Ask Husi: Malware
Diary
By Gully Foyle (Mon May 24, 2004 at 10:58:27 AM EST)
So, some bastard thing is resetting my IE homepage to http://cashsearch.biz/redir.php (URL provided for ID purposes only. Don't go there, it's gross, and half the time it crashes IE).


I've run up-to-date versions of Ad-Aware and McAfee, and neither has stopped it, although Ad-Aware seems to find new stuff every time I've run it in the last day or so. I've gone through the processes in Task Manager, and haven't found anything obvious (I guess these things can hide from Task Manager?).

Oh yeah, and I went to Windows Update and got the latest updates (of which there were 3). I'd like to get this nailed down, since I don't like having nasty processes running on a machine that I type passwords into.

Posting from Firefox, since IE tends to crash on startup (should have installed it long ago).

Ask Husi: Malware | 31 comments (31 topical, 0 hidden) | Trackback
two things before you go further? by yankeehack (6.00 / 2) #1 Mon May 24, 2004 at 11:01:28 AM EST
Is the program hiding in add/remove programs?

Also, spybot.
"...she dares to indulge in the secret sport. You can't be a MILF with the F, at least in part because the M is predicated upon it."-CBB

Thanks, but no by Gully Foyle (3.00 / 0) #19 Tue May 25, 2004 at 06:06:27 AM EST
No suspicious entries in Add/Remove programs. Spybot finds some of the symptoms of the infection, but hasn't managed to cure it.

[ Parent ]
I'd hazard a guess. by dmg (6.00 / 1) #2 Mon May 24, 2004 at 11:08:32 AM EST
That you have been visiting porn sites!!!
--
dmg - HuSi's most dimwitted overprivileged user.
Are those your favourites? by Gully Foyle (3.00 / 0) #20 Tue May 25, 2004 at 06:07:26 AM EST
Cute.

[ Parent ]
No, but I am a 'spyware' developer. by dmg (3.00 / 0) #25 Tue May 25, 2004 at 06:55:42 AM EST
And I know who uses certain spyware 'products'.
--
dmg - HuSi's most dimwitted overprivileged user.
[ Parent ]
Okay, if you're a developer by Gully Foyle (3.00 / 0) #28 Tue May 25, 2004 at 09:25:55 AM EST
How do I get rid of this embarrassing social disease?

[ Parent ]
Well the easiest way by dmg (3.00 / 0) #29 Tue May 25, 2004 at 11:20:59 AM EST
Is to buy a Mac, and run the stunning MacOS X Panther. This has so far proved extremely resistant to spyware.
Alternatively you should patch your Microsoft OS up with the latest patches and get Lavasoft Ad-Aware, SpyBot Search and Destroy, Grisoft Anti Virus and Proxomitron. Those four seem to cope with most things. As for the thing that won't go away, it's probably replaced some .dll or executable. The main thing to do is get an up-to-date version of Spybot and Ad-Aware.

--
dmg - HuSi's most dimwitted overprivileged user.
[ Parent ]
Block popups by webwench (6.00 / 1) #3 Mon May 24, 2004 at 12:23:48 PM EST
whether you do it in Mozilla (where it's just a preference) or IE (where you have to go find an add-on or get Google toolbar), you gotta block popups.

Then you have to go clean your registry of any references to the thingy that's resetting your homepage. Figuring out what the thingy is will take some detective work and possibly a little voodoo.


One word. by CrocoStimpy (3.00 / 0) #4 Mon May 24, 2004 at 05:37:20 PM EST
Knoppix.

Seriously, I've been using Mozilla since 0.8, and I had no idea just how bad things had gotten with IE until just recently.  You don't even have to visit porn sites, apparently.  Once you've downloaded some innocent-looking toolbar, or just visited the wrong page, your browser is raped and passed around like some Hell's Angels old lady.

Hhhmmmm by Cloaked User (3.00 / 0) #6 Mon May 24, 2004 at 06:17:00 PM EST
Once you've downloaded some innocent-looking toolbar

People download unknown executables and application extensions from untrusted sites, and are then surprised when bad things happen to their PC?

I've been using XP for about 2 years now, and have had zero problems with malware. My secret? Up to date anti-virus software, a software firewall, adaware, keeping up to date with patches, and some common sense. Oh, and I don't use IE (see my final point).


--
This is not a psychotic episode. It is a cleansing moment of clarity.

[ Parent ]
None of the above by Gully Foyle (3.00 / 0) #9 Mon May 24, 2004 at 11:45:03 PM EST
I was just browsing when it happened. Not installing anything from untrusted sites. I'm not completely clueless, but I've got caught anyway. I keep pretty up to date with patches (it had been maybe three weeks since I last updated), and have a bsd based firewall. As I mentioned in my post, I will no longer be using IE, but this damn process is still resident.

[ Parent ]
Oh yeah, and... by Gully Foyle (3.00 / 0) #14 Tue May 25, 2004 at 01:02:22 AM EST
Neither Ad-Aware or McAfee have managed to fix this problem.

[ Parent ]
No by CrocoStimpy (3.00 / 0) #30 Tue May 25, 2004 at 04:46:24 PM EST
Some of this malware downloads and installs in the background, without any user notification.

My secret?  SuSE 9.0, Mozilla, and an external dsl modem/router that does NAT and has every damned port turned off.

[ Parent ]
I have heard that by Cloaked User (3.00 / 0) #31 Tue May 25, 2004 at 07:09:24 PM EST
I was responding directly to the comment about having "downloaded some innocent-looking toolbar", although I suppose I wasn't really being fair to the average user (and you did also say that sometimes you just have to visit the wrong site).

That said, my gf (who is about as average a user as you can get) has had no problems, despite using IE. I make sure her machine is kept up to date with patches, though, and it's behind mine; if it were connecting to the net directly and unpatched, it would probably be a different story.


--
This is not a psychotic episode. It is a cleansing moment of clarity.

[ Parent ]
If Adaware's not getting it by Cloaked User (3.00 / 0) #7 Mon May 24, 2004 at 06:29:32 PM EST
Try Spybot Search and Destroy. I've not used it much, but it seems pretty good, and is generally raved about on slashdot (but don't let that put you off).

I think it also has a "resident mode", in which it'll zap nasty stuff as it starts up. The paid version of Adaware definitely does, although I've not used it.

If that still doesn't get it, then try taking a look at the stuff here; you may need to use regmon or something to watch the registry and see what is being changed, and by what.

Oh, and good luck.



--
This is not a psychotic episode. It is a cleansing moment of clarity.

Some kind of success with RegMon by Gully Foyle (3.00 / 0) #11 Tue May 25, 2004 at 12:11:36 AM EST
The process that's periodically checking and updating the keys is none other than Explorer.EXE

Fuxor.

[ Parent ]
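An added example, not code from the thread: a PowerShell triage of the places a home-page hijacker of this kind usually lives, following webwench's advice above to find the registry references and the RegMon finding that explorer.exe is the process doing the writes. On the Windows 2000/XP-era shell, Browser Helper Objects registered for Internet Explorer are loaded by explorer.exe as well (the NoExplorer value in a BHO's registration key exists to opt out of that), so "the writer is Explorer.EXE" most often means a third-party DLL hosted inside it rather than a modified Explorer binary. The registry paths are the documented IE and Explorer locations; the "unsigned module = suspicious" heuristic and the output layout are this script's own choices. Run it elevated, in a PowerShell of the same bitness as explorer.exe, on a current Windows box (the tooling did not exist in 2004).

```powershell
# Added example (not from the thread): enumerate the IE home-page hijack points.
# Windows PowerShell 5.1 or later, run elevated as the affected user.
$ErrorActionPreference = 'SilentlyContinue'

# 1. The values a home-page hijacker writes. HKCU\...\Main is what the user sees;
#    HKLM\...\Main is the machine default, and a hijacker often sets both so that
#    a "fixed" HKCU value is quietly re-applied.
$ieMain = 'Software\Microsoft\Internet Explorer\Main'
"-- Start/search page values --"
foreach ($hive in 'HKCU', 'HKLM') {
    $k = Get-ItemProperty -Path "${hive}:\$ieMain"
    foreach ($name in 'Start Page', 'Default_Page_URL', 'Search Page', 'Local Page') {
        if ($k.$name) { '{0,-4} {1,-16} {2}' -f $hive, $name, $k.$name }
    }
}

# 2. Browser Helper Objects: each subkey is a CLSID; the DLL implementing it is
#    the default value of HKCR\CLSID\{clsid}\InprocServer32. IE (and the old
#    shell) loads every one of these at startup.
function Get-BhoList {
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid = $_.PSChildName
        $dll   = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32").'(default)'
        $sig   = if ($dll) { (Get-AuthenticodeSignature $dll).Status } else { 'NoDll' }
        [pscustomobject]@{ CLSID = $clsid; Dll = [string]$dll; Signature = $sig }
    }
}
"`n-- Browser Helper Objects --"
Get-BhoList | Format-Table -AutoSize

# 3. Auto-start entries that can re-infect after a clean-up.
"`n-- Run keys --"
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($sub in 'Run', 'RunOnce') {
        $p = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
        (Get-ItemProperty $p).PSObject.Properties |
            Where-Object { $_.Name -notin $psNoise } |
            ForEach-Object { '{0,-4} {1,-8} {2} = {3}' -f $hive, $sub, $_.Name, $_.Value }
    }
}

# 4. Everything loaded into explorer.exe that does not carry a valid Authenticode
#    signature. On a default install this list is empty; a hijacker's DLL is
#    usually unsigned and lives outside System32 (the "Downloaded Program Files"
#    folder mentioned in this thread is one such place).
function Get-UnsignedExplorerModules {
    Get-Process explorer | ForEach-Object { $_.Modules } |
        Select-Object -ExpandProperty FileName -Unique |
        Where-Object { (Get-AuthenticodeSignature $_).Status -ne 'Valid' }
}
"`n-- Unsigned modules in explorer.exe --"
Get-UnsignedExplorerModules
```

If section 4 is empty but the value keeps changing, the remaining suspects are a signed-but-unwanted module or a separate process; Process Monitor (the successor to RegMon) filtered on Operation = RegSetValue and Path containing "Start Page" shows the writing process, and its Stack tab shows which DLL inside that process issued the call, which is exactly the question the Explorer.EXE finding leaves open.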
It may be something it's downloaded by Cloaked User (3.00 / 0) #15 Tue May 25, 2004 at 01:17:30 AM EST
Try having a look in C:\WINDOWS\Downloaded Program Files - that's where IE stores stuff it's downloaded. If in doubt, just move everything in there somewhere else, and try putting it back one at a time.

If that doesn't work, then something may have messed with IE or one of its dlls or something, in which case a reinstall may be the only option :-(


--
This is not a psychotic episode. It is a cleansing moment of clarity.

[ Parent ]
Looks promising by Gully Foyle (3.00 / 0) #18 Tue May 25, 2004 at 05:40:06 AM EST
Some of the files in C:\WINNT\Downloaded Program Files look like the new registry key that Spybot-SD found. I'll have a play.

[ Parent ]
Nope. Not it. by Gully Foyle (3.00 / 0) #27 Tue May 25, 2004 at 08:09:49 AM EST
Blast and buggery and eternal damnation in the fiery pits of hell.

[ Parent ]
Spybot S&D by Gully Foyle (3.00 / 0) #12 Tue May 25, 2004 at 12:32:17 AM EST
Well, spybot detected another couple of problems, neither of which have fixed the underlying problem. The resident mode thingie is detecting the attempts to change the registry, but can't tell me what's doing it.

Oddly, IE is also modifying the registry entry on startup. The more I mess with this, the more I think that a reformat would be a good idea.

Thanks for the suggestions.

[ Parent ]
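An added example, not code from the thread: a minimal "resident mode" for the IE Start Page value of the kind Spybot's resident component provides, together with the audit setting that makes Windows itself record which process made the change, since a value watcher alone (WMI or Spybot) cannot tell you that. This is PowerShell for a current Windows box, run elevated as the affected user; the log file name, the 60-second demo window and the SACL granularity (Everyone, SetValue, success only) are this script's own choices.

```powershell
# Added example (not from the thread): watch the IE Start Page value, and audit
# who writes it. Windows PowerShell 5.1 or PowerShell 7, run elevated.
$sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$ieMain  = 'Software\Microsoft\Internet Explorer\Main'
$logFile = Join-Path $env:TEMP 'startpage-watch.log'

# --- 1. Watch the value ------------------------------------------------------
# WMI registry events support HKEY_LOCAL_MACHINE, HKEY_USERS and
# HKEY_CURRENT_CONFIG only, so the current user's key is addressed as
# HKEY_USERS\<SID>\...; backslashes inside a WQL string literal are doubled.
$wqlPath = "$sid\$ieMain".Replace('\', '\\')
$query   = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_USERS' " +
           "AND KeyPath='$wqlPath' AND ValueName='Start Page'"

Register-CimIndicationEvent -Namespace 'root/default' -Query $query `
    -SourceIdentifier 'IEStartPageWatch' -MessageData $logFile -Action {
        $now = (Get-Date).ToString('s')
        $val = (Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main').'Start Page'
        # The event only says the value changed; it carries no process id.
        "$now  Start Page is now: $val" | Out-File -FilePath $Event.MessageData -Append
    }

# --- 2. Make Windows record the writer --------------------------------------
# A SACL on the key plus success auditing for the "Registry" subcategory makes
# every change produce Security event 4657 ("A registry value was modified"),
# which includes the Process Name and the old and new values.
$acl  = Get-Acl -Path "HKCU:\$ieMain" -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule('Everyone', 'SetValue', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path "HKCU:\$ieMain" -AclObject $acl
auditpol /set /subcategory:"Registry" /success:enable | Out-Null

# --- 3. Demo window ----------------------------------------------------------
# Leave this running and exercise it from another console, e.g.
#   Set-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'Start Page' 'about:blank'
Start-Sleep -Seconds 60
Unregister-Event -SourceIdentifier 'IEStartPageWatch'

"-- watcher log --"
Get-Content $logFile

# Every audited modification of the value, with the process that made it.
"-- Security log (event 4657) --"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -MaxEvents 200 |
    Where-Object { $_.Message -match 'Start Page' } |
    ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Process = [regex]::Match($m, 'Process Name:\s+(.+)').Groups[1].Value.Trim()
            NewVal  = [regex]::Match($m, 'New Value:\s+(.+)').Groups[1].Value.Trim()
        }
    } | Format-Table -AutoSize
```

The audit route is the one to keep in place: the writer may be a DLL inside a legitimate host, so a Process Name of explorer.exe or iexplore.exe (the "IE also modifies it on startup" observation above) narrows the search to modules loaded into that process rather than clearing it. Leaving the SACL and audit policy enabled on a busy key fills the Security log quickly, so remove them once the culprit is found.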
Top Tip by codemonkey uk (3.00 / 0) #8 Mon May 24, 2004 at 07:30:23 PM EST
Don't use IE.

--- Thad ---
Almost as Smart As you.
No shit by Gully Foyle (3.00 / 0) #17 Tue May 25, 2004 at 05:38:13 AM EST
Not using it any more. Should have ditched it months ago, but it's taken something like this to make me switch. I feel pretty stoopid now.

[ Parent ]
Hmm... by Gully Foyle (3.00 / 0) #24 Tue May 25, 2004 at 06:46:17 AM EST
Google searching on this topic, it seems that there are lots of posts from people with the same problem, but no-one's been able to fix it. This is a total pain in the arse.

One last resort by Cloaked User (3.00 / 0) #33 Tue May 25, 2004 at 07:29:13 PM EST
Boot off the Win2k installation CD and use the recovery console (if you haven't installed it). If I recall correctly, you can theoretically use it to restore your Windows install to the state it was in when you installed it. Hopefully, that will restore IE to its correct state, but it will complain about any patched files (i.e. from service packs, etc.) and replace them, too.

Of course, if it's an extra file that's being loaded, rather than a genuine one that's been replaced/modified, you might well still be out of luck...


--
This is not a psychotic episode. It is a cleansing moment of clarity.

[ Parent ]