Welcome to Blaisdell's Little Corner of the Web


Updated 01/20/04

Spyware (Parasites), Hijacking and all of that jazz

I keep getting (the same five) porn icons on my desktop and in favorites in my Internet Explorer file. I keep deleting, they keep coming back. I have searched the registry etc. Nightmare! Any ideas - much appreciated!
~Iian

Sure Iian, I have one or two, but two is all I am allowed. Iian's problem is just one of many. The tips here may just help you solve your problem. Read on.

This is one of many different types of ploys used by pornies. In most of these cases the problem can be traced back to the Web3000 hacking community. Nine times out of ten it can be cleared up quite easily by running one of the many Spyware eradicators.

We are featuring some security freeware on our review page. Right now our favorite Spyware blocker and eradicator is Spybot Search & Destroy. Some of the features are more for the advanced user, but SS&D comes with a simple interface and will safely remove all known Spyware, Trojans, and Back Orifice parasites. The advanced option will also check for such things as registry settings that do not match criteria, as well as clear some URL and MRU lists. When using the advanced feature, be very careful what you tell SS&D to remove. SS&D is a powerful, free tool that no Internet junkie should be without. Learn more and where to download by clicking here.

Once downloaded and installed, be sure to update the product, also free, and then do a full system scan. You will also notice that there is a section called "immunize". It is strongly recommended that you apply this as it will block all known Spyware. Be sure to update your definitions on a regular basis to keep them current. A good rule of thumb is to check SS&D for updates whenever your virus scanner connects and updates.

What is Spyware? A technology that assists in gathering information about a person or organization without their knowledge. On the Internet, "Spyware is programming that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties." In some cases this gathering continues even after the programs have been removed from your system. As such, Spyware is cause for public concern about privacy on the Internet.

After you have cleared the Spyware from your system there are some pro-active things that you can do to help prevent this type of attack in the future.

 Recommended Minimal Security Settings

  1. Close all instances of Internet Explorer and Outlook Express
  2. In Control Panel | Internet Options | Click on the "Security" tab
  3. Highlight the "Internet" icon, click "Custom Level"
  4. Click on the "Content" tab, Click the "Publishers" button
  5. Click on the "Advanced" tab
  6. Click Apply
  7. Click Ok

Another useful tool, for the experienced user, is HijackThis. NOTE: HijackThis shows the items on your system which start with the system, as well as some items that run inside the browser. Not all of these items need to have a fix applied; in fact, most of them are legitimate programs and should not have the fix applied. You need to know what is on your computer, why it is there, and what seems to be something which is not supposed to be there. Never apply the fix in HijackThis without knowing exactly what you are doing.

That being said, go to: http://www.tomcoyote.org/hjt/
Download "Hijack This!" [freeware] or download direct [here]

    1. Unzip, double-click "HijackThis.exe" and press "Scan".
    2. When the scan is finished, the "Scan" button will change into a "Save Log" button.
    3. Click "Save Log" (generates "hijackthis.log"). The HijackThis Tutorial is a recommended read.
    4. Next, go to: http://www.spywareinfo.com/forums/
    5. Sign in, go to the "Spyware and Hijackware Removal" section.
    6. Press "New Topic", copy and paste hijackthis.log into your new message.

Visiting the SpywareInfo Forum, or one of the other recommended forums, to finish cleaning up your system is highly recommended, since neither Ad-Aware nor SpyBot can completely remove these pests any longer. This is mainly due to new daily threats and the randomly generated filenames used by these parasites! The folks on the forum are very good at keeping up with this stuff and are more than willing to assist you with proper removal if SS&D isn't able to complete the job for you.

The Registry Tweaks

NOTE: These tweaks can be done by hand in the system registry. If you do not know about the system registry or how to edit it, you can 1) learn more by going to Bo's Tweaky Clean Windows, or 2) simply copy the items below. (NOTE2: These registry edits are designed to be applied as a REG file. To make a REG file, simply copy the items below into any unformatted text editor [I recommend Notepad] and save the file with a .reg extension. Then all you need to do is double-click on the file and the registry edit is applied. Be sure to reboot the computer for the changes to take effect.)

The registry text below (shown in red on the original page) is what you copy into Notepad.


Name this file RepairPrefix.reg
What it does: Repairs the corrupted or altered (spyware) HTTP prefixes
Note: HijackThis can also repair the DefaultPrefix entry

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""


Save as FixTabs.reg

1) Restores the missing Tabs in IE (usually spyware related)
2) Unlocks the grayed-out Home Page section
3) Removes the Administrator message in Internet Options
Note: HijackThis can also repair the "Missing Tabs" restriction

REGEDIT4

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000000
"GeneralTab"=dword:00000000
"SecurityTab"=dword:00000000
"ContentTab"=dword:00000000
"ConnectionsTab"=dword:00000000
"PrivacyTab"=dword:00000000
"ProgramsTab"=dword:00000000
"AdvancedTab"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000000
"GeneralTab"=dword:00000000
"SecurityTab"=dword:00000000
"ContentTab"=dword:00000000
"ConnectionsTab"=dword:00000000
"PrivacyTab"=dword:00000000
"ProgramsTab"=dword:00000000
"AdvancedTab"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000000


Save as UnlockBrowserOptions.reg
Removes the Administrator message in Internet Options
SpyBot also has this option in the Immunize section

REGEDIT4

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000000


Save as EnableRegistryTools.reg
Unlocks the "Disable Regedit" entry, or use HijackThis
Note: Some malicious Spyware and even viruses use this to prevent you from opening up the System Registry Editor. This will unlock this administrative option.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000


Lately there has been a rash of incidents where either a web site or email spam has contained hidden JavaScript that changes your Home Page entry, then disables the user's ability to change it back. To prevent this from happening, be one step ahead of these characters: set your Home Page, then disable the ability to change it via a Registry restriction.

HKCU_Hide_HomePage.reg (Current User)
HKCU_Undo_HomePage.reg (Current User)
HKLM_Hide_HomePage.reg (Local Machine)
HKLM_Undo_HomePage.reg (Local Machine)

To use: right-click the file and select Merge (to view it, open it in Notepad).

Note: this restriction can apply in 2 locations, the Registry checks the HKLM location first, then the HKCU location. The HKLM takes precedence and applies to all users. The HKCU applies to just the "Current User".

HKCU_Hide_HomePage.reg

REGEDIT4

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"Homepage"=dword:00000001

HKCU_Undo_HomePage.reg

REGEDIT4

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000000

HKLM_Hide_HomePage.reg

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001

HKLM_Undo_HomePage.reg

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000000


See these Microsoft Knowledgebase Articles for more on troubleshooting MSIE problems.


THE NEWEST VARIANT(S) OF RAPIDBLASTER

This is from the RapidBlaster Killer site:

The most recent variants of RapidBlaster will "morph" themselves to evade detection. Periodically, RapidBlaster will download data from its controlling server that contains a new folder and filename. It will then copy itself to that folder, terminate the original process, delete the original file, and run the new file in the new location.

Since the folder and filenames that RapidBlaster uses are randomly sent from the server, and are not contained within the executable itself, it is very easy for the makers of RapidBlaster to simply update the list of folders/filenames that RapidBlaster uses. Thus, looking for the following folders/filenames should not be the only method of detection, and will not guarantee a RapidBlaster-free system.

NOTE from RapidBlaster site: If you find one of these files on your system it is highly recommended that you do not delete it until you can confirm that it is indeed RapidBlaster, and not a legitimate file. (The current variants of RapidBlaster are around 72 kb in size, but that could easily change.) We do not recommend that you try removing RapidBlaster manually - instead, try RapidBlaster Killer. Go to the site for more.


Click-Throughs: Banner Ads and the Scripts Related to Them
The HOSTS File: Use It!

You can use a HOSTS file to block ads, banners, cookies, web bugs, and even most hijackers. This is accomplished by blocking the server that supplies these little gems. Example: the entry "127.0.0.1 ad.doubleclick.net" blocks all files supplied by the DoubleClick server to the web page you are viewing. This also prevents the server from tracking your movements.

Now includes most major parasites, hijackers and unwanted Search Engines!

In many cases this can speed the loading of web pages by not having to wait for these ads, banners, hit counters, etc. to load. This also helps to protect your Privacy by blocking servers that track your viewing habits, known as "click-thru tracking".

As time has progressed the focus of this project has changed from blocking ads/banners to protecting the user from the many parasites that now exist on the Internet. It doesn't serve much purpose if you block the ad banner from displaying, but get hijacked by a parasite from an evil script contained on the web site. The object is to surf faster while preserving your privacy.

Creating a HOSTS Editor

To edit your HOSTS file you can create a custom Desktop\Quick Launch shortcut.
Note: the below locations are for the default paths, edit as needed.

Windows XP
Target: C:\WINDOWS\NOTEPAD.EXE C:\WINDOWS\SYSTEM32\DRIVERS\etc\HOSTS

Start In: C:\WINDOWS\SYSTEM32\DRIVERS\ETC

Windows ME/98
Target: "C:\Program Files\Accessories\WORDPAD.EXE" C:\WINDOWS\HOSTS

Start In: "C:\Program Files\Accessories"

Note: the quotes are required in both of the above entries.
TIP - copy and paste the above to avoid typing mistakes.

If you are using a HOSTS file now, check to see if there are any needed entries before you replace it with the new download. Several users have reported overwriting their entries for Norton's Email Protection.

127.0.0.1 pop3.norton.antivirus
127.0.0.1 pop3.spa.norton.antivirus

Editing the HOSTS file

* You must maintain the proper format or else the entry will be invalid.
* Entries are invalid if they contain "http:" or an ending "\" slash.
* In the event you need to rename the file, use the below batch file.
* Remember that the HOSTS file must be in capital letters. [more info]
* If you wish to disable an entry place a "#" in front of the line.

Note: HijackThis can detect invalid entries or a "redirection" [more info]

If you see an Action Cancelled message:

The Action Cancelled message is usually generated when entries in the users HOSTS file are preventing access from one or more servers designated in the web page. In most cases this occurs from 3rd party ad servers such as "doubleclick", where the "Action Cancelled" message replaces an [example] ad banner in the viewing page.

In other cases the message is displayed when a user clicks a link in a page that routes them thru a tracking service, or attempts to connect to a listed hijacker, parasite, etc. and this culprit is listed as an entry in the HOSTS file.

To determine if this is the case, right-click the Action Cancelled message and select: Properties. Look at the entire "path", (URL) you should see the listed entry. On some sites these entries will also cause the "red X" (missing image).

Pictures Are Not Displayed on Web Sites in Internet Explorer

Safely Rename the HOSTS file

If you cannot access a site and believe it may be due to an entry in the HOSTS file, check the URL first! It may be taking you somewhere you don't want to go. Yes, webmasters can fudge the URL displayed in the lower left corner of your browser. When you are not sure, right-click the link, select Copy Shortcut, and paste it into Notepad. You can use the HOSTS Editor to see if that server is listed. If it's listed, many times you'll see a "comment" next to the entry.

Example: if you see "#[Adware.StopPopupAdsNow]" copy the comment between the brackets and enter that term in Google and you'll see why it's listed.

You can use a simple batch file to rename the HOSTS file "on-the-fly". (98\ME\2K\XP)
Copy the lines below (shown in red on the original page) into Notepad and name the file RenHosts.bat. Double-clicking a batch (BAT) file runs it.

@echo off
cls
goto toggleRename
:toggleRename
    If Not %winbootdir%'==' Set HostsOff=%windir%\NOHOSTS
    If %OS%'==Windows_NT' Set HostsOff=%SystemRoot%\system32\drivers\etc\NOHOSTS
    If %HostsOff%'==' goto noIdeaOfOS

    If Not %winbootdir%'==' Set HostsOn=%windir%\HOSTS
    If %OS%'==Windows_NT' Set HostsOn=%SystemRoot%\system32\drivers\etc\HOSTS
    If %HostsOn%'==' goto noIdeaOfOS

    If Not Exist %HostsOff% goto deActivate
    goto Activate
goto end

:deActivate
    if not exist %HostsOn% goto noHostsFile
    ren %HostsOn% NOHOSTS
    echo.
    echo ------------------------------------------
    echo   HOSTS FILE BLOCKING IS NOW DE-ACTIVATED
    echo ------------------------------------------
    echo.
    echo Advertising will be visible; Parasite protection off!
    echo Renamed from HOSTS to NOHOSTS
    echo.
goto end

:Activate
    if not exist %HostsOff% goto noHostsFile
    ren %HostsOff% HOSTS
    echo.
    echo ------------------------------------------
    echo   HOSTS FILE BLOCKING IS NOW ACTIVATED
    echo ------------------------------------------
    echo.
    echo Advertising will be hidden; Parasite protection on!
    echo Renamed from NOHOSTS to HOSTS
    echo.
goto end

:noIdeaOfOS
    echo Sorry Unsupported OS.
goto end

:noHostsFile
    cls
    echo.
    echo ------------------------------------------
    echo   ERROR: NO HOSTS FILE FOUND!
    echo ------------------------------------------
    echo.
    echo Couldn't find "HOSTS" or "NOHOSTS" in the folder
    echo.
    echo Please check that the HOSTS file is in this folder
    echo thanks..
:end
    set HostsOff=
    set HostsOn=
    pause
    exit


* Place RenHosts.bat in your Windows folder
* Create a Desktop or Quick Launch shortcut to RenHosts.bat
* You can also place a shortcut in your Favorites if needed.
* Note: if IE is open when you toggle the HOSTS file, click Refresh (F5)

To use: click (the shortcut) once to rename HOSTS to NOHOSTS
Click again to rename NOHOSTS back to HOSTS

Lock the Host File:

There are many of these hijackers that add their own entries to your HOSTS file. This is commonly known as a redirect. To add a level of protection you might want to consider making your HOSTS file "read only". You can download a small batch file to accomplish this.

To prevent tampering with the HOSTS file (the HOSTS file is nothing more than a text file), you can use the following batch files for this purpose.

To use: place the appropriate files in your Windows folder, create a shortcut to each.

lockhost.bat

@echo off
cls
attrib +r +h +s %SystemRoot%\system32\drivers\etc\HOSTS
    echo.
    echo ------------------------------------------
    echo   HOSTS FILE IS NOW READ ONLY!
    echo ------------------------------------------
    echo.
    echo You must unlock the HOSTS file to edit it
    echo Run unlockhost.bat to reset the HOSTS file
    echo.
pause
exit

unlockhost.bat (XP\2K)

@echo off
cls
attrib -r -h -s %SystemRoot%\system32\drivers\etc\HOSTS
    echo.
    echo ------------------------------------------
    echo   HOSTS FILE IS NOW UNLOCKED!
    echo ------------------------------------------
    echo.
    echo You should lock the HOSTS file to prevent Hijacking
    echo Run lockhost.bat to reset the HOSTS file to read only
    echo.
pause
exit

LockHostsME.bat

@echo off
cls
attrib +r +h +s %windir%\HOSTS
    echo.
    echo ------------------------------------------
    echo   HOSTS FILE IS NOW READ ONLY!
    echo ------------------------------------------
    echo.
    echo You must unlock the HOSTS file to edit it
    echo Run UnlockHostME.bat to reset the HOSTS file
    echo.
pause
exit

UnlockHostME.bat

@echo off
cls
attrib -r -h -s %windir%\HOSTS
    echo.
    echo ------------------------------------------
    echo   HOSTS FILE IS NOW UNLOCKED!
    echo ------------------------------------------
    echo.
    echo You should lock the HOSTS file to prevent Hijacking
    echo Run LockHostsME.bat to reset the HOSTS file to read only
    echo.
pause
exit
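The rules under "Editing the HOSTS file" (valid format, no "http:", no trailing slash, "#" to disable a line) and the "redirect" entries described under "Lock the Host File" can both be checked mechanically. The script below is an added example, not part of the original page or of any tool it names: it classifies every line of a HOSTS file as a comment, a valid blocking entry, a "redirect" (a name pointed at an address other than loopback, which is what a hijacker's entry looks like but also what your own LAN entries look like, so review rather than delete), or an invalid entry with the reason. It also produces a SHA-256 fingerprint of the file, because the read-only/hidden/system attributes set by lockhost.bat only stop casual edits, and a recorded hash is what tells you the file was rewritten anyway. The sample HOSTS text is constructed for the example; the 203.0.113.9 address is a documentation range, not a real server.

```python
# Added example (not from the original page): check a Windows HOSTS file
# against the rules given on this page and flag "redirect" entries.
# The sample file is constructed. Run as: python hostscheck.py
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

BLOCKHOLE = {"127.0.0.1", "0.0.0.0"}   # addresses that "block" a server


@dataclass
class HostsEntry:
    lineno: int
    status: str                 # "comment", "ok", "redirect" or "invalid"
    address: Optional[str] = None
    hostname: Optional[str] = None
    comment: str = ""
    reason: str = ""


def classify_line(lineno: int, raw: str) -> Optional[HostsEntry]:
    """Classify one HOSTS line; returns None for blank lines."""
    stripped = raw.strip()
    if not stripped:
        return None
    if stripped.startswith("#"):            # a "#" in front disables the entry
        return HostsEntry(lineno, "comment", comment=stripped[1:].strip())
    body, _, comment = stripped.partition("#")
    comment = comment.strip()
    fields = body.split()
    if len(fields) < 2:
        return HostsEntry(lineno, "invalid", reason="needs an address and a host name")
    address, hostname = fields[0], fields[1]     # further names on the line are aliases
    # rules from the page: an entry must not contain "http:" or end with a slash
    if "http:" in body.lower() or hostname.endswith(("/", "\\")):
        return HostsEntry(lineno, "invalid", address, hostname, comment,
                          'contains "http:" or ends with a slash')
    try:
        ipaddress.ip_address(address)
    except ValueError:
        return HostsEntry(lineno, "invalid", address, hostname, comment,
                          f"{address!r} is not an IP address")
    if address in BLOCKHOLE:
        return HostsEntry(lineno, "ok", address, hostname, comment)
    # A name pointed at a real address is the "redirect" a hijacker plants; a LAN
    # machine you added yourself shows up here too, so review it, don't delete it.
    return HostsEntry(lineno, "redirect", address, hostname, comment,
                      f"{hostname} resolves to {address} instead of loopback")


def audit_hosts(text: str) -> List[HostsEntry]:
    """Classify every non-blank line of a HOSTS file, in file order."""
    entries = (classify_line(n, line) for n, line in enumerate(text.splitlines(), 1))
    return [e for e in entries if e is not None]


def fingerprint(text: str) -> str:
    """SHA-256 of the file text. Record it right after installing a known-good
    HOSTS file and compare later; a changed value means the file was rewritten,
    whatever attributes lockhost.bat had set on it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed sample: good blocking entries, a disabled entry, two invalid lines
# and one hijacker-style redirect.
SAMPLE_HOSTS = """# constructed sample HOSTS file for this example
127.0.0.1 localhost
127.0.0.1 ad.doubleclick.net #[DoubleClick]
127.0.0.1 pop3.norton.antivirus
#127.0.0.1 counter.example.net   entry disabled with a leading #
127.0.0.1 http://www.example.com/
203.0.113.9 www.search-portal.example #[constructed hijacker redirect]
not-an-ip www.example.org
"""

if __name__ == "__main__":
    for e in audit_hosts(SAMPLE_HOSTS):
        if e.status != "ok":
            print(f"line {e.lineno}: {e.status:8} {e.hostname or ''} {e.reason}")
    print("fingerprint:", fingerprint(SAMPLE_HOSTS))
```

To run it against the real file, read C:\WINDOWS\SYSTEM32\DRIVERS\etc\HOSTS (or C:\WINDOWS\HOSTS on ME/98, as listed under "Creating a HOSTS Editor") into a string and pass it to audit_hosts; any "redirect" line you did not add yourself is exactly the kind of entry the forum helpers mentioned above would ask about.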