The culprit, a little-known application that masquerades as an anti-spyware blocker, is called SpyStopper. If I'm correct, it's been surreptitiously installing three CWS (Cool Web Search) trojans each time my rig boots (or each time the application is activated). To understand just how notorious CWS trojans are, allow me to quote the author of the only effective defense against CWS intrusions, Merijn, who also wrote, amongst other applications, HijackThis and the widely respected CWShredder application:
There is one particularly bad piece of spyware that has been grouped into a family known as "coolwebsearch". CWS is an extremely well written, extremely hard to kill piece of spyware. It is so "hooked" into the system that until CWShredder came around, some people wrote it off as impossible to remove without breaking windows.
Here's a quote from InfoWorks Technology Company website, the makers of SpyStopper:
Hackers, advertisers, and corporations may use Web bugs, spyware, adware, cookies, worms, advertisements, scripts, and other intrusive devices to gain access to your information and invade your privacy. SpyStopper is designed to block those devices that are used to track and profile you.
I've been running CWShredder for almost as long as I've been running SpyStopper; until last night I couldn't work out why the CWS trojans kept returning. I didn't know why the updater for CWShredder always went dead when other online updaters worked perfectly fine.
During a version update of SpyStopper, I deactivated the old version and forgot to reinstall the new one. I was offline, so I ran CWShredder purely out of habit. I noticed CWShredder was running much faster than usual and it kept telling me my rig was CWS trojan free. I also noted that SpyStopper wasn't installed. That's when I went back online and tried the CWShredder updater and it worked (for the first time ever!). I then reinstalled the updated version of SpyStopper v3.0 and to my amazement the CWS trojans had returned, while the CWShredder updater went dead again. (v3.0 now contains three CWS trojans, as opposed to the one contained in v2.75).
I know this is a pretty serious accusation so before I land myself in legal chicken soup with InfoWorks Technology Company, I am going to ask as many of you as possible to confirm or dismiss this discovery by participating in a little experimentation.
First off, go to the InfoWorks Technology Company site and download their 15 day evaluation trial of SpyStopper v3.0. Then surf over to Spywareinfo.com, scroll down to the fourth box and download Merijn's CWShredder (the latest version is v1.59). Whilst you're over there, take the time to read up about CWShredder and the CWS trojans if you're not already familiar with them.
Now here's the part where you need to be diligent. Before you install SpyStopper, run CWShredder to ensure there are no other CWS trojans already residing on your rig (CWS is prolific with more than 40 known variants, so don't be surprised if you find at least one). Once CWShredder has done its sweep, install SpyStopper and run CWShredder again. If my suspicions are correct, you will find CWShredder will flag up three variants of CWS trojans as a result of running SpyStopper:
Deactivate SpyStopper & run CWShredder, you'll notice all three trojans have vanished. Reactivate SpyStopper, run CWShredder again... and the trojans are back.
At this point I have to raise my hand and confess that I don't know if the trojans are already on my rig and are being 'triggered' inadvertently by SpyStopper's activation, which seems far-fetched, but this is where I need your help (I deactivated SpyStopper from launching at boot and got a clean sweep from CWShredder every time).
It's amusing and deeply ironic that InfoWorks Technology Company see fit to ensure the trojans only run when their 'anti-spyware' programme is running; nonetheless it casts a dubious shadow over all the applications they are selling. To add, each time SpyStopper boots, ZoneAlarm flags up an attempt by SpyStopper to establish itself as a server; this reinforces my suspicion that this application is doing much more than it 'says on the box', or the license agreement for that matter. I found this nestling in the agreement:
This software [the SpyStopper app?], and all accompanying files, data and materials [the trojans?], are distributed "AS IS" and with no warranties of any kind, whether express or implied. The user must assume the entire risk of using the program. This disclaimer of warranty constitutes an essential part of the agreement.
'All accompanying files, data and materials' could mean just about anything. It might absolve InfoWorks Technology Company from a legal standpoint, but it won't protect their reputation or their sales if they are genuinely bundling notorious CWS trojans with their so-called 'anti-spyware' applications. I can't think of a better way to insult your customers and take their money at the same time.
However, in defense of SpyStopper, the application 'does exactly what it says on the box' in a manner of speaking: it does 'block spyware, web bugs, worms, cookies, and other intrusive devices'. I've seen the number of ads and pop-ups virtually vanish. It works by using the 127.0.0.1 localhost loop-back trick by placing its own host file in the C:/WINDOWS folder. But in return, I believe, it holds an unforgivable secret which seriously undermines its claim to be a valid tool for spyware prevention.
Many thanks in advance for your participation, please post back and let me know your results.
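
The 127.0.0.1 loop-back blocking mentioned in the post works by mapping unwanted hostnames to the local machine in a hosts file. The following is an added example, not part of the original post and not SpyStopper's code: it parses hosts-file text and separates names sent to loopback from names pointed at some other address, so a reviewer can see exactly which hostnames an installed block list affects. The sample file and every hostname in it are constructed placeholders.

```python
import ipaddress

# Constructed sample in hosts-file syntax; hostnames are placeholders.
SAMPLE_HOSTS = """\
# sample blocking hosts file (constructed)
127.0.0.1   localhost
127.0.0.1   ads.example.net tracker.example.net   # two names on one line
0.0.0.0     popups.example.org
127.0.0.1   updates.example.com
203.0.113.7 search.example.com
not-an-ip   broken.example.com
"""

def _is_sink(ip):
    """True when the address sends traffic nowhere (loopback or 0.0.0.0)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified

def parse_hosts(text):
    """Return {hostname: ip} for every well-formed mapping in hosts-file text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # skip lines without a valid IP
        for name in fields[1:]:
            mapping.setdefault(name.lower(), ip) # keep the first mapping seen
    return mapping

def classify(mapping):
    """Split entries into blocked names and (name, ip) redirects elsewhere."""
    blocked, redirected = [], []
    for name, ip in mapping.items():
        if name == "localhost":
            continue                             # the normal loopback entry
        if _is_sink(ip):
            blocked.append(name)
        else:
            redirected.append((name, ip))
    return sorted(blocked), sorted(redirected)

def is_blocked(mapping, hostname):
    """True if hostname is mapped to a loopback or unspecified address."""
    ip = mapping.get(hostname.lower())
    return ip is not None and _is_sink(ip)

if __name__ == "__main__":
    blocked, redirected = classify(parse_hosts(SAMPLE_HOSTS))
    print("blocked:", blocked)
    print("redirected:", redirected)
```

Running the same functions over the hosts file a blocker installs shows whether a hostname you depend on, such as a tool's update server, is on its block list, and whether any name is pointed at an address other than loopback.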