browser hijacked

Discussion in 'A+ Certification' started by me, Feb 8, 2006.

  1. me

    me Guest

    Ok, here is a puzzler. Yesterday afternoon after I got home my brother told
    me that there was an attack on the computer from the internet and all of a
    sudden a series of pop-ups appeared and the browser homepage was immediately
    changed to I have used HijackThis, and Spybot
    S&D and though HijackThis did find a couple things--nothing that would
    indicate to me any type of browser hijacker. I went into the registry and
    eliminated the three references that I could find of the website--I have
    gone into the registry and manually set my homepage back to my original
    homepage. The problem is--in Internet Explorer--tools\options, the option
    to change and set my homepage is now greyed out with no visible way of
    fixing it. I have also just finished using spybot S&D and it found
    absolutely nothing that would indicate any kind of problem--it literally
    found nothing. I have used adaware and it found only a couple of things
    from Alexa and a couple cookies. So I am at a loss. There are no visible
    signs of spyware installed. I am using an XP Pro machine with 512mb DDR
    SDRAM on an Athlon 3000+ with a 256mb DDR video card. I am using a
    firewall which detected and intercepted the attack, and I am also using a popup
    blocker that came with adaware. All known registry entries to this website
    have been deleted, and apparently neither Spybot nor HijackThis can find anything.
    I have looked in Msconfig to see what was starting up--and the only things
    in that are my normal software. I have looked at the running processes and
    there seems to be nothing out of the ordinary.

    So that is the background. Does anyone have any ideas for me?
    me, Feb 8, 2006

  2. Adam Leinss Guest

    Download Spyware Blaster....there is an option to lock the home page
    (i.e. grey it out so users cannot change it). So lock it and then
    unlock it.

    Adam Leinss, Feb 8, 2006

  3. me

    me Guest

    doing a reinstall for something like this is unacceptable.
    me, Feb 8, 2006
  4. lizzieb Guest

    I would also try downloading and updating a trial version of webroot
    spysweeper - I have found it can sort out most problems without having to
    mess about too much. Although not sure if the latest version is fully
    enable in trial mode. If not let me know as I have the earlier version.

    lizzieb, Feb 8, 2006
  5. smackedass Guest

    Even if it's the path of least resistance? I'm of the philosophy that some
    things just aren't worth beating your head bloody over...

    smackedass, Feb 8, 2006
  6. me

    me Guest

    This is an update as to my dilemma and the tad bit of confusion I am
    experiencing as I deal with this. I have used the following programs to try
    and root out this little problem with my computer browser.
    Ewido 3.5
    Spybot S&D
    ES Trust EZ Antivirus

    You would think that one of these would detect the little bug that caused
    this problem but thus far--absolutely nothing has been found by any of these
    programs that would indicate to me there was ever a problem with my
    browser--and yet there is. EZ Antivirus did find some Java based virii in
    my separate 40Gb hard drive that is acting as a backup, but other than that
    and a few cookie issues detected by Ewido--absolutely NOTHING has been found
    to indicate any type of problem ever existed with my computer and yet my
    browser option in Tools\Options is still greyed out.
    I am totally befuddled by this--either this attack is extremely new and
    nothing has been developed to detect it yet or my computer was actually
    hacked from the internet without ever having to install anything. I am very
    confused now, but still refuse to give up on this. I'm hard headed on some
    things and I am not yet ready to cut my losses and reinstall.
    me, Feb 8, 2006
  7. me

    me Guest

    yes, everything is taken care of properly--my browser automatically deletes
    all temp files on exiting. I clear all cookies, all sites, everything every
    time I exit the internet.
    me, Feb 8, 2006
  8. me

    me Guest

    yes it does--I set it up to delete everything on exiting.
    me, Feb 11, 2006

  9. An attack on the computer from the Internet?! That's a good one.
    Couldn't have had anything to do with stuff he was downloading and/or
    web sites he was visiting, huh?

    Anyway, one of the best anti-spyware apps I've found lately is the one
    from Microsoft (believe it or not). Download & run that, and it may
    find something.

    But what I've run into lately is a few baddies that have managed to
    hide their entries in the registry. IOW, the entries are there, but
    Regedit (and you) can't see them. These entries will load files that
    themselves are hidden.

    In order to clean this, you have to access the disk & registry while
    Windows is not running. Winternals has their Administrator's Pak,
    which includes their ERD Commander - lets you boot from a CD, then
    access a Windows installation without it running. Unfortunately,
    that's $500 for a temp license. You might try RegMon from
    SYSINTERNALS.COM to see if it lets you watch what's going on in the
    registry....or do a Google search on Hidden registry keys and see what
    turns up.

    Also, get a copy of one of the utilities that lets you read NTFS files
    from DOS, then look in the regular startup folders and any temporary
    folders for hidden files. You may have to use the ATTRIB command to
    unhide them.

    Good luck! Took me a few hours to discover this latest spyware trick.
    Once I did, it was a quick clean....(but we have the Winternals

, Feb 11, 2006
  10. aleinss Guest

    Did you try my suggestion? The home page can be locked via the Local
    Security Policy...that's probably why the scans do not find anything.

    aleinss, Feb 11, 2006
  11. me

    me Guest

    I managed to fix the problem, identify the virus, remove it, remove its
    registry components, and then re-grey the tools\options\ change your start
    page option myself to prevent future problems from other jackass websites
    who think they can change your start page without your knowledge. Thanks to
    everyone for their ideas and help on this one as I worked through the attack
    and the problems.
    me, Feb 11, 2006
  12. me

    me Guest

    The scumware was identified by EzAntivirus as W32.Aleurongeneric (I think I
    spelled it correctly). The fix came from manually editing the registry to
    find and get rid of the virus which was named something similar to
    A000013.exe. I also deleted any references to the scum website, and then
    used Spybot S&D to again grey out my explorer option to change the website,
    and I have closed the gaps in my firewall that allowed the attack to begin
    with. The only thing I did not like was that, though Ez antivirus
    identified the virus, it did not remove it or give me the option to
    quarantine it, so I had to manually find and delete the registry entry. I
    also turned off system restore to prevent the program from residing anywhere

    As for the reference from that the "story" about
    the attack from the internet was fact. My popupblocker identifies any
    websites the computer has visited--the computer did not visit any type of
    website that should have attracted an attack. I track things very carefully
    and this attack was unprovoked, and nothing out of the ordinary happened
    prior to provoke it--such as visiting sites that you shouldn't.
    me, Feb 11, 2006

  13. So your computer was just sitting there on line, and through no action
    of the operator:

    1) a virus/spyware from the Internet hit your IP address

    2) went through the firewall,

    3) somehow injected a program into your computer,

    4) then ran it

    thereby infecting the machine with a virus/spyware.

    Sorry, but that's extreeeeeeemely far fetched. The list of conditions
    that would have to exist for that to happen is really unlikely, and it
    would have to include things that the average home user doesn't do
    (like running servers with open ports).

    My point is that stories like this get spread around and the average
    (naive) computer user starts to believe "It's nothing *I* did that
    caused the spyware infection...that stuff happens by itself".
    Therefore they never learn what they *ARE* doing that's causing the
    problem, and therefore never stop.

    I can 99.9% guarantee that your infection was caused by something your
    brother did. Possibly clicking "yes" on something he shouldn't have,
    possibly downloading some "helpful utility", or possibly visiting a
    website that initiated "drive-by" spyware.

    You say:

    "I am using a firewall which detected and intercepted the attack"

    Please tell us what the firewall log said. If this is something I've
    never heard of, I'd like to learn about it.


, Feb 12, 2006
  14. He DID state he changed firewall settings, which I interpreted to mean
    he closed some open ports.

    While I agree, the intrusion WAS MOST LIKELY a result of something he or
    his brother did, it IS possible to have your computer attacked and
    hacked IF you leave it sitting online "exposed" (on a cable modem or DSL
    w/no router, for example). i.e. Bots that ping IP addresses
    sequentially, do port scans, etc.

    Unfortunately, part of this thread was already gone from the news server
    when I subscribed to this group. I did read some of the
    suggestions--change IE settings and local policy settings. To that I
    would add, shelve Internet Explorer and get Firefox and the extensions
    NoScript and Ad-Block Plus. THEN go directly to and
    take the time to go thru all the options of ShieldsUP to see IF and
    WHERE any vulnerabilities can be found.

    In my opinion, the exposure and programmability of IE's object model
    make it an insecure browser out-of-the-box.

    My .02 cents worth.
    PPP Does NOT Equal Ping Pong Paddle, Feb 17, 2006
  15. Of course, but the fact that he *does* have a firewall means that's
    extremely unlikely. Also, why would he have a firewall with any
    vulnerable ports open anyway? What's the purpose of the thing then?

    He also claims he's "very careful", which I would interpret to mean a)
    he *didn't* have any open ports (more evidence it was an operator
    error), and b) he probably *does* have a router.

    I simply asked him to tell us what his logs said so we/I could
    determine what happened.

    I get tired of people claiming that all sorts of wild unprovoked
    "attacks" are getting through to their computers. I'd like to help
    them get educated as to exactly what *IS* happening so they can
    prevent it, instead of spreading "Urban Computer Myths".

    I deal with clients everyday who, at the least little computing
    hiccup, claim their "computer must have a virus!" It's a VIRUS

, Feb 18, 2006
  16. me

    me Guest

    I don't believe I asked for supposition based on information not supplied to
    you. I asked for ideas which were based on the information provided. I do
    not doubt what was said by my brother. I state again that the attack
    occurred for a period of approximately 10 minutes and after the attack which
    came from a website on the internet--which I tracked and contacted the ISP
    about that little issue--my browser homepage was changed to a Turkish site.
    As for what you personally believe, as to whether what I said was truth or
    not I really just don't give a crap about whether you think the attack was
    unprovoked or not.
    I maintain the attack was unprovoked, and yes, I am very careful about
    how I do things on my computer. Probably more so than many of the
    "professionals". So, get over yourself. I asked for ideas based on the
    information supplied, not suppositions which you dug up from the far nether
    reaches of your mind.
    me, Feb 20, 2006

  17. And I gave you ideas & suggestions based on the information you
    provided....or did you miss that?

    All I'm asking is for more information on "the attack" (firewall logs,
    router config if any, etc) so we/I can learn from it. Apparently
    you're not interested in discovering what actually happened - so
    unfortunately, you're destined to be "attacked" again.

    You *do* get awfully upset over a simple request, don't you?

    Anyway, I'll know better than to offer any help next time you ask.
, Feb 20, 2006
  18. The fact that his PC was intruded MAY make it too late for anything but
    severe remedies.

    To my knowledge, there are 2 levels of security we all need to be
    concerned about: 1.) Intrusion and 2.) Rootkits (software that can hide
    and gain total control of the OS).

    IF a rootkit has made its way onto that PC, then wiping ALL the drives
    on it are the only sure remedy. If by chance, one of the rogue programs
    made its way onto a floppy disk or cd burned by the host, then it might
    easily get put right back on the machine.

    Most of the focus these days (media hype/press, anyway) is on viruses,
    spyware, and spam. Rootkits are much more threatening and are a prime
    reason we should all be so concerned about viruses, worms, spyware,
    malware, spam, etc.

    In my opinion, anyway!

    WinXP_Powered, Feb 21, 2006
  19. Butterfield Guest

    For best results run spyware cleaners in safe mode.
    Butterfield, Mar 2, 2006