Welcome to the world of Malware. There are many IE flaws that allow for the installation of spy/mal/ad-ware. Either disable install on demand, apply XP SP2, or switch them to Mozilla to prevent future installs of this type. Making HKLM\Software\Microsoft\Windows\CurrentVersion\Run read-only via regedt32 will help as well. Also install Spybot (freeware from security.kolla.de, downloadable from download.com) version 1.3 _with_ TeaTimer, which will protect your system settings and notify you if one is changed. Convince the user that No is his favorite button to click on as well :)

HTH
jp

>> -----Original Message-----
>> From: aborg@xxxxxxxxxx [mailto:aborg@xxxxxxxxxx]
>> Sent: Monday, August 02, 2004 9:20 AM
>> To: Windows NTBugtraq Mailing List; bugtraq@xxxxxxxxxxxxxxxxx
>> Subject: SideFind
>>
>> Hi ..
>>
>> Has anyone heard of this IE hijacker?
>>
>> One of our users went through a devastating Sunday when he tried to
>> remove this piece of software from his PC. It appears as a side panel
>> (on the left) and prompts with suggestions when the user utilises
>> Google to perform a search. Essentially, it notices what Google
>> searches you do and comes up with suggestions in its own little
>> window. However, if you try to remove the item using "Add/Remove
>> Programs" (since it's listed), you can end up with massive problems
>> with your computers. This user ended up losing all files on a
>> secondary partition of his hard disk. I found one post in a forum
>> where the poster claimed that it "trashed his OS" but did not say
>> what was specifically affected.
>>
>> The user was wise enough to try an undelete utility which restored
>> most but not all of his files and then used XP's system restore
>> feature to attempt to restore things back to a day before, but this
>> obviously meant that the utility re-appeared in "Add/Remove" and
>> under "Program Files".
>>
>> I didn't find much help on the net and no one seems to be flagging it
>> as a potentially disturbing piece of malware except for the poster
>> mentioned above. Disassembling it showed that it has an embedded
>> registry resource and by using that I removed all traces to it from
>> the registry.
>>
>> The only files that were not recovered were images (mainly belonging
>> to his daughter - and which weren't backed up; hereby proving Murphy's
>> law) and it seems as if there was some kind of cross-linked references
>> in the file table, since opening some pics in an ASCII viewer shows
>> quite clearly that they are not pics but either PDFs, MP3s, etc. I
>> renamed a few of the files and they worked. I'm not sure if this is
>> SideFind or the undelete utility that did this though ...
>>
>> What I'd like is more information as to how this damn utility
>> installed itself on the user's PC. He claims to have never
>> intentionally installed it and he's a reliable enough user for me to
>> believe that he didn't just click on "Yes" w/o reading the dialog
>> first ...
>>
>> Antoine Borg
>> Network Administrator
>>
>> Malta Communications Authority
>> Suite 43/44, "Il-Piazzetta"
>> Tower Road
>> Sliema SLM 16
>> Malta G.C.
>>
>> Tel: +356 21 336840
>> Fax: +356 21 336846
>> Mob: +356 79 271852
>>
>> ----------
>> "This is a lesson that the stars in the sky teach us - they may be
>> related to the sun, and just as brilliant, but they never appear in
>> her company"
>> Baltasar Gracian, 1601 - 1658
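The reply above recommends locking down the HKLM\...\CurrentVersion\Run key and running a settings watcher that notifies you when an autostart entry changes. The script below is an added example, not code from the thread or from Spybot: it takes a baseline snapshot of the Run key's entries, reports anything added, removed or changed on later runs, and flags entries that launch from user-writable directories such as Temp or Downloads (a heuristic for review, not proof of anything). The live registry read uses the standard-library winreg module and therefore only works on Windows; the comparison logic is plain Python. BASELINE_FILE, the directory markers and the sample snapshots are all constructed for the example.

```python
"""Baseline-and-compare watcher for the HKLM\\...\\Run autostart key.

Added example, not from the original thread. Records the Run key's
entries once, then on later runs reports anything added, removed or
changed. Live reads need Windows (winreg); the diff logic runs anywhere.
"""
import json
import os
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BASELINE_FILE = "run_key_baseline.json"  # hypothetical path; keep it somewhere users cannot write

# Directories an ordinary user can write to. An autostart entry launching
# from one of these deserves a closer look (heuristic, constructed for the example).
USER_WRITABLE_MARKERS = ("\\temp\\", "\\downloads\\", "\\appdata\\local\\temp\\")

# Constructed sample snapshots so the diff can be demonstrated off Windows.
SAMPLE_BASELINE = {
    "SoundMan": r"C:\WINDOWS\SOUNDMAN.EXE",
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_CURRENT = {
    "SoundMan": r"C:\WINDOWS\SOUNDMAN.EXE",
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe /x",
    "Updater": r"C:\Documents and Settings\user\Local Settings\Temp\upd.exe",
}


def read_run_entries():
    """Return {value_name: command} for HKLM\\...\\Run. Windows only."""
    import winreg  # standard library, but only present on Windows
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:
                break  # EnumValue raises once the index passes the last value
            entries[name] = str(data)
            index += 1
    return entries


def diff_run_entries(baseline, current):
    """Compare two {name: command} snapshots.

    Returns {'added': {name: cmd}, 'removed': {name: cmd},
             'changed': {name: (old_cmd, new_cmd)}}.
    """
    added = {n: c for n, c in current.items() if n not in baseline}
    removed = {n: c for n, c in baseline.items() if n not in current}
    changed = {n: (baseline[n], current[n])
               for n in baseline if n in current and baseline[n] != current[n]}
    return {"added": added, "removed": removed, "changed": changed}


def flag_suspicious(entries):
    """Names of entries whose command runs from a user-writable directory."""
    return sorted(n for n, cmd in entries.items()
                  if any(m in cmd.lower() for m in USER_WRITABLE_MARKERS))


def load_baseline(path=BASELINE_FILE):
    if not os.path.exists(path):
        return None
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def save_baseline(entries, path=BASELINE_FILE):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(entries, fh, indent=2, sort_keys=True)


def report(diff, current):
    """Print the differences and the heuristic flags; True if anything changed."""
    for kind in ("added", "removed", "changed"):
        for name, value in diff[kind].items():
            print(f"{kind.upper():8} {name}: {value}")
    for name in flag_suspicious(current):
        print(f"REVIEW   {name} runs from a user-writable directory: {current[name]}")
    return any(diff.values())


def main():
    if sys.platform != "win32":
        # Off Windows, demonstrate the logic on the constructed sample data.
        print("Not on Windows; showing the diff on constructed sample snapshots.")
        return 1 if report(diff_run_entries(SAMPLE_BASELINE, SAMPLE_CURRENT), SAMPLE_CURRENT) else 0
    current = read_run_entries()
    baseline = load_baseline()
    if baseline is None:
        save_baseline(current)
        print(f"Baseline of {len(current)} Run entries written to {BASELINE_FILE}")
        return 0
    return 1 if report(diff_run_entries(baseline, current), current) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it once after a clean build to write the baseline, then from a scheduled task; a non-zero exit code means the Run key differs from the baseline. Making the key read-only, as the reply suggests, stops silent additions; this check is the complementary detective control for entries that appear anyway.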