TweakUI PowerToy Update

March 8, 2008 – 2:23 PM

While X-Setup is the king of tweakers, that’s sometimes a little overkill when you just want to tidy up a few of your most cherished XP settings. A new interface is the most obvious change with the new TweakUI tool, giving you more of an Explorer sort of feel. The left pane shows expandable categories, with the right side displaying the contents of the selected item. Much more functionality has been added as well, making it a very worthwhile upgrade. Windows XP SP1 or Windows Server 2003 are required, so do bear that in mind.

Windows XP PowerToys

CWS Hijacker

March 8, 2008 – 2:22 PM

A new malware is being distributed that hijacks Internet Explorer start and search settings to one of several different web sites, including,,,, and All of these web sites appear to have an affiliate relationship with in which coolwebsearch pays them for for every visitor they refer. There could be other domains involved in the future. This hijack is similar to the hijack discovered last month. As with that older hijack, the CWS hijack sets Internet Explorer to use a custom style sheet containing javascript that opens a pop up window. In fact, we believe the malware involved with CWS is an updated version of the same malware involved with datanotary.

The start and search settings are changed to an address in which the letters are converted into an unreadable mess of numbers and % symbols to hide the domain name from the user. It also makes it difficult to blacklist the domain. Internet Explorer is able to translate the symbols and load the hijacker’s web site.

An executable file named bootconf.exe is copied to the windowssystem32 folder and set to load at startup. Even if you fix the hijack, this file will reinstall it the next time it is loaded.

Finally, the malware lists the hijacker’s web site in Internet Explorer’s trusted security zone. Domains listed in the trusted security zone have no restrictions on what they can do. This allows that web site to have virtually unlimited access to the infected computer’s file system. We believe the source of the infections might be activex drive by installers located on pornographic web sites, or possibly trojan programs pretending to be illegal serial number generators. Unfortunately, this is just speculation for now.

Removal Instructions

As of July 8, both Spybot S&D and Ad-aware should repair this hijack. Please use one or the other before doing anything else in an attempt to fix this hijack. If neither program fixes the problems, here are the manual removal instructions:

Download Merijn’s HijackThis program, extract it to a folder of your choice, and run a scan with it.

Look for entries containing numbers and % symbols as in this example, and tick the box next to them:
R1 – HKCUSoftwareMicrosoftInternet Explorer,SearchURL= http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73

Look for any O1 Hosts entries similar to this example, and tick the boxes next to them:
O1 – Hosts: 1123694712

Look for these entries and tick the boxes next to them (the stylesheet entry may have a different file name):
O4 – HKLM..Run: [sysPnP] C:WINNTSystem32ootconf.exe
O19 – User stylesheet: C:WINNTsystem.css

Click the “Fixed Checked” button to remove these entries, then restart your computer. After Windows has loaded again, delete these files (the stylesheet entry may have a different file name):

Finally, go to Internet Options > Security, and select “Trusted Sites”. Press the “Sites” button. Delete any entries that you know you have not placed in there yourself, such as *, *, and so on.

This article is located at

Paypal Scam Alert!

March 8, 2008 – 2:21 PM

Do you have a Paypal account? If so, then you need to be aware that, once again, someone is trying to steal your password.These scams are usually easy to spot because Paypal always logs you into your account using a secure page (https:// means secure). In this case, however, the con artist has registered a certificate for use on a secure connection. He has also disguised his web address to make it appear as if it led to Paypal’s web site.

Occasionally you may have come across a page on a web site that asks you to log in using a network password (example). You type in your user name and password and click OK to gain entry. There is a way to avoid having to enter your user name and password. You add your user name and password to the beginning of the internet address. http://my_name:[email protected]/passwd_protected/ is a good example of this.

The scammer’s email gives you a link to, but it includes a user name and password for a password protected directory, and the user name happens to be This is the same cute trick used recently by a browser hijacker to fool people into thinking they were loading the web page linked in the email, there is a login form. If the victim fills in their password, they give this scammer their Paypal password, and his script combines that with their email address. After submitting the form, the cgi script redirects the user to the real Paypal login page. This is done in hopes that the victim doesn’t notice anything suspicious. The victim may not realize that anything is wrong until they get the email receipt of the scammer cleaning out their account.

Please, pass this warning along. Too many people fall victim to these scams, and this one is very convincing.


Hack This Site

March 8, 2008 – 2:20 PM

Those of you who want to try your hacking prowess, yet avoid legal entanglements, can try out this site. A lot harder than I thought it would be, but very interesting. The only caveat is that you aren’t allowed to share information about the levels. So if you figure it out, no spoilers.

Click here to try…

Most Web Surfers Oblivious to Web Site Collection of Personal Data

March 8, 2008 – 2:20 PM

U.S. Internet users are often unsuspecting of what goes on behind the scenes of their favorite Web sites. According to data from the Annenberg Public Policy Center of the University of Pennsylvania, 57 percent of U.S. Internet users incorrectly believe that when a Web site has a privacy policy, it will not share their personal information with other sites or companies. This misconception, among others, underscores the lack of education Internet users have about data flows, what the study calls, “…the invisible, cutting edge techniques whereby online organizations extract, manipulate, append, profile and share information about people online are part and parcel of how Web sites operate.”

While 59 percent know that Web sites collect information about them even if they don’t register, they don’t understand that data flows behind their screens invisibly connect seemingly unrelated bits about them. When presented with a common version of the way sites track, extract, and share information to make money from advertising, 85 percent of adults who go online at home said they would not accept it on even a valued site.

Full story…