Attacked by an executable (IE5) - suggestions?

Wiggum

Distinguished
May 20, 2002
Hey all,

I'm usually the guy that friends come to with computer problems, but this one has me stumped.....

A friend of mine was surfing the web with Win98 and IE5, and during his last session, he noticed some odd behavior.

His computer was responding slower than usual, so he checked what was running in the background (via ctrl-alt-delete). He noticed a new file (bootconf.exe), and disabled it in msconfig / startup.

But when he used his computer the next day and launched IE5, his Home page (or start-up page) was no longer MSN.com, but some cheap-o search engine.

He then opened up the Tools / Internet Options dialog of IE5 and clicked "default", but instead of getting MSN.com (the Win98 standard default), he got the same cheesy search engine.

He also claims that a pop-up from this site appears more frequently than coincidence would allow, but I can't verify or disprove that.

When he called me, I deleted the bootconf.exe file, but the problem with the default home page remained. I then checked all of the standard places that a sinister file might reside (cookies, temp files, .ini files, the registry, etc.), but I still can't find the culprit.

Any suggestions as to what might be going on? Any suggestions as to how to correct it (other than a complete reinstall of Win98)?

If I could find where IE5 stores the default home page (MSN.com), I might be able to find the file(s) that are causing the unwanted behavior.

Any help is appreciated.

Wiggum
 

Toejam31

Distinguished
Dec 31, 2007
Sounds like the system has been hijacked by some kind of spyware or a virus.

Use these programs to check and remove any spyware. These are the common, preferred tools for removing applications of this type.

Spybot: http://security.kolla.de/

Adaware: http://www.lavasoftusa.com/

If your friend needs a quick online virus scanner, go here:

Panda ActiveScan: http://www.pandasoftware.com/activescan/com/default.asp?language=2

Afterwards, you might want to boot the system into Safe Mode, and remove "C:\WINDOWS\SYSTEM\bootconf.exe".

You also might need to search the Registry for instances of this file loading during the boot, such as in keys like: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run.

If you are not sure how to access the Registry, go to Start\Run, and type "regedit" (without the quotes). Use the "Find" feature under the Edit context menu on the toolbar to search.

You should be able to manually change the start page assigned to Internet Explorer by searching for "Start Page" in the Registry, and changing the URL assigned to the "Data" for any of these entries, such as in:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main.

Mind you, I'm looking through a WinXP Registry to find these key paths as I write them down, but you should be able to find similar keys in the Win9x Registry.

Hopefully, with the spyware or virus removed, you will once more be able to assign the start page through Internet Options, without needing to edit the Registry. But just in case, it's good to have the information on hand.

Note: Always use the export feature under "File" to back up a copy of the Registry before editing, so it can be replaced if something goes wrong! The Registry is completely unforgiving of mistakes, so use caution when in this area, or you could render the system unbootable.

Toey

My System Rigs: http://forums.btvillarin.com/index.php?act=ST&f=41&t=328&s=91c282f2e5207e99b7a652ee13b3512a
___________________________________________

BTVILLARIN.com (http://forums.btvillarin.com/) - Your Computer Questions Answered
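As an added example (not code from this thread or any of its posters): the post above recommends backing up the Registry with File > Export before editing it, and names the Run keys and the Internet Explorer "Start Page" value as the places a hijacker settles in. The script below reads such an exported .reg file and lists the values under exactly those keys, flagging autostart entries that are not on an allow-list and browser pages that do not point at the expected host. The sample export, the allow-list, and the hijacker URL (an .invalid placeholder) are constructed for illustration; "Search Page" is a sibling value in the same IE key that the post does not mention, included here as an assumption about where the bad-URL redirect described later in the thread is configured.

```python
"""Audit a regedit .reg export for the persistence points named in the thread.

Added example, not code from the thread or its posters. It reads a file made
with regedit's File > Export (the backup step recommended above) and lists the
values under the three Run keys and the Internet Explorer Main key, flagging
anything not on a small allow-list. The sample export, the allow-list and the
hijacker URL (an .invalid placeholder) are constructed for illustration.
"""
import re
import sys
from urllib.parse import urlsplit

# Registry paths quoted in the post, compared case-insensitively as regedit does.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_users\.default\software\microsoft\windows\currentversion\run",
}
IE_MAIN = r"hkey_current_user\software\microsoft\internet explorer\main"
# "Start Page" is the value the post names; "Search Page" is a sibling value in
# the same key used for address-bar searches (assumed relevant to the bad-URL
# redirect described later in the thread).
IE_VALUES = {"start page", "search page"}
EXPECTED_HOST = "msn.com"             # the Win98 default the original poster expects
KNOWN_RUN_ENTRIES = {"scanregistry"}  # constructed allow-list of expected autostarts

# Constructed sample export in regedit's REGEDIT4 text format (not real data).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"bootconf"="C:\\WINDOWS\\SYSTEM\\bootconf.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.cheap-search.invalid/"
"Search Page"="http://www.cheap-search.invalid/find?q=%s"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="string"  (REG_SZ only; dword:/hex: values are ignored here)
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo .reg escaping: a backslash protects the following character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: string_data}} for REG_SZ values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def on_expected_host(url):
    """True when the URL's host is EXPECTED_HOST or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    return host == EXPECTED_HOST or host.endswith("." + EXPECTED_HOST)


def audit(keys):
    """Return (key, value_name, data, reason) tuples worth a human's attention."""
    findings = []
    for key, values in keys.items():
        if key in RUN_KEYS:
            for name, data in values.items():
                if name.lower() not in KNOWN_RUN_ENTRIES:
                    findings.append((key, name, data, "unrecognised autostart entry"))
        elif key == IE_MAIN:
            for name, data in values.items():
                if name.lower() in IE_VALUES and not on_expected_host(data):
                    findings.append((key, name, data, "browser page not on expected host"))
    return findings


def read_reg_file(path):
    """Win9x exports are ANSI text; later regedit versions write UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")


if __name__ == "__main__":
    # Usage: python audit_reg.py backup.reg   (falls back to the constructed sample)
    text = read_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    for key, name, data, reason in audit(parse_reg(text)):
        print(f"{reason}: [{key}] {name!r} = {data!r}")
```

The script only reports; it never writes to the Registry, so it can be run against a backup taken from the affected machine and reviewed on a clean one. Each finding still needs a person to decide whether the entry is legitimate before it is removed with regedit.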
 

Crashman

Polypheme
Former Staff
People often click "Yes" without thinking about it. He probably went to a site (usually by mistake) and had a popup window ask him if he wanted to set it as his default homepage. When he clicked yes by mistake, it edited his registry entry for default homepage...etc.

This often happens when you type a wrong/misspelled entry into the address bar and click enter. The reason it happens is that these places buy up "junk" addresses, just for this purpose.

You can run regedit from Run under the Start menu and do a search for that domain name in the registry, and change it back to www.msn.com or whatever, and that should fix the default thing. Then when he sets homepage to default, it should bring up msn.com.

After setting IE to its new default homepage, run AdAware to remove the adware that this page loads every single time that page opens.

Watts mean squat if you don't have quality!
 

nach

Distinguished
Jun 11, 2003
I'd like to point out that there are also some unscrupulous web sites that prompt the user to install an object onto IE which afterwards changes the theme in your browser including home page, also icons, etc.

It happened to me once and luckily there was an uninstall program with it. You could be inflicted with this bug, I cannot remember exactly which site it was but beware.
 

nach

Distinguished
Jun 11, 2003
Look for the program in Windows add/remove programs, if none you could try installing IE6 which should overwrite all the IE5 files. :smile:
 

Wiggum

Distinguished
May 20, 2002
Thanks guys for all of the suggestions......

We sat down the other night and tried many of the fixes, and achieved some success.

We successfully restored the default Home Page feature (Tools / Internet Options) with the registry editor, and also cleared out a bunch of other entries that shouldn't have been there.

We found an unknown internet plug-in that was created around the same time that the problem was discovered (and deleted it), and system performance appears to be improving.

But we haven't been able to beat one symptom, and that's the redirect behavior of the browser.

If you type a nonsense URL into the IE5 command line, you should (by default) get a Microsoft site (searchMSN/dnserror) that tells you that the URL cannot be found. With his computer, you get the sinister, el cheap-o search engine that is the culprit behind this debacle. We changed some entries in the registry and thought we had it beat (one instance did produce the correct results), but the redirect behavior is back to misbehaving.

I don't honestly think we're going to beat this thing without the help of clean-up software (or a complete reinstall). I *hope* that the effects of this problem are limited to the above symptoms, and that the app isn't pulling private info off the computer. But I can't verify that without running a clean-up app.

Do these clean-up apps function by locating known trojan horses and viruses, or do they look for trojan-like behavior?

The reason I ask is, if this is a *new* internet problem (and these apps function off known lists or DAT files), they may not find the culprit. If they seek out and identify trojan-like behavior, then any deviant app should be spotted.

I'll check the websites for these apps and see if I can determine how they work.

Thanks again for all of the help.

Wiggum
 

Toejam31

Distinguished
Dec 31, 2007
Spybot (with the latest set of updates) can currently search a system for over 7800 known types of spyware applications that may have accidentally been installed by a user, or managed to install on the system through something like a breach in the browser's security. I've seen that happen, just by accessing a website. No clicking required.

Many of these kinds of applications are unstable, and function in a virus-like manner, such as contacting different areas on the 'Net to send out collected personal information on the user. Identification of the application is crucial, in order to effect a complete removal.

Adaware functions in a similar manner.

For the best results, use both. And it might be a good idea to start recommending to the users in your area that they begin installing and use these utilities on a regular basis; spyware is rapidly becoming a greater threat (and a constant irritation) than spam or viruses.

Neither program is designed to identify or remove trojans or viruses ... this is not their purpose. If you suspect a virus, the best solution would be to either boot the system with an Anti-Virus CD to check the system, or create a bootable floppy disk set with a DOS-based Anti-Virus on another computer, and scan the computer while the operating system is not loaded and running.

Another thought, while I'm on the subject -- check the Windows\Downloaded Program Files folder, and see if any unknown or unusual ActiveX controls have been recently installed on the system.

I might be able to tell you more about the type of spyware or virus that might be inhabiting the system, but first, you'll need to give me more information ... such as, what is the name of the internet plug-in that you discovered, and when the browser is being redirected, what is the URL of the "sinister" search engine? Knowing the characteristics of the problem application in question might have already allowed one of us to come up with the solution you need for complete removal.

Everything is in the details.

Toey
