Browser Hijacking

KB ID 0000056 

Also See KB0000183 Spyware / Malware Rogue AV and Rogue Antispyware “Scareware”

Problem

There is currently an alarming trend of companies and websites that think it's quite OK to change your web browser settings without your permission. What most of them try to do is:

1. Modify your homepage.

2. Modify your default search page.

Sometimes your default connection will be pointed at sites that carry adult material or sites that are simply selling something. Another thing these guys do is drop items into your Favorites, your Quick Links folder and even onto your desktop. Most of the time they are simple to fix, and simply resetting your homepage will cure the problem, but if they have been really malicious the setting can be automatically put back to the "rogue" page by code that runs on the machine.

Solution

Normally I would put "How to Prevent Being Hijacked" first, but sadly the fact that you're reading this probably means you have already been stung 🙁

You can start manually digging through the registry if you wish, but most people will not know where to start, so we are going to need help from a third-party vendor (don't panic, this won't cost you anything). Any of the following can find and remove your problem.

Option 1 (This is what I use)

Simplicity itself: load it up, click Start, leave it on its default setting of "Perform smart system-scan" and click Next. It will take a while to scan the entire registry and your hard drive (time for a coffee!). When it's done, click Next, tick EVERYTHING in the Obj. column and click Next; you will have to click OK to confirm. NOTE: Sometimes Ad-Aware cannot remove them right away and will ask if you want to remove them on reboot; select Yes and reboot the PC. When it comes back up, Ad-Aware will reload and finish its job 🙂

Option 2

Option 3

HELP! Its not fixed

OK, if the above software didn't solve the problem then your next step is to download the following piece of software.

Run this little doohickey and it will list registry entries and running processes that it considers suspicious (NOTE: a lot of innocent entries will be listed). OK, now you have a list of what's running you need to analyze it (Gulp!). Don't panic, the good thing is that if you haven't got a clue you can get help, but DON'T go posting your hijack list to a forum like EE, it just gums up the message boards.

How To Prevent being hijacked

Well to be honest the best way is stop using Internet Explorer and use another browser like Opera (Free). But seeing as the vast majority of you will be using IE, I’ll give you some pointers.

The very first thing to do is update your browser (And Operating System) with all the latest security patches and hotfixes, CLICK HERE

Open your Control Panel and select Internet options or from internet explorer click Tools > Internet options.


1. Click the Security tab.

2. Click Internet, then Custom Level.

3. Click the drop-down arrow, select Medium, click Reset, then click OK.

4. You should now be back where you were at step 2; click the Custom Level button again.

5. You will see more options than these (I've cut the others out); set yours to the same.

NOTE: If you are bugged to death being asked if you want to run scripts, then set Scripting > Active Scripting to Enable (but I warned you 🙂).

6. Click OK and accept the warning by clicking "Yes".

OK, now your browser is set up, there are a few more steps you can take to remain "hijack free":

1. Download and install IE-SPYAD. This will add a raft of "known abuser" websites to your Restricted zone; you will still be able to go there, but the sites won't be able to abuse you.

2. Ensure you have installed the following (MS00-075).

3. Now install some software to sit and monitor your browser while you are online, in case any "miscreant" tries to hijack it. Already listed above: SPYWARE BLASTER.
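As an added example that is not part of the original article, the PowerShell below reports the settings the hijack described above changes (homepage and search page values, Active Scripting in the Internet zone, and how many domains sit in the Restricted zone that IE-SPYAD fills) so you can compare a PC before and after cleaning. It changes nothing; the expected homepage is a placeholder you replace with your own, and the registry locations are the standard Internet Explorer ones.

```powershell
# Added example (not from the original article): report the Internet Explorer
# settings a hijacker changes, without altering anything.
$ExpectedHomePage = 'https://www.example.com/'   # placeholder, set to your own homepage

# Homepage and search page live here; hijackers rewrite these values.
$MainKeys   = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
              'HKLM:\Software\Microsoft\Internet Explorer\Main'
$ValueNames = 'Start Page', 'Default_Page_URL', 'Search Page', 'Default_Search_URL'

foreach ($key in $MainKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $ValueNames) {
        $value = $props.$name
        if (-not $value) { continue }
        # Anything that is neither your homepage nor a Microsoft-owned URL deserves a look.
        $flag = ($value -ne $ExpectedHomePage) -and
                ($value -notmatch '^https?://([\w-]+\.)*(microsoft|msn|bing|live)\.com(/|$)')
        [pscustomobject]@{ Key = $key; Name = $name; Value = $value; Suspicious = $flag }
    }
}

# Internet zone is Zones\3; value 1400 is Active Scripting (0 = Enable, 1 = Prompt, 3 = Disable).
$zone    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$setting = (Get-ItemProperty -Path $zone -ErrorAction SilentlyContinue).'1400'
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
if ($null -eq $setting) { 'Active Scripting (Internet zone): not set, IE default applies' }
else { "Active Scripting (Internet zone): $($meaning[[int]$setting])" }

# Domains in the Restricted zone (what IE-SPYAD populates) carry a value of 4 under ZoneMap\Domains.
$domains    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$restricted = @(Get-ChildItem -Path $domains -Recurse -ErrorAction SilentlyContinue | Where-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    @($p.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 4 }).Count -gt 0
})
"Domains in the Restricted zone: $($restricted.Count)"
```

Run it once on a known-good PC to see what "normal" looks like, then on the suspect one; a Suspicious = True row or an empty Restricted zone after installing IE-SPYAD is what to chase.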

Related Articles, References, Credits, or External Links

SpyWareGuard

BHODemon

Malwarebytes – Manually Update Database/Definitions

KB ID 0000629

Problem

I was called to a 2003 Server yesterday, that was riddled with malware, whatever was on there was generating a lot of network traffic, so the first thing I did was disconnect it from the network.

That’s fine, but if I wanted to use my usual ‘weapon of choice’ Malwarebytes, how was I going to get the latest database installed?

Solution

WARNING: There is a note on the Malwarebytes website that discourages this procedure, as it breaks the incremental update mechanism of Malwarebytes. They recommend that you use this utility to do the job, and that it should be updated every week (though the page currently has December 2011 as the update date!). In my case, once the machine is clean I'll remove Malwarebytes and install Trend Worry Free on it anyway. Either way, I prefer to know for a fact I'm using the latest database.

1. Install and update Malwarebytes on a nice clean machine (In this case, my Windows 7 laptop).

2. Find out what version of Malwarebytes you are running (on the about tab).

3. Navigate to the following location, and take a copy of the rules.ref file, i.e. put a copy on a USB thumb drive.

Windows 7 / Vista / 2008 / 2008 R2

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware

Windows XP / 2000 / 2003 / 2003 R2

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware

4. If your version is 1.60 or newer, you also need to take a copy of the database.conf file that's in the same folder, but in the Configuration sub-folder.

5. Copy the file(s) to the corresponding folder(s) on the affected machine, and paste them over the copies that exist there.

6. Then launch Malwarebytes on the affected machine and scan with the updated database.
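As an added example, not from the original article, this PowerShell script does the copy in steps 3 to 5 in either direction: run it with -Direction Export on the clean machine and -Direction Import on the affected one. The version string is what the About tab shows (typed in by hand), the USB folder is a placeholder, and the name of the configuration sub-folder is taken from the text above.

```powershell
# Added example (not from the original article): move the Malwarebytes database
# file(s) between a clean PC and an affected one via a USB folder.
param(
    [ValidateSet('Export', 'Import')] [string]$Direction = 'Export',
    [string]$Version   = '1.60',        # as shown on the About tab
    [string]$UsbFolder = 'E:\mbam-db'   # placeholder, your USB drive
)

# The data folder differs by OS: ProgramData on Vista/7/2008, and
# All Users\Application Data on XP/2000/2003 (no ProgramData variable there).
$base = if ($env:ProgramData) { $env:ProgramData }
        else { Join-Path $env:ALLUSERSPROFILE 'Application Data' }
$mbam = Join-Path $base "Malwarebytes\Malwarebytes' Anti-Malware"

# rules.ref is always needed; database.conf (Configuration sub-folder) only from 1.60 on.
$files = @('rules.ref')
if ([version]$Version -ge [version]'1.60') { $files += 'Configuration\database.conf' }

foreach ($rel in $files) {
    $local = Join-Path $mbam $rel
    $usb   = Join-Path $UsbFolder $rel
    if ($Direction -eq 'Export') { $src = $local; $dst = $usb } else { $src = $usb; $dst = $local }
    if (-not (Test-Path $src)) { Write-Warning "Missing: $src"; continue }
    # Create the destination folder if needed, then overwrite the existing copy.
    New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
    Copy-Item -Path $src -Destination $dst -Force
    "Copied $src -> $dst"
}
```

Export from a machine that has just updated so the copy is current; the caveat from the WARNING above still applies once the files are imported.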


Related Articles, References, Credits, or External Links

Spyware / Malware Rogue AV and Rogue Antispyware “Scareware”

Cannot Install Malwarebytes (Already Infected) – Deploy Chameleon

Cannot Install Malwarebytes (Already Infected) – Deploy Chameleon

KB ID 0000750 

Problem

If I'm working on a machine that I suspect is infected by malware/spyware, then one of the first tools I reach for is Malwarebytes.

Spyware / Malware Rogue AV and Rogue Antispyware "Scareware"

As it's one of the most popular repair tools, it's not uncommon for the writers of these pieces of malicious code to actively block the installation of Malwarebytes, so the publishers of Malwarebytes have come up with a solution called Chameleon.

Solution

1. Head over to the Malwarebytes download site > For Home > Other Tools.

2. Download Chameleon.

3. The files will come down in a zip file > Extract them > Locate the Chameleon.chm file and run it.

4. You can now attempt to install Malwarebytes by using the install options presented, start with the first and work your way down.

5. When running, a command window will open and ask you to press any key. It will check whether the software is installed; if not, it will download and install it.

6. Then it will update the software with the latest definitions.

7. When complete the software will start and begin a scan.


Related Articles, References, Credits, or External Links

Malwarebytes – Manually Update Database/Definitions

Spyware / Malware Rogue AV and Rogue Antispyware “Scareware”

KB ID 0000183 

Problem

The last time I wrote any information on spyware was a while ago. When I wrote that article the main problem was browser hijacking; while that's still a problem, more recently the trend is towards infecting your machine with "Scareware". This is software that pretends to be either an antivirus program or an antispyware program and tells you to either install something, or perform a scan (which installs something), or forces you to buy some useless software, etc.

A lot of my clients who get infected justifiably ask “Well I’ve got up to date AV and Antispy software, how did I get infected?” The simple answer is (In most cases) because you clicked the button that said “Yes” when proper text on the button should have said “Yes, please slow my machine down and infect it horribly”. Some programmers of these Scareware applications have produced some awesome professional looking programs, that would fool even the more “Technically aware” user.

The Best form of Defense is Offence (And common sense!)….

Error reads:

Window Title: "Windows Internet Explorer"

Window Text: "This computer is under attack. They can seriously harm your private data or files, and should be healed immediately. Return to Antivir and download it secure to your PC."

Windows Internet Explorer is telling you you're infected? How would an internet browser know you are infected? And if you actually read the text, the grammar is terribly bad (even by my D Grade O Level standards!). But click anything (OK, Cancel, the red X to close the window) and you will probably drag some nastiness into your PC. Also look at the URL "http://my6-antivirus-scanner.com/": Google that (that's search for it in Google, NOT type it in the address bar!) and you will see it's bogus.

Here’s Another Example

Solution

I’ve got a window just like that one, what do I do?

Right-click your taskbar and select "Task Manager" or "Start Task Manager" > On the Applications tab select the instance of Internet Explorer > Click "End Task" > Accept any warnings > Close Task Manager. If you're still worried, run a full AV and antispyware scan on the machine.


Help! – I’ve been infected and now my machine tells me I’m infected all the time!

1. Before you do anything make sure you have a backup of anything important. (Your documents, emails, photos internet favorites, programs etc) just in case.

To fix things you need to install some software. If you are so badly infected that you cannot install the software, or the infection you have specifically stops the removal tools from working (some do!), then reboot the PC, press F8 and select Safe Mode.

2. Install Malwarebytes, let it update itself, then perform a scan; reboot and re-scan until it tells you there is no infection left.

3. Install SuperAntispyware, let it update itself, then perform a scan; reboot and re-scan until it tells you there is no infection left.

4. When done, make sure you have good, up to date, Antivirus software, a personal firewall, (The Windows one is better than nothing). Then periodically run one of the above products.

Hang on! I've done that and it's not worked (I'm still infected).

The two products above are usually all you should need; if an infection gets past one, the other usually gets it. However, in some cases the code writers will get something on your PC quicker than the good guys can defeat it. If that's happened to you, you have a choice.

1. Consider reinstalling Windows (for everyone who has just rolled back in their seat: I charge £75.00 an hour for desktop work, and it might take me 4-8 hours to clean a machine manually, so how much is your PC worth?). It's the ONLY way to make sure you've got rid of all remnants of nastiness (you're looking at about 4 hours' work with a modern PC to rebuild it, patch it and reinstall everything).

2. Roll your sleeves up and get on the internet; the chances of you being the first person infected are pretty slim. Download HijackThis, get the log it generates, and post it in an online forum or check it online (Warning: automated systems).

3. If you have tried everything, then your last port of call should be COMBOFIX. This is a VERY powerful tool and if used incorrectly can destroy Windows (hence why it's at the bottom of the list).

Gallery of Nastiness. Note: here's just a few – there are tons more – if you want to send me a screenshot of any more please do so.

Security Shield (Seen 22/12/10 – infected by an email attachment)

SecurityTool

Security System Protection Control Panel

WinReanimator

VirusHeat

Virus Protect

IE Defender 2.2

VirusRay

AntiVirGear

SpyShredder 2.1

VirusProtect Pro

Windows Security Center (No it isn't)

Spyware Protect 2009

VIRUSBUSTERS

Personal AntiVirus

ExtraAntivirus

System Antivirus 2008

IE Antivirus 3.3

Fast AntiVirus 2009

Related Articles, References, Credits, or External Links

Malwarebytes – Manually Update Database/Definitions