Lesson learned is worth repeating up top: Do not browse the web with IE under a user context with Administrator privileges.
I normally use Firefox 1.5 as my Internet browser, with JavaScript turned off and no Flash plug-in. However, if I find an amusing or intriguing link on Slashdot, Digg, or Reddit that is highly recommended but requires those features, I’ll use Internet Explorer to peruse the link, because the Flash plug-in and JavaScript work there. Last time I did this (yesterday) I got “hijacked”. I don’t know when it happened. All I know is that sometime later, I got a piece of yellow “toast” popping up in the system tray with a red “X” icon saying, “Windows Firewall has detected that your computer may be under attack”. Now, I don’t use Windows Firewall – it’s turned off. (Call me stupid, but that’s how it is.)
When I clicked on the “system” popup, it took me to a website for “Tesla Plus – top-rated spyware removers”. Ooookay. Doesn’t feel very “Microsoft” to me. When I launch IE again, I notice that my default home page – normally “about:blank” is now set to a fake microsofty-looking search page, with a bunch of additional links at the bottom for Viagra, home shopping, internet music – the usual spam garbage. Oh, and an official-looking link at the top for www.pcadprotector.cc which – surprise, surprise – goes to that Tesla Plus page.
The interesting thing is that it didn’t just change my browser home page preference. This thing changed where “about:blank” actually goes to!
Aiiee. Deep nasty. My browser had been “hijacked”.
After some exploring looking for traces of “pcadprotector” on the web and on my hard drive, I found many articles recommending HijackThis as a detector for browser problems of this nature. It certainly shows up all the possible ways evil programs can get into your system.
HijackThis showed that in addition to the Adobe Acrobat Reader and Java web plug-ins, there was another one that didn’t look familiar: c:\windows\system32\sdkec.exe. The file was dated a few days ago, which seemed odd for a resident of the windows\system32 directory. Upon viewing the contents of the application (via NOTEPAD.EXE – a rough but illuminating method) I found a reference to “pcadprotector”. Busted!
I terminated the process using Task Manager, used HijackThis to remove the extra plug-in reference, and rebooted with a sigh.
Except… it didn’t fix the problem. IE’s home page was still hijacked. I ran HijackThis again, and found that there was another extra plug-in that had taken the place of the first one. This one had a different application file: c:\windows\system32\d3ds32.exe. I repeated the fix process one more time to see if the pattern would repeat itself, and it did. This time: c:\windows\appuw32.exe. Clearly there was another rogue process running on my machine that was creating copies of the hijack with different file names, ensuring that it would always be launched and installed. Ergh.
After a clean reboot, I checked Task Manager again for unfamiliar processes. One was c:\windows\atlue.exe. (At least, that is what it was called on my system, at this time.) I did a Google search for “atlue.exe” and the only hits that came back were from people complaining of spyware problems, so I was pretty sure I’d found the “mother” trojan. I couldn’t terminate this process – I didn’t have permission! (I hate it when that happens.) So I used Process Explorer to examine what DLLs it relied on, and then changed the Windows ACL entry for one of the DLL files so that it couldn’t be executed. After a reboot, it wasn’t running and I was able to delete the atlue.exe file and clean up the plug-in entries one final time using HijackThis.
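The checks described above (a freshly dated executable in the Windows directories, the “pcadprotector” string inside it, and whether it is currently running) as an added PowerShell example that is not part of the original post. The seven-day window and the marker string are assumptions taken from the narrative; the script only reports, it removes nothing.

```powershell
# Added example (not from the original post): list recently written executables in
# the two directories the post names, check whether each is Authenticode-signed,
# grep it for a marker string, and note whether a running process is backed by it.
param(
    [int]$Days = 7,                      # assumption: "dated a few days ago" window
    [string]$Marker = 'pcadprotector'    # the string the post found inside sdkec.exe
)

$dirs   = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))
$cutoff = (Get-Date).AddDays(-$Days)

# Executable path -> PID for every running process (a scripted Task Manager view).
$running = @{}
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |
    ForEach-Object { $running[$_.Path.ToLower()] = $_.Id }

$findings = foreach ($dir in $dirs) {
    Get-ChildItem -Path $dir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Rough but illuminating, as the post puts it: search the binary for the marker.
            $hit = Select-String -Path $_.FullName -Pattern $Marker -SimpleMatch -Quiet
            [pscustomobject]@{
                Path       = $_.FullName
                Written    = $_.LastWriteTime
                Signature  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                MarkerHit  = [bool]$hit
                RunningPid = $running[$_.FullName.ToLower()]
            }
        }
}

$findings | Sort-Object Written -Descending | Format-Table -AutoSize
```

Treat the output as leads rather than verdicts: plenty of legitimate third-party tools are unsigned, so an entry that is both recently written and running is the one to take into Process Explorer, as the post did.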
Moral: Do not browse the web with Internet Explorer under a user context with Administrator privileges. It’s just not safe anymore.
Editor’s Note, August 2020: We’re a long way from 2006 and although web browsing still has various associated risks, we can be thankful that OS and application security improvements over the years have made incidents like this one largely a thing of the past. Also, I use Windows Firewall enabled like any sensible netizen, and have done so since, oh, Windows 7, when it became less intrusive.