SnowGuy/hijacked

Discussion in 'other security issues & news' started by SnowGuy, May 23, 2004.

Thread Status:
Not open for further replies.
  1. SnowGuy

    SnowGuy Guest

    Yupper..it's for true.....actually did it to myself.....installed a game which hijacked my homepage......to wit: special note* this can be considered spyware: "pacquest" a pacman game....no notice given by vendor....at the completion of the install a popup appears saying thanks for installing adware.......thereafter a shortcut is placed on the desktop....for:

    <http://www.popupbegone.com>....

    removing the game does not remove the link..........


    Here it now gets hazy.....I also installed two other games.....which may have ALSO been involved in the hijack..not absolutely certain........but a definite on "pacquest"

    the "new" homepage "sites" would have been.

    <www.worldusa.com>

    <www.searchgateway.net>

    furthermore.......a cookie was found <fastclick> tracker/stored

    I NEVER allow stored cookies. and the only time tonight that session cookies were allowed was at M$ update website....immediately afterwards no cookies allowed............take note that the cookie was missed by MRUBLASTER...plus two other cleaning programs(index included) so it must be a file type thingy............................
    Everything has now been cleaned.....Ad-aware found them all........also, SpywareBlaster did not prevent the hijacking......it was an inside job LOL so SpywareBlaster must not have noticed or else did not contain the block
    about the gist of it folks....I hijacked myself by installing "SUPPOSEDLY CLEAN PROGRAMS"...............neither anti virus nor trojan scanner picked these up on their scanners............ooooh well......off to OZ


    oh...the other games were: deluxepacman and flixball (that name may not be correct)
     
  2. SnowGuy

    SnowGuy Guest

    UPDATE

    After some time passed I noticed something just wasn't right....so began to dig.........And found a call home ad trojan called <showbehind.exe>

    Ad-aware DID NOT DETECT AND/OR REMOVE THIS BUG!!!!!!

    After several hours of research I have discovered many complaints regarding this trojan.........it's been commented that M$ Update installs it...as well as many freeware programs......south park mario (I had mario worlds).........an un-zipping program....several other free games....well you get the point no doubt.........and yes it is a known bug by anti virus vendors.........but in my case neither of my av's removed it..........
    using a registry cleaner.....windows explorer......it appears that I have deleted this thingy..............it's a real trickster.....
    As I type I am downloading spybot s&d to see if it will catch any "remains" I may have missed.................frankly I am at a loss as to why an ad trojan as old as this one is not being detected by several really good programs.......this thing could really cause a newbie some real issues.......if I were not so cautious it would have slid right past me........and never been detected later............well, the firewall would have alerted.....nothing else.

    spybot download just completed....will give it a go
     
  3. Sunman

    Sunman Guest

    So everyone who uses MS update has it? Hard to believe.
     
  4. snowguy

    snowguy Guest

    please NOTICE the word "COMMENTED"........which implies that "OTHERS" other than myself had made such "COMMENTS"......which were read by myself when doing research on the topic.

    as for the M$ UPDATE ISSUE.........PERSONALLY I HAVE NO KNOWLEDGE OF ANY SUCH ACTION ON THE PART OF M$..............
     
  5. FanJ

    FanJ Guest

    Hi Snowman,

    Does this help:

    For showbehind:
    http://pestpatrol.com/pestinfo/s/showbehind.asp
    I'm not completely sure whether that is the same as you were talking about.
    If it is, you might find there removal instructions.

    If you use InternetExplorer, you might like to have a look at IE-SPYAD from Eric Howes:
    http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

    IE-SPYAD puts a long list of sites in your restricted zone of InternetExplorer.
    The trick is now to put everything in your Restricted Zone of IE at the highest possible security level.
    For example ActiveX is then disabled for those sites.
    Eric Howes publishes frequently an updated list, and posts notifications here at Wilders (and some other sites) in the Update-Alerts forum-section.

    A quick search in my IE-SPYAD (at the moment I have not yet installed the latest one) shows me that those sites, which you mentioned, are listed in IE-SPYAD:
    worldusa.com
    searchgateway.net
    fastclick : several items


    If you like, you could post a HijackThis-log here:
    https://www.wilderssecurity.com/forumdisplay.php?f=26

    I hope this helps a little bit.

    Take care !
    Best regards, Jan.
     
  6. SnowGuy

    SnowGuy Guest

    FanJ

    Thank you very much.......yes, it was those instructions plus others that helped me get rid of that bugger..............Also, I use the agnis list.....but in this case the bug came from installing a game program......I did it to myself FanJ.............the computer is old and sooner or later I'll give it to a needy child......so thought to put a couple of games on it..........
    Strangely even McAfee didn't catch this exploit.....and yet McAfee clearly is SUPPOSED TO........according to McAfee......which has now been removed from the pc.....was too heavy.........am truly shocked by the way this exploit installed without any security program picking it up.........heck it's not even a very complicated exploit.....makes me really begin to wonder.
    will only be on the internet just long enough to finish rebuilding this old pc.............am just not up to this right now.....tired.
    Again.....much thanks.......seems like I got it all out manually....so was lucky...this time.....by the way.....if I were not still recovering from that surgery ....there would be legal action taken against the product's vendor.......the guy is targeting children....with free games.....and absolutely no notice that it's adware infected......that's really wrong......but then after infecting the machine.....offers to sell the computer owner a pop-up blocker...even installs an icon on the desktop...linking to the site selling the pop-up blocker
     
  7. SnowGuy

    SnowGuy Guest

    The below listed are homepage and search page hijackers.....That go UN-SEEN by Ad-aware...Spybot............associated with previously posted above.


    <www.searchgateway.net>

    <www.worldusa.com>

    after several days I am still finding these in places in the registry.....after running both Ad-aware and spybot..........

    this to my understanding is a rather old hijacker..openbehind.exe....perhaps that's why it's not being seen o_O So, if it gets ya.....be prepared to manually dig it out......
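
Added example, not part of any post in this thread: a Python sketch of the two checks discussed above, namely finding registry values that still reference the hijack domains after a scanner run, and seeing which of those domains are already mapped to IE's Restricted zone (the effect FanJ describes for IE-SPYAD). It assumes a regedit export already decoded to text; the sample export is constructed, the ZoneMap key path is not stated in the thread, and the function names are hypothetical.

```python
import re

# Domains named in this thread as the hijacked home/search pages.
HIJACK_DOMAINS = ("worldusa.com", "searchgateway.net")
# Key path where IE stores per-domain zone assignments (not stated in the thread).
ZONEMAP = r"\internet settings\zonemap\domains" + "\\"
RESTRICTED = 4  # zone number of IE's Restricted sites zone

# Constructed sample of a regedit text export (not data from the thread).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.worldusa.com/"
"Search Page"="http://www.searchgateway.net/search"
"Local Page"="C:\\WINDOWS\\System32\\blank.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\worldusa.com]
"*"=dword:00000004
'''

def parse_reg(text):
    """Yield (key, value_name, raw_data) for each value line in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)):
            yield key, m.group(1).strip('"'), m.group(2)

def audit(text, domains=HIJACK_DOMAINS):
    """Return (leftovers, restricted): values that still reference a hijack
    domain, and hijack domains already mapped to the Restricted zone."""
    leftovers, restricted = [], set()
    for key, name, data in parse_reg(text):
        zone_domain = key.lower().partition(ZONEMAP)[2].split("\\")[0]
        if zone_domain:
            # A ZoneMap entry is a block-list entry, not a hijack remnant.
            if zone_domain in domains and data.lower() == "dword:%08x" % RESTRICTED:
                restricted.add(zone_domain)
            continue
        leftovers += [(key, name, d) for d in domains if d in data.lower()]
    return leftovers, restricted

if __name__ == "__main__":
    leftovers, restricted = audit(SAMPLE_EXPORT)
    for key, name, domain in leftovers:
        print(f"LEFTOVER {domain}: [{key}] {name}")
    print("Not in Restricted zone:", sorted(set(HIJACK_DOMAINS) - restricted))
```

Multi-line hex values in an export are skipped by this parser, so it only reports string and dword values.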
     