[dba-Tech] Compromised Internet Explorer?

Peter Brawley peter.brawley at earthlink.net
Thu May 5 12:51:39 CDT 2005


Steve, John

I saw something similar with an infected PC running w2k and NAV. The 
only remedy I could find: removed NAV completely (not trivial), ran two 
spyware removers till they each found nothing, ran Grisoft Antivirus 
repeatedly till it found nothing, ran a registry repair utility, and 
installed Firefox as the default browser.

PB

-----

John Bartow wrote:

>Steve,
>Sounds like you've run the gamut! In really bad cases (I've got two sitting
>here now) I run multiple Spyware detectors (after the initial Trend-Micro,
>MS-AS) and then manually remove the detections (if the free version won't do
>it). Panda, CA, X-Cleaner, Norton, F-Secure, Ad-Aware, Spybot S&D, Webroot,
>CheckPoint(Zone Alarm), Aluria. Can all be run one at a time (or many at the
>same) so I just do that while I'm working on other things.
>
>Have you booted into safe mode and tried resetting the windows update
>settings as the administrator account? Also try the repair feature of IE.
>Turn off the software firewall and set the IE settings back to the defaults.
>(I'm assuming you're behind a router/HW firewall.) Try running the updates
>after that. Also try a registry optimizer on it if you have one. Systemworks
>or Vcom, etc. or try http://www.pcpitstop.com/pcpitstop/default.asp if you
>don't.
>
>You could also download the updates from another PC using the Windows Update
>Catalog. I used to make CDs of all the updates once a month or so and then
>use the CD with dial-up customers. It was kind of putsy but better than
>waiting for dialup downloads (Thankfully most of my customers have DSL now!)
>
>Another possible issue - NAV 2005 has some major quirks about it. Up until
>2004 it was my top recommendation for home users (or NIS) but I have run
>into many issues with it and unfortunately Symantec's answer always seems to
>come down to "uninstall all Symantec software and re-install". I would
>suggest uninstalling it. I suggest, if it's OK with your friend, that you try
>AVG or another free for personal use AV. For home users I now recommend
>AVG/Sygate personal firewall and MS-AS (which I don't care for but hey, it's
>free and it works pretty good).
>
>Anyway, there's my 2 scents...
>
>John B.
>
>
>-----Original Message-----
>From: dba-tech-bounces at databaseadvisors.com
>[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Steve Erbach
>Sent: Thursday, May 05, 2005 8:55 AM
>To: Discussion of Hardware and Software issues
>Subject: [dba-Tech] Compromised Internet Explorer?
>
>Dear Group,
>
>I'm working on a PC that belongs to my wife's best friend. I've gone through
>all the standard routines: Trend Micro Housecall on-line virus check,
>Windows System File Checker, update to Windows XP SP2, download and install
>Windows Anti-Spyware Beta, Gibson Research SpinRite 6, update Ad-Aware SE
>and run it, and even repair the Windows XP installation. My only concerns
>with this system are: 1) that Norton Anti-Virus 2005 doesn't start properly
>and I don't have the lady's installation CD; 2) that the ZoneAlarm Pro
>subscription expired almost two years ago; and 3) that the Windows Update
>site doesn't work.
>
>Regarding #3, when I get to the page that says that it checks for the latest
>version of the Windows Update software, there is a flurry of "activity" in
>that the progress bar in IE 6 goes all the way to 100%...but the "checking
>for latest version" screen doesn't go away.
>My suspicion is that IE itself is compromised.
>
>I used an XP SP2 upgrade CD that I have, hoping that it would take care of
>the problem. But after I ran Belarc Advisor and saw that a good dozen of the
>Windows security updates had NOT been installed, I went to the individual
>Microsoft KB articles on the upgrades and clicked on the links to get the
>security update...and each time I was directed to the Windows Update page
>where it doesn't go past the "Checking for the latest version of the Windows
>Update software..."
>stage.
>
>For what it's worth, this copy of IE is "branded" with the original ISP that
>the lady signed up with, Comcast. I see that logo in the upper right-hand
>corner of the IE window instead of the Windows logo.
>
>Something is stopping this PC from being updated in the normal way. I have
>also set the automatic updates option, but when I open the Security Center,
>it shows that the automatic updates option has not been configured. If I
>click on 'Turn on automatic updates,' I see
>this:
>
>"We're sorry. The Security Center could not change your Automatic Updates
>settings. To try changing these settings yourself, go to System in Control
>Panel. On the Automatic Updates tab, select Automatic (recommended), and
>then click OK."
>
>Needless to say, that's how I tried to change the setting. If I go to
>System and look at the Automatic Updates tab, first of all it takes FOREVER
>for the Automatic Updates tab to actually show its information. Last night I
>waited it out. Several minutes went by and then I saw the Update
>information. It was set to Automatic Updates, but I wanted to change the
>time that it would check for updates. So I changed it to 11:00pm and clicked
>Apply. I had to wait another interminable time before I could click OK.
>We're talking 20 minutes or so in total for those two simple acts: click the
>Automatic Updates tab and Apply the new setting.
>
>Clearly something is compromised. If it's Internet Explorer then, what? Do I
>have to re-install Windows from scratch? I would recommend doing that to
>this lady since the drive is formatted as FAT32, not NTFS....but, like, I've
>spent way too much time on this already.
>
>Anybody ever see anything like I've described?
>--
>Regards,
>
>Steve Erbach
>Scientific Marketing
>Neenah, WI
>www.swerbach.com
>Security Page: www.swerbach.com/security
>_______________________________________________
>dba-Tech mailing list
>dba-Tech at databaseadvisors.com
>http://databaseadvisors.com/mailman/listinfo/dba-tech
>Website: http://www.databaseadvisors.com
>


-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.11.5 - Release Date: 5/4/2005



