Description

Zyncos is a porn-related redirecter consists of an Internet Explorer Browser Helper Object and an executable file run at Windows startup.

At the time of writing its controlling server is no longer responding, so its exact intended behaviour is uncertain.

Also known as

ZyncosMark by Ad-Aware. Qwysh from its process's filename.

Distribution

Installed by ActiveX drive-by download from unknown sources; suspected to be disguised as a video viewer.

What it does

Advertising

Yes. Monitors web pages for predetermined (mostly porn-related) trigger words, and opens paid search results as from 66.28.33.20 (redirecting to pornfoto.com).

Privacy violation

Unknown.

Security issues

Yes. May silently download and execute arbitrary code from its controlling server cnctag.com, as an updating feature.

Stability problems

None known.

Removal

There is no built-in uninstaller. Ad-Aware updates from June 2003 can remove Zyncos.

Manual removal

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\zyncosspace\cmctl.dll"

Next, open the registry (click 'Start', choose 'Run' and enter 'regedit'), and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'ZyncosMark' entry on the right.

Restart the computer and you should be able to delete the entire 'zyncosspace' folder inside 'Program Files' on the C: drive (even if that's not where your normal Program Files folder is). You should also delete the entry 'ACCESS.AccessCtrl.1' in 'Downloaded Program Files' inside the Windows folder.