Desktop Hijack

JabbaJawz

Be about it
My desktop was taken over a few weeks back when I acquired a trojan. Supposedly the Trojan is gone, but no matter what I do I still can't get my damned desktop back. It has some funky crap on it. Assistance, please! :tantrum

scupper trout

Guest
JabbaJawz said:
My desktop was taken over a few weeks back when I acquired a trojan. Supposedly the Trojan is gone, but no matter what I do I still can't get my damned desktop back. It has some funky crap on it. Assistance, please! :tantrum

http://www.tomcoyote.org/hjt/

This site will help. The top of the page is just an ad.

"HiJack This" Webpage

I know it's your desktop, but I think you have a registry issue:

The above site is for browser hijacking issues (pop-ups, homepage gets changed and you can't get it back or delete the existing "hijacked" one). Download the program, follow the steps. You may need to post the log if it's a registry issue, but they will help you in their forums. Helped me out a year ago when my better half got the browser hijacked when surfing and I went nuts for 2 weeks.

Then, sh*tcan (don't use) Micro Soft Internet Explorer (MSIE). It has so many flaws that hijackers and spyware websites absolutely love MSIE.


If you HAVE to use MSIE

Switching browsers is the easy answer. For some people, that is not an option for various reasons. Internet Explorer can be made reasonably safe without locking down every useful function, but it requires some third-party software.

The most important thing is to update your browser and operating system. Go to Windows Update and install the latest version of Internet Explorer (currently MSIE 6 Service Pack 1), then go back and install any security patches that are available. Also install any service packs and patches for Windows itself. This one action will save you from the overwhelming majority of browser hijackers.

After you've done that, replace Microsoft Java VM with Sun Java. You can download that from http://www.java.com/. There are several hijackers that exploit flaws in Microsoft Java VM. Sun's Java is more secure and more up to date. Make certain, in Java's options, that Sun Java JRE is set to work with Internet Explorer.

Open Internet Options from the Windows control panel and click the "Security" tab. Highlight the "Internet" icon and then click "Custom Level". Choose "Medium" from the drop-down box at the bottom, then click the "Reset" button. Click ok, then click "Custom Level" again.

Set your options just as I have listed below:

.NET Framework-reliant components

* Run components not signed with Authenticode (Disable)
* Run components signed with Authenticode (Prompt)

ActiveX controls and plug-ins

* Download signed ActiveX controls (Prompt)
* Download unsigned ActiveX controls (Disable)
* Initialize and script ActiveX controls not marked as safe (Disable)
* Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
* Script ActiveX controls marked safe for scripting (Prompt)

Miscellaneous

* Access data sources across domains (Disable)
* Drag and drop or copy and paste files (Prompt)
* Installation of desktop items (Prompt)
* Launching programs and files in an IFRAME (Prompt)
* Navigate sub-frames across different domains (Prompt)
* Software channel permissions (High safety)
* Userdata persistence (Disable)

Scripting

* Allow paste operations via script (Prompt)
* Scripting of Java applets (Prompt)

Next, you need to run a registry script called IE-SPYADS. This script will place an enormous number of web sites known to be abusive into Internet Explorer's "Restricted Zone". Any site in that list will be unable to run javascripts, java applets, set or read cookies or use ActiveX scripting. You still will be able to visit those sites but they will be very limited in what they can do.

Be aware that MSIE has many security flaws that will allow a clever site designer to bypass security settings, even if their site is in the restricted zone. More must still be done.

Now you need to install SpywareBlaster. ActiveX programs need to use a CLSID (identifier number) before Windows will execute them. SpywareBlaster stops certain ActiveX CLSIDs from working by setting a "kill bit" in the Windows registry. This will stop ActiveX drive-by installations from programs that use those numbers, as well as preventing software already installed from running if they use that CLSID.

As a final safeguard, install a program called Browser Hijack Blaster. This program will watch for alterations to the home page, default page and search page as well as watching for Browser Helper Objects being installed. If it detects a change, it immediately will pop up a warning and ask if you wish to allow the change.

Be very careful about installing programs. By far the most common source of malware infection comes from third party bundles. Grokster, for instance, will install a dozen or more unwanted programs.

Finally, you also should disable the preview pane if you use Outlook or Outlook Express. Simply by highlighting an email while the preview pane is active, even to delete it, you could activate any scripting in that email. Visit TomCoyote's site for instructions on doing that.

Follow the steps above and it will be very unlikely that you ever will be hijacked again. Periodically scan your system with antispyware and antivirus software. I recommend Spybot S&D for antispyware and Nod32 for antivirus.

__________________________________________________________________

I use Firefox as my browser, never had a problem since:
First and most simply, stop using Internet Explorer. If you use either Mozilla, Firefox or Opera, you are immune to all known browser hijackers.

You are immune for two reasons. First, most people use Internet Explorer, so most malicious code is custom built to exploit it. Second, Opera's and Mozilla's programmers take security very seriously and have made these browsers very secure. It is not possible to install software from a web site using these browsers without at least seeing a prompt of some sort asking permission.

http://www.mozilla.org/
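The post above describes two mechanisms worth being able to verify by hand: the registry locations Browser Hijack Blaster watches (start/search pages and Browser Helper Objects) and the ActiveX "kill bit" SpywareBlaster sets. The following read-only PowerShell audit is an added example, not code from the thread or from either tool; it assumes the documented registry locations (the kill bit is bit 0x400 of "Compatibility Flags" under ActiveX Compatibility, per Microsoft KB 240797) and changes nothing.

```powershell
# Added example, not from the thread: report IE hijack points and kill-bit state. Read-only.
$Main      = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$BhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$CompatKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit   = 0x400   # documented kill-bit flag (KB 240797); a control with it set never loads

function Get-KillBitState {
    param([string]$Clsid)
    $p = Join-Path $CompatKey $Clsid
    if (-not (Test-Path -LiteralPath $p)) { return 'no kill bit' }
    $flags = (Get-ItemProperty -LiteralPath $p -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -ne $flags -and (($flags -band $KillBit) -ne 0)) { return 'KILL BIT SET' }
    return 'no kill bit'
}

function Resolve-ClsidPath {
    # Map a CLSID to the DLL that implements it (HKCR\CLSID\{...}\InprocServer32 default value)
    param([string]$Clsid)
    $p = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $p) { return (Get-ItemProperty -LiteralPath $p).'(default)' }
    return '<no InprocServer32>'
}

# 1. The three hijack points the post says Browser Hijack Blaster watches
'== Internet Explorer start/search pages =='
foreach ($name in 'Start Page', 'Default_Page_URL', 'Search Page') {
    $v = (Get-ItemProperty -LiteralPath $Main -ErrorAction SilentlyContinue).$name
    '{0,-17} {1}' -f $name, $v
}

# 2. Every registered BHO, resolved to its DLL, with its kill-bit state
'== Browser Helper Objects =='
if (Test-Path -LiteralPath $BhoKey) {
    foreach ($sub in Get-ChildItem -LiteralPath $BhoKey) {
        $clsid = $sub.PSChildName
        '{0}  {1}  [{2}]' -f $clsid, (Resolve-ClsidPath $clsid), (Get-KillBitState $clsid)
    }
} else { '(none registered)' }

# 3. How many CLSIDs currently carry the kill bit (SpywareBlaster adds thousands)
$n = @(Get-ChildItem -LiteralPath $CompatKey -ErrorAction SilentlyContinue |
       Where-Object { (Get-KillBitState $_.PSChildName) -eq 'KILL BIT SET' }).Count
"== $n CLSIDs have the kill bit set under ActiveX Compatibility =="
```

A BHO whose DLL sits in an unexpected location, or a start page you did not set, is what the post's tools would flag; this script only shows the same data so you can compare before and after running them.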

2ndAmendment

Just a forgiven sinner
PREMO Member
scupper trout said:
I use Firefox as my browser, never had a problem since:
First and most simply, stop using Internet Explorer. If you use either Mozilla, Firefox or Opera, you are immune to all known browser hijackers.

You are immune for two reasons. First, most people use Internet Explorer, so most malicious code is custom built to exploit it. Second, Opera's and Mozilla's programmers take security very seriously and have made these browsers very secure. It is not possible to install software from a web site using these browsers without at least seeing a prompt of some sort asking permission.

http://www.mozilla.org/
:yeahthat:

Use Thunderbird for your default email client if you use Firefox. The Mozilla suite has a built-in email client. The Firefox and Thunderbird products are the latest and greatest. Outlook and Internet Explorer are the two most exploited programs on the Internet. Why anyone is still using them is beyond me.

If you don't have Ad-Aware and Spybot, you need both of them. http://www.safer-networking.org/en/index.html is where Spybot is and http://www.lavasoftusa.com/software/adaware/ is for Ad-Aware. You also need to keep your anti-virus software up to date, or get one or more if you don't have any. There is a good anti-virus/anti-spyware product, and it is free, based on the Clam AntiVirus which runs on Linux. Here is the write-up.

Walk in to any computer store or electronic store and you will no doubt see an aisle dedicated to anti-spyware or anti-virus software. Viruses are a real problem in today's computing world and the problem has grown to such an extent that a cottage industry has appeared to try to combat all the virus variants introduced seemingly daily. Of course, if you run Windows, there is a real need to run some sort of anti-virus software. Whether it's the Operating System, the programs (IE or Outlook) or the size of its market share, Windows tends to attract virus writers.

SourceForge.net's February project of the month, ClamWin, is an Open Source licensed virus checker for Microsoft Windows 98/Me/2000/XP. It is a GUI front-end to the popular Clam AntiVirus engine which is also Open Source. ClamWin Free Antivirus comes with an easy installer and is licensed under the GPL (General Public License). The software has been a top project since its inception. ClamWin has had over a quarter of a million downloads in the past 10 months alone.

The SourceForge.net team is proud to make ClamWin Project of the month.
Project of the month: http://sourceforge.net/potm/potm-2005-01.php

Home Page: http://www.clamwin.com/
Project Page: https://sourceforge.net/projects/clamwin/

Hope this helps JabbaJawz.

Agee

Well-Known Member
Excellent posts, Scupper and 2A. I have considered the change from Microsoft IE to one of the browsers you two have suggested. I keep my anti-virus updated, and run Spybot, Ad-Aware, and HijackThis often.

Recently, my machine was infected with a "backdoor trojan". My anti-virus appeared to clean it, but I have a feeling the registry has malicious code still installed. I have turned off the restore function (Windows XP) since my last virus cleanse.

The issue I am still fighting, and one of which I have never heard of, is control of my dial-up status/properties. The connection shows no status, no traffic indications (even though I connect and browse), and most annoying, I cannot disconnect from provider. I have to physically pull the modem connection from the wall jack. I get a message when trying to disconnect:

"It is not possible to disconnect at this time. The connection is currently busy with a connect or disconnect operation."

Anyone experienced this, any ideas?

TIA, and Good Luck Jawz with your desktop.

FromTexas

This Space for Rent
JabbaJawz said:
My desktop was taken over a few weeks back when I acquired a trojan. Supposedly the Trojan is gone, but no matter what I do I still can't get my damned desktop back. It has some funky crap on it. Assistance, please! :tantrum

Sorry! I thought I could access to your web cam as you came out of the shower... :whistle:

FromTexas

This Space for Rent
somdcrab said:
If the trojan keeps busting, try Ramses sheepskin. I haven't had a problem. :coffee: :twitch:

I didn't think you would have trouble with busting condoms. That is for us larger folks.

2ndAmendment

Just a forgiven sinner
PREMO Member
Airgasm said:
The issue I am still fighting, and one of which I have never heard of, is control of my dial-up status/properties. The connection shows no status, no traffic indications (even though I connect and browse), and most annoying, I cannot disconnect from provider. I have to physically pull the modem connection from the wall jack. I get a message when trying to disconnect:

"It is not possible to disconnect at this time. The connection is currently busy with a connect or disconnect operation."

Anyone experienced this, any ideas?

TIA, and Good Luck Jawz with your desktop.
You have a back door open. As soon as you connect, some program is connecting and may be sending everything you do to some other site including passwords, sites browsed, ids, everything you type.

Disconnect from the Internet. Disconnect your phone line. Schedule your anti-virus software to run on boot so that it loads and cleans before allowing anything else to load besides the operating system. I think Spybot and Ad-Aware can be scheduled too, but not sure. Shut down and turn off the computer. That is the only way you can be absolutely sure the memory is clear. Boot your computer. Repeatedly run the anti-spyware and anti-virus until nothing is found. You might have to do this a couple of times. As soon as you are totally clean, log onto the Microsoft site and make sure your OS is completely up to date, and all the applications too. On dial-up this can take hours, maybe days, but do it before you start browsing again.

You might want to try ClamWin. The guy in the office next to me ran it and it found things Norton, Spybot, and Ad-aware did not find. The ClamWin databases are updated at least 4 times a day.

Good luck!

Tomcat

Anytime
Airgasm said:
The issue I am still fighting, and one of which I have never heard of, is control of my dial-up status/properties. The connection shows no status, no traffic indications (even though I connect and browse), and most annoying, I cannot disconnect from provider. I have to physically pull the modem connection from the wall jack. I get a message when trying to disconnect:

"It is not possible to disconnect at this time. The connection is currently busy with a connect or disconnect operation."

Anyone experienced this, any ideas?

TIA, and Good Luck Jawz with your desktop.

Stop going online until you get it fixed, or know what's happening. Grandson picked up some kind of virus on my home computer, sounds very familiar. It was re-directing our dial-up connection. We got a phone bill for a long distance call (Bermuda or Bahamas or somewhere). Since we have a 2nd phone line for the computer it wasn't any of us making the calls.

alex

Member
Someone recommended PC-Cillin on this board. I have recently purchased their Internet Security 2005 program. It does it all - anti-spam, anti-virus, anti-ads, firewall for about $50. I don't even have to run Spybot and Ad-Aware any more. After a month of PC-Cillin the other 2 programs were never finding anything. Plus it can be set up to automatically update DAILY!!! and it scans your computer for viruses and spyware BEFORE it installs the program. You can download a trial version for 30 days from the Trend Micro website. Awesome program!

woodchuck70

I'm your huckleberry!
:coffee: Don't jump to Firefox just yet. An independent study was done and it had more vulnerabilities than IE. The problem isn't Microsoft; the problem is that hackers like to hack, and they will do so on whatever will affect the most people. And now since Firefox has become so popular it is under attack.

Try downloading the Microsoft Anti-spyware application from their site, it is only in Beta right now but is probably the best spyware removal tool out there for MS based systems. It has an intensive registry search and has gotten me out of several problems at work.

Also get an anti-virus program with a firewall installed on your machine. That should help prevent this kind of thing from happening again while you fix it, because most patches are on-line and it sounds like you have one of those bugs that continue to download scripts whenever you are on-line. Good luck and be sure to update us when you get this thing fixed.

Agee

Well-Known Member
woodchuck70 said:
Try downloading the Microsoft Anti-spyware application from their site, it is only in Beta right now but is probably the best spyware removal tool out there for MS based systems. It has an intensive registry search and has gotten me out of several problems at work.
:yay: Thanks, finally.

Tried the beta download. It found a browser hijack buried in my registry, which in turn eliminated suspect .dll files in my windows/system32 folder.

McAfee, Ad-Aware, Spybot, and HijackThis (which did show the suspect .dll files) didn't find it.