extropalopakettle
No offense, but....
|
Posted: Wed Feb 11, 2004 1:33 am Post subject: 1 |
|
|
While I never seem to stumble into this problem myself, quite a few times recently I've been asked by a friend or relative to help them with computer problems that, to me, are mind-boggling. Such as, the browser home page being replaced with something else. coolwebsearch seems to be a notorious one - AdAware and Spybot don't fix it - there's a special util called cwsshredder specifically written to fix that one. But they don't just replace the home page. In the worst case, they infest the machine with repeated spontaneous browser openings (when no browser is initially open) to porn sites. I'm not sure, but I think some of them also sell the "cure" to the problem they create for something like $130, while warning the victim that the cops may find out about the underage porn on their machine. If you want to screw somebody's machine, go to teenhqpics.com (WARNING: PORN, and it won't go away), but I tried it with Norton Antivirus running, and it caught it - not an actual virus, I don't think. cwsshredder clears it up. If anyone isn't doing it already, I recommend going to http://windowsupdate.microsoft.com/ for the latest "critical" security updates (free, and painless web based install, though you may have to reboot once or more). I don't recommend non-critical updates (having had a bad experience with an upgrade to Windows Media Player 9.0). We always do it where I work, but I never saw the need for doing it at home until I saw these browser hijackings happening.
Anyway, I'm seeing these problems more and more, and they're more and more difficult to clean up each time. What I haven't seen is exactly how people are getting into these messes. Well, one way would be by going to that porn site without protection.
Anyone else seen this stuff?
[edit]Because not everybody reads the warning, I have disabled the link.[/edit]
[This message has been edited by DP (edited 02-14-2004 02:39 AM).] |
|
The Ktulu
Daedalian Member
|
Posted: Wed Feb 11, 2004 1:37 am Post subject: 2 |
|
|
| Yeah, I hate when my home page changes to something stupid. But it hasn't happened so much lately. Maybe giving up porn helps...who knows?... |
|
Burglyrm
Daedalian Member
|
Posted: Wed Feb 11, 2004 2:02 am Post subject: 3 |
|
|
You mean, it just changes, or it continues to change, even after you've reset it to your normal homepage? Cause you can just go into internet properties and reset it for internet explorer, and the same thing (although you have to go into netscape preferences) for netscape.
------------------
You see, a sphere is actually a dice infinity..... |
|
Vegetable
cannibal
|
Posted: Wed Feb 11, 2004 2:04 am Post subject: 4 |
|
|
| I had a nasty bit of spyware on my computer a bit ago that would do something like that. Constantly reroute the homepage to some site, that gave me 2 popups, 1 in notepad, 1 that opened my CD rom. Then tried to tell me these were signs that I needed to buy their antivirus software or something. Ad-aware nuked the hell out of it. |
|
Beartalon
'Party line' kind of guy
|
Posted: Wed Feb 11, 2004 2:30 am Post subject: 5 |
|
|
Most of these are generally spy/ad-ware programs that keep changing the settings of IE or Netscape on a regular basis (restart, timed, when the browser is opened). I can write a VB script that looks for an open browser instance and meddles with it, so it's not difficult. What is hard is sometimes getting rid of it.
Two friends I have can't uninstall one particular program. I can't recall the name - savenow? When uninstalled by AdAware, they lose the ability to change their system settings in Control Panel.
Between ZoneAlarm, Norton Systemworks, XP firewall and AdAware, with the preview panes turned off in Outlook and Eudora, I only receive virus/ad/spyware through email attachments and I don't open any attachment before it's scanned. What I hate is that I can't check to see if an HTML-based email has web scripting in it that's going to perform some trick.
[This message has been edited by Beartalon (edited 02-10-2004 09:30 PM).] |
|
extropalopakettle
No offense, but....
|
Posted: Wed Feb 11, 2004 2:38 am Post subject: 6 |
|
|
| Quote: |
| You mean, it just changes, or it continues to change, even after you've reset it to your normal homepage? |
Continues to change after setting it back. A google search on coolwebsearch gets 33,800 hits, all that I looked at describing the hideous nightmare and/or how to fix it. It's amazing how a few people can screw so many and get away with it. |
|
Qirat
Daedalian Member
|
Posted: Wed Feb 11, 2004 2:38 am Post subject: 7 |
|
|
I had a problem with random pop-ups. The best thing to do, if nothing else works, is look at one of the popups (the porn ones work best, you'll understand why in a sec) and find an e-mail address corresponding to the webmaster or something. e-mail that address and tell whomever is the recipient that these pop-ups are occurring, their material is shown on them, and it's pissing you off. Even if it's not their software, they likely know what's involved in getting rid of it, and will tell you rather than risking a lawsuit from irate people over a shady business practice.
------------------
How many vegetables had to die for your stupid salad??? |
|
Ghost Post
Icarian Member
|
Posted: Wed Feb 11, 2004 2:52 am Post subject: 8 |
|
|
I download p0rn all the time and never have this problem.
Here's what I do, cause I fix shit like this all the time AND the university pays me to do such.
1) Install Adaware
-Do a full scan, in safe mode (twice if necessary)
2) Install Spy-bot
-Make sure you do the updates, otherwise, it's worthless
-Do the immunize
-Do a full scan, in safe mode (twice if necessary)
3) Get HijackThis!
-Run it
-Look for unfamiliar stuff (especially in 01 category)
-Delete stuff associated with the crap you're getting
4) Use Mozilla (I prefer FireFox) if you're going to go looking for cracks or p0rn.
5) Once all that is done and you can't access important system files. Start->Run->sfc /scannow
Works for me, works for my clients
[This message has been edited by Merc's Boyfriend (edited 02-10-2004 09:54 PM).] |
|
Courk
Daedalian Member
|
Posted: Wed Feb 11, 2004 3:03 am Post subject: 9 |
|
|
My homepage should be google. Key word: should.
Sometimes when I open it I get a search engine (that I've never been to in my life). It's red and white with a little bit of black.
Other times it opens a different search page, this one blue and yellow and white.
It's funny to watch, because the two different virii or whatever are fighting with each other to see who gets to infect my computer at that time.
I have virtually every problem possible with my computer. I'm actually beyond caring. Remember that one Simpsons episode when the doctor told Mr. Burns that he was alive only because he had EVERY disease and their struggle with each other was keeping them distracted and keeping him alive? Yeah. I like to call mine Mr. Burns. |
|
Mercuria
Merc's Husband's Wife!
|
Posted: Wed Feb 11, 2004 3:05 am Post subject: 10 |
|
|
hun, i look for that stuff on my computer all the time, and i never get infected... not even at CRACKS.AM... stop giving bad advice ;p
you just have to click no/cancel, and then click away from the dialogue box that pops up in some kind of order (if you do it right, the "you have to click yes" dialogue will *not* pop back up--try a few times if it's a problem), and then you're free to download the cracks for, uhm... educational study.
of course, this only works if you've updated since... uhm... a couple months ago? something like that.
aim virus going around, in messages this time (as opposed to in the profile), so watch out for that... avoid links from friends that contain osama ;p
|
|
wordcross

|
Posted: Wed Feb 11, 2004 4:45 am Post subject: 11 |
|
|
| yeah, i just got that from someone. The page comes up and gives you one of those "do you accept such and such download" thing about capturing Osama. Down at the bottom of the page it says something about it not being a real news story, just the trailer for a video game or something. I didn't open it beyond that page, and when i tried to IM the person back, they weren't responding, so i figured it was a crap-link |
|
HappyMutant
Daedalian again
|
Posted: Wed Feb 11, 2004 2:35 pm Post subject: 12 |
|
|
*Enters, leaves a stack of Linux CDs on a prominent table, walks away* ^^^
|
|
extropalopakettle
No offense, but....
|
Posted: Wed Feb 11, 2004 2:56 pm Post subject: 13 |
|
|
| yeah, yeah. There have been linux worms and viruses though. Not that microsoft products aren't crap, security-wise especially, but due to their prevalence (and the fact that l33t h4x0rs and script kiddies alike hate them) they are targeted far more often. |
|
Werebear
Daedalian Member
|
Posted: Wed Feb 11, 2004 3:02 pm Post subject: 14 |
|
|
| If you have Windows XP, there's a system setting that allows "messages" to be sent to your computer. So even when you're not web surfing, you get popup ads. Nearly drove me nuts until someone shut the messaging off for me. |
|
Beartalon
'Party line' kind of guy
|
Posted: Wed Feb 11, 2004 3:04 pm Post subject: 15 |
|
|
Mercuria, clicking "no" or "cancel" doesn't protect you that simply. Those can be mapped to any commands the programmer wants.
Speaking of such, something that really bothers me is looking in my IE history and seeing pages that I know I never surfed AND never saw the address in the address bar. It's these hidden popups or browser redirects that happen so fast you don't notice.
Last night, while surfing, my computer was suddenly taken over by ginst_001_1234_4201.exe and ran my CPU to 100%, disabusing my access to whatever I was running. ZoneAlarm didn't ask if it could run. It was the Internet install of Gator software (a whole suite of annoyware) and I never explicitly said "yes" to any download nor visited a site with explicitly labelled downloads on it. In order to get control, I had to reboot, use ZoneAlarm to refuse it Internet access and it tried 53 times in a few seconds before it stopped trying. I found the program in my IE Temp folder, which means some page I went to placed the file there. When it ran, it had put itself into the start-up files as a process. I stopped the service, removed it from msconfig, rebooted and deleted the folder and files after uninstalling what it tried to add to my system.
As much as they do well in protecting, these spam and spy killing software just don't work in every situation.
[This message has been edited by Beartalon (edited 02-11-2004 10:04 AM).] |
|
Bo
Daedalian Member
|
Posted: Wed Feb 11, 2004 3:05 pm Post subject: 16 |
|
|
Here's a good tool to run to see everything that is starting up when your computer boots. The result will help you track down where programs are starting from.
http://www.merijn.org/files/StartupList.exe |
|
Bo
Daedalian Member
|
Posted: Wed Feb 11, 2004 3:18 pm Post subject: 17 |
|
|
Also, it's much better to learn where and how a virus can run on your PC than to depend solely on all these anti-virus or anti-ad/spyware programs. There's only so many ways to hide and execute these programs.
For instance, a lot of them hide executables and .dll files in your C:\WINDOWS\Fonts directory since even if you have all hidden and system files displayed, they won't show up in explorer. You have to right click on the folder and do a search for *.*
Test it out and you'll see that the folder has twice as many files in it as explorer normally shows you since it is a system font folder. If you see any dll files or exe files in there delete them right away. There should only be ttf and fon files there. |
|
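The Fonts folder check from post 17, as an added example that is not part of the original thread: it lists every entry in a directory (not just what Explorer shows) and reports anything that is not a `.ttf` or `.fon` file. It goes one step beyond the post by also reading the first bytes of each file, so an executable renamed to `.ttf` is reported too; the function names and the sample files are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Extensions the post says belong in the Fonts folder.
ALLOWED_EXTENSIONS = {".ttf", ".fon"}

# First four bytes of a TrueType/OpenType file (sfnt version tags).
SFNT_MAGICS = {b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf"}


def audit_fonts_dir(fonts_dir):
    """Return a sorted list of (filename, reason) for entries that look out of place."""
    findings = []
    # os.scandir returns every entry, unlike the Explorer view of the Fonts folder.
    with os.scandir(fonts_dir) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                findings.append((entry.name, "not a regular file"))
                continue
            ext = Path(entry.name).suffix.lower()
            if ext not in ALLOWED_EXTENSIONS:
                findings.append((entry.name, f"unexpected extension {ext or '(none)'}"))
                continue
            with open(entry.path, "rb") as fh:
                head = fh.read(4)
            # A .ttf must start with an sfnt tag; a .fon is a resource
            # library and legitimately starts with the "MZ" header.
            if ext == ".ttf" and head not in SFNT_MAGICS:
                findings.append((entry.name, ".ttf extension but no font header"))
            elif ext == ".fon" and head[:2] != b"MZ":
                findings.append((entry.name, ".fon extension but no MZ header"))
    return sorted(findings)


def build_sample_dir(root):
    """Constructed sample data: two plausible fonts and three planted files."""
    samples = {
        "arial.ttf": b"\x00\x01\x00\x00" + b"\x00" * 12,
        "vgasys.fon": b"MZ" + b"\x00" * 14,
        "helper.dll": b"MZ" + b"\x00" * 14,   # flagged by extension
        "update.exe": b"MZ" + b"\x00" * 14,   # flagged by extension
        "tahoma.ttf": b"MZ" + b"\x00" * 14,   # executable renamed to .ttf
    }
    for name, data in samples.items():
        Path(root, name).write_bytes(data)


def demo():
    """Run the audit over the constructed sample directory."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_dir(root)
        return audit_fonts_dir(root)


if __name__ == "__main__":
    # On a Windows machine, call audit_fonts_dir(r"C:\WINDOWS\Fonts") instead.
    for name, reason in demo():
        print(f"{name}: {reason}")
```

The script only reports; review each finding before deleting anything. Newer Windows versions also ship `.ttc` and `.otf` fonts and a `desktop.ini` in that folder, so extend `ALLOWED_EXTENSIONS` accordingly there.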
extropalopakettle
No offense, but....
|
|
Samadhi
+1
|
Posted: Wed Feb 11, 2004 7:56 pm Post subject: 19 |
|
|
Also, most crap comes in through DirectX. I disable mine everywhere except a few trusted sites.
I recommend EVERYONE does this. If you don't know how:
Blocking
Tools-->Internet Options-->Security
Highlight Internet. Medium is usually good enough. Still allows ActiveX that you've OK'd, like from Microsoft or something, prompts you for permission to run signed ActiveX and disables any unsigned ActiveX.
Allowing
Highlight Trusted Sites. Choose low. Be really sure you can depend on this site to not abuse you, because they can if they're on the list. Click the sites button. Type in the url you want to give an open door to and click add. If they aren't HTTPS you'll need to uncheck the box at the bottom.
Also, I remember that WhenUSaveNow crap. Installed by driveby ActiveX and initiated my education about this mierda. You can see it in your processes and can end it and even delete it. But it hides a registry key that reinstalls it at start up. At the time, adaware and spyware did not remove it. They do now.
If you ever run into something that won't go away, this is a pretty good site for manual removal of most parasites. |
|
Beartalon
'Party line' kind of guy
|
Posted: Wed Feb 11, 2004 9:54 pm Post subject: 20 |
|
|
extro - I've downloaded all the MS Security patches, unless there are ones Windows Update doesn't give me.
Samadhi - that might be my issue. |
|
Ghost Post
Icarian Member
|
Posted: Wed Feb 11, 2004 10:20 pm Post subject: 21 |
|
|
You can go through and disable all the stuff you don't agree with in ActiveX settings, but, if you use Spybot S&D and the immunize option, it automatically sets all these settings to a custom method.
Those settings have never interfered with my browsing and I'm crap free. |
|
Mercuria
Merc's Husband's Wife!
|
Posted: Wed Feb 11, 2004 10:20 pm Post subject: 22 |
|
|
| Quote: |
| Mercuria, clicking "no" or "cancel" doesn't protect you that simply. Those can be mapped to any commands the programmer wants. |
not to the site dialogue--to the microsoft warning box (do you really want to install blah blah certified by blah blah)... which is why i said you needed to be updated.
direct connect also has ads that want to install gator. and popups... and popups that want to install gator =/ |
|
Antrax
ESL Student
|
Posted: Wed Feb 11, 2004 10:27 pm Post subject: 23 |
|
|
Other than installing all these fine programs (Ad-Aware and Spybot I know and recommend of, and it's no secret I've been using Mozilla ever since it came out, more or less), I strongly advise to disable windows services if you don't need them. I'm talking especially about things like the RPC service, DCOM, Messenger and the such.
Antrax
------------------
"Look, that's why there's rules, understand? So that you think before you break 'em" - Lu-Tze, Thief of Time |
|
Mercuria
Merc's Husband's Wife!
|
Posted: Wed Feb 11, 2004 10:27 pm Post subject: 24 |
|
|
oh, and,
| Quote: |
| If you have Windows XP, there's a system setting that allows "messages" to be sent to your computer. So even when you're not web surfing, you get popup ads. Nearly drove me nuts until someone shut the messaging off for me. |
it's not just xp... i'm rather upset at having to turn it off because i used to use that service to get in touch with people (after phone call hours) if aim went down ('cause hey, everybody on campus has aim). |
|
KingPin
Daedalian Member
|
|
Chuck
Daedalian Member
|
|
Samadhi
+1
|
Posted: Fri Feb 13, 2004 8:19 pm Post subject: 27 |
|
|
| Quote: |
| I'm talking especially about things like the RPC service, DCOM, Messenger and the such. |
I've heard that before, where is that?
And what exactly do they do? |
|
Antrax
ESL Student
|
Posted: Fri Feb 13, 2004 9:34 pm Post subject: 28 |
|
|
RPC is "remote procedure call". I'm not quite sure what its real purpose is, but worms love it because it lets them execute instructions on remote machines.
DCOM is Distributed Common something something. It's meant to let you view, say, Word documents on my computer, even if you don't have Word but I do, by querying your computer. It's very object-oriented, and also very loved by worms, who again can execute code.
Messenger is meant to send messages between computers in a network. It's also used to send annoying pop-up spam.
You can view your services in one of two ways:
Under control panel, "Administrative Tools", services.
Or Start->Run. Type "msconfig". Look under the "services" tab.
Since windows has many components, you might not know what's legit and what's not, or what's dangerous and what isn't. There are two solutions. Firstly, in msconfig you can check the box that says "hide Microsoft services" and see what's left over. This will help you recognise spyware that disguises itself like a legitimate service (some just add a service called "haha screwed you" or something similar), and just services you don't need.
The other way is slower, but much more informative and reliable -- you can just google for the service name (and in many cases, the executable name). If it's a virus, you'll probably get Symantec.com explaining what virus it is. If it's a legit Windows service, you'll get a site like lilutils.com explaining what the service is and what it does. If it's neither, you'll just know what it does by the name (like I have ATI Display control, etc).
Antrax
------------------
"Look, that's why there's rules, understand? So that you think before you break 'em" - Lu-Tze, Thief of Time |
|
mudbuck
Dirty Dollar
|
Posted: Sat Feb 14, 2004 12:19 am Post subject: 29 |
|
|
Bah. In accordance my one time clicking on links before I even read the text, I got the nasties on the computer.
Extro, please unlink that link. |
|
Vinny
Promiscuous enough
|
Posted: Sat Feb 14, 2004 12:59 am Post subject: 30 |
|
|
Extro, you need an adwares killer program. The good one out there is Adaware and SpyHunter.
Huey purchased a valid licensed SpyHunter program. Seems to work pretty well in eliminating all the adwares on our computers. I'll get him to lend you a copy in a little bit.
|
|
Samadhi
+1
|
Posted: Sat Feb 14, 2004 2:29 am Post subject: 31 |
|
|
RPC - "Essential service" It won't let me stop that.
|
|
Martin_levi3935
Daedalian Member
|
Posted: Sat Feb 14, 2004 3:00 am Post subject: 32 |
|
|
| Hmm I found out that if you are easy going life goes better for ya. And I'm living proof. So maybe become more easy going and maybe your computer will be easy going with no problems. That also goes for cheese of baby back ribs of the council of Teletubbies. |
|
Ghost Post
Icarian Member
|
Posted: Sat Feb 14, 2004 3:46 am Post subject: 33 |
|
|
RPC is actions that remote admins or users can do...
You can't disable RPC, but you can disable Remote Registry (RPC) etc etc etc...
Anything that ends in (RPC)
And don't just turn it off, stop it and disable it |
|
Beartalon
'Party line' kind of guy
|
Posted: Sat Feb 14, 2004 4:32 am Post subject: 34 |
|
|
RPC = Remote Procedure Call (as stated)
DCOM = Distributed Common Object Model (to complete Antrax)
|
|
MatthewV
Daedalian Member :_
|
Posted: Sat Feb 14, 2004 4:41 am Post subject: 35 |
|
|
| This looks like a problem that is solved by using a Mac. Or maybe just a less used browser that has twice as many holes in it but nobody wants to find them. |
|
Ghost Post
Icarian Member
|
Posted: Sat Feb 14, 2004 4:52 am Post subject: 36 |
|
|
I have a Mac, a very sweet PowerBook, but I still have a PC, therefore must protect myself.
On the other hand, I don't like a lot of programs on my PC and since you can't uninstall IE (being that its engine is what powers windows explorer) I just make it nice and secure.
Although FireFox is very now (I use it on my Mac, since it seems to support a lot more than Safari) |
|
Chuck
Daedalian Member
|
Posted: Sat Feb 14, 2004 4:53 am Post subject: 37 |
|
|
| Someone should invent a browser that does nothing but display text and pictures. It would be hard to exploit software that doesn't know how to do anything. |
|
Ghost Post
Icarian Member
|
Posted: Sat Feb 14, 2004 4:58 am Post subject: 38 |
|
|
I'm sure if you went putting around oldversion.com you could find yourself a nice version of IE 3 or 4 =]
Then again, I don't think it supports xml, asp, or java...
So... you'd be really limited
I think Mozilla/Firefox is the best you can go with |
|
DP
One of a weyr
|
Posted: Sat Feb 14, 2004 7:40 am Post subject: 39 |
|
|
| I have disabled the porn link, as apparently a warning in bold is not enough for some click-happy members. |
|
Antrax
ESL Student
|
Posted: Sat Feb 14, 2004 10:16 am Post subject: 40 |
|
|
Explorer 3 or 4 are anything BUT secure. If you want that, Chuck, go get Lynx
Antrax
------------------
"Look, that's why there's rules, understand? So that you think before you break 'em" - Lu-Tze, Thief of Time |
|