I’ve Been Hijacked, Again

So, after 4 years or so of being error free and thinking I was protected (I do, after all, run a web site devoted to teaching people how to protect themselves against Identity Theft), my laptop has been hijacked.
I thought other people might be interested in my process for getting rid of stuff from my computer. So I’ve included helpful links to the free software I use in this post.
Here’s how my computer got hijacked:
“Hey Jonathan, you have a great web site. We’ve already linked to you from www.DorksWhoHijackedMyBrowser.com (not the actual address they used) and we’d like you to link back to us.”
Well, I wanted to check out their site first (otherwise I’d be sending you along to junk that could infect your computer…)
So I clicked… landed on the web site, and WHAMMO!
Spybot Resident (free software I use in the background on my computer) starts going CRAZY and blocking tons of stuff that’s trying to change my system registry.
I couldn’t believe how quickly it happened, but with all the stuff hitting my computer at the same time, something got through. (Actually, a lot of stuff got through.)
So, I’ve run:
Spybot
CWShredder
Ad Aware
ComboFix
I’ve run ComboFix in SafeMode and Spybot in SafeMode.
I’ve downloaded Windows Malicious Software Removal Tool and gotten all the latest updates from Microsoft.
Every program has gotten rid of a variety of stuff running on my laptop, which is a good thing.
However, there’s still something running.
I finally resorted to HiJackThis (NOTE: do not use unless you know what you’re doing or will post to a web site where someone does know what they’re doing), which I ran in normal mode, and then in safe mode.
There is a process I can’t block or stop from running which I can’t figure out.
The reason I know something is still running is because Internet Explorer and Firefox both take a LONG time to open, and about every 6th click on a search result from Google lands me on a page that’s not actually what Google is showing.
I posted the HJT log to www.BleepingComputer.com, but so far no response to my post.
Here’s what I’ve got:
4/14/2009 1:34:27 PM Allowed (based on user decision) value “{CFBFAE00-17A6-11D0-99CB-00C04FD64497}” (new data: “”) added in Internet Explorer searches!
4/15/2009 12:33:20 AM Allowed (based on user decision) value “BootExecute” (new data: “autocheck autochk *
lsdelete
“) changed in Session manager!
4/15/2009 9:53:14 AM Denied (based on user blacklist) value “Qbihasamoqixate” (new data: “rundll32.exe “C:\WINDOWS\ifizuhifucize.dll”,e”) added in System Startup global entry!
I denied the process for ifizuhifucize.dll, but it’s running and I don’t know how to block/remove it (or what it’s doing).
Anyone have any suggestions?
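The three Spybot Resident lines quoted above are the most useful evidence in the post: they show which registry locations were written, and the last one is a startup entry that uses rundll32.exe to load a DLL dropped directly into C:\WINDOWS. The following script is an added example, not code from the post or from Spybot; it parses log records in that shape (the record format is inferred from the three lines quoted above, and the sample log below is constructed from them), handles the multi-line BootExecute record by splitting on timestamps rather than on line breaks, and flags writes to autostart locations. The heuristics (rundll32 loading a DLL, a DLL sitting in the Windows directory root) are the author's assumptions about what a responder would want highlighted, and the "Denied" note reflects the point the post itself runs into: Spybot refusing the registry write does not remove the DLL from disk, so the file path still needs to be tracked down.

```python
import re
from dataclasses import dataclass

# Constructed sample input: Spybot S&D Resident records in the shape the post quotes
# (timestamps, CLSID and DLL name taken from the post's own excerpt). The BootExecute
# record spans three lines because the value's data contains newlines, which is why
# records are split on a leading timestamp rather than on line breaks.
SAMPLE_LOG = (
    '4/14/2009 1:34:27 PM Allowed (based on user decision) value '
    '"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (new data: "") '
    'added in Internet Explorer searches!\n'
    '4/15/2009 12:33:20 AM Allowed (based on user decision) value "BootExecute" '
    '(new data: "autocheck autochk *\nlsdelete\n") changed in Session manager!\n'
    '4/15/2009 9:53:14 AM Denied (based on user blacklist) value "Qbihasamoqixate" '
    '(new data: "rundll32.exe "C:\\WINDOWS\\ifizuhifucize.dll",e") '
    'added in System Startup global entry!\n'
)

# A record starts at a line that begins with a US-style timestamp.
RECORD_START = re.compile(r'^(?=\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M )', re.M)
# Record layout inferred from the quoted lines (assumption, not Spybot's documented grammar).
RECORD = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<verdict>Allowed|Denied) \((?P<basis>[^)]*)\) '
    r'value "(?P<name>[^"]*)" \(new data: "(?P<data>.*)"\) '
    r'(?P<action>added|changed|removed) in (?P<location>.+?)!\s*$',
    re.S,
)
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\n,]+')
RUNDLL = re.compile(r'\brundll32(?:\.exe)?\b', re.I)
# Registry locations that run code at boot/logon (assumed list for this example).
AUTOSTART_LOCATIONS = ("System Startup", "Session manager")


@dataclass
class Event:
    ts: str
    verdict: str
    basis: str
    name: str
    data: str
    action: str
    location: str


@dataclass
class Finding:
    event: Event
    paths: list
    reasons: list


def _records(text):
    """Yield one raw record per timestamp, so multi-line data stays together."""
    starts = [m.start() for m in RECORD_START.finditer(text)]
    for i, s in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        yield text[s:end].strip()


def parse_spybot_log(text):
    """Parse Resident log text (curly quotes from a pasted log are normalised)."""
    text = text.translate(str.maketrans({'\u201c': '"', '\u201d': '"'}))
    events = []
    for raw in _records(text):
        m = RECORD.match(raw)
        if m:  # unrecognised lines are skipped rather than guessed at
            events.append(Event(**m.groupdict()))
    return events


def suspicious_autostarts(events):
    """Return findings for every write to an autostart location, with reasons."""
    findings = []
    for ev in events:
        if not (any(loc in ev.location for loc in AUTOSTART_LOCATIONS) or ev.name == "BootExecute"):
            continue
        reasons = [f"writes an autostart location ({ev.location})"]
        paths = WIN_PATH.findall(ev.data)
        if RUNDLL.search(ev.data):
            reasons.append("rundll32.exe used to load a DLL, so the payload runs under a legitimate Windows binary")
        for p in paths:
            low = p.lower()
            # A DLL directly under C:\WINDOWS (not System32) is unusual and worth a look.
            if low.startswith("c:\\windows\\") and low.endswith(".dll") and p.count("\\") == 2:
                reasons.append(f"DLL placed directly in the Windows directory: {p}")
        if ev.verdict == "Denied":
            reasons.append("registry write was denied, but any file on disk is untouched and should be located and quarantined")
        findings.append(Finding(ev, paths, reasons))
    return findings


if __name__ == "__main__":
    for f in suspicious_autostarts(parse_spybot_log(SAMPLE_LOG)):
        print(f"{f.event.ts} {f.event.verdict}: value {f.event.name!r} in {f.event.location}")
        for r in f.reasons:
            print("   -", r)
        for p in f.paths:
            print("   file to check:", p)
```

Running it on the constructed sample reports the BootExecute change (a user-allowed entry, still worth knowing about) and the Qbihasamoqixate startup value, with C:\WINDOWS\ifizuhifucize.dll listed as the file to check; the Internet Explorer search CLSID is parsed but not flagged, since it is not an autostart location.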


This is a highly basic and mildly boring, but good overview of how spyware ends up on your computer.

One Response to “I’ve Been Hijacked, Again”

  1. Kevin Says:

    Hey there. I just signed up for your site this morning (9:50 EST 5.2.09) and I think I can help you with this malware issue.
    This information involves editing the registry so be very careful.
    You’ll need a couple of tools to start with. The Sysinternals Suite from Microsoft Technet, for one. Once you download that, run the component called “RootkitRevealer” and identify the registry keys and files that aren’t visible to Windows.
    Next, edit the registry to remove them, and, here’s a catch that not many people are aware of: Registry keys can have permissions just like files. The regedit program can’t change those permissions, but regedt32 (standard in Windows, just like regedit) can. I’ll bet, if you find those keys with regedit and try to delete them, you’ll get an ‘access denied’ error, so use regedt32 to change the permissions and delete the keys. Giving “everyone” “full control” is sufficient to accomplish this process.
    Next, you may have to download a program called regdelnull to remove registry keys that have a null value. Standard tools won’t touch those keys and they are frequently used to hook an operating system.
    At that point, you should be able to boot without the offender running, but I’d also suggest running “procmon” from the Sysinternals tools for a while to make sure that you’ve killed the bug completely. Procmon can affect system performance, so it’s not something to run all the time, but if you want a detailed report of all the system processes, what they’re doing, what ports they’re opening, file paths, and command lines, it’s definitely the way to go.
    Hope this helps.