Thursday, January 31, 2008

Ask The Wizard (System Hi-Jack)

The Wunnerful Wizard of 'OZ'

Dear Wizard of 'OZ',

I have a Windows XP SP1 system that was hi-jacked. There seems to be a program that is now loaded at startup that redirects the homepage for IE 7 through allaboutsearching.com. If the browser is opened to this page a number of DLLs are loaded that inundate the system with popups.

I've run Spybot 1.3 with updates, AdAware SE with updates, Panda virus scan and Norton virus scan using Bloodhound. These cleared out all the popup SW that was loaded, but the startup program appears to remain (looks like it might be loaded then swapped into paged memory.) I need help in locating this program and getting rid of it.

Signed,

Hi-Jacked

Dear Hi-Jacked,

Have you tried msconfig.exe? You can disable startup items there. Try disabling individual startup items until you find the right one, then delete that one.

Alternatively, you can search the registry. Most startup items are in:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run; or

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

Examine the registry under \Software\Microsoft\Internet Explorer in each branch. Make sure the homepage and search URLs are legit, or delete them. I have cleaned systems to the point of knowing every running process is legit, then opened IE and had malicious apps launched with IE due to these entries. Once this is clean you should be okay.

I would also suggest these additional steps:

1. Go to Folder Options and enable "Show hidden files & folders".

2. Go to %SYSTEMROOT%\Prefetch\ and delete all files.

3. Go to C:\Documents and Settings\CURRENT_USER\Local Settings\Temp and delete all files.

4. Do a search for all folders called "Temporary Internet Files" and delete all files in them.

5. Look in any "Temp" directory where the files used to re-install the hijack software may be.

6. Use a more comprehensive utility than Task Manager to see what processes are running (just look around the web a bit). Look for processes you can't identify.

7. I have found MSCONFIG to be useless for this kind of thing so you're better off manually editing the registry. Go to the following keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Look for items you can't identify. See if you can trace the executable using the values in the associated PATH or IMAGEPATH keys.

HKEY_LOCAL_MACHINE\SOFTWARE and

HKEY_CURRENT_USER\SOFTWARE should be checked.

Look for vendor key names you don't know and look into them. You may find the culprit lurking there.

Another key to examine is...

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\

Now the reason for all of this deleting and such is that I have found that many of these browser hijackers can re-install themselves using boot calls to install programs hiding in the places noted. Often these will be CAB files in Prefetch, TEMP directories, and the BHO or ActiveX directories.
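The checks above can be scripted so the registry walk is repeatable. The following is an added example, not code from the original post; it assumes PowerShell 2.0 or later (not available on XP SP1 without an upgrade) and a user that can read HKLM. It lists every Run/RunOnce entry, flags ones whose executable is missing or lives in Prefetch or a Temp directory, and prints the IE start and search page values so they can be compared against what you expect.

```powershell
# Added example: audit the autostart keys and IE home/search settings named in the post.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories the post identifies as re-install staging areas; an autostart
# entry that executes from one of them deserves a closer look.
$stagingDirs = @("$env:SystemRoot\Prefetch", $env:TEMP, "$env:SystemRoot\Temp")

function Get-ExePath([string]$command) {
    # '"C:\x\y.exe" /arg' and 'C:\x\y.exe /arg' both yield C:\x\y.exe
    if ($command -match '^\s*"([^"]+)"') { return $matches[1] }
    return ($command -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PowerShell's own metadata, not a value
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath ([string]$p.Value)))
        $flags = @()
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { $flags += 'missing-file' }
        foreach ($dir in $stagingDirs) {
            if ($dir -and $exe.StartsWith($dir + '\', 'OrdinalIgnoreCase')) {
                $flags += 'runs-from-temp-or-prefetch'
            }
        }
        "{0}\{1} -> {2} {3}" -f $key, $p.Name, $p.Value, ($flags -join ',')
    }
}

# IE start/search pages in both hives; anything you did not set yourself is suspect.
foreach ($hive in 'HKCU', 'HKLM') {
    $main = "$($hive):\Software\Microsoft\Internet Explorer\Main"
    if (Test-Path $main) {
        Get-ItemProperty -Path $main |
            Select-Object 'Start Page', 'Search Page', 'Default_Page_URL' |
            Format-List
    }
}
```

Run it before and after cleaning; an entry that reappears between runs points at the re-install mechanism described above.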

It may take some diligence, but using these methods I was able to track down a particularly nasty hijacker on a customer's PC.

Prevention is simple: don't go to porn or gambling sites without having some decent security software running along with a firewall. My customer had neither. I charged him a "reasonable" amount for these hours of work (I'm a soft touch, I guess) but told him that if he didn't acquire the software/hardware required to protect himself I would charge him by the hour instead of by the task. This will cost him around $800.

Hope this helps.

Yrs,

The Wizard
