Re: Help! Ad-aware found: Registry--> Possible Browser Hijack attempt
From: PA Bear (PABear_at_mvps.org)
Date: 05/27/04
- Next message: Brian: "Re: Automatic redirection when IE 6 is opened"
- Previous message: PA Bear: "Re: Wont do "windows update" just shows a blank page"
- In reply to: Robert Aldwinckle: "Re: Help! Ad-aware found: Registry--> Possible Browser Hijack attempt"
- Next in thread: Robert Aldwinckle: "Re: Help! Ad-aware found: Registry--> Possible Browser Hijack attempt"
- Reply: Robert Aldwinckle: "Re: Help! Ad-aware found: Registry--> Possible Browser Hijack attempt"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 27 May 2004 13:02:23 -0400
Robert, both current versions of Ad-aware and Spybot are identifying this
and some other keys as /possible/ hijacking*. If user has intentionally
selected a blank homepage (about:blank), the report should be viewed as a
false-positive and ignored.
*CWS.Aboutblank, CWS.Searchx, et alia
--
~PA Bear
Robert Aldwinckle wrote:
>> TODAY, it found it again. My question is: What do I do??!?!?!
>> I'm running WinXP.
>
> It looks as if that proxy, if it is going to work, has to be running
> somewhere on your machine (e.g. ProxyServer address like 127.0.0.1).
> If so, you could probably see it with
> netstat -ao
> (e.g. that would show "listening" PID so then you would match up the PID
> with an imagename using Task Manager.)
>
> Since you know the port involved you can actually make the output even
> more particular with the following pipeline:
>
> netstat -ano | find /i ":9002"
>
> XP's netstat can give you even more detail about the process involved
> including the .dlls it is using.
>
> netstat -abvon -p tcp
>
> However, the -b option seems to slow it down absurdly.
>
> What I would do instead is once I got the PID from the -o option
> I'd use the tasklist command and use the PID for a filter criterion.
> E.g. say your netstat told you that the PID was 1234 then the tasklist
> command you would enter would be:
>
> tasklist /m /fi "PID eq 1234"
>
> That gives essentially the same information much quicker.
>
>
> Since you suspect that "something" is adding those registry entries
> another diagnostic I would use is RegMon with an input filter of Proxy
> (RegMon is freeware from SysInternals.) This would be especially easy
> if the changes are being made after boot time but RegMon for NTx also
> has a way of tracing activity during the boot too. To set the filter I
> find it simplest just to press Ctrl-L then type my input criteria in
> the Include box. Alternatively use the filter icon in the toolbar.
> Unless you find a good reason to use a more inclusive input criterion I
> think you may find that that one is sufficient without being overwhelming.
>
>
> Good luck
>
> Robert Aldwinckle
> ---
>
>
> "Debbie" <anonymous@discussions.microsoft.com> wrote in message
> news:uQJBMwfQEHA.3596@tk2msftngp13.phx.gbl...
>> Hello-
>> Two days ago Ad-aware found:
>> Possible Browser Hijack attempt -
>> RegData -HKEY_CURRENT_USER:Software\Microsoft\Internet
>> Explorer\Main"Start Page" ("about:blank")
>> So, I just got rid of it (even the quarantine one) . Then, TODAY, it
>> found it again. My question is: What do I do??!?!?!
>> I'm running WinXP.
>>
>> Thanks
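
The netstat-then-tasklist lookup described in the quoted reply, as an added PowerShell example that is not part of the original thread. It assumes English-language netstat output (the `LISTENING` state text) and defaults to port 9002 from the thread; the `Internet Settings` key used for ProxyEnable/ProxyServer is the standard per-user Windows location and is not quoted in the thread.

```powershell
# Added example: map a listening TCP port to its owning process and modules,
# then show the per-user IE proxy and start-page values discussed in the thread.
# Assumption: netstat prints the English state name "LISTENING".
param([int]$Port = 9002)

# netstat -ano rows: Proto  LocalAddress  ForeignAddress  State  PID
$listeners = foreach ($line in (netstat -ano -p tcp)) {
    $f = -split $line
    # Anchor the port to the END of the local address, so a foreign address
    # or a longer port number (e.g. :80 vs :8080) cannot match by accident.
    if ($f.Count -eq 5 -and $f[3] -eq 'LISTENING' -and
        $f[1] -match (':{0}$' -f $Port)) {
        [pscustomobject]@{ Local = $f[1]; ProcessId = [int]$f[4] }
    }
}

$owners = @($listeners | Sort-Object ProcessId -Unique)
if ($owners.Count -eq 0) {
    Write-Output "Nothing is listening on TCP port $Port."
} else {
    foreach ($o in $owners) {
        Write-Output "PID $($o.ProcessId) is listening on $($o.Local)"
        # Same filter as in the thread: image name plus loaded modules.
        tasklist /m /fi "PID eq $($o.ProcessId)"
    }
}

# Current-user values a proxy or start-page hijack would change.
$inet = Get-ItemProperty -ErrorAction SilentlyContinue `
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$main = Get-ItemProperty -ErrorAction SilentlyContinue `
    'HKCU:\Software\Microsoft\Internet Explorer\Main'
Write-Output "ProxyEnable = $($inet.ProxyEnable)"
Write-Output "ProxyServer = $($inet.ProxyServer)"
Write-Output "Start Page  = $($main.'Start Page')"
```

A ProxyServer value pointing at 127.0.0.1 together with a listener on the same port identifies the local process to investigate; an empty listener list with the proxy still enabled means the setting is stale or the process is not currently running.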