
Warning! Death of the Internet as we know it....

Old 12th Apr 2004, 05:51
  #1 (permalink)  
Cunning Artificer
Thread Starter
 
Join Date: Jun 2001
Location: The spiritual home of DeHavilland
Age: 76
Posts: 3,127
Likes: 0
Received 0 Likes on 0 Posts
Beware of Computer Hijackers...

I've just had my PC hijacked while doing some innocent browsing in Google and my PC no longer belongs to me.

To begin, I have an IBM Thinkpad R40 running XP Professional. BlackIce is installed and runs in paranoia mode (because I'm paranoid). Gibson's 'Shields Up' site can't see it, so the stealth presumably works at full strength. My Norton virus definition file was last updated on 07/04/2004 and was set, as usual, to auto-protect mode.

My niece is thinking of taking up a job offer in Qatar so I looked the place up in Google and clicked on the first country information site in the list. Blackice went into an immediate frenzy, so I hit the back button and had a look at the record - something like 23 hits in the time it took from the first audio alarm until getting back to Google. No harm seemed done and all hits were indicated as blocked so I continued the session and shut down when finished. Next day when I fired up the PC I found that I couldn't sign in. Three shots at my password and then I was locked out, so I shut down and tried starting up again. This time my name had disappeared from the list of users and was replaced with an anonymous Administrator account. I logged in as administrator without needing a password and the PC booted to a blank desktop with only three icons - IE, Trash and My PC. I went into control panel, turned off system restore and ran a virus check - nothing found. I then reset system restore, and did a restore that brought me back to 25 March. Upon rebooting, my account appeared as usual and I logged in successfully using my old password. Then I tried resetting my password, but a message says that my new password doesn't meet the password criteria, although it clearly does - ten characters including upper and lower case, numbers and symbols. I tried different combinations all to the same effect; I cannot change my password. After shutting down the PC and rebooting again I found myself back to square one - user name missing from the user list and replaced by an anonymous Administrator account which requires no password. Leaving the password blank, I logged in and repeated the above process - with the same result.

Someone else now 'owns' my pooter and I can't safely use it on the internet any more. The paranoid firewall was useless and so was the bang up-to-date virus protection. Does anybody have any idea what is happening? Visit an innocent looking site, and bang! - your computer is no longer yours to play with. If hackers can so easily work around firewalls and virus protection the Internet seems far too dangerous a place to be anymore....

Does this mark the end of the Internet as we know it?

Last edited by Blacksheep; 12th Apr 2004 at 08:12.
Blacksheep is offline  
Old 12th Apr 2004, 08:01
  #2 (permalink)  
 
Join Date: Jul 2000
Location: The Daylight Saving Free Zone
Posts: 733
Likes: 0
Received 0 Likes on 0 Posts
Sorry I can't offer any advice Blacksheep but I did read somewhere very recently that hackers etc have been using Google to obtain website codes which enables them to embed nasties into those sites.
I don't know how you can protect your PC from such attacks.
sprocket is offline  
Old 12th Apr 2004, 08:21
  #3 (permalink)  
Cunning Artificer
Thread Starter
 
Join Date: Jun 2001
Location: The spiritual home of DeHavilland
Age: 76
Posts: 3,127
Likes: 0
Received 0 Likes on 0 Posts

It's nothing that a reformat and reload of the O/S and applications won't fix, sprocket - all my data is backed up externally on CD anyway. The problem is that firewalls and virus protection systems seem to be no longer any use. The morons are attacking directly, infecting the site code itself; code that our browsers necessarily have permission to import into our computers. There is no longer any such thing as a safe site - by the way, I even have java disabled so I don't think that the guilty code was embedded in java script. There was an image file on the site - a map of the country - and it was when the map was downloading that the alarms went off. That may be a clue...
Blacksheep is offline  
Old 12th Apr 2004, 10:13
  #4 (permalink)  
 
Join Date: Jan 2004
Location: Bracknell UK
Posts: 357
Likes: 0
Received 0 Likes on 0 Posts
Hi Blacksheep,

EDIT: Can you PM me the URL for that site please, if you can remember it?

Have a look for a file called msg120.dll or msg121.dll or msg122.dll. Usually it'll be found in C:\Windows\System32\...

It's a new one that strips admin privileges, and a colleague at another site is working on a resolution for 122 as we speak. If it's one of the earlier ones, it's fixable now.

You'll need to unhide files by double clicking on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.

If it's not that, then please send me a HJT log, and I'll check it out. One C&P coming up.. :)

Please download 'Hijack This!' from here, unzip, and place it in its own folder (not in the temp folder), double-click HijackThis.exe, and hit "Scan". When the scan is finished, click "Save Log", and copy and paste it in a PM to me.

This will give me a rundown of what’s going on in your PC. Don’t fix anything yourself yet, as a lot of the stuff on that list will be harmless or required.

Cheers

Liam
---------------------------------------------------------------------------------
A member of the Alliance of Security Analysis Professionals since 2004.

Last edited by E-Liam; 12th Apr 2004 at 17:32.
E-Liam is offline  
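
The file check described in the post above can also be scripted. This is an added example, not part of the original post; it assumes PowerShell 4 or later on a current Windows system and searches the whole System32 tree for the three file names given in the post, including files marked Hidden or System.

```powershell
# File names taken from the post above.
$names = 'msg120.dll', 'msg121.dll', 'msg122.dll'

# Assumption: search the System32 tree recursively.
$root = Join-Path $env:SystemRoot 'System32'

# -Force includes Hidden and System files, which Explorer hides by default.
$hits = Get-ChildItem -Path $root -Include $names -Recurse -Force -File `
        -ErrorAction SilentlyContinue

if (-not $hits) {
    Write-Output "No matching files found under $root"
} else {
    $hits | ForEach-Object {
        # Signature status and hash help when reporting the file to an analyst.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path       = $_.FullName
            Attributes = $_.Attributes
            Created    = $_.CreationTime
            Modified   = $_.LastWriteTime
            SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signature  = $sig.Status
        }
    } | Format-List
}
```

The script only reports what it finds; it does not delete or change anything.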
Old 12th Apr 2004, 17:13
  #5 (permalink)  
 
Join Date: Sep 2000
Location: England
Posts: 303
Likes: 0
Received 0 Likes on 0 Posts
McAfee v8

Had something similar happen when I activated the PRIVACY SERVICE that comes with McAfee 8. The World as I'd known it suddenly changed, I had a split personality and two users (plus a requirement to satisfy numerous onboard protesting pop-ups (i.e. not web-based but installed programs that had suddenly had an identity failure or felt suddenly alienated or disenfranchised)).

In fact McAfee 8 has so many inbuilt fiascoes that you can waste days trying to track down their unpublicised hotfixes and apply them. (The inability to send email attachments from Outlook or OE has been going on now for over 8 months.) Only Mandrake can locate the hotfix (and that is a debilitating workaround only).

The rest of the McAfee alienation story is too long to tell here. Check the Forums for unhappy punters.
TheShadow is offline  
Old 13th Apr 2004, 00:24
  #6 (permalink)  
Cunning Artificer
Thread Starter
 
Join Date: Jun 2001
Location: The spiritual home of DeHavilland
Age: 76
Posts: 3,127
Likes: 0
Received 0 Likes on 0 Posts
Thanks for the info E-Liam. I haven't had a chance to touch anything yet and I suppose the IE History file will still be there. Also the Blackice log contains the IP address that the attack seemed to originate from. I'll have a look tonight and get back to you through a PM.

Cheers...

BTW, after reading all that stuff on the HijackThis info page, I haven't checked back with my IE Browser so I don't know if it's been hijacked to some other home page or if any changes were made to my Favourites list. I'll probably still have the original code for the guilty website page in my Temporary internet files if it's any use to you. My gut reaction is to simply reformat and start again but I'm happy to keep the laptop in its present condition for a while if it can help with eliminating the problem for others.

It also seems to mean that such damage to my operating system would be actionable if the perpetrators could ever be tracked down. I'd love to have a chance to financially ruin one of these b*st*trds!!!

Last edited by Blacksheep; 13th Apr 2004 at 00:58.
Blacksheep is offline  
Old 14th Apr 2004, 00:32
  #7 (permalink)  
Too mean to buy a long personal title
 
Join Date: Aug 2002
Location: UK
Posts: 1,968
Received 6 Likes on 4 Posts
I know it's too late for Blacksheep's problem, which is a shocking and unsettling tale, but will Microsoft's raft of security updates yesterday (13 April) do anything to help with this? KB828741, KB835732 and KB837001 for Windows XP and KB831167 for IE6, which are all downloading onto my computer now.
Globaliser is online now  
Old 14th Apr 2004, 01:29
  #8 (permalink)  
 
Join Date: Jul 2002
Location: CYYC
Posts: 410
Likes: 0
Received 0 Likes on 0 Posts
Blacksheep,

Try Mozilla, or Mozilla Firefox for a web browser when you have things cleaned up or reinstalled. They may not be perfectly secure themselves, but are far better than IE when it comes to allowing websites to run code at random on your machine. I only use IE for the Windows and Office update sites, and sites I know for sure are safe. So far no trouble.

goates
goates is offline  
Old 14th Apr 2004, 03:13
  #9 (permalink)  
Cunning Artificer
Thread Starter
 
Join Date: Jun 2001
Location: The spiritual home of DeHavilland
Age: 76
Posts: 3,127
Likes: 0
Received 0 Likes on 0 Posts
Thanks goates,

I've looked at what was happening at the time of the hit and it looks like the culprit was a *.js file - Java script. I run IE with Java disabled but unfortunately, disabling Java doesn't seem to be a defence.

As to switching browsers, I still think that using a Microsoft machine on the internet is no longer an option and I have an old P2 desktop that's not doing much. In future I'll convert it to Linux and use that one for internet work and keep the laptop off-line for private use.

I was playing with some splendid Mac machines last month when I was on UK leave - I especially liked the futuristic 24 inch wide screen model that even a blind old bat like me can see clearly. The quality just stands out, even in the graphics. I guess the future is predicted in that old adage -

with an Apple you may, keep PC Doctor away.
Blacksheep is offline  
Old 14th Apr 2004, 05:25
  #10 (permalink)  
 
Join Date: Jul 2002
Location: CYYC
Posts: 410
Likes: 0
Received 0 Likes on 0 Posts
Blacksheep,

Just curious, did you have Java disabled or JavaScript? They are two different things. JavaScript is far more dangerous in IE than other browsers. Microsoft likes to add features that make it easy to create fancy websites with all kinds of interactive content etc. They do the same with Outlook and Outlook Express, although Outlook 2003 looks to be better so far. This makes it much easier for virus writers to take over your computer.

Mozilla and Mozilla Firefox are designed to just display web pages and don't have the many extra scripting abilities (or security holes as some might call them) that IE has.

Then again, if you have the money, get a Mac. They are much nicer to work with if they have the programs you need. Linux isn't bad either, it just takes a little more knowledge and experience to maintain. Just be aware that they too can be susceptible to similar attacks, although it's far less likely to cause as much trouble.

goates
goates is offline  
Old 20th Apr 2004, 04:23
  #11 (permalink)  
 
Join Date: Feb 2000
Location: asia
Posts: 542
Likes: 0
Received 0 Likes on 0 Posts
Any further update bs?
stickyb is offline  
