hi-jacked browser

  • Thread starter flintridgeparkenfarker vonkerschnauzerheiden
flintridgeparkenfarker vonkerschnauzerheiden

This is my first and I think I've gotten rid of it, but we'll see.

Fortunately for me, I had taken a screenshot of my processes running just
prior to this wicked infiltration so I had a great starting point. You know,
the 3-fingered salute: CTRL-ALT-DELETE and click the "Processes" tab. It's
good to view this once in a while to keep abreast of what is running
normally. Hit the "Print Screen" button, open "Paint" or whatever, and
paste it, or make a list of all the processes that normally are running.
This is very valuable information.

Anyway, I went to this website "here4search.com" (DON'T GO THERE!!) and I
was immediately warned by XP's firewall that a possibility of malicious
stuff was going on with port 443 [or something]. By the time I disconnected,
the damage was done. Every time I got online IE got hi-jacked.

So, I copied the URL of the site to which I was taken, did a registry search
and changed all the entries that matched, back to my home page. (I know,
very crude) I did this several times after re-booting only to find the
entries back to the evil site's URL.

I did the 3-fingered salute to see what processes were running. I found one
with an ugly name that didn't belong there because it didn't match my
picture taken just days before. I opened Windows Explorer, did a file search
and I deleted it. I checked my internet connections folder and found that
the *.exe file had created its own connection configuration, so I deleted
that.

I went to C:\Windows\System32 and sorted all the files by creation date. I
couldn't believe it! I had files in there with the ".dll" extension
concatenated about a dozen times on some of them, so that some of the file
names were extremely suspicious; 5626kluujx5i.dll.dll.dll.dll.dll [etc.]
was one of them. Anyway, I tried to delete all the .dll files that were
created between Jan 25 [the fateful day] and today, since I know I didn't
install any programs in that timeframe.

I was denied access to several of these files because either IE or Explorer
was using them (I guess) as an IE third party add-in (thank you very much
M$). I noticed also that they (.dll files) were being re-created after I
would delete them and restart my computer. (This may have taken place before
I checked the processes running and deleted the .exe file, I'm not
sure--probably though).
So anyway, for the .dll's that wouldn't give me access for deletion, I
closed Explorer and IE and opened a DOS window. I typed:
del 5626kluujx5i.dll
and was allowed to delete 2 more of the last 4. So now I had 2 left. I
changed the filenames, rebooted, and then was allowed to delete the last 2
.dll files.

I didn't do this methodically and/or scientifically. I was pissed and wanted
results so the exact sequence of my actions cannot be verified; therefore,
I'm not entirely sure if I got the executable file that was slipped into my
backside so quickly, but I think I at least broke the chain needed to
hi-jack my browser.

At any rate, so far so good. I can't believe I had to spend that much time
fixing my computer from simply visiting a web site, but then, maybe it
wasn't the website. Maybe it was simply a derelict scanning the web for
suckers with a vulnerable port like me. I can only blame myself. I actually
expected the firewall to not only detect and warn me of malicious goings on,
but to PREVENT the infiltration. Shows ya how much I know.

For what it's worth, I don't know if I'm out of the woods yet, but maybe
someone can get some useful tips out of what I've experienced. I don't like
downloading bloated patches from M$. I like to know what's going on with this
box as probably most of you do [excluding the seasoned, propeller-headed
veterans--naturally]. Of course, I DON'T know what's going on, but I try.
I'll probably have to eat my post later when I'm forced into using the
dreaded, bloated patch. I hope not. I've re-booted and gotten online
several times now without being hi-jacked and no new .dll files have been
created, so I think I got rid of it.

Oh yeah, I'm not sure how much of a pain in the ass this is going to be, but
I changed my Advanced Internet Options to not allow any third party add-ins.
I don't know if this change will be effective for prevention.
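
As an added example (mine, not the poster's code), the two checks the post above leans on, a process baseline to diff against and a scan of System32 for files created in the infection window whose names have stacked extensions or look machine-generated, written out in Python. The file listing, the process lists and the dates are constructed sample data; only the two odd file names are taken from the post, and the end of the infection window is an assumption.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FileEntry:
    name: str
    created: datetime  # the NTFS creation time Explorer sorts on


# Constructed stand-in for a C:\Windows\System32 listing. Only the two odd
# names come from the post; the dates and the legitimate files are made up.
SAMPLE_SYSTEM32 = [
    FileEntry("kernel32.dll", datetime(2004, 8, 4, 12, 0)),
    FileEntry("shell32.dll", datetime(2004, 8, 4, 12, 0)),
    FileEntry("wininet.dll", datetime(2004, 8, 4, 12, 0)),
    FileEntry("msxml4.dll", datetime(2005, 1, 20, 9, 30)),
    FileEntry("5626kluujx5i.dll", datetime(2005, 1, 25, 21, 14)),
    FileEntry("5626kluujx5i.dll.dll.dll.dll.dll", datetime(2005, 1, 26, 3, 2)),
]

# Constructed process lists: the "screenshot" baseline and a later snapshot.
BASELINE_PROCESSES = ["System", "smss.exe", "csrss.exe", "winlogon.exe",
                      "services.exe", "lsass.exe", "svchost.exe",
                      "explorer.exe", "iexplore.exe"]
CURRENT_PROCESSES = BASELINE_PROCESSES + ["5626kluujx5i.exe"]

# Jan 25 was "the fateful day"; the end of the window is an assumption.
INFECTION_WINDOW = (datetime(2005, 1, 25), datetime(2005, 2, 1))

# An extension of 1-4 characters immediately repeated, e.g. "x.dll.dll".
STACKED_EXT = re.compile(r"(\.[a-z0-9]{1,4})\1", re.IGNORECASE)


def new_processes(baseline: list[str], current: list[str]) -> list[str]:
    """Names running now that were not in the baseline (case-insensitive)."""
    known = {p.lower() for p in baseline}
    return sorted({p for p in current if p.lower() not in known})


def created_in_window(entries: list[FileEntry], start: datetime,
                      end: datetime) -> list[FileEntry]:
    """Files whose creation time falls inside the suspected window, oldest first."""
    return sorted((e for e in entries if start <= e.created <= end),
                  key=lambda e: e.created)


def looks_random(name: str) -> bool:
    """Heuristic for dropper-style names such as 5626kluujx5i.

    Splits the stem into digit runs and letter runs. Real system files mix the
    two at most once (kernel32, msxml4); generated names alternate repeatedly.
    """
    stem = name.split(".")[0].lower()
    runs = re.findall(r"[0-9]+|[a-z]+", stem)
    return len(stem) >= 10 and any(r.isdigit() for r in runs) and len(runs) >= 3


def triage(entries: list[FileEntry], start: datetime,
           end: datetime) -> dict[str, list[str]]:
    """Map each file created in the window to the reasons it looks suspicious."""
    findings: dict[str, list[str]] = {}
    for entry in created_in_window(entries, start, end):
        reasons = []
        if STACKED_EXT.search(entry.name):
            reasons.append("stacked extension")
        if looks_random(entry.name):
            reasons.append("random-looking name")
        if reasons:
            findings[entry.name] = reasons
    return findings


def run_triage() -> dict[str, list[str]]:
    """Run the file checks over the constructed sample listing."""
    return triage(SAMPLE_SYSTEM32, *INFECTION_WINDOW)


if __name__ == "__main__":
    for proc in new_processes(BASELINE_PROCESSES, CURRENT_PROCESSES):
        print(f"new process: {proc}")
    for name, reasons in run_triage().items():
        print(f"{name}: {', '.join(reasons)}")
```

Creation time is the field the post sorted on, and a dropper that sets its own timestamps will simply not fall inside the window; that is why the name heuristics and the process baseline are kept as separate signals rather than folded into the date filter. The looks_random rule is only a prompt to look closer, not a verdict.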
 
Jim Byrd

Hi Flintridge - You might want to take a look at my 'blog' about steps to
take to Defend Your Machine for some preventive measures to help stop this
from happening again:

http://defendingyourmachine.blogspot.com/

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



flintridgeparkenfarker vonkerschnauzerheiden

Jim Byrd said:
Hi Flintridge - You might want to take a look at my 'blog' about steps to
take to Defend Your Machine for some preventive measures to help stop this
from happening again:

http://defendingyourmachine.blogspot.com/

Thanks, Jim. I'll check that out.

Jan Il

Hi Jim :)
Hi Flintridge - You might want to take a look at my 'blog' about steps to
take to Defend Your Machine for some preventive measures to help stop this
from happening again:

http://defendingyourmachine.blogspot.com/

Well done....excellent reference. Got it! :)

Jan :)


Jim Byrd

Thanks Jan :)

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



dave11

Well, I am semi-experienced like yourself and did become obsessed with
issues nearly identical to yours, and can share the ideas that helped me
a lot. First off, I think you had a reasonably good approach... I would
have been a bit more conservative at first, but I realize that at
certain levels of exasperation we get more savage. OK... my quest began
when I could not get rid of mxtarget.dll. Reg edits wouldn't, as it
placed pieces of itself all over and any reboot brought it back.
SpySweeper by Webroot happened to get rid of that one... and I had
downloaded many programs all claiming to get rid of that one. I also
use Ad-Aware Pro SE, which I'm sure you've heard of, and something called
HijackThis, HJT, which creates a log that you can send to several
online forums for fast evaluation. Also go here:
http://www.jasons-toolbox.com/BrowserSecurity/

and download a tool called Script Sentry... he has a number of different
tests and tools to try out.

Lavasoft is an excellent forum
http://www.lavasoftsupport.com/index.php?showforum=44
as is:
http://forums.techguy.org/index.php
as is:
http://www.theeldergeek.com/forum/index.php?
as is:
where we are now... I sometimes have to contact the universe.
OK... also... I almost NEVER use Outlook Express or IE in any form. I
consider them virus and spyware traps at this point. Use Mozilla or
something else. This proactive step will solve 99% of your problems.
You can use the XP disk to uninstall both of them, and good riddance, or
go to the registry and modify the value IsInstalled from a 1 to a zero
here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\InstalledComponents\{89820200-ECBD-11cf-8B85-00AA005B4383}

I use Sygate as a firewall and it's always on with Script Sentry,
Ad-Watch (part of Ad-Aware) and SpySweeper. Also in XP I control which
ports I want open; you can do that here:

Control Panel / Network Connections / double-click Local Area
Connection / Properties / highlight TCP/IP / Properties / Advanced /
Options / Properties

In there you can control exactly what ports you want to leave open.
Also Jason's Toolbox has a script that will show you exactly what ports
are open and what they are doing.

If I must use IE6 for something... and some sites force that... I use it as
briefly as possible with MAXIMUM security settings... make sure you
disable third-party browser extensions in the Advanced tab... this step
alone will stop many hijackers from executing. I do other stuff too,
but these steps above should clear up a lot.

hope this helps...... dave

flintridgeparkenfarker said:
Xref: TK2MSFTNGP08.phx.gbl microsoft.public.windows.inetexplorer.ie6.browser:317602

Tom H

I know, how can they make a software product that vulnerable? But they do
....
I find a layered defense to be effective. Have firewalls and stuff, but
think, OK, if an attacker gets through, what might happen? He might run a
script --- so I've got a program called Script Sentry (check it out); it
makes the default action for a script file to be examined instead of run.
This way, when Bozo the script kiddy manages to sneak the vanguard of his
exploit into your system (the VBS script disguised as whatever, that's
supposed to make reg entries and download further shit), you get an alarm
bell and a window pops up displaying the script instead of the script just
silently running. I was amazed at how frequently scripts would have slid by
if I didn't have this. Another thing they want to do is put entries in the
reg where they start exe files or scripts on startup or reboot. TCMonitor
is software that continually monitors certain reg keys like "runonce"; once
again, it's just amazing how frequently this alarm goes off, having
intercepted an attempt to slide a reg entry in there. Another area I have
software always watching is the browser helper object cache. It's called
BHODemon, and it sets off an alarm bell and displays info whenever an
object tries to insert itself. Again, you'd be surprised at how often web
pages just try to go ahead and insert all this stuff.
Long story short --- yes, have firewalls and AV stuff, but think, "OK, if
they get by all of this, what will they try to do?", and have software
monitor those sensitive areas:
-script interpreters,
-"runonce" type reg entries,
-browser helper objects
There's probably more, but I have ZoneAlarm, Script Sentry, BHODemon,
TCMonitor, and the antivirus/antitrojan trialware du jour --- and since I've
had this system (5 months) I have caught 8 or 9 serious, almost successful
attempts to own my box, where they got through a layer or two even, but
caught them because I had a multilayer defense system.
Good luck!
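A small watcher in the spirit of the reply above (an added example, not code from the thread or from any of the tools it names): it baselines the Run/RunOnce keys and the Browser Helper Objects list, and on later runs raises a warning for any entry that is new or whose command line changed. The baseline file location is an assumption.

```powershell
# Added example, not from the thread: snapshot the "runonce"-type autostart keys
# and the Browser Helper Objects list, then report anything new or changed since
# the last baseline. First run writes the baseline; later runs compare against it.
$BaselinePath = "$env:USERPROFILE\autostart-baseline.json"   # assumed location

$WatchedKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-AutostartSnapshot {
    # Run/RunOnce keep command lines as values; BHOs are subkeys named by CLSID.
    $snap = @{}
    foreach ($key in $WatchedKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $snap["$key\$name"] = [string]$item.GetValue($name)
        }
        foreach ($sub in Get-ChildItem $key) {
            $snap["$key\$($sub.PSChildName)"] = 'subkey'
        }
    }
    return $snap
}

$current = Get-AutostartSnapshot
if (-not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content $BaselinePath
    Write-Host "Baseline written: $($current.Count) entries in $BaselinePath"
    exit 0
}
# ConvertFrom-Json gives an object; turn its properties back into a hashtable.
$baseline = @{}
(Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = $_.Value }

$alarms = 0
foreach ($k in $current.Keys) {
    if (-not $baseline.ContainsKey($k)) {
        Write-Warning "NEW autostart entry: $k = $($current[$k])"; $alarms++
    } elseif ($baseline[$k] -ne $current[$k]) {
        Write-Warning "CHANGED: $k (was '$($baseline[$k])', now '$($current[$k])')"; $alarms++
    }
}
if ($alarms -eq 0) { Write-Host 'No new or changed entries since the baseline.' }
```

Keep the baseline file somewhere the same malware cannot quietly rewrite it (an offline copy, or compare against a copy taken right after a clean install), and re-baseline only after you have checked and accepted each reported entry.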