Computer Security - Advice please-browser hijacker..

 
12-30-2004, 08:49 PM   #1
Robert
Re: Advice please-browser hijacker..

On Fri, 31 Dec 2004 17:07:56 +0000, tarquinlinbin wrote:

> Hello,
> I am currently troubleshooting a friend's Toshiba laptop which has a
> browser hijacker on board which may also have been linked to a porn
> dialler, but not sure. It's all down to his teenage son, who is
> obviously at a curious age. The last time I had his laptop it was a
> full reformat and rebuild, but that's not required now. When MSIE is
> launched it automatically goes to http://angels****ed.com/se,html and
> prompts for a download (ActiveX maybe, or dialler??). Anyway, it's about
> impossible to navigate away from this page and so the web browser is
> practically unusable. I've tried Ad-Aware/Spybot S&D and neither will
> clear it. I've run regedit and browsed/deleted reg entries but they
> return!!


Check the hard drive. I had a friend who also had the same problem with
loading a porn site every time you started IE, even after he set the
homepage to blank. There was a registry entry that told IE to look for a
directory on his hard drive. Once this directory was removed we could
set the home page to a blank screen.


--

Regards
Robert

Smile... it increases your face value!



12-31-2004, 05:07 PM   #2
tarquinlinbin
Advice please-browser hijacker..
Hello,
I am currently troubleshooting a friend's Toshiba laptop which has a
browser hijacker on board which may also have been linked to a porn
dialler, but not sure. It's all down to his teenage son, who is
obviously at a curious age. The last time I had his laptop it was a
full reformat and rebuild, but that's not required now. When MSIE is
launched it automatically goes to http://angels****ed.com/se,html and
prompts for a download (ActiveX maybe, or dialler??). Anyway, it's about
impossible to navigate away from this page and so the web browser is
practically unusable. I've tried Ad-Aware/Spybot S&D and neither will
clear it. I've run regedit and browsed/deleted reg entries but they
return!!

My latest attempt is with HijackThis. Again, if I delete the obvious
HijackThis entries then they return. The log is as follows:

Logfile of HijackThis v1.99.0
Scan saved at 16:54:51, on 31/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\wkcalrem.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\JOHNDO~1\LOCALS~1\Temp\Temporary Directory 1 for
hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.btopenworld.com/searchpane
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://angels****ed.com/se.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://angels****ed.com/se.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://bt.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
http://angels****ed.com/se.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
/Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002]
C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon
initialize
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless
Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program
Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft
Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program
Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program
Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
/STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk =
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags
Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) -
https://register.btinternet.com/temp...control013.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D}
(MessengerStatsClient Class) -
http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) -
https://register.btinternet.com/temp...control024.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

*****end of log


As a temporary measure I've installed Mozilla Firefox as a web browser.
I have also installed MS SP2 and all updates.

Any ideas gratefully received!!

jo


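The R0/R1 lines in the log above are the hijack itself: three Internet Explorer page settings (Start Page, Search Page and Local Page) all point at one host. As an added example that is not the poster's code and not part of HijackThis, this script re-joins the wrapped log lines, parses the R0/R1 entries and reports every host that is neither the shipped default (HKLM Default_Page_URL and the O14 IERESET.INF entry) nor on a trusted list; the sample log and the hijacker.example host are constructed.

```python
"""Triage the R0/R1 entries of a HijackThis log.

Added example for this thread; it is not part of the original post and not
HijackThis code. It re-joins log lines that the news client wrapped, pulls
out the R0/R1 Internet Explorer page settings, and reports every host that
is neither the machine's shipped default (HKLM Default_Page_URL and the
O14 IERESET.INF entry) nor on a caller-supplied trusted list.
"""
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the log posted above, with the hijacker's
# host replaced by a placeholder and the process list left out.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.0
Scan saved at 16:54:51, on 31/12/2004

R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar =
http://www.btopenworld.com/searchpane
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page =
http://hijacker.example/se.html
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page =
http://hijacker.example/se.html
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL =
http://bt.yahoo.com
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
http://hijacker.example/se.html
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Window Title =
Microsoft Internet Explorer
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
"""

# Every HijackThis entry opens with its section code; any other line that
# follows an entry is a wrapped continuation of it.
ENTRY_RE = re.compile(r"^(R[0-3]|F\d|N\d|O\d+) - ")
# R0/R1 layout: "<code> - <hive>\<key>,<value name> = <data>"
R_RE = re.compile(r"^(R[01]) - (HK[A-Z]+)\\(.+?),(.+?) = ?(.*)$")


def join_wrapped_lines(text):
    """Return the log's entries with mail/news line wrapping undone.
    Lines before the first entry (banner, process list) are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_RE.match(line):
            entries.append(line)
        elif entries:
            entries[-1] += " " + line
    return entries


def parse_r_entries(entries):
    """(code, hive, key, value_name, data) for each R0/R1 entry."""
    return [m.groups() for m in map(R_RE.match, entries) if m]


def host_of(text):
    """Lower-cased host of a URL, or None when the data is not a URL
    (the Window Title entry, for instance)."""
    host = urlsplit(text.strip()).hostname
    return host.lower() if host else None


def triage(log_text, trusted_hosts=()):
    """Map each untrusted host to the IE settings that point at it.

    The baseline is what the OEM/ISP shipped (HKLM Default_Page_URL and the
    O14 IERESET.INF start page) plus trusted_hosts. A hijacker shows up as
    one host owning Start Page, Search Page and, tellingly, Local Page: Local
    Page is what IE renders for about:blank, so a "blank" home page still
    loads the hijacker while that value is set.
    """
    entries = join_wrapped_lines(log_text)
    trusted = {h.lower() for h in trusted_hosts}
    for e in entries:
        if e.startswith("O14 - IERESET.INF: START_PAGE_URL="):
            h = host_of(e.split("=", 1)[1])
            if h:
                trusted.add(h)
    r_entries = parse_r_entries(entries)
    for _code, hive, _key, name, data in r_entries:
        if hive == "HKLM" and name == "Default_Page_URL":
            h = host_of(data)
            if h:
                trusted.add(h)
    findings = {}
    for _code, _hive, _key, name, data in r_entries:
        h = host_of(data)
        if h and h not in trusted:
            findings.setdefault(h, []).append(name)
    return findings


if __name__ == "__main__":
    for host, names in triage(SAMPLE_LOG, ["www.btopenworld.com"]).items():
        print(f"{host}: {', '.join(names)}")
```

Run against a real log, pass the ISP's search host as trusted and anything left over is what to clear; the HKCU values themselves are listed by name so they can be checked in regedit.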
12-31-2004, 07:56 PM   #3
vb
Re: Advice please-browser hijacker..

"tarquinlinbin" <> wrote in message
news:...
> Hello,
> I am currently troubleshooting a friend's Toshiba laptop which has a
> browser hijacker on board which may also have been linked to a porn
> dialler, but not sure. It's all down to his teenage son, who is
> obviously at a curious age. The last time I had his laptop it was a
> full reformat and rebuild, but that's not required now. When MSIE is
> launched it automatically goes to http://angels****ed.com/se,html and
> prompts for a download (ActiveX maybe, or dialler??). Anyway, it's about
> impossible to navigate away from this page and so the web browser is
> practically unusable. I've tried Ad-Aware/Spybot S&D and neither will
> clear it. I've run regedit and browsed/deleted reg entries but they
> return!!
>
> My latest attempt is with HijackThis. Again, if I delete the obvious
> HijackThis entries then they return. The log is as follows:
>
> <SNIP>
>
> As a temporary measure I've installed Mozilla Firefox as a web browser.
> I have also installed MS SP2 and all updates.
>
> Any ideas gratefully received!!
>
> jo


Run HijackThis and delete anything suspicious. Then install hguard to keep
your home page.

V.B.




01-01-2005, 12:05 AM   #4
donnie
Re: Advice please-browser hijacker..
On Fri, 31 Dec 2004 17:07:56 +0000, tarquinlinbin
<> wrote:


>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
>http://angels****ed.com/se.html
>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
>http://angels****ed.com/se.html
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
>http://bt.yahoo.com
>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
>http://angels****ed.com/se.html

###################################
Obviously you have to delete those registry keys. Then I would
disable Java scripting, CaptiveX and all other active scripting in the
browser. That's in Tools, Internet Options, Security, Custom Level.
Also look in the Advanced tab. Also, if it's a version of Windows
that has msconfig, look at the startup. Other places to look are
autoexec.bat, config.sys, and win.ini.
donnie.


01-01-2005, 12:40 AM   #5
Sasquatch
Re: Advice please-browser hijacker..
You need to also dump the .tmp files as well. Much of what returns does so
from there.

If this kid is at a "curious age" then it's time to introduce him to fixing
the problems he creates. People rarely change their behavior when they have
someone else doing the mop-up work for them.

You might also want to check out www.mozilla.org for their Firefox browser.
It prevents the ActiveX installs and other nasties that IE seems to thrive
on.


"tarquinlinbin" <> wrote in message
news:...
> Hello,
> I am currently troubleshooting a friend's Toshiba laptop which has a
> browser hijacker on board which may also have been linked to a porn
> dialler, but not sure. It's all down to his teenage son, who is
> obviously at a curious age. The last time I had his laptop it was a
> full reformat and rebuild, but that's not required now. When MSIE is
> launched it automatically goes to http://angels****ed.com/se,html and
> prompts for a download (ActiveX maybe, or dialler??). Anyway, it's about
> impossible to navigate away from this page and so the web browser is
> practically unusable. I've tried Ad-Aware/Spybot S&D and neither will
> clear it. I've run regedit and browsed/deleted reg entries but they
> return!!
>
> My latest attempt is with HijackThis. Again, if I delete the obvious
> HijackThis entries then they return. The log is as follows:
>
> <SNIP>
>
> As a temporary measure I've installed Mozilla Firefox as a web browser.
> I have also installed MS SP2 and all updates.
>
> Any ideas gratefully received!!
>
> jo





01-01-2005, 08:21 AM   #6
Chuck
Re: Advice please-browser hijacker..
On Fri, 31 Dec 2004 17:07:56 +0000, tarquinlinbin <>
wrote:

>Hello,
>I am currently troubleshooting a friend's Toshiba laptop which has a
>browser hijacker on board which may also have been linked to a porn
>dialler, but not sure. It's all down to his teenage son, who is
>obviously at a curious age. The last time I had his laptop it was a
>full reformat and rebuild, but that's not required now. When MSIE is
>launched it automatically goes to http://angels****ed.com/se,html and
>prompts for a download (ActiveX maybe, or dialler??). Anyway, it's about
>impossible to navigate away from this page and so the web browser is
>practically unusable. I've tried Ad-Aware/Spybot S&D and neither will
>clear it. I've run regedit and browsed/deleted reg entries but they
>return!!
>
>My latest attempt is with HijackThis. Again, if I delete the obvious
>HijackThis entries then they return. The log is as follows:


<SNIP>

>As a temporary measure I've installed Mozilla Firefox as a web browser.
>I have also installed MS SP2 and all updates.
>
>Any ideas gratefully received!!
>
>jo


Jo,

If the items deleted through HijackThis return after deletion, then there's an
invisible process that you haven't deleted. This is similar to CoolWebSearch, a
very noxious pest that mutates frequently.
http://www.spywareinfo.com/~merijn/cwschronicles.html

IMHO, you'll need expert advice from one of the expert HTML forums. SpywareInfo
Forum, for instance, has a formal training and certification program, and a
management structure to deal with help requests.
Aumha: <http://forum.aumha.org/index.php>
Net-Integration: <http://forums.net-integration.net/>
Spyware Info: <http://forums.spywareinfo.com/>
Spyware Warrior: <http://spywarewarrior.com/index.php>
Tom Coyote: <http://forums.tomcoyote.org/>

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.


01-01-2005, 01:53 PM   #7
Ken Ward
Re: Advice please-browser hijacker..
On Fri, 31 Dec 2004 17:07:56 +0000, tarquinlinbin
<> wrote:

>Hello,
>I am currently troubleshooting a friend's Toshiba laptop which has a
>browser hijacker on board which may also have been linked to a porn
>dialler, but not sure. It's all down to his teenage son, who is
>obviously at a curious age. The last time I had his laptop it was a
>full reformat and rebuild, but that's not required now. When MSIE is
>launched it automatically goes to http://angels****ed.com/se,html and
>prompts for a download (ActiveX maybe, or dialler??). Anyway, it's about
>impossible to navigate away from this page and so the web browser is
>practically unusable. I've tried Ad-Aware/Spybot S&D and neither will
>clear it. I've run regedit and browsed/deleted reg entries but they
>return!!

Snip
>
>
>As a temporary measure I've installed Mozilla Firefox as a web browser.
>I have also installed MS SP2 and all updates.
>
>Any ideas gratefully received!!
>
>jo


In respect of these nasties, I have found the following also helps.
Because these use Browser Helper Objects (BHOs), I have found that
BHODemon is a useful program: www.DefinitiveSolutions.com
This will list all DLLs which are also BHOs. It will also tell you
which are friendly, which are hostile & which are unknown. It is the
latter two you need to look at - unknown is important, as these nasties
tend to create random names for the BHO DLL. When you find one
(BHODemon will pop up if it has just been created/modified), note its
name & find it - search with the exact name. Don't delete it just
yet; repeat the find using *.dll & the date created. This will give
you a list of DLLs created that day. Now delete all DLLs with exactly
the same creation date & time as the BHO DLL - this will usually
delete the dropper DLL that respawns the offender. Now use
Ad-Aware/Spybot to clean up, preferably in Safe Mode.


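Ken Ward's procedure above (note the unknown BHO DLL, then find every other file created at the same moment, the dropper among them) as an added example; this is not the poster's code and not part of BHODemon. The file names in the demo are constructed, and creation_time falls back to st_ctime on platforms that do not expose a birth time.

```python
"""Find the files dropped together with a suspicious BHO DLL.

Added example for the procedure described above; not the poster's code and
not part of BHODemon. Given the path of a DLL that BHODemon reported as
unknown, list every other DLL/EXE under the search roots whose creation time
matches it to within a second, which is where the dropper that respawns the
BHO usually sits. The correlation itself is a pure function so it can be
checked on constructed data without a Windows box.
"""
import os
import tempfile
from datetime import datetime


def creation_time(path):
    """Creation time in seconds since the epoch. Python exposes it as
    st_ctime on Windows and as st_birthtime where the platform has one;
    on Linux st_ctime is the inode change time, the closest available."""
    st = os.stat(path)
    return getattr(st, "st_birthtime", st.st_ctime)


def created_together(suspect_ts, candidates, tolerance=1.0):
    """Pure core: the (path, ts) pairs from candidates whose timestamp lies
    within `tolerance` seconds of suspect_ts, oldest first."""
    hits = [(p, ts) for p, ts in candidates if abs(ts - suspect_ts) <= tolerance]
    return sorted(hits, key=lambda item: item[1])


def find_dropper_candidates(suspect, roots, suffixes=(".dll", ".exe"), tolerance=1.0):
    """Walk `roots`, stat every file ending in one of `suffixes`, and return
    those created within `tolerance` seconds of `suspect` (suspect excluded)."""
    suspect = os.path.abspath(suspect)
    suspect_ts = creation_time(suspect)
    candidates = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if not name.lower().endswith(suffixes) or os.path.abspath(path) == suspect:
                    continue
                try:
                    candidates.append((path, creation_time(path)))
                except OSError:
                    continue  # locked or vanished file: skip it, do not abort the sweep
    return created_together(suspect_ts, candidates, tolerance)


def demo():
    """Constructed demonstration: a scratch directory holding a fake BHO, a
    fake dropper written at the same moment and an unrelated text file.
    Returns the base names reported as dropped together with the BHO."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("abcxyz.dll", "dropper.dll", "notes.txt"):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(b"MZ constructed sample, not a real binary\n")
        hits = find_dropper_candidates(os.path.join(tmp, "abcxyz.dll"), [tmp])
        return [os.path.basename(p) for p, _ts in hits]


if __name__ == "__main__":
    # Real use: find_dropper_candidates(r"C:\WINDOWS\System32\<unknown>.dll",
    #                                   [r"C:\WINDOWS", r"C:\Program Files"])
    for name in demo():
        print(name, datetime.now().strftime("%Y-%m-%d %H:%M:%S"))
```

Everything the sweep returns is a candidate, not a verdict: check each hit's publisher and path before deleting, since legitimate installers also drop several files in the same second.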
01-13-2005, 09:42 PM   #8
mihaiyx@yahoo.com
Re: Advice please-browser hijacker..
I'm having the same issue. I have tried manually removing all files and
registry entries, Norton AntiVirus doesn't detect anything, HijackThis
did not do anything, BHODemon does not see anything malicious, and no
spyware remover will get rid of it.

... I think I'll take the ultimate measure and format everything and
reinstall. However, I'm still afraid that it'll come back before I get
a chance to install all the security fixes and whatever else I can to
protect it.



01-13-2005, 11:04 PM   #9
ArtDent
Re: Advice please-browser hijacker..

On 13-Jan-2005, wrote:

> I'm having the same issue. I have tried manually removing all files and
> registry entries, Norton AntiVirus doesn't detect anything, HijackThis
> did not do anything, BHODemon does not see anything malicious, and no
> spyware remover will get rid of it.
>
> ... I think I'll take the ultimate measure and format everything and
> reinstall. However, I'm still afraid that it'll come back before I get
> a chance to install all the security fixes and whatever else I can to
> protect it.


Before reformatting you may want to try the 'new' anti-spyware program from
Microsoft at:
http://www.microsoft.com/athome/secu...pyware/product
It is free, and, although a beta, it seems to do a pretty good job.
Good luck.
--
Don't Panic!


01-16-2005, 04:29 PM   #10
OldCoyote
Re: Advice please-browser hijacker..
We had a similar problem with CoolWebSearch. It was my first experience
with this type of product. It was on a Windows XP computer and the initial
tech had tried for two days to remove it using Ad-Aware and Spybot S&D.
Both products removed it but it came back the next boot.

I found the tech had omitted turning off System Restore, so I did that first
thing. I ran the utilities and also got a clean machine until reboot. I
then looked at the Hidden Folders option and it was set to hide system
folders. I un-hid the folders and, lo and behold, looked in the Windows\System32
folder for anything that looked abnormal. I didn't see anything. So I went
to the Event Viewer and in an error file it pointed me to a folder in the
Program Files directory. Sure enough, I found the offending folder and got
rid of it.

I'm not sure if you've tried to un-hide folders yet, but it's worth a try
before wiping out the machine.

Also if any of you know where I can get 5 minutes alone in a room with
someone who writes these programs please pass along the information.


"ArtDent" <> wrote in message
news:68DFd.6199$ ink.net...
>
> On 13-Jan-2005, wrote:
>
>> I'm having the same issue. I have tried manually removing all files and
>> registry entries, Norton AntiVirus doesn't detect anything, HijackThis
>> did not do anything, BHODemon does not see anything malicious, and no
>> spyware remover will get rid of it.
>>
>> ... I think I'll take the ultimate measure and format everything and
>> reinstall. However, I'm still afraid that it'll come back before I get
>> a chance to install all the security fixes and whatever else I can to
>> protect it.

>
> Before reformatting you may want to try the 'new' anti-spyware program
> from
> Microsoft at:
> http://www.microsoft.com/athome/secu...pyware/product
> It is free, and, although a beta, it seems to do a pretty good job.
> Good luck.
> --
> Don't Panic!




