GrayScales - Scams, Viruses & More
Jim's Blatherings - Simple ramblings (maybe rants) from the Co-Founder of Quikonnex about Scams, Viruses, Internet Marketing, web techniques, tips & anything else that pops into his head.

Curiosity can be costly... Story of a Hijack

Monday, January 05, 2004
It all started this Saturday as I was trying to get my computer to read the DVD-RAM drive off my new digital camera. I was searching for a tool to help me decode the .vro files on the disk (the bundled software that came with the camera is not working right, but that's another story). I saw an article about ULead that said their software would read this file type, so off on a search for ULead. What I found was a website at http://cracks.st and I clicked on it --- bad mistake! For those of you who do not know, a "crack" is a term used to describe software code that will make copy protected software available for use freely (that means without registration or payment required). Sometimes it's a piece of code that unlocks the copy protected software and sometimes it's the software itself.

I knew what a crack was before I clicked on this dastardly link. And I knew that ULead software would not be found at this site (I found the right site). But being a computer weenie and always interested in what's going on elsewhere, my curiosity made me click on this site. I will tell you right up front that this website does contain code that will unlock software, but the penalty associated with going to this site would be disastrous for any novice. It caught me and it would catch you. So with one click began my descent into computer hell.....

I've talked about this before in some earlier posts to GrayScales: the drive-by installation of scumware software. If you're using MS Internet Explorer, you are vulnerable to this happening. All that is required is that you get linked to a website that has these malicious scripts installed. Sometimes they'll warn you and ask permission to install themselves, but most of the time the bad guys don't ask; they install themselves with no warning from Internet Explorer nor from Microsoft Windows. The infamous Gator (now known as Claria) is a good example of a program that uses this type of installation method. This is downright unacceptable behavior (I'm really inclined to use more colorful language here) in regards to Microsoft. This type of attack installs dangerous programs, makes changes to your computer's critical registry files, and can literally take over your computer, violate your privacy, and right out piss you off! (okay, a little colorful... but I AM). This should be considered a virus, but it's not. A well updated anti-virus program will not protect you from this type of attack.

The result of my encounter with this drive-by scumware attack was that I had a program called "FavoriteMan" installed. At least this is what I believe was the first one installed, mainly because it's categorized by my SpyBot program as code that will install other scumware after it has installed itself. What I got hit with (but not all of it) was Ezula (hijacks the keywords on your websites), SaveNow (popup adware galore), PurityScan (supposedly searches for adult content but really serves ads), PopNav (hijacks your browser homepage), MySearch (hijacks your search sidebar and installs a toolbar), eAnthology (supposedly a popup stopper, but results are worse than any popup), Bargain Buddy (another ad server), BackWeb Lite (software that auto-updates your computer, normally used by OEMs but can serve popups & ads), 2nd Thought (another homepage hijacker), DyFuCa (a dialer program that connects you to pornographic websites) and the worst yet, XXXToolbar Pornographic IE Toolbar (it will redirect homepage and searches to slotch.com) (http://www.xxxtoolbar.com). This thing installed 119 porno site links into my Favorites folder in Internet Explorer. There was much more that got installed on my computer and I won't go into all the details, but for almost the entire weekend my computer was out of commission. It seemed like every time I restarted it, these programs would get reinstalled.

It took a combination of tools and techniques to clear this junk out and I'm not 100% sure it's all gone (I'm really considering doing my annual reformat and reinstall now). I ran my Spybot program (http://www.safer-networking.org), Adaware (http://www.lavasoftusa.com) and bought SpyHunter (http://www.enigmasoftwaregroup.com/) for $29.99. Additionally, I manually searched my computer's registry file and my computer's hard drive and tried to ferret out all instances of this scum. I did discover another program that may help in preventing such attacks in the future. There's a registry file that blocks all known "bad" ActiveX controls from running inside Internet Explorer by setting the "Kill bit". http://www.spywareguide.com/blockfile.php shows several methods, but the RegBlock file looks like a good alternative for the non-technical folks. It allows you to select which programs you want to block from your system (for example, the Alexa ToolBar is considered to be spyware among some circles). RegBlock is currently priced at $19.95 and you can reach their order form at http://www.regnow.com/softsell/nph-softsell.cgi?item=4353-4&affiliate=20229 It's pretty simple to use: just download, install, run and select which programs you want to block. I bought it and installed it myself. I'm crossing my fingers that it will help against future attacks, but from a technical perspective it made sense to me.
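
The kill-bit mechanism mentioned above, as an added example that is not part of the original post and is not RegBlock's or SpywareGuide's code: a kill bit is the `0x400` bit of the `Compatibility Flags` value stored per control CLSID under Internet Explorer's `ActiveX Compatibility` registry key, and this sketch audits a `.reg` block file to report which CLSIDs actually end up blocked. The sample file and its CLSIDs are constructed placeholders.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE from instantiating the control
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility").lower()
SECTION_RE = re.compile(r"^\[(-?)(.+?)\\(\{[0-9A-Fa-f-]{36}\})\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{1,8})$', re.I)

def audit_block_file(reg_text):
    """Map each CLSID under ActiveX Compatibility to "blocked", "not blocked",
    "no flags" (key without the value) or "deleted" ([-key] removes the entry).
    """
    results, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            current = None  # a new section ends the previous one
            m = SECTION_RE.match(line)
            if m and m.group(2).lower() == COMPAT_KEY:
                current = m.group(3).upper()
                results[current] = "deleted" if m.group(1) else "no flags"
            continue
        m = FLAGS_RE.match(line)
        if m and current and results[current] != "deleted":
            flags = int(m.group(1), 16)
            results[current] = "blocked" if flags & KILL_BIT else "not blocked"
    return results

# Constructed sample; the CLSIDs are placeholders, not real controls.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{44444444-4444-4444-4444-444444444444}]

[HKEY_CURRENT_USER\Software\Example\{55555555-5555-5555-5555-555555555555}]
"Compatibility Flags"=dword:00000400
"""

if __name__ == "__main__":
    for clsid, status in audit_block_file(SAMPLE_REG).items():
        print(clsid, status)
```

Entries reported as anything other than "blocked" are the ones to question before trusting a block file: the key exists or is referenced, but the control is not actually disabled.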

This is not something I'd like to see others go through, but I expect we'll be hearing a lot about this kind of attack this year. Happy New Year...... Jim

Posted on 01/05/04 at 11:26:18 by Jim Gray
Category: Viruses and Hoaxes

Comments

Debbie wrote:

I have two hijackers in my computer, TST Toolbar and IST Bar. Can anyone help, please? I'm ready to throw the computer through the window.
Posted on 08/29/05 at 05:41:42

May wrote:

Help! I have the same problem as Michelle with the slotch crap. I went through and deleted the installed software and even the cookies, but it still pops up when I go online, and I can hardly use IE. What can I do?? I have McAfee, is that enough?? I'm so fed up, I'm practically ready to reformat my whole computer. Would that even do it??
Posted on 10/14/04 at 22:54:30

sarah saunders wrote:

Hello, every time I try to read my e-mails it comes up as a spyware box and then it comes up with a search engine. I cannot read my e-mails or do varied other things!
I can't get rid of it either because it comes up in American dollars... please help
Posted on 09/28/04 at 03:18:42

Michelle wrote:

I have the slotch virus where I was hijacked and now I lost my homepage. I have tons of casino ads and such popping up all the time now. I love to download mp3s so I need some help. Not only do I have IE, I also have the regular version of kazaa. I want to get kazaalite and I've searched for it numerous times for even up to an hour at a time but all the versions I find I have to pay for! I know that this program is free out there somewhere. Does anyone know if spybot search and destroy will kill my problems or only make them worse? I've read so many articles about people trying to rid themselves of the slotch crap and all they end up doing is making their computer really screwed up if not unusable. Please help, I want this crap out!!!!!
Posted on 08/02/04 at 08:53:31

Diana wrote:

Stay away from any freebies from the Internet unless you are absolutely sure what you are getting. If you want a good product check out http://www.pestpatrol.com. PestPatrol, combined with AdAware cleans out just about every pest out there. Be warned though, these new malicious codes coming out are learning how to trash programs that are trying to protect you. There is this new blasted hijacker that takes you to about:blank. It's a page loaded with ads and have fun removing it. There are other about:blank's out there but this one is different. It creates a ton of backups and codes into your computer and even when you think you got your browser back, tadaa, back to the page it goes. Reformatting seems to be the cure. Just back up your most important data and forget the rest. If it gets in your system again you have to start from scratch. Microsoft finally came out with a small patch to handle this mess but it's not the cure. So beware of this CoolWebSearch hijacker. Stay away and just be careful. Sheesh you can't even surf the net anymore without getting trashed.
Posted on 07/04/04 at 13:19:04

Phyllis Peterson wrote:

I want to know what is spyhunter. I had a virus on my computer, and I shut it down for two days, and I turned it on and spyhunter came on, and told me to click scan, and my computer started to work better than it had for a long time.
I want to know if I did something wrong, or not.
Posted on 05/09/04 at 18:57:46

Wahyu Wijanarko wrote:

I'm Using Ad-Aware 6.0
Posted on 03/31/04 at 06:37:41

Erik ineXplicable wrote:

http://www.lavasoft.de

get this program! Ad-Aware 6.0.

Keeps all the shit off your computer... I had the Claria "virus" and when I removed it, well, Outlook Express won't start up again... :(
Posted on 03/29/04 at 00:58:23

chirag pathak wrote:

I am fed up with pornographic programs installed on my PC and want to get rid of them. Give me your suggestions.
Posted on 02/24/04 at 00:37:55

Betty wrote:

I have POPNAV taking over my emails. I cannot read them without this search engine showing up instead. I'm with MSN and they are at a loss as to what to do. Any suggestions?
Posted on 02/23/04 at 23:10:27

Charly wrote:

Having 2 young adults and 1 teenager still at home, we have had our share of drive-by downloads. My oldest had recently been hijacked and sent to some very BAD sites. Warnings came up that verizon was monitoring him, but a link was attached to download a history killer. Seems to me they hijack you and then blackmail you at the same time. Somebody should go after these people.
Posted on 02/16/04 at 11:14:59

Dean wrote:

Yeah, we get tons of problems with this on secretaries' machines. They download tons of crap. Now the CoolWWWsearch can kill spyware cleaning apps. This is one battle that is just beginning to heat up.
Posted on 02/06/04 at 11:55:49

hackhound wrote:

I have to agree. Anyone who still uses IE is knowingly asking for trouble. That browser has more security holes than a slab of swiss cheese, and MS is NOT doing anything about it. Run, Forest, run!
Posted on 02/04/04 at 10:28:24

alex wrote:

http://www.w3.org/TR/html4/
...this might work.
Posted on 02/01/04 at 11:22:16

alex wrote:

Hello there! Popnav...what is it? Is this a virus? I was curious, so when I got this on my browser I searched the view source and found this link --http://www.w3.org/TR/html4/... I followed that link and found info about the company and the people who work there, email addy included. I wonder if these are the makers of this popnav hijacker? What do you guys think?
Posted on 02/01/04 at 11:20:24

tsparks wrote:

Thanks Jim! I also went to this site, but did not stay nor click on anything. That could be why I was not infected with anything...or it could be because I NEVER use IE (unless a gun is to my head). Mozilla Firebird ignores ActiveX or VBA scripts. I searched my HD and registry for some of the things you listed and found none.

Everyone would be well advised to STOP using IE (unless they follow all rules at
http://www.staff.uiuc.edu/~...)
and start using either Firebird or Opera. The sooner that everyone switches away from IE, the sooner this albatross will be out of our internet life.
Posted on 01/10/04 at 15:19:28

Jimm wrote:

Thanx Jim for the heads up. Sorry to hear you got hit by system hijackers and it looks as though there is no such thing anymore as a peaceful drive in the cyber countryside. I will have to add these programs to my protection and repair arsenal.
Posted on 01/05/04 at 14:19:00
