Friday, August 06, 2004

How Deb and I Spent Last Night and Today


August 5, 2004

Deb has put a password on her Content Advisor (in Windows XP Home) and now wants to remove it, but has no idea what she put in as a password. The hint is totally meaningless. So she asks me (on the phone) how she can reset the password. Believe me, that was the easy thing to fix on her computer.

She is also getting her search seemingly hijacked by a hijacker called Shopnav that keeps popping up. The big problem: she is unable to go to any secure sites. She isn’t sure when the problem started, but it is preventing Deb from logging into her homepage which happens to be a secure site.

Last night I had Deb download, install and run Spybot Search & Destroy, Ad-Aware and SpywareBlaster. After each program was installed and updated, she ran Spybot, which found 111 instances of spyware. Ad-Aware then found 37 more spyware files.

Deb still could not get to her secure sites. Deb opened Internet Options and went to the Security tab. No secure sites were listed in Restricted sites. We checked Trusted sites; at first nothing appeared there. Then, when Deb started to add her home page to the Trusted sites zone, as soon as she typed the first h (as in http) a list of sites appeared in the zone. Every site she goes to is being added to the Trusted zone! There are also five very strange entries, something like this:

http://www.newwebsearch-https://login.hersecuresite.comAAXCE (these are not the exact characters) followed by a long string of other characters. The entries appear to be identical except that the last few characters differ. When she highlights one of the entries to remove it, the Remove button is greyed out, inactive.

Now we are both very perplexed and frustrated. We decide that I will go to her house tomorrow and see what we can do. I spend the rest of the evening searching for answers and posting to a Yahoo Group for help. I find what seem to be some solutions and print them off to try tomorrow.

August 6, 2004

After a nice lunch out (Deb paid!) we go to her house to see what we can do to fix this strange problem. Someone on a YahooGroups list, Mike, to be exact, suggested it could be something in the hosts file. (That makes sense; why didn't I think of that?) So I do a search on her computer and look at the hosts file: nothing there. Deb has a trackball instead of a mouse and it took me forever to use it. (I won't be getting one!)

So maybe CWShredder will fix this hijacker! I download the program and run it; it doesn't find anything. Well, it hasn't been updated for a while.

The strange thing is that Symantec has a fix for Shopnav, and the virus updates should have caught this a long time ago. I open her Norton and nearly choke. The virus definitions expired December 31, 2003! LiveUpdate decides to run, so we let it run, as she also has Norton Internet Security. I think I must have been asleep about now, but more about that later. Deb has been off work for a while, so she needs to watch her money, and I suggest we download and install the free version of AVG. So we get to Grisoft's site and download and install AVG. For some reason it couldn't be updated, but we ran it anyway and AVG found 6 virus files. (This is starting to get really serious!) So, after we run the virus scan and remove the bad files, turn off System Restore, reboot and turn it back on, we still cannot get to her secure sites. When the system comes back up, AVG updates and finds more virus files! I did remember to turn off Norton.

We looked in Add/Remove Programs and found some stuff she didn't recognize (some kind of spyware), so we removed it. It fought hard, kept saying 'Are you sure you want to remove this?' 'Yes.' 'Do you really want to remove this?' 'Yes.' It stayed on the remove screen so long we thought the system had frozen, but it was finally removed.

We check Windows Update: it is broken, it can't connect!

Last night while searching for Shopnav in Google, I found a link for PestPatrol that promised it could remove this pest, Shopnav. Since Spybot and Ad-Aware didn't do the trick, she decided she couldn't have this junk on her computer and would buy PestPatrol. I told her I couldn't guarantee this would work. Well, remember, she can't get to secure sites, so she can't make the purchase!

Deb and her husband each have their own profiles so Deb goes into his profile and connects to PestPatrol's site, and gets to the secure purchase screen with no problem. (Is her profile corrupted by spyware?) She downloaded PestPatrol and installed it. When PestPatrol is updated and run, it found 77 instances of spyware, including several trojans and a keylogger!

I finally wake up and realize: why hasn't her Norton firewall been alerting her about all this spyware calling home? I checked the firewall and it is DISABLED! (Virus did it? Spyware?) It will not let us enable it! Not in Deb's profile or her husband's profile. This is really getting frustrating! I checked, and the Windows firewall is turned on, so at least the computer is protected from incoming hacks. Since we can't enable Norton Internet Security, we decide to uninstall it.

So, off to ZoneAlarm's site. She downloads and installs ZoneAlarm and we get it configured. We install Firefox. The really strange entries are still in the Trusted sites zone (I really have to find out how to fix this), but she can now connect to her home page, the secure site. Oh, yes, Windows Update now works as well. That was the one good thing: all of the critical updates had been installed.

Before I go home, I show her how to edit the Registry to remove the Content Advisor Password. (That was easy!)

Deb learned a big lesson today; she thought her husband was taking care of all this, from now on, she's in charge!

May 19, 2005
After some further testing, I discovered that the behavior of typing an 'h' in the Trusted sites zone, which seems to add every site you have visited, is by design. If you open the Control Panel, select Internet Options, delete the Temporary Internet Files and clear the History, then go to Security/Trusted sites and type in an 'h', no new sites will show up, only what the user has already placed there.
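The list the dialog shows on typing 'h' is therefore autocomplete, while the sites actually assigned to the zone live in the registry. The following PowerShell script is an added example, not part of the original post: it lists the sites really assigned to a zone by reading the ZoneMap keys under HKCU and HKLM and the Group Policy ZoneMapKey values (the layout of that policy key is an assumption), and flags entries that carry a scheme inside the host name, like the five strange entries described above.

```powershell
# Added example, not from the original post: list the sites actually assigned to an
# Internet Explorer security zone by reading the ZoneMap registry keys, so history
# autocomplete in the Trusted sites dialog is not mistaken for real zone entries.
# Zone ids: 1 intranet, 2 trusted, 3 internet, 4 restricted.
param([int]$Zone = 2)

$base = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$domainRoots = @("HKCU:\$base\ZoneMap\Domains", "HKLM:\$base\ZoneMap\Domains")
# Group Policy "Site to Zone Assignment List" storage (assumed layout: REG_SZ values
# named by URL, data = zone id). Policy entries cannot be removed from the dialog.
$policyKeys = @("HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey",
                "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey")

function Test-SuspiciousSite([string]$Site) {
    # A second scheme or odd characters inside one entry, as in the post's
    # "www.newwebsearch-https://login..." entries, is not a normal zone entry.
    $bare = $Site -replace '^[a-z]+://', ''
    return [bool]($bare -match '://|[^\w.\-*/]')
}

function Get-ZoneMapEntries([string]$Root, [int]$ZoneId) {
    if (-not (Test-Path $Root)) { return }
    $rootPath = (Get-Item $Root).PSPath
    # Each domain is a key, an optional subkey is the host label, and each REG_DWORD
    # value is a scheme (http, https or *) whose data is the zone id.
    foreach ($key in Get-ChildItem $Root -Recurse) {
        $parts = $key.PSPath.Substring($rootPath.Length).Trim('\') -split '\\'
        $site = if ($parts.Count -gt 1) { "$($parts[1]).$($parts[0])" } else { $parts[0] }
        foreach ($p in ($key | Get-ItemProperty).PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and $p.Value -eq $ZoneId) {
                [pscustomobject]@{ Source = $Root; Scheme = $p.Name; Site = $site
                                   Suspicious = Test-SuspiciousSite $site }
            }
        }
    }
}

function Get-PolicyZoneEntries([string]$Key, [int]$ZoneId) {
    if (-not (Test-Path $Key)) { return }
    foreach ($p in (Get-ItemProperty $Key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -eq "$ZoneId") {
            [pscustomobject]@{ Source = $Key; Scheme = 'policy'; Site = $p.Name
                               Suspicious = Test-SuspiciousSite $p.Name }
        }
    }
}

$entries = @(foreach ($r in $domainRoots) { Get-ZoneMapEntries $r $Zone }) +
           @(foreach ($k in $policyKeys) { Get-PolicyZoneEntries $k $Zone })
$entries | Sort-Object Site | Format-Table Site, Scheme, Suspicious, Source -AutoSize
```

Entries whose Source is an HKLM or Policies path explain a greyed-out Remove button, since the per-user dialog cannot delete them; those must be cleaned up in the registry or in policy rather than in the dialog.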

1 comment:

Lenny Vasbinder said...

Hi Martha,

I saw your blog on CHAD and while looking through it, found this page. Decided to check my trusted sites in IE and sure enough, my trusted sites showed as empty until I put the first "h" in as well, then a list of sites showed up. Can't delete them. I'm going to post to CHAD to look for the fix to this since your blog doesn't elaborate on it.

Lenny V.
LNVTM-gmail.com
http://lennyvasbinder.blogspot.com