Posts: 21225
Joined: Mon Jan 05, 2009 4:02 am

re: classified as "rogue"

Post by c۞g » Sun Mar 21, 2010 11:38 am

It can not be classified as "rogue" because there is no unsolicited intrusion/penetration into the system
Sure there is, you just never downloaded the installation and checked.

First, the download file: STOPzilla_Setup.exe (~385kb) is an installer.
The 14.52MB (real) file is downloaded via the installer, you can not install StopZilla off line, you must have internet access for the basic installation.

During the install, chose "Custom - for advanced user" you are presented with 2 prechecked options for "homepage protection" and for "StopZilla Safety Network"

Deselect those options and continue with installation.


In your startups you'll see: sziebho.dll re: [url= t=_self][/url]
This is an internet Explorer browser helper object, designed to stop websites from changing your homepage settings, and to eliminate popups.

This option was deselected during install, and it's a persistent little devil; causes WinPatrol to popup often asking to confirm addition to startups; naturally I said "no"
It's not a malicious file, winpatrol has a page for it:

I don't use IE for one...
IE has a built-in popup blocker since IE7 - IE6 is officially dead

So what do you call adding startup service for BHO's assigned to a browser you do not use when you deselected it's functionality during the install process?
I call that [url= t=_self]rogue[/url]

Now, this is not freeware and I have no problems with paid for AV software...
But my problem with this is that you downlaod a 385kb installer file, which downloads a 14 1/2 MB setup file, that installs system processes you elected not to use, then after reboot, you run a system scan and then you are informed of "problems" that do not exist on your machine, and you can only "see" them - you need to pay to unlock, to remove what is not there. That is called [url= t=_self]scareware[/url] BTW.

Sorry I did not take screen captures of every event, I didn't feel it was worth my time.

One other little thing: tpsvc.dll - [url= t=_self]bleeping startup[/url] - [url= t=_self]bleeping HJT[/url]
O20 Section


This section corresponds to files being loaded through the AppInit_DLLs Registry value and the Winlogon Notify Subkeys

The AppInit_DLLs registry value contains a list of dlls that will be loaded when user32.dll is loaded. As most Windows executables use the user32.dll, that means that any DLL that is listed in the AppInit_DLLs registry key will be loaded also. This makes it very difficult to remove the DLL as it will be loaded within multiple processes, some of which can not be stopped without causing system instability. The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that the files loaded in the AppInit_DLLs value will be loaded very early in the Windows startup routine allowing the DLL to hide itself or protect itself before we have access to the system.

This method is known to be used by a CoolWebSearch variant and can only be seen in Regedit by right-clicking on the value, and selecting Modify binary data. Registrar Lite, on the other hand, has an easier time seeing this DLL.

Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Steven Avery
Posts: 153
Joined: Thu Apr 09, 2009 8:43 am

stopzilla - usual motley crew of scamware, shamware & scareware

Post by Steven Avery » Sun Mar 21, 2010 11:53 pm

Hi Folks,

Thanks for the rogue documentation g7w.

The programs that are not what they seem are really a problem, be it Regcure, StopZilla or the Uniblue registry and speedup or 100 others. And think of those TV and radio ads too for other bogus "speed up" stuff. Some are worse than others, all are bad news, the semi-legit ones are in a sense MORE of a problem, because of all their efforts to manipulate forums, surveys, awards ... and journalists. They require more due diligence, such as WOT-awareness.

As for StopZilla, the Wilders Security folks are well aware of the worthlessness of the product as well.

STOPzilla as AV?

You can find a number of threads.

Steven Avery

Posts: 558
Joined: Tue Aug 18, 2009 12:06 am


Post by jpvip » Mon Mar 22, 2010 1:46 pm

Sure there is, you just never downloaded the installation and checked.

Umm, yes I did. I don't make foolish statements like that.

Just like the malware researchers at all the security companies, tested just like I did, and did not find anything wrong.

Security programs are known to hook the system, so it can protect the system. Many security programs do not even protect, some just detect and remove.

The research that you have done, is not enough information to present it as rogue.

Rogues commonly inject itself in to Windows processes, install malware on to the system, perform unsolicited popup advertisements and harsh warnings on the
system to enforce that the program needs to be purchased.

STOPzilla posts one advertisement to buy the higher version. There is no penetration in the System, the program only hooks certain Windows areas, just like other anti-spyware programs do.

I did not say I was a fan, but I am neutral about it.


:::Actual analysis::: 3-19-2010

>-Install process begins... all options checked and ready to go.
---C:\12057665.exe unique file connects to download STOPzilla and install it automatically.---

!-Kaspersky Internet Security 9: All protection enabled. Checking all files, !! PROMPT !!: "STOPzilla Setup (iS3, Inc.) wants to connect to the Internet"!

-Action: ALLOW! - STOPzilla has now begun installing. !!! BEGIN CHECK !!!
-> KNOWN PROCESSES BEGIN RUN: C:\12057665.exe (Reason: install), C:\Windows\System32\Services.exe (Reason: software configuration management), C:\Windows\System32\svchost.exe (Reason: DCOM), and C:\Windows\System32\svchost.exe (Reason: SVCHOST).

+++++++++++++BEGIN QUESTIONING ACTIONS++++++++++
-Downloads executable files? Verdict: NO! Files required for the program to run were downloaded.
-Downloads to System32 or Windows folders? Verdict: NO!
-Copies to Windows folder? Verdict: NO!
-Creates hidden executable files? Verdict: NO!
-Connects via WinSock? Verdict: YES!
-WinLogon Registry Key set creation? Verdict: NO!
-Creates or starts executable files? Verdict: YES! STOPzilla.exe began, and added a tray icon.
-Deletes files in the System? Verdict: NO!
-Kills security software? Verdict: NO!
-Hooks keyboard or mouse? Verdict: NO!
-Unauthorized change of home page? Verdict: NO!
-Creates mutex object? Verdict: YES!
-Sends data via DNS/IP? Verdict: NO!
-Deletes original sample? Verdict: NO!
-Kills processes? Verdict: NO!
-Injects code in to any file? Verdict: NO!
-Sends email? Verdict: NO!
-Alters Windows Firewall? Verdict: NO!
-Queries driver or service information? Verdict: NO!
-Attempts to autostart at Windows Boot? Verdict: NO!
-Opens or modifies the HOSTS file? Verdict: NO!
-Changes Internet Explorer or other browser proxy? Verdict: NO!
-BHO Installed? Verdict: YES! It is part of the program.
-More than 5 processes? Verdict: NO!
-Checks for debugger? Verdict: NO!
-Loaded or unloaded drivers? Verdict: NO!
-Windows API Calls? Verdict: NO!
-Infected? Verdict: NO!
-MD5 checked against all engines? Verdict: YES! Result: 1/48 ENGINE MCAFEE ARTEMIS
-SHA1 checked against all engines? Verdict: YES! Result: 1/48 ENGINE MCAFEE ARTEMIS


~DragonMaster Jay - Malware Analyst - admin of Advanced Malware Analysts.

The Technical Expert
Posts: 11
Joined: Thu Apr 22, 2010 2:37 pm

Stopzilla, a scareware and a crapware

Post by The Technical Expert » Thu Apr 22, 2010 2:37 pm

You see that Stopzilla says our comments are libelous. It asks to remove or comments, but don't listen!, because our comments are TRUE!
You can mail the Stopzilla team at .


Thanks but I feel it would

Post by Guest » Thu Apr 22, 2010 5:00 pm

Thanks but I feel it would only fall on deaf ears and subject me to legal threats etc. Will pass on any contact with them other than in this forum and thread. for views and news of the starte of digital security. Add your comments/.feedback on your existing security software to help others choose what's right for them and what isn't. Read up on the latest rogue software and threats too.

Posts: 126
Joined: Sun Feb 28, 2010 10:17 am


Post by Meat_Wagon » Thu Apr 22, 2010 10:52 pm

Tried it, & it IS bad news! 3 of my A/V progs pegged it as hi-threat malware during their 1st sweeps thru it & all the other places it plonks a file/dependency outside Prog-Files. Even the install file showed hot!
Managed to rid myself of it in XP safe mode and regedit.
Kill the Zilla!


Posts: 3291
Joined: Mon Nov 02, 2009 12:52 pm


Post by alphacentauri » Thu Apr 22, 2010 11:40 pm

It sounds like bad marketing has made a mediocre product come off as malicious. Our tech support people suggested installing the paid version on a machine at work that had a rootkit. The installed AV program, Avira, wouldn't update and didn't recognize any problem files when it scanned. Malwarebytes Antimalware refused to install at all. Stopzilla was suggested as a program that sometimes succeeded when other failed. In this case, since the problem was the malware was disabling other programs, Stopzilla's obscurity was a plus and it was successful. Did it remove all the malware? No. Once it ran a couple times and was coming up clean, we were able to update Avira, and it found several more files. Then Malwarebytes would finally install, and it found still more. There have been no annoyances since it's been installed, but we purchased the program in the first place rather than using a free trial. I wonder if people's opinions would be different if Stopzilla's marketing practices were different?

User avatar
Posts: 2136
Joined: Fri Mar 26, 2010 3:09 am

What analysis tool did you

Post by Nulander » Thu Apr 22, 2010 11:58 pm

What analysis tool did you use to obtain such results?
MF IT-UESC - Protecting your Digital Experience. Now.

User avatar
Posts: 2136
Joined: Fri Mar 26, 2010 3:09 am

In these case, try an

Post by Nulander » Fri Apr 23, 2010 12:01 am

In these case, try an Emergency Live-CD. It's better.
MF IT-UESC - Protecting your Digital Experience. Now.

Posts: 558
Joined: Tue Aug 18, 2009 12:06 am


Post by jpvip » Fri Apr 23, 2010 1:49 am

That is an analysis process, not a tool.

~DragonMaster Jay - Malware Analyst - admin of Advanced Malware Analysts.

Post Reply

Who is online

Users browsing this forum: Bing [Bot] and 3 guests