Default Browser continually reset after hacking attempt
Posted on 2011-02-15
My customer has an issue where the default browser keeps changing to Opera. Any attempt to change it back (for non-Administrator level users) is instantly undone.
Bear with me on this one; it's long-winded, but I want to give you all the full picture:
The machine is running Windows 2003 R2 x64 Standard, functioning as a Terminal Server for around 50 users. Yesterday we were alerted to Opera [the web browser] software appearing on the Start Menu. Whilst looking through logs to see where this came from, we saw a successful login attempt under the Administrator account from an IP address somewhere in Russia. Knowing this NOT to be any genuine user, I immediately reset all Administrator-level passwords, put a firewall block on the entire IP range the login came from and set about removing Opera. This was hampered initially by the Add/Remove Programs list being completely empty, but I used the NirSoft tool to uninstall it instead. As I logged off the Administrator account, a profile error alerted me to a possible virus in the local profile. An AVG scan (AVG Internet Security v9, loaded and functioning with up-to-date definitions) found a Trojan, "PSW.Agent.AKNN", which was quarantined successfully.
Later in the day, the client called to say several users couldn't click on hyperlinks from within Outlook (or other software too). On investigation, the default browser was set to Opera, which had since been removed and so generated an error. When we tried to set the default browser back to IE (using Tools/Internet Options), the setting was accepted but it immediately reverted back to using Opera (even before exiting IE). The same procedure carried out as Administrator worked, however, and IE remained the default.
I've since scanned the system using AVG (nothing found), run HijackThis (nothing obvious found) and installed Opera again in order to uninstall it, all with no result. Add/Remove Programs is still blank too.
Any help appreciated!