A STORY ABOUT INTERNET EXPLORER HIJACKING

(Alternative Title:  "Nobody Likes A Cheat")

When you visit the URL http://snurl.com/1yer you will be taken to http://www.pornstarguru.com/page.php?x=329614&m=2

The site is a "game". You visit the page and the owner gets 'cash'; the more hits he (or she) gets, the higher the ranking of the owner, who is hoping to become a 'porn star guru' by getting to the top of the charts. Real kid stuff, but kid stuff with a nasty bite: the pornstarguru site above will try to hijack your home page, hijack your search engine and install SPYWARE that tries to 'phone home'. If you have an older version of IE, or your security settings are wrong, and you do not have a firewall installed, it will succeed.

The following table shows you what the pornstarguru site will try to download and install onto your computer.  It is all EASILY removed using AdAware, or you can remove the rubbish manually by deleting the registry keys and files listed below.   Just to be safe, empty your IE cache and delete any files in c:\windows\temp or equivalent.

If you are running ZoneAlarm (free from http://www.zonelabs.com/store/content/home.jsp) or any other firewall, Tinybar.exe doesn't get the chance to phone home. As for the search engine and home page hijackings, delete the registry keys and Internet Explorer will revert to its original defaults. In Internet Explorer, go to Tools, Internet Options, Security (Internet Zone) and ensure that the option to download "signed" ActiveX controls is set to PROMPT so that hijackware cannot install silently.

For lots more information about Internet Explorer hijackings and how to avoid them, go to "Prevent browser hijackings".

| Vendor | Type | Category | Object | Comment |
|---|---|---|---|---|
| Possible Browser Hijack attempt | RegData | Data Miner | HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main "Search Page" ("http://www.couldnotfind.com/search_page.html?&account_id=131067") | Possible browser hijack attempt |
| Possible Browser Hijack attempt | RegData | Data Miner | HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main "Search Bar" ("http://www.couldnotfind.com/search_page.html?&account_id=131067") | Possible browser hijack attempt |
| Possible Browser Hijack attempt | RegData | Data Miner | HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Search "SearchAssistant" ("http://www.couldnotfind.com/search_page.html?&account_id=131067") | Possible browser hijack attempt |
| Possible Browser Hijack attempt | RegData | Data Miner | HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main "Start Page" ("http://www.slotch.com/?&account_id=131067") | Possible browser hijack attempt |
| xxx-toolbar | Process | Malware | c:\windows\tinybar.exe | |
| xxx-toolbar | RegKey | Data Miner | HKEY_CLASSES_ROOT:CLSID\{018b7ec3-eeca-11d3-8e71-0000e82c6c0d}\ | |
| istbar | RegKey | Malware | HKEY_CLASSES_ROOT:ISTactivex.Installer\ | |
| istbar | RegKey | Malware | HKEY_CLASSES_ROOT:ISTactivex.Installer.1\ | |
| istbar | RegKey | Malware | HKEY_CURRENT_USER:Software\IST\ | |
| SearchbarCash | RegKey | Malware | HKEY_LOCAL_MACHINE:SOFTWARE\Microsoft\Code Store Database\Distribution Units\{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}\ | |
| istbar | RegKey | Malware | HKEY_CLASSES_ROOT:TYPELIB\{8C752C5E-3C10-4076-AF0A-FFC69FA20D1B}\c:\windows\downloaded program files\istactivex.dll | |
| istbar | File | Malware | c:\windows\downloaded program files\istactivex.dll | |
| istbar | RegKey | Malware | HKEY_LOCAL_MACHINE:Software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll\ | |
| istbar | RegValue | Malware | HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\windows\downloaded program files\istactivex.dll | |
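
A read-only way to check a machine for the entries in the table before deleting anything by hand. This PowerShell script is an added example, not part of the original page. The domains, keys and file paths are copied from the table (a subset of the keys); the output labels and the use of zone action 1001 (the registry value behind the "Download signed ActiveX controls" setting for the Internet zone) are choices made for this example.

```powershell
# Read-only audit for the artifacts listed in the table (added example).
# Nothing is modified or deleted; findings are written to the output stream.
$hijackDomains = 'couldnotfind.com', 'slotch.com'   # from the table

# Internet Explorer values the table shows being overwritten.
$ieValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';   Name = 'Search Page' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';   Name = 'Search Bar' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Search'; Name = 'SearchAssistant' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';   Name = 'Start Page' }
)
foreach ($v in $ieValues) {
    $item = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }            # value not set: IE uses its default
    $data = [string]$item.($v.Name)
    foreach ($d in $hijackDomains) {
        if ($data -like "*$d*") { "HIJACKED  $($v.Key) [$($v.Name)] = $data" }
    }
}

# Registry keys and files left behind by the toolbar installers.
$artifacts = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{018b7ec3-eeca-11d3-8e71-0000e82c6c0d}',
    'Registry::HKEY_CLASSES_ROOT\ISTactivex.Installer',
    'Registry::HKEY_CLASSES_ROOT\ISTactivex.Installer.1',
    'HKCU:\Software\IST',
    'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}',
    'C:\windows\tinybar.exe',
    'C:\windows\downloaded program files\istactivex.dll',
    'C:\windows\downloaded program files\istactivex.inf'
)
foreach ($p in $artifacts) {
    if (Test-Path -LiteralPath $p) { "PRESENT   $p" }
}

# Internet zone is zone 3; action 1001 is "Download signed ActiveX controls".
# 0 = Enable (silent install possible), 1 = Prompt, 3 = Disable.
$zone   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$signed = (Get-ItemProperty -LiteralPath $zone -Name '1001' -ErrorAction SilentlyContinue).'1001'
if ($signed -eq 0) {
    'WEAK      signed ActiveX download is set to Enable; set it to Prompt'
}
```

No output means none of the checked entries were found for the current user and the signed ActiveX setting is not on Enable.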

 

SOAP BOX EDITORIAL

The rules of the game say that 'spamming' an address to try and get more hits is prohibited.  The owner of the above pornstarguru address has been including the shortened URL as part of his signature... He may not be breaking the letter of the law, but he sure seems to be breaking the 'spirit' of the law by posting his page's address, disguised as a shortened URL, to newsgroups.  Specifically the anti-spam policy says:

"PornStarGuru.com prohibits its members from using spam and other forms of Internet abuse to gain character advantages. Spam is defined as including, but not limited to, the following:

Electronic mail messages addressed to a recipient with whom the initiator does not have an existing business or personal relationship or is not sent at the request of, or with the express consent of, the recipient;
Messages posted to Usenet and message boards that are off-topic (unrelated to the topic of discussion), cross-posted to unrelated newsgroups, or posted in excessive volume;
Solicitations posted to chat rooms, or to groups or individuals via Internet Relay Chat or "Instant Messaging" system (such as ICQ);
Certain off-line activities that, while not considered spam, are similar in nature, including distributing flyers or leaflets on private property or where prohibited by applicable rules, regulations, or laws.
PornStarGuru.com may undertake, at its sole discretion and with or without prior notice, the following enforcement actions...."

 

Copyright © 1999 - 2004, Sandra Hardmeier, No content may be reproduced without the express written permission of the author.
Reproduction, in any form, of information on this site is prohibited without express written permission.
Microsoft is in no way affiliated with, nor offers endorsement of, this site

 

Last updated Saturday, May 06, 2006