Browser infiltrators - help

Discussion in 'Off Topic' started by Streaky, Feb 7, 2008.

Thread Status:
Not open for further replies.
  1. dmccunney

    dmccunney Mobile Deity

    I run Symantec Corporate as my A/V software here. It works fine. I wouldn't run Norton, the consumer-oriented version.
    ______
    Dennis
     
  2. AKAJohnDoe

    AKAJohnDoe Mobile Deity

    It is extremely difficult to analyze these sorts of problems on the 'net without data. This Posting lists many of the better tools available for fighting an infestation.

    A HiJackThis log would probably help, but I'm not sure the Off-Topic forum at Brighthand is the best place to post that. Over at the sister site, http://forum.notebookreview.com/ might be a better place.
     
  3. Konrad Pierce

    Konrad Pierce Village Idiot 2.0

    Spyware infestation, no doubt about it. A brief synopsis:
    • Your IE7 is obviously compromised. I'd bet you have some new "Search Toolbars" and other things installed now that you never asked for.
    • Your Windows Defender has likely been reconfigured to allow exceptions, at the very least to sites affiliated with the malware authors; it's possibly been configured to "authorize" all sorts of innumerable "back doors" and other nastiness. You have to assume that it's no longer secure.
    • Bad news: ErrorKiller is just another name for "Spyware Warrior", and guess what? It's a rogue product full of spyware - a fake, a threat. It's blacklisted by McAfee, and you now definitely suffer from browser hijacking, toolbar hijacking, DNS hijacking, firewall logging, several spambots, and a clumsy keylogger. You've probably only noticed the extra popups, but I guarantee you have plenty of problems now. If not, don't worry - the pop-ups get more numerous and more frantic as more pop-up generating spambots and spyware get silently installed on a daily basis. It's sure to get your attention eventually. <g>
    • Bad news: Oh my, Adwarealert is another fake (blacklisted by Norton, but not McAfee). You just got another search toolbar, LOP.COM, and some more lovely RATs installed, plus a few more open ports on your firewall "for later".
    • Bad news: SpywareBlaster ... is yet another copy of Spyware Warrior under a different name. Same as above (except, oddly, it's blacklisted by Trend Micro and not by McAfee), except that it's delivered another payload of garbage onto your PC. (Hey, learn more about RATs from Steal This Computer Book 4.0 if you're not scared enough yet ...)

    (Incidentally: Avast! isn't a bad product by any means, but it isn't manly enough, doesn't have robust enough development to keep up with the "bigger" AV companies; for example, it doesn't detect/repair/kill any of the problems you're having now ...)

    Quite a mess. Your machine may have been slowed to the point where cleaning it all up before the 2010 Olympics is no longer possible, short of a complete format and Vista reinstall. If your Windows install is getting a little cranky, old and tired anyways - and if you can reinstall all of your software, data, settings, and other stuff from original CDs and whatnot - then it might even be better to do a clean install on such a machine. Remember to take careful notes of stuff like your hardware configuration (i.e. which drivers you need to install) and your network settings (IP configuration and such) before you erase it all.

    You should be able to salvage the system, though. I recommend the following:
    1. Forget IE - it's hopeless now, at least until it's cleaned up. Install Firefox. Even so, your problems won't go away until you've completely nuked them off your system, but at least FF might have a chance of downloading the stuff you do need without DNS redirection, hijacking, substitution, keylogging, etc. Begin with the F-Secure Online Virus Scanner.
    2. Did I mention keylogging? You don't want to risk typing any passwords, account information, credit card numbers, and other confidential/personal information at all until you know your PC is secure - otherwise you might find this info being sent to armies of teenaged hackers who happen to be scanning ports and running the correct RAT client software.
    3. Download, install, update, and run Lavasoft Ad-Aware, Spybot Search & Destroy (not to be confused with Search and Destroy - Free - yet another fake/destructive product), and ZoneAlarm.
    4. Obviously, you want to remove all the nasties named above. This will involve several Restarts and successive scans (with each product listed above) until you get "clean" results from every one of them.
    5. Let's visit the Gibson Research site and run the ShieldsUP! and LeakTest security checks. It won't hurt to download and install some of the free GRC tools: DCOMbobulator, Shoot The Messenger, UnPlug n' Pray, are all good choices.
    6. Pull up your Task Manager ([Ctrl][Alt][Delete]) and take note of every running process, then take a look at an online Windows (Vista) Process Library (like this one) to see what's what. Obviously, everything that's running better be kosher parts of Windows and software, not malware.
    7. If you know (or suspect you know) of any files on your system that carry malware or trojans, delete them all manually. Some of the trickier malware will attempt to identify itself within the Registry as critical system components and whatnot - doesn't matter, kill 'em all. If your technical knowledge of Windows is strong enough, you can't lose by manually cleaning up your directories, files, and Reg keys as well - this may not actually make much of a difference, so if you can do it then great, if you can't then don't worry too much.
    8. It's a good idea to confirm the Security Settings and such for your browsers (even if you don't intend to use them). Here's a good starting point.
    9. Oh yes ... don't forget to go through all your Certificates. It might even be best to just delete the whole lot of them and reinstall what's needed by installing the Windows Vista Root Certificates Update - you'd be able to reinstall most or all of any "missing" certs for your work-at-home-login or online-banking or whatever the first time you login anyways, and you wouldn't be saddled with your computer "trusting" some rather unsavoury sorts. Maybe overkill, but you can never be too careful about wiping away every last trace of spyware - the first mission of every spyware app is to burrow deep into the system and make itself hard to remove, primarily by using every trick imaginable to give other spyware easy access to the machine ...
    10. Take a look at all the User Accounts on your machine. There might be one or two (or hundreds!) more than you'd think should be there ... obviously you just delete anybody you don't know. ;)
    11. Not a bad idea to check your Network Properties. Most especially, don't allow your File Sharing to be enabled unless that's the way you need it to be.
    12. Don't forget your Windows Updates - at least, don't neglect any "security" or "critical" updates that relate to Windows, IExplorer, Office, and Media Player.
    13. While you're at it - it's probably not a bad idea to update all of your software (stuff like your Flash plugins or Adobe Reader), just to help patch up any little holes that might still exist.
    14. You can't go far wrong with buying yourself the latest Norton product or somesuch, though it's an expensive option and I don't really think it's necessary unless you really want an added layer of protection at the point of entry to catch such garbage. The more stuff you run, the slower things will get.

    Hmmm. I've probably forgotten at least one important thing. Hope this helps, though. Have patience - it tends to get faster and faster as successive problems are removed.

    [Edit]
    A slightly improved approach, faster and more secure (especially since you may have a hell of a time getting to the "real" websites you want to find on your hijacked machine): download all the stuff you need on some other (clean) computer, burn it onto a CD if you can, put it on write-protected floppies if you must, put it onto a USB drive or flash media if you have no other options - then install all this stuff on your machine from there.

    [Edit]
    Re-reading this thread, it seems like you're a teeny bit angry. I heartily recommend you direct your swearing and abuse to Hotbar and 180solutions (now merged under Zango) - the fine people who've carefully crafted your problems. Any 733t h4x0rs who've decided to take advantage of your downed machine certainly didn't help, but aren't the initial cause, they're just bored underskilled vultures.
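Steps 6 and 10 of the post above as a script, added here and not part of Konrad's post or any product's own tooling: it lists every running process with its image path and Authenticode signature status, then the local accounts and the members of Administrators, and writes a report to review against a process library. It assumes Windows PowerShell 3 or later run as an administrator on the affected machine; the report path is a placeholder.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 3+ run as an
# administrator. It deletes nothing: it builds an inventory for review, matching
# steps 6 and 10 above (running processes, local user accounts).
param(
    [string]$ReportPath = "$env:USERPROFILE\Desktop\triage-inventory.txt"  # placeholder
)

# Step 6: each process, its image path, and whether that image is validly signed.
# Unsigned binaries outside the Windows directory are the first ones to look up.
$processes = Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.Path
    [pscustomobject]@{
        Pid       = $_.Id
        Name      = $_.ProcessName
        Path      = $_.Path
        Signature = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}
$suspect = $processes | Where-Object {
    $_.Signature -ne 'Valid' -or $_.Path -notlike "$env:SystemRoot\*"
}

# Step 10: local accounts (disabled ones too) and who sits in Administrators.
# Anything you did not create belongs on the review list.
$accounts = Get-CimInstance Win32_UserAccount -Filter "LocalAccount = TRUE" |
    Select-Object Name, Disabled, SID
$admins = Get-CimInstance Win32_GroupUser |
    Where-Object { $_.GroupComponent.Name -eq 'Administrators' } |
    ForEach-Object { "$($_.PartComponent.Domain)\$($_.PartComponent.Name)" }

"== Processes: $($processes.Count) running, $($suspect.Count) to review ==" |
    Out-File -FilePath $ReportPath
$suspect | Sort-Object Path | Format-Table -AutoSize | Out-String -Width 200 |
    Out-File -FilePath $ReportPath -Append
"== Local accounts ==" | Out-File -FilePath $ReportPath -Append
$accounts | Format-Table -AutoSize | Out-String | Out-File -FilePath $ReportPath -Append
"== Members of Administrators: $($admins -join ', ')" |
    Out-File -FilePath $ReportPath -Append
Write-Host "Inventory written to $ReportPath"
```

Run it again after each cleanup pass; a process or account that reappears between passes is the kind of persistence the post warns about.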
     
  4. Konrad Pierce

    Konrad Pierce Village Idiot 2.0

    Then again, you could always just install linux or buy a Mac ...
     
  5. headcronie

    headcronie Greyscale. Nuff Said. Super Moderator

    Oh crud, I'm horribly sorry Konrad. Meant that as a Red rep. Shame on me and all that. :eek:

    Regardless, thanks for the footwork. Indeed some terrible software on there. Best wishes to you Streaky as you work through this very challenging task. Keep us posted. There's enough tech smarts here to get you through it. :D
     
  6. jigwashere

    jigwashere Mobile Deity

    I have SpywareBlaster installed! :mad:

    EDIT: Spyware Search and Destroy finds no immediate threats.
    Norton 360 is coming up clean.
    Ran CCleaner
    I do have ZoneAlarm anti-spyware installed.
    Running F-Secure right now
     
  7. BrentDC

    BrentDC Perspective is everything

    I've always used Kerio Personal Firewall and Avira AntiVir (the latter of which I've been extremely happy with), and have never had a problem with them on WinXP SP2. I also use FireFox exclusively, so...? (they are both probably bogus, right? :rolleyes: )
     
  8. r0k

    r0k Dazed

    The way I got this sort of stuff off of my kids' machines was to boot in safe mode and then go out to the file system and look for exe files around the date of the infestation. The infestations came in waves and by deleting all the exe's around that date I made a lot of progress. On my daughter's machine, she had 1500 virii exe files, most of them replicas of the original infection. There was spyware that would shut down task manager and regedit if I tried to run them. There was spyware that would restart if I killed its process. It was quite a battle but I eventually won. Now they run macs on limited accounts. I gave my daughter system preferences access, but the second I catch her up to something like extending the hours she is allowed to ichat or installing any binaries whatsoever, she goes back in kiddie status.

    Mac parental controls work well and are easy to configure. Unfortunately, some settings I wish were in there are not there. No big deal. I make do**. ;)


    (** crontab)
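r0k's date-window search as a script, added here and not from the post: it lists executables created within a few days of a given infection date, hashes them so the "1500 replicas" pattern shows up as one hash repeated many times, and writes the unsigned candidates to a CSV for review instead of deleting them. It assumes Windows PowerShell 4 or later (for Get-FileHash) run from Safe Mode or with the disk mounted on a clean machine; the date, roots and output path are constructed sample values.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 4+ run from
# Safe Mode (or against a disk mounted on a clean machine). It only lists
# candidates; deletion is left to the reviewer, since one wrong guess removes a
# legitimate file.
param(
    [datetime]$InfectionDate = '2008-02-01',   # constructed: the day the popups began
    [int]$WindowDays = 3,
    [string[]]$Roots = @($env:SystemRoot, $env:ProgramFiles, $env:USERPROFILE),
    [string]$Out = "$env:USERPROFILE\Desktop\exe-candidates.csv"   # placeholder
)

$from = $InfectionDate.AddDays(-$WindowDays)
$to   = $InfectionDate.AddDays($WindowDays)

# Executable types to inspect; droppers rarely stick to .exe alone.
$exts = '.exe', '.dll', '.scr', '.com', '.pif'

$candidates = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            $exts -contains $_.Extension.ToLower() -and
            $_.CreationTime -ge $from -and $_.CreationTime -le $to
        } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Hash      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signature = $sig.Status
            }
        }
}

# The same hash appearing many times is the replica pattern from the post.
$candidates | Group-Object Hash | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 | Format-Table -AutoSize

$candidates | Where-Object Signature -ne 'Valid' | Sort-Object Created |
    Export-Csv -Path $Out -NoTypeInformation
Write-Host "$($candidates.Count) executables in window; unsigned ones written to $Out"
```

Widen the window if the first pass finds nothing; infections that arrive in waves, as the post describes, leave several clusters of creation times.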
     
  9. BrentDC

    BrentDC Perspective is everything

    Out of curiosity r0k, how old are your kids?
     