stevebootes (United Kingdom) asked:
Default Browser continually reset after hacking attempt

My customer has an issue where the default browser keeps changing to Opera.  Any attempt to change it back (for non-Administrator level users) is instantly undone.

Bear with me on this one, it's long-winded but I want to give you all the full picture:

The machine is running Windows 2003R2 x64 Standard functioning as a Terminal Server for around 50 users.  Yesterday we were alerted to Opera [the web browser] software appearing on the Start Menu.  Whilst looking through logs to see where this came from, we saw a successful login attempt under the Administrator account from an IP address somewhere in Russia.  Knowing this NOT to be any genuine user, I immediately: Reset all Administrator-level passwords, put a firewall block on the entire IP range the login came from and set about removing Opera.  This was hampered initially by the Add/Remove programs list being completely empty, but I used the Nirsoft tool to uninstall it instead.  As I logged off the Administrator account, a profile error alerted me to a possible virus in the local profile.  An AVG scan (AVG Internet Security v9 loaded and functioning with up-to-date definitions) found a Trojan "PSW.Agent.AKNN" which was quarantined successfully.
Later in the day, the client called to say several users couldn't click on hyperlinks from within Outlook (or other software too).  On investigation, the default browser was set to Opera, which had since been removed, so it generated an error.  When we tried to set the default browser back to IE (using Tools/Internet Options), the setting was accepted but it immediately reverted back to using Opera (even before exiting IE).  The same procedure carried out as Administrator worked however and IE remained the default.
I've since scanned the system using AVG (nothing found), ran Hijack This (nothing obvious found) and installed Opera again in order to uninstall it, all with no result.  Add/Remove programs is still blank too.
Any help appreciated!
optoma:

1>Along with scanning with AVG run these scanners (they run quickly) which will scan for other types of nasties which may be "cloaked" from AV scans.
Save logs if needed.
TdssKiller and Hitmanpro.

2> add/remove programs>appears blank but can you keep scrolling down + down... Anything at the bottom?

Jonvee:

You might try to run CCleaner. I had a web browser hijack because of a registry key that was left over after a complete AV scan and "clean" of the computer...

Needless to say, I had to resort to a registry cleaner because uninstalling the programs as well as AV and AS cleans didn't remove all the metadata in registry... Here was the thread where I was having a somewhat similar issue.
stevebootes:

TdsKiller/HitManPro found nothing except cookies.  Add/Remove list is completely empty, not just large amounts of white space - there are no scroll bars.  Nirsoft MyUninstall lists all of the programs correctly and allows uninstall, so data is there in registry ok.
@Jonvee: No -1 settings in registry, no large gap - just nothing. Ran REGSVR32 APPWIZ.CPL - no effect.
@CheifIT:  CCleaner ran, no effect.

Opera is still being set as the default browser, even though it's been removed.
Thanks ....well, another option now seems to be to run ComboFix.

If that doesn't resolve it, it's beginning to look as though an XP repair install may be necessary:
After consideration, running ComboFix appears to be the next move particularly as you've already removed a Trojan "PSW.Agent.AKNN".

You can download ComboFix from here, and save to your Desktop >

ComboFix must be run in normal mode.
Before using ComboFix, please disable any realtime Anti-virus, Anti-spyware, or Shields that you may have running.
It may also be necessary to rename ComboFix.exe (to Combo-Fix.exe for example), before saving it to your desktop.  

Double click "combofix.exe"(or the renamed ComboFix.exe) and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
Can you post that log here please.
Do not mouseclick Combofix's window while it is running, because it may stall.  

If needed>

Note:  If you have difficulties downloading or running it, try downloading to another machine, then into a USB memory stick or CD.  Rename it and carry to the infected machine.
You can try this key combination to reach a Run box >>
Windows Logo+R: Run dialog box

If that doesn't resolve the 'empty Add/Remove list', let's see if you get further suggestions, before moving on to the suggested repair install ....
Another idea ...after running ComboFix, but before considering an XP repair, you could try the System File Checker at repairing Add/Remove programs.
If you insert your CD, while simultaneously depressing the Shift key, this will prevent autorun.  Release the key after 10 to 15 seconds.

Start>Run       .. and then type SFC /scannow
Does combofix even work on Windows 2003R2 x64?
This isn't going to be a thing I can do in the day as there are lots of people using this Terminal Server, and I'd want to be VERY sure that I had an image backup of this machine before I ran that.
I'm also seriously considering restoring the registry back a few days before this happened if I can't get this sorted in the next 8 working hours or so.  It may be quicker than working through these repair and cleanup tools - I'm never 100% convinced you can recover from these things if something has messed up the registry.
I'll see if a simpler (less invasive) solution presents itself during the day, if not I'll progress with this option out of hours.
Verify you have an up to date backup, image etc... Then restore back prior to when this happened :)
Yes, coming to the same conclusion myself.  I can't do anything until tonight anyway, so unless something magical happens before then I think that's what I'll be doing.
Yes, it would be a safer route to take. Combofix isn't recommended to be run on those systems. Some people do, others do not :)
What does this key read?

        (Default) REG_SZ "C:\Program Files (x86)\Opera\Opera.exe"
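As an added illustration (not code from this thread), here is a Python check for the mechanism that produces the "reverts for normal users, sticks for Administrator" symptom: HKCR is HKLM\Software\Classes overlaid by HKCU\Software\Classes, and the per-user key wins. The `.reg` sample and the `PRESENT` file list are constructed stand-ins for a `reg export` of the http handler keys and for what is actually still on disk.

```python
import re
# Constructed sample of a `reg export` of the two http handler keys on a
# 2003 x64 Terminal Server; not taken from the original thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -nohome"

[HKEY_CURRENT_USER\Software\Classes\http\shell\open\command]
@="\"C:\\Program Files (x86)\\Opera\\Opera.exe\" \"%1\""
'''
# Constructed view of which executables are still on disk (Opera uninstalled).
PRESENT = {r'C:\Program Files\Internet Explorer\iexplore.exe'}
HKLM_HTTP = r'hkey_local_machine\software\classes\http\shell\open\command'
HKCU_HTTP = r'hkey_current_user\software\classes\http\shell\open\command'
KEY_RE = re.compile(r'^\[(.+)\]$')
DEFAULT_RE = re.compile(r'^@="(.*)"$')

def parse_reg_export(text):
    """Map lower-cased key path -> (Default) string for keys in a .reg export."""
    values, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = DEFAULT_RE.match(line)
        if m and current:
            # .reg files escape backslashes and quotes with a backslash
            values[current] = re.sub(r'\\(.)', r'\1', m.group(1))
    return values

def effective_handler(values):
    """Per-user key overrides the machine key in the merged HKCR view, so a
    poisoned HKCU entry keeps 'reverting' the default for that user only."""
    if values.get(HKCU_HTTP):
        return 'HKCU', values[HKCU_HTTP]
    return 'HKLM', values.get(HKLM_HTTP)

def exe_from_command(command):
    """Pull the executable path out of a shell open command."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return m.group(1) or m.group(2)

def audit(values, exists=lambda p: p in PRESENT):
    """Return (hive, exe, dangling): dangling means the effective http handler
    points at a file no longer on disk, which is what breaks hyperlinks."""
    hive, command = effective_handler(values)
    exe = exe_from_command(command)
    return hive, exe, not exists(exe)
```

On a real box the same check would be run per user profile, since each user's HKCU can carry its own handler.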
malwarebytes might find it.
download the free one and make sure you update the database.
younghv:
MalwareBytes is not designed for Server OS and should not be used on them.

CCleaner is for PCs, not servers.

Piriform have a product designed for servers.
Read about it here:

Download free trial here:

One of the things you will be able to do is 'scrub' the registry and ensure that any residue left over from Opera is completely removed.

As always with CCleaner, click the 'Yes' when it asks if you want to back up your registry.
Malwarebytes has this list of operating systems:
"Operating systems: Windows 2000/XP/2003/Vista/Server 2008/7"
It would be prudent to use the scan and not just remove all. However, it would point you toward the issue.
In my link to the actual Malwarebytes web page, they do not show that list:

If you have another link, please share it. I love the product, but did not know it could be used on anything but PCs.
Price: Free; $24.95 to buy (Buy it now) .
Operating system: Windows 2000/XP/2003/Vista/Server 2008/7 .
Date added: December 21, 2010 .
Total Downloads: 60,477,985 .
Downloads last week: 387,960 .

Again, I'd just use the scan, not the remove all.

Has anyone recommended looking at the hosts file?
I think we need to use the actual information from MalwareBytes and not from a third-party download site.

From MBAM:
Key Features
•Support for Windows 2000, XP, Vista, and 7 (32-bit and 64-bit).
•Operating Systems: Microsoft ® Windows 2000, XP, Vista, 7.
Okay, I agree with you. I sent support a query about it.

Now, how about that hosts file? DNS? Have we tried a ping to see where the query points?  
Here you go. From the forum on :

Will Malwarebytes run on Server 2003?

Yes it will run just fine. Is this a legal and activated version of Windows Server 2003 ?

Ron Lewis
Manager of Online Support

Here is an actual link to the MBAM forum where the Moderator clarifies a few things.

Further clarification from Tom Mercado regarding the use of Malwarebytes on servers:
(Note:  I asked support to clarify the point that Server 2003 is not on the supported operating systems list)

"No, it is not. Malwarebytes' Anti-Malware does not 'officially' support any server operating systems.
However, licensed corporate users can get any support they need through the corporate helpdesk. The corporate team has enough experience using it on servers to be able to assist with any issues that arise."

>I can confirm that ComboFix doesn't run on Windows 2003R2 x64<
@ stevebootes:  .... thanks for the confirmation.

@ lscarbor   ...thanks for the clarification.
MalwareBytes does run on the server as long as you don't do an update when the setup finishes.  I did that the first time around and it complained (something about the files not being right for this system - not the exact wording).  After removing and reinstalling without running the update afterwards it did run successfully and let me start a scan, though of course the definitions were older than I would have liked (+2 months).
It did find a couple of remnants of items that nothing else did (leftover registry entries mainly), but nothing changed on the system after removing them.

Even after waiting for 4 hours the Add/Remove list didn't update.  There aren't any more files in \Documents and Settings or \Program Files than there were last week.

Registry restore this weekend I think.
Could it be that the hack affected your domain policies?
Shooting from the hip here, but a customer of mine got a hack at home that changed everyone's program access to a non-existent browser--at which point everyone got the error
So, I wonder if the problem is in a policy. No amount of malware removal paid off, the only thing that worked was changing the access.
I know it's not an exact match but . . .
There is a policy for start menu.

>>>For information sake:
>>>This is the location we found that was changed--
>>>'Program Access and Defaults'
>>>(Control Panel, Program Access and Defaults, Custom, then pick IE)

So I wonder if the policy for Start Menu was altered.
(Sorry I don't have the actual setting for policies in hand, but I'll look in policies this AM and see how the setting works.)
This might help as well:
Set Default Browser via Group Policy / Registry:
Once you do a repair install, I would consider a good reg cleaner. It appears you have a lot of registry metadata within the registry. I can see that you still have Opera keys within the registry after removing it.
Given up on this for the time being.  We have plenty of backups but none with recent system state :-(
System working fine apart from the MS Add/Remove programs list coming up blank but we can work around using NirSoft MyUninstall.
We're considering whether to use the "software" registry node from a 4 month old System State to repair this or whether that's going to cause us more problems than it will solve.
Problem was not fully resolved but worked around the original issue by re-installing IE8.