    madthumbs.com
    worldsex.com
    teeniefiles.com
    al4a.com
    sublimedirectory.com
    thumbzilla.com
    sexocean.com
    easypic.com
    absolut-series.com
    jpeg4free.com
    thumbnailpost.com

    allhyperlinks.com
    activexupdate.com
    slawsearch.com
    true-counter.com
    Global-Finder.com
    luckysearch.net

    After reading all of this, you must be under the impression that a CoolWebSearch hijack is near impossible to fix since there are so many variants. Though it is true that the conventional tools like Ad-Aware, Spybot S&D and HijackThis won't fix all of the variants, there is one tool that will.

    After about the 3rd CWS variant, I realized this particular spyware company moved faster than any other I'd seen before, and that the anti-spyware programs wouldn't be able to keep up with it. So I decided to write a separate program dedicated to removing CoolWebSearch. It's called CWShredder and can be downloaded here, in several forms: http://www.spywareinfo.com/~merijn/files/cwshredder.zip

    Basically all new search sites and certainly all Freebee sites are suspect for affiliate managers who care about their brand being associated with traffic hijackers and adware/spyware drive-by installers.

    Mike & Charlie ...

    If they won't adopt and feed a bird ..flip them one! BBQ some Gator and remember to flush WhenU..

    [This message was edited by EcomCity.com on October 04, 2003 at 12:38 PM.]

  6. #6
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    Nice source from Symantic on new Adware programs and links to their dubeous profiles

    http://securityresponse.symantec.com...hreats/adware/

    Nice to see eBates ranks as a computer virus by Symantic

    Publisher: EBates
    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP


    Removal: Low
    Damage: Low




    Intelligent Updater Definitions*
    August 18, 2003


    LiveUpdate™ Definitions **
    August 18, 2003


    *
    Intelligent Updater definitions are released daily, but require manual download and installation.
    Click here to download manually.

    **
    LiveUpdate definitions are usually released every Wednesday.
    Click here for instructions on using LiveUpdate.





    This threat can be detected only by Symantec products that support expanded threats. For more information on expanded threats, please go here.



    Behavior
    Adware.MoeMoney is an adware program that downloads and display advertisements.

    Symptoms
    The files are detected as Adware.MoeMoney.

    Transmission
    This adware program must be manually installed. However, there are several known programs that have Adware.MoeMoney within them and that install it as the program itself is installed.



    File names: EbatesMoeMoneyMaker14.exe

    Adware.MoeMoney is an adware program that displays advertisements. The installer of this adware application does not display any information when it is installed. Instead, it relies on the program that installs it to display the End User License Agreement (EULA).

    When Adware.MoeMoney is run, the installer does the following:


    Creates the folder, C:\Program Files\EbatesMoeMoneyMaker, and then inserts several files and subfolders into this folder.


    Adds the value:

    EbatesMoeMoneyMaker

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Most often, other programs install Adware.MoeMoney. This adware is written using Java and it requires Wjview.exe (a legitimate Microsoft file) to function.

    When running, this adware tracks Internet browsing habits and sends information about them to a central server. It periodically downloads advertisements and displays them.



    --------------------------------------------------------------------------------
    Note: Removing this adware component from the system will likely cause the program that installed it to not function as intended. The uninstaller generally identifies the programs that will not work after uninstallation.
    --------------------------------------------------------------------------------

    Update the virus definitions.
    Delete the value that was added to the registry, and then restart the computer.
    Run a full system scan and delete all the files detected as Adware.MoeMoney.

    For specific details on each of these steps, read the following instructions.

    1. Updating the virus definitions
    Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
    Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
    Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

    The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

    2. Deleting the value from the registry

    --------------------------------------------------------------------------------
    WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
    --------------------------------------------------------------------------------

    Click Start, and then click Run. (The Run dialog box appears.)
    Type regedit

    Then click OK. (The Registry Editor opens.)


    Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


    In the right pane, delete the value:

    EbatesMoeMoneyMaker


    Exit the Registry Editor.
    Restart the computer.

    3. Scanning for and deleting the infected files
    Start your Symantec antivirus program and make sure that it is configured to scan all the files.
    For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
    For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
    Run a full system scan.
    If any files are detected as infected with Adware.MoeMoney, click Delete.
    Using Windows Explorer, delete the folder, C:\Program Files\EbatesMoeMoneyMaker.



    Mike & Charlie ...

    If they won't adopt and feed a bird ..flip them one! BBQ some Gator and remember to flush WhenU..

    [This message was edited by EcomCity.com on October 04, 2003 at 12:43 PM.]

  7. #7
    Newbie
    Join Date
    January 18th, 2005
    Posts
    17
    Fun Web Products is a search companion application distributed by MYWebSearch whioch is owned by the Excite Network which is owned by iWon which is owned by Focus Interactive. It is in fact the defact standard search companion browser helper object with nearly every P2P application.

  8. #8
    Full Member
    Join Date
    January 18th, 2005
    Posts
    164
    Can anyone advise me how to block the useragent FunWebProducts and divert vistors to my site with this parasite installed to a page explaining they cant access my site until they remove the infection.

    Kili

  9. #9
    Full Member
    Join Date
    January 18th, 2005
    Posts
    469
    Any server-side script that looks at user-agent headers should be able to block (or redirect) web browsers that include the specified string in their user-agent headers.

    What kind of scripting do you use on your web server? Or in principle this could even be implemented in a bit of JavaScript.

  10. Newsletter Signup

+ Reply to Thread

Similar Threads

  1. Is Funwebproducts.com a parasite?
    By elynn in forum Suspicious Activity!
    Replies: 6
    Last Post: September 8th, 2004, 10:29 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •