A browser hijacking experience
Friday, 23 September 2005
I would like to share my browser hijacking experience with you. As a web developer I still have to use Microsoft Internet Explorer from time to time to test web compatibility. On this particular day, I, like a million others, got compromised somewhere down the track while visiting legitimate sites of interest.
The hijacking did more than just change my homepage; it well and truly changed my life for the worse. Every time I opened Internet Explorer it would open up another window directed at sites for ringtones, pornography and generally annoying stuff. For two weeks I spent time on and off trying to identify and remove this spyware.
I tried all the usual programs, Norton Antivirus, Ad-Aware, Microsoft Antispyware, CCleaner and lots of others. All found various cookies and signatures and the system was reported as clean. The problem was that the symptoms did not go away and they just appeared every time when Internet Explorer was launched. I was back to square one. There was no hint in control panel, as the obvious intention was for this program to disguise itself.
Several more weeks went past until I decided to make this a priority. It was obvious to me that my browser was hijacked at some point in time but I was not sure what the root cause was. It was not until I installed HijackThis that I was able to effectively trace what the browser was doing.
The culprit was Lop.com.
Lop, which stands for Live Online Portal, is a browser hijacker that resets the start and search pages in IE. Its aliases include: C2; Lop C2Media; Lop.com; Tubmo; Ultimate Browser Enhancer; as well as Lop/Active and variants such as Lop/Dialer, Lop/IMZ, and Lop/Trinity. Lop variants also may install an Accessories toolbar in IE, add shortcuts to the Favourites menu, monitor online activity, install a porn dialer, and load other spyware and third-party programs onto the system.
Lop is an ActiveX control that installs itself automatically on any PC that comes into contact with its affiliated sites. Although quite a few anti-spyware utilities claim to be able to remove this particular Trojan, this must have been a new variant. The only way I was able to remove it was manually.
Start by opening the Registry Editor and locating the HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN key. Look for a corresponding value that references a QuieT or WinActive setting. Delete either if you find it. In addition, locate and delete the following keys and values (if present):
\HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\TELEPHONY\DomainName
\HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Domain
\HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\VXD\MSTCP\Domain
\HKEY_LOCAL_MACHINE\SOFTWARE\CKOTETLLLYLLSHZ
\HKEY_LOCAL_MACHINE\SOFTWARE\KSEATEASTEESTOE
\HKEY_LOCAL_MACHINE\SOFTWARE\RHVLVEASTEAFPR
\HKEY_LOCAL_MACHINE\SOFTWARE\SSAXSTXOAIEOAGRH
\HKEY_LOCAL_MACHINE\SOFTWARE\TRINITYAYB
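The registry checks described above, as an added read-only audit script that is not part of the original post: it reports matches and deletes nothing. The post does not say which of the listed paths are keys and which are values, so the script (function names are hypothetical) tests each path both ways.

```powershell
# Added example: read-only audit for the registry entries listed in the post.
# Function names are hypothetical; nothing is deleted or modified.
$runKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runPatterns = 'QuieT', 'WinActive'
$listedPaths = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\DomainName'
    'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain'
    'SYSTEM\CurrentControlSet\Services\VxD\MSTCP\Domain'
    'SOFTWARE\CKOTETLLLYLLSHZ'
    'SOFTWARE\KSEATEASTEESTOE'
    'SOFTWARE\RHVLVEASTEAFPR'
    'SOFTWARE\SSAXSTXOAIEOAGRH'
    'SOFTWARE\TRINITYAYB'
)

function New-Finding($Kind, $Path, $Name, $Data) {
    [pscustomobject]@{ Kind = $Kind; Path = $Path; Name = $Name; Data = $Data }
}

function Find-RunEntry([string]$Key, [string[]]$Patterns) {
    if (-not (Test-Path -LiteralPath $Key)) { return }
    $regKey = Get-Item -LiteralPath $Key
    foreach ($name in $regKey.GetValueNames()) {
        $data = [string]$regKey.GetValue($name)
        # Match the marker in either the value name or the command it launches.
        if ($Patterns | Where-Object { $name -like "*$_*" -or $data -like "*$_*" }) {
            New-Finding 'RunValue' $Key $name $data
        }
    }
}

function Find-KeyOrValue([string]$RelativePath) {
    $full = "HKLM:\$RelativePath"
    if (Test-Path -LiteralPath $full) {          # the path exists as a key
        return New-Finding 'Key' $full $null $null
    }
    $cut    = $RelativePath.LastIndexOf('\')
    $parent = 'HKLM:\' + $RelativePath.Substring(0, $cut)
    $leaf   = $RelativePath.Substring($cut + 1)
    if (Test-Path -LiteralPath $parent) {        # otherwise try it as a value
        $regKey = Get-Item -LiteralPath $parent
        if ($regKey.GetValueNames() -contains $leaf) {
            New-Finding 'Value' $parent $leaf ([string]$regKey.GetValue($leaf))
        }
    }
}

$findings = @(Find-RunEntry $runKey $runPatterns) +
            @($listedPaths | ForEach-Object { Find-KeyOrValue $_ })
if ($findings.Count -eq 0) { 'No listed Lop entries found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Windows normally keeps its own Domain value under Tcpip\Parameters, so review the Data column of any Value hit before removing it.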
It is obvious that C2 Media Ltd, the owners of Lop.com, want to deliberately install this software without your consent or knowledge using manipulative and deceptive technology that C2 Media employs. They then make it as difficult as possible to detect and un-install. Then they have the audacity to post an End User License Agreement on their website stating that anyone who has this software agrees to all their terms and conditions.
They must be proud that they have wasted hours of my time redirecting me to pornographic websites. Although my life is back to normal now, imagine if you were in a corporate environment and your hijacked browser takes you to some of these sites. This can be grounds for instant dismissal. C2 Media would not care less as long as they could make 2c from you before you lose your job.
Also, they would love to install this software for your kid’s computers. That way they can teach your 8 year old not to visit the sites they want, but to redirect them to more appropriate pornographic sites instead. They could not care less if they damage people’s lives as long as they can make 2c from them during the process.
There is a place for parasites of the internet world such as C2 Media Ltd.
Their time will come.
Excellent article Steven. Thank you for sharing this information.
Very good article, I totally agree Steven at their unethical procedures. I got to the point where I nearly threw the PC downstairs out of sheer frustration after I got hijacked. My son inadvertently downloaded this totally unwanted rubbish, we think through messenger plus! I had all sorts of pop ups from gambling to porno! I was simply trying to access my bank account and trying to compose e-mails to the point where I 'lost it'!!! I got stressed as did my son! Hopefully there will be a law to stop such evil practice sooner rather than later. I'd love to see these criminals behind bars...what damn right do they think they have?? Evil, immoral !**%$~'s!!
My 63 year old cousin-in-law got the same problem. He's not computer savvy at all, and did not know what to do. It blocked him from going into his bank account and investment, and he can't use the computer. All the time these porno sites just keep on popping out! He had no clue what happened as his grandson and children use his computer too.
I fixed his problem by installing Mozilla as IE is so vulnerable! It will take me time to figure out where the problem is and even if I fixed the problem, it will start all over again!
But I agree, these hijackers are ruthless and should be penalized for abuse!