Jump to content

SpyStopper: one anti-spyware's dirty little secret

  • Please log in to reply
3 replies to this topic

#1 Guest_IZON_*

  • Guests

Posted 28 June 2004 - 05:24 AM

Last night (26.06.04), by fluke I discovered that an anti-spyware application which I had paid for, registered and been using for the last 12 months had been committing the most heinous act of treachery against my beloved rig.

The culprit, a little known application that masquerades as an anti-spyware blocker, is called SpyStopper. If I'm correct, it's been surreptitiously installing three CWS (Cool Web Search) trojans each time my rig boots (or each time the application is activated). To understand just how notorious CWS trojans are, allow me to quote the author of the only effective defense against CWS intrusions; Merijn, who also wrote amongst other applications HijackThis and the widely respected CWShredder application:

There is one particularly bad piece of spyware that has been grouped into a family known as "coolwebsearch". CWS is an extremely well written, extremely hard to kill piece of spyware. It is so "hooked" into the system that until CWShredder came around, some people wrote it off as impossible to remove without breaking windows.

Here's a quote from InfoWorks Technology Company website, the makers of SpyStopper:

Hackers, advertisers, and corporations may use Web bugs, spyware, adware, cookies, worms, advertisements, scripts, and other intrusive devices to gain access to your information and invade your privacy. SpyStopper is designed to block those devices that are used to track and profile you..

I've been running CWSshredder for almost as long as I've been running SpyStopper, until last night I couldn't work out why the CWS trojans kept returning. I didn't know why the updater for CWShredder always went dead when other on line updaters worked perfectly fine.

During a version update of SpyStopper, I deactivated the old version and forgot to reinstall the new one. I was off line, so I ran CWShredder purely out of habit. I noticed CWShredder was running much faster than usual and it kept telling me my rig was CWS trojan free. I also noted that SpyStopper wasn't installed. That's when I went back on line and tried the CWShredder updater and it worked (for the first time ever!). I then reinstalled the updated version of SpyStopper v3.0 and to my amazement the CWS trojans had returned, while the CWShredder updater went dead again. (v3.0 now contains three CWS trojans, as appossed to the one contained in v2.75).

I know this is a pretty serious accusation so before I land myself in legal chicken soup with InfoWorks Technology Company, I am going to ask as many of you as possible to confirm or dismiss this discovery by participating in a little experimentation.

First off, go to the InfoWorks Technology Company site and download their 15 day evaluation trial of SpyStopper.v3.0 . Then surf over to Spywareinfo.com , scroll down to the fourth box and download Merijn's CWShredder the latest version is v1.59, whilst you're over there take the time to read up about CWShredder and the CWS trojans if you're not already familiar with them.

Now here's the part where you need to be diligent. Before you install SpyStopper run CWShredder to insure there are no other CWS trojans already residing on your rig (CWS is prolific with more than 40 known variants, so don't be surprised if you find at least one). Once CWShredder has done its sweep, install SpyStopper and run CWShredder again. If my suspicions are correct, you will find CWShredder will flag up three variants of CWS trojans as a result of running SpyStopper:

- CWS.Svchost32
- CWS.Smartsearch
- CWS.Jksearch

Deactivate SpyStopper & run CWShredder, you'll notice all three trojans have vanished. Reactivate SpyStopper, run CWShredder again..., and the trojans are back.

At this point I have to raise my hand and confess that I don't know if the trojans are already on my rig and are being 'triggered' inadvertently by SpyStopper's activation, which seems far fetched, but this is where I need your help (I deactivated SpyStopper from launching at boot and got a clean sweep from CWShredder every time).

It's amusing and deeply ironic that InfoWorks Technology Company see fit to ensure the trojans only run when their 'anti-spyware' programme is running, nonetheless it casts a dubious shadow over all the applications they are selling. To add, each time SpyStopper boots, ZoneAlarm flags up an attempt by SpyStopper to establish itself as a server, this reinforces my suspicion that this application is doing much more than it 'says on the box', or the license agreement for that matter; I found this nestling in the agreement:

This software [the SpyStopper app?], and all accompanying files, data and materials [the trojans?], are distributed "AS IS" and with no warranties of any kind, whether express or implied. The user must assume the entire risk of using the program. This disclaimer of warranty constitutes an essential part of the agreement.

'All accompanying files, data and materials' could mean just about anything. It might absolve InfoWorks Technology Company from a legal stand point, but it wont protect their reputation or their sales if they are genuinely bundling notorious CWS trojans with their so called 'anti-spyware' applications. I can't think of a better way to insult your customers and take their money at the same time.

However, in defense of SpyStopper, the application 'does exactly what it says on the box' in a manner of speaking, it does 'block spyware, web bugs, worms, cookies, and other intrusive devices'. I've seen the number of ads and pop-ups virtually vanish, it works by using the localhost loop-back trick by placing its own host file in the C:/WINDOWS folder. But in return, I believe, it holds an unforgivable secret which seriously undermines its claim to be a valid tool for spyware prevention.

Many thanks in advance for your participation, please post back and let me know your results.

#2 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,758 posts

Posted 28 June 2004 - 07:04 AM

Read this thread. It lists rogue antispyware programs.

Signature file is under revision. This will be back shortly.

#3 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,758 posts

Posted 13 July 2004 - 11:13 PM

Mods, please move bionnaki's post to Malware Removal. << Done!

Bionnaki, reboot into Safe Mode and run CWShredder.


Would some Helper care to take his log if he generates one?

Edited by dave38, 14 July 2004 - 01:17 PM.

Signature file is under revision. This will be back shortly.

#4 ArtDaNoob



  • New Member
  • Pip
  • 1 posts

Posted 21 July 2004 - 03:40 PM


I doubt very much if SpyStopper is responsible for the CWS trojan on your system. I have used SpyStopper for over two years, and it has never installed any unwanted scumware on my system. I'm on version 3.0, and always come up clean every time I scan with AdAware, Spybot S&D, A Squared, and any other malware detector I've run. I think maybe you picked up that nasty little bug someplace else.

Here's a copy of my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 4:04:20 PM, on 7/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SpyStopper\spystopper.exe
C:\Program Files\QuickTime\qttask.exe
C:\D'Ld PROGRAMS\TitleBarClock Pro\Tbcpro.exe
C:\D'loaded Tools\BHODemon2.0\BHODemon.exe
C:\Program Files\Memento\Memento.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: (no name) - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - C:\D'LOAD~3\IDA\idaiehlp.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster3.2\sbautoupdate.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: BHODemon 2.0.lnk = C:\D'loaded Tools\BHODemon2.0\BHODemon.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: messenger.hotmail.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream...er/tdserver.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://www.microsoft...hy/clearadj.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{211D3366-75BD-4FE4-9E7C-C3C09A2D6A23}: NameServer =
O17 - HKLM\System\CS3\Services\Tcpip\..\{211D3366-75BD-4FE4-9E7C-C3C09A2D6A23}: NameServer =

BTW, BHODemon and SpywareBlaster are both recent installations, no older than 60 days max, so it can't be a case of them blocking any attempted malware installation by SpyStopper. In fact, since I've been using SpyStopper, I have had absolutely NO infection with any kind of spyware or trojan, and less than 10 popup ads. Granted, I'm very careful about where and how I surf, and no one but me uses this computer. And except for two times when Spy Stopper became a bit unstable and had to be re-installed, I've been very happy with the program.

Hope this helps to answer your question.


Member of UNITE
Support SpywareInfo Forum - click the button