• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.
  • Welcome to Free PC Help, a free PC Help forum to get help with your computer problems.

    Free PC Help is a community that offers free computer help and support for all users, all ages, worldwide.

    In order to start asking questions or contribute on someone else's post you will first need to register. Don't worry - it's quick and easy and once you have registered you will have instant access to the entire forum.

    If you do decide to join the forums you will not have the option to send Private Messages [ PMs ] or add a Signature until you have made 5 posts or more. This is an attempt to try to stop Spammers using the PM system or adding links to their Signature.

Strange Browser Hijacking +

pseudo_cool

FPCH New Member
Joined
Jan 7, 2007
Messages
3
#1
About two weeks ago after arriving home from vacation I noticed in the user drop down box of the chat client I use a foreign handle. It didn' belong to me or the other user of my computer so of course this led me to the suspicion that my computer had been compromised. I am a very security conscious person and take all the standard precautions. Firewall ( kerio ) router (cisco 1200 series). I also use a custom configured ids along with kernel level rootkit detector. Even after all these measures it seems that I have fallen victim to the nocturnal wiles of Mr. Blackhat. Most likely through some sort of IE bug. Despite my insistence for my girlfriend to use firefox she refuses. I know that firefox has recently been proven to have many of its own faults but I took steps to prevent atleast the known bugs from being exploited. There are so many holes in the ms browser thats its near impossible to stay on top of it. Anyhow now that I have given you a short history I will move into the symptoms which the subject of this post suggest.

Originally when I first was compromised I found a basic server for a primitive essentially reverse connect cmd shell and a remote keylogger injected into svchost.exe. I removed these infections. I do not believe that I am currently the host of a pc voyeur but I do believe he has left something adulterated on my pc.

The chat handle that did not belong had been added to the user list of both the first party yahoo instant messenger chat client and a third party client yahelite. The screen named ended in _(shellcode adress) . Where shellcode address was "0x0045e000". In addition I noticed that any time I started a chat program yahoo, yahelite, live messenger that when I opened my browser I would have one of three things happen to me. I would see in plain black text do you Yahoo? or I would be shown a fictitious cpanel login or I would be redirected to a random webpage.
These symptoms lead me to believe that some module loaded by these applications is loading an additional un wanted process into memory.

What can I do to locate this compromised .dll and cleanse it of this nuisance code? Icesword was my first thought however it can be more than timely using it. Does any one have a more efficient method of finding suspect code like this?

I have already examined hosts and lmhosts and checked for other standard browser hijackers using hijackthis.


Thanks alot for your time
 

Jamey

FPCH Member
Joined
Jan 21, 2006
Messages
333
Location
Telford, UK
#2
I think the best idea is to perform a clean reinstallation of Windows. Or, uninstall all of these messaging applications and then run a plethora of malware detection tools on your system in safe mode. There's no point in spending all that time trawling through various DLLs and so on trying to find malicious code. It is simpler to just wipe it out and reinstall with fresh.

Even though you employ arguably good security techniques, you are clearly skipping an essential one: Running as non administrator.
 

andyf1805

FPCH New Member
Joined
Apr 8, 2007
Messages
1
#3
Dear Sir,
I would like You to help me in this Malicious Problem with my Internet (BSNL Broadband DataOne)
I Use a:
Smart AX MT882
Intel Desktop Board D915GAV

Sir. My problem is that suddenly my internet connection gets restarted or disconnected
And after this my songs wont play on any player i.e. WMP 11, WinAmp
WMP11 prompts me a message stating that I have a problem with my sound card
But only my songs won’t play but other sounds like a mouse click and other default sounds play but the audio files wont
This problem persists until I restart my system .
Afterwards also when I connect to the internet its happens again

Sir plz reply back with a suitable solution at your nearest convenience
Thanking you
ANdrew