Zero Popup from Tooto trapped with CoolWebSearch


Assiste.com
March 9th, 2004, 03:11 AM
Hi to all,

First of all, sorry for my poor English.

Second, I can't find anything, using Google, about "Zero Popup" and the malware CoolWebSearch.

I downloaded V 7.90 of Zero Popup twice - tested on 29 Feb and 1st March - and found a variant of CWS in it.

At first, I wrote a few words to Liren, asking him if he knew about this and what I must think of it. His reply:

-{ Quote: "We knew someone hijacked our program ID and released a very bad version. Could you download our latest version to see whether you still have this problem?
Thanks.
Liren" }-
As I was not very satisfied, I wrote him this :

-{ Quote: ".../...
My downloads are from http://www.sellshareware.com (http://www.sellshareware.com/ProgramInfo.asp?PrID=40743). This is the official affiliate program for Zero Popup from Tooto Technologie.

I am not confusing it with "Zero Popup" from zeropopup.com, which is trapped with TinyBar.

Tooto is beginning to be known as having all its sw trapped with a variant of CoolWebSearch called CoolWWWSearch.HTMLEdit.
As SellShareWare is the affiliate program and official download ftp, we can only think:

* Tooto has signed with CWS
or
* SellShareWare implements CWS in the sw it is managing without the consent of Tooto

The problem is that I must de-qualify your product from +5 to -5, waiting for a solution, and my website is a reference.

SpyBot S&D finds 4 keys after an install, classified as CWS:

1. CoolWWWSearch.HTMLEdit: Class
HKEY_CLASSES_ROOT\HTMLEdit.ViewSource.1
2. CoolWWWSearch.HTMLEdit: Class
HKEY_CLASSES_ROOT\HTMLEdit.ViewSource
3. CoolWWWSearch.HTMLEdit: Class ID
HKEY_CLASSES_ROOT\CLSID\{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}
4. CoolWWWSearch.HTMLEdit: Typelib
HKEY_CLASSES_ROOT\Typelib\{5CF14351-C405-4323-A05B-A1BA021E1045}

With my tests, I find these keys - here are all of them, including legitimate ones. The bold ones are the problem.

HKEY_CLASSES_ROOT\HTMLEdit.ViewSource
(Défaut) = 'ViewSource Class'

HKEY_CLASSES_ROOT\HTMLEdit.ViewSource\CLSID
(Défaut) = '{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}'

HKEY_CLASSES_ROOT\HTMLEdit.ViewSource\CurVer
(Défaut) = 'HTMLEdit.ViewSource.1'

HKEY_CLASSES_ROOT\HTMLEdit.ViewSource.1
(Défaut) = 'ViewSource Class'

HKEY_CLASSES_ROOT\HTMLEdit.ViewSource.1\CLSID
(Défaut) = '{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}'

HKEY_CLASSES_ROOT\CLSID\{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}
(Défaut) = 'ViewSource Class'

HKEY_CLASSES_ROOT\CLSID\{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}\InprocServer32
(Défaut) = 'votre chemin\ZERO-P~1.DLL'
ThreadingModel = 'Apartment'

HKEY_CLASSES_ROOT\CLSID\{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}\ProgID
(Défaut) = 'HTMLEdit.ViewSource.1'

HKEY_CLASSES_ROOT\CLSID\{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}\Programmable

HKEY_CLASSES_ROOT\CLSID\{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}\TypeLib
(Défaut) = '{5CF14351-C405-4323-A05B-A1BA021E1045}'

HKEY_CLASSES_ROOT\CLSID\{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}\VersionIndependentProgID
(Défaut) = 'HTMLEdit.ViewSource'

HKEY_CLASSES_ROOT\Interface\{15DD3623-7BA1-4348-81AF-D9244B355193}
(Défaut) = 'IViewSource'

HKEY_CLASSES_ROOT\Interface\{15DD3623-7BA1-4348-81AF-D9244B355193}\ProxyStubClsid
(Défaut) = '{00020424-0000-0000-C000-000000000046}'

HKEY_CLASSES_ROOT\Interface\{15DD3623-7BA1-4348-81AF-D9244B355193}\ProxyStubClsid32
(Défaut) = '{00020424-0000-0000-C000-000000000046}'

HKEY_CLASSES_ROOT\Interface\{15DD3623-7BA1-4348-81AF-D9244B355193}\TypeLib
(Défaut) = '{5CF14351-C405-4323-A05B-A1BA021E1045}'
Version = '1.0'

HKEY_CLASSES_ROOT\TypeLib\{5CF14351-C405-4323-A05B-A1BA021E1045}

HKEY_CLASSES_ROOT\TypeLib\{5CF14351-C405-4323-A05B-A1BA021E1045}\1.0
(Défaut) = 'Zero Popup 1.0 Type Library'

HKEY_CLASSES_ROOT\TypeLib\{5CF14351-C405-4323-A05B-A1BA021E1045}\1.0\0

HKEY_CLASSES_ROOT\TypeLib\{5CF14351-C405-4323-A05B-A1BA021E1045}\1.0\0\win32
(Défaut) = 'votre chemin\Zero-Popup.dll'

HKEY_CLASSES_ROOT\TypeLib\{5CF14351-C405-4323-A05B-A1BA021E1045}\1.0\FLAGS
(Défaut) = '0'

HKEY_CLASSES_ROOT\TypeLib\{5CF14351-C405-4323-A05B-A1BA021E1045}\1.0\HELPDIR
(Défaut) = 'votre chemin\Zero Popup\'

Try to do something to stop this immediately, otherwise the info will spread like fire on the Net and you will be completely blacklisted in a very few days.

Hope this can help you" }-

Liren never wrote me back, so I decided to publish this article.

Pierre
Assiste.com (http://assiste.free.fr)

Franck10
March 9th, 2004, 02:43 PM
Hi
Is this correct ?
Must we blacklist Tooto and/or SellShareware ?
Insert domain names in all known hosts list ?
Do not download - Do not update an old and clean version.
It was a good product. What a shame !
Franck

Assiste.com
March 15th, 2004, 09:41 PM
Hi Franck
Yes, verified simply by using TotalUninstall to view changes between before and after installation.
Also, SpyBot Search and Destroy sees it.

Shunned
March 15th, 2004, 11:17 PM
Pierre

Realizing we are not from the same country and that we do not speak the same tongue..as you say.......may I ask a question...

Your website..interesting......notice this on your website:

"Simply seize the e-mail of a friend and send. The e-mail will be subjected to you for control and customization before sending."

Of course since I don't speak your tongue I could be misunderstanding the intent of you telling someone to seize another person's e-mail...so certainly I am open-minded to your reply on this.
There are other questions..but I will forego those.....and if in fact I have misunderstood ..you have my apology...

Shun

Assiste.com
March 16th, 2004, 04:27 AM
Hi Shunned

Good idea, thanks

About Zero Popup from Tooto and CoolWebSearch:

I am talking about it in the French community, but I am surprised by how few reactions there are, whereas this utility was regarded as one of the best but has just joined one of the worst pests, CoolWebSearch.

And, first of all, am I right in finding this pest in it?

Why does nobody speak about it on the Net, whereas floods of insults are poured on CoolWebSearch?

I've asked Tooto for the third time - still no response.

Assiste.com
March 29th, 2004, 07:48 AM
Hi,
Found that PestPatrol has classified it as a Hijacker under the name of HtmlEdit in Feb 04, revised on March 13, 04

Assiste.com
October 23rd, 2004, 06:56 PM
Hi,

Today, what is the status of EB23F789-F17F-4bcc-988B-6B70A3A67E9C in Zero-Popup?
Parasite? Still pending? Legitimate?
The name of the BHO has changed from "ViewSource Class" to "Zero Popup Pro" as in:

-{ Quote: "HijackThis 1.98.2
O2 - BHO: Zero Popup Pro - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - C:\TOOTOO~1\ZERO-P~1.DLL
or
O2 - BHO: Zero Popup - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - C:\ARCHIV~1\ZEROPO~1\ZERO-P~1.DLL

Notice the old spelling (my test in February):
O2 - BHO: ViewSource Class - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - C:\PROGRA~1\ZEROPO~1\ZERO-P~1.DLL" }-

CWShredder does not say anything.

SpyBot classifies it as CWS.Dreplace - I am not sure of that: the CLSID for CWS.Dreplace is 086AE192-23A6-48D6-96EC-715F53797E85 and the file name is DReplace.dll

-{ Quote: "If you are unable to download any of the files here and are redirected to a porn page, search page or just denied access to the file .../... the redirection is probably because of a Coolwebsearch variant (CWS.Aff.Tooncomics or CWS.Dreplace) that intercepts your download to prevent downloading my programs." }-
CWS.Dreplace is a hijacker for PestPatrol.
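
The HijackThis lines quoted in the last post show one CLSID appearing under three different BHO display names, which is why a check should key on the CLSID rather than the name. The following is an added example, not part of any post in this thread: it parses O2 lines and matches them against the two CLSIDs quoted above. The function names and the fourth sample line are constructed for illustration.

```python
import re

# CLSIDs quoted in the thread, with the label the posts attach to them.
KNOWN_CLSIDS = {
    "EB23F789-F17F-4BCC-988B-6B70A3A67E9C": "Zero-Popup DLL (SpyBot: CoolWWWSearch.HTMLEdit)",
    "086AE192-23A6-48D6-96EC-715F53797E85": "CWS.Dreplace (DReplace.dll)",
}

# HijackThis BHO entry: "O2 - BHO: <name> - {<CLSID>} - <path>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$"
)

def parse_o2(line):
    """Parse one O2 line; return None for anything else."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    # CLSIDs are case-insensitive (the thread writes "4bcc"), so normalise.
    return {"name": m["name"], "clsid": m["clsid"].upper(), "path": m["path"]}

def match_bhos(log_text):
    """Return (entry, label) for every O2 line whose CLSID is in KNOWN_CLSIDS."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o2(line)
        if entry and entry["clsid"] in KNOWN_CLSIDS:
            hits.append((entry, KNOWN_CLSIDS[entry["clsid"]]))
    return hits

def names_by_clsid(hits):
    """Collect every display name seen for each matched CLSID."""
    names = {}
    for entry, _label in hits:
        names.setdefault(entry["clsid"], set()).add(entry["name"])
    return names

# First three lines are from the post above; the last is constructed.
SAMPLE_LOG = r"""O2 - BHO: Zero Popup Pro - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - C:\TOOTOO~1\ZERO-P~1.DLL
O2 - BHO: Zero Popup - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - C:\ARCHIV~1\ZEROPO~1\ZERO-P~1.DLL
O2 - BHO: ViewSource Class - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - C:\PROGRA~1\ZEROPO~1\ZERO-P~1.DLL
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\EXAMPLE\HELPER.DLL
"""

if __name__ == "__main__":
    for clsid, names in names_by_clsid(match_bhos(SAMPLE_LOG)).items():
        print(clsid, KNOWN_CLSIDS[clsid], sorted(names))
```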