Re: hi-jacked browser
From: dave11 (dave11.1jlis3_at_mail.mcse.ms)
Date: 01/29/05
- Next message: Steve W.: "Re: Saving .txt file from a website"
- Previous message: Meena: "Re: Referal Links"
- In reply to: flintridgeparkenfarker vonkerschnauzerheiden: "hi-jacked browser"
- Next in thread: Tom H: "Re: hi-jacked browser"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 28 Jan 2005 18:58:05 -0600
Well, I am semi-experienced as yourself and did become obsessed with issues nearly identical to yours, and can share the ideas that helped me a lot. First off, I think you had a reasonably good approach... I would have been a bit more conservative at first, but I realize that at certain levels of exasperation we get more savage. OK... my quest began when I could not get rid of mxtarget.dll. Reg edits wouldn't, as it placed pieces of itself all over and any reboot brought it back. SpySweeper by Webroot happened to get rid of that one... and I had downloaded many programs all claiming to get rid of that one. I also use Ad-Aware Pro SE, which I'm sure you've heard of, and something called HijackThis, HJT, which creates a log that you can send to several online forums for fast evaluation. Also go here:
http://www.jasons-toolbox.com/BrowserSecurity/
and download a tool called Script Sentry... he has a number of different tests and tools to try out.

Lavasoft is an excellent forum
http://www.lavasoftsupport.com/index.php?showforum=44
as is:
http://forums.techguy.org/index.php
as is:
http://www.theeldergeek.com/forum/index.php?
as is where we are now... I sometimes have to contact the universe.

OK... also... I almost NEVER use Outlook Express or IE in any form. I consider them virus and spyware traps at this point. Use Mozilla or something else. This proactive step will solve 99% of your problems. You can use the XP disk to uninstall both of them, and good riddance, or go to the registry and modify the value IsInstalled from a 1 to a zero here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\InstalledComponents\{89820200-ECBD-11cf-8B85-00AA005B4383}

I use Sygate as a firewall and it's always on, with Script Sentry and Ad-Watch (part of Ad-Aware) and SpySweeper. Also in XP I control which ports I want open; you can do that here:
Control Panel / Network Connections / double-click Local Area Connection / Properties / highlight TCP/IP / Properties / Advanced / Options / Properties
In there you can control exactly what ports you want to leave open. Also Jason's Toolbox has a script that will show you exactly what ports are open and what they are doing.

If I must use IE6 for something... and some sites force that... I use it as briefly as possible with MAXIMUM security settings. Make sure you disable third-party browser extensions in the Advanced tab; this step alone will stop many hijackers from executing. I do other stuff too, but these steps above should clear up a lot.

Hope this helps...... Dave
flintridgeparkenfarker vonkerschnauzerheiden wrote:
> Xref: TK2MSFTNGP08.phx.gbl microsoft.public.windows.inetexplorer.ie6.browser:317602
>
> This is my first and I think I've gotten rid of it, but we'll see.
>
> Fortunately for me, I had taken a screenshot of my processes running just prior to this wicked infiltration, so I had a great starting point. You know, the 3-fingered salute: CTRL-ALT-DELETE and click the "Processes" tab. It's good to view this once in a while to keep abreast of what is running normally. Hit the "Print Screen" button, open "Paint" or whatever, and paste it, or make a list of all the processes that normally are running. This is very valuable information.
>
> Anyway, I went to this website "here4search.com" (DON'T GO THERE!!) and I was immediately warned by XP's firewall that a possibility of malicious stuff was going on with port 443 [or something]. By the time I disconnected, the damage was done. Every time I got online IE got hi-jacked.
>
> So, I copied the URL of the site to which I was taken, did a registry search and changed all the entries that matched back to my home page. (I know, very crude.) I did this several times after re-booting, only to find the entries back to the evil site's URL.
>
> I did the 3-fingered salute to see what processes were running. I found one with an ugly name that didn't belong there because it didn't match my picture taken just days before. I opened Windows Explorer, did a file search and I deleted it. I checked my internet connections folder and found that the *.exe file had created its own connection configuration, so I deleted that.
>
> I went to C:\Windows\System32 and sorted all the files by creation date. I couldn't believe it! I had files in there with the ".dll" extension concatenated about a dozen times on some of them, so that some of the file names were extremely suspicious (5626kluujx5i.dll.dll.dll.dll.dll. [etc] was one of them). Anyway, I tried to delete all the .dll files that were created between Jan 25 [the fateful day] and today, since I know I didn't install any programs in that timeframe.
>
> I was denied access to several of these files because either IE or Explorer was using them (I guess) as an IE third-party add-in (thank you very much M$). I noticed also that they (.dll files) were being re-created after I would delete them and restart my computer. (This may have taken place before I checked the processes running and deleted the .exe file, I'm not sure--probably though.)
> So anyway, for the .dll's that wouldn't give me access for deletion, I closed Explorer and IE and opened a DOS window. I typed:
> del 5626kluujx5i.dll
> and was allowed to delete 2 more of the last 4. So now I had 2 left. I changed the filenames, rebooted, and then was allowed to delete the last 2 .dll files.
>
> I didn't do this methodically and/or scientifically. I was pissed and wanted results, so the exact sequence of my actions cannot be verified; therefore, I'm not entirely sure if I got the executable file that was slipped into my backside so quickly, but I think I at least broke the chain needed to hi-jack my browser.
>
> At any rate, so far so good. I can't believe I had to spend that much time fixing my computer from simply visiting a web site, but then, maybe it wasn't the website. Maybe it was simply a derelict scanning the web for suckers with a vulnerable port like me. I can only blame myself. I actually expected the firewall to not only detect and warn me of malicious goings on, but to PREVENT the infiltration. Shows ya how much I know.
>
> For what it's worth, I don't know if I'm out of the woods yet, but maybe someone can get some useful tips out of what I've experienced. I don't like downloading bloated patches from M$. I like to know what's going on with this box, as probably most of you do [excluding the seasoned, propeller-headed veterans--naturally]. Of course, I DON'T know what's going on, but I try. I'll probably have to eat my post later when I'm forced into using the dreaded, bloated patch. I hope not. I've re-booted and gotten online several times now without being hi-jacked and no new .dll files have been created, so I think I got rid of it.
>
> Oh yeah, I'm not sure how much of a pain in the XXX this is going to be, but I changed my Advanced Internet Options to not allow any third-party add-ins. I don't know if this change will be effective for prevention.
>
> --
> joe
> /*------- A new survey of online daters found that
> 47% of people believe that their online date will
> go well... the other 53% are still missing. -------*/
--
dave11

------------------------------------------------------------------------
Posted via http://www.mcse.ms
------------------------------------------------------------------------
View this thread: http://www.mcse.ms/message1381029.html
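The manual checks both posters describe (a baseline of running processes to diff against, System32 sorted by creation date with an eye for names like foo.dll.dll, the registry values a start-page hijacker rewrites, the third-party add-ins IE loads, and the Advanced-tab switch that turns them off) can be scripted. The script below is an added example written for this page; it is not code from either poster or from the thread, and it does not delete anything. It assumes a Windows 7 or later host with PowerShell 3+ (the XP box in the thread would not run it); the -SaveBaseline switch, the baseline file location, the seven-day -Since window and the -SuspectHost filter are its own inventions, and the IE value names it reads are the ones IE has stored under Internet Explorer\Main and the Browser Helper Objects key since IE6.

```powershell
# Added example for this thread (not the posters' code). Scripts the checks joe
# and dave did by hand. Assumes Windows 7+ with PowerShell 3 or later; run from
# an elevated prompt so Get-Process can read every image path.
param(
    [switch]$SaveBaseline,                                             # write a clean baseline and stop
    [string]$BaselinePath = "$env:USERPROFILE\process-baseline.json",  # assumed location
    [datetime]$Since = (Get-Date).AddDays(-7),                         # "the fateful day" window
    [string]$SuspectHost = ''                                          # hostname of the hijack URL, if known
)

# --- 1. Process baseline: the Task Manager screenshot, as data you can diff ---
function Get-ProcessSnapshot {
    Get-Process | Where-Object Path | ForEach-Object {
        [pscustomobject]@{ Name = $_.ProcessName; Path = $_.Path }
    } | Sort-Object Path -Unique
}

function Save-ProcessBaseline([string]$Path) {
    Get-ProcessSnapshot | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Compare-ProcessBaseline([string]$Path) {
    $known = @(Get-Content -Path $Path -Raw | ConvertFrom-Json).Path
    # Anything running now whose image path was not running when the baseline was taken.
    Get-ProcessSnapshot | Where-Object { $_.Path -notin $known }
}

# --- 2. System32 by creation date, with the two hints joe spotted by eye ---
function Get-RecentSystemFiles([datetime]$Since) {
    Get-ChildItem "$env:SystemRoot\System32" -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -and $_.Extension -in '.dll', '.exe' } |
        Sort-Object CreationTime -Descending |
        Select-Object Name, CreationTime, Length,
            @{ n = 'RepeatedExt'; e = { $_.Name -match '(\.\w+)\1' } },   # e.g. name.dll.dll
            @{ n = 'Signed';      e = { (Get-AuthenticodeSignature $_.FullName).Status -eq 'Valid' } }
}

# --- 3. The IE registry values a start-page hijacker rewrites ---
function Get-IeStartPages([string]$SuspectHost) {
    $keys  = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
             'HKLM:\Software\Microsoft\Internet Explorer\Main'
    $names = 'Start Page', 'Default_Page_URL', 'Search Page', 'Local Page'
    foreach ($k in ($keys | Where-Object { Test-Path $_ })) {
        $props = Get-ItemProperty -Path $k
        foreach ($n in $names) {
            $p = $props.PSObject.Properties[$n]
            if ($p) {
                [pscustomobject]@{
                    Key = $k; Name = $n; Value = $p.Value
                    Suspect = ($SuspectHost -ne '' -and $p.Value -like "*$SuspectHost*")
                }
            }
        }
    }
}

# --- 4. Browser Helper Objects: the third-party extensions IE loads into itself ---
function Get-BrowserHelperObjects {
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bho)) { return }
    foreach ($sub in Get-ChildItem -Path $bho) {
        $clsid  = $sub.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path $server) {
            $raw = (Get-ItemProperty -Path $server).'(default)'
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
        }
        $signed = $false
        if ($dll -and (Test-Path $dll)) { $signed = (Get-AuthenticodeSignature $dll).Status -eq 'Valid' }
        [pscustomobject]@{ CLSID = $clsid; Dll = $dll; Signed = $signed }
    }
}

# --- 5. The Advanced-tab switch both posters flipped ---
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
function Get-ThirdPartyExtensionSetting {
    # "Enable Browser Extensions" (yes/no) is the value behind
    # Internet Options > Advanced > "Enable third-party browser extensions".
    $p = Get-ItemProperty -Path $ieMain -Name 'Enable Browser Extensions' -ErrorAction SilentlyContinue
    if ($p) { $p.'Enable Browser Extensions' } else { 'yes (value not set; IE default)' }
}
function Disable-ThirdPartyExtensions {
    if (-not (Test-Path $ieMain)) { New-Item -Path $ieMain -Force | Out-Null }
    Set-ItemProperty -Path $ieMain -Name 'Enable Browser Extensions' -Value 'no' -Type String
}

# --- driver: read-only report; Disable-ThirdPartyExtensions is never called automatically ---
if ($SaveBaseline) {
    Save-ProcessBaseline -Path $BaselinePath
    "Baseline written to $BaselinePath; re-run without -SaveBaseline after a suspected hijack."
    return
}
if (Test-Path $BaselinePath) {
    '== Running processes not in the baseline =='
    Compare-ProcessBaseline -Path $BaselinePath | Format-Table -AutoSize
} else { "No baseline at $BaselinePath (run with -SaveBaseline on a clean machine first)." }
"== System32 .dll/.exe created since $Since =="
Get-RecentSystemFiles -Since $Since | Format-Table -AutoSize
'== IE start/search page values =='
Get-IeStartPages -SuspectHost $SuspectHost | Format-Table -AutoSize
'== Browser Helper Objects =='
Get-BrowserHelperObjects | Format-Table -AutoSize
"Third-party browser extensions enabled: $(Get-ThirdPartyExtensionSetting)"
```

Take the baseline with -SaveBaseline while the machine is known clean, then after a suspected hijack run it again with -Since set to the day it happened and -SuspectHost set to the hostname IE keeps landing on. Two caveats a practitioner would add to the thread's advice: every answer here comes from the running OS, so a rootkit that hooks process or file enumeration can hide from it as easily as from Task Manager (confirm findings from an offline boot or a second machine), and an unsigned, unbaselined DLL that a BHO entry points at is a lead to investigate, not by itself proof of infection.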