
Transponder Gang Chronicles By Webhelper


21 replies to this topic

#1 TeMerc

    MalwareBytes

  • Visiting Fellow
  • 626 posts

Posted 27 March 2005 - 02:26 AM

I have spoken with Webhelper and in an effort to post all info he has garnered on this group, and to keep everyone aware of their presence and their involvement in some of the nastiest prevalent infections on the net, I will update this thread as he updates his site, with his blessing.

Our greatest tool against them is exposure.

TeMerc


Originally posted Feb 18, 2005:

Is This Software On Your Hard Drive?

How one of the Internet’s largest and most secretive adware companies really operates. With new regulations coming, will it really reform?

Dec. 9 - In November 2000, yet another e-commerce start-up was grappling with its inevitable fate. Dash.com CEO Dan Kaufman called a meeting of most of the company’s employees in its New York City offices and stared down at the conference-room table as he delivered the bad news. “This is a day I hoped would never happen,” he said, according to an employee at the meeting. The board of directors had just agreed that the dot-com company’s prospects were dim. “Please gather your belongings and exit the building.”

Dash’s business model was ahead of its time—a prototype of what adware companies are doing today. The business asked Web surfers to download a software toolbar that tracked their Internet shopping and offered related e-commerce discounts at the point of purchase. For example, if a user was prepared to buy a book at BarnesandNoble.com, the Dash toolbar could offer a coupon for the same book at Borders. In the midst of a profligate investment environment, Dash.com raised $50 million on this idea from venture capitalists such as AT&T Ventures and the JPMorgan Investment Corp. Now it was preparing to give any leftover cash back to investors and slink off into the dot-com void. “I guess we learned a lot of expensive lessons at Dash,” says Joshua Abram, a former vice president at the company.

As of June 2001, Dash.com and its competitive-coupons idea was officially dead. Or was it?

In this week’s edition of NEWSWEEK, we looked at the growing online presence of adware, software that sits on users’ hard drives and can slow down the desktop with resource-consuming pop-up ads. Adware companies like Claria, WhenU and 180solutions load their software onto hard drives by offering appealing free programs like games, updated weather reports and the like. The adware then serves pop-ups ads on the screen that are often related to the user’s Web activity.

Next year, Congress is likely to pass new legislation regulating the industry. It will require that adware companies obtain explicit permission from users before their programs are populated onto hard drives and to put their name at the top of each pop-up, so users know who’s responsible for it. Most importantly, the new law will make sure consumers can easily delete unwanted adware.

Full Read @ MSNBC
=====================================================
5 March 2005

Complete new update for all CWS Listings

Reprinted with permission by Webhelper

=======================================
24 March 2005


CPVMARKET.COM where they are using the affiliate interface from Mygeek.com from the AdsOn Network.

They also now have a new IPinsight Sentry Stub called mlotus.exe, which they have named after their site mlotus.com, which does not have an active IP assigned yet.

They have also changed their Speer.dll from 2004 to a new one called speeryox.dl (More to come on this one)

They are also using their Speer2.dll which creates their buddy.exe like the Speer and ceres variants. See Speer2.dll

Reprinted with permissions by Webhelper

===================================================================

24 March 2005

Looks like the Transponder Gang has finally gone over to the dark side in allowing CWS exploits to not only bundle a new variant called kz515.dll, BUT I have also found, for the first time, in 4 HijackThis logs on the Internet that their offeroptimizer.com is using an IP address for their search.offeroptimizer.com which is to their searchrabbit.com site. Also, search results direct themselves to findwhat.com. Pure pay-per-click search.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://search.offeroptimizer.com/sidebar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://search.offeroptimizer.com/sidebar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.hotoffers.info/278/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing

The CWS that shows hotoffers.info (see my write-up on the dropper.exe) is from the IP block of Atrivo that is infested with CWS.
See: CWS Atrivo Listings

Reprinted with permission by Webhelper

===================================================================

25 March 2005

Looks like the KZ515.dll is being installed by a bundled install via a possible CWS exploit. If anyone is hit by the kz515.dll and knows where it came from, please submit your link here: Submit Suspect Sites, so that I can research it and we can see exactly why the Transponder gang has changed their methods by writing to the registry and changing users' start pages.
************
About the Grandstreetinteractive.com GSM toolbar. Is Mygeek more than a major Transponder Gang partner?

Read it here

Reprinted with permission by Webhelper
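The R0/R1/R3 lines quoted in the post are the kind of HijackThis entries a helper scans by eye for a search/start page hijack. As an added example (not part of the original post or Webhelper's site), the Python below parses such lines, accepts the usual hxxp defanging, and flags entries whose URL host falls under a watched domain or whose URLSearchHook is reported missing. The watch list and the sample log are constructed from the domains named in the post.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the R0/R1/R3 lines quoted in the post, defanged as posted.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://search.offeroptimizer.com/sidebar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://search.offeroptimizer.com/sidebar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.hotoffers.info/278/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
"""

# Assumption: a defender's own watch list built from the domains named in the post.
WATCHED_DOMAINS = {"offeroptimizer.com", "hotoffers.info", "searchrabbit.com"}

# "R1 - <registry key>,<value name> = <url>"; R3 lines have no key/value part.
R_LINE = re.compile(r"^(R[013]) - ([^,=]+?)(?:,([^=]+?))?(?:\s*=\s*(.*))?$")


def domain_of(url):
    """Return the lower-cased host of a URL, accepting hxxp:// defanging."""
    if not url:
        return None
    host = urlparse(url.replace("hxxp", "http", 1)).hostname
    return host.lower() if host else None


def matches_watchlist(host):
    """True if host equals, or is a subdomain of, a watched domain."""
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def analyze_hjt(log_text):
    """Return (kind, setting, host, reason) tuples for suspicious R-lines."""
    findings = []
    for raw in log_text.splitlines():
        m = R_LINE.match(raw.strip())
        if not m:
            continue  # not an R0/R1/R3 entry
        kind, key, value, url = m.groups()
        if kind == "R3" and "missing" in key:
            # A removed URLSearchHook is itself a hijack indicator.
            findings.append((kind, key.strip(), None, "URLSearchHook missing"))
            continue
        host = domain_of(url)
        if matches_watchlist(host):
            findings.append((kind, (value or key).strip(), host,
                             "points at watched hijack domain"))
    return findings


if __name__ == "__main__":
    for finding in analyze_hjt(SAMPLE_LOG):
        print(finding)
```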



#2 TeMerc

    MalwareBytes

  • Visiting Fellow
  • 626 posts

Posted 28 March 2005 - 02:08 AM

From Webhelper:

27 March 2005

I was now able to find the kz515.dll and how it installs. Also, they list the website in the file properties as www .kz515.com, which I just checked and it is available.

Full details on the New Transponder kz515.dll

========================================
28 March 2005

Today I installed the kz515.dll and went to Mypctuneup.com to remove it. Their software removed the kz515.dll; however, the software left all registry entries intact. This, as I see it by their EULA, along with the different files of theirs that contain XML code to search a user's computer for any of their CLSIDs, to me is nothing more than what I stated on 12/27/2004: they were acting like fifth columnists, and all they leave behind after an uninstall amounts to what I call adware sleeper agents.

SEE: Direct-Revenue - Vx2 Transponder Gang Fifth Columnists with Adware Sleeper Agents

For an update with the mypctuneup.com see the following:
The Transponder Gangs, Mypctuneup.com - Updated information

Reprinted with permission by Webhelper

#3 TeMerc

    MalwareBytes

  • Visiting Fellow
  • 626 posts

Posted 03 April 2005 - 01:24 AM

2 April 2005

Special Adware Alert Report with Continuing updates to come!

From Wallpapers4u.com we have ourselves not only a massive infestation of 3rd party adware from a 2nd-thought CPM Media site pacimedia.com along with their wmplayer.exe.tmp exploit, but also a new Clearsearch Variant and a new file from the transponder gang...

Read about it here.

Reprinted with permission by Webhelper

#4 TeMerc

    MalwareBytes

  • Visiting Fellow
  • 626 posts

Posted 10 April 2005 - 12:25 AM

April 9, 2005


There is a lot of news about Direct-Revenue and its uninstaller processes of late. However, as I have noted in other writings on my testing of their variants and using their Mypctuneup.com to uninstall, there are still a lot of questions that need to be answered.

I just came across an article I found in the Google.com Groups search about Direct-Revenue.com and their uninstaller. From the article I found one part of a quote by Daniel Doman, Direct Revenue's chief technology officer, where he "...said the company just wanted to make sure that consumers weren't deterred from uninstalling with MyPCTuneUp. He said that the program doesn't install any other software, but leaves behind a tag indicating that DirectRevenue was once on the computer. With that tag, users cannot later reinstall DirectRevenue. 'If a user uninstalls us, we're not going to reinstall ourselves ...'".


Source: ("Adware Firms Up The Ante On Anti-Spyware"
Wendy Davis, Thursday, Mar 31, 2005 7:00 AM EST, publications.mediapost.com)

Lots more to read with many screenshots here.

Reprinted with permission by Webhelper

#5 TeMerc

    MalwareBytes

  • Visiting Fellow
  • 626 posts

Posted 10 April 2005 - 12:47 AM

9 April 2005
I have started a new page called webhelper offlimits. This is due to the many search results that use my domain name along with pages to get users to their porn/adware/pay per click sites!

========================================
Webhelper Offlimits Page

At times when I am searching, I also use my own domain name in the searches, and I have found that a few sites are using it to try and get users to go to their site, which then has nothing to do with the transponders and CWS that I research.
Below are my listings as I find them in google.com. Use at your own risk or restrict them!

218.149.128.154 twhois.com
Google:

twhoistwhois- Webhelper4u twwhois twhois.cm thwois twois twhois.cmo twhhois - Transponder Gangs Sites Whois Datawww.webhelper4u.com/twhois.
twhois.com/ - 14k - Apr 7, 2005 - Cached - Similar pages

Whois:
Hit P
Geomyang 802, 55-1, Chungjangro-4Ga,, Dong-Gu
Gwangju, non 501014
KR
IP Country REPUBLIC OF KOREA
********************
218.149.128.154 ivegas.www-pokerrules.com
Google:

Ivegas... Internet:AntiSpy ...www.webhelper4u.com/watcher/windexh.html Expat life in the concrete jungle - Statistics ¿Que ivvegas ivegas.cm ievgas ivgas ...
ivegas.www-pokerrules.com/ - 12k - Apr 7, 2005 - Cached - Similar pages

218.149.128.154 adultgambling.www-pokerrules.com
Google:
Adultgambling... Webhelper4u - CoolWebSearch - CWS Hijackers by IP ... adlutgambling adultgambling.cn ... adultxxxgames.net ...www.webhelper4u.com/CWS/cwsbyip.html ...
adultgambling.www-pokerrules.com/ - 14k - Apr 7, 2005 - Cached - Similar pages

********************
64.91.226.94 popupblocker1.com
Google:
stop popup... http://webhelper4u.c...ds-now_com.html # 16 AssortedInfo.com - Your Source for Practical Knowledge Affiliate_Marketing Animals Beauty Book ...
www.popupblocker1.com/stop_popup/ - 12k - Cached - Similar pages

Whois:
Domain name: popupblocker1.com

Administrative Contact:
Anderson Agencies
Nathan Anderson ()
+1.7194854858
Fax:
4858 North Creek Rd
Beulah, CO 81023 US
**********************
212.239.39.148 publiweb.it
Google: Porn type
goglw... www.webhelper4u.com/CWS/scumwareremover.html - 11k - 17 nov 2004 -. www.goglw.com/. JustBlowMe.com Adult Webmaster Forum - About 100 typin domains for . ...
www.publiweb.it/links/g/goglw.html - 8k - Cached - Similar pages

Whois:
domain: publiweb.it
org: Leader Consulting Group
descr: Servizi Publiweb srl
descr: Italy
*************************
66.111.53.50 hijacker-toolbar.hotresults.biz
The site tries to sell all the rogue software I write about not using.

Google:
hijacker toolbar... www.webhelper4u.com/CWS/defaulthomepagenetwork/ essential-free-downloads.html - 10k - Cached - Similar pages Microsoft PowerPoint - kevinseverud_Spyware ...
hijacker-toolbar.hotresults.biz/ - 120k - Cached - Similar pages

66.111.53.50 adaware-hijackers.hotresults.biz
Another by the same as above
adaware hijackers... Webhelper4u - About the CoolWebSearch - CWS Hijackers All ... www.webhelper4u.com/CWS/wmplayerexploits.html - 16k - Cached - Similar pages ...
adaware-hijackers.hotresults.biz/ - 84k - Cached - Similar pages

Whois: hotresults.biz
Russian Federation Site
*************************
Warning to sites that use my name in the pursuit of profits in porn, adware, malware, scams, etc.: you are going to be listed here! All I need is to see search engine results with my domain name while your site's source has my domain listed in the description and/or keywords of your metatags.

Reprinted with permission by Webhelper

#6 TeMerc

    MalwareBytes

  • Visiting Fellow
  • 626 posts

Posted 20 April 2005 - 01:12 AM

19 April 2005

The Transponder gang has yet another new transponder variant, along with a replacement to their buddy.exe called Bolger.dll and Aurora.exe. They are right now foisting this variant, bundled by isearch and using CWS exploit sites to install in stealth!

Other files included: Poller.exe, uacupg.exe, Nail.exe, thnall1ac.html, DrPMon.dll, svcproc.exe.


Read about the Bolger.dll and Aurora.exe here

Reprinted with permission by Webhelper

#7 TeMerc

    MalwareBytes

  • Visiting Fellow
  • 626 posts

Posted 02 May 2005 - 01:26 AM

1 May 2005


New Transponder variant: imGiant.dll that also creates and uses the Buddy.exe
Plus this time they are partners with Media-Motors (chunkybreakfast.com)

Read about the imGiant and Buddy.exe here.


Reprinted with permission by Webhelper

#8 TeMerc

    MalwareBytes

  • Visiting Fellow
  • 626 posts

Posted 12 May 2005 - 01:28 AM

Update Wednesday, 11 May 2005

There have been a lot of write-ups at security forums dealing with 2-spyware.com, owned by Ugnius Kiguolis, with a whois listed as Lithuania and email: jurgita @ jurgita.com

Jurgita is also what a user at many of the forums uses and states their email is jurgita @ jurgita.com.
Here is the deal. I have always stated in my criteria for adding sites to my different lists that:

1. Any site that directly or indirectly, with or without the end user's permission or knowledge, installs adware, trackware, controlware, or anything that collects, tracks, and/or transmits the end user's personal, private, and computer information to one or more controlling servers, or is affiliated with those that foist adware, malware, spyware, exploits, or hijacking of users' browsers.

2. All sites that belong to a site that deals with adware, and especially any site that offers security software and/or help with adware/spyware, will all be listed.

Full Read @ Webhelper with screenshots.

Reprinted with permission by Webhelper

#9 TeMerc

    MalwareBytes

  • Visiting Fellow
  • 626 posts

Posted 15 May 2005 - 11:34 PM

14 May 2005

New Transponder site to watch for - MANMEDNW.NET

I just ran a whois for direct-revenue.com and it lists them and their abetterinternet.com on the same IP; however, a new one is listed: MANMEDNW.NET.

Whois shows domains by proxy right now so the owners can be hidden and the only page so far only shows "welcome".

Why do I say transponder? Most of their sites have always been kept in the same IP addresses.

direct-revenue.com 64.124.153.144
abetterinternet.com 64.124.153.144
manmednw.net 64.124.153.144

IP block data
Direct Revenue INAP-NYM-DIRECTREV-1466 (NET-64-74-242-0-1)
64.74.242.0 - 64.74.242.255

MANMEDNW.NET Created on: 12-Mar-05

This can mean only 1 of 2 things. They plan on creating a new variant (they normally name it after a site), or they plan on creating another IPinsight sentry stub like the farmmext.exe, alchem.exe, belt.exe, conscorr.exe variants, where they name the file after a website yet never place any pages on the website except to say "under construction", "welcome", etc.


Reprinted with permission by Webhelper
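The pivot in the post is: a domain not yet seen anywhere resolves to the same IP as two known Direct-Revenue sites, so it goes on the watch list before it hosts anything. As an added example (not part of the original post or Webhelper's site), the Python below does that grouping over a constructed snapshot of the domain-to-IP data quoted above, and separately checks an address against the registered netblock the post lists. aurora.com and its IP are a constructed negative control standing in for an unrelated site.

```python
import ipaddress
from collections import defaultdict

# Constructed snapshot built from the whois/DNS data in the post (assumption: a
# local table, not live lookups). aurora.com's address is a documentation-range
# placeholder for an unrelated site that should NOT be flagged.
RESOLVED = {
    "direct-revenue.com": "64.124.153.144",
    "abetterinternet.com": "64.124.153.144",
    "manmednw.net": "64.124.153.144",
    "aurora.com": "198.51.100.10",
}

# Domains already attributed to the group before the new one appeared.
KNOWN_DOMAINS = {"direct-revenue.com", "abetterinternet.com"}

# Registered block quoted in the post: 64.74.242.0 - 64.74.242.255.
KNOWN_NETBLOCKS = [ipaddress.ip_network("64.74.242.0/24")]


def group_by_ip(resolved):
    """Map each IP address to the set of domains resolving to it."""
    groups = defaultdict(set)
    for domain, ip in resolved.items():
        groups[ip].add(domain)
    return groups


def pivot_new_domains(resolved, known):
    """Return {new_domain: (ip, sorted known domains on that ip)} for domains
    not yet attributed that share an IP with at least one known domain."""
    hits = {}
    for ip, domains in group_by_ip(resolved).items():
        anchors = domains & known
        if not anchors:
            continue  # no known domain on this IP, nothing to pivot from
        for domain in sorted(domains - known):
            hits[domain] = (ip, sorted(anchors))
    return hits


def in_known_netblock(ip):
    """True if ip falls inside one of the group's registered netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETBLOCKS)


if __name__ == "__main__":
    for domain, (ip, anchors) in pivot_new_domains(RESOLVED, KNOWN_DOMAINS).items():
        print(f"{domain} shares {ip} with {', '.join(anchors)}; "
              f"in registered block: {in_known_netblock(ip)}")
```

Note that the shared hosting address 64.124.153.144 is not inside the 64.74.242.0/24 block the post quotes, which is why the example keeps the co-hosting pivot and the netblock check as two separate signals.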

#10 TeMerc

    MalwareBytes

  • Visiting Fellow
  • 626 posts

Posted 26 May 2005 - 12:05 AM

25 May 2005


MyPcTuneUp.com 3rd Update

What MypcTuneUp.com Actually detects & cleans

This was a test to see exactly which transponder variants would be cleaned by the gang!

Full Read w\HJT analysis @Webhelper

Reprinted with permission by Webhelper



#11 TeMerc

    MalwareBytes

  • Visiting Fellow
  • 626 posts

Posted 30 May 2005 - 02:15 PM

29 May 2005
Updated Information:

Just got off the phone with Charles Mullaney of pajamaexecutive.com, and he was able to explain that, because he is not a programmer, when he posted his request at Rentacode.com for an ActiveX component that was like spyware, he did not know that that type of wording is a no-no in the anti-spyware community. As for the 2004 request, the ActiveX was never created for him.

Both Clear2close.com/net (Cmark and Associates) and Charles Mullaney's pajamaexecutive.com are legit sites and businesses that can safely be used.

Read Full Details Here


26 May 2005

I just came across a site called aurora.com. Good news is they are not part of the Direct-Revenue Transponder Gang, and that is why they never were placed in my transponder sites listing. Bad news is their name: by the way, they had the domain before the transponder gang, who, like the CWS gangsters, use names that are already in use to confuse the users who have been infected by their adware.

So for all concerned, I want it to be known that aurora.com is NOT A TRANSPONDER SITE!

Here is their press release message about the transponder gang
http://www.aurora.co...rt/malware.html

Reprinted with permission by Webhelper

#12 TeMerc

    MalwareBytes

  • Visiting Fellow
  • 626 posts

Posted 31 May 2005 - 04:36 PM

Updated: 05/31/2005

On 24 May 2005, SpywareWarrior Blog ran an article on Direct-Revenue.com's AbetterInternet.com (a division of Direct-Revenue) about a cease and desist letter from Better Internet's lawyer to Sunbelt Software over their anti-spyware software called CounterSpy.

In the C&D letter, Sara Edelman of the law firm of Davois & Gilbert LLP made some statements, so I just have to make a write-up here on my take on this issue.

Webhelper's Take On The Cease & Desist Letter To Sunbelt Software

Full Read w\screenshots & tech report @ Webhelper

Reprinted with permission by Webhelper

#13 TeMerc

    MalwareBytes

  • Visiting Fellow
  • 626 posts

Posted 03 June 2005 - 10:53 AM

3 June 2005

Understanding Direct-Revenue.com & aBetterInternet.com EULA's
Throughout the Direct-Revenue Transponder Gang's history, they have made constant changes to their MANY EULAs (End User License Agreements). What this means is that a user had better read very carefully any EULA that comes from this adware marketing group, as there are some important items that may change your mind about installing their adware.

Complete Story here

3 June 2005

Direct-Revenue's Ad Policy vs What They Really Do!

Direct-Revenue states in their Ad Policies PDF file that advertisers cannot advertise anything that cannot be viewed by anyone under 18. They state no pornographic content as an example. So if that is so, then why even today May 3, 2005, they are still running ads that contain pornographic content??

Get the Full Story here


*****


3 June 2005
Fasterxp.com is a known adware installer of Direct-Revenue transponders, ebates, and mysearch...Use at your own risk!
IP: 64.202.167.129

Additional Info About Fasterxp by Paperghost

Reprinted with permission by Webhelper

#14 TeMerc

    MalwareBytes

  • Visiting Fellow
  • 626 posts

Posted 04 June 2005 - 12:01 AM

3 June 2005

Direct-Revenue's Hidden Sites?
I went to check on callinghome.biz and found one whois dated Nov 5, 2004, where the name is Joshua Abram (CEO of Direct-Revenue).

Read about the two sites that have something that abetterinternet.com peddles with their adware.

Reprinted with permission by Webhelper

#15 TeMerc

    MalwareBytes

  • Visiting Fellow
  • 626 posts

Posted 05 June 2005 - 12:29 AM

4 June 2005

Lest we forget! I just read a blog entry over at SpywareWarrior Blog entitled "More on Netscape and Spyware", which led me to dig back into my older write-ups on the Transponder Gang from 2003, entitled "Thank the Dashbar for Today's Spyware Toolbars":

"...The history of Spyware toolbars that infest so many today are probably the descendants of the Dashbar and this was probably created thanks to the Netzero's ZeroPort when the company was launched in 1998. ..."


So for all who didn't get to read it or have forgotten, here it is:

Thank the Dashbar for Today's Spyware Toolbars

Reprinted with permission by Webhelper
