Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

How to navigate away from quicksand domains which hold your browser captive until you install their software?

0 views
Skip to first unread message

Tom

unread,
Jul 13, 2008, 9:04:02 AM7/13/08
to
How do we get out of the browser infinite loop quicksand when we navigate
to web pages designed to lock us in and force us to hit the "pay me" button
(whatever they want to force you to do)?

These are just a sample of nasty quicksand web pages I've run into which
lock your browser into a loop and won't let you get out until you hit the
"install" or "run" or "OK" button... (whatever it is they want you to do).

http://www.spywareiso.com
http://antivirus-scanner.com
http://findyourlink.net
http://www.findyourlink.net
http://spywareiso2008.com
http://www.spywareiso2008.com
http://www.immenseclips.com
http://antivirus2009-scanner.com
http://thecatalogfree.net
etc.

When you navigate to these quicksand links, you can not get out of their
infinite loop with your browser no matter what you do. I'm forced to
control alt delete and kill the browser from the task manager ... but I ask
...

Is there a more graceful way, after the fact, to navigate away from
quicksand domains which have a hold on your browser, other than control alt
deleting the browser process?

Bear Bottoms

unread,
Jul 13, 2008, 9:14:37 AM7/13/08
to
On Sun, 13 Jul 2008 08:04:02 -0500, Tom <twil...@hotmail.com> wrote:

> How do we get out of the browser infinite loop quicksand when we navigate
> to web pages designed to lock us in and force us to hit the "pay me"
> button
> (whatever they want to force you to do)?
>
> These are just a sample of nasty quicksand web pages I've run into which
> lock your browser into a loop and won't let you get out until you hit the
> "install" or "run" or "OK" button... (whatever it is they want you to
> do).
>
>

> When you navigate to these quicksand links, you can not get out of their
> infinite loop with your browser no matter what you do. I'm forced to
> control alt delete and kill the browser from the task manager ... but I
> ask
> ...
>
> Is there a more graceful way, after the fact, to navigate away from
> quicksand domains which have a hold on your browser, other than control
> alt
> deleting the browser process?

Why not just close the tab/page? BTW, some of these links are dangerous to
persons who would navigate to them out of curiosity. Not a good idea Tom.

--
Bear Bottoms
Freeware website: http://bearware.info

Bit Twister

unread,
Jul 13, 2008, 9:50:54 AM7/13/08
to
On Sun, 13 Jul 2008 06:04:02 -0700, Tom wrote:
> How do we get out of the browser infinite loop quicksand when we navigate
> to web pages designed to lock us in and force us to hit the "pay me" button
> (whatever they want to force you to do)?

download/install/run firefox 3.0.
install NoScript Add On

That blocks javascript which can hide in video/flash/gif/...
from executing, some of which can be malware.


install privoxy from http://www.privoxy.org/
then add user.action rules from
http://www.neilvandyke.org/privoxy-rules/

The add privoxy to firefox
In firefox,
Edit->Preference->Advanced
Click Network tab
Connection
Settings button

click Manual proxy configuration:
HTTP Proxy: 127.0.0.1 Port: 8118
SSL Proxy: 127.0.0.1 Port: 8118
Be sure to clear the "No Proxy for" box
Click OK
Click Close

Privoxy blocks add servers, which may have been cracked
and are serving up malware.

Check out first two of those sites you posted.
http://www.google.com/safebrowsing/diagnostic?site=http://www.spywareiso.com
http://www.google.com/safebrowsing/diagnostic?site=http://antivirus-scanner.com

Tom

unread,
Jul 13, 2008, 10:06:32 AM7/13/08
to
On Sun, 13 Jul 2008 08:14:37 -0500, Bear Bottoms wrote:

>> Is there a more graceful way, after the fact, to navigate away from
>> quicksand domains which have a hold on your browser, other than control
>> alt
>> deleting the browser process?
>
> Why not just close the tab/page?

That's my whole point. You CAN NOT close the tab. It just won't close!
In fact, you can't even navigate AWAY from the tab!

What Firefox flaw are they taking advantage of that hijacks your browser
and won't even let you close the tab or the browser or even switch to
another tab. You're stuck in the quicksand and can't get out.

Bear Bottoms

unread,
Jul 13, 2008, 10:10:33 AM7/13/08
to

Can't help you there, I use Opera.

Bear Bottoms

unread,
Jul 13, 2008, 10:15:23 AM7/13/08
to

Or just use Opera!

Gabriele Neukam

unread,
Jul 13, 2008, 10:49:05 AM7/13/08
to
On this special day, Tom wrote:

> That's my whole point. You CAN NOT close the tab. It just won't close!
> In fact, you can't even navigate AWAY from the tab!

Solution #1: Disable Java/JavaScript
Solution #2: Disable automatic forwarding. This will make the backup
button functional again.
Solution #3: Use a browser different from the Internet Explorer, ie one
of the Mozillas or Opera. They cannot be manipulated via ActiveX
commands.


Gabriele Neukam

Gabriele.Spam...@t-online.de

--
Reality is something, people cannot cope with.
If they could, they would not play.


Sherman Pendley

unread,
Jul 13, 2008, 10:58:00 AM7/13/08
to
Tom <twil...@hotmail.com> writes:

> How do we get out of the browser infinite loop quicksand when we navigate
> to web pages designed to lock us in and force us to hit the "pay me" button
> (whatever they want to force you to do)?

Patient: Doctor, it hurts when I do this.
Doctor: Then don't do that.

sherm--

--
My blog: http://shermspace.blogspot.com
Cocoa programming in Perl: http://camelbones.sourceforge.net

David H. Lipman

unread,
Jul 13, 2008, 11:09:07 AM7/13/08
to
From: "Tom" <twil...@hotmail.com>

| How do we get out of the browser infinite loop quicksand when we navigate
| to web pages designed to lock us in and force us to hit the "pay me" button
| (whatever they want to force you to do)?

| These are just a sample of nasty quicksand web pages I've run into which
| lock your browser into a loop and won't let you get out until you hit the
| "install" or "run" or "OK" button... (whatever it is they want you to do).

< snip >

| etc.

| When you navigate to these quicksand links, you can not get out of their
| infinite loop with your browser no matter what you do. I'm forced to
| control alt delete and kill the browser from the task manager ... but I ask
| ...

| Is there a more graceful way, after the fact, to navigate away from
| quicksand domains which have a hold on your browser, other than control alt
| deleting the browser process?

If you post possibly malicious web sites it is incumbant upon you to obfuscate the URL to
make sure said URL is NOT clickable such as...

hxxp://antivirus2009-scanner.com

This will protect others from possibly getting infected.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


VanguardLH

unread,
Jul 13, 2008, 11:43:39 AM7/13/08
to
Tom wrote:

Note: comp.infosystems.www.authoring.html was removed from Newsgroups in
my reply. This discussion is definitely off-topic for the
alt.comp.freeware group.

- Started up a virtual machine (running Windows XP Pro SP-3).
- Opened Internet Explorer v7 (home page = about:blank).
- Went to http://www.yahoo.com/.
- Opened another tab.
- In 2nd tab, went to http://www.intel.com/.
- In 2nd tab, went to http://www.spywareiso.com/.
- Got "page not found error".
- "nslookup www.spywareiso.com" returns 127.0.0.1.
- I don't use a hosts file with a bunch of "bad" domains pointing at
localhost.
- Used SamSpade to do a dig on www.spywareiso.com which reports
"Nameserver has a problem and can't talk right now".
- Domain registrant says they are in Moldova
(http://maps.google.com/maps?q=%2Bmoldova).
- Domain registration says nameservers for domain are NS1.SPYWAREISO.COM
and NS2.SPYWAREISO.COM which do resolve to IP addresses from my DNS
server (I use OpenDNS, not my ISP's DNS server).
- Tried "nslookup www.spywareiso.com NS1.SPYWAREISO.COM" to use their
nameserver but the DNS requests timed out.
- So their nameserver isn't responding right now. So much for the first
site to test.

- In 2nd tab (displaying Intel site), went to next bad site in your
list: http://antivirus-scanner.com.
- OpenDNS blocks that site. The default block category of "phishing"
(to block known phishing sites) is enabled but I also had the "adware"
category blocked (blocks sites that distribute *applications* that
display ads without user's permission/choice (i.e., adware) but not
ad-serving sites). So I had to disable that block category in my
OpenDNS account. Wait 4 minutes for config changes to become effective
on my account.
- Tried the site again.
- Redirected to http://www.infectionscanner.com/.
- Yep, another "Antivirus 2008" pest/scam site. Waited until it
presented its bogus "found pest" frame.
- Hit the Back toolbar button.
- Went back to Intel site.
- Hit Forward button.
- Went back to scam site.
- Enter http://www.ibm.com in the web browser's Address bar.
- Went to IBM's site.

Didn't bother to test the rest as I already found one of your listed
sites which did NOT behave as you claim for the web browser that I used
(IE7). Reverted the VM back to is snapshot to return to my baseline
(clean) setup. Must be a problem in your UNIDENTIFIED web browser. Or
your security settings for your web browser are lower than my settings
(which are customized for the Internet security zone, not the default
settings level, but still do allow scripting).

Tom

unread,
Jul 13, 2008, 12:33:16 PM7/13/08
to
On Sun, 13 Jul 2008 16:49:05 +0200, Gabriele Neukam wrote:

> Solution #1: Disable Java/JavaScript
OK. But nothing else will work if you do that.

> Solution #2: Disable automatic forwarding.

How?

> Solution #3: Use a browser different from the Internet Explorer

I'm using Firefox 3.0 on WinXP and this quicksand effect certainly affects
the Mozilla browsers!

Tom

unread,
Jul 13, 2008, 12:44:42 PM7/13/08
to
On Sun, 13 Jul 2008 09:15:23 -0500, Bear Bottoms wrote:

> Or just use Opera!

I'm confused. I thought Mozilla Firefox was "the safe" browser?
What's different about Opera with respect to these quicksand pages?
http://thecatalogfree.net

http://www.immenseclips.com
http://antivirus2009-scanner.com

Can an Opera user try these pages with Opera to see if they're quicksanded
to let us know what's different about Opera than Firefox when it hits HTML
quicksand?

Roger Hunt

unread,
Jul 13, 2008, 12:57:55 PM7/13/08
to
In article <zhqek.14183$xZ....@nlpi070.nbdc.sbc.com>, Tom
<twil...@hotmail.com> writes

You're joking Shirley?
It would be noble and valiant if you were to install Opera and try for
yourself.
--
Roger Hunt

David E. Ross

unread,
Jul 13, 2008, 1:00:34 PM7/13/08
to

For #1:

Install the PrefBar extension for Firefox. See
<http://prefbar.mozdev.org/>. Then setup a checkbox to enable and
disable Javascript. With Firefox 2 and SeaMonkey 1.1.10, the preference
variable is javascript.enabled. It's likely that didn't change for
Firefox 3.

With the PrefBar toolbar, you can easily switch between enabling and
disabling Javascript. Disable it when you hit "quicksand".

Also, does not the Home button on your Personal toolbar work?

--

David E. Ross
<http://www.rossde.com/>.

Q: What's a President Bush cocktail?
A: Business on the rocks.

Bear Bottoms

unread,
Jul 13, 2008, 1:08:00 PM7/13/08
to

I tried them all, Opera alerts you to nefarious activity and you can
simply close the tab.

Tom

unread,
Jul 13, 2008, 1:08:48 PM7/13/08
to
On Sun, 13 Jul 2008 17:03:54 +0100, hummingbird wrote:

> Afaik the only solution is to shut the browser down and
> enter its name in your HOSTS file, so you never go there again.

Hummingbird has a great answer!

Here's what I did when I went to an HTML kwiksand domain just now on
Firefox 3.0 on WinXP with JavaScript and Java enabled ('cuz you need 'em
for other pages).

1. I opened a tab to http://thecatalogfree.net with Firefox 3.0 on WinXP
2. I tried to kill the tab -> the html kwiksand prevented this
3. I tried to go to a new tab -> the html kwiksand prevented this
4. I tried to kill firefox -> the html kwiksand prevented this
5. Rather than kill the firefox process in the task manager ...
6. I now just type Start->Run->hosts and enter the domain
127.0.0.1 thecatalogfree.net
7. I then shift-reload my browser (to flush cache)
8. Voila! A shift-reload flushes cache & dumps the kwiksand page!

Note this one-time setup:
1. Copy hosts to host.txt and to hosts.bck
2. Start->Run->Regedit to add the following key-value pair:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
hosts.exe = c:\windows\system32\drivers\etc\hosts.txt

Do this every time you are caught in HTML kwiksand!
1. Go to the web page http://thecatalogfree.net
2. You'll note you are stuck on that page forever
3. Rather than control alt delete kill the Firefox browser session ...
4. Just type Start -> Run -> hosts
5. Enter the domain into that hosts.txt file
127.0.0.1 thecatalogfree.net
6. Write the hosts.txt file to hosts (overwriting the hosts file)
8. Quick out of your text editing session (I used vim freeware)
9. Shift Reload your browser
10. The kwiksand web page will disappear!

Woo hoo! Hummingbird found the solution to HTML kwiksand!!!!!!!!!!!!!!

Tom

unread,
Jul 13, 2008, 1:11:06 PM7/13/08
to
On Sun, 13 Jul 2008 10:58:00 -0400, Sherman Pendley wrote:

> Patient: Doctor, it hurts when I do this.
> Doctor: Then don't do that.

Hi Sherman,
The problem is that you are redirected unkwittingly to the HTML kwiksand
web pages from a variety of other entrapment pages.

It's like saying "Doctor, it hurts when someone hits me on the back of the
head" ... for the doctor to say "tell them not to hit you" won't work 'cuz
they're intent on these HTML kwiksand pages in trapping you.

Luckily the great Hummingbird came up with a solution that we can all live
with! Hooray!

Hendrik Maryns

unread,
Jul 13, 2008, 1:16:24 PM7/13/08
to
Op 13-07-08 18:44 heeft Tom als volgt van zich laten horen:

> On Sun, 13 Jul 2008 09:15:23 -0500, Bear Bottoms wrote:
>
>> Or just use Opera!
>
> I'm confused. I thought Mozilla Firefox was "the safe" browser?
> What's different about Opera with respect to these quicksand pages?

> http://antivirus-scanner.com

If I click on this in Firefox 3 (on Linux, but that shouldn’t make a
difference), I get a page warning that it is a scam page, with a button
‘Get me out of here!’.

That should say enough.

H.

Me Here

unread,
Jul 13, 2008, 1:22:18 PM7/13/08
to

I just tried all those links using nothing but FireFox 3 with javascript
and java enabled. All of them bar two failed to load. Of those, one
was blocked by OpenDNS, one was blocked by FF/antivirus/spywareblaster,
two loaded no probs although I could easily navigate away/shut them down
(spywareiso2008). The others have been taken down.

--
Me Here


Liberty lies in the rights of that person whose views you find most
odious. -- John Stuart Mill

Tom

unread,
Jul 13, 2008, 1:35:10 PM7/13/08
to
On Sun, 13 Jul 2008 11:09:07 -0400, David H. Lipman wrote:

> If you post possibly malicious web sites it is incumbant upon you to obfuscate the URL to
> make sure said URL is NOT clickable such as...
> hxxp://antivirus2009-scanner.com
> This will protect others from possibly getting infected.

This is a good idea. I will do so in the future!

Please do not click on the prior links.

Use these instead.
hxxp://thecatalogfree.net
hxxp://findyourlink.net
hxxp://antivirus2009-scanner.com
hxxp://www.spywareiso.com
hxxp://spywareiso2008.com
hxxp://antivirus-scanner.com
hxxp://www.immenseclips.com

Tom

unread,
Jul 13, 2008, 1:37:34 PM7/13/08
to
On Sun, 13 Jul 2008 10:43:39 -0500, VanguardLH wrote:
> Didn't bother to test the rest as I already found one of your listed
> sites which did NOT behave as you claim for the web browser that I used
> (IE7).

I must admit, those were the last few I ran into.

But the last one occurred today (which I started putting at the top of the
list for just the type of thing you wonderfully tested!)

What happens when you try this one?
http://thecatalogfree.net

Tom

unread,
Jul 13, 2008, 1:40:22 PM7/13/08
to
On Sun, 13 Jul 2008 10:00:34 -0700, David E. Ross wrote:

> Also, does not the Home button on your Personal toolbar work?

No. Nothing works except to kill firefox and not restart with all the same
tabs all over again.

The only other thing that stops the quicksand while you're still in the
browser session is to add it to the hosts file and then shift reload the
browser.

Only then does the quicksand page dump itself.

Try it yourself with the following domain which quicksanded me today!

hxxp://thecatalogfree.net

(note I obfuscated the http protocol to protect others as per lipman)

Tom

unread,
Jul 13, 2008, 1:42:48 PM7/13/08
to
> 1. I opened a tab to http://thecatalogfree.net with Firefox 3.0 on WinXP
...

> 127.0.0.1 thecatalogfree.net
> 7. I then shift-reload my browser (to flush cache)
> 8. Voila! A shift-reload flushes cache & dumps the kwiksand page!

I tried this without shift reloading and the kwiksand page still locks up
the browser infinately.

So, the kwiksand page must NOT be looking at the hosts file after the first
reload which means it must be looking only in your cache which means it
must have already dumped its malicious code in your cache from the start.

Only shift reloading the browser after putting the quicksand page into the
hosts file will solve the problem.

Tom

unread,
Jul 13, 2008, 1:44:38 PM7/13/08
to
On Sun, 13 Jul 2008 19:16:24 +0200, Hendrik Maryns wrote:

> If I click on this in Firefox 3 (on Linux, but that shouldn’t make a
> difference), I get a page warning that it is a scam page, with a button
> ‘Get me out of here!’.

That warning must be coming from the browser. That was an old link I gave
you (from my past experience).

What happened when you clicked on http://thecatalogfree.net (which I
verified today)?

Does http://thecatalogfree.net also give you that "get me outta'here"
warning?

C A Upsdell

unread,
Jul 13, 2008, 1:45:20 PM7/13/08
to
Tom wrote:
> How do we get out of the browser infinite loop quicksand when we navigate
> to web pages designed to lock us in and force us to hit the "pay me" button
> (whatever they want to force you to do)?

If Windows, Ctrl Alt Delete to call up the task manager; select the
browser; kill it.

Ed Mullen

unread,
Jul 13, 2008, 1:48:03 PM7/13/08
to

403 Forbidden.

--
Ed Mullen
http://edmullen.net
I have found the paradox, that if you love until it hurts, there can be
no more hurt, only more love. - Mother Teresa

hummingbird

unread,
Jul 13, 2008, 1:49:43 PM7/13/08
to

On Sun, 13 Jul 2008 10:08:48 -0700 'Tom'
wrote this on alt.comp.freeware:

Yep, you got the HOSTS syntax absolutely right in [5.] above.
Deal with these malware peddlers by blocking access to them.
It works wonders :-)


--
"All truth passes through three stages.
First, it is ridiculed, second it is violently opposed,
and third, it is accepted as self-evident"
(Arthur Schopenhauer)

Tom

unread,
Jul 13, 2008, 1:54:42 PM7/13/08
to
On Mon, 14 Jul 2008 03:22:18 +1000, Me Here wrote:

> I just tried all those links using nothing but FireFox 3 with javascript
> and java enabled. All of them bar two failed to load. Of those, one
> was blocked by OpenDNS, one was blocked by FF/antivirus/spywareblaster,
> two loaded no probs although I could easily navigate away/shut them down
> (spywareiso2008). The others have been taken down.

I must admit these were in a series which, over the past weeks, I've been
keeping track of.

Let me dig today to try to hit a site that is definate for today so we can
all run the right tests!

Bear Bottoms

unread,
Jul 13, 2008, 2:36:33 PM7/13/08
to
On Sun, 13 Jul 2008 12:40:22 -0500, Tom <twil...@hotmail.com> wrote:

> hxxp://thecatalogfree.net

All kinds of bells and whistles went off and Cox intercepted it saying it
was trying to change my network settings via a Trojan. Not a nice place.
Of course, no harm was done to my computer, but I wouldn't advise anyone
to try it out.

Bear Bottoms

unread,
Jul 13, 2008, 2:41:19 PM7/13/08
to
On Sun, 13 Jul 2008 12:49:43 -0500, hummingbird <hummi...@127.0.0.1>
wrote:

> Yep, you got the HOSTS syntax absolutely right in [5.] above.
> Deal with these malware peddlers by blocking access to them.
> It works wonders

Rather after-the-fact isn't it?

Bear Bottoms

unread,
Jul 13, 2008, 2:49:46 PM7/13/08
to

You did it again...stop trolling dude.

Ed Mullen

unread,
Jul 13, 2008, 2:52:18 PM7/13/08
to

Huh? My Windows XP Pro SP3 says: "Can't find hosts ..."

Why are you jumping through all these hoops? The Windows "hosts" file
is a plain text file you can edit in Notepad.

And do a search on "hosts.exe" and you'll find things like this:

http://www.bleepingcomputer.com/startups/host.exe-8795.html

This entire thread is becoming suspect.

In some cultures what I do would be considered normal.

Bear Bottoms

unread,
Jul 13, 2008, 2:56:14 PM7/13/08
to
On Sun, 13 Jul 2008 13:52:18 -0500, Ed Mullen <e...@edmullen.net> wrote:

> This entire thread is becoming suspect.
>

Bingo

hummingbird

unread,
Jul 13, 2008, 3:18:52 PM7/13/08
to
On Sun, 13 Jul 2008 10:11:06 -0700, Tom wrote in <iGqek.14185$xZ.8716
@nlpi070.nbdc.sbc.com>:

It's nice to be appreciated. What has Franklin and Ari ever done for
a.c.f. or any other group?

hb


--
...of all the things i've lost in my life ... i miss my mind the most

hummingbird

unread,
Jul 13, 2008, 4:36:51 PM7/13/08
to

On Sun, 13 Jul 2008 13:41:19 -0500 'Bear Bottoms'
wrote this on alt.comp.freeware:

>On Sun, 13 Jul 2008 12:49:43 -0500, hummingbird <hummi...@127.0.0.1>
>wrote:
>
>> Yep, you got the HOSTS syntax absolutely right in [5.] above.
>> Deal with these malware peddlers by blocking access to them.
>> It works wonders

>Rather after-the-fact isn't it?

He can use the hosts file to avoid going to that site again.

hummingbird

unread,
Jul 13, 2008, 4:37:26 PM7/13/08
to
On Sun, 13 Jul 2008 09:10:33 -0500, Bear Bottoms wrote in
<op.ud8hn...@bwwlxc1.br.no.cox.net>:
> On Sun, 13 Jul 2008 09:06:32 -0500, Tom <twil...@hotmail.com> wrote:

>
> > On Sun, 13 Jul 2008 08:14:37 -0500, Bear Bottoms wrote:
> >
> >>> Is there a more graceful way, after the fact, to navigate away from
> >>> quicksand domains which have a hold on your browser, other than control
> >>> alt
> >>> deleting the browser process?
> >>
> >> Why not just close the tab/page?
> >
> > That's my whole point. You CAN NOT close the tab. It just won't close!
> > In fact, you can't even navigate AWAY from the tab!
> >
> > What Firefox flaw are they taking advantage of that hijacks your browser
> > and won't even let you close the tab or the browser or even switch to
> > another tab. You're stuck in the quicksand and can't get out.
>
> Can't help you there, I use Opera.
>

What if it's an Opera tab that is stuck on one of those URLs?

hummingbird

unread,
Jul 13, 2008, 4:37:46 PM7/13/08
to

On Sun, 13 Jul 2008 20:18:52 +0100 'FORGERY'
wrote this on alt.comp.freeware:

--------------FORGERY------------

--
If they give you an enema before you die, they could bury you in a matchbox.

Chris F.A. Johnson

unread,
Jul 13, 2008, 4:21:19 PM7/13/08
to

No. I get:

Forbidden

You don't have permission to access / on this server.

I had no problems with the other links you posted, even when I
ignored FF's warning about the site.

--
Chris F.A. Johnson <http://cfaj.freeshell.org>
===================================================================
Author:
Shell Scripting Recipes: A Problem-Solution Approach (2005, Apress)

hummingbird

unread,
Jul 13, 2008, 4:58:18 PM7/13/08
to

On Sun, 13 Jul 2008 14:52:18 -0400 'Ed Mullen'
wrote this on alt.comp.freeware:

The HOSTS file is named exactly that: HOSTS
It has no file extension.


>http://www.bleepingcomputer.com/startups/host.exe-8795.html
>
>This entire thread is becoming suspect.

BB thinks so too.

hummingbird

unread,
Jul 13, 2008, 5:11:50 PM7/13/08
to
On Sun, 13 Jul 2008 20:21:19 +0000, Chris F.A. Johnson wrote in <cefb0
$487a63bf$cef88ba3$97...@TEKSAVVY.COM>:

> On 2008-07-13, Tom wrote:
> > On Sun, 13 Jul 2008 19:16:24 +0200, Hendrik Maryns wrote:
> >
> >> If I click on this in Firefox 3 (on Linux, but that shouldn¢t make a
> >> difference), I get a page warning that it is a scam page, with a button
> >> ¡Get me out of here!¢.
> >
> > That warning must be coming from the browser. That was an old link I gave
> > you (from my past experience).
> >
> > What happened when you clicked on http://thecatalogfree.net (which I
> > verified today)?
> >
> > Does http://thecatalogfree.net also give you that "get me outta'here"
> > warning?
>
> No. I get:
>
> Forbidden
>
> You don't have permission to access / on this server.
>
> I had no problems with the other links you posted, even when I
> ignored FF's warning about the site.
>

Was any file installed. Did any malware appear in the browser cache?

hb

Bear Bottoms

unread,
Jul 13, 2008, 5:30:26 PM7/13/08
to
On Sun, 13 Jul 2008 15:37:26 -0500, hummingbird <hummi...@127.0.0.1>
wrote:

> On Sun, 13 Jul 2008 09:10:33 -0500, Bear Bottoms wrote in
> <op.ud8hn...@bwwlxc1.br.no.cox.net>:
>> On Sun, 13 Jul 2008 09:06:32 -0500, Tom <twil...@hotmail.com> wrote:
>>
>> > On Sun, 13 Jul 2008 08:14:37 -0500, Bear Bottoms wrote:
>> >
>> >>> Is there a more graceful way, after the fact, to navigate away from
>> >>> quicksand domains which have a hold on your browser, other than
>> control
>> >>> alt
>> >>> deleting the browser process?
>> >>
>> >> Why not just close the tab/page?
>> >
>> > That's my whole point. You CAN NOT close the tab. It just won't close!
>> > In fact, you can't even navigate AWAY from the tab!
>> >
>> > What Firefox flaw are they taking advantage of that hijacks your
>> browser
>> > and won't even let you close the tab or the browser or even switch to
>> > another tab. You're stuck in the quicksand and can't get out.
>>
>> Can't help you there, I use Opera.
>>
>
> What if it's an Opera tab that is stuck on one of those URLs?
>

I've never been unable to close a tab. I tried all of the URL's he
provided that worked and didn't fall into any 'quicksand.' I've had issues
trying to use the back button on some sites, but then I just close the tab.

There is a bug in 9.50 and 9.51 I found playing spades on Yahoo. If a java
applet for say and invitation, or score applet is left open when you close
Opera, the browser closes, but a process is still running as viewed in the
task manager. You have to terminate that before you can run Opera again.

Bear Bottoms

unread,
Jul 13, 2008, 5:37:46 PM7/13/08
to
On Sun, 13 Jul 2008 15:58:18 -0500, hummingbird <hummi...@127.0.0.1>
wrote:

>> This entire thread is becoming suspect.
>
> BB thinks so too.
>

So does Craig...whom I like but don't like but like but like but

Well, what I like about him is he ... er, well, he posts on the issue, not
the person...well most of the time somewhat.

hummingbird

unread,
Jul 13, 2008, 5:45:18 PM7/13/08
to

On Sun, 13 Jul 2008 16:30:26 -0500 'Bear Bottoms'
wrote this on alt.comp.freeware:

>On Sun, 13 Jul 2008 15:37:26 -0500, hummingbird <hummi...@127.0.0.1>

BB, you responded to a forgery.

hummingbird

unread,
Jul 13, 2008, 5:47:34 PM7/13/08
to

On Sun, 13 Jul 2008 22:11:50 +0100 'THE FORGER'
wrote this on alt.comp.freeware:

---------FORGERY----------

Message has been deleted

Tom

unread,
Jul 13, 2008, 10:02:39 PM7/13/08
to
On Sun, 13 Jul 2008 14:52:18 -0400, Ed Mullen wrote:

> Why are you jumping through all these hoops? The Windows "hosts" file
> is a plain text file you can edit in Notepad.

I know, I know.

Microsoft put the c:\windows\system32\drivers\etc\hosts file in the most
ridiculous non-intuitive spot it could possibly find, deep in muck, deep
under large directories that take a while to load, and without a decent
extension so you have to grope for your text editor (mine is vim freeware).

So, rather than "jump thru hoops" each time just to edit the hosts file, I
add a one-time-only registry key "hosts" which opens up the TEXT file (so
that I have a backup if I need it).

When I type "Start -> Run -> hosts", vim opens up that
c:\windows\system32\drivers\etc\hosts.txt text file, where I edit and save
to "hosts" which it saves in the current directory (i.e.,
c:\windows\system32\drivers\etc\hosts).

That's a LOT easier than navigating deep into the windows hierarchy into
the least logical place MS could have placed the hosts file and then
fumbling around to get notepad to edit the file with no extension.

Tom

unread,
Jul 13, 2008, 10:09:43 PM7/13/08
to
On Sun, 13 Jul 2008 21:58:18 +0100, hummingbird wrote:
> The HOSTS file is named exactly that: HOSTS
> It has no file extension.

I know. I know. Of course it's named hosts.

I'll explain again. You can fumble around trying to find the hosts file
every time you have to edit it but I don't wish to be that inefficient.

I just type "hosts", I make my edits, and I save the results as "hosts" and
I'm done.

Behind the scenes, the magic of that simplicity is:
a) Typing "Start -> Run -> hosts" exercises the "hosts.exe" registry key
b) That hosts.exe registry key brings up the hosts.txt file
c) Saving that as "hosts" saves that file as the proper hosts file.

It's that simple. You might prefer the lousy inefficient way and that's
just fine. Here's the horribly inefficient way to edit the hosts file.

a) Navigate to C:\windows (hosts belongs here)
b) Navigate to system32 (dunno why it's here)
c) Navigate to drivers (it's not a driver)
d) Navigate to etc (what's etc got to do with it?)
e) Right click on the hosts file to edit in Notepad
f) Save as hosts.bak (you should have a backup)
g) Save as hosts (this overwrites the original file)

So, you can do it either way. I think the method I proposed is elegant.
I think both methods will work.

BTW, there isn't any hosts.exe file.
Those who know the Windows registry know that, in Microsoft's infinite
wisdom, the "App Paths" key MUST end with "exe" for it to work. There is no
hosts.exe (I repeat) there is no hosts.exe. The whole point of the App
Paths key is to make the editing of hosts a simple one-click affair.

Hope this helps!

Tom

unread,
Jul 13, 2008, 10:11:21 PM7/13/08
to
On Sun, 13 Jul 2008 21:36:51 +0100, hummingbird wrote:

>>Rather after-the-fact isn't it?
>
> He can use the hosts file to avoid going to that site

The whole point is to be able to get out of the quicksand without having to
kill the entire browser session (losing all your tabs).

If you kill the browser, yet you wanted the OTHER tabs (not the quicksand
tab), you can't ever start it again 'cuz you can only recover all the tabs
or none of the tabs.

So, this hosts edit and then doing a shift reload, allows you to blank out
the one quicksand tab and move on with your life.

Elegant, isn't it?

Tom

unread,
Jul 13, 2008, 10:16:50 PM7/13/08
to
On Sun, 13 Jul 2008 14:52:18 -0400, Ed Mullen wrote:

> And do a search on "hosts.exe" and you'll find things like this:

I know. I know.

Those who know the Windows registry know that, in Microsoft's infinite
wisdom, the "App Paths" key MUST end with "exe" for it to work.

There is no hosts.exe (I repeat) there is no hosts.exe.

The whole point of the App Paths key is to make the editing of hosts a
simple one-click affair.

But, Microsoft insists that ALL "Apps Paths" keys end with "exe" whether or
not the file you're trying to open ends with ".exe".

So, that's the ONLY reason the hosts App Path key is called "hosts.exe".

Please reply if you understand this 'cuz I feel badly that this was
misunderstood by a few of you.

Tom

unread,
Jul 13, 2008, 10:28:35 PM7/13/08
to
On Sun, 13 Jul 2008 13:45:20 -0400, C A Upsdell wrote:

> If Windows, Ctrl Alt Delete to call up the task manager; select the
> browser; kill it.

Very inelegant.

When you have a dozen tabs open, killing the browser, kills all the tabs.

When you restart Firefox, it asks if you want to open all the old tabs,
but, of course, that will just open the quicksand site all over again.

So, without editing the hosts file and shift reloading, you're forced to
say NO to reloading your old tabs ... and you lose them all.

That's why you don't kill the browser session.

Luckily we found a single-click way to solve the problem (type "start ->
run -> hosts, add the offending domain, and shift reload the browser). This
turns the quicksand URL into cement. Voila! Thanks to hummingbird!

Tom

unread,
Jul 13, 2008, 10:30:09 PM7/13/08
to
On Sun, 13 Jul 2008 13:56:14 -0500, Bear Bottoms wrote:
> Bingo

Hi BB,

I stopped doing the URLs but you and others questioned the URLs so I had to
repeat and test one that got me into quicksand (the others were older ones
that I had made a note of prior).

Please look thru the thread again and notice that I only repeated the URLs
to clarify when people were confused when they kindly tested it.

Also please look back and see that I'm trying to answer their concerns,
e.g., they all got confused by "hosts.exe" which, if you know the registry
(and I know YOU do), is required by microsoft in order to have a "Start ->
Run -> hosts" command work.

Otherwise you have to inefficiently remember the stuuuuupid illogical place
Microsoft puts the hosts text file and then fumble around to get notepad to
open that file sans extension.

Likewise with the confusion about my method of opening a hosts.txt file
first (in order to have a ready-made backup) and then just saving it as
hosts so that I could, in a single editing session, have two files (one for
backup).

I'm sorry if people are confused by these little bits of elegance but I've
realized a LOT (especially hummingbird's wonderful suggestion of using the
hosts file and then shift-reloading to get out of the browser quicksand).

I've also learned that other people have OTHER things happening when they
get redirected to these malicious sites (unnamed as per popular request) so
I guess that is a big reason for the confusion out there.

The good news is the problem is solved.

Here's the solution:
a) When I get redirected to a quicksand site ...
b) Instead of killing the entire browser session (which others do) ...
c) I just type "Start -> Run -> hosts" and save the results as "hosts"
d) Back in the browser, I just shift reload and close the quicksand tab
which has now turned to cement forever!

This is the solution I will use and I will not ask more about it (if others
ask me to clarify, I'll clarify).

Thanks,
Tom

Chris F.A. Johnson

unread,
Jul 13, 2008, 10:46:49 PM7/13/08
to
On 2008-07-13, hummingbird wrote:
> On Sun, 13 Jul 2008 20:21:19 +0000, Chris F.A. Johnson wrote in <cefb0
> $487a63bf$cef88ba3$97...@TEKSAVVY.COM>:
>> On 2008-07-13, Tom wrote:
>> > On Sun, 13 Jul 2008 19:16:24 +0200, Hendrik Maryns wrote:
>> >
>> >> If I click on this in Firefox 3 (on Linux, but that shouldn¢t make a
>> >> difference), I get a page warning that it is a scam page, with a button
>> >> ¡Get me out of here!¢.
>> >
>> > That warning must be coming from the browser. That was an old link I gave
>> > you (from my past experience).
>> >
>> > What happened when you clicked on http://thecatalogfree.net (which I
>> > verified today)?
>> >
>> > Does http://thecatalogfree.net also give you that "get me outta'here"
>> > warning?
>>
>> No. I get:
>>
>> Forbidden
>>
>> You don't have permission to access / on this server.
>>
>> I had no problems with the other links you posted, even when I
>> ignored FF's warning about the site.
>
> Was any file installed.

Not if I didn't tell it to.

> Did any malware appear in the browser cache?

What's malware?

Beauregard T. Shagnasty

unread,
Jul 13, 2008, 10:48:05 PM7/13/08
to
Tom wrote:

> Behind the scenes, the magic of that simplicity is:

..to simply place a shortcut on your desktop - calling your text editor
to load HOSTS. Then all you have to do is save after you edit, and
bypass all those extra chores you've created for yourself.

--
-bts
-Friends don't let friends drive Windows

DrumStick

unread,
Jul 13, 2008, 10:54:35 PM7/13/08
to
Tom presented the following explanation :

For those who want another way to edit Hosts on the fly, use Hostman.

Drumstick


Ed Mullen

unread,
Jul 13, 2008, 11:11:07 PM7/13/08
to

Nonsense!

You have detailed a process that does not work in my standard install of
WXP-SP3. You have further created a questionable process involving
editing the Windows Registry which is, at best, a questionable process
in and of itself, and hardly something to be posting to a newsgroup.

Further, you have not answered satisfactorily any questions of the links
you posted. And, your bizarre approach to a HOSTS file is ...
mind-blowingly stupid.

I deem this entire thread bogus at best, threatening at worst. I
encourage no one to do anything that "Tom" has recommended until he
demonstrates that he actually knows what he's doing by citing
authoritative references.

That HOSTS file and registry stuff is total nonsense and the product of
(at best) someone who has not a clue and who has been surfing and copied
suspect references.

IGNORE ALL OF THIS.

A budget is just a method of worrying before you spend money, as well as
afterward.

Ed Mullen

unread,
Jul 13, 2008, 11:13:09 PM7/13/08
to

You do not have a freaking clue. Your entire rant about the HOSTS file
management process in Windows is ignorant at best, damaging most likely,
possibly intent on some nefarious goal.

There's no trick to being a humorist when you have the whole government
working for you. - Will Rogers

Ed Mullen

unread,
Jul 13, 2008, 11:27:44 PM7/13/08
to

No one should pay any attention to any posts by "Tom". This is idiotic
to the max.

And, by the way, what sites are you surfing to that redirect you to
these so-called "quicksand" sites? Is this a problem for anyone else?
Or for anything less than a miniscule percentage of users? I doubt it.
Is this a problem for anyone else? I doubt it.

This entire issue is bogus as are all of the posts from "Tom"

Hey, just my opinion. But, I post in the clear with a legitimate mail
address and have done so for many years. You all can make up your own
minds. I have marked "Tom" as a troll. A potentially dangerous one at that.

Can you be a closet claustrophobic?

C A Upsdell

unread,
Jul 13, 2008, 11:43:02 PM7/13/08
to
Tom wrote:
> On Sun, 13 Jul 2008 13:45:20 -0400, C A Upsdell wrote:
>
>> If Windows, Ctrl Alt Delete to call up the task manager; select the
>> browser; kill it.
>
> Very inelegant.

Inelegant. But reliable, and safe.


Tom

unread,
Jul 13, 2008, 11:58:00 PM7/13/08
to
On Sun, 13 Jul 2008 23:43:02 -0400, C A Upsdell wrote:

>>> If Windows, Ctrl Alt Delete to call up the task manager; select the
>>> browser; kill it.
>>
>> Very inelegant.
>
> Inelegant. But reliable, and safe.

I agree. It's what I used to do before I found Hummingbird's more elegant
hosts file solution.

Thanks everyone,
Tom

Ed Mullen

unread,
Jul 14, 2008, 12:01:38 AM7/14/08
to
Tom wrote:
> On Sun, 13 Jul 2008 21:36:51 +0100, hummingbird wrote:
>
>>> Rather after-the-fact isn't it?
>> He can use the hosts file to avoid going to that site
>
> The whole point is to be able to get out of the quicksand without having to
> kill the entire browser session (losing all your tabs).

You have not demonstrated that this is an issue. Most of the URLS you
posted died as a 403 or something. This is a non-issue for 99% of users
and I believe you are (at best) spamming, at worst trying to suck people
into your links. Well, ok, you could just be stupid.

>
> If you kill the browser, yet you wanted the OTHER tabs (not the quicksand
> tab), you can't ever start it again 'cuz you can only recover all the tabs
> or none of the tabs.

What? You are clueless.

> So, this hosts edit and then doing a shift reload, allows you to blank out
> the one quicksand tab and move on with your life.
>
> Elegant, isn't it?

Not!

Idiotic at best when considered in light of his other posts.

A clear conscience is usually the sign of a bad memory.

Me Here

unread,
Jul 14, 2008, 12:23:03 AM7/14/08
to

If you have other tabs open that you want to keep viewing, then yes,
it's a good immediate, albeit 'temporary' solution to the problem. I
say temporary because using a Hosts file isn't a good solution. Many
malware sites scan and remove their listings from hosts files (and even
locking it via the read-only attribute won't protect you). They do it
by making you log into a benign site first (one that isn't blocked) and
using that to remove their entry from your Hosts file before redirecting
you and trapping your browser. Even running free FireFox addons such as
NoScript won't protect you unless you've been caught before and know not
to allow the site access to Java or JS. You should really be running
an IP blocking program like PeerGuardian or if that is too much hassle,
do what I do and use OpenDNS. I'm sure there are other solutions, those
two just spring to mind. My advice, if you don't want this happening
again and you're the type that's likely to run across sites like these
often, is to do a bit of research into blocking methods and choose the
one that best suits your need.


--
Me Here


I've started referring to the proposed action against Iraq as Desert
Storm 1.1, since it reminds me of a Microsoft upgrade: it's expensive,
most people aren't sure they want it, and it probably won't work. --
Kevin G. Barkes 2002

Alfred Einstein

unread,
Jul 14, 2008, 12:23:44 AM7/14/08
to

"Ed Mullen" <e...@edmullen.net> wrote in message
news:oIGdnTP_78JRXufV...@comcast.com...

Nonsense. This is a fine solution (though I can think of simpler ones ...
like just creating a shortcut to vim-edit the hosts file).


Alfred Einstein

unread,
Jul 14, 2008, 12:24:58 AM7/14/08
to

"Ed Mullen" <e...@edmullen.net> wrote in message
news:X7Cdnc2HA5I5UufV...@comcast.com...

Hey Ed. Are you Bare Bottoms in disguise. Or just a wannabee?.


Alfred Einstein

unread,
Jul 14, 2008, 12:25:33 AM7/14/08
to

"Ed Mullen" <e...@edmullen.net> wrote in message
news:oIGdnTL_78LaWefV...@comcast.com...

> Tom wrote:
>> On Sun, 13 Jul 2008 14:52:18 -0400, Ed Mullen wrote:
>>
>>> And do a search on "hosts.exe" and you'll find things like this:
>>
>> I know. I know.
>>
>> Those who know the Windows registry know that, in Microsoft's infinite
>> wisdom, the "App Paths" key MUST end with "exe" for it to work. There is
>> no hosts.exe (I repeat) there is no hosts.exe. The whole point of the App
>> Paths key is to make the editing of hosts a
>> simple one-click affair.
>>
>> But, Microsoft insists that ALL "Apps Paths" keys end with "exe" whether
>> or
>> not the file you're trying to open ends with ".exe".
>>
>> So, that's the ONLY reason the hosts App Path key is called "hosts.exe".
>>
>> Please reply if you understand this 'cuz I feel badly that this was
>> misunderstood by a few of you.
>
> You do not have a freaking clue. Your entire rant about the HOSTS file
> management process in Windows is ignorant at best, damaging most likely,
> possibly intent on some nefarious goal.

I think Ed is dead in the head.


Beauregard T. Shagnasty

unread,
Jul 14, 2008, 1:15:20 AM7/14/08
to
Me Here wrote:

> If you have other tabs open that you want to keep viewing, then yes,
> it's a good immediate, albeit 'temporary' solution to the problem. I
> say temporary because using a Hosts file isn't a good solution. Many
> malware sites scan and remove their listings from hosts files (and even
> locking it via the read-only attribute won't protect you).

What? You are gonna have to find reliable cites for that nonsense.

> They do it by making you log into a benign site first (one that isn't
> blocked) and using that to remove their entry from your Hosts file
> before redirecting you and trapping your browser. Even running free
> FireFox addons such as NoScript won't protect you unless you've been
> caught before and know not to allow the site access to Java or JS.

More bollox.

Me Here

unread,
Jul 14, 2008, 1:45:31 AM7/14/08
to

Beauregard T. Shagnasty wrote:
> Me Here wrote:
>
>> If you have other tabs open that you want to keep viewing, then yes,
>> it's a good immediate, albeit 'temporary' solution to the problem. I
>> say temporary because using a Hosts file isn't a good solution. Many
>> malware sites scan and remove their listings from hosts files (and even
>> locking it via the read-only attribute won't protect you).
>
> What? You are gonna have to find reliable cites for that nonsense.

Google is your friend. I won't do your homework for you.

--
Me Here


Now each one of us, black or white, is a symbol. The war is out in the
open and the skin color is a uniform. All the deep and basic
similarities of the human condition are forgotten so that we can
exaggerate the few differences that exist. -- John D. MacDonald, The
Girl in the Plain Brown Wrapper

Michael Fesser

unread,
Jul 14, 2008, 1:51:46 AM7/14/08
to
.oO(Me Here)

>If you have other tabs open that you want to keep viewing, then yes,
>it's a good immediate, albeit 'temporary' solution to the problem. I
>say temporary because using a Hosts file isn't a good solution. Many
>malware sites scan and remove their listings from hosts files (and even
>locking it via the read-only attribute won't protect you). They do it
>by making you log into a benign site first (one that isn't blocked) and
>using that to remove their entry from your Hosts file before redirecting
>you and trapping your browser.

Indeed. I do the same on my own websites. I always scan the machines of
my visitors for nude pics and contact info of their girlfriends.

>Even running free FireFox addons such as
>NoScript won't protect you unless you've been caught before and know not
>to allow the site access to Java or JS. You should really be running
>an IP blocking program like PeerGuardian or if that is too much hassle,
>do what I do and use OpenDNS. I'm sure there are other solutions, those
>two just spring to mind. My advice, if you don't want this happening
>again and you're the type that's likely to run across sites like these
>often, is to do a bit of research into blocking methods and choose the
>one that best suits your need.

I don't block anything, I don't even have anti-spyware or virus scanners
on my workstation, still my box is clean. What am I doing wrong? Help!!1

Mi'amused'cha

Me Here

unread,
Jul 14, 2008, 1:55:24 AM7/14/08
to

Beauregard T. Shagnasty wrote:
> Me Here wrote:
>
>> If you have other tabs open that you want to keep viewing, then yes,
>> it's a good immediate, albeit 'temporary' solution to the problem. I
>> say temporary because using a Hosts file isn't a good solution. Many
>> malware sites scan and remove their listings from hosts files (and even
>> locking it via the read-only attribute won't protect you).
>
> What? You are gonna have to find reliable cites for that nonsense.
>

Oh, just so I don't get the wrong idea - are you saying that malware
can't change the hosts file or that you've never heard of it being done?

--
Me Here


"Your vote certainly counts. On the other hand, your vote may not be
counted." -- Robert Richie, Center for Voting and Democracy, commenting
on the 2000 Presidential election.

Michael Fesser

unread,
Jul 14, 2008, 2:04:46 AM7/14/08
to
.oO(Me Here)

>Beauregard T. Shagnasty wrote:
>> Me Here wrote:
>>
>>> If you have other tabs open that you want to keep viewing, then yes,
>>> it's a good immediate, albeit 'temporary' solution to the problem. I
>>> say temporary because using a Hosts file isn't a good solution. Many
>>> malware sites scan and remove their listings from hosts files (and even
>>> locking it via the read-only attribute won't protect you).
>>
>> What? You are gonna have to find reliable cites for that nonsense.
>
>Google is your friend. I won't do your homework for you.

A website alone doesn't do that. A good browser doesn't do that. An
appropriate system setup doesn't allow that. Many things have to go
really wrong in order for this to be possible. The most important:

* You have to use a "browser" like IE, preferrably with all ActiveX crap
enabled (not necessary, but makes it a bit easier for the attacker).

or

You have to disable your brain before executing a mail attachment.

* You have to be logged-in with admin privileges.

In such an insecure environment it's no surprise when you get infected
with a trojan. And if the malware is on a system with admin privileges,
then good night. But if you are at that point, you've already made some
huge mistakes before. On a properly configured system such things don't
happen.

Micha

Me Here

unread,
Jul 14, 2008, 2:07:04 AM7/14/08
to

Ahh fuckit, I wasn't going to do your homework but I just couldn't help
Googling to see how many links popped up - so many I just shook my head
and laughed. Of course, wikipedia was among the top 3...

Here's two to start you off explaining why hosts files by themselves
aren't secure and how easily they get hijacked:

http://en.wikipedia.org/wiki/Hosts_file

and just in case you have doubts about the authenticity of information
in wikipedia:

http://www.virusbtn.com/resources/glossary/hosts_file.xml


Once you've grasped that, then you may begin to realise why, if you use
a hosts file to block stuff, you need to run a hosts file manager (all
good hosts file managers monitor the hosts file for unauthorised
attempts at changing it) or else you're just pissing in the wind.

Next time, please Google and get your facts right before slighting
someone else's post.


--
Me Here


The speed is a pain, but better than a 1/2 hour drive across Munich. --
Bernhard Schneck, Re: disk NFS-mounted via PPP (1993)

Hendrik Maryns

unread,
Jul 14, 2008, 3:55:09 AM7/14/08
to
Tom schreef:

> On Sun, 13 Jul 2008 19:16:24 +0200, Hendrik Maryns wrote:
>
>> If I click on this in Firefox 3 (on Linux, but that shouldn’t make a
>> difference), I get a page warning that it is a scam page, with a button
>> ‘Get me out of here!’.
>
> That warning must be coming from the browser.

Of course it is. In the Preferences: Security → ‘Tell me whether the
website I am visiting is a possible attack site’ and ‘Tell me whether
the website I am visiting is a possible spoof site’ or something similar
(I have a Dutch version).

H.
--
Hendrik Maryns
http://tcl.sfs.uni-tuebingen.de/~hendrik/
==================
http://aouw.org
Ask smart questions, get good answers:
http://www.catb.org/~esr/faqs/smart-questions.html

hummingbird

unread,
Jul 14, 2008, 4:52:51 AM7/14/08
to

On Sun, 13 Jul 2008 19:09:43 -0700 'Tom'
wrote this on alt.comp.freeware:

>On Sun, 13 Jul 2008 21:58:18 +0100, hummingbird wrote:
>> The HOSTS file is named exactly that: HOSTS
>> It has no file extension.
>
>I know. I know. Of course it's named hosts.
>
>I'll explain again. You can fumble around trying to find the hosts file
>every time you have to edit it but I don't wish to be that inefficient.
>
>I just type "hosts", I make my edits, and I save the results as "hosts" and
>I'm done.

I can locate my HOSTS file on my system in about 2 seconds.
But then, I use a real filemanager (payware ZtreeWin).


>Behind the scenes, the magic of that simplicity is:
>a) Typing "Start -> Run -> hosts" exercises the "hosts.exe" registry key
>b) That hosts.exe registry key brings up the hosts.txt file
>c) Saving that as "hosts" saves that file as the proper hosts file.

I do not have a file called hosts.exe on my system, never have
had. Nor is there anything in the registry by that name.

>It's that simple. You might prefer the lousy inefficient way and that's
>just fine. Here's the horribly inefficient way to edit the hosts file.
>
>a) Navigate to C:\windows (hosts belongs here)
>b) Navigate to system32 (dunno why it's here)
>c) Navigate to drivers (it's not a driver)
>d) Navigate to etc (what's etc got to do with it?)
>e) Right click on the hosts file to edit in Notepad
>f) Save as hosts.bak (you should have a backup)
>g) Save as hosts (this overwrites the original file)

This is where the hosts file is located in XP:
C:\WINDOWS\system32\drivers\etc\HOSTS

>So, you can do it either way. I think the method I proposed is elegant.
>I think both methods will work.
>
>BTW, there isn't any hosts.exe file.
>Those who know the Windows registry know that, in Microsoft's infinite
>wisdom, the "App Paths" key MUST end with "exe" for it to work. There is no
>hosts.exe (I repeat) there is no hosts.exe. The whole point of the App
>Paths key is to make the editing of hosts a simple one-click affair.
>
>Hope this helps!


--
"All truth passes through three stages.
First, it is ridiculed, second it is violently opposed,
and third, it is accepted as self-evident"
(Arthur Schopenhauer)

Bear Bottoms

unread,
Jul 14, 2008, 6:03:43 AM7/14/08
to

I'll give you the benefit of the doubt I had, and apologize.

--
Bear Bottoms
Freeware website: http://bearware.info

Tom

unread,
Jul 14, 2008, 7:43:08 AM7/14/08
to
On Sun, 13 Jul 2008 22:48:05 -0400, Beauregard T. Shagnasty wrote:

> Tom wrote:
>
>> Behind the scenes, the magic of that simplicity is:
>
> ..to simply place a shortcut on your desktop - calling your text editor
> to load HOSTS. Then all you have to do is save after you edit, and
> bypass all those extra chores you've created for yourself.

That would work also. I prefer the registry App Paths (that's what it's
for) because I can export it and use it on multiple machines and use it
when I re-image my machine, etc. but there are more than a few ways to edit
a file that has no extension and all will work just fine.

Beauregard T. Shagnasty

unread,
Jul 14, 2008, 7:53:16 AM7/14/08
to
Me Here wrote:

> Beauregard T. Shagnasty wrote:
>> Me Here wrote:
>>> If you have other tabs open that you want to keep viewing, then yes,
>>> it's a good immediate, albeit 'temporary' solution to the problem.
>>> I say temporary because using a Hosts file isn't a good solution.
>>> Many malware sites scan and remove their listings from hosts files
>>> (and even locking it via the read-only attribute won't protect
>>> you).
>>
>> What? You are gonna have to find reliable cites for that nonsense.
>>
>>> They do it by making you log into a benign site first (one that
>>> isn't blocked) and using that to remove their entry from your Hosts
>>> file before redirecting you and trapping your browser. Even
>>> running free FireFox addons such as NoScript won't protect you
>>> unless you've been caught before and know not to allow the site
>>> access to Java or JS.
>>
>> More bollox.
>
> Ahh fuckit, I wasn't going to do your homework but I just couldn't
> help Googling to see how many links popped up - so many I just shook
> my head and laughed. Of course, wikipedia was among the top 3...

Hey, I don't have to do homework; you are the one who made the
statements and I asked for cites. Why should I have to prove - or
disprove - your claims.

> Here's two to start you off explaining why hosts files by themselves
> aren't secure and how easily they get hijacked:
>
> http://en.wikipedia.org/wiki/Hosts_file

Micha already answered the point about how a website hijacking the hosts
file isn't possible.

"A website alone doesn't do that. A good browser doesn't do that. An
appropriate system setup doesn't allow that. "

> and just in case you have doubts about the authenticity of information

> in wikipedia:
>
> http://www.virusbtn.com/resources/glossary/hosts_file.xml
>
> Once you've grasped that, then you may begin to realise why, if you
> use a hosts file to block stuff, you need to run a hosts file manager
> (all good hosts file managers monitor the hosts file for unauthorised
> attempts at changing it) or else you're just pissing in the wind.

My hosts file is located here: /etc/hosts
What host file manager would you recommend I use?

> Next time, please Google and get your facts right before slighting
> someone else's post.

<lol> Next time, don't write statements like "Many malware sites scan
and remove their listings from hosts files" that aren't true.

And like Micha, I don't have any anti- anything software on my computer
either.

Beauregard T. Shagnasty

unread,
Jul 14, 2008, 8:01:38 AM7/14/08
to
Me Here wrote:

> Beauregard T. Shagnasty wrote:
>> Me Here wrote:

>>> ... Many malware sites scan and remove their listings from hosts


>>> files (and even locking it via the read-only attribute won't
>>> protect you).
>>
>> What? You are gonna have to find reliable cites for that nonsense.
>
> Oh, just so I don't get the wrong idea - are you saying that malware
> can't change the hosts file or that you've never heard of it being
> done?

And just so you don't think I have no knowledge of the subject, I'm
saying that your statement "Many malware sites ..." [I assume that means
web sites] is false. Subsequent infections by visiting those sites with
insecure browsers on unprotected Windows PCs may load something *else*
that could hijack a hosts file.

John Corliss

unread,
Jul 14, 2008, 8:29:04 AM7/14/08
to
Tom wrote:
> How do we get out of the browser infinite loop quicksand when we navigate
> to web pages designed to lock us in and force us to hit the "pay me" button
> (whatever they want to force you to do)?
>
> These are just a sample of nasty quicksand web pages I've run into which
> lock your browser into a loop and won't let you get out until you hit the
> "install" or "run" or "OK" button... (whatever it is they want you to do).
>
> http://www.spywareiso.com
> http://antivirus-scanner.com
> http://findyourlink.net
> http://www.findyourlink.net
> http://spywareiso2008.com
> http://www.spywareiso2008.com
> http://www.immenseclips.com
> http://antivirus2009-scanner.com
> http://thecatalogfree.net
> etc.
>
> When you navigate to these quicksand links, you can not get out of their
> infinite loop with your browser no matter what you do. I'm forced to
> control alt delete and kill the browser from the task manager ... but I ask
> ...
>
> Is there a more graceful way, after the fact, to navigate away from
> quicksand domains which have a hold on your browser, other than control alt
> deleting the browser process?

Tom, what browser are you using? That makes a big difference in how to
get around the problem.

Maybe you've answered this question already in this thread, but there
are too many replies to it for me to read the whole thread.

TIA.

--
John Corliss BS206. I use nFilter to block all crossposts and all Google
Groups posts because of Googlespam. No ad, cd, commercial, cripple,
demo, dotnet, nag, share, spy, time-limited, trial or web wares OR warez
for me, please.

hummingbird

unread,
Jul 14, 2008, 9:28:23 AM7/14/08
to

On Mon, 14 Jul 2008 00:25:33 -0400 'Alfred Einstein'
wrote this on alt.comp.freeware:

Ded Mullet?

hummingbird

unread,
Jul 14, 2008, 9:37:36 AM7/14/08
to

On Mon, 14 Jul 2008 14:23:03 +1000 'Me Here'
wrote this on alt.comp.freeware:

>Tom wrote:
>> On Sun, 13 Jul 2008 13:45:20 -0400, C A Upsdell wrote:
>>
>>> If Windows, Ctrl Alt Delete to call up the task manager; select the
>>> browser; kill it.
>>
>> Very inelegant.
>>
>> When you have a dozen tabs open, killing the browser, kills all the tabs.
>>
>> When you restart Firefox, it asks if you want to open all the old tabs,
>> but, of course, that will just open the quicksand site all over again.
>>
>> So, without editing the hosts file and shift reloading, you're forced to
>> say NO to reloading your old tabs ... and you lose them all.
>>
>> That's why you don't kill the browser session.
>>
>> Luckily we found a single-click way to solve the problem (type "start ->
>> run -> hosts, add the offending domain, and shift reload the browser). This
>> turns the quicksand URL into cement. Voila! Thanks to hummingbird!


>If you have other tabs open that you want to keep viewing, then yes,
>it's a good immediate, albeit 'temporary' solution to the problem. I
>say temporary because using a Hosts file isn't a good solution. Many
>malware sites scan and remove their listings from hosts files (and even
>locking it via the read-only attribute won't protect you). They do it
>by making you log into a benign site first (one that isn't blocked) and
>using that to remove their entry from your Hosts file before redirecting
>you and trapping your browser.

Good point MH. I've never experienced that trick, especially since
I started safe hexing, but I am aware it can happen.

These days, I seem to be safe with a hosts file to block unwanted
sites, plus a supplementary program or two (SpyWareBlaster etc).


>Even running free FireFox addons such as
>NoScript won't protect you unless you've been caught before and know not
>to allow the site access to Java or JS. You should really be running
>an IP blocking program like PeerGuardian or if that is too much hassle,
>do what I do and use OpenDNS. I'm sure there are other solutions, those
>two just spring to mind. My advice, if you don't want this happening
>again and you're the type that's likely to run across sites like these
>often, is to do a bit of research into blocking methods and choose the
>one that best suits your need.


--

hummingbird

unread,
Jul 14, 2008, 9:40:53 AM7/14/08
to

On Mon, 14 Jul 2008 08:04:46 +0200 'Michael Fesser'
wrote this on alt.comp.freeware:

Whatever, what MH described can happen and has been recorded
as happening. How often? I dunno, but a lot of people surf with
minimal security and are open to that risk. A HOSTS file is no
guarantee of absolute security.

hummingbird

unread,
Jul 14, 2008, 9:48:28 AM7/14/08
to

On Mon, 14 Jul 2008 07:53:16 -0400 'Beauregard T. Shagnasty'
wrote this on alt.comp.freeware:

Said the vicar to the 12 year old pregnant girl who had
unprotected sex.

>> and just in case you have doubts about the authenticity of information
>> in wikipedia:
>>
>> http://www.virusbtn.com/resources/glossary/hosts_file.xml
>>
>> Once you've grasped that, then you may begin to realise why, if you
>> use a hosts file to block stuff, you need to run a hosts file manager
>> (all good hosts file managers monitor the hosts file for unauthorised
>> attempts at changing it) or else you're just pissing in the wind.
>
>My hosts file is located here: /etc/hosts
>What host file manager would you recommend I use?
>
>> Next time, please Google and get your facts right before slighting
>> someone else's post.
>
><lol> Next time, don't write statements like "Many malware sites scan
>and remove their listings from hosts files" that aren't true.
>
>And like Micha, I don't have any anti- anything software on my computer
>either.

You're out of your depth Shagnasty. Accept it and go fishing.

There are plenty of people who surf unprotected and are at risk
of getting clobbered by websites containing malware. A HOSTS
file is no absolute guarantee of safety.

[HEALTH WARNING]
If you switch off all your security s/w and surf to this website,
see what happens: www.pricelessware.org

Guy Macon

unread,
Jul 14, 2008, 10:01:18 AM7/14/08
to


Ed Mullen wrote:

>This is idiotic to the max.

>This entire issue is bogus

I have found that a simple filter removes all of the noise from
this newsgroup. I have set my filters to not display anything that
is crossposted to alt.comp.freeware. The remailing posts are all
high quality and on-topic.

--
Guy Macon
<http://www.GuyMacon.com/>

Me Here

unread,
Jul 14, 2008, 10:07:52 AM7/14/08
to

It *IS* possible, that's the point - websites can, and do, do that. Why
does *his* statement pass without so much as a cite whereas mine is
required to produce fact (which I gave). Where are *his* cites? Why do
you believe *his* statement and not mine? Because it supports *your*
point of view? READ the damn links I gave you and then do some damn
research yourself.


> My hosts file is located here: /etc/hosts
> What host file manager would you recommend I use?

There are several freeware ones I used to use before I changed to
OpenDNS. Google Hostfile manager and I'm sure you'll find them.

>
>> Next time, please Google and get your facts right before slighting
>> someone else's post.
>
> <lol> Next time, don't write statements like "Many malware sites scan
> and remove their listings from hosts files" that aren't true.
>

Of course it's true. Even the damn links I gave you proved it. Malware
isn't just downloaded programs you know..... or do you... hmmmm.


> And like Micha, I don't have any anti- anything software on my computer
> either.
>

It is true, there is a sucker born ever minute. It's only a matter of
time (if it hasn't happened yet) before you get bent over.


--
Me Here


After filing the largest corporate bankruptcy in history, Worldcom stock
closed at $0.14 on Monday which leaves consumers with the dilemma. Do
you buy one share of Worldcom stock, or 2 minutes of MCI long distance?
Dennis Miller Live 07/26/2002.

Me Here

unread,
Jul 14, 2008, 10:12:07 AM7/14/08
to

Beauregard T. Shagnasty wrote:
> Me Here wrote:
>
>> Beauregard T. Shagnasty wrote:
>>> Me Here wrote:
>>>> ... Many malware sites scan and remove their listings from hosts
>>>> files (and even locking it via the read-only attribute won't
>>>> protect you).
>>> What? You are gonna have to find reliable cites for that nonsense.
>> Oh, just so I don't get the wrong idea - are you saying that malware
>> can't change the hosts file or that you've never heard of it being
>> done?
>
> And just so you don't think I have no knowledge of the subject, I'm
> saying that your statement "Many malware sites ..." [I assume that means
> web sites] is false.

It's not false. You obviously have a problem with either reading or
English. If malware sites couldn't do anything to your computer, why
the hell are browser companies so worried about security now-a-days? Of
course malware sites can effect your computer.

Micha is right though, a properly secured browser reduces the chances of
this happening quite significantly.

As for ActiveX, only a fool runs that crap. Worst nightmare MS ever
introduced into the internet (IMHO).

--
Me Here


"First they came for the Communists but I was not a Communist so I did
not speak out. Then they came for the Socialists and the Trade
Unionists but I was not one of them, so I did not speak out. Then they
came for the Jews but I was not Jewish so I did not speak out. And
when they came for me, there was no one left to speak out for me."

Me Here

unread,
Jul 14, 2008, 10:16:33 AM7/14/08
to

As I said, a hosts file is great, so long as you protect it otherwise it
becomes pointless. Many programs out there now protect things like Home
pages and hosts files simply because security companies are aware that
they are easily hijacked with things like WSH or ActiveX (or even a
crappy FF addon).


--
Me Here


Don't let your education interfere with your intelligence. -- unknown

Beauregard T. Shagnasty

unread,
Jul 14, 2008, 10:36:59 AM7/14/08
to
hummingbird wrote:

> On Mon, 14 Jul 2008 07:53:16 -0400 'Beauregard T. Shagnasty'
> wrote this on alt.comp.freeware:

>> And like Micha, I don't have any anti- anything software on my
>> computer either.
>
> You're out of your depth Shagnasty. Accept it and go fishing.

That's funny...

> There are plenty of people who surf unprotected and are at risk of
> getting clobbered by websites containing malware. A HOSTS file is no
> absolute guarantee of safety.

Of course not, and I did not say it was.

> [HEALTH WARNING]
> If you switch off all your security s/w and surf to this website,
> see what happens: www.pricelessware.org

Ok, I did. I see a ~1995-coding-style web site with many lists of free
Windows software. What was supposed to happen?

Beauregard T. Shagnasty

unread,
Jul 14, 2008, 10:38:41 AM7/14/08
to
Me Here wrote:

You are apparently assuming I am using a Windows operating system.

hummingbird

unread,
Jul 14, 2008, 11:50:05 AM7/14/08
to

On Mon, 14 Jul 2008 10:36:59 -0400 'Beauregard T. Shagnasty'
wrote this on alt.comp.freeware:

>hummingbird wrote:
>
>> On Mon, 14 Jul 2008 07:53:16 -0400 'Beauregard T. Shagnasty'
>> wrote this on alt.comp.freeware:
>>> And like Micha, I don't have any anti- anything software on my
>>> computer either.
>>
>> You're out of your depth Shagnasty. Accept it and go fishing.
>
>That's funny...

:-)

>> There are plenty of people who surf unprotected and are at risk of
>> getting clobbered by websites containing malware. A HOSTS file is no
>> absolute guarantee of safety.
>
>Of course not, and I did not say it was.
>
>> [HEALTH WARNING]
>> If you switch off all your security s/w and surf to this website,

>> see what happens: xxx.pricelessware.org


>Ok, I did. I see a ~1995-coding-style web site with many lists of free
>Windows software. What was supposed to happen?

Well, several months ago, if you had no security running that
website was discreetly transferring you to a URL based in HK
and downloading a trojan onto your system and running it to take
you over. A recent poster reported a similar problem only a coupla
days ago on ACF. I believe a malicious a-frame was installed by
hackers. Much debate here about it on ACF at the time.

After I got hit by it, I added the URL into my HOSTS file to
prevent myself ever going there again in error.

hummingbird

unread,
Jul 14, 2008, 11:51:25 AM7/14/08
to

On Tue, 15 Jul 2008 00:16:33 +1000 'Me Here'
wrote this on alt.comp.freeware:

Yeah, I must think about protecting my own hosts file. I think
SpyWareBlaster offers this feature.

[rushes off to check]

Gabriele Neukam

unread,
Jul 14, 2008, 11:54:02 AM7/14/08
to
On this special day, Tom wrote:

> No. Nothing works except to kill firefox and not restart with all the same
> tabs all over again.

Strange. I just looked at this presumed antivirus 2009 (with FireFox 3)
and closed the tab. No problems at all. I have Java (not JavaScript)
disabled generally and will allow exceptions only to specific sites
that I will list.

As soon as I had installed FF3, I opened the JavaScript Expanded Button
and unchecked all except for the topmost box, which is "move or resize
existing windows" (which can still be abused IMHO but cannot do much
harm - at least I do hope so)

Maybe this is the soluton.


Gabriele Neukam

Gabriele.Spam...@t-online.de

--
No I am not a troll. Just a beginner and lazy!!!!!!!!!!!
(leepeach in alt.comp.virus, asked why (s)he was repeatedly asking the
same question)


Beauregard T. Shagnasty

unread,
Jul 14, 2008, 12:05:55 PM7/14/08
to
hummingbird wrote:

> 'Beauregard T. Shagnasty' wrote:


>> hummingbird wrote:
>>> [HEALTH WARNING]
>>> If you switch off all your security s/w and surf to this website,
>>> see what happens: xxx.pricelessware.org
>
>> Ok, I did. I see a ~1995-coding-style web site with many lists of
>> free Windows software. What was supposed to happen?
>
> Well, several months ago, if you had no security running that website
> was discreetly transferring you to a URL based in HK and downloading
> a trojan onto your system and running it to take you over. A recent
> poster reported a similar problem only a coupla days ago on ACF. I
> believe a malicious a-frame was installed by hackers. Much debate
> here about it on ACF at the time.

So that was a Windows trojan then? Ok, I understand. To become
infected, you probably needed to be using a Windows OS, probably
Internet Explorer, probably allowing ActiveX, probably don't have
patches to stop malicious iframe redirection (which is quite common on
hacked sites). [I guess you meant iframe, rather than a-frame.]

> After I got hit by it, I added the URL into my HOSTS file to prevent
> myself ever going there again in error.

If you got hit by this trojan, then which of the above were you not
securing yourself from? Windows/IE/ActiveX/patches/iframes ?

Franklin

unread,
Jul 14, 2008, 12:35:33 PM7/14/08
to
On Mon 14 Jul 2008 16:50:05, hummingbird wrote:
>
> Well, several months ago, if you had no security running that
> website was discreetly transferring you to a URL based in HK
> and downloading a trojan onto your system and running it to take
> you over. A recent poster reported a similar problem only a coupla
> days ago on ACF. I believe a malicious a-frame was installed by
> hackers. Much debate here about it on ACF at the time.
>
> After I got hit by it, I added the URL into my HOSTS file to
> prevent myself ever going there again in error.
>


Hummingbird, people who understood what was going on better than you
tried to explain to you that there is no malware to worry about.

For example, see: http://preview.tinyurl.com/5vlark

All you are doing now is putting forward an old argument of yours even
though it has been conclusively shown to be false.

Surprisingly, you were running with no antivirus software at all and
using an old unpatched version of IE. Yet you were not infected by any
malware capable of doing any harm.

hummingbird

unread,
Jul 14, 2008, 12:58:02 PM7/14/08
to

On Mon, 14 Jul 2008 12:05:55 -0400 'Beauregard T. Shagnasty'
wrote this on alt.comp.freeware:

>hummingbird wrote:


>
>> 'Beauregard T. Shagnasty' wrote:
>>> hummingbird wrote:
>>>> [HEALTH WARNING]
>>>> If you switch off all your security s/w and surf to this website,
>>>> see what happens: xxx.pricelessware.org
>>
>>> Ok, I did. I see a ~1995-coding-style web site with many lists of
>>> free Windows software. What was supposed to happen?
>>
>> Well, several months ago, if you had no security running that website
>> was discreetly transferring you to a URL based in HK and downloading
>> a trojan onto your system and running it to take you over. A recent
>> poster reported a similar problem only a coupla days ago on ACF. I
>> believe a malicious a-frame was installed by hackers. Much debate
>> here about it on ACF at the time.


>So that was a Windows trojan then?

The one in question is called "trojan.systemposer".

>Ok, I understand. To become
>infected, you probably needed to be using a Windows OS,

I use XP-Pro. I have no idea if *nix suffers the same problems.
Some people say it's more secure, but that's probably because
the hackers focus on MS s/w.

>probably Internet Explorer,

I use an IE clone (Avant).

>probably allowing ActiveX, probably don't have
>patches to stop malicious iframe redirection (which is quite common on
>hacked sites). [I guess you meant iframe, rather than a-frame.]

Sorry, yes I meant i-frame.

The problem with banning Active-X across the board in IE browsers
is that some websites simply don't display correctly without it.


>> After I got hit by it, I added the URL into my HOSTS file to prevent
>> myself ever going there again in error.
>
>If you got hit by this trojan, then which of the above were you not
>securing yourself from? Windows/IE/ActiveX/patches/iframes ?

All, but I took immediate to kill it and recovered within an hour.
I might add that that was the first time ever I got hit, and that
is without running AV s/w and not having a lot of browser patches,
although my browsing security is quite tight.

I read in the thread that you don't use Windows, so you probably
don't have all these problems. But my earlier point was about them
affecting a majority of users using Windows.

Beauregard T. Shagnasty

unread,
Jul 14, 2008, 2:33:18 PM7/14/08
to
hummingbird wrote:

> 'Beauregard T. Shagnasty' wrote:
<snippage>


>> So that was a Windows trojan then?
>
> The one in question is called "trojan.systemposer".

That is a nasty one. It's a rootkit as well, and - depending on what
else it downloaded and installed - nearly impossible to get rid of.
Experts suggest you flatten and reinstall to be totally sure you are rid
of everything.

>> Ok, I understand. To become infected, you probably needed to be using
>> a Windows OS,
>
> I use XP-Pro. I have no idea if *nix suffers the same problems. Some
> people say it's more secure, but that's probably because the hackers
> focus on MS s/w.

Linux is not affected. And not because hackers focus on Windows, it's
because they won't be successful targeting Linux. In order to install
anything, my Linux operating system will ask me for my root password.
When that occurs, everything else on the desktop is frozen. All I have
to do is answer [ Cancel ] - if it would ever occur in the first place.
There are no Linux viruses/trojans in the wild, simply because they
can't be reproduced outside a lab.

In order to successfully compromise a Linux PC, you have to be sitting
in front of it.

>> probably Internet Explorer,
>
> I use an IE clone (Avant).

That's an IE shell rather than a clone, so you are still using IE
beneath that shell, with much of the same security issue.

>> probably allowing ActiveX, probably don't have patches to stop
>> malicious iframe redirection (which is quite common on hacked
>> sites). [I guess you meant iframe, rather than a-frame.]
>
> Sorry, yes I meant i-frame.

http://htmlhelp.com/reference/html40/special/iframe.html

> The problem with banning Active-X across the board in IE browsers is
> that some websites simply don't display correctly without it.

There are so few of those sites anymore, and in most cases, you can find
alternative sites for the same information. You could also use Firefox
with the 'simulate ActiveX' extension, which would probably work but be
a lot more secure.

>>> After I got hit by it, I added the URL into my HOSTS file to prevent
>>> myself ever going there again in error.
>>
>> If you got hit by this trojan, then which of the above were you not
>> securing yourself from? Windows/IE/ActiveX/patches/iframes ?
>
> All, but I took immediate to kill it and recovered within an hour.

Some sites about that trojan indicate that an hour might not be long
enough. <g>

> I might add that that was the first time ever I got hit, and that
> is without running AV s/w and not having a lot of browser patches,
> although my browsing security is quite tight.
>
> I read in the thread that you don't use Windows, so you probably
> don't have all these problems. But my earlier point was about them
> affecting a majority of users using Windows.

Sure, almost everyone uses Windows. And the hackers love it because of
all the holes in it. ;-)

hummingbird

unread,
Jul 14, 2008, 3:51:20 PM7/14/08
to

On Mon, 14 Jul 2008 14:33:18 -0400 'Beauregard T. Shagnasty'
wrote this on alt.comp.freeware:

>hummingbird wrote:


>
>> 'Beauregard T. Shagnasty' wrote:
><snippage>
>>> So that was a Windows trojan then?
>>
>> The one in question is called "trojan.systemposer".
>
>That is a nasty one. It's a rootkit as well, and - depending on what
>else it downloaded and installed - nearly impossible to get rid of.
>Experts suggest you flatten and reinstall to be totally sure you are rid
>of everything.

Interesting.
I researched at the time but found conflicting descriptions.

Anyway, I noticed what was happening at the time and shut down
the browser and ADSL connection within about 10secs.

I found 7-8 small programs on my system and wrapped them in
a zipfile for safety (later sent to SuperAntiSpyware guys for
analysis).

I then spent 2-3 hours running every piece of anti-malware s/w
I have, including several root kit programs. All came up clear.

Since then, I've seen no abnormal activity on my system using
packet sniffers and monitoring ports etc. My guess is that I
killed it before it had hardly got started doing its evil work.


>>> Ok, I understand. To become infected, you probably needed to be using
>>> a Windows OS,
>>
>> I use XP-Pro. I have no idea if *nix suffers the same problems. Some
>> people say it's more secure, but that's probably because the hackers
>> focus on MS s/w.
>
>Linux is not affected. And not because hackers focus on Windows, it's
>because they won't be successful targeting Linux. In order to install
>anything, my Linux operating system will ask me for my root password.
>When that occurs, everything else on the desktop is frozen. All I have
>to do is answer [ Cancel ] - if it would ever occur in the first place.
>There are no Linux viruses/trojans in the wild, simply because they
>can't be reproduced outside a lab.
>
>In order to successfully compromise a Linux PC, you have to be sitting
>in front of it.

I believe you, thousands wouldn't ;-)

>>> probably Internet Explorer,
>>
>> I use an IE clone (Avant).
>
>That's an IE shell rather than a clone, so you are still using IE
>beneath that shell, with much of the same security issue.

Indeed.

>>> probably allowing ActiveX, probably don't have patches to stop
>>> malicious iframe redirection (which is quite common on hacked
>>> sites). [I guess you meant iframe, rather than a-frame.]
>>
>> Sorry, yes I meant i-frame.
>
>http://htmlhelp.com/reference/html40/special/iframe.html

Thanks, I'll take a look at that.
I presume it's easy to imbed a malware URL into one of those.


>> The problem with banning Active-X across the board in IE browsers is
>> that some websites simply don't display correctly without it.
>
>There are so few of those sites anymore, and in most cases, you can find
>alternative sites for the same information. You could also use Firefox
>with the 'simulate ActiveX' extension, which would probably work but be
>a lot more secure.

A site I read a bit is the UK Telegraph newspaper which requires
Active-X. But I now have my browser set to prompt for Active-X
use.

>>>> After I got hit by it, I added the URL into my HOSTS file to prevent
>>>> myself ever going there again in error.
>>>
>>> If you got hit by this trojan, then which of the above were you not
>>> securing yourself from? Windows/IE/ActiveX/patches/iframes ?
>>
>> All, but I took immediate to kill it and recovered within an hour.
>
>Some sites about that trojan indicate that an hour might not be long
>enough. <g>

see above. I jumped into action like greased lightning!

>> I might add that that was the first time ever I got hit, and that
>> is without running AV s/w and not having a lot of browser patches,
>> although my browsing security is quite tight.
>>
>> I read in the thread that you don't use Windows, so you probably
>> don't have all these problems. But my earlier point was about them
>> affecting a majority of users using Windows.
>
>Sure, almost everyone uses Windows. And the hackers love it because of
>all the holes in it. ;-)

When I build my next system, I hope to install a version of *nix
as well as XP-Pro-SP3, probably using VMPC.

Beauregard T. Shagnasty

unread,
Jul 14, 2008, 4:45:26 PM7/14/08
to
hummingbird wrote:
<snippage>
["trojan.systemposer"]

> Anyway, I noticed what was happening at the time and shut down
> the browser and ADSL connection within about 10secs.
>
> I found 7-8 small programs on my system and wrapped them in
> a zipfile for safety (later sent to SuperAntiSpyware guys for
> analysis).
>
> I then spent 2-3 hours running every piece of anti-malware s/w
> I have, including several root kit programs. All came up clear.
>
> Since then, I've seen no abnormal activity on my system using
> packet sniffers and monitoring ports etc. My guess is that I
> killed it before it had hardly got started doing its evil work.

Maybe you got lucky. Maybe it wasn't activated by its owner prior to
your shutting off your connection.

You do have a router and firewall, correct?

>> Sure, almost everyone uses Windows. And the hackers love it because
>> of all the holes in it. ;-)
>
> When I build my next system, I hope to install a version of *nix as
> well as XP-Pro-SP3, probably using VMPC.

Try Ubuntu. You can also install it from within Windows using Wubi. For
testing and playing. I wouldn't recommend using any virtual machine for
a working installation, though.

hummingbird

unread,
Jul 14, 2008, 5:40:23 PM7/14/08
to

On Mon, 14 Jul 2008 16:45:26 -0400 'Beauregard T. Shagnasty'
wrote this on alt.comp.freeware:

>hummingbird wrote:


><snippage>
>["trojan.systemposer"]
>> Anyway, I noticed what was happening at the time and shut down
>> the browser and ADSL connection within about 10secs.
>>
>> I found 7-8 small programs on my system and wrapped them in
>> a zipfile for safety (later sent to SuperAntiSpyware guys for
>> analysis).
>>
>> I then spent 2-3 hours running every piece of anti-malware s/w
>> I have, including several root kit programs. All came up clear.
>>
>> Since then, I've seen no abnormal activity on my system using
>> packet sniffers and monitoring ports etc. My guess is that I
>> killed it before it had hardly got started doing its evil work.
>
>Maybe you got lucky. Maybe it wasn't activated by its owner prior to
>your shutting off your connection.
>
>You do have a router and firewall, correct?

s/w firewall = yes, router = no.

A router is for my next system in a few months.

>>> Sure, almost everyone uses Windows. And the hackers love it because
>>> of all the holes in it. ;-)
>>
>> When I build my next system, I hope to install a version of *nix as
>> well as XP-Pro-SP3, probably using VMPC.
>
>Try Ubuntu. You can also install it from within Windows using Wubi. For
>testing and playing. I wouldn't recommend using any virtual machine for
>a working installation, though.

Yep ok. Ubuntu is currently top of my list :-)
We have one or two folks here on ACF who know about that and
there's always the other groups WHEN (not if) I get stuck ;-)

Thanks for the suggestion...

hummingbird

unread,
Jul 14, 2008, 6:31:26 PM7/14/08
to
On Mon, 14 Jul 2008 22:40:23 +0100, hummingbird wrote in <g5gkko.lg.1
@localhost.127.0.0.1>:

------FORGERY---------

--
"All truth passes through three stages.
First, it is ridiculed, second it is violently opposed,
and third, it is accepted as self-evident"
(Arthur Schopenhauer)

--
...of all the things i've lost in my life ... i miss my mind the most

hummingbird

unread,
Jul 14, 2008, 6:32:06 PM7/14/08
to
On Mon, 14 Jul 2008 20:51:20 +0100, hummingbird wrote in <g5ge89.1ts.1
@localhost.127.0.0.1>:

>
> On Mon, 14 Jul 2008 14:33:18 -0400 'Beauregard T. Shagnasty'
> wrote this on alt.comp.freeware:
>
> >hummingbird wrote:
> >
> >> 'Beauregard T. Shagnasty' wrote:
> ><snippage>
> >>> So that was a Windows trojan then?
> >>
> >> The one in question is called "trojan.systemposer".
> >
> >That is a nasty one. It's a rootkit as well, and - depending on what
> >else it downloaded and installed - nearly impossible to get rid of.
> >Experts suggest you flatten and reinstall to be totally sure you are rid
> >of everything.
>
> Interesting.
> I researched at the time but found conflicting descriptions.
>
> Anyway, I noticed what was happening at the time and shut down
> the browser and ADSL connection within about 10secs.
>
> I found 7-8 small programs on my system and wrapped them in
> a zipfile for safety (later sent to SuperAntiSpyware guys for
> analysis).
>
> I then spent 2-3 hours running every piece of anti-malware s/w
> I have, including several root kit programs. All came up clear.
>
> Since then, I've seen no abnormal activity on my system using
> packet sniffers and monitoring ports etc. My guess is that I
> killed it before it had hardly got started doing its evil work.
>
>
> When I build my next system, I hope to install a version of *nix
> as well as XP-Pro-SP3, probably using VMPC.
>

------FORGERY---------

hb

hummingbird

unread,
Jul 14, 2008, 6:32:37 PM7/14/08
to
On Mon, 14 Jul 2008 17:58:02 +0100, hummingbird wrote in <g5g43a.8o.1
@localhost.127.0.0.1>:


------FORGERY---------

It is loading more messages.
0 new messages