#1

Ok, here is a puzzler. Yesterday afternoon after I got home my brother told me that there was an attack on the computer from the internet and all of a sudden a series of pop-ups appeared and the browser homepage was immediately changed to http://www.bilfen-kizlari.com I have used HijackThis, and Spybot S&D and though HijackThis did find a couple things--nothing that would indicate to me any type of browser hijacker. I went into the registry and eliminated the three references that I could find of the website--I have gone into the registry and manually set my homepage back to my original homepage. The problem is--in Internet Explorer--tools\options, the option to change and set my homepage is now greyed out with no visible way of fixing it. I have also just finished using spybot S&D and it found absolutely nothing that would indicate any kind of problem--it literally found nothing. I have used adaware and it found only a couple of things from Alexa and a couple cookies. So I am at a loss. There are no visible signs of spyware installed. I am using an XP Pro machine with 512mb DDR SDRAM on an Athlon 3000+ with a 256mb DDR video card. I am using a firewall which detected and intercepted the attack, and I am also using a popup blocker that came with adaware. All known registry entries to this website have been deleted, and apparently neither Spybot nor HijackThis can find anything. I have looked in Msconfig to see what was starting up--and the only things in that are my normal software. I have looked at the running processes and there seems to be nothing out of the ordinary.

So that is the background. Does anyone have any ideas for me?

me

#2

"me" <> wrote in news:z_aGf.483$:

> The problem is--in Internet Explorer--tools\options, the option
> to change and set my homepage is now greyed out with no visible
> way of fixing it.

Download Spyware Blaster....there is an option to lock the home page (i.e. grey it out so users cannot change it). So lock it and then unlock it.

Adam

--
Visit my PC Tech blog at www.leinss.com/blog

Adam Leinss

#3

doing a reinstall for something like this is unacceptable.

"Mark Mandell" <> wrote in message news:7KcGf.15234$ link.net...
>
> "me" <> wrote in message
> news:z_aGf.483$...
> > Ok, here is a puzzler. Yesterday afternoon after I got home my brother told me that there was an attack on the computer from the internet and all of a sudden a series of pop-ups appeared and the browser homepage was immediately changed to http://www.bilfen-kizlari.com I have used HijackThis, and Spybot S&D and though HijackThis did find a couple things--nothing that would indicate to me any type of browser hijacker. I went into the registry and eliminated the three references that I could find of the website--I have gone into the registry and manually set my homepage back to my original homepage. The problem is--in Internet Explorer--tools\options, the option to change and set my homepage is now greyed out with no visible way of fixing it. I have also just finished using spybot S&D and it found absolutely nothing that would indicate any kind of problem--it literally found nothing. I have used adaware and it found only a couple of things from Alexa and a couple cookies. So I am at a loss. There are no visible signs of spyware installed. I am using an XP Pro machine with 512mb DDR SDRAM on an Athlon 3000+ with a 256mb DDR video card. I am using a firewall which detected and intercepted the attack, and I am also using a popup blocker that came with adaware. All known registry entries to this website have been deleted, and apparently neither Spybot nor HijackThis can find anything. I have looked in Msconfig to see what was starting up--and the only things in that are my normal software. I have looked at the running processes and there seems to be nothing out of the ordinary.
> >
> > So that is the background. Does anyone have any ideas for me?
>
> First of all, if you're sure the HiJack This doesn't have that site, then
> check into a program called Ewido.net which you can find on Google.
> Download and run this.
>
> Do you have SP2 with the pop up blocker set to be enabled? If not, it
> probably wouldn't work out anyway (if you try downloading) because that site
> might create problems in the installation. So you might wind up having to
> uninstall and reinstall Internet Explorer. If that doesn't work, you'd most
> likely have to reformat and reinstall Windows.

me

#4

I would also try downloading and updating a trial version of webroot spysweeper - I have found it can sort out most problems without having to mess about too much. Although not sure if the latest version is fully enabled in trial mode. If not let me know as I have the earlier version.

Lizzzie

"me" <> wrote in message news:z_aGf.483$...
> Ok, here is a puzzler. Yesterday afternoon after I got home my brother told me that there was an attack on the computer from the internet and all of a sudden a series of pop-ups appeared and the browser homepage was immediately changed to http://www.bilfen-kizlari.com I have used HijackThis, and Spybot S&D and though HijackThis did find a couple things--nothing that would indicate to me any type of browser hijacker. I went into the registry and eliminated the three references that I could find of the website--I have gone into the registry and manually set my homepage back to my original homepage. The problem is--in Internet Explorer--tools\options, the option to change and set my homepage is now greyed out with no visible way of fixing it. I have also just finished using spybot S&D and it found absolutely nothing that would indicate any kind of problem--it literally found nothing. I have used adaware and it found only a couple of things from Alexa and a couple cookies. So I am at a loss. There are no visible signs of spyware installed. I am using an XP Pro machine with 512mb DDR SDRAM on an Athlon 3000+ with a 256mb DDR video card. I am using a firewall which detected and intercepted the attack, and I am also using a popup blocker that came with adaware. All known registry entries to this website have been deleted, and apparently neither Spybot nor HijackThis can find anything. I have looked in Msconfig to see what was starting up--and the only things in that are my normal software. I have looked at the running processes and there seems to be nothing out of the ordinary.
>
> So that is the background. Does anyone have any ideas for me?

lizzieb

#5

"me" <> wrote in message news:kPcGf.1113$...
> doing a reinstall for something like this is unacceptable.

Even if it's the path of least resistance? I'm of the philosophy that some things just aren't worth beating your head bloody over...

smackedass

smackedass

#6

This is an update as to my dilemma and the tad bit of confusion I am experiencing as I deal with this. I have used the following programs to try and root out this little problem with my computer browser.

Ewido 3.5 Spybot S&D Adaware ES Trust EZ Antivirus HijackThis

You would think that one of these would detect the little bug that caused this problem but thus far--absolutely nothing has been found by any of these programs that would indicate to me there was ever a problem with my browser--and yet there is. EZ Antivirus did find some Java based virii in my separate 40Gb hard drive that is acting as a backup, but other than that and a few cookie issues detected by Ewido--absolutely NOTHING has been found to indicate any type of problem ever existed with my computer and yet my browser option in Tools\Options is still greyed out.

I am totally befuddled by this--either this attack is extremely new and nothing has been developed to detect it yet or my computer was actually hacked from the internet without ever having to install anything. I am very confused now, but still refuse to give up on this. I'm hard headed on some things and I am not yet ready to cut my losses and reinstall.

me

#7

yes, everything is taken care of properly--my browser automatically deletes all temp files on exiting. I clear all cookies, all sites, everything every time I exit the internet.

me

#8

yes it does--I set it up to delete everything on exiting.

"Thumper" <> wrote in message news:...
> On Wed, 8 Feb 2006 16:09:33 -0500, "me" <> wrote:
>
> >yes, everything is taken care of properly--my browser automatically deletes
> >all temp files on exiting.
>
> No it doesn't.
>
> > I clear all cookies, all sites, everything every
> >time I exit the internet.
> >
>
> Clear ALL temporary files.
> Thumper

me

#9

On Tue, 7 Feb 2006 16:35:28 -0800 , "me" <> wrote:

>Ok, here is a puzzler. Yesterday afternoon after I got home my brother told me that there was an attack on the computer from the internet and all of a sudden a series of pop-ups appeared and the browser homepage was immediately changed to http://www.bilfen-kizlari.com I have used HijackThis, and Spybot S&D and though HijackThis did find a couple things--nothing that would indicate to me any type of browser hijacker. I went into the registry and eliminated the three references that I could find of the website--I have gone into the registry and manually set my homepage back to my original homepage. The problem is--in Internet Explorer--tools\options, the option to change and set my homepage is now greyed out with no visible way of fixing it. I have also just finished using spybot S&D and it found absolutely nothing that would indicate any kind of problem--it literally found nothing. I have used adaware and it found only a couple of things from Alexa and a couple cookies. So I am at a loss. There are no visible signs of spyware installed. I am using an XP Pro machine with 512mb DDR SDRAM on an Athlon 3000+ with a 256mb DDR video card. I am using a firewall which detected and intercepted the attack, and I am also using a popup blocker that came with adaware. All known registry entries to this website have been deleted, and apparently neither Spybot nor HijackThis can find anything. I have looked in Msconfig to see what was starting up--and the only things in that are my normal software. I have looked at the running processes and there seems to be nothing out of the ordinary.
>
>So that is the background. Does anyone have any ideas for me?

An attack on the computer from the Internet?! That's a good one. Couldn't have had anything to do with stuff he was downloading and/or web sites he was visiting, huh?

Anyway, one of the best anti-spyware apps I've found lately is the one from Microsoft (believe it or not). Download & run that, and it may find something.

But what I've run into lately is a few baddies that have managed to hide their entries in the registry. IOW, the entries are there, but Regedit (and you) can't see them. These entries will load files that themselves are hidden. In order to clean this, you have to access the disk & registry while Windows is not running. Winternals has their Administrator's Pak, which includes their ERD Commander - lets you boot from a CD, then access a Windows installation without it running. Unfortunately, that's $500 for a temp license.

You might try RegMon from SYSINTERNALS.COM to see if it lets you watch what's going on in the registry....or do a Google search on Hidden registry keys and see what turns up. Also, get a copy of one of the utilities that lets you read NTFS files from DOS, then look in the regular startup folders and any temporary folders for hidden files. You may have to use the ATTRIB command to unhide them.

Good luck! Took me a few hours to discover this latest spyware trick. Once I did, it was a quick clean....(but we have the Winternals product).

M

mhaase-at-springmind.com

#10

me wrote:
> I am totally befuddled by this--either this attack is extremely new and
> nothing has been developed to detect it yet or my computer was actually
> hacked from the internet without ever having to install anything. I am very
> confused now, but still refuse to give up on this. I'm hard headed on some
> things and I am not yet ready to cut my losses and reinstall.

Did you try my suggestion? The home page can be locked via the Local Security Policy...that's probably why the scans do not find anything.

Adam

aleinss@hotmail.com
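
The home-page lock raised in posts #2 and #10 is stored as a policy value in the registry, so it can be checked directly. As an added example (not part of the thread), this Python code audits the text of a `.reg` export for that lock and for Start Page values pointing somewhere unexpected. The key and value names (`HomePage` under `...\Policies\Microsoft\Internet Explorer\Control Panel`, `Start Page` under `...\Internet Explorer\Main`) are standard Internet Explorer locations that the posters do not name, and the sample export and `expected_home` argument are constructed.

```python
import re
from urllib.parse import urlparse

# Standard IE registry locations (not named in the thread; assumed here).
POLICY_KEY = r"software\policies\microsoft\internet explorer\control panel"
MAIN_KEY = r"software\microsoft\internet explorer\main"

# Constructed sample in .reg export format; real exports are UTF-16 files.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.org/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.bilfen-kizlari.com"
'''

def parse_reg(text):
    """Yield (key, value_name, data) for each named value in .reg text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if key is None or m is None:
            continue
        name, data = m.groups()
        if data.startswith("dword:"):
            data = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
        yield key, name, data  # other types (hex:...) stay as raw text

def audit(text, expected_home):
    """Return findings: home-page policy locks and unexpected Start Pages."""
    findings, home = [], expected_home.lower()
    for key, name, data in parse_reg(text):
        where, name = key.lower(), name.lower()
        if where.endswith(POLICY_KEY) and name == "homepage" and data == 1:
            findings.append(("locked", key, data))
        elif where.endswith(MAIN_KEY) and name == "start page":
            host = (urlparse(str(data)).hostname or "").lower()
            if host != home and not host.endswith("." + home):
                findings.append(("unexpected-url", key, data))
    return findings

print(audit(SAMPLE, "example.org"))
```

A `locked` finding under either hive means the greyed-out option comes from a policy value, which can then be traced to whatever set it.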