Re: Website URL Hacked - Stays Forever

From: Chuck (none_at_example.net)
Date: 08/11/04


Date: 11 Aug 2004 16:18:15 -0500

On Wed, 11 Aug 2004 11:54:19 -0700, "Kevin"
<anonymous@discussions.microsoft.com> wrote:

>Basically, it is bizarre. Whenever I open my IE or click
>on a link, IE will try to go to www.ads234.com . It is
>not set as my homepage, but it just seems to want to go
>there by itself. How can I fix this?
>
>Here is an example... I took a screenshot and I was at
>this webpage and I wanted to go to paypal.com, and you
>can see it wants to go to ads234.com on its own.
>
>http://photos.e46fanatics.com/data/3350/22348ads234.jpg
>
>Notice the URL on the bottom of this picture.
>
>I used the Bazooka Spyware Scanner, Ad-Aware 6.0, and
>McAfee Virus Scanner. And they all are updated to the
>newest definitions. None of those scanners picked this
>thing up.

Kevin,

Looks like a hijack of some type to me. AA may not be the best tool here (I
don't know Bazooka), and this most likely is NOT a virus so McAfee is not
relevant. Give AA another shot, though, in intensive scan mode. And try these
other tools - all are free, so you have only your time to lose.

This looks to me like the same trick as was used in phishing attempts a couple
months ago - overlay the toolbar (including the URL) in the browser with a legit
URL, throw the hijacking webpage out where the legit one should be, and hope
that the victim doesn't spot the hijacking webpage URL in the status bar at the
bottom (but you did HaHa).

Start by downloading each of the following free tools:
CWShredder <http://www.majorgeeks.com/download4086.html>
CoolWWWSearch.SmartSearch (v1/v2) MiniRemoval
<http://www.majorgeeks.com/download4113.html>
HijackThis <http://www.majorgeeks.com/download.php?det=3155>
LSP-Fix and WinsockLSPFix <http://www.cexx.org/lspfix.htm>
Spybot S&D <http://www.safer-networking.org/index.php?page=download>

Install and run Stinger.
<http://us.mcafee.com/virusInfo/default.asp?id=stinger>

Install and run AboutBuster.
<http://www.downloads.subratam.org/AboutBuster.zip>

Create a separate folder for HijackThis, such as C:\HijackThis - copy the
downloaded file there. Spybot S&D has an install routine - run it. The other
downloaded programs can be copied into, and run from, any convenient folder.

Start by closing all Internet Explorer and Outlook windows, and running
CoolWWWSearch.SmartSearchMiniRemoval, then CWShredder. Have the latter fix all.

Next, run AdAware. First update it ("Check for updates now"), configure for
full scan (<http://www.lavahelp.com/howto/fullscan/>), then scan ("Start" - "Use
custom scanning options" - "Next"). When scanning finishes, select everything,
and hit Next again.

Next, run Spybot S&D. First update it ("Search for updates"), then run a scan
("Check for problems"). Trust Spybot, and delete everything ("Fix Problems")
that is displayed in Red.

Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save the
HJT Log.
<http://forums.spywareinfo.com/index.php?showtopic=227>

Finally, have your HJT log interpreted by experts at one or more of the
following security forums (and post a link to your forum posts, here):
Aumha: <http://forum.aumha.org/index.php>
Net-Integration: <http://forums.net-integration.net/>
Spyware Info: <http://forums.spywareinfo.com/>
Spyware Warrior: <http://spywarewarrior.com/index.php>
Tom Coyote: <http://forums.tomcoyote.org/>

If removal of any spyware affects your ability to access the internet (some
spyware builds itself into the network software, and its removal may damage your
network), run LSP-Fix and / or WinsockXPFix.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
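
An added example, not part of Chuck's post: a way to pull the redirect-related entries out of a saved HijackThis log before posting it for expert review. The section codes are HijackThis's own; the sample log is constructed, and the names `parse_log`, `review_list` and `expected_hosts` are hypothetical.

```python
import re
from collections import defaultdict

# HijackThis section codes that bear on a browser redirect (not the full list).
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "O1": "hosts file redirection", "O2": "Browser Helper Object",
    "O3": "IE toolbar", "O10": "Winsock LSP entry",
    "O13": "IE DefaultPrefix change", "O17": "DNS/domain setting",
}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O2 - BHO: ..."
HOST = re.compile(r"https?://([^/\s\"]+)", re.I)

# Constructed sample log: every path, CLSID, address and host is made up.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.redirect.example/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O1 - Hosts: 203.0.113.7 www.paypal.com
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\sample.dll
O4 - HKLM\..\Run: [Updater] C:\Program Files\Sample\upd.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\sample_lsp.dll
"""

def parse_log(text):
    """Return {section code: [entry detail, ...]} for every 'Xn - ...' line."""
    found = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            found[m.group(1)].append(m.group(2))
    return dict(found)

def review_list(text, expected_hosts=()):
    """List redirect-relevant entries and any URL hosts the user did not set."""
    rows = []
    for code, details in parse_log(text).items():
        if code not in SECTIONS:
            continue  # other sections stay in the full log for the reviewers
        for detail in details:
            hosts = [h.lower() for h in HOST.findall(detail)]
            unknown = [h for h in hosts if h not in expected_hosts]
            rows.append((code, SECTIONS[code], detail, unknown))
    return rows

if __name__ == "__main__":
    for row in review_list(SAMPLE_LOG, {"www.google.com"}):
        print(row)
```

The output is a reading aid only; whether an entry should be fixed is still the forum reviewers' call on the complete log.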


