Re: Help! Ad-aware found: Registry--> Possible Browser Hijack attempt
From: Robert Aldwinckle (robald_at_techemail.com)
Date: 05/27/04
Date: Thu, 27 May 2004 17:11:17 -0400
>>> Two days ago Ad-aware found:
>>> Possible Browser Hijack attempt -
>>> RegData -HKEY_CURRENT_USER:Software\Microsoft\Internet
>>> Explorer\Main"Start Page" ("about:blank")
> Robert, both current versions of Ad-aware and Spybot are identifying this
> and some other keys as /possible/ hijacking*.
Oops. I think I must have been replying to something in the AUMHA
thread. My reply doesn't make much sense just from the point of view
of this one. There the only problem with Home page mentioned was
having About:Blank change to MSN.com. The last I saw of the thread
she was still complaining about seeing undesired changes in proxy settings. That is what my reply was addressing.
Sorry for the confusion.
Robert
---
"PA Bear" <PABear@mvps.org> wrote in message
news:%23FxqnxAREHA.1004@TK2MSFTNGP10.phx.gbl...
> Robert, both current versions of Ad-aware and Spybot are identifying this
> and some other keys as /possible/ hijacking*. If user has intentionally
> selected a blank homepage (about:blank), the report should be viewed as a
> false-positive and ignored.
>
> *CWS.Aboutblank, CWS.Searchx, et alia
> --
> ~PA Bear
>
> Robert Aldwinckle wrote:
>>> TODAY, it found it again. My question is: What do I do??!?!?!
>>> I'm running WinXP.
>>
>> It looks as if that proxy, if it is going to work, has to be running
>> somewhere on your machine (e.g. ProxyServer address like 127.0.0.1)
>> If so, you could probably see it with
>> netstat -ao
>> (e.g. that would show "listening" PID so then you would match up the PID
>> with an imagename using Task Manager.)
>>
>> Since you know the port involved you can actually make the output even
>> more particular with the following pipeline:
>>
>> netstat -ano | find /i ":9002"
>>
>> XP's netstat can give you even more detail about the process involved
>> including the .dlls it is using.
>>
>> netstat -abvon -p tcp
>>
>> However, the -b option seems to slow it down absurdly.
>>
>> What I would do instead is once I got the PID from the -o option
>> I'd use the tasklist command and use the PID for a filter criterion.
>> E.g. say your netstat told you that the PID was 1234 then the tasklist
>> command you would enter would be:
>>
>> tasklist /m /fi "PID eq 1234"
>>
>> That gives essentially the same information much quicker.
>>
>>
>> Since you suspect that "something" is adding those registry entries
>> another diagnostic I would use is RegMon with an input filter of Proxy
>> (RegMon is freeware from SysInternals.) This would be especially easy
>> if the changes are being made after boot time but RegMon for NTx also
>> has a way of tracing activity during the boot too. To set the filter I
>> find it simplest just to press Ctrl-L then type my input criteria in
>> the Include box. Alternatively use the filter icon in the toolbar.
>> Unless you find a good reason to use a more inclusive input criterion I
>> think you may find that that one is sufficient without being overwhelming.
>>
>>
>> Good luck
>>
>> Robert Aldwinckle
>> ---
>>
>>
>> "Debbie" <anonymous@discussions.microsoft.com> wrote in message
>> news:uQJBMwfQEHA.3596@tk2msftngp13.phx.gbl...
>>> Hello-
>>> Two days ago Ad-aware found:
>>> Possible Browser Hijack attempt -
>>> RegData -HKEY_CURRENT_USER:Software\Microsoft\Internet
>>> Explorer\Main"Start Page" ("about:blank")
>>> So, I just got rid of it (even the quarantine one) . Then, TODAY, it
>>> found it again. My question is: What do I do??!?!?!
>>> I'm running WinXP.
>>>
>>> Thanks
>
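The netstat-to-tasklist steps quoted above, as an added example that is not part of the original thread: it parses `netstat -ano` output, matches the port exactly (a plain `find ":9002"` would also hit `:90021` and lines where 9002 is only the remote port), and builds the `tasklist` command for the owning PID. The sample output and the function names are constructed for illustration.

```python
import re

# Constructed sample of `netstat -ano -p tcp` output (not taken from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    127.0.0.1:9002         0.0.0.0:0              LISTENING       1234
  TCP    127.0.0.1:1045         127.0.0.1:9002         ESTABLISHED     2040
  TCP    127.0.0.1:9002         127.0.0.1:1045         ESTABLISHED     1234
  TCP    192.168.0.5:90021      0.0.0.0:0              LISTENING       1500
"""

# Proto, local ip:port, foreign address, state, PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+)\s+(\w+)\s+(\d+)\s*$")


def listeners_on_port(netstat_text, port):
    """Return [(local_ip, pid)] for TCP sockets LISTENING on exactly `port`."""
    found = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line, or non-TCP row
        ip, local_port, _foreign, state, pid = m.groups()
        # Compare the local port numerically so 90021 never matches 9002.
        if int(local_port) == port and state == "LISTENING":
            found.append((ip, int(pid)))
    return found


def is_loopback(ip):
    """True when the listener is bound to the local machine only."""
    return ip.startswith("127.") or ip == "[::1]"


def tasklist_command(pid):
    """The tasklist invocation from the thread, filled in with the PID."""
    return f'tasklist /m /fi "PID eq {pid}"'


if __name__ == "__main__":
    for ip, pid in listeners_on_port(SAMPLE, 9002):
        scope = "loopback only" if is_loopback(ip) else "reachable from network"
        print(f"port 9002 is owned by PID {pid} on {ip} ({scope})")
        print("next:", tasklist_command(pid))
```

On a live machine, pass the captured text of `netstat -ano -p tcp` in place of `SAMPLE`.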