Spam, Spyware, Redirectors and Rogues

Sick of getting spammed by the messenger service? Sick of pop-up ads? Having trouble with trojans or spyware? Want to play a few games on the web without getting ads flashed in your face?

Also see Viruses, Trojans and Worms and Patching a New XP Installation via the Internet on this website.

There is a new variant of a very nasty hijacker known as CoolWebSearch. The variant is CoolWebSearch.SmartKiller. Even if you feel that you are well protected and currently don't have any infestations, you should immediately download BOTH the removal tools for CoolWebSearch listed below. The trojan/spyware/spammer will launch attacks on browsers, firewalls, popup-stoppers and virus checkers in order to prevent you from gaining access to sites that provide tools that can remove it. If you download the files and keep them in a safe place, the software will not be able to attempt to prevent you from removing it.

Index

Trojan and Spyware Defences

Messenger Spam

Firewalls and Popup Stoppers

Use Your HOSTS File to Block Ads and Prevent Redirects

Using Internet Explorer's Restricted Zone Feature

CoolWebSearch

Lop Toolbar - lop.com - Lop Inc.

Redirectors, Rogues and Spyware

Other Ad and Spyware

E-mail Spam

Trojan and Spyware Defences

SpywareBlaster is a freeware preventative for many pestiferous types of ad and spyware. It does not scan for spyware, it prevents it from being installed. The SpywareBlaster page isn't exactly clear on how the product works, but once it has been run and configured for the first time, it apparently continues to do its job without loading into memory, assumedly because it has made registry changes that redirect miscreant behaviour.

SpyBot Search & Destroy (freeware)

AdAware (Entry level product is free)

HijackThis (direct download, freeware) - If you find HijackThis useful, please visit the HijackThis page here and support the author with a donation. Warning: HijackThis is for advanced users.

Trojan Remover "was written to aid in the removal of Trojan Horses and Internet Worms when standard anti-virus software has either failed to detect the problem or is unable to effectively eliminate it. Trojan Remover has been written for Windows 95/98/NT/Millennium/XP. It has been successfully used by Windows 2000 users, although this platform has not been officially tested."

TrojanHunter "Awarded the highest possible rating by Webattack. Awarded the highest possible rating by German computer magazine Chip. Rated Editor's Choice: Best for most users by www.anti-trojan-software-reviews.com. TrojanHunter is the only trojan scanner on the market capable of cleaning parasitic process-injecting trojans!"

Trojan Defence Suite "First released in 1997, TDS (Trojan Defence Suite) is one of the longest established anti-trojan programs in existance and today is widely considered to be the most powerful and comprehensive anti-trojan program by the Internet security community. It is the only anti-trojan program that has free daily database updates and is the only anti-trojan program supported by a fulltime team of dedicated internationally recognised anti-trojan professionals ..."

Agnitum Tauscan "bolts the backdoors."

A-Spy "This program shows all known ways to start some application during Windows startup process and logging. It's possible to add/delete/edit entries, move them from one place to another. Access rights are considered at NT/2000 platforms. Supports all Windows platforms. 17 ways how to detect possible trojans, hiding in the startup entries."

Messenger Spam

A Messenger service window that contains an Internet advertisement appears. The text in the advertisement is similar to “Messenger Service”, “Message from source to your_computer_name.ISP_name on date time”, or “Message Text”. To resolve this issue, install or turn on a firewall that blocks inbound NetBIOS and UDP broadcast traffic. The method that you use to resolve this issue depends on your operating system and how you connect to the Internet. The following sections provide examples of several different configurations and possible methods of resolution.

Read this Microsoft knowledge base article, Messenger Service Window That Contains an Internet Advertisement Appears.

Firewalls and Popup Stoppers

Visit the Firewalls and Virus Checkers page on this site for free firewall and popup stopper software.

Use Your HOSTS File to Block Ads and Prevent Redirects

To filter additional ads and to stop redirects, parasites, dialers and hijackers, visit mvps.org and download the hosts file from their Blocking Unwanted Ads with a Hosts File page. Save the file as “hosts” with NO extension into the “C:\WINDOWS\SYSTEM32\DRIVERS\ETC” directory. That’s all you have to do.

WARNING: If you have had to modify the hosts file at some point in the past, be careful not to overwrite any earlier changes.

Using Internet Explorer's Restricted Zone Feature

Visit mvps.org and read their Adding Sites to the Restricted Zone page. Download entries for suspect sites. From the website: "You can manually add an entry to the Restricted Zone or use the pre-made reg file that contains most of the major ad servers, hijackers, dialers and parasites. This will help prevent "drive-by" installs of unwanted software."

CoolWebSearch

CoolWebSearch is the name given to a wide variety of different browser hijackers that can have substantially different symptoms from one variant to the next. All of these hijackers redirect browsers to coolwebsearch.com or to one of many other affiliated sites. This software causes the lop.com toolbar to pale into insignificance when it comes to criminal activity.

Symptoms of a CoolWebSearch infestation vary greatly but often include:

Home page search settings pointing to coolwebsearch

Hosts file hijacked or deleted

Encoded, odd looking URLs

Programs set to run on every boot

coolwebsearch.com added to IE's Trusted Sites list

Impersonating msn.com

Masquerading as a device driver

Direct attacks on your antivirus, firewall, hijack preventative and trojan removal software

Closing running processes and generating fake Windows errors to cause confusion

Overwriting various files belonging to security software, and much more

There are well over 1200 known affiliates of coolwebsearch. A full list is available here . It's a very long list so the text is quite small. Given the major variations in this particular hijacker, it is not recommended that you follow the removal instructions at that link. Instead, download BOTH of these:

http://www.majorgeeks.com/download4086.html

http://www.majorgeeks.com/download4113.html

If either of those links are temporarily down, try BOTH of these:

CWShredder

CoolWWWSearch.SmartKiller

Lop Toolbar - lop.com - Lop Inc.

The Lop Toolbar hijacks your home page and deliberately redirects you to advertisers associated with lop.com. It also tracks every website that you visit and reports your surfing activity to Lop Inc, as well as stuffing your favourites list full of spam links and hijacking your default search settings. The information gathered by the Lop Toolbar is used to target you with adverting. The Lop Toolbar is particularly nefarious because it updates itself without your permission and also renames itself to avoid detection by software designed to remove it.

Removing the Lop Toolbar is not going to be easy. It may well cost you a significant time and cash investment so you should consider if it's worth backing up your important data and doing a clean install of Windows XP.

AdAware and SpyBot, links in next section (Redirectors, Rogues and Spyware), are likely to find a large proportion of a Lop infestation, but they have been known to miss some files if the Lop Toolbar has updated and renamed itself recently. At the time this article was updated (19 June 2003), there were at least 18 known Lop variants that changed your home page to one of these:

aavc.com acjp.com ebav.com ebaw.com ebch.com

ebdv.com ebdw.com ebgo.com ebjp.com ebkb.com

ebkn.com ebky.com eblv.com ebmu.com ebvr.com

ecmh.com ecmp.com ecwz.com ecyb.com edhq.com

edty.com eduy.com eeev.com ibmx.com icwb.com

icwo.com icwp.com iddh.com idhh.com ifiz.com

iguu.com samz.com saoe.com sbee.com sbjr.com

sbnl.com sbnt.com sbvr.com scbm.com sckr.com

scrk.com sdry.com seld.com sfux.com sipo.com

smds.com srox.com srsf.com ssaw.com ssby.com

surj.com tbvg.com tdak.com tdko.com tdmy.com

tefs.com tfil.com thko.com tjar.com tjaw.com

tjdo.com tjem.com tjgo.com torc.com wabq.com

wabu.com wbkb.com wfix.com wflu.com farse.com

sheat.com

You should start your attempt to remove the Lop Toolbar by using HijackThis first because it has been reported to catch a large number of Lop changes missed by AdAware and SpyBot. PestPatrol (not free) may find some more of the files and changes made by the Lop Toolbar, but because Lop constantly changes, it may not be a sure-fire cure. Online PC Fix also has a Lop remover, but it also is not free. Links to all of these tools and products are listed below, in the next section.

Redirectors, Rogues and Spyware

This class of program and/or plugin can and do make dramatic changes to your Internet Explorer, Netscape, Opera, and Mozilla browsers, amongst others. They redirect the default search engine page, attach themselves to toolbars, alter your home page, as well as put shortcuts to websites on your desktop and into your favourites folder. They can cause your browser to lock and die, and they can, and do, track the types of pages that you visit then target your browser with ads that match your browsing habits.

You may also be wondering how the dreadful beast that now plagues you managed to parasite itself onto your system. A lot of people will tell you it's because you downloaded porn or warez, but more than likely you didn't deliberately download anything at all to get caught. Redirectors, rogues and spyware can easily be installed by ActiveX from many websites, often through seemingly innocuous pop-up advertisements. Unscrupulous websites create a mass of confusion on your screen by generating pop-up loops that open endlessly and then use the confusuin to trick you into downloading the parasite. Unfortunately these tricks have also been employed by mainstream advertising networks. So, there is no real way of knowing where you actually got it from, but if you recently had a firestorm of pop up windows then that's the likely source.

If you have a problem with any of the symptoms described above, you might try these removal tools:

SpyBot Search & Destroy (freeware)

AdAware (Entry level product is free)

HijackThis (direct download, freeware) - If you find HijackThis useful, please visit the HijackThis page here and support the author with a donation.

Visit this link for specific issues with the invidious rogue called Xupiter - the removal product for Xupiter is not free. PestPatrol (around $US40) may find some more of the remaining files. You can download an evaluation version of PestPatrol that will identify ad and spyware plagues on your system, but the functionality to remove detected items is disabled. Online PC Fix also has a Lop remover , but it is not free.

Find out more about the insidious Lop Toolbar at spywareinfo.com.

There are many sites on the Internet that list known spyware, Sutton Designs is one of them. They have two pages, the first is a list of "known spyware" and the second is a description of the Radiate/Aureate technology and a list of applications it is embedded into. If you want to find out what other software is or might be "spyware", you should use a search engine. Also visit Gibson Research for a very interesting look into the world of spyware.

Once you have tried removing any vermin from your system, if Internet Explorer hangs as a result of those changes, read this article: How to Reinstall/Repair Internet Explorer and Outlook Express

Other Ad and Spyware

Alexa: "Alexa's Toolbar Service improves your ability to use the Web. One of its most important features is Related Links, which tells you about websites that are "related" to the ones you are viewing while surfing the Web and which you may find interesting. It does this, in part, by logging and analyzing the Web surfing patterns of Alexa users, which we call usage paths. These usage paths are also used to create research and commercial reports that analyze aggregate Web usage patterns." Manual removal instructions from safersite.com.

bridge.dll is part of WinFavorites, which has been reported as spyware or adware. Pestpatrol claims to remove this parasite, but the software is not free. More information on Winfavorites is available here. If you don't want to pay for Pestpatrol, take a look here.

GAIN or Gator: "GAIN is an acronym for the Gator Advertising & Information Network. GAIN helps keep many popular software applications and services free in exchange for delivering ads, information, and software based on the web sites being viewed. This network of GAIN supported applications includes games, audio & video products, and a number of helpful utilities. You will receive GAIN messages so long as you have GAIN supported applications on your system." To stop receiving advertising through GAIN-supported software, uninstall the software in accordance with the EULA supplied with the offending software.

TinyBar: From safersite.com: An Internet Explorer toolbar implemented as an HTML file, which may offer a search feature pointed at a generic portal, for example: tinybar.com allcybersearch.com gocybersearch.com topsearcher.com znext.com traffic4sure.com errorpage404.com searchaccurate.com ourlinklist.com topclicks.net iseekresults.com ysearchus.com There may also be link buttons pointed at the same site. Some versions may not be visible in the IE interface at all and only spawn pop-up ads. Manual removal instructions from safersite.com.

Yahoo! Yahoo? Yes, Yahoo!: "Yahoo! sends to your web browser most of the advertisements you see when you use the Yahoo! network of web sites. However, we also allow other companies, called third-party ad servers or ad networks, to serve advertisements within our web pages. Because your web browser must request these advertising banners from the ad network web site, these companies can send their own cookies to your cookie file, just as if you had requested a web page from the site. Please note that if an advertiser asks Yahoo! to show an advertisement to a certain audience (for example, men ages 18-34) and you respond to that ad, the advertiser or ad-server may conclude that you fit the description of the audience they are trying to reach." Read who Yahoo! currently has an advertising relationship with. Some of them are known to use spyware cookies, such as AtlasDMT.com, which has been identified as a "most prevalent pest."

SaveNow: From cnet news (view original article): In efforts to locate revenues from their free services, companies that create popular programs, including BearShare, Audiogalaxy Satellite and iMesh, are adding outside pieces of software that have nothing to do with file trading. Dubbed "adware," or "spyware" by their critics, these software programs run in the background even when the original file-swapping software isn't operating, popping up advertisements while people surf online, and sometimes quietly uploading information about a Web surfer's habits. Manual removal instructions from safersite.com.

For information on removing any of the following prasites, visit doxdesk ...

2020Search         7FaSSt             AccessPlugin

ActualNames        ACXInstall         AdBreak

AdRoar             AdultLinks         AproposMedia

Aornum             ASpam              AutoSearch

AutoStartup        BargainBuddy       BDE

BookedSpace        BrowserAid         BrowserToolbar

Bulla              ClearSearch        ClickTheButton

ClientMan          CnsMin             CometCursor

Comload            CommonName         CrackedEarth

CustomToolbar      Cytron             DailyToolbar

DailyWinner        DialerOffline      DialerActiveX

DialXS             DownloadPlus       DownloadReceiver

DownloadWare       E2Give             eStart

eXactSearch        ezCyberSearch      ezSearching

FavoriteMan        FlashTrack         FreeScratchAndWin

Gratisware         GAMsys             Gator

GlobalNetcom       HotBar             Httper

HuntBar            IEAccess           IEDriver

IEMonit            IEPlugin           IETray

IGetNet            ILookup            InetSpeak

InternetOptimizer InternetWasher     IPInsight

ISTbar             KeenValue          LinkReplacer

MagicControl       MarketScore        MasterDialer

MatrixDialer       MediaUpdate        Meridian

MoreResults        MoneyTree          MyPageFinder

MySearch           NavExcel           nCase

NetPal             NetworkEssentials NewDotNet

NewtonKnows        NowBox             Onflow

OnlineDialer       PerfectNav         PerMedia

PowerStrip         Pugi               RapidBlaster

RelatedLinks       Roimoi             SaveNow

SCBar              SearchAndBrowse    Searchex

SearchSprint       SearchSquire       SearchWWW

ShopAtHomeSelect   ShopNav            Sidesearch

SmartBrowser       SpyBlast           StarDialer

StripPlayer        SubSearch          Surfairy

SuperBar           SVAPlayer          TinyBar

ToolbarCC          TopText            TOPicks

Transponder        TVMedia            Wazam

webHancer          Whazit             Wink

Winshow            Winupie            Wonderland

WurldMedia         XDialer            XDiver

XLoader            ZeroPopUp          Zipclix

Zyncos

E-mail Spam

There is only one real way to effectively deal with e-mail spam. Commonsense. If you post into Usenet with your real e-mail address or you provide your personal details and/or e-mail address to websites that you do not know or are not familiar with, then expect to get bombarded with spam. If you have a website and include your contact e-mail address, expect unscrupulous spammers to spider and crawl your site looking for e-mail addresses. In short, if you cannot exercise commonsense, then really, if you get spammed, you deserved it.

Valuable Anti-Spam Tip #1

Not reading what is written on the screen is probably the most common form of getting caught in a spam trap. When signing up for anything, always look for already checked checkboxes that say, "Yes, sign me up" or the like. Also look for unchecked checkboxes that try to trick you with negative statements such as "No, I do not wish to receive e-mail".

Valuable Anti-Spam Tip #2

Most users who have been using the Internet for some time will naturally gravitate to using a selection of websites on a regular basis, and are often prudent with giving out their e-mail address. If you are just starting out on the long road of evaluating websites that appeal to you, the following will help you identify the sites you can and cannot trust with your e-mail address.

www.cjb.net offer a free web URL redirection service that allows you to redirect an easy-to-remember yourname.cjb.net address to your web site, no matter where it happens to be hosted. One of the features of cjb.net's free service is a POP3 account. You can send mail from the account that you have with your ISP and recieve mail via your cjb.net POP3 account. The sign-up process requires you to specify a web URL for the redirection service. If you do not have a website, just specify your browser home page as the redirect URL.

What happens is that cjb.net assigns you a subdomain of cjb.net in the form of yourname.cjb.net. All mail, irrespective of the name in front of the @ symbol is redirected to the master account for the subdomain. In other words, mail for fred@yourname.cjb.net is sent to the same POP3 account as the mail for joe@yourname.cjb.net. The beauty of this may not be readilly apparent...

Once your account is created and you have you@yourname.cjb.net set up in your e-mail client and can send and receive e-mails to and from the account, you can confidently provide any e-mail address at yourname.cjb.net and identify the source of any unwanted spam. Simply put the name of the website before the @ symbol. If you start to receive spam from that e-mail address, you know where it came from.

All you need do to never see spam again for that e-mail address is set up a simple rule in your e-mail client. Outlook Express can interrogate the destination e-mail address of an e-mail on the POP3 server and delete it for you. Just select Tools > Message Rules > Mail and configure as shown. You do not need a filter for every e-amil address. Under 3. Rule Description (click on underlined value to edit it), simply click the underlined text and add more addresses as you need them.