MoneyTree

Description

MoneyTree is an ActiveX control used to download premium-rate diallers, generally for porn sites.

Variants

MoneyTree/NSUpdate: installs nsupdate.dll and NSupd9x.inf in the Downloaded Program Files folder.

MoneyTree/NSLite: installs nslite.dll and nslite.inf in the Downloaded Program Files folder.

MoneyTree/UniDist: installs UniDist.ocx and UniDist.inf in the Downloaded Program Files folder.

MoneyTree/MultiDist: installs MulDist.ocx and MulDist.inf in the Downloaded Program Files folder.

MoneyTree/DyFuCA: installs dyfuca.ocx and dyfuca.inf in the Downloaded Program Files folder. This variant typically installs the Internet Optimizer parasite.

Also known as

MoneyTree/NSUpdate is known as All-In-One Telcom by Spybot Search and Destroy; the NSLite variant by Ad-Aware 6 as Proclaim Telcom. Both names come from the company names given in the file’s digital signature.

Distribution

Loaded by ActiveX drive-by-download in pages operated by mtree (domains such as mtreexxx.nl), which are often redirected to by pop-up adverts, 404 pages at porn hosts and misspelled domains.

mtree also often uses direct EXE file downloads to distribute the same diallers; this does not leave an ActiveX control loaded, so it is not detected by the script at this site.

What it does

Advertising

No.

Privacy violation

No.

Security issues

Yes. With the control installed, any web page may download and execute arbitrary unsigned code from one of mtree’s servers.

Stability problems

No.

Removal

Open the ‘Downloaded Program Files’ folder (which can be found in the Windows folder), and delete the entry for ‘NSUpdateLiteCtrl Class’ (NSUpdate variant), ‘NSLiteUpdateCtrl Class’ (NSLite variant), ‘MoneyTree Dialer’ (UniDist variant), ‘MultiDist’ (MultiDist variant), or ‘Software Update Manager’ (DyFuCA variant).

Meridian

Description

Meridian is an IE Browser Helper Object that opens pop-up advertising.

This software has not been fully tested, because its controlling servers are, at the time of writing, not responding.

Also known as

Popupper, after its internal name (‘Meridian Popupper’); MyAccess, after its filename.

Distribution

Unknown, suspected ActiveX drive-by-download on pop-up porn ads sourced through TBI Corporation.

What it does

Advertising

Yes, typically porn pop-ups.

Privacy violation

Unknown.

Security issues

Yes.

Can download and execute arbitrary unsigned code pointed to by its controlling server, thumbsnatcher.com. 

Stability problems

None known.

Removal

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u myaccess.dll

After restarting the computer you should be able to delete the myaccess.dll file, which you can find in the System folder. (Inside the Windows folder; it is called ‘System’ on Windows 95/98/Me, or ‘System32’ on Windows NT/2000/XP.)

You can also delete the data files ‘gdiplus64.dll’, ‘ie64.dll’ and ‘ver64.dll’ which you may find in the same folder.

Media Update

Description

MediaUpdate is an IE Browser Helper Object that monitors pages you view and opens or redirects to advertising.

Variants

MediaUpdate/012 and MediaUpdate/020; two versions of the same software controlled by media-update.com.

MediaUpdate/022 is a newer version controlled by stop-pops.com.

Also known as

DoubleAgent, or Movie-Viewer (020 variant), after internal object names; MedUp, after its filename. The 022 variant is known as SafeSurfing, after the program it is distributed as part of.

Distribution

012 and 020 are known to be installed by .EXE video downloaders, probably spawned by porn pop-ups.

022 is distributed with a pop-up-advert stopper called ‘SafeSurfing’.

What it does

Advertising

Yes. It connects to its controlling server to download a list of site URLs and keywords to target. If you visit a targeted site, or view a page with a keyword in its title, MediaUpdate may redirect you to one of their affiliate pages, or open one in a new browser window.

Privacy violation

No.

Security issues

Yes. Can silently download and execute arbitrary code from its controlling server, as a self-updating feature.

Stability problems

No.

Removal

MediaUpdate/020 includes an entry in the Control Panel’s Add/Remove Programs list for ‘Movie Viewer 2.1’. Unfortunately, it does not work.

Manual removal

Open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’), and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘UpdateMedia’ entry (012 and 020 variants) or ‘SafeSurfingUpdate’ (022 variant).

Now open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands (for the 012 variant):

cd "%WinDir%\System"
regsvr32 /u medup012.dll

Or, for the 020 variant:

cd "%WinDir%\System"
regsvr32 /u medup020.dll

Or, for the 022 variant:

cd "%WinDir%\System"
regsvr32 /u ssurf022.dll

Restart the computer and you should be able to delete the file ‘medup012.dll’ (012 variant), ‘medup020.dll’ (020 variant) or ‘ssurf022.dll’ (022 variant) in the System folder. (The System folder can be found inside the Windows folder; it is called ‘System32’ on Windows NT/2000/XP, or just ‘System’ on Windows 95/98/Me.) You can also delete the ‘MediaUpdate’ folder in Program Files with the 012 and 020 variants.

You can also delete the subkey ‘Invictus’ (012, 020 variants) or ‘SafeSurfing’ (022 variant) in the registry key HKEY_LOCAL_MACHINE\Software to clean up if you like.

MatrixDialer

Description

An ActiveX installer control for premium-rate phone diallers, distributed by Spanish company Matrix Technology Network SA.

Also known as

Msa32chk, or LanzarDLL, after filenames used by the software.

Distribution

Installed by ActiveX drive-by-download on porn pages.

What it does

Advertising

No.

Privacy violation

No.

Security issues

Yes, critical. Any HTML page can direct the ActiveX control to download and run arbitrary, unsigned executable code from any server.

Stability problems

Unknown.

Removal

Open the Downloaded Program Files folder inside the Windows folder, and delete the control called ‘Marcador Class’.

This does not, unfortunately, uninstall the software itself.

Manual removal

Next, open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u MSA32CHK.DLL

Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’), and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the entry called ‘Dialer’, which uses rundll32.exe to run msa32chk.dll. Find the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions, and delete the subkey {03FBB191-FB50-4154-91D7-587D5E3C0000}.

Open the Application Data folder. You can find this inside your user folder in ‘Documents and Settings’ on Windows 2000 or XP, or in your user folder in ‘Profiles’ in the Windows folder on Windows NT, or directly inside the Windows folder on Windows 95, 98 and Me. Delete the ‘MATRIX’ folder inside Application Data.

You can also delete MSA32CHK.DLL from the System folder (which is inside the Windows folder, and is called ‘System32’ on Windows NT, 2000 and XP), and any dialler icons added to your desktop and Start menu.

MasterDialer

Description

An ActiveX installer control for premium-rate phone diallers.

Variants

MasterDialer/AXDownload: installs AXDownload.dll; MasterDialer/WebInstall: installs webinstall.ocx; MasterDialer/WebUpdate: installs webupdate.ocx.

Also known as

MasterConnector.

Distribution

Installed by ActiveX drive-by-download on a pop-up window that imitates a Windows software installation dialogue, from web pages operated by Firstway Medien GmbH and COMFIX newMedia.

The software may claim to be a webcam viewer, chat program or eDonkey, depending on the site.

What it does

Advertising

No.

Privacy violation

No.

Security issues

Yes. Any web page can direct it to install any executable code.

To work, the control needs a ‘key’ parameter, which theoretically only its owners can generate, to authorise the installation of code from a particular URL. However this key looks weak (it seems to be an ad hoc checksum rather than a proper cryptographic signature), so it’s probably possible for any web page at all to install whatever code it likes.
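To make the point about the ‘key’ parameter concrete, here is an added example (not code from the page, and not MasterDialer’s actual algorithm, which the page does not give). It puts a hypothetical ad hoc checksum, standing in for the kind of key the page suspects, beside an HMAC-based authorisation of the same URL, and models a hostile page that knows the algorithm but holds no secret. The URLs, the 16-bit checksum and the ‘guessed-key’ are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# --- Hypothetical weak scheme (NOT MasterDialer's real algorithm, which the page does not
# give): a 16-bit additive checksum over the URL. Anyone who can see a URL can compute its
# key, so the "authorisation" carries no information the attacker lacks.
def weak_key(url: str) -> str:
    """Sum of the URL's bytes, folded to 16 bits, as four hex digits."""
    return f"{sum(url.encode('utf-8')) & 0xFFFF:04x}"


def weak_verify(url: str, key: str) -> bool:
    """What a control using the weak scheme would check before fetching and running url."""
    return hmac.compare_digest(weak_key(url), key)


# --- Hardened scheme: HMAC-SHA256 over the URL under a secret that exists only at the
# vendor. A hostile page can still present any URL it likes, but cannot produce a valid
# key for it without that secret.
VENDOR_SECRET = secrets.token_bytes(32)   # stand-in for the vendor's signing key


def sign_url(url: str, secret: bytes = VENDOR_SECRET) -> str:
    """Key the vendor would issue for one specific URL."""
    return hmac.new(secret, url.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_url(url: str, key: str, secret: bytes = VENDOR_SECRET) -> bool:
    """Constant-time check of a presented key against the expected HMAC."""
    return hmac.compare_digest(sign_url(url, secret), key)


def attacker_can_authorise(url: str, verify) -> bool:
    """Model a hostile page that knows the algorithm but not any secret: it tries the
    checksum and an HMAC under a key of its own, and wins if either verifies."""
    candidates = [weak_key(url), sign_url(url, b"guessed-key")]
    return any(verify(url, k) for k in candidates)


if __name__ == "__main__":
    evil = "http://evil.example/payload.exe"   # hypothetical attacker-controlled URL
    print("weak scheme forgeable:", attacker_can_authorise(evil, weak_verify))   # True
    print("HMAC scheme forgeable:", attacker_can_authorise(evil, verify_url))    # False
    # A checksum also collides trivially: a key issued for ab.exe authorises ba.exe.
    print(weak_key("http://vendor.example/ab.exe") == weak_key("http://vendor.example/ba.exe"))
```

Even the HMAC only proves that the vendor authorised a URL at signing time; whatever is served at that URL later (or substituted on the wire, since these were plain HTTP downloads) still runs, so a control like this would also need to verify a signature over the downloaded file itself, and a design in which any web page can trigger an installation at all remains a bad one.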

Stability problems

No.

Removal

Open the Downloaded Program Files folder inside the Windows folder, and delete the control called ‘Main class’ (AXDownload), ‘WebInstall’ or ‘WebUpdate’.

MarketScore

Description

MarketScore is a proxy service which claims to increase the speed of your internet connection. It runs at startup to ensure all your web connections are routed through MarketScore’s proxies. (I did not observe any significant speedup from using the service.)

Also known as

Netsetter (previous name), ossproxy (program name).

Distribution

Installed through ActiveX at MarketScore’s site, heavily pushed by MarketScore affiliates. Possibly also installed with some ISP software (unconfirmed).

What it does

Advertising

No.

Privacy violation

Yes. Every web connection you make, including ‘secure’ connections, goes through the proxies and is logged and analysed on behalf of MarketScore’s customer companies.

Security issues

Unconfirmed. There is a ‘required update’ feature, but it is unknown whether this happens without consent from the user.

Stability problems

Won’t work if you have to use a different proxy. Will kill your internet connection if you try to delete the csloa.dll component manually.

Removal

There is a hidden uninstall feature. Open a DOS command prompt window (from Start->Programs->Accessories) and enter (for Windows 95/98/Me):

"%WinDir%\SYSTEM\NSCheck.exe" /uninstall

Or for Windows NT/2000/XP just:

NSCheck /uninstall

Spybot S&D version 0.95b6 and up can remove MarketScore.

Magic Control

Description

MagicControl is a commercial trojan from dialler manufacturer Electronic Group (eGroup).

It seems to contain code aimed at avoiding personal firewall software installed on the local machine.

Variants

MagicControl/MC: versions 1.0.1.0 to 1.0.1.4, stored in a folder called ‘mc’ in the Windows folder.

MagicControl/Wintrim: versions 1.0.1.5 to 1.0.2.7; folder is now called ‘wintrim’.

MagicControl/Wincomp: version 1.0.2.8; folder is called ‘wincomp’.

MagicControl/Winmgts: version 1.0.2.9; folder is called ‘winmgts’.

Also known as

The Wintrim variant is detected as Persis by F-Secure anti-virus. The Wintrim and Wincomp variants are detected as TROJ_WINTRIM.A by Trend anti-virus.

Distribution

Installed by IEAccess/EGDial and possibly other diallers/loaders from eGroup.

What it does

Advertising

No.

Privacy violation

Suspected. The software contacts its controlling servers at secure-firewall.com and nocreditcard.com and passes what seems to be a block of encrypted data, the contents of which are unknown.

Security issues

Yes. May silently download and execute arbitrary code from its controlling servers.

Stability problems

None known.

Removal

From Add/Remove Programs in the Control Panel, choose ‘mc’ (MC variant), ‘wintrim’ (Wintrim variant) or ‘wincomp’ (Wincomp variant). This uninstaller should work, though it requires internet access.

Manual removal

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands. For the MC variant:

cd "%WinDir%\System"
regsvr32 /u "..\mc\MagicControl.dll"

Or, for the Wintrim variant:

cd "%WinDir%\System"
regsvr32 /u "..\wintrim\MagicControl.dll"
regsvr32 /u "..\wintrim\EGPing.dll"

Or, for the Wincomp variant:

cd "%WinDir%\System"
regsvr32 /u "..\wincomp\2_wincomp.dll"
regsvr32 /u "..\wincomp\3_1,0,0,5_wincomp.dll"

Or, for the Winmgts variant:

cd "%WinDir%\System"
regsvr32 /u "..\winmgts\2_1,0,2,9_winmgts.dll"
regsvr32 /u "..\winmgts\3_1,0,0,6_winmgts.dll"

Next, open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’), and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘cpntmgc’ entry.

Restart the computer and you should be able to delete the entire ‘mc’, ‘wintrim’, ‘wincomp’ or ‘winmgts’ folder inside the Windows folder, and the ‘msegcompid.dll’ file from the System folder (inside the Windows folder; called ‘System32’ on Windows NT, 2000 and XP).

You can delete the ‘iexplore’ folder in Program Files, too (not ‘Internet Explorer’, which is the real IE program folder). Also check to see if you have IEAccess loaded and/or the eGroup certificate in your IE Trusted Publishers list.

lop

What it does

Advertising

Yes. Some shortcut icons are added to the desktop. Many more are added to the Favorites menu. More are on an IE toolbar called ‘Accessories’. The process run on startup also occasionally pops up adverts.

Privacy violation

No.

Security issues

Yes. The startup process can download and execute arbitrary code from its controlling server.

Stability problems

Running the software may cause many ‘dial-up connection’ requests to appear if you are not connected. Windows seems to hang temporarily for a few minutes when this happens.

Removal

lop/Toolbar installations normally put a round icon in the system tray. Try right-clicking this, choosing ‘Menu’, then, on the resulting window, clicking ‘Help’, then ‘Uninstall’. With newer variants you will have to answer an annoying riddle before it will go away.

LinkReplacer

Description

LinkReplacer is an Internet Explorer Browser Helper Object that adds content to the start of every web page viewed.

This content is (currently) a script that reads all your cookies and sends them to LinkReplacer’s controlling server wcft.net.

Distribution

As yet unknown.

What it does

Advertising

No.

Privacy violation

Yes. Cookies set by web sites (and sent by LinkReplacer) may contain personally identifying information.

Cookies are also often used for authorising access to web sites. LinkReplacer’s owners will often be able to gain access to your accounts on web sites you have accessed with it loaded.

Security issues

Yes. LinkReplacer can download and execute arbitrary code as an update feature.

On opening a new IE window, LinkReplacer contacts its controlling server to download the script to be added, and a new copy of itself if it has not updated for a while.

Stability problems

Yes. On closing an IE window you may receive an ‘Application Error’ crash in IEXPLORE.EXE.

Adding the script to the very start of each page can cause web pages that rely on a standards-compliant document type to render badly in IE6.

Removal

Open a DOS command prompt window (Start->Programs->Accessories) and enter:

cd "%WinDir%\System"
regsvr32 /u iehelper.dll

Restart the computer and you should be able to delete the file ‘iehelper.dll’ inside the System folder (inside the Windows folder; called ‘System32’ under Windows NT/2000/XP or ‘System’ under Windows 95/98/Me).

You might also want to change the passwords on web site accounts you have that LinkReplacer may have compromised.

KeenValue

Description

KeenValue is adware operated by eUniverse.com.

Variants

KeenValue/v1, original version, consisting of a single process (keenvalue.exe) run at startup, which spawns pop-ups. This variant cannot

KeenValue/Incredifind adds a second process, kwm.exe, to monitor web sites viewed for ad targeting. It also includes a hosts-file hijacker redirecting Netscape Search to incredifind.com, an address-bar-search and error-page hijacker pointed at incredifind.com (redirecting to sirsearch.com), and an Internet Explorer toolbar providing a search field pointed at sirsearch.com.

(The PowerSearch toolbar is a customised version of Visicom Media’s ‘Dynamic Toolbar’, other variants of which are not known to be parasitic.)

Distribution

Included in software supplied by eUniverse sites, such as thunderdownloads.com, myfreecursors.com, cursorzone.com and mycoolscreen.com.

Also installed by the FavoriteMan parasite.

What it does

Advertising

Yes, opens pop-up ads periodically; in the Incredifind variant these may be triggered by targeted terms in pages being viewed.

Privacy violation

The software’s terms claim it may send all URLs viewed to its controllers. This behaviour has not been observed to happen in current versions of the software. In the Incredifind variant, the error hijack feature does leak some trackable information on pages viewed.

Security issues

Yes. Can download and execute arbitrary code as directed by its controlling server, as an update feature.

Stability problems

There may be problems closing keenvalue.exe when shutting the computer down.

Removal

The v1 variant may be removed from the Control Panel’s Add/Remove Programs feature. Choose ‘KeenValue’ and click ‘Remove’.

The Incredifind variant can be partially removed using the ‘KeenValue’ and ‘PowerSearch toolbar for IE’ entries in Add/Remove Programs, if an internet connection is present.

Manual Removal

For the Incredifind variant, open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Incredifind\BHO\BHO.dll"
regsvr32 /u "\Program Files\PowerSearch\Toolbar\pwrs0rbi.dll"

Next, for either variant, open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Remove the ‘KeenValue’ entry. You can also delete the following keys to clean up, if you wish:

HKEY_CURRENT_USER\Software\Visicom Media\PWRS0RBI
HKEY_LOCAL_MACHINE\SOFTWARE\eUniverse
HKEY_LOCAL_MACHINE\SOFTWARE\KeenValue

(Also the ‘KeenValue’ and ‘PowerSearch’ keys from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall can be deleted if you still have them.)

Next, restart your computer and you should be able to delete the ‘KeenValue’ folder inside the Program Files\Common Files folder. For the Incredifind variant you can also delete the Program Files folders ‘PowerSearch’, ‘Incredifind’ and ‘Dynamic Toolbar\PWRS0RBI’.

Finally, restore your search settings (Internet Options->Programs->Reset Web Settings), and remove the Hosts file hijack: open the System folder (which is inside the Windows folder, and called ‘System32’ on Windows NT, 2000 and XP), go to ‘drivers’->’etc’, and load the file ‘hosts’ (with no file extension) into a text editor. Delete the following line and save.

12.129.205.209 search.netscape.com
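The hosts-file hijack above is one line, but a machine that has had several parasites on it may carry more than one, and the same trick is used against other search and update names. The following is an added example (not code from the page) that scans a hosts file for this pattern and strips the offending lines while leaving everything else, including the user’s own blocking entries, untouched. The sample file is constructed for the example: its fourth line is the hijack entry quoted in the removal steps above, the rest are typical contents; the list of watched names and the LAN entry are assumptions.

```python
import ipaddress
import sys

# Constructed sample of a Windows hosts file. Line 4 is the hijack entry quoted in the
# KeenValue removal steps above; the other lines are typical contents added for the
# example and are not from the original page.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\r\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\r\n"
    "127.0.0.1       localhost\r\n"
    "12.129.205.209  search.netscape.com\r\n"
    "192.168.1.10    fileserver.corp\r\n"
    "127.0.0.1       ad.doubleclick.net   # user's own ad-blocking entry\r\n"
)

# Names whose redirection would capture search queries or updates (assumed list; extend it).
WATCHED_NAMES = {"search.netscape.com", "www.google.com", "windowsupdate.microsoft.com"}


def parse_hosts(text):
    """Yield (line_number, address, [names]) for each mapping line, skipping blanks and
    comments. Line numbers count every physical line so hits can be reported and removed."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2:
            yield lineno, parts[0], parts[1:]


def find_hijacks(text, watched=WATCHED_NAMES):
    """Return [(line_number, address, names, reason)] for suspicious entries.

    A loopback address is the ordinary 'block this site' use of the hosts file and is never
    flagged. A watched name pointed anywhere else is a hijack: the browser sends its traffic
    for that name to whoever controls the address. A public (globally routable) address for
    any other name is flagged too, since local overrides normally point at loopback or LAN
    addresses, not at somebody's internet server."""
    hits = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            hits.append((lineno, addr, names, "unparseable address"))
            continue
        if ip.is_loopback:
            continue
        if any(n.lower() in watched for n in names):
            hits.append((lineno, addr, names, "watched name redirected"))
        elif ip.is_global:
            hits.append((lineno, addr, names, "public address in local override"))
    return hits


def clean_hosts(text, watched=WATCHED_NAMES):
    """Return the hosts text with flagged lines removed; every other line, including its
    original line ending, is kept exactly as it was."""
    bad = {hit[0] for hit in find_hijacks(text, watched)}
    return "".join(raw for lineno, raw in enumerate(text.splitlines(keepends=True), 1)
                   if lineno not in bad)


if __name__ == "__main__":
    # On Windows the file is %SystemRoot%\System32\drivers\etc\hosts; pass its path to scan
    # a real file, otherwise the constructed sample above is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for lineno, addr, names, reason in find_hijacks(text):
        print(f"line {lineno}: {addr} -> {' '.join(names)} ({reason})")
```

Review the flagged lines before writing the cleaned text back: a corporate proxy or split-DNS setup can legitimately put a public address in the hosts file, which is why the scanner reports a reason for each hit rather than deleting silently.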