OR: Creating Avatars with Toolbars and Search Hooks

by Jerry Stern
Webmaster, Startupware.com

OK, I look like this now.

Well, maybe only kinda.

This project started out with a web ad. It told me that I could look like a character from the movie ‘Avatar.’ I’ve seen the ads before, clicked through to see what it was, and then shut down the page fast when I saw that there was a Flash plug-in and a membership form to agree to. This time, I said, well, let’s check it out. On my test machine, not the production box. With extreme caution.

OK, off to the XP test box. At the moment, it’s running XP Pro, Service Pack 3, fully-patched, and Microsoft Security Essentials Anti-Virus, and has no other security in place, no data, and no significant software other than patched versions of Adobe Flash and Sun Java.

The link from the ad was to mycartoon(dot)info, which immediately redirected to imakemoolah(dot)com, which then immediately redirected to home(dot)zwinky(dot)com. Note the past tense; as I write this, a week later, the link has changed, and the final step now goes to home(dot)mywebface(dot)com.

Neither of these sites contains the promised ‘Avatar’ look. The ad also implies that I can convert a photo. That’s not there, either. What was there is Zwinky, apparently an online ‘community’ using cartoon avatars. It invited me to create my Zwinky character. OK, so I did. There is a required sign-up for a membership in the online Zwinky site, and an email address is required (I used one of my temporary emails, and it has not been spammed, so far). Here’s what I found along the way, in case you find this on a computer during a cleanup.

First off, Internet Explorer 8 warned me of an Active X control installation. There is a basic warning that I’m installing the MyWebSearch toolbar. Note that the page is from Zwinky, but the download is from imgfarm(dot)com, while the source of the download is from their SmileyCentral project. It’s all very spread out over multiple sites.

Next, there is a clue that multiple products are included. The Internet Explorer Security Warning identifies the download as being from Fun Web Products, and includes “Zwinky, My Web Search, Search Assistant, and Easy…” The line is cut off; could go on for a ways yet.

Finally, my screen begins to show something that’s closer to what I clicked on:

And done:

OK, I UNCHECK both boxes, and click finish. The mywebsearch toolbar appears anyway, and I’m taken to the Zwinky page to create a character.

OK, now let’s look at what else is happening in the background.
I ran HijackThis, and checked the log; and it’s immediately apparent that this product is startupware–all these items are new:

R3 – URLSearchHook: (no name) – {00A6FAF6-072E-44cf-8957-5838F569A31D} – C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 – BHO: MyWebSearch Search Assistant BHO – {00A6FAF1-072E-44cf-8957-5838F569A31D} – C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 – BHO: mwsBar BHO – {07B18EA1-A523-4961-B6BB-170DE4475CCA} – C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 – Toolbar: My Web Search – {07B18EA9-A523-4961-B6BB-170DE4475CCA} – C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
-runkey
O4 – HKLM\..\Run: [My Web Search Bar Search Scope Monitor] “C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe” /m=2 /w /h
O4 – HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 – HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O8 – Extra context menu item: &Search – http://tbedits.mywebsearch.com/one-toolbaredits/menusearch.jhtml?s=100000338&p=ZJxdm3802MUS&si=40699&a=..bh6qJGzk7dFMyFxzxTDA&n=2010061710
O16 – DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} – http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
O23 – Service: My Web Search Service (MyWebSearchService) – MyWebSearch.com – C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe

In order, note the URL search hook in group R3, the two toolbars (group O2, Browser Helper Objects), and the installed service in group 23. Big product, by any measure.

Next, I took a look at the C: drive. Under Program Files, there’s 6Mb of files under ‘MyWebSearch’ and ‘0.6 Mb’ under ‘FunWebProducts’ that contains 4 folders and only 1 file. Over in Control Panel, there is one new entry, for “My Web Search (Zwinky)”, listed as 6.29 Mb. I’ll run that later.

Next, I go back into Internet Explorer. It opens to my usual home page of ‘about:blank’, so that’s OK–remember, I did decline the home page change earlier. I tried to turn off the toolbar, and here’s the result–I chose to disable :

OK, back to Control Panel. Ran the uninstaller. There’s one confirmation screen, and I chose to remove all features. A reboot is needed, OK. There’s a file left behind in c:\Program Files, so I delete ‘Uninstall Fun Web Products.dll’. A second pass through HijackThis shows one straggler autostart item–I removed it manually:

O16 – DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} – http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab

Now, as invasive as this product is, their online drawing program does work easily. In case my readers are tempted to go there, and create an avatar, like I did–be warned. The avatar can’t be saved or exported, it’s only usable on Zwinky, and you can create only one, so it’s pretty limited overall. The images I’ve created were done using creative and major browser zooming on the page, then screen captures, imports of the captures into Corel Draw! X4 for a bitmap-to-vector conversion, more tweaking and editing, isolation of the head for some versions, and so on. I invested 90 minutes, and someone with less familiarity with drawing software would not end up with a usable avatar.

So what is all this? It looks like a URL search grabber, with a major content delivery system of cute drawing programs that can’t save files. Zwinky.com does, at least, have a visible means of financial support in the ads on their site, but they also have a link on the footer to their affiliate program, where they claim no spyware (right, just a search hook), no adware, high industry payouts, and association with webfetti, CursorMania, and “in partnership with neverblue”.

Let’s make this clear–these items are misleading, invasive, and possibly not quite fraudulent (in the legal sense), but they are clearly not drive-by downloads, except in one sense: The names are all mismatched. I click on mycartoon(dot)info, and pass through imakemoolah, to zwinky, download from imgfarm, and end up with FunWebProducts and MyWebSearch. Many end users aren’t watching that closely.

As far as cleanups go, when I have an infected PC on my desk, the usual situation is that there is some malware that was of unknown origin (didn’t see any on these sites, as of June 2010), so I go looking, and I find there are 10 autostart entries for one web application that my customer doesn’t remember installing, plus a variety of other items of similar unknown origin, so they all come out. For me to leave them alone would require that the install did not include a search hook, a toolbar, or an installed Windows service, and this combination of mismatched web sites delivers all three, and there is no need for a web page to run 10 autoplays. Delete that.

And that’s a shame, too. If these programs ran without the toolbars and autostarts, with no associated search hook baggage, and could save images easily, they would be worth paying for. Oh, well.