 
914World.com - The fastest growing online 914 community!
 
> OT, Help, Browser take over attack
rhodyguy
post Feb 21 2005, 02:18 PM
Post #21





travis, how is the hk_local_machine... actually performed? do you mean go to google and type in the new registry to find it? example, i clicked on an ebay link in a thread, the change in browser notice came up and i went through the numerous clicking to retain the current one, back here and the notice came back, and went through the drill again.

k
JB 914
post Feb 21 2005, 02:32 PM
Post #22





download mozilla. problem solved.
TravisNeff
post Feb 21 2005, 03:08 PM
Post #23





A file is downloaded into your temp directory, it places an .exe file probably in your windows or windows\system directory, it then places a call to start that .exe file in the "run" entry of the registry; thus every time you boot your computer and login - the file is launched. If you delete the entry, a few seconds later that file in your temp directory re-enters that run command. It's a pain, you can't delete the file in windows as it is running and in use most of the time. A trick that has worked for me a couple times is to put a bogus .exe filename in the registry in place of the one you want to delete, reboot then delete the registry entry, the file in the windows dir and also the one in your temp area.

They all operate a little differently - so you may have to dream up a few different ways to get around it.

What I meant by a google search was, take a look in the "run" area of your registry, write down each of the .exe files that are running, rule out the ones you know are supposed to be there (and if you don't this is where google will help). After you wrote down all those file names, hit google and search for each of those files. If you have a popup program running and you did a search on the .exe file, you most likely will get a ton of sites that tell you how to remove that program. make sense?
rhodyguy
post Feb 21 2005, 06:12 PM
Post #24





i sent the data to you travis. for you other computer guys, here is what is going on with me. "Your I.E. search page has been changed". from http://mynetzero.net/s/search?r=minisearch, to http://websearch.dsnsvch.com/sidesearch.cg...867807806id=5.0

it takes 6 restore old search page clicks to make the notice go away. if i click on the link for the wcc the notice is there all over again. i have a notation in the registry of,

Default Reg SZ value not set. ? i did not intend to add the links. first time i've ever added one and i didn't mean to.

k

This post has been edited by rhodyguy: Feb 21 2005, 06:13 PM
Pnambic
post Feb 21 2005, 08:48 PM
Post #25





Just some little tricks that might help you along the way.

ALT F4 Kills the active window. It's a lot easier than searching for the "X" in the top right of the window especially when many of the pop-ups purposefully make the windows so big that the X is outside the viewable section of window. Closing a window quickly may also prevent it from opening up additional windows itself.

Some registry folders are not writable while Windows is running. So you can tell it to delete an item, and the computer will at first act like it did it, but won't actually delete the reference. A cheap trick here is to rename the folder itself, then delete the item and then rename the folder back.

Hope some of this helps.
Bruce Allert
post Feb 21 2005, 09:03 PM
Post #26





I was scourged with the "About:blank" take over
I did spybot... no help. it kept coming back. I did adaware... nadda...... I did another one that MSN voted best download for free 30 day trial, it did better than the rest but the "blank" shit thing eventually came back.
The only way I got rid of it was to do a complete restore of my computer

It's O K now......

.........b
SirAndy
post Feb 21 2005, 09:25 PM
Post #27





QUOTE (joe buckle @ Feb 21 2005, 12:32 PM)
download mozilla.  problem solved.

nope, problem *NOT* solved because he would still have the spyware on his computer!

and if it's one of the better spy-apps, it'll read your online banking password just as well from a mozilla displayed web-page as from an IE displayed web-page!


dude, make sure to get rid of *ALL* that spycrap before you even think about installing another browser !!!

Andy
SirAndy
post Feb 21 2005, 09:28 PM
Post #28





QUOTE (Bruce Allert @ Feb 21 2005, 07:03 PM)
I was scourged with the "About:blank" take over

huh?
"about:blank" is one of the default settings for your browser's homepage!

i have this as my default setting ...
Andy


rhodyguy
post Feb 22 2005, 07:32 AM
Post #29





are there any concrete indicators in the registry for the shite? for the example i displayed, would i have to be offline to try to delete the attempted i.e. change?

k
Rusty
post Feb 22 2005, 07:40 AM
Post #30





When I've run into computers that are severely corrupted with Spyware, I find it helpful to disconnect from the internet while I'm doing the cleanup.

Are you on broadband cable/DSL? Do you have a firewall?

-Rusty
rhodyguy
post Feb 22 2005, 07:56 AM
Post #31





dial up. i won't give comcast another penny other than my basic cable. the way it was explained to me, there are not enough houses on my street to warrant quest making dsl available. firewall?, i don't know. the laptop came to me, legally i want to add, fully loaded at a near free price. i run spybot regularly and know to go offline to run it. most times i get "no immediate threat detected". until yesterday i was not even aware of the registry, let alone how to find it. another member was kind enough to offer some help and i sent some data from the registry to him to look at. some people can walk through a computer and operations. i had never even touched one until 2001.

k
Bruce Allert
post Feb 22 2005, 08:04 AM
Post #32





QUOTE (SirAndy @ Feb 21 2005, 08:28 PM)
QUOTE (Bruce Allert @ Feb 21 2005, 07:03 PM)
I was scourged with the "About:blank" take over

huh?
"about:blank" is one of the default settings for your browser's homepage!

i have this as my default setting ...
Andy

Something caused this to become a pop up and take over while I'd surf the net. It wouldn't let me view Ebay! Open Ebay then POOF I'd be at the about:blank page. Try this site & same thing. I tried everything to get that to stop. Did a Google search about it and it seems I wasn't the only one to have this happen. I dunno

.........b
rhaas
post Feb 22 2005, 08:06 AM
Post #33





microsoft has a great antispyware. It is free in beta form right now. It notifies you of any changes to the registry. This has fixed stuff on my computer that the others couldn't.
skline
post Feb 22 2005, 08:11 AM
Post #34





I do this every day for clients, the ones you delete in the registry that keep coming back are services that are running at that time. To delete them, you need to boot the computer into safe mode. Then delete the registry entries. Then go into the windows explorer and manually go through all executables in your windows and system and system32 folders and delete the ones that don't belong there. It's easy to tell, if you hold the cursor over the file name, it will tell you who wrote it, if it doesn't say anything but the file name and date, it's probably not supposed to be there. Group all files by name, it makes it easier. Also, look at the date of the file as well. Check your startup folder also, remove anything you don't want in there. And DO use Mozilla instead of Internet Exploder.

Also, you need to check all of the keys in the registry, not just local machine. And Microsoft does not suggest that you edit your own registry, they will not support you if you do it without guided help. Their exact words when I was taking their classes were, "If you don't know what you are doing, don't edit the registry, changes are immediate and not reversible."
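An added example, not posted by anyone in this thread: a read-only PowerShell listing of the "run" entries TravisNeff describes, covering both the local-machine and current-user hives as skline advises, with the publisher field that the Explorer tooltip shows. It assumes a current Windows PowerShell; `Get-CommandTarget` is the example's own helper, and nothing is deleted or changed.

```powershell
# Added example: read-only triage of Run/RunOnce autostart entries.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Get-CommandTarget is this example's own helper: it pulls the executable
# path out of a Run value such as  "C:\Program Files\App\app.exe" /tray
function Get-CommandTarget([string]$Command) {
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"') { $path = $Matches[1] }
    elseif ($expanded -match '^(.+?\.(exe|com|bat|cmd|scr))(\s|$)') { $path = $Matches[1] }
    else { $path = ($expanded -split '\s+')[0] }
    # Bare names like "rundll32.exe" are resolved through PATH.
    if ($path -and $path -notmatch '^([A-Za-z]:\\|\\\\)') {
        $app = Get-Command $path -CommandType Application -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($app) { $path = $app.Path }
    }
    return $path
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $target  = Get-CommandTarget ([string]$item.GetValue($name))
        $exists  = $target -and (Test-Path -LiteralPath $target -PathType Leaf)
        $company = $null
        $sig     = 'n/a'
        if ($exists) {
            # CompanyName is the publisher field Explorer shows for a file.
            $company = (Get-Item -LiteralPath $target -Force).VersionInfo.CompanyName
            $sig     = (Get-AuthenticodeSignature -LiteralPath $target).Status
        }
        $reasons = @()
        if (-not $exists) { $reasons += 'target missing' }
        elseif ([string]::IsNullOrWhiteSpace($company)) { $reasons += 'no publisher info' }
        if ($target -match '\\Temp\\') { $reasons += 'runs from a temp directory' }
        [pscustomobject]@{
            Key = $key; Name = $name; Target = $target
            Publisher = $company; Signature = $sig; Review = ($reasons -join '; ')
        }
    }
}
$report | Sort-Object Review -Descending | Format-List
```

Entries with a non-empty `Review` field are the ones to look up first; an empty field means only that none of these three checks fired.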
rhodyguy
post Feb 22 2005, 08:23 AM
Post #35





that's the problem scott. i don't know what i'm doing and the constant notifications are driving me crazy. did you take one of those intensive ms tech programs? no offense, half of your procedure's tech references gave me a headache. for instance, what is booting the computer into a safe mode?

k
skline
post Feb 22 2005, 08:27 AM
Post #36





Yes, I took a lot of classes from Microsoft, got certified back in the early 90's. There are books out there on mastering the Windows registry. At least there used to be.

Edited for spelling, sometimes I just go too fast.
rhodyguy
post Feb 22 2005, 08:31 AM
Post #37





"matering". tylenol please.

k
reverie
post Feb 22 2005, 10:49 AM
Post #38





I don't think an amateur should do any file deletions. That strategy should only be used by someone who is very knowledgeable. From an amateur's perspective, we don't know what's important and what's not important. Deleting the wrong files could give you a non-functional computer.

IMO, it's much better to use the free downloadable versions of Spybot and Spysweeper (as per a recent review in PC World Magazine, both of those together will provide excellent coverage), and also purchase a one-year downloadable subscription to McAfee Antivirus (rated better than Norton at finding and removing viruses and trojans).
SirAndy
post Feb 22 2005, 10:50 AM
Post #39





QUOTE (rhodyguy @ Feb 22 2005, 06:23 AM)
for instance, what is booting the computer into a safe mode?

i highly recommend not touching the registry by hand ...


start in safe mode, open the task manager (ctrl-alt-delete), take a screenshot,
restart normally and post it here.
we'll be able to tell you which tasks to kill.

then start in safe mode again, open the task manager (ctrl-alt-delete), kill all the threads we told you to, then run spybot ...

that should do the trick ...
Andy
rhodyguy
post Feb 22 2005, 11:02 AM
Post #40





all well and good. reread what i've been posting roger.

andy, please explain the following:

1. what is "starting in safe mode"?
2. "alt clear delete" is what i have to type to enter the password. is that what you mean?
3. what is, and how does one take a screenshot to post here? how the heck would i post it?

i'll be waiting. if someone wants to call me collect and walk me through this, it would be most excellent also.

k