Category Archives: Identification

For any given product, listings of autoplays and startupware entries.

Review of 3721(dot)com



Had a request to look at this site. Tried it, with my usual test box of totally clean, totally unpatched Win XP Home, no service packs, no antivirus, no nothing of any kind, just running a hardware firewall in the router.

The about.htm page asked me to install the Chinese Language Pack. Answered OK, it wanted the CD. I don’t get out of my chair that easily… clicked cancel. (Remember, I test like novices surf…) It took me back to the English about.htm page.

Found the how-to-use page, and let it install the Chinese keywords utility. The Install and Run warning was properly signed by VeriSign, but the message was mostly bad font blocks. (No Chinese font loaded, as above.) Next, had a pop-up box all in Chinese, with one button. Clicked that, it went away. Nothing else happened. Restarted IE, nothing.

Restarted Win XP Home, and IE. There are 5 new icons in the tool bar, all Yahoo-related. Some Chinese characters appear in the right-end of the address bar.

All this was added to the autoplays, as reported by HijackThis:

Running processes:
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\wpabaln.exe

R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.3721.com/srchasst.htm
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://seek.3721.com/srchcust.htm
O2 – BHO: IE – {D157330A-9EF3-49F8-9A67-4141AC41ADD4} – C:\WINDOWS\DOWNLO~1\CnsHook.dll
O4 – HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 – HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O8 – Extra context menu item: Quick Search (Yisou.com) – res://C:\WINDOWS\DOWNLO~1\CnsMinEx.dll/1003
O9 – Extra button: Short Message – {00000000-0000-0001-0001-596BAEDD1289} – http://sms.3721.com/ie/index.htm (file missing)
O9 – Extra button: Yahoo 1G mail – {507F9113-CD77-4866-BA92-0E86DA3D0B97} – http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 – Extra button: E bazar – {59BC54A2-56B3-44a0-93E5-432D58746E26} – http://cn.rd.yahoo.com/auct/promo/3721/200508/ielogo-wcfashion/*http://cn.promo.auctions.yahoo.com/200507/fashion/index.html?refcode=3721200508ielogo-wcfashion (file missing)
O9 – Extra button: 3721 Assistant – {5D73EE86-05F1-49ed-B850-E423120EC338} – http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 – Extra button: Instant Messenger – {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} – http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 – Extra button: (no name) – {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} – http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 – Extra ‘Tools’ menuitem: Repair Browser – {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} – http://assistant.3721(DOT)com/security1.htm?fb=Cns (file missing)
O9 – Extra button: (no name) – {FD00D911-7529-4084-9946-A29F1BDF4FE5} – http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 – Extra ‘Tools’ menuitem: Clean Internet access record – {FD00D911-7529-4084-9946-A29F1BDF4FE5} – http://assistant.3721(DOT)com/clean1.htm?fb=Cns (file missing)
O11 – Options group: [!CNS] Chinese keywords

UNINSTALL–There was an entry in the add/remove list for Chinese keywords. Ran it. The uninstall was perfect. That’s rare–it put the autoplays back exactly as they were.

Overall, the install is sloppy–note the (file missing) on some of the items above. The uninstall was good. Clearly not a drive-by download. I saw no extra popups at the site, before or after installing the plug-in, or after removing it.

While the site is on the SpybotSD list of sites that it adds to the restricted sites list in IE, my test, as of Sept 8, 2005, didn’t show anything more suspicious than an overly-invasive toolbar with a sloppy install.

I’d like anyone who can read Chinese to repeat the test–I could easily have missed installing an optional portion of the toolbar.


Crawler(dot)com toolbar

Downloaded and tested the Crawler.com search toolbar, which allows users to search multiple search engines at once.

Test run Aug 25th, 2005, clean Win XP Home, no patches, not activated, no drivers except automatically-installed items from the Windows installation. Items listed as detected by HijackThis.

Installing the Crawler toolbar added these items to the system settings:
Running processes:
C:\Program Files\Crawler\CToolbar.exe

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://portal.crawler.com/search/ie.aspx?tb_id=60002
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.crawler.com/?tbid=60002
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://portal.crawler.com/search/ie.aspx?tb_id=60002
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Crawler\ctbr.dll/sa
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://portal.crawler.com/search/ie.aspx?tb_id=60002
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Crawler\ctbr.dll/sa
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 – URLSearchHook: (no name) – {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} – C:\PROGRA~1\Crawler\ctbr.dll
O2 – BHO: (no name) – {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} – C:\PROGRA~1\Crawler\ctbr.dll
O3 – Toolbar: &Crawler Toolbar – {4B3803EA-5230-4DC3-A7FC-33638F3D3542} – C:\PROGRA~1\Crawler\ctbr.dll
O8 – Extra context menu item: Crawler Search – tbr:iemenu
O18 – Protocol: tbr – {4D25FB7A-8902-4291-960E-9ADA051CFBBF} – C:\PROGRA~1\Crawler\ctbr.dll

When Internet Explorer is NOT running, CToolbar continues to run, and it autoplays with the system.

Uninstall results–this item not removed–it’s the IE home page:
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.crawler.com/?tbid=60002

Overall: The main executable runs when it shouldn’t, for no stated purpose. Uninstall doesn’t restore home page but does restore all other settings. Search results from toolbar show pay-for-display ads first, clearly labeled, before showing true search results which may or may not be on the first page of results.

Summary: I wouldn’t automatically delete this one if the user finds it helpful–doesn’t appear to do anything disruptive. The publisher should fix the way it runs ctoolbar, so that it starts with IE, and doesn’t run all the time.
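
The install/uninstall comparison used in these reviews can be automated. The following is an added example, not part of the original post: it parses HijackThis entries from three snapshots and reports what the installer added and the uninstaller left behind. The function names `parse` and `leftovers` and the `ExampleTray` baseline entry are assumptions made for illustration; the Crawler lines come from the log above.

```python
import re

# A HijackThis entry is "<code> - <details>", e.g. "O2 - BHO: ...".
# Web copies often turn the hyphen into an en dash, so accept both.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+[-\u2013]\s+(\S.*)$")

def parse(log_text):
    """Map a normalised comparison key to (section_code, details)."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # headers, "Running processes:" paths, blank lines
        code, details = m.group(1), m.group(2)
        details = " ".join(details.replace("\u2013", "-").split())
        # Registry paths and file paths are case-insensitive on Windows.
        entries[(code, details.lower())] = (code, details)
    return entries

def leftovers(baseline, after_install, after_uninstall):
    """Entries the install added that survive the uninstall."""
    base, inst, unin = map(parse, (baseline, after_install, after_uninstall))
    added = inst.keys() - base.keys()
    return sorted(inst[k] for k in unin.keys() & added)

# Constructed snapshots. The Crawler lines are taken from the log above; the
# ExampleTray baseline entry is invented for illustration.
BASELINE = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Example\tray.exe
"""
AFTER_INSTALL = BASELINE + r"""
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.crawler.com/?tbid=60002
O2 – BHO: (no name) – {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} – C:\PROGRA~1\Crawler\ctbr.dll
O3 – Toolbar: &Crawler Toolbar – {4B3803EA-5230-4DC3-A7FC-33638F3D3542} – C:\PROGRA~1\Crawler\ctbr.dll
O18 – Protocol: tbr – {4D25FB7A-8902-4291-960E-9ADA051CFBBF} – C:\PROGRA~1\Crawler\ctbr.dll
"""
AFTER_UNINSTALL = BASELINE + r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.crawler.com/?tbid=60002
"""

if __name__ == "__main__":
    for code, details in leftovers(BASELINE, AFTER_INSTALL, AFTER_UNINSTALL):
        print(f"left behind: {code} - {details}")
```

Entries already present in the baseline are excluded, so only changes attributable to the installer are reported.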

Yahoo Messenger 6.0.0.1922

Product Review–Yahoo Messenger

Test run July 20, 2005, default settings on clean install of Windows XP Home, OEM edition. Unpatched, no service packs, antivirus, or blocking software. Hardware firewall was the only security in place.

Version tested: Listed in ‘About’ box as “Yahoo! Messenger 6.0.0.1922 and MyYahoo Module 6.0.0.600, (C)1997-2004.”

Summary: Not evil, and not adware. Not harmless, either–it’s a massive set of changes to the system. Uninstallation is massively incomplete. Utility and value are dubious.

Recommendation, Business systems: Unwarrantied product with invasive settings. Prohibit all installations. Should be removed without option as part of all standard maintenance on corporate PCs.

Recommendation, Personal systems: Advise removal–there are too many autoplays and performance hits. Yahoo mail customers are vastly better off getting their emails from the ‘MyYahoo’ service, which requires no software installation. Could be left behind on non-networked systems with only one educated user, if adequate system speed is available to counter the slowdown caused by the software.

LICENSE
=======

The license agreement was the usual bizarre set of disclaimers, not as bad as most, not as fair as it could be. There was one term that was interesting–note the absolute lack of notice when they decide to convert the service into anything else. There are no limits, and no notice, and no recourse.

“13. MODIFICATIONS TO SERVICE
Yahoo! reserves the right at any time and from time to time to modify or discontinue, temporarily or permanently, the Service (or any part thereof), with or without notice. You agree that Yahoo! shall not be liable to you or to any third party for any modification, suspension or discontinuance of the Service.”

INSTALLATION
============

The installation ran smoothly. It’s the type that does the download during the install (5.37 Mb), but does calculate and display the time needed. For the test, I chose the defaults for everything. The ‘Anti-Spy’ button on the toolbar, on first press, offers to download and install, and has its own license agreement. There is a default checkbox on the Anti-Spy product that changes Yahoo! to the default search engine.

Misleading: One program install results in three entries under Add/Remove programs, for Yahoo! extras, Yahoo! Messenger, and Yahoo! Toolbar. The ‘Yahoo! Anti-Spy’ product has its own Add/Remove entry, matching the install.

Added to running files:
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe

System settings changes, according to HijackThis:
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com

R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com

R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html

R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com

R1 – HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

O2 – BHO: Yahoo! Companion BHO – {02478D38-C3F9-4efb-9B51-7695ECA05670} – C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_5_7_0.dll

O3 – Toolbar: &Yahoo! Companion – {EF99BD32-C1FB-11D2-892F-0090271D4F88} – C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_5_7_0.dll

O4 – HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O8 – Extra context menu item: &Yahoo! Search – file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 – Extra context menu item: Yahoo! &Dictionary – file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 – Extra context menu item: Yahoo! &Maps – file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O9 – Extra button: Messenger – {4528BBE0-4E08-11D5-AD55-00010333D0AD} – C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 – Extra ‘Tools’ menuitem: Yahoo! Messenger – {4528BBE0-4E08-11D5-AD55-00010333D0AD} – C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

UNINSTALL
=========

All FOUR uninstall programs completed without failures or warnings.

These three settings were left behind:

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html

R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html

R1 – HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com

Yahoo shortcuts were left behind, in Favorites and in Links.
In the read-only folder “C:\Program Files\Yahoo!” 221 files and 20 folders were left behind, total 12.4 Mb.

In the read-only folder “C:\Program Files\Internet Explorer\SIGNUP\Yahoo” 8 files were left behind, total 168 Kb.

REINSTALL TEST
==============
On a second installation after removal, the Yahoo Messenger install program advised me that it was already installed–was I sure that I wanted to install it anyway? My interpretation–even Yahoo’s software detects that their uninstall is incomplete.

POST-MORTEM
===========

Interesting follow-up, post-test: Yahoo sent an email message to confirm that I had activated the toolbar, and mention their use of email bugs (which they call ‘web beacons’) to confirm that I had read it. The email did NOT include any removal instructions for either the email message or the toolbar itself.

From their privacy information, linked in the email: “Web pages may contain an electronic file called a web beacon, that allows a web site to count users who have visited that page or to access certain cookies.”

The email claims that the toolbar provides these benefits, among others (not tested):
“Protect your PC with powerful anti-spy technology…”
“…Eliminate annoying pop-up ads with Pop-Up Blocker.”

From the email itself: “You may have noticed a powerful tool from Yahoo! that resides on your browser. It’s called the Yahoo! Toolbar and it was voted CNET Editors’ Choice in November 2004.
So what’s that mean for you?
It means you have more control over your web browsing experience. And since the Yahoo! Toolbar is customizable, you get quick and easy access to all the things that interest you the most…”
“…This is a service email related to your use of the Yahoo! Toolbar. Please do not respond to this email. To learn more about Yahoo!’s use of personal information, including the use of web beacons in HTML-based email, please read our Privacy Policy. Yahoo! is located at 701 First Avenue, Sunnyvale, CA 94089.”