To: Windows NTBugtraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>, firstname.lastname@example.org
Date: Mon, 2 Aug 2004 15:20:13 +0200
Has anyone heard of this IE hijacker?
One of our users went through a devastating Sunday when he tried to remove
this piece of software from his PC. It appears as a side panel (on the
left) and prompts with suggestions when the user utilises Google to perform
a search. Essentially, it notices what Google searches you do and comes up
with suggestions in its own little window. However, if you try to remove
the item using "Add/Remove Programs" (since it's listed), you can end up
with massive problems with your computers. This user ended up losing all
files on a secondary partition of his hard disk. I found one post in a
forum where the poster claimed that it "trashed his OS" but did not say
what was specifically affected.
The user was wise enough to try an undelete utility which restored most but
not all of his files and then used XP's system restore feature to attempt
to restore things back to a day before but this obviously meant that the
utility re-appeared in "Add/Remove" and under "Program Files".
I didn't find much help on the net and no one seems to be flagging it as a
potentially disturbing piece of malware except for the poster mentioned
above. Disassembling it showed that it has an embedded registry resource
and by using that I removed all traces of it from the registry.
The only files that were not recovered were images (mainly belonging to his
daughter - and which weren't backed up; hereby proving Murphy's law) and it
seems as if there was some kind of cross-linked references in the file
table since opening some pics in an ASCII viewer shows quite clearly that
they are not pics but either PDFs, MP3s, etc. I renamed a few of the files
and they worked. I'm not sure if this is SideFind or the undelete utility
that did this though ...
What I'd like is more information as to how this damn utility installed
itself on the user's PC. He claims to have never intentionally installed
it and he's a reliable enough user for me to believe that he didn't just
click on "Yes" w/o reading the dialog first ...
Malta Communications Authority
Suite 43/44, "Il-Piazzetta"
Sliema SLM 16
Tel: +356 21 336840
Fax: +356 21 336846
Mob: +356 79 271852
"This is a lesson that the stars in the sky teach us - they may be related
to the sun, and just as brilliant, but they never appear in her company"
Baltasar Gracian, 1601 - 1658