Web-Nexus winsync invisibility etc.


30 replies to this topic

#1 leoff.rus


Posted 24 September 2005 - 12:39 PM

Yes I have read the FAQ.

I have some general questions about the most recent incarnation of the Web-Nexus "winsync" adware suite. Of course I
expect Spybot or Ad-Aware to start handling this problem soon, but meanwhile I'd really like to learn a little more about
how this rat works. I wonder if somebody could fill me in, or point me to the right forum (I'm new to spywareinfo).

Note that a Google search on "winsync" generally finds material on previous versions (e.g. the file "datadx.dll" hasn't been
used for some time). The last version was probably released in July-August. The current version, with which I'm having
problems, was probably released in late August - early September and has (of course) some enhancements. Questions
follow:

(1) none of the four adware files I’ve identified (2 .exe, 2 .dll, all in WINNT\System32) are displayed by Windows (XP)
Explorer nor found by its “search” function (of course options are set to “view hidden files”, etc). I really don’t think settings
in <<<HKCU\SOFTWARE\Microsoft\Current Version\Explorer\Advanced>>> are pertinent to this problem, because if I
create a perfectly innocuous file, say an empty “.txt” file, in an entirely unrelated folder, e.g. c:\junk\junk, and then re-name
this file to the same name as any of the virus files (e.g. lplgkd.exe - names are (semi)randomly generated), it instantly
disappears from the Windows display (but still exists, of course. DOS can still see it, and if I try to create a second one
Windows will say “file already exists”). This happens so quickly it’s difficult for me to believe that an executing program is
continually scanning the file system and setting some file-specific flag; also, if I kill the executing virus processes (as in
next question) display of the filename is recovered. I wonder if anyone knows what mechanism(s) are used to accomplish
this invisibility?

(2) If I (2.1) set msconfig to "Selective Startup" with "load startup items" disabled, then (2.2) restart and delete the two
.exe files from WINNT\System32 and delete their registry entries from <<<HKLM\SOFTWARE\Microsoft\Active Setup\
Installed Components>>> and <<<HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg>>>, and finally
(2.3) disconnect and re-connect the power, then (2.a) Windows reports no printer is configured if I try to print, and the
printer configuration wizard fails, and (2.b) if msconfig is set to "normal startup" and Windows restarted, all deleted files
(all 4 if you delete all 4) and the startupreg entry (probably moved to <<<HKLM\SOFTWARE\Microsoft\Windows\Current
Version\run>>> with the other entries for "normal startup") are restored (the installed components entry is not). I take this
to mean there exists at least one more executable I've not yet identified. Does anyone know where this (these) file(s)
are located or from where in the registry they're started? Can you tell me any more about the tie-in to printer config?

(3) Task Manager does not report the executing winsync task(s). About 2 versions of winsync back Ad-Aware used
to report them but now does not. I don't know if that's a change to Ad-Aware or to winsync - unfortunately I updated
Ad-Aware on top of my earlier version. Can somebody tell me how winsync is keeping Task Manager from displaying
its process(es)?

If anyone would like to catch the latest version of Web-Nexus' winsync adware I have a procedure that's been pretty
reliable for me (warning - it's not for the squeamish). Or if anyone can enlighten me on any aspect of this (or other, if any)
Web-Nexus product(s), I'd appreciate it.

#2 Swandog46


Posted 24 September 2005 - 11:36 PM

Hi leoff.rus :)

Antivirus vendors and others classify this infection as the Qoologic trojan. A run of Ewido Security Suite in Safe Mode usually renders it harmless or removes it. It has a number of rootkit-like effects, including hiding its files and registry entries in normal mode, as you noted. If you are asking me exactly how it does this, I don't know. I haven't reverse engineered it, but I would imagine that like any other rootkit, it intercepts calls to the kernel API and simply is programmed to "filter" itself out of them in some way. I do know where all the autostarting files are. They are here:

1) One running from the 'winsync' registry key, a random EXE in %system% directory
2) A DLL running from the 'autoupdate' registry key, usually wuauclt.dll in %system%
3) A four-letter random EXE running from the All Users global startup folder

There are lots of other files and registry entries thrown around, but these are the autoloading ones. I don't think it has anything to do with printer configuration...

Does this help?

Google for "Qoologic" and you'll find some of the AV vendors' summaries as well. :)
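The post above lists the autostart locations and the first post describes the tell-tale symptom (a file that Explorer cannot list but that "already exists" when you try to create it). As an added example, not code from the thread or from Web-Nexus, this PowerShell script (assumed: Windows PowerShell 3 or later, run as Administrator; the registry paths and value names `command` and `StubPath` are the standard ones for those keys) walks those locations and applies that cross-view check to every file they reference:

```powershell
# Added example: cross-view check of autostart entries.
# Listing view = what Test-Path / Explorer enumeration reports.
# Create view  = what an exclusive CreateNew on the same name reports.
# A user-mode filter that drops a name from directory enumeration fools the
# first but not the second, which fails with ERROR_FILE_EXISTS.

$Sys = "$env:SystemRoot\System32"
$Locations = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg',
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
)
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-HiddenFromListing {
    param([Parameter(Mandatory)][string]$Path)
    if (Test-Path -LiteralPath $Path -PathType Leaf) { return $false }          # visible: nothing to flag
    if (-not (Test-Path -LiteralPath (Split-Path $Path -Parent))) { return $false }  # no such directory
    try {
        # Probe: CreateNew succeeds only if the name is really free on disk.
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::CreateNew)
        $fs.Dispose()
        Remove-Item -LiteralPath $Path -Force        # we created it; undo the probe
        return $false
    } catch [System.IO.IOException] {
        $ex = $_.Exception
        while ($ex -isnot [System.IO.IOException] -and $ex.InnerException) { $ex = $ex.InnerException }
        # 0x80070050 ERROR_FILE_EXISTS, 0x800700B7 ERROR_ALREADY_EXISTS: present but not enumerable
        return ($ex.HResult -in -2147024816, -2147024713)
    }
}

function Get-AutostartFiles {
    # Yield every .exe/.dll path referenced from the locations above.
    foreach ($key in $Locations) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $commands = @()
        # Run keys: one value per entry. startupreg / Installed Components: one
        # subkey per entry, with the command line in 'command' or 'StubPath'.
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($p.Name -notin $ProviderProps -and $p.Value -is [string]) { $commands += $p.Value }
        }
        foreach ($sub in Get-ChildItem -LiteralPath $key) {
            $v = Get-ItemProperty -LiteralPath $sub.PSPath
            foreach ($n in 'command', 'StubPath') { if ($v.$n) { $commands += [string]$v.$n } }
        }
        foreach ($cmd in $commands) {
            # Full paths (quoted or not) or bare names; bare names resolve to %system%,
            # which is where the thread reports the random-named files living.
            foreach ($m in [regex]::Matches($cmd, '(?i)[a-z]:\\[^"]+?\.(?:exe|dll)|[\w.-]+\.(?:exe|dll)')) {
                $path = [Environment]::ExpandEnvironmentVariables($m.Value)
                if ($path -notmatch '^[a-zA-Z]:\\') { $path = Join-Path $Sys $path }
                [pscustomobject]@{ Source = $key; Command = $cmd; Path = $path }
            }
        }
    }
}

$results = foreach ($entry in Get-AutostartFiles) {
    [pscustomobject]@{
        Path              = $entry.Path
        HiddenFromListing = Test-HiddenFromListing -Path $entry.Path
        Source            = $entry.Source
    }
}
$results | Sort-Object Path -Unique | Format-Table -AutoSize
$results | Where-Object HiddenFromListing |
    ForEach-Object { Write-Warning "present on disk but not enumerable: $($_.Path)" }
```

The All Users Startup folder named in the post is not covered because a filtered enumeration hides its entries from this script too; that location has to be checked from Safe Mode or offline.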

#3 leoff.rus


Posted 26 September 2005 - 08:58 AM

A little, thanks. FYI:

1) I don't think the name of the file in D&S\All Users\...\Startup, "nank.exe" is random. WebNexus has been using that
name for some time. They used to put it as a visible file in WINNT\pss. After it disappeared I assumed it was no
longer used but wow! there it is invisibly where you said.

2) I didn't realize the wuauclt.dll file was associated with this problem. I've had it renamed for some time and it doesn't
get restored, so I was ignoring it. I hesitate to fully delete anything until I more-or-less fully understand the problem. Also
note it stays visible. WebNexus seems to like to name their visible files very close to names of legal Microsoft files,
as apparently in this case.

3) I still believe there's a 2nd .exe associated with this problem in \WINNT\System32. (3.1) It's invisible, which already
makes it guilty in my opinion and (3.2) It gets restored by the mystery process along with the other .exe there when deleted.
As I mentioned it's referenced from ...\Active Setup\Installed Components. However, its registry reference doesn't seem
to get restored like "winsync" does when deleted. Name seems to be (7 random characters).exe. Note (6-char) name of
other executable is not quite random. 1st and 3rd characters have been identical in at least the last 3 versions of this, at
least on my system. There are also at least 2 .dll's in WINNT\System32, both invisible, as I said.

When I rename nank.exe and move the result from Startup, delete winsync entry from registry, disconnect and reconnect
power, and restart in "selective startup" mode without startup items, files still get restored and WebNexus adware/spyware
process started. I suppose I'll check Ewido, and Google "Qoologic". I really prefer to understand how something is
working, especially when neither Ad-Aware nor SpyBot recognize it. WebNexus seems to be devoting some significant
resources to upgrading their product, judging by the recent frequency of updates.

Anyway, thanks for info.

#4 Swandog46


Posted 26 September 2005 - 11:43 AM

Hi leoff.rus :)

I don't think the name of the file in D&S\All Users\...\Startup, "nank.exe" is random.

I guarantee it is. I have infected myself with this infection many times, and I get different filenames. It may not be random for you, on one particular machine, because the name is basically hashed from certain system characteristics, so if you re-infect the same machine over and over again, you might get the same name, but on two totally separate machines you will get different names.

I didn't realize the wuauclt.dll file was associated with this problem.

Yes. wuauclt.exe is the legitimate Windows Update client application. wuauclt.dll is Qoologic. :)

WebNexus seems to like to name their visible files very close to names of legal Microsoft files,
as apparently in this case.

Exactly right. :)

I still believe there's a 2nd .exe associated with this problem in \WINNT\System32.

Yes, there is usually a second EXE there, and a few DLLs and DATs which are also related, but they are random. I may not have mentioned that in my first post.

As I mentioned it's referenced from ...\Active Setup\Installed Components.

Also exactly right. It also throws in an HKCR\CLSID usually.

#5 MadMax706


Posted 15 November 2005 - 01:24 AM

Hi,

I am new to the group. I just spent the weekend tracking down a rather malicious adware which, through the help of a friend of mine, I came to realize was Web-Nexus.

I have for about the last four or five years, taken a few days out twice a year to track spammers back to their home address and telephone numbers. I do this so that the information can be used in combating illegal spamming.

But, after battling what to me is an evil, evil program, (read web-Nexxus) I find that I am now more determined to learn all I can about the software which did not announce itself, or ask for permission to install. In the end I used the Web-Nexus removal tool, which I am aware more likely than not installed a more subtle, but equally vicious program onto my computer.

I'd like to share some of the things I observed, during my bumbling attempts to fix this. So since I am not the most proficient computer person, I'll beg your forgiveness for my ignorance in advance. Please forgive my lack of technical expertise.

To my knowledge, I did not click on any screen authorizing the installation of this software. I believe I picked it up while doing research for a case (reading a rather mundane article on a to remain nameless website) I did click a text link in the article. (to get more information regarding that topic.) It was immediately after this that the pop ups began.

I noticed that when I set Zone Alarm (without which I would have never identified the files involved) to notify me of every alert, SKYPE, my messaging service, suddenly became very active, trying to send data to various IPs around the world. Does anyone know if it could have been web nexus related? I trust skype as a program of course.. but just wondering if WN was using some sort of exploit to send data.

I understand that there must be a keystroke logger function, as WN advertises essentially that. I presume from an advertising standpoint it is how they do their targeted marketing. But do they also record passwords etc.? Just wondering if anyone ever dissected it to see if there was a data retrieval function that might utilize chat programs to send the data.

I've read some previous posts and I agree that WN definitely randomizes the names, which actually helps identify related files. On my infection over this past weekend, the files were kpkyiy.exe, ioip.exe, vwvqa.dat and aiaqoqa.dll and a few others which to be honest I didn't pay close enough attention to.

I believe that when I attempted to destroy the program it evaded destruction by renaming itself.

Since when the infection happened none of my anti virus or adware programs made a dent, I tried to track down related files by searching for kpkyiy.exe and looking at it with a hex editor. It didn't tell me anything interesting (because I have no idea what any of it means) but what I did see were some kind of unique "signatures" at the top of the file. Basically it said, this file must be run in win32, and then a few other characters and such.

I was able to compare the kind of writing style of this file right down to the spacing and punctuation of the kpkyiy.exe file. This told me (me not being a coder, I am guessing here) that the person that coded these files input the same information over and over again, kind of like a header on a letter.

I isolated the files I described above and a few other things and after another day of trying figured out that the definition of spyware allows for hostile software, provided it can be found on the ad-remove program's list. It took just 30 seconds to find a suspicious title on my ad-remove list. WEB_NEXUS of course.

Hence this was not classified as spyware by any of my programs.

I eventually succumbed and rather than wipe my drive went to the Web-nexus.net web site and used their remover. Their software set off my antiviral alerts. I used it anyway and will follow up with more research to see if I can locate any other installed malware.

So my questions are:

Has anyone else experienced non-consensual installation of this program?

Does anyone think that this software (web-nexus) is hijacking programs like skype to send data?

Has anyone else observed the program changing names when you try to delete it?

Has anyone else had difficulty connecting to the web when you try to delete some of the files for WN? (It happened to me a number of times. I found the solution through trial and error.)

Does anyone know who the author of this software is? Is the software signed? I know that the software has a homepage of www.web-nexus.com, but does anyone have a person's name? Or phone number for the company? Any intel on them would prove interesting I think.

Have there been any examples of more nefarious types using this software as a vehicle/cover to install something worse than just adware?

OK well, long first post. My apologies for the spelling but I am asleep at the keyboard!

backintothebush

the original

MADMAX :rant:

#6 Free Mind


Posted 24 November 2005 - 11:39 AM

Hi,

HI Max,

I got the same problem.

There was an installation without any consent on my part.
I suspect I got it when I was trying to listen to some MP3 examples on a Web site I can't remember.
Or I got it with installation of bundle iTunes.

Anyhow, I did a WHOIS search and found the following information about the company and their ISP hosting company:


Veb Majstor is not a name but 'Web master'; however, the address may be real.

If you do google search on 'Djure Danicica 6 Banja Luka RS 51000 qoologic' you come to the link
http://support.moonp...sified_vx2.html

The guy who posted it tracked them before and they called themselves Qoologic, having the same address listed in the registrar.

I actually sent them feedback through their feedback form asking them to post a real uninstall, because their uninstall is fake and remains resident in memory doing something. I don't suppose I'll receive a response, but advised them that if in 7 days there is no written response they may face legal action.

Of course being in Bosnia they may have no fear, I guess.

In the meantime I used Microsoft Beta2 and tracked that something called 'yoqwak.exe' was running on startup.
Blocking it was not enough and there was no such file, but there was 'yoqwak.pif' which is executable as well.
So I deleted it and also found some dat file starting with 'q' that I deleted as well. In Microsoft Beta I removed the registry entry that was responsible for running it (it is invisible in Registry Editor).

I will see if it will come back.

One sure way to find out if it is still there is to do a google search on 'web nexus removal'. I think it is watching for it and always pops up.

Will post more if I have news.

#7 webnexus


Posted 28 November 2005 - 11:02 AM

Uninstaller located at www.web-nexus.net/uninstall.php [Link disabled - cnm] works flawlessly, and it's guaranteed Trojan/Virus free.
All those AdWare-Remover applications that classify our Uninstaller as something malicious actually speak about their authors and their programming knowledge.

Web Nexus does not work with secure web pages nor does it collect data from HTML fields (passwords and similar data).

All the hiding techniques are not harmful nor do they aim against the PC user - they are just our response to a bunch of yappi Adware removers or competitors.

Edited by cnm, 28 November 2005 - 04:47 PM.


#8 Avohir


Posted 28 November 2005 - 01:36 PM

Uninstaller located at www.web-nexus.net/uninstall.php [Link disabled - cnm] works flawlessly, and it's guaranteed Trojan/Virus free.
All those AdWare-Remover applications that classify our Uninstaller as something malicious actually speak about their authors and their programming knowledge.

Web Nexus does not work with secure web pages nor does it collect data from HTML fields (passwords and similar data).

All the hiding techniques are not harmful nor do they aim against the PC user - they are just our response to a bunch of yappi Adware removers or competitors.


So... I'm to take the word of a virus writer that the removal for the virus is virus free.

anyone else see a problem with that line of reasoning? :wtf:

being one of those "yappi adware removers", I have a number of things I'd love to say to you as an individual who's had to remove your trash from more systems than I care to think about. Unfortunately, this is a family friendly forum, so let me just say that I hope you get some karmic retribution in the form of a collision with a large motor vehicle of some sort

Edited by cnm, 28 November 2005 - 04:49 PM.


#9 Swandog46


Posted 28 November 2005 - 01:49 PM

Gee thanks so much for being helpful, representative-from-company-that-makes-Qoologic-infection. Say, you want to help us out even more? Stop making unwanted software that installs without user's permission through exploits and bundles, and obstructs attempts to remove it.

All the hiding techniques are not harmful nor do they aim against the PC user - they are just our response to a bunch of yappi Adware removers or competitors.

Right. I suppose the popups do not "aim against PC user" either, right?

#10 Trilobite


Posted 28 November 2005 - 04:16 PM

All the hiding techniques are not harmful nor do they aim against the PC user...

:rofl: :rofl: :rofl: :rofl: :rofl: :rofl: :rofl: :rofl: :rofl: :rofl: :rofl: :rofl: :rofl: :rofl: :rofl: :rofl: :rofl: :rofl: :rofl:
To quote mythbusters: “I reject your reality and substitute my own”.

#11 TheJoker


Posted 28 November 2005 - 04:26 PM

Resistance is futile, you will be removed.



#12 Flrman1


Posted 28 November 2005 - 04:52 PM

All the hiding techniques are not harmful nor do they aim against the PC user

Worse than a dang politician. Like it depends on what the meaning of the word "not" is! :rofl:

Would you be interested in some prime swampland? :whistle:

#13 webnexus


Posted 28 November 2005 - 05:24 PM

Hello again :cool:

You can view comments from a third party regarding the validity of the uninstaller here:
http://www.bleepingc...showtopic=28970


PS. Have any of you guys actually tried our product, out of curiosity... on a test PC? :huh: That will put your concerns to rest.

#14 miekiemoes


Posted 28 November 2005 - 06:07 PM

Tried your product?? :huh: I almost choked in my coffee.
You are kidding right?

Or do you mean the uninstaller? Why use it if we can get rid of it in another way?

#15 Swandog46


Posted 28 November 2005 - 06:24 PM

I didn't say the uninstaller didn't work --- it might work; I haven't tried it. The problem is that your "product" (I put "product" in quotation marks because it's really not a PRODUCT --- it's really a TROJAN, as most antiviruses flag it) forces itself on users without consent, hijacks normal computer usage, and obstructs removal by the normal, sensible means that any legitimate program permits. I suggest that instead of making a successful, malware-free uninstaller you work on a successful, malware-free software product to begin with.

#16 Avohir


Posted 28 November 2005 - 06:59 PM

Hello again :cool:

You can view comments from a third party regarding the validity of the uninstaller here:
http://www.bleepingc...showtopic=28970


PS. Have any of you guys actually tried our product, out of curiosity... on a test PC? :huh: That will put your concerns to rest.


oh yes, I think I'll "try out your product"

incidentally, I'm also trying to contract ebola so I can work my way through med school... :rolleyes:

#17 Jacee


Posted 29 November 2005 - 11:46 AM

All the hiding techniques are not harmful nor do they aim against the PC user - they are just our response to a bunch of yappi Adware removers or competitors.


Not harmful? I can't imagine any PC user wanting this utter garbage on a computer they bought....such audacity leaves me speechless :grrr:

http://vic.zonelabs....s.jsp?VId=43264



#18 Gnmpf


Posted 29 November 2005 - 12:25 PM

Tried your product?? :huh: I almost choked in my coffee.
You are kidding right?

Or do you mean the uninstaller? Why use it if we can get rid of it in another way?


Don't drink coffee if you read this bullshit :lol:

If anybody is interested in the result of an online virus scan:

Avast 4.6.695.0 11.29.2005 Win32:Qoologic-T
AVG 718 11.29.2005 no virus found
Avira 6.32.0.6 11.29.2005 no virus found
BitDefender 7.2 11.29.2005 no virus found
CAT-QuickHeal 8.00 11.29.2005 (Suspicious) - DNAScan
ClamAV devel-20051108 11.29.2005 no virus found
DrWeb 4.33 11.29.2005 no virus found
eTrust-Iris 7.1.194.0 11.29.2005 no virus found
eTrust-Vet 11.9.1.0 11.29.2005 no virus found
Fortinet 2.48.0.0 11.29.2005 suspicious
F-Prot 3.16c 11.28.2005 no virus found
Ikarus 0.2.59.0 11.29.2005 no virus found
Kaspersky 4.0.2.24 11.29.2005 no virus found
McAfee 4639 11.29.2005 no virus found
NOD32v2 1.1307 11.28.2005 no virus found
Norman 5.70.10 11.29.2005 no virus found
Panda 8.02.00 11.29.2005 no virus found
Sophos 4.00.0 11.29.2005 no virus found
Symantec 8.0 11.29.2005 no virus found
TheHacker 5.9.1.046 11.29.2005 no virus found
VBA32 3.10.5 11.29.2005 no virus found

Trying it? I don't ... Internet Connection needed lol

#19 jedi


Posted 29 November 2005 - 12:53 PM

Oh, what a surprise! :gack:

Well, I've yet to meet a single person who:
[a] Asked for this crud to be installed on their PC.
[b] Didn't want it removed when they found it there.

I will continue to remove it by our own methods whenever and wherever I find it.

Yap yap! :lol:
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#20 Free Mind

Free Mind

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 29 November 2005 - 01:10 PM

I didn't say the uninstaller didn't work --- it might work; I haven't tried it. The problem is that your "product" (I put "product" in quotation marks because it's really not a PRODUCT --- it's really a TROJAN, as most antiviruses flag it) forces itself on users without consent, hijacks normal computer usage, and obstructs removal by the normal, sensible means that any legitimate program permits. I suggest that instead of making a successful, malware-free uninstaller you work on a successful, malware-free software product to begin with.



Hey Guys,
It's all wrong! We just not getting it. People at Qoologic/Web-Nexus honored us to visit this forum and give us a brotherly hand! By the way I was stupid enough trying to run their uninstaller about 3 times and it failed every time until I realized that the problem was in my proxy settings. I work as a Web programmer in big corporation and our company has restricted access to the internet via proxy protected with the password.

So, finally I figured out that Web-Nexus uninstall is not smart enough to understand it and abruptly fails leaving itself resident in memory when it tries to do its 'work'. What exactly work it does I do not know, but when I ran it at home (it's notebook, alright! good luck for those who get it run on desktops) with proxy turned off their uninstaller finished its work and removed itself (uninstaller I meant)

Now, I am going to leave my curses to the end and list what I found out about the behavior of Web-Nexus for those who are impacted. I myself was severely impacted: being a Web programmer, I have to test my work in a Web browser, and I so 'enjoyed' the pop-ups that I almost decided to re-image my notebook.
The problem for me was that our company has all the computers serviced by IBM and it costs $500 bucks to re-image, plus I would have to re-install all the development software and e-mail, connect to all my projects and load them locally, etc, etc, which would take me a few days. And I can't afford that, working daily under pressure. The irony is that most of the Web-Nexus pop-ups failed because of the proxy password protection I mentioned, where I refused to provide the password on authentication. So, their 'product' never achieved its intended result when it tried to get info from the server; it did display some stuff that was loaded initially, and sometimes the proxy would display a warning instead of content when Web-Nexus was going (I guess) to casino or porno sites, as the proxy monitors site ratings. So, nothing but irritation I had. But enough of complaining...

What I found out:
1. It consists of multiple files that are randomly named. It runs itself from a registry entry as "winsync" that points to the executable file. In my case it was YOQWAK.EXE-154CE1A0.pf in the C:\WINDOWS\Prefetch folder.
This file was not deleted by uninstaller and I have attached it. It may have been changed by it, though.
Once in memory, it hides registry entry and itself from the list of the processes in task manager. So, the program attaches itself to all system processes and thus slows down the performance.
2. It does have a paired dat file. In my case it was gygpu.dat in Windows\system32 directory. This file was removed by uninstaller. There could be others.
3. There was a 'pqwx.exeCommon Startup' (exact name) in the Windows\pss directory. This directory also included backup copies of boot.ini, win.ini, and system.ini. This directory, its files and backups were not removed by the uninstaller. I have attached the pqwx file. This file was trying to install itself on some weird schedule, but I instructed Microsoft Antispyware to forbid that. I guess that the role of this file was to recreate the other files, and it could be more than one file that was doing that kind of background work.

The results: Web-Nexus was able to persist and recreate YOQWAK.EXE-154CE1A0.pf and gygpu.dat if they were deleted. I guess there is another executable I haven't caught that was doing this. One of the methods would be to leave these files in place and *deny access* to them, but I guess the Web-Nexus guys can work around it, if they haven't already.

Conclusion: the Web-Nexus Uninstaller works, but it is far from 'flawless'. It leaves traces behind like every other thief. The question, of course, is whether the traces are left on purpose, and what that purpose is.

From a non-technical perspective I noticed that the guy who represents Web-Nexus has very good English for someone from Bosnia... I saw another forum where another guy who said he represented Nexus was saying that it is a UK-based marketing company that has existed as long as the Internet has. Well, considering the fact that they have a host in California according to the trace, they may fall under US jurisdiction... someone from Bosnia would not get hosting from a US-based provider that easily. Another observation: all these guys who say they represent Web-Nexus insist they are honest and legit, so my guess is that there is a way to get them legally. They seem to be too concerned about their 'reputation' for common thieves. They are acting like ones: they sneak into your house (computer) and steal your time and money with it.
I leave this part to the US residents...

Or maybe we have to beg on our knees so Web-Nexus would include in their Uninstaller a prompt for getting authorized on the web proxy (why do they need to go to the Internet to do it anyhow)?! Or (and it is an amusing thought!) have them create a console application that can be run from a batch file with the proxy ID and password, which can be delivered to their server?! I just can't wait for the answer from the Web-Nexus guys as to what they are going to offer to uninstall their 'software' when proxy settings are on. Maybe they should start selling licences for uninstalling their wonderful product, so corporations can get a discount on bulk purchases? (I remember the Web-Nexus guy mentioning something about 'competitors' in the antispyware market)


Now for the curses part:
Let them, their families and all their heirs for ten generations suffer from misery, pain and death without forgiveness... Let it be... Let it be... Let it be...

#21 Free Mind

Free Mind

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 29 November 2005 - 01:51 PM

More on this:

I just received the following e-mail from Web Nexus <support@web-nexus.net> (sent yesterday)
with the following message:

<QUOTE>

Dear [my name],

Please open up Internet Explorer and download the latest version of our uninstaller from:

http://www.web-nexus.net/uninstall.php

OR

open up the uninstaller attached to this email and run it.


Prior running, please make sure that no firewall application is blocking our uninstaller.

Uninstaller is completely harmless and removes our application without hidden activities.

Thank you,

Web Nexus Support
</QUOTE>

OK, better late than never, they suggested that I have to "make sure that no firewall application is blocking our uninstaller", which by this time I had figured out myself.

Surely this version does not provide a cure for corporate computers that get infected.

Anyhow, if someone wants to write to Web-Nexus directly they now can. See e-mail above.

Good luck.

#22 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,573 posts

Posted 29 November 2005 - 05:51 PM

Free Mind,

We have other ways to remove this pest without using their uninstaller... I have NO faith that the uninstaller doesn't install a rootkit or other timebomb while it does its work... These people have no morals and will do whatever they can to collect money... It is quite possible that the uninstaller removes the obvious pest from your computer while installing bot software or some other more well hidden pest... Even if they can't make money off of you directly, they may try to find a way to steal from others using your computer...

You can certainly choose to use their uninstaller if you want, but I would not let it have access to my machine... This is even more true since they want you to turn the firewall OFF... :rant:
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#23 Indrid_Cold

Indrid_Cold

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 7,082 posts

Posted 29 November 2005 - 05:57 PM

Brings to mind a poem. 'Will you walk into my parlor said the spider to the fly'?

Hope is not a method.

If I have helped in some way, please consider donating to SpywareInfo's crusade against Malware See Here

Member of ASAP since 2004 Alliance of Security Analysis Professionals
Member of UNITE since 2006 United Network of Instructors and Trained Eliminators

 


#24 Flrman1

Flrman1

    Member

  • Trusted Advisor
  • Pip
  • 44 posts

Posted 29 November 2005 - 06:10 PM

I don't trust a malware uninstaller created by the author of the malware to start with. Add to that the fact that this one has to access the net to work ... well .... forget it .... I Will not trust it period!

#25 Jacee

Jacee

    Forum Deity

  • Expert
  • PipPipPipPipPip
  • 677 posts

Posted 29 November 2005 - 07:00 PM

I don't trust a malware uninstaller created by the author of the malware to start with. Add to that the fact that this one has to access the net to work ... well .... forget it .... I Will not trust it period!


Add to that... no firewall, while on the net :deal:

MS MVP Windows-Security 2006~2016


#26 Free Mind

Free Mind

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 30 November 2005 - 09:41 AM


I don't trust a malware uninstaller created by the author of the malware to start with. Add to that the fact that this one has to access the net to work ... well .... forget it .... I Will not trust it period!


Add to that... no firewall, while on the net :deal:


Hi everyone,

Thanks for trying to help.
I did use their uninstaller already, but I have a firewall at home (as well as at work).
I think they are using HTTP on port 80, which is always open, rather than TCP/IP, which is normally cut by firewalls. This is supported by the fact that removing the proxy from the browser settings let the uninstaller finish.

Regarding the concerns that they have had another drop on the machine, I let them do their worst.
Our networks are monitored by IBM and if one of the computers creates suspicious traffic they simply shut down its IP (they can also shut down the port on the hardware as well). If this happens I will have more evidence, and our company has pretty damn good lawyers to go after them.

In the meantime I already have their files kept on my machine and the email from their 'support' that can be tracked down to the originating host.

I have thought of an 'asymmetric' response to their invasion rather than using third-party removal tools.
No offense to people who work on the removal tools, but generally speaking, two industries of creating and removing this stuff live from one another. It is a symbiosis scientifically speaking...
It is a well known mob tactic: "pay us and we are going to protect you from other mobs".
The problem is whom you trust and whom you pay. There are too many companies around that claim that they can remove something that others can't... but you can't pay to every one of them. Technically you have to find the strongest one. I have an idea which one is better in this particular situation.
I am going to contact them and let them deal with Web-Nexus guys. Will keep you posted...

Cheers.

#27 Free Mind

Free Mind

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 30 November 2005 - 11:18 AM



I don't trust a malware uninstaller created by the author of the malware to start with. Add to that the fact that this one has to access the net to work ... well .... forget it .... I Will not trust it period!


Add to that... no firewall, while on the net :deal:


Hi everyone,

Thanks for trying to help.
I did use their uninstaller already, but I have a firewall at home (as well as at work).
I think they are using HTTP on port 80, which is always open, rather than TCP/IP, which is normally cut by firewalls. This is supported by the fact that removing the proxy from the browser settings let the uninstaller finish.

Regarding the concerns that they have had another drop on the machine, I let them do their worst.
Our networks are monitored by IBM and if one of the computers creates suspicious traffic they simply shut down its IP (they can also shut down the port on the hardware as well). If this happens I will have more evidence, and our company has pretty damn good lawyers to go after them.

In the meantime I already have their files kept on my machine and the email from their 'support' that can be tracked down to the originating host.

I have thought of an 'asymmetric' response to their invasion rather than using third-party removal tools.
No offense to people who work on the removal tools, but generally speaking, two industries of creating and removing this stuff live from one another. It is a symbiosis scientifically speaking...
It is a well known mob tactic: "pay us and we are going to protect you from other mobs".
The problem is whom you trust and whom you pay. There are too many companies around that claim that they can remove something that others can't... but you can't pay to every one of them. Technically you have to find the strongest one. I have an idea which one is better in this particular situation.
I am going to contact them and let them deal with Web-Nexus guys. Will keep you posted...

Cheers.


More on that:

I have just had proof that their uninstaller did not uninstall everything, or dropped something else:

from time to time (rarely) I am getting a prompt from the proxy server for authorization without navigating anywhere in the browser. This means that Web-Nexus is pretty much alive and kicking.
It's strange that these guys had a nerve to send me their 'uninstaller' by email...

#28 brianscook

brianscook

    Member

  • New Member
  • Pip
  • 1 posts

Posted 26 December 2005 - 07:34 PM

If anyone would like to catch the latest version of Web-Nexus' winsync adware I have a procedure that's been pretty
reliable for me (warning - it's not for the squeamish). Or if anyone can enlighten me on any aspect of this (or other, if any)
Web-Nexus product(s), I'd appreciate it.


I would love to receive this procedure from you. I was hit with Web-Nexus and SurfSideKick 3 at the same time (not sure where I went or why my adware, McAfee or XP firewall didn't prevent the installation), but now I have been fighting these buggers all day.

Thanks!

#29 Swandog46

Swandog46

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 10,190 posts

Posted 30 December 2005 - 10:35 AM

Please read the FAQ and post a log in the malware forum and a helper will be with you. :)

#30 reaction

reaction

    Member

  • New Member
  • Pip
  • 1 posts

Posted 21 January 2006 - 01:09 PM

Hi I have found some additional entries.
If you deleted the files specified in the last posts you should also try to delete these. (Note: they don't all have to be parts of Nexus.)

Delete:
C:\Documents and Settings\<<USER>>\Application Data\enc does\
WINDOWS\SYSTEM32\nexus exe name
Registry value with nexus exe name link inside:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

Also look for the nexus exe name in Windows\Prefetch\ and remove it (search with the standard Windows search routine, because filenames in Prefetch aren't identical).
Finally try to search for nexus exe name in registry and remove all found entries.
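The locations named in post #20 (the "winsync" Run entry, the System32 executable and .dat file, the Prefetch file, the Windows\pss folder) and in post #30 (the MUICache key and the per-user "enc does" folder) can be checked in one pass before anything is deleted. The script below is an added example written for this thread, not a tool from the forum or from Web-Nexus. It only reports; it removes nothing, so it can be run first to confirm what is actually present on a machine. It assumes the XP-era paths quoted in the posts (the ShellNoRoam MUICache key, Windows\pss, Application Data) and takes the per-infection executable name as a parameter because, as post #20 notes, the names are random; "yoqwak.exe" in the usage is the name from that post, used only as a sample.

```powershell
# Find-WinsyncTraces.ps1 (added example, not from the thread)
# Reports, without deleting, every location the thread says the adware touched.
# Run from an elevated prompt on the affected machine:
#   .\Find-WinsyncTraces.ps1 -ExeName yoqwak.exe
param(
    [Parameter(Mandatory = $true)]
    [string]$ExeName   # randomly generated per infection, so it is an input
)

$base  = [System.IO.Path]::GetFileNameWithoutExtension($ExeName)
$esc   = [regex]::Escape($ExeName)
$hits  = @()

# 1. Run keys: post #20 says it launches from a registry entry "as a winsync"
foreach ($key in @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')) {
    if (Test-Path $key) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match $esc) {
                $hits += "Run value '$($p.Name)' in $key -> $($p.Value)"
            }
        }
    }
}

# 2. MUICache (post #30): value names are full paths of executables the shell has run
$mui = 'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache'
if (Test-Path $mui) {
    (Get-ItemProperty -Path $mui).PSObject.Properties |
        Where-Object { $_.Name -match $esc } |
        ForEach-Object { $hits += "MUICache entry: $($_.Name)" }
}

# 3. Prefetch (posts #20 and #30): the file is NAME-<hash>.pf, so match on the stem
$pf = Join-Path $env:SystemRoot 'Prefetch'
if (Test-Path $pf) {
    Get-ChildItem -Path $pf -Filter "${base}-*.pf" -ErrorAction SilentlyContinue |
        ForEach-Object { $hits += "Prefetch: $($_.FullName)" }
}

# 4. The executable in System32, tested through .NET rather than the shell,
#    since the thread reports Explorer not displaying these files
$exePath = Join-Path (Join-Path $env:SystemRoot 'System32') $ExeName
if ([System.IO.File]::Exists($exePath)) {
    $hits += "Executable present: $exePath"
}

# 5. msconfig's startup backup folder: post #20 found '<name>Common Startup' there
$pss = Join-Path $env:SystemRoot 'pss'
if (Test-Path $pss) {
    Get-ChildItem -Path $pss -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match [regex]::Escape($base) } |
        ForEach-Object { $hits += "pss: $($_.FullName)" }
}

# 6. Per-user Application Data folder named in post #30
$encDoes = Join-Path $env:APPDATA 'enc does'
if (Test-Path $encDoes) { $hits += "AppData folder present: $encDoes" }

if ($hits.Count -eq 0) {
    "No traces of $ExeName found in the checked locations."
} else {
    $hits
}
```

Post #20 reports that the files came back after deletion, so a clean result from this script right after removal means little on its own; run it again after a reboot, and if entries reappear, something that recreates them is still running and the machine needs a log posted in the malware forum rather than more manual deletion.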

#31 tekjnke

tekjnke

    Member

  • Full Member
  • Pip
  • 2 posts

Posted 04 February 2006 - 06:08 PM

Hey All - entertaining chat going on in here. I have a little computer support and service company and we fight this stuff all day long as well, and yes we don't use "their" uninstaller.

Edit: Nevermind the "what specific programs install this stuff" .. I just looked at notes from the previous week and got that answer. :)


-Tek
:techsupport:

Edited by tekjnke, 04 February 2006 - 06:23 PM.





Member of UNITE