I’ve talked before about my dad’s problems using the internet and how he’s inundated with IE and Outlook Express exploits, but he surprised me today by showing me his copy of Firebird has been hijacked by something (I insisted he move to Firebird to avoid IE exploits last summer).
Here’s a screenshot showing what you get if you try to go to Google or Yahoo in his copy of Firebird 0.61 (I’m currently downloading 0.7 for him). I’ve never seen anything like this before; hopefully it’s not a sign of things to come.
Update: I’ve done a bit more investigation and it’s really weird, but Google works fine in IE (IE may be running through an ISP proxy — I forgot to check the settings). I ran Ad-Aware and removed a couple of processes, a couple dozen registry keys and a few apps that were clearly spyware, and yet the problem persists in even the newly downloaded Firebird after Ad-Aware gives a clean bill of health.
I suspect it’s got something to do with the PeoplePC dialup package he has to use to connect to the web. They do offer cheap dialup, and I wouldn’t be surprised if they made money in other ways such as these (he’s had problems in the past with PeoplePC).
Another update: looks like it’s this CoolWebSearch trojan (thanks Brad), which rewrote the hosts file. They exploited a Java bug in IE (I told him not to use IE, but does he listen?) that allows them to install their spyware. I wonder why the search page is still up, if it’s easy to trace it back to who did it and where they host. I would expect most hosting contracts to boot trojan horse spyware spammers.
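A hosts-file rewrite like the one described above applies to every program that resolves names locally, which is why a fresh Firebird install was still redirected after the spyware cleanup. The following check is an added example, not code from the original post: it parses hosts-file text and flags entries that point watched search domains at a non-loopback address. The watch list and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress

# Domains the post mentions being redirected (assumed watch list; extend as needed).
WATCHED = ("google.com", "yahoo.com")

def parse_hosts(text):
    """Yield (lineno, address, hostname) for each mapping in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                           # blank, comment-only or malformed
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an IP address
        for name in fields[1:]:                # one line may carry several aliases
            yield lineno, addr, name.lower().rstrip(".")

def suspicious_entries(text, watched=WATCHED):
    """Return mappings that point a watched domain at a non-loopback address."""
    hits = []
    for lineno, addr, name in parse_hosts(text):
        is_watched = any(name == d or name.endswith("." + d) for d in watched)
        # 127.0.0.1 / 0.0.0.0 entries are typical of blocking lists, not redirects.
        if is_watched and not (addr.is_loopback or addr.is_unspecified):
            hits.append((lineno, str(addr), name))
    return hits

# Constructed sample; 203.0.113.0/24 is a documentation range, not a real indicator.
SAMPLE = """\
# sample hosts file
127.0.0.1       localhost
203.0.113.10    www.google.com google.com   # injected
203.0.113.10    search.yahoo.com
0.0.0.0         ads.example.net
127.0.0.1       www.yahoo.com
"""

if __name__ == "__main__":
    for lineno, addr, name in suspicious_entries(SAMPLE):
        print(f"line {lineno}: {name} -> {addr}")
```

On NT-based Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; any flagged line should be removed only after the program that wrote it is gone, or it will be rewritten.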