GuitarFX hijacks your browser

I’m on vacation right now. So I began my long planned task of improving my guitar skills with dusting off my electric guitar and putting on new strings. I have not yet cleaned & repaired my amp so I plugged the guitar into the PC and abused it as a makeshift amplifier. This worked surprisingly well, and before long I discovered a few guitar-centric websites where I found dedicated amplifier and DSP-effect software. The most promising one was GuitarFX, and with it my PC worked as a better amplifier (in terms of available effects) than my real hardware amp & effects ever worked. For those of you who dare, here is a first example 🙂

That was mostly on Saturday. Since I recommended a few links to BoingBoing during the weekend, I checked the site a few times. Already then I had a rather odd feeling, which was confirmed today: both BoingBoing and Lifehacker show a statistically above-average amount of guitar-, guitar-amplifier and guitar-effect related ads:

I was pretty surprised to see such targeted ads. Actually I never saw targeted ads to such an extent before. But only after similar ads showed up on Yahoo as well I started to realize that someone has hijacked my browser. So I ran virus and spyware checkers – but they didn’t find anything special. I did a thorough run around the Windows startup options only to find nothing. So I had a closer look at the ads and finally clicked the “Remove these ads” button. This transferred me to a site which said:

Annoying ads in your internet browser? Don’t scream like a baby! You have ads in your TV, but you don’t panic even you can’t remove ads from your TV.

The site showed a few links – one redirects to a Google sponsored Firefox download promising FF does remove ALL banners, and another one to payable (sic!) banner removing software. OK, so where has this bugger embedded itself into my system? The ads are showing up in Firefox and Internet Explorer, so it must be pretty low level. One link dubbed “recommendations for stupid beginners” had something interesting to say:

Special notes for GuitarFX users: you must uninstall this software via Windows Control Panel. Sometime you must install it and then uninstall immediatly, this helps in 100%. Note: you was informed about ads in the licence.txt file of GuitarFX, if you run it, you agree to see ads. Uninstall it via Windows Control Panel and do not see ads.

A-ha! So it was GuitarFX! Unfortunately the mentioned licence.txt file wasn’t there, but there was a readme.txt and it said:

The Demo version can change your default home page in Internet Explorer and can show banners or other ads and can visit some www pages that can content banners, other ads and standard internet counters wich can track info available via internet and internet explorer you use and, may be, some other tech info about GuitarFX itself and your PC hardware and software. […] Use of this software indicates you agree to this.

My IE homepage is protected so this one could not have been changed. So I dug a bit deeper in the installed software and finally found a small batch-file which had the timestamp of the installation of GuitarFX and which was manipulating my hosts-file:

copy C:\WINDOWS\system32\drivers\etc\hosts.001 C:\WINDOWS\system32\drivers\etc\hosts
copy C:\WINDOWS\system32\drivers\etc\hostsb C:\WINDOWS\system32\drivers\etc\hosts

That was the culprit! I thought my hosts file was write protected – but maybe the software did clear that too. I gave Spybot S&D a run at it, filled it with its default entries and write protected it again – and now the ads are not showing anymore.

I’m pretty disappointed about this behaviour. The program looked good and was very versatile – I was even considering buying the full version. But implanting spyware on my system is so out of bounds! I should have been warned though. The creators of GuitarFX made such a pathetic approach at search engine spamming, distributing their program across various domains and Geocities accounts. It made me smile inwardly. But they caught me. They did. And that’s the part that really surprised me since I consider myself a Pro at spotting shady methods like that.

So, beware of GuitarFX (.net, .org, .info) – unless you want to get your browsers hijacked! Gladly there are alternatives who are playing fair. I’m currently evaluating Guitar FX Box and it looks good.
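
As an added example (not part of the original post and not code from any of the tools it names): a short Python audit that separates hosts-file entries steering a name to another server from blocklist-style entries that point a name at 127.0.0.1 or 0.0.0.0. The sample content, hostnames and addresses are constructed, and `audit_hosts`, `LOCAL_NAMES` and `SAMPLE_HOSTS` are names chosen here.

```python
import ipaddress
import sys

# Names that are expected to point at the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample, not the file from the post (documentation addresses/names).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1     localhost
::1           localhost
0.0.0.0       ads.example.net      # blocklist-style sinkhole
203.0.113.10  ads.example.com banners.example.org
203.0.113.10  www.example.com      # name steered to another server
not-an-ip     tracker.example.com
"""

def audit_hosts(text):
    """Return (redirects, sinkholes, malformed) for hosts-file content."""
    redirects, sinkholes, malformed = [], [], []
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # comments run to end of line
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((lineno, line))
            continue
        if len(fields) < 2:                   # address with no hostname
            malformed.append((lineno, line))
            continue
        for name in (f.lower().rstrip(".") for f in fields[1:]):
            if addr.is_loopback or addr.is_unspecified:
                if name not in LOCAL_NAMES:   # name blocked, not redirected
                    sinkholes.append((lineno, name))
            else:                             # name answered by another host
                redirects.append((lineno, name, str(addr)))
    return redirects, sinkholes, malformed

if __name__ == "__main__":
    # Pass a hosts file path to audit it; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    redirects, sinkholes, malformed = audit_hosts(content)
    for lineno, name, addr in redirects:
        print(f"line {lineno}: {name} -> {addr}")
    print(f"{len(sinkholes)} sinkholed name(s), {len(malformed)} malformed line(s)")
```

On a machine with no deliberate hosts customisation, every redirect it lists deserves a look before the file is reset and write-protected again.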

20 Comments

  1. You do play the e-guitar? Interesting. I have a task too. To take guitar lessons in L….atvia. But (first?) an acoustic one.
    And a very interesting hijacking story.

  2. Well, they promise that uninstalling the software should revert everything. I haven’t tried it yet but I have a hard time believing it.

    To manually revert the hijacked ads you must edit your “hosts” file. The file resides in C:\WINDOWS\system32\drivers\etc – and it only needs to contain a single line saying “127.0.0.1 localhost”. It may contain much more, but this is the minimum. After editing the file, you should set it to read-only via the Windows Explorer.

  3. bob

    Sorry, I don’t understand what i have to do with the files and I don’t have that file anyway…thanks

    bob

  4. […] As mentioned in an earlier post I am brushing up my guitar – ahem – “skills” during my vacation. Yesterday I was sitting with my friend Holger who dusted off his old electric bass in a similar attempt. I told him about my guitar and when I mentioned the manufacturer’s name “Framus” he raised an astonished eyebrow. Since I bought the guitar back in the early Eighties from a classmate for 100 DM (”felt” value today ~100 EUR) I always thought it was some cheap far-east factory stuff. But as it turned out Framus is a respected German guitar, bass and banjo manufacturer founded back in 1946. They went bankrupt in 1975, but began production again in 1995. Among the artists playing Framus instruments, there are the “German Elvis” Peter Kraus, John Lennon, George Harrison and Rolling Stones bassman Bill Wyman. There is quite an extensive article on Wikipedia as well as the history section on the bilingual homepage. […]

  5. Well man, It seems you was in bad mind tunings! GuitarFX well explained about banners. Right? You uninstall it via Windows Control Panel (i.e. very STANDARD way) and banners disapiared. Right? So, why you said so bad opinions about this software?! Well, it shows banners but works as full pid version without money asking!!! You recomend another software, but IT’S ASK FOR MONEY!!! and this another software HAS LIMITATIONS in free download version! So, see, GuitarFX has NO limitations, works like full paid version without money, next, you can delete it (uninstall) by very standard way and see your “favorite” untargeted ads instead of guitar related ads. Oposite this guitarfxbox does not work without money, the availabl demo can’t record and work only 1 min. Very bad! I personally do not use GuitarFX coz I have Digitech and Tonelab, but I do not uninstall GuitarFX coz I like to see targeted guitar related ads instead of “dating” and “smile” cursors ads. I recomend GuitarFX specialy for this ads replacing feature even you don’t need in fx software itself.

  6. Great comment, without a valid email address to reply to… Have you read my post? MY copy didn’t inform me that it hijacked my browser. If it had done so, I would have never installed it!

  7. Garcia

    I just got had by this bastard too. Obviously, the poorly spoken [—PEEP—] who left that comment about how GREAT his software is is the creator of such monstrosity. In my case, the hosts file was replaced which is a BIG hassle since I am a web developer and that file was highly customized. May you [—PEEP—], writer of GUITARFX! DO NOT INSTALL THIS SOFTWARE UNDER ANY CIRCUMSTANCES!!!

    [Strong language removed]

  8. Dimey

    I like this program, but i also noticed the overriding of ads and also found the host file had been altered. Spyware searched with 4 programs didn’t show anything, so i hope it’s nothing more.

    I will keep using this program but i’m going to monitor every single bit that is going in or out from this program thru my internet connection 🙂
    Really don’t trust programs from .ru 😛

    I would have paid for this program too, but the information that it contained adware was not stated good enough. Bad move of the developer in my opinion…

  9. Dimey

    Sorry forgot, Garcia, not sure if guitarFX did this, but i had a backup hosts file called hosts.001. May be my antivirus program (avg) that has done that. Not sure

    So i may want to see if u got some backup

  10. Frank Z

    Well the stupid part of this is that he asks you to register for his software by pissing you off first! I would have considered buying as I’ve been on a music buying spree but after seeing those obnoxious ads I removed it and never looked back. He violated the implicit trust of shareware selling. You don’t know what else they can install if they do that BEFORE they’ve even made the sale! Hiding the terms in some obscure license.txt file doesn’t make it legit either. Otherwise, he would have had it right on the install screen prominently display. Adware and spyware are hated universally, there’s no way this guy can be surprised. He’s a friggin mental midget. His atrocious (see Tester above) vocabulary attests to that!

  11. Pat

    Hey, I got hit by the adware/spyware of this program too. >:-(

    Seemed every site I went to had ads with the same terrible grammar that “Tester” up above had (coincidence???).

    I also was a little annoyed that I didn’t see a clear explanation of how to fix the problem, but I believe I found the way! I tried googling “default hosts file” and this website showed up:

    http://www.mvps.org/winhelp2002/hosts.htm

    They say it blocks many ad servers by overwriting your hosts file. I didn’t care what it did, as long as it got rid of all those stupid ads! Sure enough, it did. 🙂 I always got a ton of popups and guitar-related ads on myspace…now I don’t get any popups and the ads are back to what they used to be (which, contrary to “Tester” I really don’t mind as much as the crappy guitar ones before).

    I’ll note here that they say on the site I’m posting that large hosts files may cause Windows to load a little slower, so be aware of that. Hope everyone has the same nice experience I’ve been having! Oh yeah, and I tried doing the whole uninstall thing of GuitarFX before this, didn’t do crap.

  12. Arpee Ong

    I emailed guitarfx guys some days ago even before i read this article. I complained that they never mentioned that they would hack my Windows Messenger as well, the disclaimer says it would affect IE only.. but it does affect FF, IE and Windows Messenger. I told them that I have informed authorities in my area about their adware/spyware, but the guitarFX guys emailed me back with a threat saying that they will sue me for “LYING” and “TRING”?! i was gracious enough to give them my full name and address so they can proceed with the case.. 🙂 I recommend GNUitar .. its a bit slower in windows but behold under linux, the average latency is .2 ms.. try it..

  13. ZeroKOS

    GuitarFX writers please note you are infringing on the ads of other website owners this is ILLEGAL. Your program does not follow any kind of programming ethics and honestly I believe your #1 priority is to rake in ad profits. Please note the people who your software is STEALING from do have the right and the ability not only to press charges for your website removing their ads but to collect damages for lost revenue due to your software.

  14. Anonymous

    Installed this crap yesterday & noticed the ads today…
    Unfortunately i didn’t read the license.txt close enough.
    Especially:
    “The Demo version can change some defaults of MS IE and can show banners.”

    Anyway I wasn’t expecting the software to rape my system by replacing my highly customized host-file completely. The total brainf**k who came up with this shit should be shot (figuratively speaking).
    Obviously just another obnoxious adspammer.
    Well I uninstalled it (good riddance) but it didn’t restore my host file.
    But I did discover http://www.mvps.org/winhelp2002/hosts.htm in the process (thanks Pat!).

    The guy “Tester” is obviously behind this unscrupulous load-of-manure software in some way. Folks, stay clear of it!

  15. Pilot

    Thanks a bunch for this blog entry. I installed the guitarFX few days ago, and today i finally had enough of the ads. Although i strongly oppose the methods of the software, i enjoyed the (albeit small) challenge of hacking away the nasty bits.

    It’s sad really that such a seemingly nice proggie is spoiled with this adware nonsense. However, i’ll continue using it, since i got rid of the ads, and with that, tricked the trickster. 😉

    I hope +10 guitar xp for you Michael! 🙂

  16. Chivo

    Uninstalling seems to have done the trick. *.001 and ?b seem to be backup copies. I’ve monitored changes in the /etc folder and it looks fine now. Anyway I’ll pick an older restorepoint just in case.

  17. I was stupid enough to try it on 2 machines. It doesn’t recognize the sound driver on either. I say it’s just trojan software. My laptop sound doesn’t work for other things now and it worked fine before. I blame google for it being a top hit.

  18. Erdiawan

    I’m not stupid enough to run the program with the porn ads would appear on my screen. So i waited 2 minutes for that. Even in 20 minutes, the program didn’t run. So i believe that this software is a bad stuff for my computer’s health.
