Wilders Security Forums

#1
March 9th, 2004, 03:11 AM
Assiste.com
Infrequent Poster
Join Date: Dec 2003
Location: Here and now
Posts: 15
Zero Popup from Tooto trapped with CoolWebSearch

Hi to all,

First of all, sorry for my poor English.

Second, I can't find anything, using Google, about "Zero Popup" and the malware CoolWebSearch.

I've downloaded V 7.90 of Zero Popup twice - tested on 29 Feb and 1st March - and found a variant of CWS in it.

At first, I wrote a few words to Liren, asking him if he knew about that and what I should think of it. His reply:

Quote:
We knew someone hijacked our program ID and released a very bad version. Could you download our latest version to see whether you still have this problem?
Thanks.
Liren
As I was not very satisfied, I wrote him this:

Quote:
.../...
My downloads are from http://www.sellshareware.com This is the official affiliate program for Zero Popup from Tooto Technologie.

I am not confusing this with "Zero Popup" from zeropopup.com, which is trapped with TinyBar.

Tooto is beginning to be known as having all its software trapped with a variant of CoolWebSearch called CoolWWWSearch.HTMLEdit.
As SellShareWare is the affiliate program and official download FTP, we can only think:

* Tooto has signed with CWS
or
* SellShareWare implements CWS in software it manages, without the consent of Tooto

The problem is that I must downgrade your product from +5 to -5 while waiting for a solution, and my website is a reference.

SpyBot S&D finds 4 keys after an install, classified as CWS:

1. CoolWWWSearch.HTMLEdit: Class
HKEY_CLASSES_ROOT\HTMLEdit.ViewSource.1
2. CoolWWWSearch.HTMLEdit: Class
HKEY_CLASSES_ROOT\HTMLEdit.ViewSource
3. CoolWWWSearch.HTMLEdit: Class ID HKEY_CLASSES_ROOT\CLSID\{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}
4. CoolWWWSearch.HTMLEdit: Typelib HKEY_CLASSES_ROOT\Typelib\{5CF14351-C405-4323-A05B-A1BA021E1045}

In my tests, I find these keys - here are all of them, including legitimate ones. The bold ones are the problem.

HKEY_CLASSES_ROOT\HTMLEdit.ViewSource
(Défaut) = 'ViewSource Class'

HKEY_CLASSES_ROOT\HTMLEdit.ViewSource\CLSID
(Défaut) = '{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}'

HKEY_CLASSES_ROOT\HTMLEdit.ViewSource\CurVer
(Défaut) = 'HTMLEdit.ViewSource.1'

HKEY_CLASSES_ROOT\HTMLEdit.ViewSource.1
(Défaut) = 'ViewSource Class'

HKEY_CLASSES_ROOT\HTMLEdit.ViewSource.1\CLSID
(Défaut) = '{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}'

HKEY_CLASSES_ROOT\CLSID\{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}
(Défaut) = 'ViewSource Class'

HKEY_CLASSES_ROOT\CLSID\{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}\InprocServer32
(Défaut) = 'votre chemin\ZERO-P~1.DLL'
ThreadingModel = 'Apartment'

HKEY_CLASSES_ROOT\CLSID\{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}\ProgID
(Défaut) = 'HTMLEdit.ViewSource.1'

HKEY_CLASSES_ROOT\CLSID\{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}\Programmable

HKEY_CLASSES_ROOT\CLSID\{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}\TypeLib
(Défaut) = '{5CF14351-C405-4323-A05B-A1BA021E1045}'

HKEY_CLASSES_ROOT\CLSID\{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}\VersionIndependentProgID
(Défaut) = 'HTMLEdit.ViewSource'

HKEY_CLASSES_ROOT\Interface\{15DD3623-7BA1-4348-81AF-D9244B355193}
(Défaut) = 'IViewSource'

HKEY_CLASSES_ROOT\Interface\{15DD3623-7BA1-4348-81AF-D9244B355193}\ProxyStubClsid
(Défaut) = '{00020424-0000-0000-C000-000000000046}'

HKEY_CLASSES_ROOT\Interface\{15DD3623-7BA1-4348-81AF-D9244B355193}\ProxyStubClsid32
(Défaut) = '{00020424-0000-0000-C000-000000000046}'

HKEY_CLASSES_ROOT\Interface\{15DD3623-7BA1-4348-81AF-D9244B355193}\TypeLib
(Défaut) = '{5CF14351-C405-4323-A05B-A1BA021E1045}'
Version = '1.0'

HKEY_CLASSES_ROOT\TypeLib\{5CF14351-C405-4323-A05B-A1BA021E1045}

HKEY_CLASSES_ROOT\TypeLib\{5CF14351-C405-4323-A05B-A1BA021E1045}\1.0
(Défaut) = 'Zero Popup 1.0 Type Library'

HKEY_CLASSES_ROOT\TypeLib\{5CF14351-C405-4323-A05B-A1BA021E1045}\1.0\0

HKEY_CLASSES_ROOT\TypeLib\{5CF14351-C405-4323-A05B-A1BA021E1045}\1.0\0\win32
(Défaut) = 'votre chemin\Zero-Popup.dll'

HKEY_CLASSES_ROOT\TypeLib\{5CF14351-C405-4323-A05B-A1BA021E1045}\1.0\FLAGS
(Défaut) = '0'

HKEY_CLASSES_ROOT\TypeLib\{5CF14351-C405-4323-A05B-A1BA021E1045}\1.0\HELPDIR
(Défaut) = 'votre chemin\Zero Popup\'

Try to do something to stop this immediately, otherwise the info will spread like fire on the Net and you will be completely blacklisted in a very few days.

Hope this can help you

Liren never wrote me back, so I decided to publish this article.

Pierre
Assiste.com
__________________
Pierre (aka Terdef)
Assiste.com - Asap Admin
The crapware list
The Win XP services list
Security, privacy and Internet dirty tricks
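The listing above is what a before/after registry comparison shows for a single COM class registration: the ProgID keys point at the CLSID, the CLSID key names the in-process DLL, and the TypeLib key ties it to a type library. As an added example (not code from the post, from Tooto or from SpyBot), here is a small Python parser for a dump in exactly that format. It reads the key and value lines, treats both the French `(Défaut)` and the English `(Default)` label as the default value, and resolves a CLSID that a scanner flagged to its ProgIDs, DLL and type library, so the four separate SpyBot hits can be read back as one registration. The sample listing is a constructed subset of the keys in the post; `resolve_flagged` and the other function names are the example's own.

```python
"""Added example: parse a registry listing in the format of the post above and
resolve a COM class (CLSID) to its ProgIDs, in-process DLL and type library,
so a scanner's separate hits can be read back as one registration."""
import re
from collections import defaultdict

# Constructed sample: a subset of the listing in the post, in the same format.
# 'votre chemin' ("your path") is the author's placeholder for the install directory.
SAMPLE_LISTING = r"""
HKEY_CLASSES_ROOT\HTMLEdit.ViewSource
(Défaut) = 'ViewSource Class'
HKEY_CLASSES_ROOT\HTMLEdit.ViewSource\CLSID
(Défaut) = '{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}'
HKEY_CLASSES_ROOT\HTMLEdit.ViewSource.1\CLSID
(Défaut) = '{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}'
HKEY_CLASSES_ROOT\CLSID\{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}
(Défaut) = 'ViewSource Class'
HKEY_CLASSES_ROOT\CLSID\{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}\InprocServer32
(Défaut) = 'votre chemin\ZERO-P~1.DLL'
ThreadingModel = 'Apartment'
HKEY_CLASSES_ROOT\CLSID\{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}\TypeLib
(Défaut) = '{5CF14351-C405-4323-A05B-A1BA021E1045}'
HKEY_CLASSES_ROOT\TypeLib\{5CF14351-C405-4323-A05B-A1BA021E1045}\1.0
(Défaut) = 'Zero Popup 1.0 Type Library'
"""

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\")
VAL_RE = re.compile(r"^(?P<name>[^=]+?)\s*=\s*'(?P<value>.*)'$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DEFAULT_NAMES = {"(défaut)", "(default)"}  # French and English labels for the default value


def parse_listing(text):
    """Return {key_path: {value_name: value}}; the default value is stored under '@'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if KEY_RE.match(line):          # a key path starts a new block of values
            current = line
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = m.group("name").strip()
            if name.lower() in DEFAULT_NAMES:
                name = "@"
            keys[current][name] = m.group("value")
    return keys


def com_classes(keys):
    """Collect CLSID registrations plus the ProgIDs whose CLSID subkey points at them."""
    classes = defaultdict(lambda: {"name": None, "dll": None, "typelib": None, "progids": set()})
    for path, values in keys.items():
        parts = path.split("\\")
        if len(parts) >= 3 and parts[1].upper() == "CLSID" and GUID_RE.fullmatch(parts[2]):
            entry = classes[parts[2].upper()]
            sub = parts[3].lower() if len(parts) > 3 else ""
            if sub == "":
                entry["name"] = values.get("@")
            elif sub == "inprocserver32":   # the DLL loaded into every process that creates the class
                entry["dll"] = values.get("@")
            elif sub == "typelib":
                entry["typelib"] = values.get("@", "").upper() or None
        elif len(parts) == 3 and parts[2].upper() == "CLSID":   # HKCR\<ProgID>\CLSID
            clsid = values.get("@", "").upper()
            if GUID_RE.fullmatch(clsid):
                classes[clsid]["progids"].add(parts[1])
    return dict(classes)


def typelib_names(keys):
    """Map each type library GUID to the name stored under its version subkey."""
    names = {}
    for path, values in keys.items():
        parts = path.split("\\")
        if len(parts) == 4 and parts[1].upper() == "TYPELIB" and GUID_RE.fullmatch(parts[2]):
            names[parts[2].upper()] = values.get("@")
    return names


def resolve_flagged(text, flagged_clsids):
    """For each CLSID a scanner flagged, return what the listing registers under it
    (None when the CLSID does not appear in the listing at all)."""
    keys = parse_listing(text)
    classes, tlnames = com_classes(keys), typelib_names(keys)
    report = {}
    for clsid in flagged_clsids:
        c = classes.get(clsid.upper())
        if c is None:
            report[clsid.upper()] = None
            continue
        report[clsid.upper()] = {
            "name": c["name"],
            "progids": sorted(c["progids"]),
            "dll": c["dll"],
            "typelib": c["typelib"],
            "typelib_name": tlnames.get(c["typelib"]) if c["typelib"] else None,
        }
    return report


if __name__ == "__main__":
    # The CLSID that SpyBot reported in the post.
    for clsid, info in resolve_flagged(SAMPLE_LISTING, ["{EB23F789-F17F-4bcc-988B-6B70A3A67E9C}"]).items():
        print(clsid, info)
```

The parser keys everything on the CLSID and resolves names through it, because a product's display name and ProgID can be changed between builds while the CLSID and the DLL it loads stay the same; comparing the before/after dump on those stable fields is what makes two reports of "the same" BHO comparable.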
#2
March 9th, 2004, 02:43 PM
Franck10
Posts: n/a
Re: Zero Popup from Tooto trapped with CoolWebSearch

Hi
Is this correct?
Must we blacklist Tooto and/or SellShareware?
Insert the domain names in all known hosts lists?
Do not download - Do not update an old and clean version.
It was a good product. What a shame!
Franck
#3
March 15th, 2004, 09:41 PM
Assiste.com
Infrequent Poster
Join Date: Dec 2003
Location: Here and now
Posts: 15
Re: Zero Popup from Tooto trapped with CoolWebSearch

Hi Franck
Yes, verified simply by using TotalUninstall to view the changes between before and after installation.
Also, SpyBot Search and Destroy sees it.
#4
March 15th, 2004, 11:17 PM
Shunned
Posts: n/a
Re: Zero Popup from Tooto trapped with CoolWebSearch

Pierre

Realizing we are not from the same country and that we do not speak the same tongue... as you say... may I ask a question...

Your website... interesting... I notice this on your website:

"Simply seize the e-mail of a friend and send. The e-mail will be subjected to you for control and customization before sending."

Of course, since I don't speak your tongue, I could be misunderstanding the intent of you telling someone to seize another person's e-mail... so certainly I am open-minded to your reply on this.
There are other questions... but I will forego those... and if in fact I have misunderstood... you have my apology...

Shun

#5
March 16th, 2004, 04:27 AM
Assiste.com
Infrequent Poster
Join Date: Dec 2003
Location: Here and now
Posts: 15
Re: Zero Popup from Tooto trapped with CoolWebSearch

Hi Shunned

Good idea, thanks

About Zero Popup from Tooto and CoolWebSearch:

I am talking about it in the French community, but I am surprised by the little reaction, whereas this utility was regarded as one of the best but has just joined one of the worst pests, CoolWebSearch.

And, first of all, am I right in finding this pest in it?

Why does nobody speak about it on the Net, whereas floods of insults are poured on CoolWebSearch?

I've asked Tooto for the third time - still no response.
#6
March 29th, 2004, 07:48 AM
Assiste.com
Infrequent Poster
Join Date: Dec 2003
Location: Here and now
Posts: 15
Re: Zero Popup from Tooto trapped with CoolWebSearch

Hi,
Found that PestPatrol has classified it as a Hijacker under the name of HtmlEdit in Feb 04, revised on March 13, 04.
#7
October 23rd, 2004, 06:56 PM
Assiste.com
Infrequent Poster
Join Date: Dec 2003
Location: Here and now
Posts: 15
Re: Zero Popup from Tooto trapped with CoolWebSearch

Hi,

Today, what is the status of EB23F789-F17F-4bcc-988B-6B70A3A67E9C in Zero-Popup?
Parasite? Still pending? Legitimate?
The name of the BHO has changed from "ViewSource Class" to "Zero Popup Pro", as in:

Quote:
HijackThis 1.98.2
O2 - BHO: Zero Popup Pro - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - C:\TOOTOO~1\ZERO-P~1.DLL
or
O2 - BHO: Zero Popup - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - C:\ARCHIV~1\ZEROPO~1\ZERO-P~1.DLL

Notice the old spelling (my test in February):
O2 - BHO: ViewSource Class - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - C:\PROGRA~1\ZEROPO~1\ZERO-P~1.DLL

CWShredder does not say anything.

SpyBot classifies it as CWS.Dreplace - I am not sure of that: the CLSID for CWS.Dreplace is 086AE192-23A6-48D6-96EC-715F53797E85 and the file name is DReplace.dll

Quote:
Originally Posted by Merijn
If you are unable to download any of the files here and are redirected to a porn page, search page or just denied access to the file .../... the redirection is probably because of a Coolwebsearch variant (CWS.Aff.Tooncomics or CWS.Dreplace) that intercepts your download to prevent downloading my programs.

CWS.Dreplace is a hijacker according to PestPatrol.
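The three O2 lines quoted above show one CLSID under three display names and three install paths, and the post then compares that CLSID and file name with the ones it gives for CWS.Dreplace. As an added example (not code from the post, from HijackThis or from SpyBot), the Python below parses HijackThis O2 lines, groups them by CLSID, and marks each entry with whether it matches a reference entry on the stable identifiers (CLSID and file name) rather than on the display name. The sample log is constructed from the three lines in the post plus one placeholder line for DReplace.dll built from the CLSID and file name the post states (its path is invented); `DREPLACE_SIGNATURE` and the function names are the example's own.

```python
"""Added example: parse HijackThis O2 (BHO) lines, group them by CLSID and compare
each entry with a reference entry on CLSID and file name, not on display name."""
import re
from collections import defaultdict

# O2 lines have the form:  O2 - BHO: <display name> - {<CLSID>} - <DLL path>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.+)$"
)

# Constructed sample: the three lines quoted in the post, plus one placeholder line
# built from the CLSID and file name the post gives for CWS.Dreplace (path invented).
SAMPLE_LOG = r"""
O2 - BHO: Zero Popup Pro - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - C:\TOOTOO~1\ZERO-P~1.DLL
O2 - BHO: Zero Popup - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - C:\ARCHIV~1\ZEROPO~1\ZERO-P~1.DLL
O2 - BHO: ViewSource Class - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - C:\PROGRA~1\ZEROPO~1\ZERO-P~1.DLL
O2 - BHO: (no name) - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\PLACEHOLDER\DReplace.dll
"""

# Reference entry as stated in the post (not verified here); the example's own constant.
DREPLACE_SIGNATURE = {
    "name": "CWS.Dreplace",
    "clsid": "{086AE192-23A6-48D6-96EC-715F53797E85}",
    "file": "DReplace.dll",
}


def parse_o2(text):
    """Return one dict per O2 line: display name, CLSID (upper-cased), path and file name."""
    entries = []
    for line in text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue                  # not an O2 line, or malformed: skip it
        path = m.group("path")
        entries.append({
            "name": m.group("name"),
            "clsid": m.group("clsid").upper(),
            "path": path,
            "file": path.rsplit("\\", 1)[-1].upper(),
        })
    return entries


def group_by_clsid(entries):
    """Group entries by CLSID, collecting every display name and path seen for it."""
    groups = defaultdict(lambda: {"names": set(), "paths": set()})
    for e in entries:
        groups[e["clsid"]]["names"].add(e["name"])
        groups[e["clsid"]]["paths"].add(e["path"])
    return dict(groups)


def check_against(entries, signature):
    """Mark each entry with whether its CLSID and its file name match the signature."""
    return [
        {**e,
         "clsid_match": e["clsid"] == signature["clsid"].upper(),
         "file_match": e["file"] == signature["file"].upper()}
        for e in entries
    ]


if __name__ == "__main__":
    entries = parse_o2(SAMPLE_LOG)
    for clsid, g in group_by_clsid(entries).items():
        print(clsid, "names:", sorted(g["names"]), "distinct paths:", len(g["paths"]))
    for r in check_against(entries, DREPLACE_SIGNATURE):
        print(r["name"], "CLSID match:", r["clsid_match"], "file match:", r["file_match"])
```

Run on the sample, the Zero Popup entries collapse into a single CLSID with three names, and none of them matches the Dreplace reference on either CLSID or file name, which is the mismatch the post points out; the placeholder Dreplace line matches on both, so the same check separates the two registrations regardless of what they are called.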
 
