Malware sets IE to thearticlebay.com


William Lipp

While my wife was in Mexico her laptop picked up malware that
automatically launches IE pointed to www.thearticlebay.com - even
though the default browser is firefox.

We know the bugger checks for internet access before launching. We
know this because the laptop has an external switch to turn off
wireless, and the launch never happens with wireless off, but
happens in less than one minute from turning wireless on.

We know the bugger checks for internet access using the default
browser. We know this because when ZoneAlarm is installed and denies
internet access to firefox, the IE launch never happens. When
ZoneAlarm is told to permit firefox, the launch happens in less than
a minute.

Googling thearticlebay.com virus turns up only Spanish language hits -
translating them shows a lot of generic help about malware programs,
but nothing specific to the problem and no indication anybody solved
it.

TrendMicro, Norton (google packs), AdAware, and SpyBot all failed to
find it.

Any ideas on how to proceed?

William
 

David H. Lipman

From: "William Lipp" <w.b.(MyLastNameHere)@ieee.org>

| While my wife was in Mexico her laptop picked up malware that
| automatically launches IE pointed to www.thearticlebay.com - even
| though the default browser is firefox.

| We know the bugger checks for internet access before launching. We
| know this because the laptop has an external switch to turn off
| wireless, and the launch never happens with wireless off, but
| happens in less than one minute from turning wireless on.

| We know the bugger checks for internet access using the default
| browser. We know this because when ZoneAlarm is installed and denies
| internet access to firefox, the IE launch never happens. When
| ZoneAlarm is told to permit firefox, the launch happens in less than
| a minute.

| Googling thearticlebay.com virus turns up only Spanish language hits -
| translating them shows a lot of generic help about malware programs,
| but nothing specific to the problem and no indication anybody solved
| it.

| TrendMicro, Norton (google packs), AdAware, and SpyBot all failed to
| find it.

| Any ideas on how to proceed?

| William

1. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

2. Disable Notepad's word wrap:
In Notepad.exe Format --> uncheck "Word wrap"

3. Download/run Deckard's System Scanner:
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post in one of the below
expert forums...


{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner
Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 

Lon

William Lipp wrote:
> While my wife was in Mexico her laptop picked up malware that
> automatically launches IE pointed to www.thearticlebay.com - even
> though the default browser is firefox.
>
> We know the bugger checks for internet access before launching. We
> know this because the laptop has an external switch to turn off
> wireless, and the launch never happens with wireless off, but
> happens in less than one minute from turning wireless on.
>
> We know the bugger checks for internet access using the default
> browser. We know this because when ZoneAlarm is installed and denies
> internet access to firefox, the IE launch never happens. When
> ZoneAlarm is told to permit firefox, the launch happens in less than
> a minute.
>
> Googling thearticlebay.com virus turns up only Spanish language hits -
> translating them shows a lot of generic help about malware programs,
> but nothing specific to the problem and no indication anybody solved
> it.
>
> TrendMicro, Norton (google packs), AdAware, and SpyBot all failed to
> find it.
>
> Any ideas on how to proceed?
>
> William
>
>


I would create a hosts file and set 127.0.0.1 to www.thearticlebay.com
so it cannot connect.

Then pick your favorite malware scrubber.
 

William Lipp

On Sun, 20 Jul 2008 18:49:21 -0600, Lon <lon.stowell@comcast.net>
wrote:

>William Lipp wrote:
>> While my wife was in Mexico her laptop picked up malware that
>> automatically launches IE pointed to www.thearticlebay.com - even
>> though the default browser is firefox.
>>
>> We know the bugger checks for internet access before launching. We
>> know this because the laptop has an external switch to turn off
>> wireless, and the launch never happens with wireless off, but
>> happens in less than one minute from turning wireless on.
>>
>> We know the bugger checks for internet access using the default
>> browser. We know this because when ZoneAlarm is installed and denies
>> internet access to firefox, the IE launch never happens. When
>> ZoneAlarm is told to permit firefox, the launch happens in less than
>> a minute.
>>
>> Googling thearticlebay.com virus turns up only Spanish language hits -
>> translating them shows a lot of generic help about malware programs,
>> but nothing specific to the problem and no indication anybody solved
>> it.
>>
>> TrendMicro, Norton (google packs), AdAware, and SpyBot all failed to
>> find it.
>>
>> Any ideas on how to proceed?
>>
>> William
>>
>>

>
>I would create a hosts file and set 127.0.0.1 to www.thearticlebay.com
>so it cannot connect.
>
>Then pick your favorite malware scrubber.


I forgot to mention - that was the first thing I did. I still get
regular launches of internet explorer attempting to connect. None of
the malware scrubbers I've tried have fixed it, though.
 

Newell White

"William Lipp" wrote:

> On Sun, 20 Jul 2008 18:49:21 -0600, Lon <lon.stowell@comcast.net>
> wrote:
>
> >William Lipp wrote:
> >> While my wife was in Mexico her laptop picked up malware that
> >> automatically launches IE pointed to www.thearticlebay.com - even
> >> though the default browser is firefox.
> >>
> >> We know the bugger checks for internet access before launching. We
> >> know this because the laptop has an external switch to turn off
> >> wireless, and the launch never happens with wireless off, but
> >> happens in less than one minute from turning wireless on.
> >>
> >> We know the bugger checks for internet access using the default
> >> browser. We know this because when ZoneAlarm is installed and denies
> >> internet access to firefox, the IE launch never happens. When
> >> ZoneAlarm is told to permit firefox, the launch happens in less than
> >> a minute.
> >>
> >> Googling thearticlebay.com virus turns up only Spanish language hits -
> >> translating them shows a lot of generic help about malware programs,
> >> but nothing specific to the problem and no indication anybody solved
> >> it.
> >>
> >> TrendMicro, Norton (google packs), AdAware, and SpyBot all failed to
> >> find it.
> >>
> >> Any ideas on how to proceed?
> >>
> >> William
> >>
> >>

> >
> >I would create a hosts file and set 127.0.0.1 to www.thearticlebay.com
> >so it cannot connect.
> >
> >Then pick your favorite malware scrubber.

>
> I forgot to mention - that was the first thing I did. I still get
> regular launches of internet explorer attempting to connect. None of
> the malware scrubbers I've tried have fixed it, though.
>


Since you know the dates the computer was in Mexico, try searching for all
.exe, .dll, .bat, and other command files modified between these dates.

Then:

1) Record modified date/time of the suspect file(s).
2) Rename it by adding zzx_ prefix.
3) Get Internet Explorer to delete all temporary files and downloaded
program files.
4) Reboot.

If the suspect file re-appears, continue:
5) Rename it again
6) In Explorer, search C:\ for all files modified on the date you recorded
in (1) above. Sort into time order and rename all files of the same size as
bogus lsass.exe modified within 2 minutes of the time you recorded.
7) Record paths of all other files modified in this time window - they are
suspects.
8) Reboot with no network connection.
9) If the suspect file does not appear, the only other thing to guard
against is an intruder program that calls home to download the files you
renamed.
10) Plug into the network, and if you don't have a software firewall which
alerts on outgoing traffic, install one - e.g. free version of Zone Alarm.
11) Make sure the infection has not already re-appeared, and reboot again.
12) Zone Alarm should alert you if one of the suspects tries to call home.
Rename it.
13) If you want to, delete the renamed files.

--
Regards,
Newell White
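Newell's date-window triage (steps 1, 6 and 7 above) written out as a script. This is an added example, not code from anyone in this thread; walk_records() reads a real drive, while SAMPLE is constructed metadata (the sajko.exe name is borrowed from a later post in this thread, the other file names and sizes are made up) so the logic can be checked offline.

```python
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions taken to be the "command files" of step 1 (assumed list).
CMD_EXTS = {".exe", ".dll", ".bat", ".cmd", ".com", ".scr", ".pif", ".vbs"}

@dataclass(frozen=True)
class FileRec:
    path: str
    mtime: datetime
    size: int

def walk_records(root):
    """Yield (path, modified time, size) for every file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:      # locked or vanished file: skip, don't abort
                continue
            yield FileRec(full, datetime.fromtimestamp(st.st_mtime), st.st_size)

def modified_in_window(records, start, end):
    """Step 1: command files whose modified time falls inside the trip dates."""
    hits = [r for r in records
            if PureWindowsPath(r.path).suffix.lower() in CMD_EXTS
            and start <= r.mtime <= end]
    return sorted(hits, key=lambda r: r.mtime)   # step 6: time order

def companions(records, suspect, window=timedelta(minutes=2)):
    """Steps 6-7: other files modified within 2 minutes of the suspect, split
    into same-size copies (rename these too) and the rest (record as suspects)."""
    same_size, same_time = [], []
    for r in records:
        if r.path == suspect.path or abs(r.mtime - suspect.mtime) > window:
            continue
        (same_size if r.size == suspect.size else same_time).append(r)
    return same_size, same_time

# Constructed sample standing in for walk_records(r"C:\") on the laptop.
TRIP_START, TRIP_END = datetime(2008, 7, 1), datetime(2008, 7, 15, 23, 59)
SAMPLE = [
    FileRec(r"C:\Windows\notepad.exe", datetime(2004, 8, 4, 12, 0, 0), 69120),
    FileRec(r"C:\Windows\sajko.exe", datetime(2008, 7, 10, 14, 3, 10), 40960),
    FileRec(r"C:\Windows\zzdrop.dll", datetime(2008, 7, 10, 14, 4, 0), 40960),
    FileRec(r"C:\Windows\sajko.txt", datetime(2008, 7, 10, 14, 3, 30), 128),
    FileRec(r"C:\Program Files\Mozilla Firefox\firefox.exe",
            datetime(2008, 7, 20, 9, 0, 0), 352256),
]
```

Run modified_in_window(SAMPLE, TRIP_START, TRIP_END) to get the step 1 list, then companions(SAMPLE, hit) for each hit; on a real machine replace SAMPLE with list(walk_records(r"C:\")).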
 

Gary

On 20-Jul-2008, William Lipp <w.b.(MyLastNameHere)@ieee.org> wrote:

> I forgot to mention - that was the first thing I did. I still get
> regular launches of internet explorer attempting to connect. None of
> the malware scrubbers I've tried have fixed it, though.


Did you try this one: http://www.superantispyware.com/ ? If not, try it.
 

William Lipp

On Mon, 21 Jul 2008 16:39:17 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>Have you posted to an Expert Forum as I suggested ?


Yes, I'm several cycles into running programs and posting new logs
with Derek at your primary recommendation, TheSpyKiller.co.uk. The
last log I posted had messages about a root kit.
 

GuavaFoo

So, I just recently went to Costa Rica and took my iPod with me. At one
point, I connected my ipod to a computer and when I came home to put the
ipod in my computer... www.thearticlebay.com pops up in IE- and I use
firefox religiously. I believe I have spotted the problem- a process
called sajko.exe has appeared and I have never seen it before. Searches
on Google come up with nothing. I have spotted a few txt files in
C:/windows with the code referring to the .exe file. I delete
sajko.exe (which is located in C:/Windows) and it comes back and opens
up IE. I moved the affected text files, and that's where I am now.
I am afraid to hook up any external hard drive or another ipod to
computer because of fear that it will keep spreading.

Any help is greatly appreciated!!!!!!!

Also... I have created a hosts file and named the host IP to
thearticlebay.com so that it cannot gain any information from the
computer.


--
GuavaFoo
------------------------------------------------------------------------
GuavaFoo's Profile: http://forums.techarena.in/members/guavafoo.htm
View this thread: http://forums.techarena.in/security-virus/1005854.htm

http://forums.techarena.in
 

David H. Lipman

From: "GuavaFoo" <GuavaFoo.3e7avc@DoNotSpam.com>

| So, I just recently went to Costa Rica and took my iPod with me. At one point, I
| connected my ipod to a computer and when I came home to put the ipod in my computer...
| www.thearticlebay.com pops up in IE- and I use firefox religiously. I believe I have
| spotted the problem- a process called sajko.exe has appeared and I have never seen it
| before. Searches on Google come up with nothing. I have spotted a few txt files in
| C:/windows with the code referring to the .exe file. I delete sajko.exe (which is
| located in C:/Windows) and it comes back and opens up IE. I moved the affected text
| files, and that's where I am now.
| I am afraid to hook up any external hard drive or another ipod to computer because of
| fear that it will keep spreading.

| Any help is greatly appreciated!!!!!!!

| Also... I have created a hosts file and named the host IP to thearticlebay.com so that
| it cannot gain any information from the computer. -- GuavaFoo



1. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

2. Disable Notepad's word wrap:
In Notepad.exe Format --> uncheck "Word wrap"

3. Download/run Deckard's System Scanner:
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post in one of the below
expert forums...

{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner
Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp