Solved

Default Browser continually reset after hacking attempt

Posted on 2011-02-15
32
872 Views
Last Modified: 2013-12-06
My customer has an issue where the default browser keeps changing to Opera.  Any attempt to change it back (for non-Administrator level users) is instantly undone.

Bear with me on this one, it's long-winded but I want to give you all the full picture:

The machine is running Windows 2003R2 x64 Standard functioning as a Terminal Server for around 50 users.  Yesterday we were alerted to Opera [the web browser] software appearing on the Start Menu.  Whilst looking through logs to see where this came from, we saw a successful login attempt under the Administrator account from an IP address somewhere in Russia.  Knowing this NOT to be any genuine user, I immediately: Reset all Administrator-level passwords, put a firewall block on the entire IP range the login came from and set about removing Opera.  This was hampered initially by the Add/Remove programs list being completely empty, but used the Nirsoft tool to uninstall it instead.  As I logged off the Administrator account, a profile error alerted me to a possible virus in the local profile.  An AVG scan (AVG Internet Security v9 loaded and functioning, with up-to-date definitions) found a Trojan "PSW.Agent.AKNN" which was quarantined successfully.
Later in the day, the client called to say several users couldn't click on hyperlinks from within Outlook (or other software too).  On investigation, the default browser was set to Opera, which had since been removed so generated an error.  When we tried to set the default browser back to IE (using Tools/Internet Options), the setting was accepted but it immediately reverted back to using Opera (even before exiting IE).  The same procedure carried out as Administrator worked however and IE remained the default.
I've since scanned the system using AVG (nothing found), ran Hijack This (nothing obvious found) and installed Opera again in order to uninstall it, all with no result.  Add/Remove programs is still blank too.
Any help appreciated!
0
Comment
Question by:stevebootes
  • 8
  • 8
  • 5
  • +3
32 Comments
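The question above describes finding a successful Administrator logon from a foreign address in the server's logs. The following is an added example, not code from the thread or from any poster, showing how to pull that information out of the Windows Server 2003 Security log in a repeatable way: it parses the message body of a "Successful Logon" event (ID 528 for interactive/RDP logons, 540 for network logons), extracts the account, logon type and Source Network Address, and flags logons that did not come from private address space. The sample event text, the host name TS01 and the address 203.0.113.45 (a documentation range) are constructed for this example; the function and field names are this example's own.

```powershell
# Added example (not from the thread): triage Server 2003 Security log logon
# events and flag successful logons from non-private source addresses.
# Written for PowerShell 2.0, which is what a Server 2003 R2 box can run.

function Get-EventField {
    param([string]$Message, [string]$Label)
    # Fields in 528/540 messages are one per line: "<Label>:<tab><value>".
    # Anchoring at the start of the line keeps "Domain" from matching
    # "Caller Domain" and "User Name" from matching "Caller User Name".
    $pattern = '(?m)^\s*' + [regex]::Escape($Label) + ':\s*(.*?)\s*$'
    if ($Message -match $pattern) { return $matches[1] }
    return $null
}

function ConvertFrom-LogonEvent {
    param([string]$Message, [datetime]$Time = (Get-Date))
    New-Object PSObject -Property @{
        Time      = $Time
        User      = Get-EventField $Message 'User Name'
        Domain    = Get-EventField $Message 'Domain'
        LogonType = Get-EventField $Message 'Logon Type'   # 10 = RDP/Terminal Services
        Source    = Get-EventField $Message 'Source Network Address'
    }
}

function Test-PrivateAddress {
    param([string]$Address)
    # RFC 1918 ranges, loopback, and the "-" placeholder the event carries
    # when no network address applies (console and some service logons).
    return [bool]($Address -match '^(-|127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)')
}

function Get-ExternalLogons {
    # Live query for the real server (not run here): successful logons in the
    # last N days whose source address is outside private space. EventID is
    # filtered client-side rather than via -InstanceId so the classic-event
    # qualifier bits cannot hide matches.
    param([int]$Days = 7)
    Get-EventLog -LogName Security -After (Get-Date).AddDays(-$Days) |
        Where-Object { $_.EventID -eq 528 -or $_.EventID -eq 540 } |
        ForEach-Object { ConvertFrom-LogonEvent $_.Message $_.TimeGenerated } |
        Where-Object { $_.Source -and -not (Test-PrivateAddress $_.Source) } |
        Sort-Object Time
}

# Constructed sample, shaped like an Event ID 528 message body on Server 2003.
$sampleMessage = @'
Successful Logon:
    User Name:  Administrator
    Domain:     TS01
    Logon ID:   (0x0,0x1A2B3C)
    Logon Type: 10
    Logon Process:  User32
    Authentication Package: Negotiate
    Workstation Name:   TS01
    Logon GUID: -
    Caller User Name:   TS01$
    Caller Domain:  WORKGROUP
    Caller Logon ID:    (0x0,0x3E7)
    Caller Process ID: 1234
    Transited Services: -
    Source Network Address: 203.0.113.45
    Source Port:    1077
'@

$parsed = ConvertFrom-LogonEvent $sampleMessage
if (-not (Test-PrivateAddress $parsed.Source)) {
    "External logon: {0}\{1} (type {2}) from {3}" -f $parsed.Domain, $parsed.User, $parsed.LogonType, $parsed.Source
}
# Prints: External logon: TS01\Administrator (type 10) from 203.0.113.45
```

On the live server, `Get-ExternalLogons 7 | Format-Table Time, Domain, User, LogonType, Source -AutoSize` gives the list to compare against the firewall block and the password reset the question describes. Run it from a copy of the log if possible: the Security log on a busy Terminal Server wraps quickly, so export it (Event Viewer, Save Log File As) before it overwrites the logons you want to keep as evidence.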
 
LVL 22

Expert Comment

by:optoma
1>Along with scanning with AVG run these scanners (they run quickly) which will scan for other types of nasties which may be "cloaked" from AV scans.
Save logs if needed.
TdssKiller and Hitmanpro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro

2> add/remove programs>appears blank but can you keep scrolling down + down... Anything at the bottom?

0
 
LVL 27

Expert Comment

by:Jonvee
These two earlier threads may help>

add/remove programs list empty win xp:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_22158393.html

Large Empty Gap In The Add/Remove Programs List:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_22017310.html
0
 
LVL 38

Expert Comment

by:ChiefIT
You might try to run CCleaner. I had a web browser hijack because of a registry key that was left over after a complete AV scan and "clean" of the computer...

Needless to say, I had to resort to a registry cleaner because uninstalling the programs as well as AV and AS cleans didn't remove all the metadata in the registry... Here is the thread where I was having a somewhat similar issue.

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_26497877.html
0
 

Author Comment

by:stevebootes
@optoma:
TdsKiller/HitManPro found nothing except cookies.  Add/Remove list is completely empty, not just large amounts of white space - there are no scroll bars.  Nirsoft MyUninstall lists all of the programs correctly and allows uninstall, so data is there in registry ok.
@Jonvee: No -1 settings in registry, no large gap - just nothing. Ran REGSVR32 APPWIZ.CPL - no effect.
@ChiefIT:  CCleaner ran, no effect.

Opera is still being set as the default browser, even though it's been removed.
0
 
LVL 27

Expert Comment

by:Jonvee
Thanks ....well, another option now seems to be to run ComboFix.

If that doesn't resolve it, it's beginning to look as though an XP repair install may be necessary:
http://www.michaelstevenstech.com/XPrepairinstall.htm
0
 
LVL 27

Expert Comment

by:Jonvee
After consideration, running ComboFix appears to be the next move, particularly as you've already removed a Trojan "PSW.Agent.AKNN".

You can download ComboFix from here, and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

ComboFix must be run in normal mode.
Before using ComboFix, please disable any realtime Anti-virus, Anti-spyware, or Shields that you may have running.
It may also be necessary to rename ComboFix.exe (to Combo-Fix.exe for example), before saving it to your desktop.  

Double click "combofix.exe"(or the renamed ComboFix.exe) and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
Can you post that log here please.
Do not mouseclick Combofix's window while it is running, because it may stall.  

If needed>http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note:  If you have difficulties downloading or running it, try downloading to another machine, then into a USB memory stick or CD.  Rename it and carry to the infected machine.
You can try this key combination to reach a Run box >>
Windows Logo+R: Run dialog box


If that doesn't resolve the 'empty Add/Remove list', let's see if you get further suggestions, before moving on to the suggested repair install ....
0
 
LVL 27

Expert Comment

by:Jonvee
Another idea ...after running ComboFix, but before considering an XP repair, you could try the System File Checker at repairing Add/Remove programs.
If you insert your CD, while simultaneously depressing the Shift key, this will prevent autorun.  Release the key after 10 to 15 seconds.

Start>Run       .. and then type SFC /scannow

http://www.updatexp.com/scannow-sfc.html
0
 

Author Comment

by:stevebootes
@Jonvee:
Does combofix even work on Windows 2003R2 x64?
This isn't going to be a thing I can do in the day as there are lots of people using this Terminal Server, and I'd want to be VERY sure that I had an image backup of this machine before I ran that.
I'm also seriously considering restoring the registry back a few days before this happened if I can't get this sorted in the next 8 working hours or so.  It may be quicker than working through these repair and cleanup tools - I'm never 100% convinced you can recover from these things if something has messed up the registry.
I'll see if a simpler (less invasive) solution presents itself during the day, if not I'll progress with this option out of hours.
0
 
LVL 22

Expert Comment

by:optoma
Verify you have an up to date backup, image etc... Then restore back prior to when this happened :)
0
 

Author Comment

by:stevebootes
@optoma:
Yes, coming to the same conclusion myself.  I can't do anything until tonight anyway, so unless something magical happens before then I think that's what I'll be doing.
0
 
LVL 22

Expert Comment

by:optoma
Yes, it'd be a safer route to take. ComboFix isn't recommended to be run on those systems. Some people do, others do not :)
0
 
LVL 38

Expert Comment

by:ChiefIT
What does this key read?


HKEY_LOCAL_MACHINE
   SOFTWARE
      Clients
         StartMenuInternet
            IEXPLORE.EXE
            BROWSER2.EXE
            BROWSER3.EXE
0
 

Author Comment

by:stevebootes
@ChiefIT:

StartMenuInternet
+IEXPLORE.EXE
-OPERA.EXE
 -shell
   -open
     -command
        (Default) REG_SZ "C:\Program Files (x86)\Opera\Opera.exe"
0
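The registry listing above shows the core of the problem: an OPERA.EXE client still registered under HKLM\SOFTWARE\Clients\StartMenuInternet, with a launch command pointing at a binary that has been uninstalled. The following is an added example, not code from the thread or from any poster, that audits those registrations in one pass rather than by hand in regedit: it walks the machine-wide list, the 32-bit view on x64 (where a 32-bit Opera installer may have written), and the per-user list under HKCU, and reports every registered browser whose `shell\open\command` target is no longer on disk. The function names are this example's own; the Wow6432Node path is included as an assumption to check and may simply not exist.

```powershell
# Added example (not from the thread): list registered browser clients and
# flag the ones whose launch command points at a missing executable.
# Written for PowerShell 2.0 / .NET 2.0 APIs so it runs on Server 2003 R2.
# Run it from an elevated 64-bit shell so the HKLM view is the 64-bit one.

function Get-ClientCommandPath {
    # Returns the executable named in <client>\shell\open\command, or $null.
    param([Microsoft.Win32.RegistryKey]$ClientKey)
    $cmdKey = $ClientKey.OpenSubKey('shell\open\command')
    if ($cmdKey -eq $null) { return $null }
    $raw = [string]$cmdKey.GetValue('')
    $cmdKey.Close()
    if ([string]::IsNullOrEmpty($raw)) { return $null }
    $raw = $raw.Trim()
    # The value seen in the thread is quoted:
    #   "C:\Program Files (x86)\Opera\Opera.exe"
    # so take the quoted token; otherwise take the first space-delimited one.
    if ($raw.StartsWith('"')) {
        $end = $raw.IndexOf('"', 1)
        if ($end -lt 0) { return $raw.Trim('"') }
        return $raw.Substring(1, $end - 1)
    }
    return $raw.Split(' ')[0]
}

function Get-BrowserClientAudit {
    $targets = @(
        @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Path = 'SOFTWARE\Clients\StartMenuInternet' },
        @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Path = 'SOFTWARE\Wow6432Node\Clients\StartMenuInternet' },  # assumption: 32-bit view on x64
        @{ Hive = [Microsoft.Win32.Registry]::CurrentUser;  Path = 'Software\Clients\StartMenuInternet' }
    )
    $report = @()
    foreach ($t in $targets) {
        $root = $t.Hive.OpenSubKey($t.Path)
        if ($root -eq $null) { continue }
        # The key's (Default) value names the client chosen as default at this level.
        $default = [string]$root.GetValue('')
        foreach ($name in $root.GetSubKeyNames()) {
            $client = $root.OpenSubKey($name)
            $exe = Get-ClientCommandPath $client
            $client.Close()
            $report += New-Object PSObject -Property @{
                Location  = $t.Hive.Name + '\' + $t.Path
                Client    = $name
                Command   = $exe
                OnDisk    = ($exe -ne $null) -and (Test-Path -LiteralPath $exe)
                IsDefault = ($name -eq $default)
            }
        }
        $root.Close()
    }
    return $report
}

# Full picture first, then only the entries that can no longer launch anything.
Get-BrowserClientAudit | Format-Table Location, Client, IsDefault, OnDisk, Command -AutoSize
Get-BrowserClientAudit | Where-Object { -not $_.OnDisk } | Format-List
```

Two things to keep in mind when acting on the output. The per-user default lives under HKCU, so the audit has to be run in the affected user's session (or against their loaded ntuser.dat) to see what a non-administrator is actually getting; an Administrator session, which the question says behaved correctly, only shows the administrator's own HKCU. And removing a dangling client key (`Remove-Item 'HKLM:\SOFTWARE\Clients\StartMenuInternet\OPERA.EXE' -Recurse` from an elevated shell) cleans up the Start Menu registration but does not by itself rewrite the http/https handlers under HKCR; re-selecting the browser in Set Program Access and Defaults, or reinstalling IE as the accepted answer ended up doing, is what re-registers those.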
 
LVL 5

Expert Comment

by:lscarbor
malwarebytes might find it.
malwarebytes.org
download the free one and make sure you update the database.
0
 
LVL 38

Expert Comment

by:younghv
MalwareBytes is not designed for Server OS and should not be used on them.

CCleaner is for PC's, not servers.

Piriform have a product designed for servers.
Read about it here:
http://www.piriform.com/business/ccleaner-network-edition

Download free trial here:
http://www.piriform.com/business/ccleaner-network-edition/trial-download

One of the things you will be able to do is 'scrub' the registry and ensure that any residue left over from Opera is completely removed.

As always with CCleaner, click the 'Yes' when it asks if you want to back up your registry.
0
 
LVL 5

Expert Comment

by:lscarbor
Malwarebytes has this list of operating systems:
"Operating systems: Windows 2000/XP/2003/Vista/Server 2008/7"
It would be prudent to use the scan and not just remove all. However, it would point you toward the issue.
0

 
LVL 38

Expert Comment

by:younghv
@lscarbor,
In my link to the actual Malwarebytes web page, they do not show that list:
http://www.malwarebytes.org/mbam.php

If you have another link, please share it. I love the product, but did not know it could be used on anything but PC's.
0
 
LVL 5

Expert Comment

by:lscarbor
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Price: Free; $24.95 to buy (Buy it now) .
Operating system: Windows 2000/XP/2003/Vista/Server 2008/7 .
Date added: December 21, 2010 .
Total Downloads: 60,477,985 .
Downloads last week: 387,960 .

Again, I'd just use the scan, not the remove all.

Has anyone recommended looking at the hosts file?
0
 
LVL 38

Expert Comment

by:younghv
I think we need to use the actual information from MalwareBytes and not from a third-party download site.

From MBAM:
Key Features
•Support for Windows 2000, XP, Vista, and 7 (32-bit and 64-bit).
•Operating Systems: Microsoft ® Windows 2000, XP, Vista, 7.
0
 
LVL 5

Expert Comment

by:lscarbor
Okay, I agree with you. I sent support a query about it.

Now, how about that hosts file? DNS? Have we tried a ping to see where the query points?  
0
 
LVL 5

Expert Comment

by:lscarbor
Here you go. From the forum on Malwarebytes.org :

Will Malwarebytes run on Server 2003?

Yes it will run just fine. Is this a legal and activated version of Windows Server 2003 ?

Ron Lewis
Manager of Online Support



0
 

Accepted Solution

by:
stevebootes earned 0 total points
Update:
I've solved the original problem - default browser keeps resetting to [non-existent] Opera - by re-installing Internet Explorer 8.  It took a couple of goes, first time (after a reboot) I had IE6 rather than IE8 (!), second time the install locked up downloading updates, third time (after saying no to download updates) worked ok.  Browser now stays put at IE8.
I'm still left with the Add/Remove programs empty list (but I can work around that for the time being with Nirsoft MyUninstall which works fine).
I couldn't do a restore last night due to the correct backup tape not being present (and the disk copy not having System State, just files) so that will have to wait until the weekend.  I'm not sure I trust this system now anyway.
I can confirm that ComboFix doesn't run on Windows 2003R2 x64 by the way.

I'll keep this thread updated until the problem is resolved and post the results of the Malwarebytes scan, depending upon whether it runs or not.

0
 
LVL 22

Expert Comment

by:optoma
0
 
LVL 38

Expert Comment

by:younghv
Here is an actual link to the MBAM forum where the Moderator clarifies a few things.

http://forums.malwarebytes.org/index.php?showtopic=75679&pid=390396&start=&st=#entry390396

0
 
LVL 5

Expert Comment

by:lscarbor
Further clarification from Tom Mercado regarding the use of Malwarebytes on servers:
(Note: I asked support to clarify the point that Server 2003 is not on the supported operating systems lists)

"No, it is not. Malwarebytes' Anti-Malware does not 'officially' support any server operating systems.
However, licensed corporate users can get any support they need through the corporate helpdesk. The corporate team has enough experience using it on servers to be able to assist with any issues that arise."

0
 
LVL 27

Expert Comment

by:Jonvee
>I can confirm that ComboFix doesn't run on Windows 2003R2 x64<
@ stevebootes:  .... thanks for the confirmation.

@ lscarbor   ...thanks for the clarification.
0
 

Author Comment

by:stevebootes
MalwareBytes does run on the server as long as you don't do an update when the setup finishes.  I did that the first time around and it complained (something about the files not being right for this system - not the exact wording).  After removing and reinstalling without running the update afterwards it did run successfully and let me start a scan, though of course the definitions were older than I would have liked (+2 months).
It did find a couple of remnants of items that nothing else did (leftover registry entries mainly), but nothing changed on the system after removing them.

@optoma:
Even after waiting for 4 hours the Add/Remove list didn't update.  There aren't any more files in \Documents and Settings or \Program Files than there were last week.

Registry restore this weekend I think.
0
 
LVL 5

Expert Comment

by:lscarbor
Could it be that the hack affected your domain policies?
Shooting from the hip here, but a customer of mine got a hack at home that changed everyone's program access to a non-existent browser, at which point everyone got the error.
So, I wonder if the problem is in a policy. No amount of malware removal paid off, the only thing that worked was changing the access.
I know it's not an exact match but . . .
There is a policy for start menu.

>>>For information sake:
>>>This is the location we found that was changed--
>>>'Program Access and Defaults'
>>>(Control Panel, Program Access and Defaults, Custom, then pick IE)

So I wonder if the policy for Start Menu was altered.
(Sorry I don't have the actual setting for policies in hand, but I'll look in policies this AM and see how the setting works.)
0
 
LVL 5

Expert Comment

by:lscarbor
This might help as well:
Title:
Set Default Browser via Group Policy / Registry:

http://www.experts-exchange.com/Security/Q_22070471.html
0
 
LVL 38

Expert Comment

by:ChiefIT
Once you do a repair install, I would consider a good reg cleaner. It appears you have a lot of registry metadata within the registry. I can see that you still have Opera keys within the registry after removing it.
0
 

Author Comment

by:stevebootes
Given up on this for the time being.  We have plenty of backups but none with recent system state :-(
System working fine apart from the MS Add/Remove programs list coming up blank but we can work around using NirSoft MyUninstall.
We're considering whether to use the "software" registry node from a 4 month old System State to repair this or whether that's going to cause us more problems than it will solve.
0
 

Author Closing Comment

by:stevebootes
Problem was not fully resolved but worked around the original issue by re-installing IE8.
0
