I've Got Monkeys In My Browser! (picture Hijacking)



#1 mike18xx


Posted 07 February 2008 - 09:09 PM

This little oddity affects only Internet Explorer, IE shell-clones such as SlimBrowser, and open windows which have had URLs dropped into their address fields. Firefox (except for IEtab) is immune. ComboFix has been run, as well as many other utilities, and I've pawed through RegEdit. I've ripped out IE lock, stock and barrel and restarted in SafeMode to kill all the remnants, then reinstalled -- but the monkeys are still there. ...I'm assuming at this point that a default "blank picture frame-space holder" icon/gif/whatever in Windows itself has been replaced, and been given "instructions" somehow to not remove itself when the actual picture begins to load....no?)

The "monkeys" obscure the names of tabs and anything else on a website that is a jpg, gif, png, etc.; and make it impossible to interpret "letter code" graphics. (Hunch: Possibly the doing of a "fake" version of a RapidShare/MegaUpload "queuing" utility such as RapGet or USleecher or ?).

At no time were there any "alerts" from my anti-virus and anti-spyware utilities, and I haven't noticed any other unusual behavior.

"Monkey" or rodent pic (zoomed): [image]

Bleepingcomputer covered with monkeys: [image]

Edited by mike18xx, 07 February 2008 - 09:18 PM.




#2 mike18xx


Posted 08 February 2008 - 06:32 AM

1. Well, it's not something inside the Windows folder, because I replaced that completely with an archive.....

2. Upgrading ie6 to ie7 didn't help.

#3 Orange Blossom


Posted 08 February 2008 - 10:30 AM

Hello mike18xx and welcome to BC :flowers:

What security programs did you run?

Did you run them in Safe Mode?

What is your operating system: Windows XP, Vista etc.?

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 mike18xx


Posted 08 February 2008 - 12:08 PM

1) ComboFix, and: PestPatrol, AVG7.5, Spybot 1.4 (....not exactly powerful, but generally catch most things that aren't zero-day.)
2) Safemode (....F8 is great!)
3) XPproSP2 (....Vista is DRM malware!)

I could toss ya a Hijack report, but really there's nothing on it. This particular machine runs very lean, and I've always been able to clean any messes up on my own. The "monkeys", however, have me stumped, as a Google-hunt is turning up dry. It might help if I knew what that blurry critter actually was...mouse? hamster? gerbil? meerkat? Whatever they are, they're not black-listed yet.

When I said I replaced the OS, the way I did that was to take the drive out and hook it up to the chain in a tower, and swap in a whole backup Windows folder from an archival DVD. The monkeys were still there, however, meaning that they're taking up residence somewhere else in the system that pertains, presumably, to Internet Explorer. If I could get a checklist of every single place in Program Files and Documents and Settings (etc.) that IE touches, then I'd know what to nuke.

What would really be neat: A "clean-slate" wiper utility which would systematically hunt down and gun down every single last bit of Internet Explorer, including registries, and restore it to a particular version number (which the system could then update automatically to the user's tastes). I have the Favorites pulled off the side, but even that's not really important, because the only thing I used MSIE for is on the rare sites that don't work with FireFox, and when I'm running down a list of stuff off RapidShare in "SlimBrowser" (a browser shell for MSIE that supports easy proxy shuffling).

Edited by mike18xx, 08 February 2008 - 12:16 PM.


#5 Orange Blossom


Posted 08 February 2008 - 12:23 PM

1) ComboFix, and: PestPatrol, AVG, Spybot 1.4 (....not exactly powerful, but generally catch most things that aren't zero-day.)


General alert: You should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.
----------
----------

I could toss ya a Hijack report, but really there's nothing on it.


HiJack This logs are to be posted only in the HJT forum, so please do not post one here.
----------
----------
I would like you to try another antispyware program: SUPERAntiSpyware. Please scan with it in Safe Mode and post the log in your next reply.

Download and install SUPERAntiSpyware free found here: http://www.superantispyware.com/superantis...efreevspro.html

Be sure to click on the download button to the left, not on the free trial download on the right.

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
Reboot into Safe Mode
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
To retrieve the removal information for me please do the following:
Reboot into Normal Mode
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
Click close and close again to exit the program.

Please paste the log in your next reply.

Orange Blossom :thumbsup:

#6 M...


Posted 08 February 2008 - 01:47 PM

Hello mike18xx,

This may be way off base, but are you using a neighbor's unsecured wireless connection to the Internet? What you are describing somehow reminded me of a variation of the following:

The "Upside-Down-Ternet" -- or, why you want to be very careful when using someone else's unsecured wireless connection to the Internet:

http://www.ex-parrot.com/~pete/upside-down-ternet.html

#7 mike18xx


Posted 08 February 2008 - 05:46 PM

1. No wireless on this machine. Ever.

2. Super found one thing; I took a look at it before killing it, and it appears to be half a year old judging from the last modification date. Whether it's actually been on the machine for half a year, I dunno.

3. After removing it and restarting in normal mode, I discovered that no version of Internet Explorer could connect (this affects Firefox's IEtab, shell-browsers, and manual attempts to update windows). Every other application I have which connects to the internet is working properly. Upgrading IE6 to IE7 (I have a manual installer) did not restore connectability, nor did manually adding it to Windows firewall exceptions. Restarting a couple times after fiddling with the Network Setup Wizard had no effect.

4. I noticed a new explorer Bookmark, saved and moved to the top of the list. (It was easy to notice because I don't add IE bookmarks, as I prefer Firefox.) This bookmark, and no other bookmark, caused Internet Explorer to crash when I clicked on it. I deleted it, then fished it out of the recycle bin to examine (second cut/paste below). As you note from the first post, I suspect that the monkey/malware was associated with an alleged RapidShare queuing utility. Hopefully the link will provide you with enough clues to verify whether or not that's true.

5. Since I can't get Internet Explorer to open any pages other than its own built-in all-text error page, as of the moment I don't know if the "monkeys" are gone, or still lurking.



==//==



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/08/2008 at 02:19 PM

Application Version : 3.9.1008

Core Rules Database Version : 3398
Trace Rules Database Version: 1390

Scan type : Complete Scan
Total Scan Time : 01:37:02

Memory items scanned : 177
Memory threats detected : 0
Registry items scanned : 5606
Registry threats detected : 0
File items scanned : 30266
File threats detected : 5

Adware.Tracking Cookie
C:\Documents and Settings\win98\Cookies\win98@msnportal.112.2o7[1].txt
C:\Documents and Settings\win98\Cookies\win98@ads.locators[2].txt
C:\Documents and Settings\win98\Cookies\win98@1.adbrite[1].txt
C:\Documents and Settings\win98\Cookies\win98@ad.zanox[1].txt

Trojan.WinUp
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\WIN32.DLL



==//==



[DEFAULT]
BASEURL=http://www.netscape.com/viewstory/2006/09/16/how-to-bypass-rapidshare-download-limits/?url=http%3A%2F%2Ftech-buzz.net%2F2006%2F09%2F11%2Ftricks-to-bypass-rapidshare-download-limits%2F&frame=true
[DOC__fs__right]
BASEURL=http://tech-buzz.net/2006/09/11/tricks-to-bypass-rapidshare-download-limits/
ORIGURL=http://tech-buzz.net/2006/09/11/tricks-to-bypass-rapidshare-download-limits/
[InternetShortcut]
URL=java script:var%20c=0;
Modified=50CD4E0B50C4C70152
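The bookmark dumped above is an IE .url (InternetShortcut) file whose URL= value is "java script:var%20c=0;" rather than a web address. The following is an added example, not code from this thread or from any tool named in it: it parses .url files and flags any favorite whose target scheme, after whitespace is collapsed, is a script or other non-web scheme. The filename "rapidshare-tricks.url", the SAMPLE_FILES contents and the scheme lists are constructed for the example; treating "java script:" as "javascript:" is a deliberate choice here, not a statement about how IE itself parses it.

```python
import re

# Schemes a favorite should never carry, and the ones we accept (assumption).
SCRIPT_SCHEMES = {"javascript", "vbscript", "data"}
WEB_SCHEMES = {"http", "https", "ftp"}


def parse_url_file(text):
    """Minimal INI parser for .url files: {section: {key: value}}, lowercased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def classify_target(url):
    """Return (verdict, normalized_scheme) for the URL= value of a shortcut."""
    raw_scheme = url.split(":", 1)[0] if ":" in url else ""
    # Collapse whitespace so "java script:" is judged as "javascript:" (assumption).
    scheme = re.sub(r"\s+", "", raw_scheme).lower()
    if scheme in SCRIPT_SCHEMES:
        return "script-scheme", scheme
    if scheme in WEB_SCHEMES:
        return "ok", scheme
    return "unknown-scheme", scheme


def audit_favorites(files):
    """files: {filename: contents}. Returns [(filename, verdict, url)] for every non-ok target."""
    findings = []
    for name, text in files.items():
        url = parse_url_file(text).get("internetshortcut", {}).get("url", "")
        verdict, _ = classify_target(url)
        if verdict != "ok":
            findings.append((name, verdict, url))
    return findings


SAMPLE_FILES = {  # constructed samples: one normal favorite, one built from the post above
    "BleepingComputer.url": "[InternetShortcut]\nURL=http://www.bleepingcomputer.com/\n",
    "rapidshare-tricks.url": "[DEFAULT]\nBASEURL=http://tech-buzz.net/2006/09/11/tricks-to-bypass-rapidshare-download-limits/\n[InternetShortcut]\nURL=java script:var%20c=0;\nModified=50CD4E0B50C4C70152\n",
}
```

Running audit_favorites(SAMPLE_FILES) reports only the second file, with verdict "script-scheme"; pointing the same function at the contents of a Favorites folder lists every bookmark worth a closer look.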

#8 Orange Blossom


Posted 08 February 2008 - 10:21 PM

2. Super found one thing; I took a look at it before killing it, and it appears to be half a year old judging from the last modification date. Whether it's actually been on the machine for half a year, I dunno.

3. After removing it and restarting in normal mode, I discovered that no version of Internet Explorer could connect (this affects Firefox's IEtab, shell-browsers, and manual attempts to update windows).


Malware will sometimes change the date of things to make them look legit or older than they actually are.

What do you mean by "killing" the thing SUPERAntiSpyware found? Do you mean that you had it quarantine it? Also, what was that "thing"?

I think what has happened is that a legitimate file of IE was corrupted with the malware and when SAS quarantined it, it caused IE to not work.

To try to fix this first try this:

Start --> Run

In the box type sfc /scannow. Make sure there is a space between the c and the / . The computer will then check for corrupt or missing system files and try to fix or replace them. In order for it to do that, you need to have the I386 folder on your computer. If you don't have one, have your XP disk at hand ready to put in if it asks for it.

Orange Blossom :thumbsup:

#9 mike18xx


Posted 09 February 2008 - 03:37 AM

What do you mean by "killing" the thing SUPERAntiSpyware found? Do you mean that you had it quarantine it? Also, what was that "thing"?

WIN32.DLL; before Super dealt with it, I went to take a peek at it.

sfc /scannow....

Well, I got to watch a progress bar for a bit, and nothing visible happened ... so-? IE still won't connect.

Malware will sometimes change the date of things to make them look legit or older than they actually are.

Actually the same win32.dll was present in my archive copy of a couple months ago, so I'm leaning toward thinking it's just a remnant, and probably has/had nothing to do with the present monkey and IE problems.

Edited by mike18xx, 09 February 2008 - 04:45 AM.


#10 M...


Posted 09 February 2008 - 09:51 AM

mike18xx,

Have you tried starting Internet Explorer 7 with no Add-ons?

Click Start -> All Programs -> Accessories -> System Tools, and then click Internet Explorer (No Add-ons).

#11 mike18xx


Posted 09 February 2008 - 03:05 PM

Internet Explorer (No Add-ons).


That choice does not appear for me in System Tools. (I'm using XPpro; should it w/IE7?)

#12 Orange Blossom


Posted 09 February 2008 - 03:07 PM

That's certainly a good idea to try, though I wonder since IE6 won't connect whether this will work. Unless there were add-ons to IE6 as well causing the problem.

I just noticed something a little 'odd' in the SAS report: the cookies all have "Windows 98" listed in the file path. Did this machine used to have Windows98 on it?

Orange Blossom :thumbsup:

#13 mike18xx


Posted 09 February 2008 - 04:15 PM

I just noticed something a little 'odd' in the SAS report: the cookies all have "Windows 98" listed in the file path. Did this machine used to have Windows98 on it?

Yeah; many, many years ago. "win98" is just the user name (and thus the name of the Doc/set folder), which I never bother to change.

#14 M...


Posted 09 February 2008 - 05:57 PM

I'm using Windows XP Professional with Service Pack 2 and Internet Explorer 7, with all current updates from Microsoft (both required and optional).

I can access the "Start Without Add-ons" variation of Internet Explorer 7 in two ways.

1. Right-click on the Internet Explorer icon on the Desktop and click Start Without Add-ons:

http://img150.imageshack.us/img150/3694/scrn001kh7.png

2. As described before: Start -> All Programs -> Accessories -> System Tools -> Internet Explorer (No Add-ons).

http://img150.imageshack.us/img150/5320/scrn002rq3.png

#15 mike18xx


Posted 09 February 2008 - 07:34 PM

OK, got it launched without Add-Ons.

...still won't connect.



