HijackThis! is good for giving you a quick look at what's running on the
PC.
I generally run it from the desktop and look for unfamiliar programs and
URLs in the results. I Google anything I don't recognize as benign.
This usually tells me if I have some kind of bug and what it's called so
I can search for removal instructions. There are a lot of forums out
there where you can get a "security expert" to review your log and make
recommendations. http://www.tech-forums.net/ is one that I've used for
this purpose.
Java Cool Software makes a couple of blocking programs that I have my
telecommuters use: Spyware Blaster and Spyware Guard. They are free for
the basic and you can make a donation for additional features.
TrendMicro has a free web page called House Call that will scan for
malware and even remove things for you.
Damon's suggestion is great, just make sure you get the program that
changed the hosts file as well, or it will do it again at the next
reboot.
Good Luck!
Alice Hart-Johansson
email: ahart (at) vipdesk (dot) com [email concealed]
visit us at http://www.vipdesk.com/
-----Original Message-----
From: Damon McMahon [mailto:damon.mcmahon (at) gmail (dot) com [email concealed]]
Sent: Tuesday, January 03, 2006 11:07 PM
To: Chris Barber
Cc: focus-virus (at) securityfocus (dot) com [email concealed]
Subject: Re: Hijacked Internet Explorer
Chris,
Check your HOSTS file for rogue entries:
%SystemRoot%\system32\drivers\etc\HOSTS
Also check proxies in Control Panel > Internet Options | Connections
for rogue entries.
Best wishes,
Damon
On 04/01/2006, at 6:31 AM, Chris Barber wrote:
> I have a user on a home network that has an oddity I have not seen
> before while using search engines. On the PC we have tried Yahoo,
> Google, MSN, Lycos, not sure but we may have done a few others, but the
> actions are all the same. We enter a search item, say ACE, and the
> results come back of course ACE Hardware is in the list. When I mouse
> over the link the URL displayed IE Status indicates the correct URL
> for ACE Hardware. Now when I or he clicks on the link we go to some
> other ads page, we click back and click the link a second time and get
> sent to a second ad site. After clicking back a second time and then
> clicking the link for the third time we get to the ACE Hardware site.
> One note on this is that the URL we are directed to is not the same as
> the link so I know it is not a DNS Hijack, but more of a redirect.
>
> This happens with any and every site we have looked for in the last
> week or so. The "Anomaly" began shortly before Christmas.
>
> The PC is currently running ZoneAlarm and no messages have indicated
> any new software trying to gain access to the network. I have also
> run AdAware SE, Spybot, and MS Anti-Spyware. Currently running on the
> PC is Symantec AV with the latest updates, I have also run McAfee from
> a boot Disk.
>
> At this point I am thinking it may be some form of Browser Helper
> Object or some registry hack, but I am out of ideas to further
> investigate, clean and protect against this in the future.
>
> Does anyone have any suggestions or ideas on what I could try next?
>
> Thanks in advance for the help.
>
> Chris.
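
The checks named in this thread (HOSTS entries, the Internet Options proxy values, and the Browser Helper Object list Chris suspects), as an added read-only PowerShell example that is not part of the original messages. The sample hosts lines are constructed, `Get-HostsEntry` is a hypothetical helper name, and the registry paths are the standard per-user Internet Settings key and the machine-wide BHO key.

```powershell
# Added example: read-only triage; nothing here changes the system.
$hostsPath = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'
$loopback  = @('127.0.0.1', '::1', '0.0.0.0')

function Get-HostsEntry {   # hypothetical helper, not a built-in cmdlet
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Strip comments and whitespace; skip blank or malformed lines.
        $text = ($line -replace '#.*$', '').Trim()
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }
        # One address may carry several host names on the same line.
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($name -eq 'localhost') { continue }
            $kind = if ($loopback -contains $fields[0]) { 'blocked' } else { 'redirected' }
            [pscustomobject]@{ Name = $name; Address = $fields[0]; Kind = $kind }
        }
    }
}

# Constructed sample lines (not from the thread) showing the output shape.
$sample = @(
    '127.0.0.1       localhost',
    '203.0.113.10    www.example.com example.com   # constructed redirect',
    '127.0.0.1       update.example.net            # constructed block'
)
Get-HostsEntry -Lines $sample | Format-Table -AutoSize

# The live file: every row printed is an entry beyond the localhost line.
if (Test-Path $hostsPath) {
    Get-HostsEntry -Lines (Get-Content $hostsPath) | Format-Table -AutoSize
}

# Proxy values behind Internet Options > Connections (current user).
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Get-ItemProperty -Path $inet |
    Select-Object ProxyEnable, ProxyServer, ProxyOverride, AutoConfigURL | Format-List

# Browser Helper Objects: each subkey is a CLSID; resolve it to the DLL it loads.
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bho) {
    Get-ChildItem $bho | ForEach-Object {
        $key = "HKLM:\SOFTWARE\Classes\CLSID\$($_.PSChildName)\InprocServer32"
        $dll = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ CLSID = $_.PSChildName; Module = $dll }
    } | Format-Table -AutoSize
}
```

A `blocked` row is not automatically hostile, since some blocking tools add loopback entries on purpose; a `redirected` row, a proxy you did not set, or a BHO module you cannot identify is what to look up first.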