Those spyware boys are getting smarter! I recently had a remote laptop user who kept having his home page hijacked by www.securitynetpage.net even though the home page in Internet Explorer was set to our company web site. Autoruns showed no suspicious BHOs. After poking around in the registry and finding nothing, I took a look at the Internet Explorer add-ons and lo and behold: isaddon.dll. Sounds important, doesn’t it? It appears to be related to some SmitFraud spyware.
Here’s one of the prompts from the web site. The user in question thought he was infected:
Note the spelling mistakes. A lookup of the domain name on www.whois.sc shows that the web site is blacklisted by many other sites.
I found another useful site for slamming down spyware: Jotti. You know those little pests like to randomize the filenames so you cannot find them via Google? Well, you can submit a suspicious file to Jotti and it will tell you what it is!
Just for the record: I again recommend you use Ewido for cleaning off spyware. You can install and run it within Windows PE: it does work.
– Soli Deo Gloria