Category Archives: Parasites

Zyncos

Description

Zyncos is a porn-related redirector consisting of an Internet Explorer Browser Helper Object and an executable file run at Windows startup.

At the time of writing its controlling server is no longer responding, so its exact intended behaviour is uncertain.

Also known as

ZyncosMark by Ad-Aware. Qwysh from its process’s filename.

Distribution

Installed by ActiveX drive-by download from unknown sources; suspected to be disguised as a video viewer.

What it does

Advertising

Yes. Monitors web pages for predetermined (mostly porn-related) trigger words, and opens paid search results served from 66.28.33.20 (which redirects to pornfoto.com).

Privacy violation

Unknown.

Security issues

Yes. May silently download and execute arbitrary code from its controlling server cnctag.com, as an updating feature.

Stability problems

None known.

Removal

There is no built-in uninstaller. Ad-Aware updates from June 2003 can remove Zyncos.

Manual removal

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\zyncosspace\cmctl.dll"

Next, open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’), and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘ZyncosMark’ entry on the right.

Restart the computer and you should be able to delete the entire ‘zyncosspace’ folder inside ‘Program Files’ on the C: drive (even if that’s not where your normal Program Files folder is). You should also delete the entry ‘ACCESS.AccessCtrl.1’ in ‘Downloaded Program Files’ inside the Windows folder.

Zipclix

Description

Zipclix is an Internet Explorer search toolbar.

Distribution

Installed by the InternetWasher parasite, along with Httper. Both programs are controlled by popupblockade.com.

What it does

Advertising

Yes. At the time of writing this feature is not in use, but the software can be directed by its controlling server to show periodic advertisements.

Privacy violation

No.

Security issues

Yes.

Can be directed by its controlling server to download and execute arbitrary code as a self-updating feature.

Stability problems

No.

Removal

There should be a ‘Zipclix’ entry in the Control Panel’s Add/Remove Programs feature. This works correctly.

Manual removal

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Zipclix\Zipclix.dll"

After restarting the computer you should be able to delete the Httper folder inside Program Files.

You can also delete the key HKEY_CURRENT_USER\Software\Zipclix in the registry (Start->Run->regedit) to clean up if you like.


ZeroPopup

Description

An Internet Explorer toolbar with a pop-up advert-blocking feature, which also hijacks homepage and search settings to znext.com every time IE is started.

Also known as

ZeroPopUpBar, to distinguish it from the earlier standalone commercial popup-killer of the same name, by the same author. Note there is no connection to the similarly-named “ZeroPopup” by “Tooto Technologies”.

Distribution

‘Viral marketing’: some versions, when installed, send an endorsement purporting to be from you to everyone in your e-mail address book.

Also installed by ActiveX drive-by-download on the search bar pointed to by some variants of the parasite (also by the same author).

What it does

Advertising

No.

Privacy violation

No.

Security issues

No.


Stability problems

None known.

Removal

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the commands:

cd "%WinDir%\System"
regsvr32 /u zeropopupbar.dll

After restarting the computer, you should be able to open the System folder (inside the Windows folder, called ‘System32’ on Windows NT/2000/XP or ‘System’ on Windows 95/98/Me), and delete the zeropopupbar.dll file.

Finally, set your home page back to what it was before (from Internet Options->General->Start page) and restore your search settings (by clicking Internet Options->Programs->Reset Web Settings).

Links

  • McAfee’s info on ZeroPopup and the ‘Tellafriend’ variant.
  • The official site is www.zeropopup.com. (This isn’t a link because this page causes a download to occur straight away – take care.)

HuntBar

Description

HuntBar is a search-hijacker from Traffic Syndicate (controlling server dst.trafficsyndicate.com), with various additional features depending on version.

Variants

HuntBar/TS is the original version, also providing an IE toolbar with search features.

HuntBar/Side is an addition to HuntBar/TS which also pops open a search sidebar pointed at its own results when it detects you using search engines.

HuntBar/MSLink is a development of HuntBar/Side which drops the toolbar from HuntBar/TS and adds the ability to redirect you instantly when you browse targeted web pages. This is typically used to hijack affiliate fees from merchant sites.

HuntBar/BTLink is an updated version of MSLink.

HuntBar/MSIn and HuntBar/BTIn are installer controls for both the MSLink and BTLink variants.

HuntBar/SToolbar also tries to hijack your homepage to WebSearch.com, and copies searches you make in known search engines to the search field in the toolbar as you type.

HuntBar/QDow is a small downloader ActiveX control used to load HuntBar/BTIn.

Distribution

Through ActiveX drive-by-download at affiliate sites, including pop-up advertising served by trafficsyndicate.com.

TrafficSyndicate, the makers of HuntBar, offer ‘co-branded’ versions of HuntBar which may be installed by other sites under a different name. Known partner sites include bullseyesgames.com and side-search.com.

What it does

Advertising

No.

Privacy violation

HuntBar/TS sends the domain name of the site being viewed, the domain name of any site previously being viewed and the title and any keywords in the current page to its controlling servers whenever a new site is viewed. It does this even if the toolbar is not turned on.

HuntBar/Side, MSLink, BTLink and SToolbar send the URLs and search terms used to their controlling servers, together with a unique ID that allows your search engine usage to be tracked.

Security issues

Yes. HuntBar/TS, MSIn and BTIn can silently download and execute arbitrary code, as an update feature.

Stability problems

HuntBar/BTLink and SToolbar seem to cause IE to crash often on some setups with an ‘Exception E Access Violation’.

Removal

TrafficSyndicate offer two uninstaller files for HuntBar/TS, which have been reported not to work properly.

HuntBar/Side may put an entry called ‘MSIETS’ in the Control Panel’s Add/Remove Programs option, which should remove this variant.

HuntBar/MSLink and HuntBar/BTLink have two entries in the Control Panel’s Add/Remove Programs option, called ‘Internet 404’ and ‘Tools for Internet Explorer’. Both entries (which also demand an internet connection to work) must be removed to get rid of these variants, but removing them leaves the files intact and still does not remove the MSIn or BTIn installer, which can reinstall the software automatically in the future.

HuntBar/SToolbar puts an entry called ‘Search Toolbar’ in Add/Remove Programs, which should work (though it requires an internet connection).

Ad-Aware (with an updated reference file) and Spybot S&D can remove HuntBar variants other than BTLink, BTIn and SToolbar.

Manual removal

Open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands (for HuntBar/TS):

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Common Files\MSIETS\msiets.dll"

For HuntBar/Side and HuntBar/MSLink, enter:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Common Files\MSIETS\msielink.dll"

For HuntBar/BTLink, enter:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Common Files\BTLINK\btlink.dll"

For HuntBar/MSIn, enter:

cd "%WinDir%\System"
regsvr32 /u msiein.dll

For HuntBar/BTIn, enter:

cd "%WinDir%\System"
regsvr32 /u btiein.dll

For HuntBar/SToolbar, enter:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Search Toolbar\SToolbar.dll"

(Users of non-English versions of Windows will need to change ‘Program Files’ and ‘Common Files’ in the above commands to the names of these folders in the language Windows was installed in.)

Having done this you can restart the machine and delete the folder ‘Common Files\MSIETS’ (TS, Side, MSLink variants), ‘Common Files\BTLINK’ (BTLink variant) or ‘Search Toolbar’ (SToolbar variant) from the Program Files folder.

Inside the System folder (which is inside the Windows folder, called ‘System’ under Windows 95/98/Me or ‘System32’ under Windows NT/2000/XP), you can delete the file ‘msiein.dll’ (MSIn variant) or ‘btiein.dll’ (BTIn variant).

To clean up, you can also open ‘Downloaded Program Files’ in the Windows folder and delete the entry ‘{8A05273A-2EA5-42DE-AA75-59EA7D9D50D7}’, ‘{59450DB0-341D-4436-B380-B8377D8B6796}’, ‘{D6E66235-7AA6-44ED-A06C-6F2033B1D993}’ or ‘{26E8361F-BCE7-4F75-A347-98C88B418322}’.

You can also open the registry (Start->Run->regedit), find the key HKEY_CURRENT_USER and delete the subkey ‘MSIETS’ (TS, Side variants), ‘MSIEIN’ (MSIn variant), ‘BTIEIN’ (BTIn variant), ‘BTLINK’ (BTLink variant) or ‘Search Toolbar’ (SToolbar variant).

After removing the software you may want to delete the shortcuts the HuntBar/Side and TS variants add to the desktop, start menu and favourites menu, and reset your search and home pages back to normal (Tools->Internet Options->Programs->Reset Web Settings).

Httper

Description

Httper is a pop-up opener and error-page hijacker implemented as an Internet Explorer Browser Helper Object. When enabled by its controlling server config.url404.com, Httper will redirect any web server error page to a sponsor’s site.

Distribution

Installed by the InternetWasher parasite, along with Zipclix. Both programs are controlled by popupblockade.com.

What it does

Advertising

Yes. At the time of writing this feature is not in use, but the software can be directed by its controlling server to show periodic advertisements.

Privacy violation

No.

Security issues

Yes.

Can be directed by its controlling server to download and execute arbitrary code as a self-updating feature.

Stability problems

No.

Removal

There should be an ‘Httper’ entry in the Control Panel’s Add/Remove Programs feature. This works correctly.

Manual removal

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Httper\httper.dll"

After restarting the computer you should be able to delete the Httper folder inside Program Files.

You can also delete the key HKEY_CURRENT_USER\Software\Httper in the registry (Start->Run->regedit) to clean up if you like.
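Zyncos, Zipclix and Httper are all removed the same way: deregister a Browser Helper Object or toolbar DLL with regsvr32 /u and delete a startup entry under the Run key. The following PowerShell script is an added example, not code from the original page or from any of the software it describes; it audits the two places IE and Windows record those registrations, resolves each BHO’s CLSID to the DLL it loads, and flags anything living in the folders or using the Run-value names the page lists. The folder and value names are taken from the page; the registry locations are the standard ones for BHOs and Run entries. Run it from an elevated PowerShell prompt; it only reports unless -Unregister is given.

```powershell
# Added example (not part of the original page): audit IE Browser Helper Objects
# and Run-key startup entries for the parasites described on this page.
# Run as Administrator. Reports only, unless -Unregister is given.
param([switch]$Unregister)

# Folder names and Run-value names taken from the page's removal instructions.
$SuspectFolders = @('zyncosspace', 'Zipclix', 'Httper', 'MSIETS', 'BTLINK',
                    'Search Toolbar', 'Xupiter', 'Browser', 'Sqwire', 'Orbit', 'OE')
$SuspectRunValues = @('ZyncosMark', 'XupiterStartup', 'XupiterCfgLoader',
                      'SQUpdatesChecker', 'SQConfigChecker', 'OrbitUpdate', 'OrbitView')

# As the page notes, 'Program Files' and 'Common Files' are named differently on
# non-English Windows; adjust here if so.
$ProgramFilesName = 'Program Files'
$CommonFilesName  = 'Common Files'
$FolderPattern = '\\' + [regex]::Escape($ProgramFilesName) + '\\(' +
                 [regex]::Escape($CommonFilesName) + '\\)?(' +
                 (($SuspectFolders | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\\'

# Standard registration points: every BHO CLSID is a subkey here, and IE loads
# each one into every browser window; Run values are started at logon.
$BhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-BhoList {
    # Resolve each CLSID to the DLL named in its InprocServer32 default value.
    if (-not (Test-Path $BhoKey)) { return @() }
    Get-ChildItem $BhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { $null }
        [pscustomobject]@{ Clsid = $clsid; Dll = $dll }
    }
}

function Find-SuspectBhos {
    # -match is case-insensitive, so 'zyncosspace' and 'ZyncosSpace' both hit.
    Get-BhoList | Where-Object { $_.Dll -and $_.Dll -match $FolderPattern }
}

function Find-SuspectRunEntries {
    if (-not (Test-Path $RunKey)) { return @() }
    $props = Get-ItemProperty $RunKey
    foreach ($name in $SuspectRunValues) {
        if ($props.PSObject.Properties[$name]) {
            [pscustomobject]@{ Name = $name; Command = $props.$name }
        }
    }
}

$bhos = @(Find-SuspectBhos)
$runs = @(Find-SuspectRunEntries)
Write-Host "Suspect Browser Helper Objects:"; $bhos | Format-Table -AutoSize
Write-Host "Suspect Run entries:";            $runs | Format-Table -AutoSize

if ($Unregister) {
    foreach ($b in $bhos) {
        # Same call the manual-removal steps make by hand; /s suppresses the dialog.
        & "$env:WinDir\System32\regsvr32.exe" /u /s $b.Dll
    }
    foreach ($r in $runs) { Remove-ItemProperty -Path $RunKey -Name $r.Name }
}
```

Review the report before using -Unregister: the match is by folder name only, so a legitimate program installed under a same-named folder would also be listed. After deregistering, reboot and delete the program folders as described above; the DLL cannot be deleted while IE still has it loaded.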

Xupiter

Description

Xupiter consists of an Internet Explorer toolbar containing link buttons to one of Xupiter’s search engines and a task run at Windows startup which downloads updates to the software and may launch pop-ups. It also contains functionality to hijack your home page and address bar searches, and add Xupiter links to your bookmarks.

Variants

Xupiter/Xupiter uses the site xupiter.com for all functions; Xupiter/Xjupiter is the same but uses xjupiter.com instead. Xupiter/2003 is the same as the Xupiter variant, but puts its DLL directly in its Program Files folder instead of in an ‘Updates’ folder.

Xupiter/BrowserWise points to browserwise.com but is still otherwise identical to Xupiter. Xupiter/Browser is a newer variant which still points to browserwise.com, but stores its program files in a folder called ‘Browser’ instead of ‘Xupiter’.

Xupiter/Sqwire is a newer variant pointing at sqwire.com. Its program files are stored in a ‘Sqwire’ folder, in a different layout to previous versions, and an installer DLL is left in Downloaded Program Files.

Xupiter/OrbitExplorer is the latest variant, pointing at orbitexplorer.com. Some of its program files are stored in an ‘Orbit’ folder in Program Files, the rest in an ‘OE’ folder in Common Files. It also has the installer DLL.

Also known as

XupiterToolbar (program name).

Distribution

Installed by ActiveX drive-by-download in affiliate pages. Known sources include the site www.freewebupgrades.com (which is advertised by junk e-mail) and pop-up adverts on sites such as FortuneCity and cjb.net subdomains.

More recently also bundled with Grokster.

One of Xupiter/Sqwire’s ActiveX drive-by-download pages has been advertised by junk e-mail (spam) offering a ‘Free Christian Toolbar’. Another pretends to be a program to disable Windows Messenger service pop-ups.

What it does

Advertising

Yes. Apart from the hijacking and added links, the software periodically opens pop-under advertisements as directed by its controlling servers. (These may appear in windows with only an ‘exit’ menu.)

Privacy violation

The privacy policy states that the software may track all web usage. However this behaviour has not been observed.

Security issues

Yes. The software contacts its servers to ask for update code, which is executed without checks. It has also been known to download third-party software (for instance a casino loader app).

Stability problems

In the initial variants, the update-checking task tries to connect to xupiter.com to download updates whether or not you are connected. If it fails it may cause a crash in ‘RunDownload.exe’. Some versions of Xupiter can cause the Windows Explorer to crash when opened under Windows XP.

Removal

The OrbitExplorer variant may have an uninstall available. Go to Add/Remove Programs in the Control Panel, choose ‘Orbit’ and click ‘Remove’.

Other variants have no built-in uninstall. An uninstaller is available through ActiveX drive-by-download from Xupiter sites; reports suggest this works for some but not all variants, and may leave a message on bootup that Xupiter must be reinstalled.

The latest updates of Spybot S&D and Ad-Aware can remove all Xupiter variants.

Manual removal

Open the registry (from the Start menu, click Run and enter regedit) and find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Delete the entries ‘XupiterStartup’ and ‘XupiterCfgLoader’ (earlier variants), ‘SQUpdatesChecker’ and ‘SQConfigChecker’ (Sqwire variant) or ‘OrbitUpdate’ and ‘OrbitView’ (OrbitExplorer variant).

Open a DOS command prompt window (Start->Programs->Accessories) and enter the following commands to deregister the toolbar (Xupiter and BrowserWise variants):

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Xupiter\Updates\XupiterToolbar.dll"
regsvr32 /u "\Program Files\Xupiter\Updates\XTUpdate.dll"
regsvr32 /u "\Program Files\Xupiter\Updates\XTSearch.dll"

(The earliest variants of Xupiter didn’t have the XTSearch.dll file, so don’t worry if this last command gives an error.)

For the 2003 variant, use:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Xupiter\XupiterToolbar.dll"
regsvr32 /u "\Program Files\Xupiter\XTUpdate.dll"
regsvr32 /u "\Program Files\Xupiter\XTSearch.dll"

For the Browser variant, use:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Browser\Updates\BrowserToolbar.dll"
regsvr32 /u "\Program Files\Browser\Updates\BWUpdate.dll"
regsvr32 /u "\Program Files\Browser\Updates\BWSearch.dll"

For the Sqwire variant, use:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Sqwire\t.dll"
regsvr32 /u "\Program Files\Sqwire\u.dll"
regsvr32 /u "\Program Files\Sqwire\s.dll"

For the OrbitExplorer variant, use:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Common Files\OE\toolbar.dll"
regsvr32 /u "\Program Files\Common Files\OE\redirector.dll"
regsvr32 /u "\Program Files\Common Files\OE\search.dll"

(On non-English versions of Windows, ‘Program Files’ and ‘Common Files’ may be called something different. In that case you will have to change these commands to match the name of these folders.)

Restart the computer and open the Program Files folder. Delete the ‘Xupiter’, ‘Browser’, ‘Sqwire’ or ‘Orbit’ folders, and in the OrbitExplorer variant also the ‘OE’ folder inside Common Files. For the Sqwire and OrbitExplorer variants, you should also open ‘Downloaded Program Files’ in the Windows folder and remove the ‘Loader class’ entry if it is there.

You can now restore your home page (Internet Options->General->Home page) and your search settings (Internet Options->Programs->Reset web settings). You can also delete the settings to clean up if you like: open the registry and delete the key HKEY_CURRENT_USER\Software\Xupiter, HKEY_CURRENT_USER\Software\SQ (Sqwire variant) or HKEY_CURRENT_USER\CLSID\{0FDA4D2B-7975-405d-8D7C-F5E2247EAE80} (OrbitExplorer variant).
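ZeroPopup, HuntBar/SToolbar and Xupiter all finish by pointing IE’s home page and search settings at their own sites, and the removal steps above end with putting those settings back. The following PowerShell script is an added example, not from the original page or from Xupiter; it reads the standard IE settings values, flags any that point at a domain the page names, and optionally resets the start page to a value you supply. The domain list is taken from this page; the value names are IE’s own. The search-settings reset is left to the Reset Web Settings button as the page describes, since that restores several values at once.

```powershell
# Added example (not part of the original page): find IE home-page and search
# settings that point at the hijack domains this page lists, and optionally
# set the start page back. Usage:  .\Check-IEHijack.ps1 [-HomePage about:blank]
param([string]$HomePage)

# Domains the page associates with home-page/search hijacking.
$HijackDomains = @('znext.com', 'websearch.com', 'xupiter.com', 'xjupiter.com',
                   'browserwise.com', 'sqwire.com', 'orbitexplorer.com')

# Where IE keeps these settings: per-user, plus the machine-wide defaults.
$MainKeys = @('HKCU:\Software\Microsoft\Internet Explorer\Main',
              'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main')
$SearchUrlKey = 'HKCU:\Software\Microsoft\Internet Explorer\SearchUrl'
$ValueNames = @('Start Page', 'Default_Page_URL', 'Search Page', 'Default_Search_URL')

function Test-HijackedUrl([string]$Url) {
    # Compare the URL's host against each domain, including subdomains.
    if (-not $Url) { return $false }
    try { $hostName = ([uri]$Url).Host } catch { return $false }
    if (-not $hostName) { return $false }
    foreach ($d in $HijackDomains) {
        if ($hostName -eq $d -or $hostName.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Find-HijackedSettings {
    $found = @()
    foreach ($key in $MainKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty $key
        foreach ($n in $ValueNames) {
            $v = $props.PSObject.Properties[$n]
            if ($v -and (Test-HijackedUrl $v.Value)) {
                $found += [pscustomobject]@{ Key = $key; Name = $n; Value = $v.Value }
            }
        }
    }
    if (Test-Path $SearchUrlKey) {
        # The SearchUrl key's default value is where address-bar searches are sent.
        $v = (Get-ItemProperty $SearchUrlKey).'(default)'
        if (Test-HijackedUrl $v) {
            $found += [pscustomobject]@{ Key = $SearchUrlKey; Name = '(default)'; Value = $v }
        }
    }
    return $found
}

$hits = @(Find-HijackedSettings)
if ($hits.Count -eq 0) { Write-Host "No hijacked IE settings found." }
$hits | Format-Table -AutoSize

if ($HomePage -and $hits.Count -gt 0) {
    foreach ($h in $hits | Where-Object { $_.Name -eq 'Start Page' }) {
        Set-ItemProperty -Path $h.Key -Name 'Start Page' -Value $HomePage
    }
}
```

Run it after the toolbar has been deregistered and the machine rebooted; while the toolbar is still loaded it will simply rewrite the values again at the next IE start, which is the behaviour the ZeroPopup description above notes.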

Links

The Xupiter, BrowserWise, Sqwire and OrbitExplorer sites are just more bog-standard portals; their search features always return the same collections of mostly irrelevant links.

Michelle Delio at Wired News made some interesting discoveries about the people behind Xupiter.

The toolbar was developed by them based on generic toolbar code licensed from Orion Studios (which is why this name appears on earlier variants of XupiterToolbar.exe).

HotBar

Description

Marketed as a program to add graphical skins to IE toolbars, it also adds its own toolbar with context-sensitive link/search buttons.

Distribution

Bundled with older releases of iMesh and other free software; more recently, advertised through junk e-mail purporting to be a Microsoft upgrade to Outlook.

What it does

Advertising

Yes. HotBar’s toolbar grows buttons on the left-hand side leading to advertisers’ and/or paid search sites dependent on the site you are currently viewing.

Privacy violation

Yes. HotBar sends the address of every web site you visit to its controlling servers along with a unique ID that would enable your web usage habits to be tracked. Some sites are monitored more closely, with full URLs and/or data entered into forms being sent to HotBar.

Security issues

Yes.

Hotbar can silently download and execute arbitrary code from its controlling server, as an update feature. 

Stability problems

None known.

Removal

Should be removable from ‘Add/Remove Programs’ on the Control Panel, under the name ‘HotBar’ or ‘Web Tools by Hotbar’.

Version 3 of the software leaves some mess behind in the registry, which you can clean up by running regedit if you want. Keys you can delete:

HKEY_CURRENT_USER\Software\Hotbar
HKEY_USERS\.DEFAULT\Software\Hotbar
HKEY_LOCAL_MACHINE\Software\Hotbar
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\B195B3B3-8A05-11D3-97A4-0004ACA6948E
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\Hotbar 3.0

Partial installs

Sometimes the installer gets ‘stuck’ and won’t install Hotbar properly. “Add/Remove Programs” still works in this case.
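The last registry key in the list above is worth a closer look from the server side: anything registered under Internet Settings\User Agent\Post Platform is appended by IE to its User-Agent string, so a machine with HotBar installed announces ‘Hotbar 3.0’ in every request it makes. A web administrator can therefore count HotBar-infected clients from ordinary access logs. The script below is an added example, not from the original page or from HotBar; the log lines are constructed samples in Combined Log Format, and only the ‘Hotbar 3.0’ token comes from the page.

```powershell
# Added example (not part of the original page): spot HotBar's User-Agent
# token in web server logs. IE appends every Post Platform registry entry
# (here 'Hotbar 3.0') to its User-Agent string, so infected clients are
# visible server-side. The log lines below are constructed samples.
$SampleLog = @'
10.0.0.5 - - [12/Jun/2003:10:01:02 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 3.0)"
10.0.0.6 - - [12/Jun/2003:10:01:03 +0100] "GET /about HTTP/1.1" 200 734 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
10.0.0.5 - - [12/Jun/2003:10:02:10 +0100] "GET /news HTTP/1.1" 200 901 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 3.0)"
10.0.0.7 - - [12/Jun/2003:10:03:44 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; Hotbar 3.0; .NET CLR 1.0.3705)"
'@

# Token to look for in the User-Agent field. Only 'Hotbar 3.0' is on the page;
# the version part is a pattern so other releases would also be caught.
$TokenPattern = 'Hotbar \d+(\.\d+)*'

function Get-PostPlatformHits([string[]]$Lines) {
    foreach ($line in $Lines) {
        # Combined Log Format: client address first, User-Agent is the last quoted field.
        if ($line -match '^(?<ip>\S+) .* "(?<ua>[^"]*)"$') {
            $ip = $Matches['ip']; $ua = $Matches['ua']
            if ($ua -match $TokenPattern) {
                [pscustomobject]@{ Client = $ip; Token = $Matches[0]; UserAgent = $ua }
            }
        }
    }
}

function Get-InfectedClients([string[]]$Lines) {
    # One row per client address, with how many of its requests carried the token.
    Get-PostPlatformHits $Lines | Group-Object Client | ForEach-Object {
        [pscustomobject]@{ Client = $_.Name; Requests = $_.Count; Token = $_.Group[0].Token }
    }
}

# For a real log, replace the sample with: Get-Content .\access.log
Get-InfectedClients ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the sample above the report lists 10.0.0.5 and 10.0.0.7 and leaves 10.0.0.6 out. The same approach works for any toolbar that registers a Post Platform token, which is why that registry key is a good thing to check when a machine is suspected of carrying one.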

XLoader

Description

A German ActiveX installer control for premium-rate diallers.

Distribution

Drive-by-download, unknown source.

What it does

Advertising

No.

Privacy violation

No.

Security issues

Yes. With XLoader installed, any site can direct it to download and execute code from its controlling servers.

Stability problems

No.

Removal

Open a DOS command prompt window (Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "..\Downloaded Program Files\xloader.dll"
del "..\Downloaded Program Files\xloader.*"

Links

AnyGate are the company that digitally signed the software.

GlobalNetcom

Description

An ActiveX installer for premium-rate phone diallers.

Distribution

Downloaded at German sites (sometimes promoted by junk e-mail).

What it does

Advertising

No.

Privacy violation

No.

Security issues

Yes.

Any web page can direct it to install arbitrary code downloaded from its home server.

Stability problems

No.

Removal

Spybot S&D can detect and remove GlobalNetcom.

Manual removal

Open ‘Downloaded Program Files’ in the Windows folder, right-click the ‘IELoaderCtl Class’ entry and choose ‘Remove’.
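Several of the entries on this page (Zyncos’s ‘ACCESS.AccessCtrl.1’, HuntBar’s four CLSIDs, Xupiter’s ‘Loader class’, XLoader’s xloader.dll and GlobalNetcom’s ‘IELoaderCtl Class’) are ActiveX controls that IE installed by drive-by download and lists in ‘Downloaded Program Files’. The following PowerShell script is an added example, not from the original page or from any of these programs; it enumerates those controls from the registry rather than the Explorer view, shows where each one was downloaded from, and flags the ones this page names. The CLSIDs and display names are taken from the page. The registry layout it reads (Code Store Database\Distribution Units, with DownloadInformation\CODEBASE and Contains\Files beneath each unit) is where IE records Downloaded Program Files entries; the display name shown by Explorer comes from the control’s CLSID entry under HKEY_CLASSES_ROOT.

```powershell
# Added example (not part of the original page): list the ActiveX controls
# installed into Downloaded Program Files and flag the ones this page names.
# Report only: removal is done with regsvr32 /u or Explorer's 'Remove', as above.

# CLSIDs, display names and file names taken from the page.
$SuspectClsids = @('{8A05273A-2EA5-42DE-AA75-59EA7D9D50D7}', '{59450DB0-341D-4436-B380-B8377D8B6796}',
                   '{D6E66235-7AA6-44ED-A06C-6F2033B1D993}', '{26E8361F-BCE7-4F75-A347-98C88B418322}')
$SuspectNames = @('Loader class', 'IELoaderCtl Class', 'ACCESS.AccessCtrl.1')
$SuspectFiles = @('xloader.dll')

# IE's record of every downloaded control, one subkey per CLSID.
$UnitsKey = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'

function Get-DistributionUnits {
    if (-not (Test-Path $UnitsKey)) { return @() }
    Get-ChildItem $UnitsKey | ForEach-Object {
        $id = $_.PSChildName
        # Display name as Explorer shows it: the CLSID's default value.
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$id"
        $name = if (Test-Path $clsidKey) { (Get-ItemProperty $clsidKey).'(default)' } else { $null }
        # CODEBASE is the URL the control was fetched from: the drive-by source.
        $dlKey = "$($_.PSPath)\DownloadInformation"
        $codebase = if (Test-Path $dlKey) { (Get-ItemProperty $dlKey).CODEBASE } else { $null }
        # Files installed for this control are recorded as value names here.
        $filesKey = "$($_.PSPath)\Contains\Files"
        $files = if (Test-Path $filesKey) { @((Get-Item $filesKey).GetValueNames()) } else { @() }
        [pscustomobject]@{ Id = $id; Name = $name; CodeBase = $codebase; Files = $files }
    }
}

function Test-SuspectUnit($Unit) {
    if ($SuspectClsids -contains $Unit.Id) { return $true }
    if ($Unit.Name -and ($SuspectNames -contains $Unit.Name)) { return $true }
    foreach ($f in $Unit.Files) {
        if ($SuspectFiles -contains (Split-Path $f -Leaf)) { return $true }
    }
    return $false
}

$all = @(Get-DistributionUnits)
Write-Host "Installed controls:"
$all | Select-Object Id, Name, CodeBase | Format-Table -AutoSize
Write-Host "Flagged by this page's list:"
$all | Where-Object { Test-SuspectUnit $_ } | Select-Object Id, Name, CodeBase | Format-Table -AutoSize
```

The CodeBase column is the useful extra over the Explorer view: it is the URL the control was fetched from, which tells you which site performed the drive-by download and is worth blocking or reporting. Run from an elevated prompt so the machine-wide key is readable.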

XDiver

Description

A German premium-rate phone dialler.

Variants

XDiver downloads can connect to many different phone numbers with differing prices. Costs up to €300 per call have been seen from XDiver.

Once installed, web sites can direct XDiver to dial other numbers using DPF files.

Also known as

EOPS-Connector (by Spybot S&D).

Distribution

Installed by ActiveX drive-by-download in a pop-up window that imitates a Windows software installation dialogue.

It describes XDiver as a “Kostenloses Update der Verbindungssoftware” (free connection software update). If you refuse the download, a JavaScript error appears and it attempts the process again.

Pages with these pop-ups have also been promoted through misleading junk e-mail (spam) campaigns.

What it does

Advertising

No.

Privacy violation

No.

Security issues

No.

Stability problems

No.

Removal

Go to the Control Panel’s Add/Remove Programs option and remove ‘XDiver’.

Links

  • eops AG wrote and manages XDiver.