allentech.net


Parasite: InternetOptimizer

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

Internet Optimizer is an error page hijacker.

Variants

InternetOptimizer/Iopti: unknown-server errors, page-missing errors, server errors and even password-required errors are redirected to Internet Optimizer’s controlling server at www.internet-optimizer.com.

InternetOptimizer/Nem: as Iopti, but searches are hijacked to yoogee.com (a search site run by the makers of InternetOptimizer).

InternetOptimizer/Wsem: a larger version of the software, whose purpose is unclear.

InternetOptimizer/Active: a reduced version that doesn’t do error page hijacking, used purely for the updater function.

InternetOptimizer/Crmrest: an ActiveX downloader control for InternetOptimizer. This poses as a comedy or porn video from the site movies-etc.com, and when allowed to install may forward a mail to all contacts in your Outlook address book, promoting movies-etc in your name.

Also known as

DyFuCA.

Distribution

May be installed by MoneyTree/DyFuCA, Roimoi, or the Crmrest downloader variant.

What it does

Advertising

Yes. The ‘DyFuCA Active Alert’ component can open pop-up ‘alerts’ when directed by its controlling server.

Privacy violation

Suspected. The EULA at Internet Optimizer’s web site states the software may send all your browsing information back to its controllers. At the time of writing, however, this has not been seen to happen with the current version of the software.

Security issues

Yes. Can download and execute arbitrary unsigned code from its controlling server, as an update feature.

Stability problems

Unknown; some unclear user reports of it causing crashes.

Removal

Check the Control Panel’s Add/Remove Programs feature for ‘Active Alert’ and ‘Internet Optimizer’. In older versions these may work if used together. Newer versions present only ‘Internet Optimizer’, which on its own has no effect.

After removal, ensure that the infection vector (MoneyTree/DyFuCA, Roimoi or Crmrest) is no longer loaded.

Manual removal

For the Crmrest installer variant, open the Downloaded Program Files folder (inside the Windows folder) and remove the ‘Media Manager’ entry.

For other variants, open the Windows folder. You should be able to see a file ‘ioptiXXX.dll’ (Iopti variant), ‘nemXXX.dll’ (Nem variant) or ‘wsemXXX.dll’ (Wsem variant). The XXX differs for different versions; common versions are ‘iopti130.dll’, ‘nem207.dll’ and ‘wsem210.dll’.

Open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the entries ‘DyFuCA’ and ‘DyFuCA Active Alerts’.

Now open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands (for the Iopti variant):

cd "%WinDir%\System"
regsvr32 /u ..\iopti130.dll

Or, for the Nem variant:

cd "%WinDir%\System"
regsvr32 /u ..\nem207.dll

Or, for the Wsem variant:

cd "%WinDir%\System"
regsvr32 /u ..\wsem210.dll

Restart the computer and you should be able to delete the DLL from the Windows folder, and the ‘DyFuCA’, ‘Internet Optimizer’ or ‘STWSI’ folder you may have inside Program Files. You can also delete the subkey ‘FCI’ in HKEY_LOCAL_MACHINE\Software and HKEY_CURRENT_USER\Software to clean up if you like.
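A post-removal check for the DLL, Run entry, folder and registry key names listed in the steps above. This is an added example, not part of the original record or of the detection script credited below. The function names and the inventory layout are assumptions made for illustration, and the Crmrest ‘Media Manager’ entry is not covered.

```python
import os
import re

# Indicators below are the names given in this page's manual removal steps.
DLL_RE = re.compile(r"^(iopti|nem|wsem)\d+\.dll$", re.IGNORECASE)
RUN_VALUES = {"dyfuca", "dyfuca active alerts"}
PROGRAM_DIRS = {"dyfuca", "internet optimizer", "stwsi"}
FCI_KEYS = {r"hklm\software\fci", r"hkcu\software\fci"}

def find_leftovers(inv):
    """Return sorted (category, name) pairs for artifacts still present in inv,
    a dict of name lists; matching is case-insensitive, as on Windows."""
    hits = [("dll", n) for n in inv.get("windows_files", []) if DLL_RE.match(n)]
    hits += [("run", n) for n in inv.get("run_values", []) if n.lower() in RUN_VALUES]
    hits += [("folder", n) for n in inv.get("program_dirs", []) if n.lower() in PROGRAM_DIRS]
    hits += [("key", n) for n in inv.get("reg_keys", []) if n.lower() in FCI_KEYS]
    return sorted(hits)

def collect_live():
    """Build the inventory from the running system (Windows only)."""
    import winreg  # imported here so find_leftovers() also works on offline listings
    inv = {"windows_files": os.listdir(os.environ["WinDir"]),
           "program_dirs": os.listdir(os.environ["ProgramFiles"]),
           "run_values": [], "reg_keys": []}
    run = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, run) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
            inv["run_values"].append(winreg.EnumValue(key, i)[0])
    for label, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            winreg.CloseKey(winreg.OpenKey(hive, r"Software\FCI"))
            inv["reg_keys"].append(label + r"\Software\FCI")
        except OSError:
            pass  # key absent: nothing left to clean up
    return inv

# Constructed sample of a partially cleaned machine (not real collected data).
SAMPLE = {
    "windows_files": ["notepad.exe", "nem207.dll", "nemesis.dll", "IOPTI130.DLL"],
    "run_values": ["SystemTray", "DyFuCA"],
    "program_dirs": ["Internet Explorer", "Internet Optimizer"],
    "reg_keys": [r"HKLM\Software\FCI"],
}

if __name__ == "__main__":
    inventory = collect_live() if os.name == "nt" else SAMPLE
    for category, name in find_leftovers(inventory):
        print(f"still present: {category:6} {name}")
```

On 64-bit Windows a 32-bit install would land under Program Files (x86) and the WOW6432Node registry view, which collect_live() does not inspect.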

Links

Avenue Media wrote and control InternetOptimizer.

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
