While X-Setup is the king of tweakers, that’s sometimes a little overkill when you just want to tidy up a few of your most cherished XP settings. A new interface is the most obvious change with the new TweakUI tool, giving you more of an Explorer sort of feel. The left pane shows expandable categories, with the right side displaying the contents of the selected item. Much more functionality has been added as well, making it a very worthwhile upgrade. Windows XP SP1 or Windows Server 2003 are required, so do bear that in mind.
The start and search settings are changed to an address in which the letters are converted into an unreadable mess of numbers and % symbols to hide the domain name from the user. It also makes it difficult to blacklist the domain. Internet Explorer is able to translate the symbols and load the hijacker’s web site.
An executable file named bootconf.exe is copied to the windowssystem32 folder and set to load at startup. Even if you fix the hijack, this file will reinstall it the next time it is loaded.
Finally, the malware lists the hijacker’s web site in Internet Explorer’s trusted security zone. Domains listed in the trusted security zone have no restrictions on what they can do. This allows that web site to have virtually unlimited access to the infected computer’s file system. We believe the source of the infections might be activex drive by installers located on pornographic web sites, or possibly trojan programs pretending to be illegal serial number generators. Unfortunately, this is just speculation for now.
As of July 8, both Spybot S&D and Ad-aware should repair this hijack. Please use one or the other before doing anything else in an attempt to fix this hijack. If neither program fixes the problems, here are the manual removal instructions:
Download Merijn’s HijackThis program, extract it to a folder of your choice, and run a scan with it.
Look for entries containing numbers and % symbols as in this example, and tick the box next to them:
R1 – HKCUSoftwareMicrosoftInternet Explorer,SearchURL= http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73
Look for any O1 Hosts entries similar to this example, and tick the boxes next to them:
O1 – Hosts: 1123694712 auto.search.msn.com
Look for these entries and tick the boxes next to them (the stylesheet entry may have a different file name):
O4 – HKLM..Run: [sysPnP] C:WINNTSystem32ootconf.exe
O19 – User stylesheet: C:WINNTsystem.css
Click the “Fixed Checked” button to remove these entries, then restart your computer. After Windows has loaded again, delete these files (the stylesheet entry may have a different file name):
Finally, go to Internet Options > Security, and select “Trusted Sites”. Press the “Sites” button. Delete any entries that you know you have not placed in there yourself, such as *.coolwebsearch.com, *.coolwwwsearch.com, and so on.
This article is located at http://www.spywareinfo.com/articles/cws/
Do you have a Paypal account? If so, then you need to be aware that, once again, someone is trying to steal your password.These scams are usually easy to spot because Paypal always logs you into your account using a secure page (https:// means secure). In this case, however, the con artist has registered a certificate for use on a secure connection. He has also disguised his web address to make it appear as if it led to Paypal’s web site.
Occasionally you may have come across a page on a web site that asks you to log in using a network password (example). You type in your user name and password and click OK to gain entry. There is a way to avoid having to enter your user name and password. You add your user name and password to the beginning of the internet address. http://my_name:[email protected]/passwd_protected/ is a good example of this.
The scammer’s email gives you a link to ki54ft.worldispnetwork.com/i.cgi, but it includes a user name and password for a password protected directory, and the user name happens to be www.paypal.com. This is the same cute trick used recently by a browser hijacker to fool people into thinking they were loading msn.com.At the web page linked in the email, there is a login form. If the victim fills in their password, they give this scammer their Paypal password, and his script combines that with their email address. After submitting the form, the cgi script redirects the user to the real Paypal login page. This is done in hopes that the victim doesn’t notice anything suspicious. The victim may not realize that anything is wrong until they get the email receipt of the scammer cleaning out their account.
Please, pass this warning along. Too many people fall victim to these scams, and this one is very convincing.
Those of you who want to try your hacking prowess, yet avoid legal entanglements, can try out this site. A lot harder than I thought it would be, but very interesting. The only caveat is that you aren’t allowed to share information about the levels. So if you figure it out, no spoilers.
While 59 percent know that Web sites collect information about them even if they don’t register, they don’t understand that data flows behind their screens invisibly connect seemingly unrelated bits about them. When presented with a common version of the way sites track, extract, and share information to make money from advertising, 85 percent of adults who go online at home said they would not accept it on even a valued site.