Browser Bug? Virus?


  #1  
10-14-06, 05:01 AM
E
Member
Thread Starter
Join Date: Mar 2002
Location: Ontario, Canada
Posts: 583

As I mentioned in another thread, I cleared up some abnormal CPU activity by uninstalling/reinstalling Zone Alarm but I still have what appears to be a browser infection of some sort.

When running Firefox OR Internet Explorer, clicking on a site in a page of search results will sometimes be redirected to another search page, usually Google. Other times I am taken to finance sites or travel offers pages. So far, nothing too malicious ... just annoying.

I thought Firefox was supposed to be immune or less prone to this type of thing?

I reinstalled Firefox but the problem still pops up.

AVG, Spybot, AdAware find nothing. Incidentally, I notice that my AVG scans now take less than 5 minutes to complete where they used to take close to 1/2 hour. The scan stops at around 5000 files ... not nearly what I have on disk. (Complete Scan set to 'scan all files')
 
  #2  
10-14-06, 09:29 AM
tae
Member
Join Date: Nov 2002
Posts: 2,451
ready to have some fun?

get hijack this:
http://www.tomcoyote.com/hjt/
run it.
Put a check mark next to every search and start page setting it lists which you haven't put there yourself and choose fix. Do the same for any hosts file entries. If it lists anything as O5, O6, or O7*, fix those as well.
*Note: Spybot S&D, Start Page Guard, Settings Sentry, and similar programs may provide options to lock settings against unauthorized changes. If you have these options enabled, HijackThis will detect that as a restrictions hijack. Disable those options before scanning with HijackThis.

Second, you have to put Internet Options back into the control panel. Do a file search and look for a file named "control.ini". Open it in Notepad. You may see something like this:

[don't load]
inetcpl.cpl=yes

Delete the "inetcpl.cpl=yes" line under "[don't load]". Save and close the file, then try the control panel again. If it's still not there, restart your machine and it should be there.

For Windows 2000 and XP, you will need to edit the registry to do this. Go to the start menu > RUN command > type REGEDIT and press enter. Navigate through the registry keys until you get to HKEY_CURRENT_USER\Control Panel\don't load\. Look and see if inetcpl.cpl is listed. If it is, delete the entry for it and log off.

Run a search on your hard drive for any files ending with *.hta or *.js. If you find any, open them in Notepad or some other text editor and look for the URLs that you have been hijacked to. Delete any file with those URLs. Also delete all *.tmp files on your drive; some of them contain malicious code (e.g. for browser hijacks or malware (re)installations). Besides, deleting *.tmp files doesn't hurt, unlike DLLs, which are also used sometimes for this purpose.

HijackThis will list any BHO installed on your computer. Check the BHOs listed against the list of all known BHOs. If you find one listed as some sort of spyware/malware/hijackware, run HijackThis again and find that BHO in the list. Check its box and have HT fix it. (The list: http://www.castlecops.com/CLSID.html)


Now you need to see if there is a startup entry for your hijacker file. The next time you reboot, the hijack might come right back. The reason for this would be an entry in the run section of the registry.

Look in HijackThis for O4 startup items. Check the entries listed against Pacman's List (the list, under "the programs"):
http://www.pacs-portal.co.uk/startup_content.php
For items listed as virus, malware, spyware, or something else that is undesirable, put a checkmark next to each one and "fix" it.

Again, it will be absolutely necessary for you to close all open windows before any of these changes will take effect. That includes this window. Some changes may even require a log off or even a reboot before they have any effect.

See if this helps any.
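
The hosts-file and "[don't load]" checks described in the post above, as an added example that is not part of the original post: it flags hosts entries that pin a name to a non-local address and lists Control Panel applets hidden through control.ini. The sample file contents, addresses and function names are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample inputs (not from the thread); 203.0.113.0/24 is a documentation range.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1      localhost
203.0.113.10   www.example.com search.example.org   # redirect entry
0.0.0.0        ads.example.net
not-an-ip      junk.example
"""

SAMPLE_CONTROL_INI = """\
[current]
color schemes=Windows Default

[don't load]
inetcpl.cpl=yes
"""

def audit_hosts(text):
    """Return (ip, hostname) pairs that map a name to a non-local address."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, not a mapping
        if ip.is_loopback or ip.is_unspecified:
            continue                             # defaults and block-list entries
        findings.extend((str(ip), name.lower()) for name in fields[1:])
    return findings

def hidden_applets(text):
    """Return applet names listed under [don't load] in control.ini text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.read_string(text)
    if not parser.has_section("don't load"):
        return []
    return sorted(parser.options("don't load"))

if __name__ == "__main__":
    for ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts: {name} is pinned to {ip}")
    for applet in hidden_applets(SAMPLE_CONTROL_INI):
        print(f"control.ini hides applet: {applet}")
```

Entries the script reports still need a human decision: a hosts line you added yourself is not a hijack.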
 
  #3  
10-15-06, 07:42 AM
E
Member
Thread Starter
Join Date: Mar 2002
Location: Ontario, Canada
Posts: 583
I have been nosing around the Hijack This forum(s) but it was a little over my head. After clearing my temp files & cleaning up my browsers' history, the problem seems to have abated but if it comes back, I guess I will have to knuckle down and do some studying (of Hijack).

BTW, I'm running XP Pro & Internet Options IS in the Control Panel.

Thanks for all the tips. I'll let you know the results.
 
  #4  
10-15-06, 07:48 AM
E
Member
Thread Starter
Join Date: Mar 2002
Location: Ontario, Canada
Posts: 583
As long as I am here ...

... I have a second hard drive that I use only for data storage and was thinking of putting all my records (finances, pictures, personal stuff) there while keeping only programs on my main (C) drive, just in case I needed to do a 'flush-and-fill' (reformat).

Will my data be reasonably safe from infection if I do this? I know it won't be completely safe but I think it would be better, would it not?
 
  #5  
10-16-06, 06:27 PM
F
Member
Join Date: Feb 2005
Location: Northern New Jersey
Posts: 468
Originally Posted by Editor
As long as I am here ...

... I have a second hard drive that I use only for data storage and was thinking of putting all my records (finances, pictures, personal stuff) there while keeping only programs on my main (C) drive, just in case I needed to do a 'flush-and-fill' (reformat).

Will my data be reasonably safe from infection if I do this? I know it won't be completely safe but I think it would be better, would it not?


If the drive is internal (on at all times), it may not be any safer.

If you have an external (USB) drive that you want to use only for backups, then you would just have it "ON" while the backups are being taken, and "OFF" the rest of the time. This is what I do once a week. It may seem wasteful, but "OFF" is obviously 100% safe.

I would do a full blown scan of the original drive before backing up anything to the alternate. AVG, Norton, McAfee, whatever....just make sure everything is up to date on the definitions.
 
  #6  
10-16-06, 07:10 PM
tae
Member
Join Date: Nov 2002
Posts: 2,451
you can password protect, or set certain user rights or file sharing on the second drive. you can get software that will "freeze" the second drive allowing no access.
Stay away from those "high risk" web sites!!
 
  #7  
10-16-06, 08:24 PM
G
Member
Join Date: Feb 2006
Posts: 94
Originally Posted by fxcarden
If the drive is internal (on at all times), it may not be any safer.

If you have an external (USB) drive that you want to use only for backups, then you would just have it "ON" while the backups are being taken, and "OFF" the rest of the time. This is what I do once a week. It may seem wasteful, but "OFF" is obviously 100% safe.
the second it's on, it's just as prone to any infection as any other writable drive in the system .. it's just hooked up through a different mechanism (SATA/PATA vs USB) and isn't always on


Originally Posted by fxcarden
I would do a full blown scan of the original drive before backing up anything to the alternate. AVG, Norton, McAfee, whatever....just make sure everything is up to date on the definitions.
As a long time computer user and programmer, I recommend staying away from Norton A/V ... it used to be *the* A/V solution, but anymore I've seen it cause WAY more problems than it is worth ... besides, AVG (www.grisoft.com) has a completely free home version and oftentimes their virus database is more updated than the more major players like McAfee and Norton

Similar to the old adage (sp?), "Save Early, Save Often" .. if you're super concerned about your data, get a Dual-Layer (DVD-9) DVD burner ... this gives you 9GB per disc ... burn two copies and store one in a safety deposit box ... much faster/more efficient than old tape backups and not prone to electromagnetic degradation ...

but, i have to admit i'm being hypocritical, since i've got 659GB on a 1TB (~1,000GB) drive in my file server that isn't backed up anywhere ... hopefully soon, i'll upgrade to a RAID array so if a drive fails i don't lose anything ... of course, if you get some nasty virus, it won't protect against that (10 years in the industry and i've yet to have a virus ... and that's with running A/V about 4 of those 10 years ... it's 90% thinking before clicking and 10% running A/V in my personal and professional opinion)
 
  #8  
10-16-06, 08:27 PM
G
Member
Join Date: Feb 2006
Posts: 94
Originally Posted by Editor
As long as I am here ...

... I have a second hard drive that I use only for data storage and was thinking of putting all my records (finances, pictures, personal stuff) there while keeping only programs on my main (C) drive, just in case I needed to do a 'flush-and-fill' (reformat).

Will my data be reasonably safe from infection if I do this? I know it won't be completely safe but I think it would be better, would it not?
oh, by the way, not for exactly the same reason, but this definitely is the way to do it (programs on one drive, data on another) ... this is how i've run my systems for years now... most data is stored on my file server in the basement (which also has separate OS/data drives), but video from my DV cam is on a secondary drive in my main video editing system ...

recently, i had a drive go bad in my file server ... fortunately, it was my OS drive and i had backups of all my configuration files (it runs Linux, not that nasty Windows thing :P) ... popped in a new 320GB SATAII drive, reinstalled Fedora Core 5 and off i went .... up and running mostly to the place i was at within a few hours
 
  #9  
10-17-06, 11:42 AM
AxlMyk
Banned. Rule And/Or Policy Violation
Join Date: Dec 2005
Location: Earth
Posts: 869
Originally Posted by glandix
(10 years in the industry and i've yet to have a virus ... and that's with running A/V about 4 of those 10 years ... it's 90% thinking before clicking and 10% running A/V in my personal and professional opinion)
I've been using computers since 1989, and I also have yet to get a virus.. It's just a matter of being careful..
The one virus I did get, I had asked someone to send me his infected file, just for "Play around" value, and it never did infect my machine..
I use AVG, Spybot/Spyware blaster, and I have no firewall installed.. If your router (if you have one) is properly configured, you are safe to all but the most hardcore hackers.. 99+% of potential hackers are kids messing around, and I have nothing of value that the Pros want..
 
  #10  
10-17-06, 03:51 PM
G
Member
Join Date: Feb 2006
Posts: 94
Originally Posted by AxlMyk
I've been using computers since 1989, and I also have yet to get a virus.. It's just a matter of being careful..
The one virus I did get, I had asked someone to send me his infected file, just for "Play around" value, and it never did infect my machine..
absolutely ... last one i got was around the "happy99" era ... purposely infected my machine so i could figure out how to reverse the changes and write a script to clean the computers in the lab i was working in at the time


Originally Posted by AxlMyk
I use AVG, Spybot/Spyware blaster, and I have no firewall installed.. If your router (if you have one) is properly configured, you are safe to all but the most hardcore hackers.. 99+% of potential hackers are kids messing around, and I have nothing of value that the Pros want..
*shudder* .. coming from a background in administration for various ISPs and hosting companies, it makes me nervous not having both a border firewall and then an internal firewall inside of that running NAT and iptables! :P

but a typical DSL/Cable router should be ok for keeping most script kiddies out
 
 
