Had a request to look at this site. Tried it, with my usual test box of totally clean, totally unpatched Win XP Home, no service packs, no antivirus, no nothing of any kind, just running a hardware firewall in the router.
The about.htm page asked me to install the Chinese Language Pack. Answered OK, it wanted the CD. I don’t get out of my chair that easily… clicked cancel. (Remember, I test like novices surf…) It took me back to the English about.htm page.
Found the how-to-use page, and let it install the Chinese keywords utility. The Install and Run warning was properly signed by VeriSign, but the message was mostly bad font blocks. (No Chinese font loaded, as above.) Next, had a pop-up box all in Chinese, with one button. Clicked that, it went away. Nothing else happened. Restarted IE, nothing.
Restarted Win XP Home, and IE. There are 5 new icons in the toolbar, all Yahoo-related. Some Chinese characters appear at the right end of the address bar.
All this was added to the autoplays, as reported by HijackThis:
Running processes:
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\wpabaln.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.3721.com/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://seek.3721.com/srchcust.htm
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O8 - Extra context menu item: Quick Search (Yisou.com) - res://C:\WINDOWS\DOWNLO~1\CnsMinEx.dll/1003
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.rd.yahoo.com/auct/promo/3721/200508/ielogo-wcfashion/*http://cn.promo.auctions.yahoo.com/200507/fashion/index.html?refcode=3721200508ielogo-wcfashion (file missing)
O9 - Extra button: 3721 Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721(DOT)com/security1.htm?fb=Cns (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721(DOT)com/clean1.htm?fb=Cns (file missing)
O11 - Options group: [!CNS] Chinese keywords
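To make a log like the one above easier to reason about, and to check the "uninstall put everything back" claim mechanically, here is a small parser for HijackThis-style lines plus a before/after diff. This is an added example written for this page; it is not code from the post's author or from HijackThis. The "clean" baseline is an assumption (only the two running-process lines), and the "installed" log is constructed from an abridged subset of the entries quoted above.

```python
"""Parse HijackThis-style log lines and diff two logs (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# "O9 - Extra button: ...": a section code, " - ", then the entry body.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"(?:https?|res)://\S+")
HOST_RE = re.compile(r"^https?://([^/?#:]+)")
# Drive letter, backslash, then up to whitespace or the comma before a rundll32 entry point.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s,]+")

# Meaning of the section codes that appear in this log.
SECTIONS = {
    "R0": "IE start/search page registry value",
    "O2": "Browser Helper Object (loads into every IE process)",
    "O4": "Autostart from a Run key or Startup folder",
    "O8": "Extra IE context-menu item",
    "O9": "Extra IE toolbar button / Tools menu item",
    "O11": "Extra group in IE Advanced Options",
}


@dataclass(frozen=True)
class Entry:
    code: str
    body: str
    clsid: Optional[str]
    url: Optional[str]
    paths: tuple          # every Windows path on the line, in order
    file_missing: bool    # HijackThis could not find the referenced file

    @property
    def section(self) -> str:
        return SECTIONS.get(self.code, "unknown section")

    @property
    def host(self) -> Optional[str]:
        m = HOST_RE.match(self.url or "")
        return m.group(1).lower() if m else None


def parse_log(text: str) -> List[Entry]:
    """One Entry per 'Xn - ...' line; process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid, url = CLSID_RE.search(body), URL_RE.search(body)
        entries.append(Entry(
            code=m.group("code"), body=body,
            clsid=clsid.group(0).upper() if clsid else None,
            url=url.group(0) if url else None,
            paths=tuple(PATH_RE.findall(body)),
            file_missing=body.endswith("(file missing)"),
        ))
    return entries


def diff_logs(before: str, after: str) -> List[Entry]:
    """Entries present in `after` but not in `before` (keyed on code + body)."""
    seen = {(e.code, e.body) for e in parse_log(before)}
    return [e for e in parse_log(after) if (e.code, e.body) not in seen]


def remote_hosts(entries: List[Entry]) -> List[str]:
    """Sorted, de-duplicated hostnames the entries point IE at."""
    return sorted({e.host for e in entries if e.host})


# Assumed baseline: the clean test box before the toolbar install.
CLEAN_LOG = r"""Running processes:
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\wpabaln.exe
"""

# Constructed from (an abridged subset of) the entries quoted in the post.
INSTALLED_LOG = CLEAN_LOG + r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.3721.com/srchasst.htm
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O8 - Extra context menu item: Quick Search (Yisou.com) - res://C:\WINDOWS\DOWNLO~1\CnsMinEx.dll/1003
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O11 - Options group: [!CNS] Chinese keywords
"""

if __name__ == "__main__":
    added = diff_logs(CLEAN_LOG, INSTALLED_LOG)
    for e in added:
        what = e.clsid or e.host or (e.paths[-1] if e.paths else e.body)
        print(f"{e.code:<4}{e.section}: {what}{'  [file missing]' if e.file_missing else ''}")
    print("hosts:", ", ".join(remote_hosts(added)))
    # After a clean uninstall, the diff against the baseline should be empty.
    print("new entries after uninstall:", len(diff_logs(CLEAN_LOG, CLEAN_LOG)))
```

Running the script prints one line per entry the install added, with the CLSID, remote host or DLL path that identifies it, and flags the "(file missing)" buttons; the same diff run against a post-uninstall log is how you confirm nothing was left behind.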
UNINSTALL: There was an entry in the Add/Remove Programs list for Chinese keywords. Ran it. The uninstall was perfect. That's rare: it put the autoplays back exactly as they were.
Overall, the install is sloppy–note the (file missing) on some of the items above. The uninstall was good. Clearly not a drive-by download. I saw no extra popups at the site, before or after installing the plug-in, or after removing it.
While the site is on the SpybotSD list of sites that it adds to the restricted sites list in IE, my test, as of Sept 8, 2005, didn’t show anything more suspicious than an overly-invasive toolbar with a sloppy install.
I'd like anyone who can read Chinese to repeat the test. I could easily have missed installing an optional portion of the toolbar.