Computer Hijacked Again!

Ozarker · Jul 22, 2005

You need to go to the Spyware Info forum. But first download a copy of Hijack This, run it, and post the log created by Hijack This on that forum with your request for help.

One of the experts over there will tell you exactly what hijacked your browser and give you detailed instructions on how to remove the infection.

JayC · Jul 22, 2005

I had the same thing happen to me and i switched to firefox had toudle there after a will and just the last week or so have downloaded avant browser, its been great so far. try a new browser there are many. Bill is an idiot, forget IE. The more that leave IE the better they all will get. 

You're still using IE. /forums/images/graemlins/grin.gif Avant is just a flashy add-on, so to speak. You are still using the IE core.

Jagmandave · Jul 22, 2005

Is that true of Firefox as well? A number of folks are telling me Firefox is the answer, but I'm not convinced.

Also I have run "hijack this", but I was unsure of some of the entries, so I didn't clear everything up yet, also, I have read the instructions for others to remove this, and they talk about editing the registry - and I'm not confident enough yet with my skills to tackle that. Thanks for all the suggestions, guys!

Jagmandave · Jul 22, 2005

( If you can, you might want to try a system restore to a previous date. )

I tried that, but it said it couldn't. Either I didn't pick a far enough back date, or there's something else going on there.

JayC · Jul 22, 2005

Is that true of Firefox as well? 

Do you mean like Avant? No. Firefox is a standalone browser. It is developed my Mozilla. Mozilla also has their "own" browser, too. I think it is called Mozilla Suite or something like that. Firefox doesn't have the many security holes like IE has. Mozilla is also very quick at getting updates out for Firefox if there are any security holes. I've been using Firefox for a while now and really like it. I like the features alot better than IE. It also loads pages faster, too.

/forums/images/graemlins/grin.gif

TheKid · Jul 22, 2005

Here are some things to check in Spybot.

Make sure you have version 1.3 They don't make updates for 1.2
Check for any updates.
Make sure that immunize has been run. Should be blocking 2365 bad products.
Make sure that "Enable permanent blocking of bad addresses in Internet Explorer" is checked.

Close Spybot and reboot your computer into Safe Mode.
Start Spybot and run a scan.

I've used these steps to clean a lot of systems at work.

Amontilado · Jul 22, 2005

I personally take a two pronged approach. Fist, I have Spybot and MacAffee loaded on my systems. That's if anything gets past the router on my DSL line. I have the router set up to send a log message to my e-mail account, letting me know where all the traffic goes/comes from. If anything gets by and tries to access its base site, I block it, permanently at the router. From there, I clean it out of the systems. I also helps that we use I.E. as little as possible, preferring Netscape/FireFox.

Steve

SnowRidge · Jul 22, 2005

Firefox is not without its own vulnerabilities, but it is far, far less susceptible than I.E. The real problem with I.E. is the integration with the OS, Windows, which was done deliberately by Micro$haft for marketing control purposes, but ends up exposing the user to the endless nefarious exploits of the bad guys. Any time you can break that integration, you are streets ahead in the safety and security department.

Firefox is a great step. Switching to a non-Micro$haft email client and not using Outlook anything is another. Switching to Mac is better yet. Running Linux behind a hardware firewall, if you have the abilities, is about as safe as you can reasonably get.

If you stay with Windows, learning what not to download or open is absolutely essential.

Paying Bill Gates to help you clean up the mess he got rich from by forcing it down the World's throat is like paying one bank robber for directions to where another stashed the loot.

getut · Jul 22, 2005

Current versions of Firefox have no vulnerabilities that have exploits on the internet.

Here is a regurgitation from advice I gave in an older thread and I have added some additional information. But in short, you really can't currently get spyware through a new version of Firefox or Opera. If you switch and get it, then the spyware came from somewhere/something else. Here are the most likely culprits:

1) You didn't get your computer 100% clean before switching to Mozilla/Firefox or Opera. Spyware makers have gotten smart to spyware removal tools and they commonly utilize "sleeper" programs that do not get caught by the spyware removal tools. The sleeper routines nowadays are updated ***DAILY***. They go out and get a slightly modified but new copy of themselves every day. Therefore the definitions for spyware removal tools never detect the loader/sleeper routine. So in effect, as soon as you clean your machine, the next day the sleeper routing has fired up and re-downloaded all the junk to your machine again. Many true viruses are downloaders/sleepers/entry points for spyware. Only 2 ways to clean these: Leave the machine OFF the internet for about 2 weeks (long enough for spyware definitions to catch up), using another PC, download the spyware updates and put them on the infected machine with a floppy disk. The loader/sleeper program will be detected and removed. Either that or just reformat. Use antivirus to clean the true viruses from your machine.

2) You are still using IE on questionable sites. This does not NECESSARILY mean that the top level site you are going is not legit. It can also mean that the operators of that site (such as TBN for example) may inadvertently let an unsrupulous advertiser advertise. Their advertisement may link back to somewhere else that carries a spyware payload. So in effect, you can still be infected using IE on even credible, respected internet sites. All it takes is the marketing person to mess up and let one single ad slip through and be advertised on their credible site.

3) You may not be using IE, but may still be using other software that uses IE as the rendering engine. For example, some alternate browsers such as the Avant browser mentioned in this thread is just a pretty face for IE. It has all the same security issues. Or you may still be using outlook or outlook express as your email client. Web enabled email received in those browsers will still use IE as the rendering engine. So the same issues apply. Use Media Player Classic as an alternative to Windows Media Player, Quicktime, and Real Player. Do a search for "Quicktime Alternative", you will find it and it will bring media player classic with it.

4) You have a rootkit. That involves more than I am willing to type. Google for windows rootkit and do some research.

5) You are running a very old version of Mozilla/Firefox that has a security problem. New versions have no issues that allow spyware to install themselves in a manner that the user would not know about.

6) This is the worst one and can only be protected against with user education. Some spyware is USER initiated. In other words users are TRICKED into installing software that is either directly a spyware package, or carries a spyware package with it. It uses no security hole to install itself. It simply asks the unknowing user if they want to install X or Y software package and the unknowing user allows it to happen. Many so called FREE software packages fund themselves using this tactic. You want the software, so you also unknowingly agree to allow this other package to install itself as part of the deal... but you may not know exactly what you are agreeing to. Kazaa is an example of this... Free software that people want, yet it carries spyware with it. Many free software packages are not truly free. They most likely have a spyware component that the user ALLOWS to run.

Many web sites with multimedia content embed movies in the web page that automatically show the movie in the player of THEIR choice... meaning you can't download the content and choose your own viewer to view it in and it automatically uses Windows Media Player inside of the web browser (even if you go to the site with Firefox). These are potentially very dangerous. A work around is to disable WMP completely so that it errors out if a page attempts to use it, and then for these types of sites, make use of utilities such as the spiderzilla plugin for firefox. It lets you download the complete page (whether they want you to or not) then find the multimedia content file and view it in the viewer of your own choosing.

Ozarker · Jul 23, 2005

There is no way around editing the registry. You either have to do it or get someone else to do it for you.

After you get everything back in order, get a copy of Spyware Guard. It will prevent future hijacks.