Jump to content

transponder Gang Chronicles By Webhelper


TeMerc

Recommended Posts

I have spoken with Webhelper and in an effort to post all info he has garnered on this group, and to keep everyone aware of their presence and their involvement in some of the nastiest prevalent infections on the net, I will update this thread as he updates his site, with his blessing. Our greatest tool against them is exposure.TeMercOriginally posted Feb 18, 2005:Is This Software On Your Hard Drive?How one of the Internet’s largest and most secretive adware companies really operates. With new regulations coming, will it really reform?Dec. 9 - In November 2000, yet another e-commerce start-up was grappling with its inevitable fate. Dash.com CEO Dan Kaufman called a meeting of most of the company’s employees in its New York City offices and stared down at the conference-room table as he delivered the bad news. “This is a day I hoped would never happen,†he said, according to an employee at the meeting. The board of directors had just agreed that the dot-com company’s prospects were dim. “Please gather your belongings and exit the building.â€Dash’s business model was ahead of its time—a prototype of what adware companies are doing today. The business asked Web surfers to download a software toolbar that tracked their Internet shopping and offered related e-commerce discounts at the point of purchase. For example, if a user was prepared to buy a book at BarnesandNoble.com, the Dash toolbar could offer a coupon for the same book at Borders. In the midst of a profligate investment environment, Dash.com raised $50 million on this idea from venture capitalists such as AT&T Ventures and the JPMorgan Investment Corp. Now it was preparing to give any leftover cash back to investors and slink off into the dot-com void. “I guess we learned a lot of expensive lessons at Dash,†says Joshua Abram, a former vice president at the company.As of June 2001, Dash.com and its competitive-coupons idea was officially dead. Or was it?In this week’s edition of NEWSWEEK, we looked at the growing online presence of adware, software that sits on users’ hard drives and can slow down the desktop with resource-consuming pop-up ads. Adware companies like Claria, WhenU and 180solutions load their software onto hard drives by offering appealing free programs like games, updated weather reports and the like. The adware then serves pop-ups ads on the screen that are often related to the user’s Web activity. Next year, Congress is likely to pass new legislation regulating the industry. It will require that adware companies obtain explicit permission from users before their programs are populated onto hard drives and to put their name at the top of each pop-up, so users know who’s responsible for it. Most importantly, the new law will make sure consumers can easily delete unwanted adware. Full Read @ MSNBC=====================================================5 March 2005Complete new update for all CWS ListingsReprinted with permission by Webhelper=======================================24 March 2005CPVMARKET.COM where they are using the affiliate interface from Mygeek.com from the AdsOn Network.They also now have a new IPinsight Sentry Stub called mlotus.exe which they have named after their site which does not have an active IP assigned yet called mlotus.com.They have also changed their Speer.dll from 2004 to a new one called speeryox.dl (More to come on this one) They are also using their Speer2.dll which creates their buddy.exe like the Speer and ceres variants. See Speer2.dllReprinted with permissions by Webhelper===================================================================24 March 2005Looks like the Transponder Gang has finally went over to the dark side of in allowing CWS exploits to not only bundle new variant called kz515.dll BUT I have also found for the first time in 4 Hijackthis logs on the Internet that their offeroptimizer.com is using an IP address for their search.offeroptimizer.com which is to their searchrabbit.com site. Also, search results direct themselves to findwhat.com. Pure Pay-Per Click search.R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://search.offeroptimizer.com/sidebar.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://search.offeroptimizer.com/sidebar.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.hotoffers.info/278/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R3 - Default URLSearchHook is missing The CWS that shows hotoffers.info (See My write up on the dropper.exe)and is from the IP Block of Atrivo that is infested with CWS See: CWS Atrivo ListingsReprinted with permission by Webhelper===================================================================25 March 2005Looks like the KZ515.dll is being installed by a bundled install via a possible CWS exploit. If anyone who is hit by the kz515.dll and knows where it came from, please submit your link here: Submit Suspect Sites so that I can research it and we can see exactly why the Transponder gang has changed their methods by writing to the registry and changing users start pages.************About the Grandstreetinteractive.com GSM toolbar. Is Mygeek more than a major Transponder Gang partner? Read it hereReprinted with permission by Webhelper

Link to comment
Share on other sites

Guest LilBambi

Thanks TeMerc! Excellent info!I have had my fights with VX2 and all that their various iterations encompass! Direct Revenue/Dash and ALL it's various companies/names are definitely on my list and has been for a long time!Thanks again! :(

Edited by LilBambi
Link to comment
Share on other sites

From Webhelper:27 March 2005I was able to now find the kz515.dll and how it installs: Also. they list the website in the file properties as www .kz515.com of which I just checked and it is available.Full details on the New Transponder kz515.dll========================================28 March 2005 Today I installed the kz515.dll and went to Mypctuneup.com to remove it. There software removed the kz515.dll, however, the software left all registery entries intact. This to me as I see it by their EULA, along with the different files of theirs that contain XML code to search a users computer for any of their CLSID's, to me is nothing more than when I stated on 12/27/2004 they were acting like 5th columinsts and all they leave behind after an uninstall amounts to what I call adware sleeper agents. SEE: Direct-Revenue - Vx2 Transponder Gang Fifth Columnists with Adware Sleeper AgentsFor an update with the mypctuneup.com see the following: The Transponder Gangs, Mypctuneup.com - Updated informationReprinted with permission by Webhelper

Link to comment
Share on other sites

2 April 2005Special Adware Alert Report with Continuing updates to come! From Wallpapers4u.com we have ourselves not only a massive infestation of 3rd party adware from a 2nd-thought CPM Media site pacimedia.com along with their wmplayer.exe.tmp exploit, but also a new Clearsearch Variant and a new file from the transponder gang...Read about it here.Reprinted with permission by Webhelper

Link to comment
Share on other sites

April 9, 2005There is a lot of news about Direct-Revenue and its uninstaller processes of late. However, as I have in other writings of my testing of their variants and using their Mypctuneup.com to uninstall, there is still a lot of questions that need answered. I just came across a article I found in the Goolge.com Groups search about Direct-Revenue.com and their uninstaller. From the article I found one part of a quote by Daniel Doman, Direct Revenue's chief technology officer where states he "...said the company just wanted to make sure that consumers weren't deterred from uninstalling with MyPCTuneUp. He said that the program doesn't install any other software, but leaves behind a tag indicating that DirectRevenue was once on the computer. With that tag, users cannot later reinstall DirectRevenue. "If a user uninstalls us, we're not going to reinstall ourselves ...".Source: ("Adware Firms Up The Ante On Anti-Spyware" Wendy Davis, Thursday, Mar 31, 2005 7:00 AM EST, publications.mediapost.com)Lots more to read with many screenshots here.Reprinted with permission by Webhelper

Link to comment
Share on other sites

9 April 2005I have started a new page called webhelper offlimits. This is due to the many search results that use my domain name along with pages to get users to their porn/adware/pay per click sites!========================================Webhelper Offlimits PageAt times when I am searching, I also use my own domain name in the searches and I have found a few at times are using it to try and get users to go to their site that then has nothing to do with the transponders and CWS that I research.Below is my listings as I find then in google.com. Use at your own risk or restrict them! 218.149.128.154 twhois.comGoogle:twhoistwhois- Webhelper4u twwhois twhois.cm thwois twois twhois.cmo twhhois - Transponder Gangs Sites Whois Datawww.webhelper4u.com/twhois.twhois.com/ - 14k - Apr 7, 2005 - Cached - Similar pages Whois: Hit PGeomyang 802, 55-1, Chungjangro-4Ga,, Dong-GuGwangju, non 501014KRIP Country REPUBLIC OF KOREA ********************218.149.128.154 ivegas.www-pokerrules.comGoogle:Ivegas... Internet:AntiSpy ...www.webhelper4u.com/watcher/windexh.html Expat life in the concrete jungle - Statistics ¿Que ivvegas ivegas.cm ievgas ivgas ...ivegas.www-pokerrules.com/ - 12k - Apr 7, 2005 - Cached - Similar pages 218.149.128.154 adultgambling.www-pokerrules.comGoogle:Adultgambling... Webhelper4u - CoolWebSearch - CWS Hijackers by IP ... adlutgambling adultgambling.cn ... adultxxxgames.net ...www.webhelper4u.com/CWS/cwsbyip.html ...adultgambling.www-pokerrules.com/ - 14k - Apr 7, 2005 - Cached - Similar pages ********************64.91.226.94 popupblocker1.comGoogle:stop popup... http://webhelper4u.com...op-popup-ads-now_com.html # 16 AssortedInfo.com - Your Source for Practical Knowledge Affiliate_Marketing Animals Beauty Book ...www.popupblocker1.com/stop_popup/ - 12k - Cached - Similar pages Whois:Domain name: popupblocker1.comAdministrative Contact:Anderson AgenciesNathan Anderson ()+1.7194854858Fax: 4858 North Creek RdBeulah, CO 81023 US**********************212.239.39.148 publiweb.itGoogle: Porn typegoglw... www.webhelper4u.com/CWS/scumwareremover.html - 11k - 17 nov 2004 -. www.goglw.com/. JustBlowMe.com Adult Webmaster Forum - About 100 typin domains for . ...www.publiweb.it/links/g/goglw.html - 8k - Cached - Similar pages Whois:domain: publiweb.itorg: Leader Consulting Groupdescr: Servizi Publiweb srldescr: Italy*************************66.111.53.50 hijacker-toolbar.hotresults.bizThe site tries to sell all the rogue software I write about not using.Google: hijacker toolbar... www.webhelper4u.com/CWS/defaulthomepagenetwork/ essential-free-downloads.html - 10k - Cached - Similar pages Microsoft PowerPoint - kevinseverud_Spyware ...hijacker-toolbar.hotresults.biz/ - 120k - Cached - Similar pages 66.111.53.50 adaware-hijackers.hotresults.bizAnother by the same as aboveadaware hijackers... Webhelper4u - About the CoolWebSearch - CWS Hijackers All ... www.webhelper4u.com/CWS/wmplayerexploits.html - 16k - Cached - Similar pages ...adaware-hijackers.hotresults.biz/ - 84k - Cached - Similar pages Whois: hotresults.bizRussian Federation Site*************************Warning to sites that use my name in the pursuit of profits in Porn, adware, maleware, scams, etc. You are going to be listed here! All I need to is to see search engine results with my domain name and your sites source has my domain listed in your discription and/or keywords of your metatags. Reprinted with permission by Webhelper

Link to comment
Share on other sites

Webhelper is also amazing! Because of the research that he conducts, there are those who continue trying to track down infomation on him. Perhaps they think they can knock him out of the loop or they are curious about this person who is often one step ahead of them. Webhelper is #1 in my book!

Link to comment
Share on other sites

19 April 2005The transponder has yet another new transponder variant along with a replacement to their buddy.exe called Bolger.dll and Aurora.exe. They are right now foisting this variant being bundled by isearch and using CWS exploits sites to install in stealth! Other files included: Poller.exe, uacupg.exe, Nail.exe, thnall1ac.html, DrPMon.dll, svcproc.exe.Read about the Bolger.dll and Aurora.exe hereReprinted with permission by Webhelper

Link to comment
Share on other sites

  • 2 weeks later...

1 May 2005New Transponder variant: imGiant.dll that also creates and uses the Buddy.exePlus this time they are partners with Media-Motors (chunkybreakfast.com)Read about the imGiant and Buddy.exe here.Reprinted with permission by Webhelper

Link to comment
Share on other sites

  • 2 weeks later...

Update Wednesday, 11 May 2005There has been a lot of write ups at security forums dealing with 2-spyware.com owned by Ugnius Kiguolis with a whois listed as Lithuania and email: jurgita @ jurgita.com Jurgita is also what a user at many of the forums uses and states their email is jurgita @ jurgita.com. Here is the deal. I have always stated in my criteria for adding sites to my different lists that: 1. Any site that directly or indirectly, with or without the end users permission or knowledge installs adware, trackware, controlware, or anything that collects, tracks, and/or transmits the end users personal, private, and computer information to one or more controlling servers or is affiliated with those that foist adware, malware, spyware,exploits, or hijacking of users browsers.2. All sites that belong to a site that deals with adware and especially any site that offers security software and/or help with adware/spyware wiill all be listed. Full Read @ Webhelper with screenshots.Reprinted with permission by Webhelper

Link to comment
Share on other sites

14 May 2005New Transponder site to watch for - MANMEDNW.NETI just ran a whois for for direct-revenue.com and it lists them and their abetterinternet.com for the same IP, however a new one is listed:MANMEDNW.NET.Whois shows domains by proxy right now so the owners can be hidden and the only page so far only shows "welcome". Why do I say transponder? Most of their sites have always been kept in the same IP addresses.direct-revenue.com 64.124.153.144abetterinternet.com 64.124.153.144manmednw.net 64.124.153.144IP block dataDirect Revenue INAP-NYM-DIRECTREV-1466 (NET-64-74-242-0-1) 64.74.242.0 - 64.74.242.255MANMEDNW.NET Created on: 12-Mar-05This can mean only 1 of 2 things. The plan on creating a new variant (they normally name it after a site), or they plan on creating another IPinsight sentry stub like farmmext.exe, alchem.exe, belt.exe, conscorr.exe variant where they name the file after a website yet never place any pages on the website except to say unerconstruction, welcome, etc. Reprinted with permission by Webhelper

Link to comment
Share on other sites

  • 2 weeks later...
Update Wednesday, 11 May 2005There has been a lot of write ups at security forums dealing with 2-spyware.com owned by Ugnius Kiguolis with a whois listed as Lithuania and email:  jurgita @ jurgita.com  Jurgita is also what a user at many of the forums uses and states their email is jurgita @ jurgita.com.  Here is the deal.  I have always stated in my criteria for adding sites to my different lists that:
2-spyware.com, jurgita.com, 2-free.net, 2-downloads.com and other projects created and managed by Ugnius Kiguolis and eSolutions never supported any Adware or Spyware.Dispute letter to Webhelper tales written at: webhelper - case of defamation
Link to comment
Share on other sites

29 May 2005Updated Information:Just got off the phone with Charles Mullaney of pajamaexecutive.com and he was able explain because he is not a programmer, when he posted his reguest at Rentacode.com for an activeX component that was like spyware, he did not know that that type of wording is a No No in the Anti-spyware community. Of the 2004 request, the activeX was never created for him. Both Clear2close.com/net ( Cmark and Associates) and Charles Mullaney pajamaexecutive.com are legit sites and business that can safely be used.Read Full Details Here 26 May 2005I just came accross a site called aurora.com. Good news is they are not part of the Direct-Revenue Transponder Gang and that is why they never were placed in my transponder sites listing. Bad news is because of their name, which by the way they had the domain before the transponder gang like those of the CWS gangsters use names that are already being used to confuse the users who have been infected by their adware.So for all concerned, I want it to be known that aurora.com is NOT A TRANSPONDER SITE! Here is their press release message about the transponder ganghttp://www.aurora.com/support/malware.htmlReprinted with permission by Webhelper

Link to comment
Share on other sites

Updated: 05/31/2005 On 24 May 2005, SpywareWarrior Blog ran an article on Direct-Revenue'.com's AbetterInternet.com (a division of Direct-Revenue) on a cease and desist letter from Better Internets Lawyer to Sunbelt Software about their Anti-spyware software called CounterSpy.From the C&D letter,Sara Edelman of the lawyer firm of Davois & gilbert LLP made some statements I just have to make a write up here on my take on this issue.Webhelper's Take On The Cease & Desist Letter To Sunbelt SoftwareFull Read w\screenshots & tech report @ Webhelper Reprinted with permission by Webhelper

Link to comment
Share on other sites

3 June 2005Understanding Direct-Revenue.com & aBetterInternet.com EULA'sThroughout the Direct-Revenue Transponder Gangs history, they have made constant changes to their MANY EULAs (End User License Agreement). What this means is that a user had better read very carefully any EULA that comes from this adware marketing group as there are some important items that may change your mind about installing their adware.Complete Story here3 June 2005Direct-Revenue's Ad Policy vs What They Really Do!Direct-Revenue states in their Ad Policies PDF file that advertisers cannot advertise anything that cannot be viewed by anyone under 18. They state no pornographic content as an example. So if that is so, then why even today May 3, 2005, they are still running ads that contain pornographic content??Get the Full Story here *****3 June 2005 Fasterxp.com is a known adware installer of Direct-Revenue transponders, ebates, and mysearch...Use at your own risk!IP: 64.202.167.129Additional Info About Fasterxp by PaperghostReprinted with permission by Webhelper

Link to comment
Share on other sites

4 June 2005 Lest we forget! I just read a blog entry over at SpywareWarrior Blog entitled "More on Netscape and Spyware" which led me to digging back in my older write ups on the Transponder Gang here in 2003 entitled "Thank the Dashbar for Todays Spyware Toolbars"

"...The history of Spyware toolbars that infest so many today are probably the descendants of the Dashbar and this was probably created thanks to the Netzero's ZeroPort when the company was launched in 1998. ..."
So so all who didn't get to read it or have forgotten here it is:Thank the Dashbar for Todays Spyware ToolbarsReprinted with permission by Webhelper
Link to comment
Share on other sites

Guest LilBambi

Yes, NetZero's ZeroPort ... annoying piece of software there ... prelude to Dash....

The Dashbar could be considered the Grandfather of Spyware toolbars as it came into being in 1999 Dashbar Screen Shot from the past owners of Dash.com.
Seeing the VX2 and Transponder references reminded me of a recent development.Did you notice the removal of the terms "VX2" and "Transponder" from Sunbelt's listings for "BetterInternet software programs" and reclassification as adware? I read the pdf on it.Was saddened to see that; however I was very glad that they will continue to offer detection and removal capabilities if the user wishes to have them removed. on Sunbelt's blog. And they made that VERY clear.I was glad to see they were up front about the changes on the SunbeltBlog. The information is on the following blog entry:Our response to Abetterinternet lawyers.http://sunbeltblog.blogspot.com/2005/06/ou...erinternet.htmlAbetterinternet's cease and desist letter: http://sunbeltblog.blogspot.com/2005/05/another-one.htmlSunbelt's response (pdf):http://www.sunbelt-software.com/ihs/alex/betterinternet2.pdfAlex signed it:Alex(Still scratching my head) Edited by LilBambi
Link to comment
Share on other sites

  • 1 month later...

July UpdatesWebhelper UnmaskedCWS listings sorted by IP address in text format(IP & Domains)CWS listings Alpha sorted text format(Only Domains)CWS complete works in MS Office Exel formatDirect-Revenue and their Ad Policy Part IINew CWS desktop scare tactics:Your system Is Infected July 24Popfinder.net XPSP2 Type Information Bar Scare for Adwaredelete July 24, 2005Warning: You may be infected July 27Reprinted with permission by Webhelper

Link to comment
Share on other sites

  • 5 months later...
Apologies for negecting this thread
Major CWS Sites UpdateCWS List Sorted By IP Address In Text Format(IP and Domains ) Updated 11 Sept 2005CWS Alpha Sort In Text Format (Only Domains listed) Updated 11 Sept 2005Full Read\More Info====================================================================
In late August 2005, I was given a link by my friend Suzi of Spywarewarrior that was an IP address 195.225.177.33 that ran a massive CWS infestations similar to that of the infamous vxiframe.biz infestations. Upon further research I found that this IP was also being used by two well known CWS porn sites along with an IP of Esthost/Estdomains as an 404 error page that calls a page called waite.html which also contains 195.225.177.33 in an IFRAME to load the IP automatically thus infesting users. The waite.html page is an old scare scam for RazeSpyware. See Spywarewarrior Rogue Anti-Spyware listing for details. This waite.html page will only be seen about a second and then will close and the CWS infestations will begin. Below is what the page looks like without the live CWS link.
Full Read @ Webhelper======================================================================Webhelper's CWS Diaries
"One must know the past in order to understand the future, if one is to change the future"
Home |CWS Lists Main Index |Updated: 27 November, 2005 10:46 AM I. About The CWS Diaries
  • A. What The Dairies Are B. Webhelper Definition of Cool Web Search or CWS for Short C. Criteria I Use For My Investigative Research

II. Historical Overview of the CWS

  • CWS Groups Historical Overview From 2003 To Nov 2005

III. The Webhelper CWS Diaries

  • A. November 2005

IV. The CWS Groups and Their Histories (These will be added very soon)

  • A. Feel Media Group: from Datanotary.com to today's Martfinder.com B. 008k.com - Petro-line Gang (looking-for.cc, lookfor.cc, searchv.com,) C. AliBaba & 40 Loop Back Gang ( Hijacks to Searchadv.com as of 2005) D. J Cactus Dimpy Gang (Most Dangerous of all Gangs) E. VladZone (Slemshield, Slimfind, adslim.com) F. Asher Nahmais (i--search.com, iexplorer.reg ) uses *.reg files to hijack with G. Esthost,Estdomains,est-corp - Estonia group H. Henry Bison (find4u.com) Finish/Estonia gang I. Security Scam Hijackers J. Coolwebsearch.com K. Umaxsearch - searchadv.com (Russian affiliate program like Coolwebsearch.com L. Wallace Sandford Defualt-Homepage-Networks Hijacker and Scare Scams for spydeleter till FTC closed down in 2004

V. CWS Sites Lists

  • A. CWS Sites Sorted By IP Address B. CWS Sites Sorted By Domains C. Specialisted CWS Lists By Groups

VI. Index Of Past CWS Writings VII. Support Forums and Other Help Resources

  • A. CastleCops (Also provide support in other languages) B. Spywarewarrior.com C. Freedomlist.com D. Carma Blog and Forum E. Landzdown.com Adaware and Hijackthis Specialists F. Bluetack (BISS) (Internet Security Solutions) G. MVPS.org Host file H. IE-Spyad - Eric Howes Blocking lists I. Maddoktor2 (Spyware Beware)

VII. Additional Readings and Resources

  • A. Merijn's Cool Web Search Chronicles May 27, 2003 to April 17, 2004 B. The CLSID / BHO List / Toolbar Master ListThis is the Master BHO and Toolbar list by Tony Klein and CastleCops C. HijackThis log tutorial D. ActiveX Objects (Downloaded Program Files) aka O16 E. Startup Programs List

Direct Link To Webhelper's CWS Diaries=====================================================================As of January 2, 2006, I now have all my CWS lists including the master in excel format online:Sorted by IP Address (Text format) http://webhelper4u.com/CWS2/cwslists/cwsbyip.txtSorted by Domains (Text Format) http://webhelper4u.com/CWS2/cwslists/cwsalpha.txtMS Office Excel format contains more indepth information on the sites listed.http://webhelper4u.com/CWS2/cwslists/cwsmasterlist.xlsI have links to the excel viewer if needed:http://webhelper4u.com/CWS/index.html webhelper============================================================================The CWS Groups and Their Histories Update: Jan 7A: Feel Media Group: from Datanotary.com to today's Martfinder.comB: 008k.com - Petro-line Gang =====================================================Jan 19

Razespyware and its whois CWS owner Pantier CoRazespyware has been on the rise via CWS infestations and many are looking for information about them. razespyware.net which has the razespyware whois now shows a one Painter Co or aka Pant co who have been a known linked to the CWS world for a long time with its many porn sites. In August 2005, I did a write up about a scare ad page for Razespyware that redirected to a major (vxiframe.biz- cactus @ asdbiz.biz) CWS infester and hijacker. Today Razespyware is being used by many of the major CWS hijackers but it is their whois owner that I have made a PDF document about for today. Later I will be talking about the Nelroy Ltd. that is shown in the Company info page at their site.August 2005 write up:The CWS hackers look like they are starting to spread to what was once thought to be the safe part of the Internet!http://webhelper4u.com/CWS/Research/screen...iteexploit.htmlJan 19, 2006 PDF on the Painter Co infestaions and Rzespyware installs:http://webhelper4u.com/CWSDiaries/painter_...razespyware.pdf
Reprinted with permission by Webhelper=================================================CWS Sites Lists Updates Jan 22, 2006 Text format sorted by Domains (0 -Z)http://webhelper4u.com/CWS2/cwslists/cwsalpha.txtText format sorted by IP addresses:http://webhelper4u.com/CWS2/cwslists/cwsbyip.txtAlso the Master CWS list in Excel Spreadsheet format has been updatedhttp://webhelper4u.com/CWS2/cwslists/cwsmasterlist.xlsFor all above an others see the CWS Main Index:CWS Main Index==============================================================JAN 27VladZone Sites Now in My Site - pass the word to blockThese are linked to the CWS desktop take overs and scare ads for anti-spyware scams, so because of their history and their sites that are part of the desktop scare scams with CWS they are now going to all be listed at my site.SMART-SECURITY.INFO, adslim.com, SLEMSHIELD.COMListinghttp://webhelper4u.com/CWS/cws_vladzones.htmlScreenshots of various scare scams that happen after you are infested.****http://www.webhelper4u.com/CWS/greg-search...screenshot.htmlsecurityiguardhttp://www.webhelper4u.com/CWS/Research/sc...ktopsearch.htmlisrvs isearchhttp://webhelper4u.com/CWS/Research/screen...pywarescam.htmlslimshield scam - topantispywareshttp://webhelper4u.com/CWS/Research/screen...re_tactics_.htmtrojan-spy.HTML.smitfraud.c and w32.hllp.spreda.b.spyhttp://webhelper4u.com/CWS/Research/screen...idinfected.htmlstealthSWs114.h!dll hoax
Link to comment
Share on other sites

  • 2 weeks later...

The Great CWS Migration of Jan 2006

There has been a lot of changes with the really bad guys in the CWS world since the appearance of the second zero day exploit WMF was started to be used. A lot of sites have changed servers or are in the process of doing so. Because of these changes, I now have a special spreadsheet in excel format with all the changes of the sites that have moved from Atrivo/Intercage Servers in the US to the servers in the Ukraine.http://www.webhelper4u.com/CWS2/jcactusdim...rations2006.xlsAs I go on in the next few days or so about this migrations, the sites and alias names involved, I want to refresh everyones memories and for those who never seen this. Right after July 27, when I found the SARS identity theft keylogger, one of our researchers at Sunbelt in August of 2005, discovered a document in Russian in one of their sites. We had it translated by one of our Russian programmers and it is a blueprint in how this group I call the jcactusdimpy has been operating since early 2004 when one of the first of the worst sites (SF2F*CKED.BIZ) appeared.
The document in PDF format Webhelper BlogReprinted with permission from Webhelper
Link to comment
Share on other sites

Alibaba & 40 Loopback CWS AboutBlank Hijacker GangUpdated: 12 February, 2006 09:02:21 AM -0800

The Alibaba & 40 Loopback gang date back to 2003 and has been affiliated with Coolwebsearch.com and Umax searchmeup.com/searchadv.com. Their calling cards are the Se.dll A Hijackthis log that shows their files for home page hijackings using the About Blank would be as follows:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/space.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/space.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blankR1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blankR0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blankR1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

They also infest with a BHO that is random named (kjoa.dll), and makes entries in the Filter: text/html and Filter: text/plain.

O2 - BHO: (no name) - {0B4C6427-90F8-4FC8-92A6-05F2C6275D9C} - C:\WINDOWS\system32\kjoa.dllO4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstallO4 - HKLM\..\Run: [windesktop] C:\WINDOWS\system32\windesktop.exeO4 - HKLM\..\Run: [Systems] C:\WINDOWS\system32\sysmon.exeO4 - HKLM\..\RunServices: [windesktop] C:\WINDOWS\system32\windesktop.exeO4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\symsvcsa.exeO18 - Filter: text/html - {7FAA2075-F5BE-4769-8A97-33CA499E6978} - C:\WINDOWS\system32\kjoa.dllO18 - Filter: text/plain - {7FAA2075-F5BE-4769-8A97-33CA499E6978} - C:\WINDOWS\system32\kjoa.dllO21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\ WINDOWS\system32\dcom_13.dll

This group is also heavily linked to the Umax/searchadv.com Pay Per Click Affiliate group which just began using a new trojan variant to operate a click fraud scam to bilk the searchfeed groups and online advertisers that pay for each click made to their sites

Full Read @ Webhelper
Link to comment
Share on other sites

  • 1 month later...

March 20 2006

Lots of Updates and More to comeSites Listing Updateshttp://webhelper4u.com/CWS2/cwslists/cwsalpha.txt
NOTE: As I have over 3500 sites listed, sometimes a duplicate entry may be found which I am correcting but it will be slowAll sites listed here are either linked to sites that run exploits,are found in the code of CWS files that have been infested on computers,or their whois with their mostly faked owners and or emails areregistered to other domains that run the CWS exploits.
http://webhelper4u.com/CWS2/cwslists/cwsbyip.txt
NOTE: As I have over 1400 sites listed, sometimes a duplicate entry may be found.All sites listed here are either linked to sites that run exploits,are found in the code of CWS files that have been infested on computers,or their whois with their mostly faked owners and or emails areregistered to other domains that run the CWS exploits.
http://webhelper4u.com/CWS2/cwslists/cwsmasterlist.xlshttp://webhelper4u.com/CWS2/cwslists/groupssites.xls(Group spreadsheet contains the worst of the worst)Anything in red indicates a zero day exploitWhois History Time Line of the Klik Gang and RoguesAnti Spyware Appshttp://webhelper4u.com/CWSDiaries/Rogues_and_Klik_gang1.pdfRogues covered are:Adwarebazooka.comadwaredelete.comAdwarepunisher.comantivirus-gold.comantivirus-gold.comHitvirus.comrazespyware.netRemedyantispy.comspydemolisher.comSpyiblock.comspysheriff.comspytrooper.comspywareno.comthespyguard.comAll call:traffweb.biz/dl/error.phpFirst zero day exploit:traffweb.biz/dl/adv799/fillmemadv799.htmtraffweb.biz/dl/adv799/bag.htmSecond zero day exploittraffweb.biz/dl/xpladv799.wmfCHM exploittraffweb.biz/dl/adv799/x.chmByteVerify Java Exploittraffweb.biz/dl/adv799/loaderadv799.jar Main Trojan Installertraffweb.biz/dl/adv799/win32.exeAll these sites belong with the above traffweb and all call the traffweb.biz85.249.19.122wwise.bizjason coffman Philadelphia PA US admin @ iframecash.biz85.249.19.1228-extreme.biz Gaylen Goldston Belle Plaine KS US admin @ toolbarweb.biz85.249.19.122Gaylen Goldston Belle Plaine KS US abuse @ 8-extreme.biz5-extreme.biz 4-extreme.biz 7-extreme.biz 6-extreme.biz 3-extreme.biz 2-extreme.biz 1-extreme.biz85.249.19.121extrememoney.bizHenry Nery Henderson NV US darkgt @ mail.rutraffbest.biz traffbucks.biz traffcool.biz traffdollars.biz traffmoney.biz traffnew.biz traffsale1.biz traffweb.biz /progs/ms1.txtkl.txtsecure32.htmlhosts.txttoolbar.txtde.txtau.txtus.txtit.txtpaytime.txttool1.txttool2.txttool3.txttool4.txttool5.txtReplacement for game4all.biz217.107.217.184 traff4all.biz D B kog omsk RU test @ test.ua
look.jpg Webhelper
Link to comment
Share on other sites

  • 3 weeks later...

Webhelper CWS Sites Lists Updates 6 April 2006Text format:http://webhelper4u.com/CWS2/cwslists/cwsbyip.txthttp://webhelper4u.com/CWS2/cwslists/cwsalpha.txtExcel Spreadsheet format: contains complete historieshttp://webhelper4u.com/CWS2/cwslists/cwsmasterlist.xls Size 972KBIn the spreadsheet, I have all new ones under the Sites Added April 2006 tabThis also includes the highconvert.com/instllme John Miller aka sp2f(word).biz new sites, vip01.biz to vip15.biz. I will go into more detail later but we must block the IP as the files all come from that and is called from traffweb.biz and installs desktop hijack for alfacleaner and drops what we call the BigBlue identity theft keyloggers named for the IBM000#.dll files and transmits to the instme.biz IP via FTP the users email logins, passwords and protected storage data. They are right now in the middle of changing their methods and I have been watching them in real time That is how far ahead of them I am now compared to last year. Like the transponder gang of old, if they sneeze I am going to know it.The JFP Group tab is the John Miller, Nick Fedorov, Vasiliy Pupkin. The cactus tab is the traff4all,game4all aka vxiframe crew.As a treat in August of 2005, we uncovered a document in Russian at instme.biz and just last Friday at highconvert.com we snagged an updated copy of how they operated in Russian (Sunbelt-software has many who speak a lot of languages )August 2005http://www.webhelper4u.com/CWS2/jcactusdimpy/crims.pdfApril 2006http://www.webhelper4u.com/CWS2/jcactusdim..._Adware_v01.pdfAnyway, it refers to the yapsearch.com which also includes the yapbrowser.com which they bill it as safe:"..There is a 100% guarantee no system infection will occur when using our software. YapBrowser is the only browser which gives you safe search and browsing capabilities..."The install popup will get you:YapBrowser is FREE,thanks to Zango. Why? Because it’s paid for by advertising.Now the document in Russian on highconvert that runs the worst exploits and has all the traffweb and james wurster sites and also deals in kiddie porn at their russian sites along with identity theft key loggers and wmf exploits has Zango on board with them.As I use to ssay I am the Keeper of the Internet Histories and the Webhelper sees all!Reprinted with permission by Webhelper

Link to comment
Share on other sites

  • 2 weeks later...

Webhelper: Transponder Gang 2006 Final ChapterAnd so it now begins once again after reading the 5 exhibits of emails referencing me since 2004 by the Transponder Gang............Main Menuhttp://webhelper4u.com/transpondergang2006/index.htmlWrite ups and Spreadsheets of Transponder and their distributors sites.Exhibit e76 24 March 2004. Email from the owners of Cosmicvillage about my finding on 18 March 2004 where an activeX secretly installed the twaintec variant for getting a Free Astrology reading at CosmicVillage.comhttp://webhelper4u.com/transpondergang2006...dexhibit76.html

Edited by TeMerc
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...