Toolbar Hijacking attempt in progress

Discussion in 'Computer Security' started by Allan Waghalter, Feb 25, 2006.

  1. Spybot search and destroy is preventing an attempted hijack of my google
    toolbar and/or home page. Because I told Spybot search and destroy to
    remember that I didn't want the global browser toolbar @ 2318CB1=4965-11d4
    9818-009027 AF CD4F changed, it is in a loop trying to make the change. I
    assume that if I uninstall Spybot the infiltrator will go ahead and change
    the toolbar. It may then be difficult to get their stuff off as it is so
    persistent in wanting on. Can anyone advise me what to do?
    Thanks,
    Allan
     
    Allan Waghalter, Feb 25, 2006
    #1

  2. Allan Waghalter wrote:
    > Spybot search and destroy is preventing an attempted hijack of my google
    > toolbar and/or home page. Because I told Spybot search and destroy to
    > remember that I didn't want the global browser toolbar @ 2318CB1=4965-11d4
    > 9818-009027 AF CD4F changed, it is in a loop trying to make the change. I
    > assume that if I uninstall Spybot the infiltrator will go ahead and change
    > the toolbar. It may then be difficult to get their stuff off as it is so
    > persistent in wanting on. Can anyone advise me what to do?


    1. The CLSID refers to the Google Toolbar for IE. You shouldn't misuse
    it as a web browser.
    2. ActiveX install prevention on IE is more like cleaning up after the
    mess has actually happened than prevention in the first place.
    3. Your system is compromised. If you have restricted user rights
    flatten the user's account + profile and rebuild it. If you're with
    default admin rights, then the same thing applies to the entire system:
    Flatten and rebuild.
     
    Sebastian Gottschalk, Feb 25, 2006
    #2

  3. donnie Guest

    On Sat, 25 Feb 2006 21:18:52 GMT, "Allan Waghalter"
    <> wrote:

    >Spybot search and destroy is preventing an attempted hijack of my google
    >toolbar and/or home page. Because I told Spybot search and destroy to
    >remember that I didn't want the global browser toolbar @ 2318CB1=4965-11d4
    >9818-009027 AF CD4F changed, it is in a loop trying to make the change. I
    >assume that if I uninstall Spybot the infiltrator will go ahead and change
    >the toolbar. It may then be difficult to get their stuff off as it is so
    >persistent in wanting on. Can anyone advise me what to do?
    >Thanks,
    >Allan
    >

    ##########################################
    Are you sure that the attempt to change it is from the outside and not
    something that's already loaded on your PC? I didn't know that spybot
    had that option but I'll look for it. In any event, I would port scan
    my PC to see what ports are opened.
     
    donnie, Feb 25, 2006
    #3
  4. I am not as experienced as most of you so bear with me. I turned off my
    modem and my router and re-booted. I get the same thing:
    "Registry change denied! Registry denied change of 2318CB1=4965-11d4
    9818-009027 AF CD4F (category global browser toolbar) based on your
    blacklist). That tells me the attack is from a file that has already been
    downloaded to my machine and not from an open outside port. Am I correct?

    How do I check for open ports?
    What do you think of my exporting the current registry, turning off Spybot
    and allow the hijacking to take place and then import the saved registry
    back?
    Thanks for your help!
    Allan

    It is in a loop and keeps recycling itself. This has gone on now for three
    days so it shows no signs of timing out.
    "donnie" <> wrote in message
    news:...
    > On Sat, 25 Feb 2006 21:18:52 GMT, "Allan Waghalter"
    > <> wrote:
    >
    >>Spybot search and destroy is preventing an attempted hijack of my google
    >>toolbar and/or home page. Because I told Spybot search and destroy to
    >>remember that I didn't want the global browser toolbar @ 2318CB1=4965-11d4
    >>9818-009027 AF CD4F changed, it is in a loop trying to make the change. I
    >>assume that if I uninstall Spybot the infiltrator will go ahead and change
    >>the toolbar. It may then be difficult to get their stuff off as it is so
    >>persistent in wanting on. Can anyone advise me what to do?
    >>Thanks,
    >>Allan
    >>

    > ##########################################
    > Are you sure that the attempt to change it is from the outside and not
    > something that's already loaded on your PC? I didn't know that spybot
    > had that option but I'll look for it. In any event, I would port scan
    > my PC to see what ports are opened.
     
    Allan Waghalter, Feb 26, 2006
    #4
  5. donnie Guest

    On Sun, 26 Feb 2006 17:44:25 GMT, "Allan Waghalter"
    <> wrote:

    >That tells me the attack is from a file that has already been
    >downloaded to my machine and not from an open outside port. Am I correct?
    >
    >How do I check for open ports?
    >What do you think of my exporting the current registry, turning off Spybot
    >and allow the hijacking to take place and then import the saved registry
    >back?
    >Thanks for your help!
    >Allan
    >
    >It is in a loop and keeps recycling itself. This has gone on now for three
    >days so it shows no signs of timing out.

    #######################################
    Since it seems to be focused on the google toolbar, uninstall it. You
    can always download it again later.
    Yes, it's probably already on your machine, which is why I would run
    msconfig and look at the startup tab. If you don't know what you are
    looking at, post it here or search google. Run netstat -an from the
    command prompt. If you don't understand that, post it here.
    Next, click start, run, type in regedit, press enter and click on the
    following plus signs until you get to the run folder.
    HKLM
    software
    microsoft
    windows
    currentversion
    run
    Look in the run folder for anything that doesn't belong. Again, if you
    don't understand it, post it here.
    Don't let any hijacking take place. It will just happen again later.
     
    donnie, Feb 26, 2006
    #5
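    As an added, read-only triage script (not from this thread or from Spybot), the following PowerShell automates the checks donnie describes: the Run keys, the Internet Explorer toolbar and Browser Helper Object registrations (where a toolbar CLSID like the one in Spybot's report would be listed, resolved to the DLL behind it), and listening sockets with their owning process. It assumes an elevated PowerShell 5 session on Windows 8 or later, since Get-NetTCPConnection does not exist on the 2006-era systems discussed.

```powershell
# Added example, not from the thread: read-only triage of autostart entries,
# IE toolbar/BHO CLSIDs and listening sockets. Assumes elevated PowerShell 5.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Where IE toolbars and Browser Helper Objects register themselves by CLSID
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}
function Resolve-Clsid([string]$clsid) {
    # Map a CLSID to the DLL registered as its in-process COM server, if any
    $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { '<not registered>' }
}
function Get-BrowserExtensions {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        # The Toolbar key stores CLSIDs as value names, the BHO key as subkeys
        $ids = @((Get-ItemProperty $key).PSObject.Properties.Name) +
               @(Get-ChildItem $key | ForEach-Object PSChildName)
        foreach ($id in ($ids | Where-Object { $_ -like '{*}' })) {
            [pscustomobject]@{ Key = $key; CLSID = $id; Dll = Resolve-Clsid $id }
        }
    }
}
Get-AutostartEntries | Format-Table -AutoSize
Get-BrowserExtensions | Format-Table -AutoSize
# Listening sockets with their owning process (the netstat -ano equivalent)
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }} |
    Format-Table -AutoSize
```

    A toolbar or BHO whose DLL path points outside Program Files or the Windows directory, or whose CLSID resolves to "<not registered>", is the kind of entry worth looking up before deciding it belongs.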
  6. I didn't see anything that didn't belong under MSConfig nor did anything
    look wrong in netstat. I uninstalled Spybot Search and destroy, re-booted
    and then re-installed it. Voila! No more loop and the problem seems to be
    gone. I think Spybot had successfully blocked the attack and just got stuck
    in a portion of the deletion. Google Toolbar was gone, but I reinstalled
    that too.

    Thank you for all the help! I appreciate it.
    Allan

    "Allan Waghalter" <> wrote in message
    news:ZNlMf.1764$...
    >I am not as experienced as most of you so bear with me. I turned off my
    >modem and my router and re-booted. I get the same thing:
    > "Registry change denied! Registry denied change of 2318CB1=4965-11d4
    > 9818-009027 AF CD4F (category global browser toolbar) based on your
    > blacklist). That tells me the attack is from a file that has already been
    > downloaded to my machine and not from an open outside port. Am I correct?
    >
    > How do I check for open ports?
    > What do you think of my exporting the current registry, turning off Spybot
    > and allow the hijacking to take place and then import the saved registry
    > back?
    > Thanks for your help!
    > Allan
    >
    > It is in a loop and keeps recycling itself. This has gone on now for
    > three days so it shows no signs of timing out.
    > "donnie" <> wrote in message
    > news:...
    >> On Sat, 25 Feb 2006 21:18:52 GMT, "Allan Waghalter"
    >> <> wrote:
    >>
    >>>Spybot search and destroy is preventing an attempted hijack of my google
    >>>toolbar and/or home page. Because I told Spybot search and destroy to
    >>>remember that I didn't want the global browser toolbar @
    >>>2318CB1=4965-11d4
    >>>9818-009027 AF CD4F changed, it is in a loop trying to make the change. I
    >>>assume that if I uninstall Spybot the infiltrator will go ahead and
    >>>change
    >>>the toolbar. It may then be difficult to get their stuff off as it is so
    >>>persistent in wanting on. Can anyone advise me what to do?
    >>>Thanks,
    >>>Allan
    >>>

    >> ##########################################
    >> Are you sure that the attempt to change it is from the outside and not
    >> something that's already loaded on your PC? I didn't know that spybot
    >> had that option but I'll look for it. In any event, I would port scan
    >> my PC to see what ports are opened.

    >
    >
     
    Allan Waghalter, Feb 27, 2006
    #6
  7. "Allan Waghalter" <> wrote in message
    news:7xDMf.16953$...
    >I didn't see anything that didn't belong under MSConfig nor did anything
    >look wrong in netstat. I uninstalled Spybot Search and destroy, re-booted
    >and then re-installed it. Voila! No more loop and the problem seems to be
    >gone. I think Spybot had successfully blocked the attack and just got
    >stuck in a portion of the deletion. Google Toolbar was gone, but I
    >reinstalled that too.
    >
    > Thank you for all the help! I appreciate it.
    > Allan
    >
    > "Allan Waghalter" <> wrote in message
    > news:ZNlMf.1764$...
    >>I am not as experienced as most of you so bear with me. I turned off my
    >>modem and my router and re-booted. I get the same thing:
    >> "Registry change denied! Registry denied change of 2318CB1=4965-11d4
    >> 9818-009027 AF CD4F (category global browser toolbar) based on your
    >> blacklist). That tells me the attack is from a file that has already been
    >> downloaded to my machine and not from an open outside port. Am I
    >> correct?
    >>
    >> How do I check for open ports?
    >> What do you think of my exporting the current registry, turning off
    >> Spybot and allow the hijacking to take place and then import the saved
    >> registry back?
    >> Thanks for your help!
    >> Allan
    >>
    >> It is in a loop and keeps recycling itself. This has gone on now for
    >> three days so it shows no signs of timing out.
    >> "donnie" <> wrote in message
    >> news:...
    >>> On Sat, 25 Feb 2006 21:18:52 GMT, "Allan Waghalter"
    >>> <> wrote:
    >>>
    >>>>Spybot search and destroy is preventing an attempted hijack of my google
    >>>>toolbar and/or home page. Because I told Spybot search and destroy to
    >>>>remember that I didn't want the global browser toolbar @
    >>>>2318CB1=4965-11d4
    >>>>9818-009027 AF CD4F changed, it is in a loop trying to make the change. I
    >>>>assume that if I uninstall Spybot the infiltrator will go ahead and
    >>>>change
    >>>>the toolbar. It may then be difficult to get their stuff off as it is
    >>>>so
    >>>>persistent in wanting on. Can anyone advise me what to do?
    >>>>Thanks,
    >>>>Allan
    >>>>
    >>> ##########################################
    >>> Are you sure that the attempt to change it is from the outside and not
    >>> something that's already loaded on your PC? I didn't know that spybot
    >>> had that option but I'll look for it. In any event, I would port scan
    >>> my PC to see what ports are opened.

    >>
    >>

    >


    To get these types of reports you must have been using the TeaTimer option,
    which is like a process and registry live protection tool. In your system
    tray you should see a window-like icon with a padlock on it; right-click
    that and then select Settings. You are now viewing your blacklisted and
    whitelisted items, which will enable you to fine-tune which system changes
    are allowed and which are blocked.

    TpwUK
     
    Martin Spencer-Ford, Feb 27, 2006
    #7
  8. donnie Guest

    On Mon, 27 Feb 2006 13:55:15 GMT, "Allan Waghalter"
    <> wrote:

    >I didn't see anything that didn't belong under MSConfig nor did anything
    >look wrong in netstat. I uninstalled Spybot Search and destroy, re-booted
    >and then re-installed it. Voila! No more loop and the problem seems to be
    >gone. I think Spybot had successfully blocked the attack and just got stuck
    >in a portion of the deletion. Google Toolbar was gone, but I reinstalled
    >that too.
    >
    >Thank you for all the help! I appreciate it.
    >Allan

    ###########################################
    I'm glad to hear that the problem is solved.
     
    donnie, Feb 28, 2006
    #8
