The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Click here to subscribe. Please read our Terms of Use for quoting guidelines. This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/jan13,2005.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
So you got a new PC for Christmas. Maybe it is the first PC you have ever owned and someone was kind enough to send you here to read this. If you are just now experiencing the internet for the first time, I have some bad news for you. This is a very bad neighborhood. Many of the houses are boarded up. There is trash in the street. People will jump in your face and try to sell you things you don't want. And there are people waiting for you to walk down the wrong alleyway so they can mug you. Welcome to the World Wide Web.
If this is your first time on the web, I guarantee you, you are going to be mugged sooner or later. If you have been here before but are now using a shiny new PC, chances are better than average you will be mugged too. That is, unless you follow the advice that I am about to give.
More so than ever before, a computer connecting to the internet today is in danger of becoming infected by everything from viruses to trojans to adware and spyware. These days, you really don't have to do much to become infected. You don't have to open an email attachment. You don't have to be tricked into downloading and running a strange file. These days, all you really have to do is connect to the internet and surf around a little. Chances are good that you will be infected by something by the end of the day.
To help you keep your new PC clean, this newsletter will be a republication of my two most popular articles, the Browser Hijacker articles. Follow the advice in these articles and you will be far less likely to become infected by the parasites flooding the internet today. The first article will help you protect your PC from becoming infected in the first place. The second article, how to clean up a hijacker-infected PC, is a little out of date. Still, it will point you in the right direction if you do become hijacked.
If you know someone who has received their first computer for Christmas and is brand new to the internet, I strongly urge you to send them a link to this page. You will be doing them a big favor. http://www.spywareinfo.net/jan13,2005
X-Cleaner Spyware Remover is an award winning spyware detector that finds and removes commercial spyware programs. X-Cleaner also features a unique mobile active-x spy scanning utility so you can login through your member's center and use it from public terminals.
A new feature of the program even allows you to bypass hardware keyloggers which use no detectable software.
No installation required - simply download and use or you may install if you choose. X-Cleaner provides courteous support via e-mail for registered users. Software is delivered instantly via digital download and you can download new versions as often as you like the first year.
You can even put this on a floppy disk and carry it to work in an envelope or in your shirt pocket. Insert floppy, scan and zap the keylogger or delete your surfing traces.
X-Cleaner was recommended by Kim Komando in her article for MSN, Danger, danger: 5 tips for using a public PC.
Features
1) New expanded detection and removal database.
2) General Interface Improvement- Users can now resize the program window to fit into their screen any way they like, especially useful for the encyclopedia where they had to scroll right.
3) Bypass *hardware* keyloggers using onscreen keyboard for input- This is under the Expert tab for Deluxe Users only and makes use of the built-in based keyboard in Windows so that users can key in information without using physical keystrokes. This is very useful for sending sensitive material since hardware keyloggers (a growing threat X-Block is working on) evade anti-spyware which normally targets software loggers only. Given X-Cleaner's mobility in terms of file size, this is a useful little addition to have since you can go to an Internet Cafe- sweep for keyloggers (or use the full active-x scanner in the members area) and then use the software based keypad to evade hardware logging.
4) Direct link to online assistance integrated into software- as always X-Cleaner technicians are dedicated to providing prompt and professional e-mail support for even hard to remove cases of the spyware plague.
If you have any problems with the ordering page or with the coupon code (SPYQ-8SXC-XBLK), please email Catherine http://www.spywareinfo.com/email2.php.
By Mike Healan
March 23, 2004 (Updated Jan 12, 2005)
If you've ever been infected with a browser hijacker, you know what an infuriating situation it is. For all intents and purposes, your $3,000 computer is converted into a source of revenue for some fly-by-night web site unable to generate legitimate web traffic. Once installed, it usually takes an expert to remove a browser hijacker effectively.
If you've gone through this before, you never, ever want it to happen again. So, how do you prevent being hijacked? This is surprisingly easy.
First and most simply, stop using Internet Explorer. If you use either Mozilla, Firefox or Opera, you are immune to virtually all browser hijackers.
You are safe for two reasons. First, most people use Internet Explorer, so most malicious code is custom built to exploit it. Second, Opera's and Mozilla's programmers take security very seriously and have made these browsers very secure. It is not possible to install software from a web site using these browsers without at least seeing a prompt of some sort asking permission. As long as the user exercises enough common sense not to approve a software installation that appears out of nowhere, there will be no problem.
Switching browsers is the easy answer. For some people, that is not an option for various reasons. Internet Explorer can be made reasonably safe without locking down every useful function, but it requires some third-party software.
The most important thing is to update your browser and operating system. Go to Windows Update and install the latest version of Internet Explorer, then go back and install any security patches that are available. Also install any service packs and patches for Windows itself. This one action will save you from the overwhelming majority of browser hijackers. If you have Windows XP, the most current version of Internet Explorer available to you is version 6 with XP Service Pack 2. I encourage you to install SP2 if you do not have it yet.
Although Microsoft makes plenty of noise about being concerned about security, clearly it is nothing but a marketing ploy. In typical, monopolistic disregard for people who have not bought their latest software, Microsoft refuses to provide the security updates available in the XP SP2 version of Internet Explorer to users of older versions of Windows. This is contemptible behavior. If you use a version of Windows other than XP, the most updated version of Internet Explorer you can install is version 6 with MSIE Service Pack 1.
After you've done that, replace Microsoft Java VM with Sun Java. You can download that from http://www.java.com/. There are several hijackers that exploit flaws in Microsoft Java VM. Sun's Java is more secure and more up to date. Make certain, in Java's options, that Sun Java JRE is set to work with Internet Explorer.
Open Internet Options from the Windows control panel and click the "Security" tab. Highlight the "Internet" icon and then click "Custom Level". Choose "Medium" from the drop-down box at the bottom, then click the "Reset" button. Click "ok", then click "Custom Level" again.
Set your options just as I have listed below:
.NET Framework-reliant components
ActiveX controls and plug-ins
Miscellaneous
Scripting
Next, you need to run a registry script called IE-SPYADS. This script will place an enormous number of web sites known to be abusive into Internet Explorer's "Restricted Zone". Any site in that list will be unable to run javascripts, java applets, set or read cookies or use ActiveX scripting. You still will be able to visit those sites but they will be very limited in what they can do.
Be aware that MSIE has many security flaws that will allow a clever site designer to bypass security settings, even if their site is in the restricted zone. More must still be done.
Now you need to install SpywareBlaster. ActiveX programs need to use a CLSID (identifier number) before Windows will execute them. SpywareBlaster stops certain ActiveX CLSIDs from working by setting a "kill bit" in the Windows registry. This will stop ActiveX drive-by installations from programs that use those numbers, as well as preventing software already installed from running if they use that CLSID.
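To verify that these two protections are actually in place, the following added example (not part of the original article, and not code from IE-SPYADS or SpywareBlaster) reads a registry export and lists the CLSIDs that carry the kill bit and the domains mapped to a given security zone. It relies on the standard Windows locations for both settings (the `ActiveX Compatibility` key with `Compatibility Flags` 0x400, and the `ZoneMap\Domains` key where zone 4 is Restricted and zone 2 is Trusted); the sample export, CLSIDs and domains are constructed placeholders.

```python
import re

# Constructed sample of a .reg export; the CLSIDs and domains are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000B2}]
"Compatibility Flags"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ads.example]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tracker.example\www]
"http"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unexpected.example]
"*"=dword:00000002
'''

KILL_BIT = 0x400  # bit in "Compatibility Flags" that stops IE from loading the control
ACTIVEX_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" + "\\"
ZONEMAP_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" + "\\"


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[-"):            # "[-key]" deletes a key; nothing to record
            current = None
        elif line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"(.*)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                current[m.group(1)] = int(m.group(2), 16)
    return keys


def killbitted_clsids(keys):
    """CLSIDs whose Compatibility Flags value has the kill bit set."""
    found = []
    for path, values in keys.items():
        if path.upper().startswith(ACTIVEX_KEY.upper()):
            if values.get("Compatibility Flags", 0) & KILL_BIT:
                found.append(path[len(ACTIVEX_KEY):])
    return sorted(found)


def domains_in_zone(keys, zone):
    """Host names mapped to a zone number (2 = Trusted, 4 = Restricted)."""
    hosts = set()
    for path, values in keys.items():
        if path.upper().startswith(ZONEMAP_KEY.upper()) and zone in values.values():
            # Keys are stored as Domains\<domain>\<subdomain>; rebuild the host name.
            parts = path[len(ZONEMAP_KEY):].split("\\")
            hosts.add(".".join(reversed(parts)))
    return sorted(hosts)
```

Calling `domains_in_zone(keys, 2)` on an export of your own machine is also a quick way to spot sites that were added to the Trusted zone without your knowledge.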
As a final safeguard, install a program called Browser Hijack Blaster. This program will watch for alterations to the home page, default page and search page as well as watching for Browser Helper Objects being installed. If it detects a change, it immediately will pop up a warning and ask if you wish to allow the change.
Be very careful about installing programs. By far the most common source of malware infection comes from third party bundles. Grokster, for instance, will install a dozen or more unwanted programs.
Finally, you also should disable the preview pane if you use Outlook or Outlook Express. Simply by highlighting an email while the preview pane is active, even to delete it, you could activate any scripting in that email. Visit TomCoyote's site for instructions on doing that.
Follow the steps above and it will be very unlikely that you ever will be hijacked again. Periodically scan your system with antispyware and antivirus software. I recommend Spybot S&D for antispyware and Nod32 for antivirus.
Author: Mike Healan
There is a despicable trend that is becoming more and more common wherein the browser settings of web surfers are being hijacked forcibly by malicious web sites and software which modifies your default start and search pages.
Sometimes internet shortcuts will be added to your favorites folder without asking you. The purpose of this is to force you to visit a web site of the hijacker's choice so that they artificially can inflate their web site's traffic for higher advertising revenues.
In some cases, these changes are reversible simply by going into internet options and switching them back. Not always, however. Sometimes it's necessary to edit the windows registry (gasp!) to undo the changes made. Sometimes there is even a combination of registry setting and files clandestinely placed on your hard drive that redo your settings every time you reboot the computer.
No matter how often you change your settings back, they are changed again the next time you restart. There have even been cases where internet options have been removed from the tools menu by registry hacking to prevent you from controlling your own computer!
Even AOL has become a browser hijacker by placing their web site free.aol.com in Internet Explorer's trusted sites security zone, thereby bypassing the most frequently used security settings. This occurs after installing AOL software: AOL Instant Messenger, Netscape 6.x and ICQ2001b reportedly have all done this. AOL then exploits this by downloading ActiveX components to your computer without your consent. The CWS trojan also does this.
This section has been superseded by a new article which focuses specifically on hijack prevention. That article is available at http://www.spywareinfo.com/articles/hijacked/prevent.php
Any of the products below will remove most hijackers completely, unless it is one which has just started spreading.
Spybot S&D [recommended]
Ad-aware
SpySweeper
X-Cleaner
If you have a hijack that is not fixed by any of these products, you may use these solutions below that I have gathered after helping to fix these same problems countless times through email and at the forums. Read on...
Please read the disclaimer below before doing anything described here. By following any of these instructions, you agree to be bound by the disclaimer. If you do not agree, do not follow these instructions. Also note that with Windows NT/2K/XP you likely will need to be logged in as an administrator for much of this. Go ahead and do that now.
The situation: Your browser now has a new start page and a new search page. Every time your browser loads a page that doesn't exist, you end up at some strange site, probably filled with popup ads.
You go to Tools > Internet Options to fix this, only to find that option grayed out. You open the control panel, only to find Internet Options missing from there too. You try to open regedit to start hacking away at the registry, but you are given the message that "your administrator has not given you that privilege".
Some scumbag webmaster has paid a scumbag script kiddie to truly mess up your browser settings and has made it next to impossible for you to change it back.
Notice that I said "next to impossible"...........
So, what do you do here?
Skip any step that deals with a problem that doesn't affect you.
Assuming that none of the spyware removal programs listed above helps you, the very first thing you need to do is download and run HijackThis. Put a check mark next to every search and start page setting it lists which you haven't put there yourself and choose fix. Do the same for any hosts file entries. If it lists anything as O5, O6, or O7*, fix those as well. Please ask for advice at the forums before using HijackThis to change anything else.
*Note: Spybot S&D, Start Page Guard, Settings Sentry, and similar programs may provide options to lock settings against unauthorized changes. If you have these options enabled, HijackThis will detect that as a restrictions hijack. Disable those options before scanning with HijackThis.
For Windows 2000 and XP, you will need to edit the registry to do this. Go to the start menu > RUN command > type REGEDIT and press enter. Navigate through the registry keys until you get to HKEY_CURRENT_USER\Control Panel\don't load\. Look and see if inetcpl.cpl is listed. If it is, delete the entry for it and log off.
See the list at the bottom of this page to identify other entries. Thanks to Corné de Leeuw for this information.
Run a search on your hard drive for any files ending with *.hta or *.js. If you find any, open them in notepad or some other text editor and look for the URLs that you have been hijacked to. Delete any file that contains those URLs. Also delete all *.tmp files on your drive; some of them contain malicious code (e.g. for browser hijacks or malware (re)installations). Besides, deleting *.tmp files doesn't hurt, unlike DLLs, which are also sometimes used for this purpose. (Thanks to cexx.org for the additional info in this step.)
HijackThis will list any BHO installed on your computer. Check the BHOs listed against the list of all known BHOs. If you find one listed as some sort of spyware/malware/hijackware, run HijackThis again and find that BHO in the list. Check its box and have HT fix it.
If you find a BHO that is not included in the list, please make a post in the Browser Hijackings section of our support forums with the HijackThis log pasted in along with an explanation of your problem. Please wait for replies before deleting this BHO, as it may be a new one which I can have added to various spyware/malware cleaning programs. It may also be an innocent file that is not causing your problem, so please wait for advice before deleting it.
Now you need to see if there is a startup entry for your hijacker file. The next time you reboot, the hijack might come right back. The reason for this would be an entry in the run section of the registry.
Look in HijackThis for O4 startup items. Check the entries listed against Pacman's List. For any item listed as a virus, malware, spyware, or something else that is undesirable, put a checkmark next to it and "fix" it.
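The triage order described in the steps above can be expressed as a small script. This is an added example, not part of the original article and not code from HijackThis: it sorts log entries into "fix" (start and search pages you did not set, hosts file entries, O5, O6, O7), "look up" (O2 BHOs and O4 startup items, to be checked against the lists) and "ask first" (everything else). It assumes the usual `code - detail` line layout with R-codes for start and search pages and O1 for hosts entries; the sample log, URLs, CLSID and file names are constructed placeholders.

```python
import re

# Constructed HijackThis-style log; URLs, CLSID and file names are placeholders.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hijacker.example/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hijacker.example/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.org/
O1 - Hosts: 203.0.113.7 www.example.com
O2 - BHO: (no name) - {00000000-0000-0000-0000-0000000000C3} - C:\WINDOWS\System32\example.dll
O4 - HKLM\..\Run: [updater] C:\WINDOWS\example.exe
O5 - control.ini: inetcpl.cpl=no
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {00000000-0000-0000-0000-0000000000D4} (Example Control) - http://cdn.example/ctl.cab
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
FIX_CODES = {"O1", "O5", "O6", "O7"}   # hosts entries and restriction hijacks
LOOKUP_CODES = {"O2", "O4"}            # BHOs and startup items: check the lists first


def triage(log_text, my_pages=()):
    """Sort log entries into the buckets the article's procedure implies.

    my_pages: start/search URLs the user set deliberately; R entries pointing
    at them are kept rather than fixed.
    """
    result = {"fix": [], "keep": [], "look_up": [], "ask_first": []}
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue                    # header, blank line or process listing
        code, detail = m.groups()
        if code.startswith("R"):
            url = detail.rsplit(" = ", 1)[-1].strip()
            bucket = "keep" if url in my_pages else "fix"
        elif code in FIX_CODES:
            bucket = "fix"
        elif code in LOOKUP_CODES:
            bucket = "look_up"
        else:
            bucket = "ask_first"        # get advice at the forums before changing
        result[bucket].append((code, detail))
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, my_pages=("http://www.example.org/",))
    for bucket, entries in report.items():
        print(bucket, [code for code, _ in entries])
```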
Again, it will be absolutely necessary for you to close all open Internet Explorer windows before any of these changes will take effect. That includes this window. Some changes may even require a log off or even a reboot before they have any effect.
I hope this helps anyone who has become a victim of a browser hijack. If it does, great.
If the problem still remains after doing all of the above, you can visit our support forums and post the specifics of your problem there. I or someone else can troubleshoot the problem. Before posting, please make sure you have followed all of the instructions above.
http://www.cexx.org/hphijack.htm - Homepage Hijackers
http://www.pcworld.com/news/article/0,aid,63345,00.asp - Stealth ad explosion
http://www.pcworld.com/news/article/0,aid,101916,00.asp - Web Ad Explosion
http://www.pcworld.com/news/article/0,aid,84464,tk,dn021402X,00.asp - Invasion of the browser snatchers
http://www.spywareinfo.com/newsletter/archives/september-2002/09212002.html#xupiter - Xupiter
"SpywareInfo and/or the author" assumes no responsibility for errors or omissions in these materials.
THESE MATERIALS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
"SpywareInfo and/or the author" further does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. "SpywareInfo and/or the author" shall not be liable for any special, indirect, incidental, or consequential damages, including without limitation, lost revenues or lost profits, which may result from the use of these materials. The information on this server is subject to change without notice and does not represent a commitment on the part of "SpywareInfo and/or the author" in the future.
That said, if you do happen to find a problem with anything here, please contact me immediately. I'll do my best to correct the problem as soon as possible.
Thanks to Corné de Leeuw for this information.
access.cpl - Accessibility Applet
appwiz.cpl - Add/Remove Programs Applet
console.cpl - Console Applet
timedate.cpl - Date and Time Applet
desk.cpl - Display Applet
fax.cpl - Fax Applet
hdwwiz.cpl - Hardware Wizard Applet
irprops.cpl - Infrared Port Applet
intl.cpl - International and Regional Applet
inetcpl.cpl - Internet Settings Applet
joy.cpl - Joystick Applet
liccpa.cpl - Licensing Applet
main.cpl - Mouse and Keyboard Applet
mlcfg32.cpl - Mail Applet
mmsys.cpl - Sound and Multimedia Applet
modem.cpl - Modem and Phone Applet
ncpa.cpl - Network and connectivity Applet
netcpl.cpl - Network and Dial-up Connectivity Applet
nwc.cpl - Netware Client Applet
odbccp32.cpl - ODBC Applet
devapps.cpl - PC Card Applet
ports.cpl - Ports Applet
powercfg.cpl - Power Management Applet
sticpl.cpl - Scanner and Camera Applet
srvmgr.cpl - Server Manager Applet
sapi.cpl - Speech Properties Applet
sysdm.cpl - System Applet
telephon.cpl - Telephony Applet
tweakui.cpl - TweakUI Applet
nusrmgr.cpl - User Manager Applet
wspcpl32.cpl - WSP Client Applet
quicktime.cpl - QuickTime Applet
S32LUCP1.cpl - Norton Live Update Applet
cpqmgmt.cpl - Compaq Insight Agents Applet
wtcpl.cpl - Wild Tangent Auto Updater Applet
All materials on this web site are copyrighted © 2001 - 2008 by Mike Healan or their respective owners.
® All rights reserved.
Use of this site and its services are subject to our terms of use.