Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

IE Browser Hijack Google Search Results Re-directed


  • Please log in to reply

#31
Blender

Blender

    Malware Expert

  • Member
  • PipPipPip
  • 187 posts
  • MVP
Hi frw28;

Cretemonster asked me to take a look here.

I hope you didn't dump your restore points yet. We would love a sample of that infected file sitting in restore.
Hopefully that is a copy of whatever is having the spam party on your computer.

Download Killbox from here if you don't have it already:

http://www.killbox.n...ads/KillBox.exe

Place it in your system32 folder. If you already have killbox; copy it to your system32 folder.

Attached is a file called "run killbox with privs.zip" created by Mosaic1

Download and save it to your desktop.
Unzip it to your desktop.
You can delete the zip.

Watch the clock in your systray.
When the minuite turns over double click "run killbox with privs.vbs"
If you get warning from your antivirus please let it run. It is not dangerous. It just gives killbox higher permissions than it has now.
It will take about a minuite before killbox opens.

When killbox opens..

Paste this into the full path of file to delete box:

C:\System Volume Information\_restore{2CBB8F3F-6DF1-4FF5-AE43-31A952EB419C}\RP797\A0045651.exe

Press the red circle with white X
Say yes to the "back up & delete" prompt.

You should get "file has been deleted" messege.

Exit killbox.

Please zip up c:\!killbox and upload it here:

http://uploadmalware.com

Put your username from here & link to this thread when you submit the file.

Once uploaded you can delete both the zip and !killbox folder.
Then delete the vbs file.
Empty recycle bin.

Thanks! :whistling:

<<edit to remove attachment after OP downloaded it>>

Edited by Blender, 05 October 2006 - 05:16 AM.

  • 0

Advertisements


#32
Blender

Blender

    Malware Expert

  • Member
  • PipPipPip
  • 187 posts
  • MVP
Let me know when you have the attachment please. I will remove it when you get it.

In case you missed it; it is at the very top of my first reply. I am not used to how files are attached here.

Thanks :whistling:
  • 0

#33
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
TY Blender!! :whistling:

Im off to work,Ill have look in later on.

Try Blenders suggestions and see how it goes.
  • 0

#34
frw28

frw28

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Thanks Blender. I have done as you asked and uploaded file.
  • 0

#35
frw28

frw28

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hi Again Guys - I have just turned on my AVG mail scanner and the mailer is still active.

Any ideas?
  • 0

#36
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
I need you to pick through AVG and find me as many logs from it as you can.

I dont care what the logs are,this will take some doing on your part too.

We have to begin to depend on you for as much information as you can share.

I have the file and will get it to the proper places to be examined and will disassemble myself to see what clues it may reveal.

Understand this please,I can not kill what I can not see.

So gather as many AVG logs as you can find and lets have a look.
  • 0

#37
frw28

frw28

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hi there,

Back again feeling better. Attached are a couple of log files I have found. The first is an extract from the mail scanner log which covers the period wher I believe the mailer starts up. The second - which I'm not sure you can read is the virus scan log which shows various things being found and supposedly dealt with. It is possible to see the details wher a problem is found but I am not sure how to pass them to you other than maybe doing a screen print and dropping into an image file. If this would be useful let me know. I have also installed MSN and sent you a message with my identity if you want to message me.

Thanks again - sorry for delay in my reply.

Attached Files


  • 0

#38
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
I didnt recieve the PM with contact info.

Is the infected computer on a network or does it have multiple drives and user accounts?


Also,will you run the filelist program again and attach the results.

Also,WinPfind, I want you to check every possible box under configuration.

The click each of the tabs at the top and scan for each catagory.

Attach those results as well.

Both logs will be big,so attaching is best idea.
  • 0

#39
frw28

frw28

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
The infected computer is on a small home network it is the main windows machine. There is only one user myself with administrator rights. There are two linux machines on the network these have samba servers running on them and so it possible to connect to their hard drives this require use of a password to connect the drives on start up. The infected machine has two hard drives one the C drive has the operating system on it and the other disk is partitioned into drive E for data and drive F for backup of the c drive using Acronis True Image. Occasionally there are up to 2 other windows machines on the network.

I have attached the files as you requested. However with WinPfind I could not scan for plugins as the program froze each time I tried.

Attached Files


  • 0

#40
frw28

frw28

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
After a frenzied MSN exchange last night I think we sorted out the problem my AVG mail scanner appeared to have been corrupted. After a uninstall / reinstall everything now seems fine. Thanks Cretemonster and everyone else who helped with this.
  • 0

Advertisements


#41
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Glad we were able to get things sorted out,read through the below items and see if there is anything you like in there.


Now we need to reset System Restore and Clear out all the old infected restore points.
  • Click Start
  • Right-Click "My Computer" and Select Properties.
  • Click on the "System Restore" tab.
  • Place a checkmark in the box for "Turn off System Restore" and Click "Apply."
  • Restart the Computer.
  • Return to System Restore and Uncheck the box for "Turn off System Restore" and Click "Apply."
  • A fresh Restore Point will be created.



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Windows, Internet Explorer and Microsoft Office Updates

Visit Microsoft's Windows Update Site frequently. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

If you are running Microsoft Office, or any application of it, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed.

If you have trouble with Windows Update, you still can get all the Critical Updates, Security Fixes and Service Packs. Below are a few links to bookmark.

Microsoft Security Bulletins
http://www.microsoft...ty/current.aspx

Office downloads
http://office.micros...te/default.aspx

Download Center
http://www.microsoft...ads/search.aspx

Microsoft Security Advisories
http://www.microsoft...ry/default.mspx

Recently Published
http://www.microsoft...nt/default.mspx

Make your Internet Explorer more secure
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click on the Security tab
  • Click the Internet icon so it becomes highlighted.
  • Click on Default Level and click Ok
  • Click on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialise and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
Take the time to check out the following links

Resources for using Internet Explorer 6
http://support.micro...om/?kbid=867470

How to Configure Enhanced Security Features for Internet Explorer from Windows XP SP2
http://www.microsoft...xp/iesecxp.mspx

Microsoft Malicious Software Removal Tool
http://www.microsoft...e/families.mspx

Keep your Sun Java up to date

The most current version of Sun Java is: Java Runtime Environment Version 5.0 Update 9
http://java.sun.com/...loads/index.jsp
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
And in the future, remember to remove older versions of Java when you update to a newer version to avoid exploitation of older versions left on your system.

Check out these topics for more information:
http://spywarewarrio...pic.php?t=17910
http://spywarewarrio...pic.php?t=17598

Free programs that may help you in keeping the PC clean
  • SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    You can download SpywareBlaster here
    A tutorial can be found here
  • SpywareGuard
    It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method. An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware. And you can easily have an anti-virus program running alongside SpywareGuard. It also features Download Protection and Browser Hijacking Protection.
    You can download SpywareGuard here
    A tutorial can be found here
  • IE-SPYAD
    IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. It basically prevents any downloads, cookies, scripts from the sites listed, although you will still be able to connect to the sites.
    You can download IE-SPYAD here
    A tutorial can be found here
  • Hosts File
    A Hosts file replaces your current HOSTS file with one containing well known ad, spyware sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    A tutorial tutorial can be found here
  • MVPS Hosts File
    You can download the MVPS Hosts File here
    Furthermore the website contains useful tips and links to other resources and utilities.
  • Bluetack's Hosts File and Hosts Manager
    Essentially based on the research made by Webhelper, Andrew Clover and Eric L. Howes, it contains most if not all the known spyware sites, sites responsible for hijacks, rogue apllications etc...
    Download Bluetack's Hosts file here
    Download Bluetack's HostsManager here
Free Spyware Detection and Removal Programs
  • Ad-Aware
    It scans for known spyware on your computer. These scans should be run at least once every two weeks.
    You can download Ad-Aware here
    A tutorial can be found here
  • Spybot - Search & Destroy
    It scans for spyware and other malicious programs. Spybot has preventitive tools that stop programs from even installing on your computer.
    You can download Spybot - S&D here
    A tutorial can be found here
Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware".
You will find the list here

AVG Anti-Spyware (formerly Ewido)

Realtime protection against these threats:
  • Hijackers and Spyware
    Secure surfing in the Internet without fear of annoying changes of the start page of your browser, tracking cookies and advertising bars.
  • Worms
    Nobody should receive e-mails in your name with malicious files in the appendix anymore.
  • Dialers
    Security against all kinds of dialers. No fear when receiving the next phone bill.
  • Trojans and Keyloggers
    No chance for thieves to steal your bank data and personal sensitive information by tapped Internet connections, remote controlled webcams or secret keyboard recordings.
Most of you will have already the trial version of this software, which is an excellent program and particularly good at catching trojans. If you find it useful you might want to consider buying the full program. When the trial period ends the following features will stop working:
  • Scheduled scans.
  • Real-time monitoring of the entire system.
  • Memory Scan detects active threats.
  • Self-protection at kernel layer guarantees gapless monitoring.
  • Automatic online-update.
The manual memory scan will work in the free version and you can manually update the definitions by clicking on the "Start Update" button under Manual update in the update module.

You can download AVG Anti-Spyware here
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

WinPatrol

WinPatrol uses a heuristic approach to detecting attacks and violations of your computing environment. Traditional security programs scan your hard drive searching for previously identified threats. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. You'll be removing dangerous new programs while others download new reference files.
  • Detect & Neutralize Spyware.
  • Detect & Neutralize ADware.
  • Detect & Neutralize Viral infections.
  • Detect & Neutralize Unwanted IE Add-Ons.
  • Detect & Restore File Type Changes.
  • Automatically Filter Unwanted Cookies.
  • Avoid Start Page Hijacking.
  • Detect changes to HOSTS & critical system files.
  • Kill Multiple Tasks that replicate each other, in a single step!
  • Stop programs that repeatedly add themselves to your Startup List!
Starting with WinPatrol 9.5 PLUS users also get the addition of Real-time Infiltration Detection so they'll know immediately when changes are made to critical system areas. WinPatrol Free is not demo or trial software. You're welcome to use it as long as you like.
You can download WinPatrol here
WinPatrol FAQ

SiteHound by Firetrust

Firetrust introduces the SiteHound Toolbar - the safe way to browse the Internet. With SiteHound, when you browse the Internet, you're shown a warning page every time you go to a site which is a known scam, potentially loads viruses or spyware on to your computer, has questionable content or anything you would not consider reasonable. You are shown a warning page with information about that site. From there you can choose to enter the site or go back. SiteHound is a free add-on to Internet Explorer. (Users of Firefox - a version for you is coming soon.) SiteHound's comprehensive database gathers the knowledge from other users and respected experts from the online security community to tell you which sites are real and which are bogus.

SiteHound will alert you when you enter a site which is known to contain:
  • Fraudulent claims or scams
  • Offensive material
  • Security vulnerabilities
  • Spyware or Adware
  • Spam related material
  • or other content deemed to be unsafe
Specifically, SiteHound blocks these categories:

• Adult • Spyware • Spam Advertising • Phishing • Possible scam or fraud • Misleading or False Advertising
• Pharming • Rogue or Suspect Product • Adware • Malware or Virus

System Requirements:
Internet Explorer 5.5+ and Windows 95/98/NT 4/ME/2000/XP

Product Info & Download: SiteHound Toolbar

For advanced users : ProcessGuard

ProcessGuard blocks rootkits, prevents spyware, guards your computer from DLL trojans...
For more information take a moment to read the Introduction and the Known Attacks information pages.
You can download Process Guard here

For advanced users : System Safety Monitor

System Safety Monitor (SSM) allows you to track down Microsoft Windows operating system activity in real-time and to prevent undesirable actions from various malware and spyware programs. SSM's main goal is to discover and block malicious actions of any application.
For more information take a moment to read the Main features of the program.
You can download SSM here

Use an AntiVirus Software

It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See the link below for a listing of some online & their stand-alone antivirus programs.
Computer Safety On line - Anti-Virus
http://forum.malware...pic.php?p=53#53

Update your Anti Virus Software

It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall

I can not stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below.
Computer Safety On line - Software Firewalls
http://forum.malware...pic.php?p=56#56
A tutorial on Understanding and Using Firewalls can be found here

Additional Information

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link.

A very nice collection of tutorials is available at Bleeping Computer
http://www.bleepingc....com/tutorials/

Finally, after following up on all these recommendations, why not run Jason Levine's Browser Security Tests ?
They will provide you with an insight on how vulnerable you might still be to a number of common exploits.
http://www.jasons-to...rowserSecurity/
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP