Network Security Focus-Virus

RE: Hijacked Internet Explorer

Subject: RE: Hijacked Internet Explorer
Date: Wed, 4 Jan 2006 08:30:39 -0500
Check out HijackThis. As well, enumerate anything suspicious in
HKLM/Software/Microsoft/Windows/CurrentVersion/Run, RunOnce, etc. and
boot to Safe Mode, disable System Restore and manually delete the files.
While you're in Safe Mode, look in the Services applet for anything
suspicious.  Also look in %Systemroot%\system32 and sort files by date
created.  Look for anything out of the ordinary that has been created
within the past 2-3 weeks.

This should help you track down and eliminate any of the more "easily"
removed spyware.  Some of the nastier stuff (Vundo comes to mind) hooks
into explorer through the registry and will even start in safe mode.  In
that case - you see it reappear after attempting to remove it with all
known methods - put the hard drive in another system, boot to Safe Mode
Command Prompt only and manually remove the files.

HTH,

Mike Fetherston

-----Original Message-----
From: Chris Barber [mailto:cmbarber@gmail.com]
Sent: Tuesday, January 03, 2006 3:01 PM
To: focus-virus@securityfocus.com
Subject: Hijacked Internet Explorer

I have a user on a home network that has an oddity I have not seen
before while using search engines.  On the PC we have tried Yahoo,
Google, MSN, Lycos, not sure but we may have done a few others, but the
actions are all the same.  We enter a search item, say ACE, and the
results come back of course ACE Hardware is in the list.  When I mouse
over the link the URL displayed in IE Status indicates the correct URL
for ACE Hardware.  Now when I or he clicks on the link we go to some
other ads page, we click back and click the link a second time and get
sent to a second ad site. After clicking back a second time and then
clicking the link for the third time we get to the ACE Hardware site.
One note on this is that the URL we are directed to is not the same as
the link so I know it is not a DNS Hijack, but more of a redirect.

This happens with any and every site we have looked for in the last
week or so.  The "Anomaly" began shortly before Christmas.

The PC is currently running ZoneAlarm and no messages have indicated
any new software trying to gain access to the network.  I have also
run AdAware SE, Spybot, and MS Anti-Spyware.  Currently running on the
PC is Symantec AV with the latest updates, I have also run McAfee from
a boot disk.

At this point I am thinking it may be some form of Browser Helper
Object or some registry hack, but I am out of ideas to further
investigate, clean and protect against this in the future.

Does anyone have any suggestions or ideas on what I could try next?

Thanks in advance for the help.

Chris.
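
The manual checks discussed in this thread (Run/RunOnce values, Browser Helper Objects, services, and recently created files in %Systemroot%\system32) gathered into one read-only PowerShell listing. This is an added example, not part of either message; the HKCU hive, the CLSID lookup for each BHO and the 21-day window are assumptions.

```powershell
# Added example: read-only triage of the locations named in the thread.
$days = 21   # assumption: upper end of the "past 2-3 weeks" from the reply

# 1. Autostart values under Run / RunOnce (HKLM is from the reply; HKCU is an assumption).
$autoruns = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($name in 'Run', 'RunOnce') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\$name"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($valueName in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $valueName; Command = $item.GetValue($valueName) }
        }
    }
}

# 2. Browser Helper Objects: each subkey is a CLSID; resolve it to the DLL it loads.
$bhoRoot = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$bhos = if (Test-Path -LiteralPath $bhoRoot) {
    Get-ChildItem -LiteralPath $bhoRoot | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
        $dll    = if (Test-Path -LiteralPath $server) { (Get-Item -LiteralPath $server).GetValue('') }
        [pscustomobject]@{ Clsid = $clsid; Dll = $dll }
    }
}

# 3. Services set to start automatically, with the binary each one runs.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' } |
    Sort-Object Name |
    Select-Object Name, State, PathName

# 4. Files in system32 created inside the window, newest first.
$cutoff = (Get-Date).AddDays(-$days)
$recent = Get-ChildItem -LiteralPath "$env:SystemRoot\System32" -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $cutoff } |
    Sort-Object CreationTime -Descending |
    Select-Object CreationTime, Length, Name

# Print each list for manual review; nothing is modified or deleted.
$autoruns | Format-Table -AutoSize -Wrap
$bhos     | Format-Table -AutoSize -Wrap
$services | Format-Table -AutoSize -Wrap
$recent   | Format-Table -AutoSize
```

The output is a starting list for review, not a verdict: a BHO whose DLL was created inside the same window as the symptoms is the first entry to look up.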
