flintridgeparkenfarker vonkerschnauzerheiden
This is my first and I think I've gotten rid of it, but we'll see.
Fortunately for me, I had taken a screenshot of my processes running just
prior to this wicked infiltration so I had a great starting point. You know,
the 3-fingered salute: CTRL-ALT-DELETE and click the "Processes" tab. It's
good to view this once in a while to keep abreast of what is running
normally. Hit the "print screen," button, open "Paint" or whatever, and
paste it, or make a list of all the processes that normally are running.
This is very valuable information.
Anyway, I went to this website "here4search.com" (DON'T GO THERE!!) and I
was immediately warned by XP's firewall that a possibility of malicious
stuff was going on with port 443 [or something]. By the time I disconnected,
the damage was done. Every time I got online IE got hi-jacked.
So, I copied the URL of the site to which I was taken, did a registry search
and changed all the entries that matched, back to my home page. (I know,
very crude) I did this several times after re-booting only to find the
entries back to the evil site's URL.
I did the 3-fingered salute to see what processes were running. I found one
with an ugly name that didn't belong there because it didn't match my
picture taken just days before. I opened Windows Explorer, did a file search
and I deleted it. I checked my internet connections folder and found that
the *.exe file had created its own connection configuration, so I deleted
that.
I went to C:\Windows\System32 and sorted all the files by creation date. I
couldn't believe it! I had files in there with the ".dll" extension
concatenated about a dozen times on some of them so that some of the file
names were extremely suspicious (5626kluujx5i.dll.dll.dll.dll.dll. [etc])
was one of them. Anyway, I tried to delete all the .dll files that were
created between Jan 25 [the fateful day] and today since I know I didn't
install any programs in that timeframe.
I was denied access to several of these files because either IE or Explorer
was using them (I guess) as an IE third party add-in (thank you very much
M$). I noticed also that they (.dll files) were being re-created after I
would delete them and restart my computer. (This may have taken place before
I checked the processes running and deleted the .exe file, I'm not
sure--probably though).
So anyway, for the .dll's that wouldn't give me access for deletion, I
closed Explorer and IE and opened a DOS window. I typed:
del 5626kluujx5i.dll and was allowed to delete 2 more of the last 4. So now
I had 2 left. I changed the filenames, rebooted, and then was allowed to
delete the last 2 .dll files.
I didn't do this methodically and/or scientifically. I was pissed and wanted
results so the exact sequence of my actions cannot be verified; therefore,
I'm not entirely sure if I got the executable file that was slipped into my
backside so quickly, but I think I at least broke the chain needed to
hi-jack my browser.
At any rate, so far so good. I can't believe I had to spend that much time
fixing my computer from simply visiting a web site, but then, maybe it
wasn't the website. Maybe it was simply a derelict scanning the web for
suckers with a vulnerable port like me. I can only blame myself. I actually
expected the firewall to not only detect and warn me of malicious goings on,
but to PREVENT the infiltration. Shows ya how much I know.
For what it's worth, I don't know if I'm out of the woods yet, but maybe
someone can get some useful tips out of what I've experienced. I don't like
downloading bloated patches from M$. I like to know what's going on with this
box as probably most of you do [excluding the seasoned, propeller-headed
veterans--naturally]. Of course, I DON'T know what's going on, but I try.
I'll probably have to eat my post later when I'm forced into using the
dreaded, bloated, patch. I hope not. I've re-booted and gotten online
several times now without being hi-jacked and no new .dll files have been
created, so I think I got rid of it.
Oh yeah, I'm not sure how much of a pain in the ass this is going to be, but
I changed my Advanced Internet Options to not allow any third party add-ins.
I don't know if this change will be effective for prevention.
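The two checks the post does by hand (compare a "known good" process snapshot against the current one, and sort System32 by creation date looking for DLLs that appeared in a window when nothing was installed) can be scripted so the comparison is repeatable instead of eyeballed. The following is an added example, not code from the post; the process names, the `unknownproc.exe` name, the file entries and the year on the dates are constructed sample data, and `5626kluujx5i` is only the name quoted in the post, not a real indicator.

```python
"""Baseline-and-diff triage helpers (added example, not from the original post).

Two detections the post performs manually:
  1. diff the current process list against a saved snapshot of what
     normally runs, and report anything new;
  2. flag .dll files in a system directory created inside a window when
     the owner knows nothing was installed, plus any file whose extension
     is stacked (".dll.dll.dll..."), which is suspicious on its own.
All sample data below is constructed for illustration.
"""
from datetime import datetime
import re

# An extension repeated two or more times at the end of a name, optionally
# followed by a trailing dot, e.g. "x.dll.dll.dll." (the form the post quotes).
STACKED_EXT = re.compile(r"(\.[A-Za-z0-9]{1,4})\1+\.?$")


def new_processes(baseline, current):
    """Return process names present now but absent from the baseline snapshot.
    Comparison is case-insensitive because Windows file names are."""
    known = {p.lower() for p in baseline}
    return sorted({p for p in current if p.lower() not in known})


def suspicious_dlls(entries, start, end):
    """entries: list of (file name, creation datetime) as read from the
    directory listing. Returns a list of (name, reason) tuples for .dll
    files created in [start, end] and for any stacked-extension name."""
    hits = []
    for name, created in entries:
        reasons = []
        # rstrip(".") so a trailing dot does not hide the .dll extension
        if name.lower().rstrip(".").endswith(".dll") and start <= created <= end:
            reasons.append("created in window")
        if STACKED_EXT.search(name):
            reasons.append("stacked extension")
        if reasons:
            hits.append((name, ", ".join(reasons)))
    return hits


# Constructed sample data: the snapshot taken "just days before" and a later
# capture of the Processes tab. "unknownproc.exe" stands in for the unnamed
# executable in the post.
BASELINE = ["System", "smss.exe", "csrss.exe", "winlogon.exe",
            "explorer.exe", "iexplore.exe"]
CURRENT = ["System", "smss.exe", "csrss.exe", "winlogon.exe",
           "explorer.exe", "iexplore.exe", "unknownproc.exe"]

# Constructed System32 listing: (name, creation date). The year is made up;
# the post only says "Jan 25".
SYSTEM32 = [
    ("kernel32.dll", datetime(2003, 1, 15)),
    ("5626kluujx5i.dll", datetime(2004, 1, 26)),
    ("5626kluujx5i.dll.dll.dll.dll.dll.", datetime(2004, 1, 27)),
    ("shell32.dll", datetime(2002, 8, 29)),
]
WINDOW_START = datetime(2004, 1, 25)  # "the fateful day"; year constructed
WINDOW_END = datetime(2004, 1, 31)


def triage():
    """Run both checks over the sample data and return their results."""
    return (new_processes(BASELINE, CURRENT),
            suspicious_dlls(SYSTEM32, WINDOW_START, WINDOW_END))


if __name__ == "__main__":
    procs, hits = triage()
    print("processes not in baseline:", procs)
    for name, reason in hits:
        print(f"suspicious file: {name} ({reason})")
```

On a live machine the `entries` list would come from walking the directory with `os.scandir()` and reading each entry's `st_ctime`; the diff logic is unchanged. Keeping the baseline as a plain text file rather than a screenshot is what makes the first check mechanical.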