Solved

Default Browser continually reset after hacking attempt

Posted on 2011-02-15
Last Modified: 2013-12-06
My customer has an issue where the default browser keeps changing to Opera.  Any attempt to change it back (for non-Administrator level users) is instantly undone.

Bear with me on this one, it's long-winded but I want to give you all the full picture:

The machine is running Windows 2003R2 x64 Standard functioning as a Terminal Server for around 50 users.  Yesterday we were alerted to Opera [the web browser] software appearing on the Start Menu.  Whilst looking through logs to see where this came from, we saw a successful login attempt under the Administrator account from an IP address somewhere in Russia.  Knowing this NOT to be any genuine user, I immediately reset all Administrator-level passwords, put a firewall block on the entire IP range the login came from and set about removing Opera.  This was hampered initially by the Add/Remove programs list being completely empty, but I used the Nirsoft tool to uninstall it instead.  As I logged off the Administrator account, a profile error alerted me to a possible virus in the local profile.  An AVG scan (AVG Internet Security v9, loaded and functioning with up-to-date definitions) found a Trojan "PSW.Agent.AKNN" which was quarantined successfully.
Later in the day, the client called to say several users couldn't click on hyperlinks from within Outlook (or other software too).  On investigation, the default browser was set to Opera, which had since been removed, so it generated an error.  When we tried to set the default browser back to IE (using Tools/Internet Options), the setting was accepted but it immediately reverted back to using Opera (even before exiting IE).  The same procedure carried out as Administrator worked, however, and IE remained the default.
I've since scanned the system using AVG (nothing found), run HijackThis (nothing obvious found) and installed Opera again in order to uninstall it, all with no result.  Add/Remove programs is still blank too.
Any help appreciated!
Question by:stevebootes
32 Comments
 
LVL 22

Expert Comment

by:optoma
ID: 34901305
1> Along with scanning with AVG, run these scanners (they run quickly), which will scan for other types of nasties which may be "cloaked" from AV scans.
Save logs if needed.
TdssKiller and Hitmanpro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro

2> add/remove programs>appears blank but can you keep scrolling down + down... Anything at the bottom?

0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34901623
These two earlier threads may help>

add/remove programs list empty win xp:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_22158393.html

Large Empty Gap In The Add/Remove Programs List:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_22017310.html
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 34903859
You might try to run CCleaner. I had a web browser hijack because of a registry key that was left over after a complete AV scan and "clean" of the computer...

Needless to say, I had to resort to a registry cleaner because uninstalling the programs as well as AV and AS cleans didn't remove all the metadata in the registry... Here is the thread where I was having a somewhat similar issue.

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_26497877.html
0
 

Author Comment

by:stevebootes
ID: 34904242
@optoma:
TdsKiller/HitManPro found nothing except cookies.  Add/Remove list is completely empty, not just large amounts of white space - there are no scroll bars.  Nirsoft MyUninstall lists all of the programs correctly and allows uninstall, so data is there in registry ok.
@Jonvee: No -1 settings in registry, no large gap - just nothing. Ran REGSVR32 APPWIZ.CPL - no effect.
@ChiefIT:  CCleaner ran, no effect.

Opera is still being set as the default browser, even though it's been removed.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34904361
Thanks ....well, another option now seems to be to run ComboFix.

If that doesn't resolve it, it's beginning to look as though an XP repair install may be necessary:
http://www.michaelstevenstech.com/XPrepairinstall.htm
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34904422
After consideration, running ComboFix appears to be the next move, particularly as you've already removed a Trojan "PSW.Agent.AKNN".

You can download ComboFix from here, and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

ComboFix must be run in normal mode.
Before using ComboFix, please disable any realtime Anti-virus, Anti-spyware, or Shields that you may have running.
It may also be necessary to rename ComboFix.exe (to Combo-Fix.exe for example), before saving it to your desktop.  

Double click "combofix.exe"(or the renamed ComboFix.exe) and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
Can you post that log here please.
Do not mouseclick Combofix's window while it is running, because it may stall.  

If needed>http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note:  If you have difficulties downloading or running it, try downloading to another machine, then into a USB memory stick or CD.  Rename it and carry to the infected machine.
You can try this key combination to reach a Run box >>
Windows Logo+R: Run dialog box


If that doesn't resolve the 'empty Add/Remove list', let's see if you get further suggestions before moving on to the suggested repair install ....
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34904547
Another idea ...after running ComboFix, but before considering an XP repair, you could try the System File Checker at repairing Add/Remove programs.
If you insert your CD, while simultaneously depressing the Shift key, this will prevent autorun.  Release the key after 10 to 15 seconds.

Start>Run       .. and then type SFC /scannow

http://www.updatexp.com/scannow-sfc.html
0
 

Author Comment

by:stevebootes
ID: 34904603
@Jonvee:
Does combofix even work on Windows 2003R2 x64?
This isn't going to be a thing I can do in the day as there are lots of people using this Terminal Server, and I'd want to be VERY sure that I had an image backup of this machine before I ran that.
I'm also seriously considering restoring the registry back a few days before this happened if I can't get this sorted in the next 8 working hours or so.  It may be quicker than working through these repair and cleanup tools - I'm never 100% convinced you can recover from these things if something has messed up the registry.
I'll see if a simpler (less invasive) solution presents itself during the day, if not I'll progress with this option out of hours.
0
 
LVL 22

Expert Comment

by:optoma
ID: 34905042
Verify you have an up to date backup, image etc... Then restore back prior to when this happened :)
0
 

Author Comment

by:stevebootes
ID: 34905058
@optoma:
Yes, coming to the same conclusion myself.  I can't do anything until tonight anyway, so unless something magical happens before then I think that's what I'll be doing.
0
 
LVL 22

Expert Comment

by:optoma
ID: 34905308
Yes, it'd be a safer route to take. ComboFix isn't recommended to be run on those systems. Some people do, others do not :)
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 34906057
What does this key read?


HKEY_LOCAL_MACHINE
   SOFTWARE
      Clients
         StartMenuInternet
            IEXPLORE.EXE
            BROWSER2.EXE
            BROWSER3.EXE
0
 

Author Comment

by:stevebootes
ID: 34906121
@ChiefIT:

StartMenuInternet
+IEXPLORE.EXE
-OPERA.EXE
 -shell
   -open
     -command
        (Default) REG_SZ "C:\Program Files (x86)\Opera\Opera.exe"
0
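The registry tree quoted above is the machine-wide list of Start Menu browser clients. As an added example (not code from this thread), the PowerShell below audits those registrations in the per-user and machine hives, resolves each client's shell\open\command, and flags any selected client whose executable no longer exists, which is the dangling state described here. It assumes the standard key layout (HKCU\Software\Clients\StartMenuInternet, HKLM\SOFTWARE\Clients\StartMenuInternet, plus the Wow6432Node copy on x64).

```powershell
# Added example: audit StartMenuInternet browser registrations and flag
# a selected default browser whose binary is gone (dangling registration).
# Assumed layout: HKCU entry (per-user default) overrides the HKLM entries.
$roots = @(
    'HKCU:\Software\Clients\StartMenuInternet',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet',
    'HKLM:\SOFTWARE\Wow6432Node\Clients\StartMenuInternet'
)

function Get-BrowserRegistrations {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        # The (Default) value of the parent key names the selected client subkey
        $selected = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).'(default)'
        foreach ($client in Get-ChildItem -Path $root) {
            $cmdKey = Join-Path -Path $client.PSPath -ChildPath 'shell\open\command'
            $cmd = $null
            if (Test-Path -Path $cmdKey) {
                $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
            }
            # Extract the executable: quoted path first, otherwise first token
            $exe = $null
            if ($cmd) {
                if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
                else { $exe = ($cmd -split '\s+')[0] }
            }
            [pscustomobject]@{
                Hive      = $root
                Client    = $client.PSChildName
                Selected  = ($client.PSChildName -eq $selected)
                Command   = $cmd
                ExeExists = $(if ($exe) { Test-Path -LiteralPath $exe } else { $false })
            }
        }
    }
}

$regs = Get-BrowserRegistrations -Roots $roots
$regs | Format-Table -Property Hive, Client, Selected, ExeExists, Command -AutoSize

# A selected client with no binary on disk is the symptom in this thread;
# HKCU entries win over HKLM for the logged-on user, so check both.
$regs | Where-Object { $_.Selected -and -not $_.ExeExists } |
    ForEach-Object { Write-Warning "Dangling default browser: $($_.Client) in $($_.Hive)" }
```

Run it both as the affected non-admin user and as Administrator; a difference in the HKCU rows explains why the revert only affected one class of users.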
 
LVL 5

Expert Comment

by:lscarbor
ID: 34907033
malwarebytes might find it.
malwarebytes.org
download the free one and make sure you update the database.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34914590
MalwareBytes is not designed for Server OS and should not be used on them.

CCleaner is for PCs, not servers.

Piriform have a product designed for servers.
Read about it here:
http://www.piriform.com/business/ccleaner-network-edition

Download free trial here:
http://www.piriform.com/business/ccleaner-network-edition/trial-download

One of the things you will be able to do is 'scrub' the registry and ensure that any residue left over from Opera is completely removed.

As always with CCleaner, click the 'Yes' when it asks if you want to back up your registry.
0
 
LVL 5

Expert Comment

by:lscarbor
ID: 34915461
Malwarebytes has this list of operating systems:
"Operating systems: Windows 2000/XP/2003/Vista/Server 2008/7"
It would be prudent to use the scan and not just remove all. However, it would point you toward the issue.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34915484
@lscarbor,
In my link to the actual Malwarebytes web page, they do not show that list:
http://www.malwarebytes.org/mbam.php

If you have another link, please share it. I love the product, but did not know it could be used on anything but PCs.
0
 
LVL 5

Expert Comment

by:lscarbor
ID: 34915525
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Price: Free; $24.95 to buy (Buy it now) .
Operating system: Windows 2000/XP/2003/Vista/Server 2008/7 .
Date added: December 21, 2010 .
Total Downloads: 60,477,985 .
Downloads last week: 387,960 .

Again, I'd just use the scan, not the remove all.

Has anyone recommended looking at the hosts file?
0
 
LVL 38

Expert Comment

by:younghv
ID: 34915529
I think we need to use the actual information from MalwareBytes and not from a third-party download site.

From MBAM:
Key Features
•Support for Windows 2000, XP, Vista, and 7 (32-bit and 64-bit).
•Operating Systems: Microsoft ® Windows 2000, XP, Vista, 7.
0
 
LVL 5

Expert Comment

by:lscarbor
ID: 34915577
Okay, I agree with you. I sent support a query about it.

Now, how about that hosts file? DNS? Have we tried a ping to see where the query points?  
0
 
LVL 5

Expert Comment

by:lscarbor
ID: 34915603
Here you go. From the forum on Malwarebytes.org :

Will Malwarebytes run on Server 2003?

Yes it will run just fine. Is this a legal and activated version of Windows Server 2003 ?

Ron Lewis
Manager of Online Support



0
 

Accepted Solution

by: stevebootes earned 0 total points
ID: 34915968
Update:
I've solved the original problem - default browser keeps resetting to [non-existent] Opera - by re-installing Internet Explorer 8.  It took a couple of goes: the first time (after a reboot) I had IE6 rather than IE8 (!), the second time the install locked up downloading updates, the third time (after saying no to downloading updates) worked ok.  Browser now stays put at IE8.
I'm still left with the Add/Remove programs empty list (but I can work around that for the time being with Nirsoft MyUninstall which works fine).
I couldn't do a restore last night due to the correct backup tape not being present (and the disk copy not having System State, just files) so that will have to wait until the weekend.  I'm not sure I trust this system now anyway.
I can confirm that ComboFix doesn't run on Windows 2003R2 x64 by the way.

I'll keep this thread updated until the problem is resolved and post the results of the Malwarebytes scan, depending upon whether it runs or not.

0
 
LVL 22

Expert Comment

by:optoma
ID: 34916835
0
 
LVL 38

Expert Comment

by:younghv
ID: 34917264
Here is an actual link to the MBAM forum where the Moderator clarifies a few things.

http://forums.malwarebytes.org/index.php?showtopic=75679&pid=390396&start=&st=#entry390396

0
 
LVL 5

Expert Comment

by:lscarbor
ID: 34918545
Further clarification from Tom Mercado regarding the use of Malwarebytes on servers:
(Note: I asked support to clarify the point that Server 2003 is not on the supported operating systems lists)

"No, it is not. Malwarebytes' Anti-Malware does not 'officially' support any server operating systems.
However, licensed corporate users can get any support they need through the corporate helpdesk. The corporate team has enough experience using it on servers to be able to assist with any issues that arise."

0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34924096
>I can confirm that ComboFix doesn't run on Windows 2003R2 x64<
@ stevebootes:  .... thanks for the confirmation.

@ lscarbor   ...thanks for the clarification.
0
 

Author Comment

by:stevebootes
ID: 34924144
MalwareBytes does run on the server as long as you don't do an update when the setup finishes.  I did that the first time around and it complained (something about the files not being right for this system - not the exact wording).  After removing and reinstalling without running the update afterwards it did run successfully and let me start a scan, though of course the definitions were older than I would have liked (+2 months).
It did find a couple of remnants of items that nothing else did (leftover registry entries mainly), but nothing changed on the system after removing them.

@optoma:
Even after waiting for 4 hours the Add/Remove list didn't update.  There aren't any more files in \Documents and Settings or \Program Files than there were last week.

Registry restore this weekend I think.
0
 
LVL 5

Expert Comment

by:lscarbor
ID: 34925183
Could it be that the hack affected your domain policies?
Shooting from the hip here, but a customer of mine got a hack at home that changed everyone's program access to a non-existent browser--at which point everyone got the error
So, I wonder if the problem is in a policy. No amount of malware removal paid off, the only thing that worked was changing the access.
I know it's not an exact match but . . .
There is a policy for start menu.

>>>For information sake:
>>>This is the location we found that was changed--
>>>'Program Access and Defaults'
>>>(Control Panel, Program Access and Defaults, Custom, then pick IE)

So I wonder if the policy for Start Menu was altered.
(Sorry I don't have the actual setting for policies in hand, but I'll look in policies this AM and see how the setting works.)
0
 
LVL 5

Expert Comment

by:lscarbor
ID: 34925306
This might help as well:
Title:
Set Default Browser via Group Policy / Registry:

http://www.experts-exchange.com/Security/Q_22070471.html
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 34931993
Once you do a repair install, I would consider a good reg cleaner. It appears you have a lot of registry metadata within the registry. I can see that you still have Opera keys within the registry after removing it.
0
 

Author Comment

by:stevebootes
ID: 35067227
Given up on this for the time being.  We have plenty of backups but none with recent system state :-(
System working fine apart from the MS Add/Remove programs list coming up blank but we can work around using NirSoft MyUninstall.
We're considering whether to use the "software" registry node from a 4 month old System State to repair this or whether that's going to cause us more problems than it will solve.
0
 

Author Closing Comment

by:stevebootes
ID: 35115488
Problem was not fully resolved but worked around the original issue by re-installing IE8.
0
