Don’t PassThisOn…
Some áššhølë took over my computer last night.
To be more specific, some áššhølë wrote some software and published it on the object.passthison.com subdomain which then took over my computer. While Googling for some information for some fellow notaries public, I ran across a notary website that displayed the ad that the bûtthëád created. Despite the tight firewall, up-to-date antivirus definitions, anti-popup addons, and current anti-spyware software, my machine started freaking out.
The first sign was that everything on my computer screen went blank except for an instruction to “press the enter key.” Well, of course, that wasn’t going to be the first thing I tried — like I’m going to blindly follow some áššhølë’s instructions! Needless to say, after trying many other things, pressing enter was the only viable option. An ad then popped up, saying that I had spyware on my machine and that if I didn’t want it, then I had to buy a particular package of anti-spyware.
Blackmail! Extortion! Úšhølëš! Arrrgh!
This morning I opened up Internet Explorer and my screen went black. Seconds later, my Empire Earth CD was ejected from my D: drive, accompanied by a message that said if my CD drives opened, then I had spyware on my machine. As before, if I didn’t want the spyware, then I had to buy a particular package of anti-spyware software.
Right. Like I’m going to send that guy ANY money!
Passthison.com is registered to SmartBot.NET, Inc. at 3 Cobblestone Court, Richboro, PA 18954, phone: 215-953-7291, fax: 215-942-4338, with the name server as smartbotpro.net. Whois for smartbotpro.net also lists the phone number 603-817-0902. Through other sources, I get the name Stanford (although his real name is “Sanford”) Adam Wallace, phone: 215-628-9780. There’s also default-homepage-network.com, registered to a Mike Cayer at Seismic Entertainment Productions, Inc., a known spamming friend of Sanford’s. Their ISPs are ServInt Internet Services (passthison.com), Excalibur Internet (default-homepage-network.com) and Service Telematique Service Internet de Montreal (smartbotpro.net). More info on the áššhølë from AnnOnline and a cornucopia of knowledge about Sanford Wallace at Tired of Spam.
After searching the ‘net, I found that most people (including an official representative from PassThisOn) blame the peer-to-peer file sharing system, Kazaa. PassThisOn also states in a quoted email that they “[use] banners on other participating networks in accordance to their own and PassThisOn.com’s terms of service.” Yeah, that’s fair. If it’s OK with us, and OK with the websites on which we advertise, it’s OK for us to mess with your computer. Not! I somehow doubt that the notary whose website I was trying to read would condone PassThisOn’s actions.
Of note, I don’t have Kazaa installed on my computer.
“PassThisOn.com prompts and changes consumers’ browser behaviors to offer a better user experience and a more targeted advertiser-to-consumer communication system… PassThisOn.com utilizes several technical and business methods to change users’ default homepage to one that PassThisOn.com controls… Some users do not wish to see pop-ups on their web browsers. It is easy to install ‘pop blockers’ which will dissallow that feature. PassThisOn.com does not attempt to cause any damage or harm in any way. It will, however, use NON-DESTRUCTIVE ’scare tactics’… to demonstrate the importance that users’ secure their computers from malicious hackers, and then PassThisOn.com attempts to sell products designed to secure users’ computers. PassThisOn.com enforces a zero-tolerance anti-spam policy.”
Thanks, but I think I am the most qualified person to decide how I want my own browser to behave. Sanford’s definition of a “better user experience” is far different than mine.
Well, if you’ve read this far, it’s probably because you want to know how to get rid of this annoyance. So far, I’ve found that their latest version is really easy to bypass since it doesn’t install anything in the StartUp directory like it used to. Previous versions installed files called reg.vbs, reg.hta, or reg2.hta in your StartUp folder, but PassItOn (same group as PassThisOn) claims to have stopped doing that.
Reset your home page in Internet Explorer using Tools -> Internet Options…
I’m just glad the idiots at PassThisOn didn’t do anything worse.
I’d like to track Spamford down and bìtçh-šláp him into non-existence! I managed to get his çráp onto my computer and I didn’t even know about it! (Probably an affiliate.) I also picked up another, more virilent(sp?), spy-ware concoction called Look2Me that wouldn’t die! like Dracula or Dr. Phibes, it just kept rising from the grave. I suspect that Look2Me has something to do with Spamford, but I haven’t found a link. After messing with the usual Spybot S&D, AdAware programs (without success) I found “SpySweeper”. I was amazed! It found *several* spywares on my system that the others missed. Now, I just have wait and see if SpySweeper is spyware as well. But everything seems to be on the level. BTW - SpySweeper is a free trial download and will run out in 30 days. I’m wondering if after the 30 days, will all the spyware be re-installed?!?
I have the horrible Enter Here hijacker that blocks everything and keeps coming back…it is a nightmare…this and other stupid things are deeply embedded in my system and as quickly as I rid myself of them they come back…these people must be totally insane to think that anyone is going to have anything to do with any of their associates…I have reset my homepage countless times and it keeps being hijacked…do you have a recommendation? Thanks..
Has anyone verified the address in PA? I have shot a few complaints to the Attorney Gen of PA.
First, install Ad-Aware. Upon first launching it, update the definitions, everyone fscking forgets to do this. Then scan. Then right click, select all, quarantine, and, more than likely, it’ll say you need to reboot to clean the last buggers off. Second, try running Bazooka. Update it’s defs, though it prompts you. It may find some stuff that doesn’t exist, but read the pages thoroughly and follow the removal instructions to the letter. It’s not a hand-holder like Ad-aware but it’s very thorough and their database is first-rate. If you’re still screwed, you could always give up on IE. Install Mozilla. It works just as good for 99% of the sites out there and doesn’t have any of the spyware (or auto-installing virus) problems. Of course, I’d really like to tell you to buy a Mac, since it there’s 0 virii and 0 spyware, but hey, Mozilla is a good first step. Remember, even more than these scumsucking spyware báštárdš, Microsoft is the problem. If they didn’t design a habadash browser that let these things auto-install based on the spyware’s whim then you’d never have gotten infected in the first place. Getting Microsoft out of the equation as much as humanly possible is the only long-term solution. Everything else is just a band-aid.
Hey I just got a message from my firewall that these guys were scanning my computer as well. The program found (apparently) the tech’s info that scanned my computer: TechHandle: PR229-ARIN TechName: Roussil, Pierre TechPhone: +1-514-993-8496 TechEmail: pierre@roussil.com Is it real? Do we have any legit legal action to take on these people? I, too, do not have KaaZa on my computer. I learned that mistake long ago!
i was searching the web and somehow got this çráp on my computer at work im in the military and it was a government computer these guys better hope i can get rid of it or they are going to be in a world of hurt
I dont have kazaa installed either and my internet option settings still say “default” but I keep getting this jerk’s šhìt. What do we need to do to shut him down? The other problem is I don’t know where it came from and I put some links on my site - I DONT WANT TO PASSTHISON to my users. I am really pìššëd off- I cant use explorer and I cant get rid of him! GL to all you other sufferers - the kid in Germany is in prison for the last Trojan - why is this guy still operating after at least 2 years?
Found your site whilst searching for info on this exact problem — yeah, it’s a bìtçh to get out of the system. It’s almost encouraging though to know others are in the same boat. Spybot S&D worked for a while but it eventually came back, Adaware seems to be much more thorough (so far so good). How is this even legal? If info is known about the creator’s names or whereabouts, the fact that they’re invading privacy online should be no different than a “real life” similar incrimination. Sheesh. (Do they REALLY think pìššìng people royally off will get them more business?) Oh well, at least nothing on the system is altered other than IE…. ::as I knock on wood::
one other thing, apparently PassThisOn installs a ‘reg’ file (I think in Start Up), or a variation of that file name. Does anyone know more about this or how to delete it?
Thanks for posting this info. Now I know who to take a contract out on. . . I got my IE6 messed up good and proper when I visited a site to try and get hold of a Vredir bug patch for W98SE (seeing as MS want to SELL me the bloody bugfix!). Checking thro’ my History afterwards showed that the guilty site was probably members.tripod.com/erpman1/w98seupd.html It wasted a couple of hours while I tried to clear the mess up. Note: McAfee VScan didn’t find any spyware (sometimes it does, sometimes it doesn’t. . .), and nothing new was in the Startup or Run keys of the Regsistry. I removed the data from the Start Page, Search Bar and Homepage values in the IE Main key. This just stopped IE6 from working. It took several cycles of uninstalling and re-installing IE6 unsuccessfully (IE6 is always a pig to re-install or remove - good old MS!) before I decided to just delete the (now empty) values from the Registry. This did the trick.