Could someone explain these registry items that ad-aware found?

Discussion in 'Computer Support' started by systemtool, May 6, 2004.

  1. systemtool Guest

    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Possible browser hijack attempt : Software\Microsoft\Internet
    Explorer\MainStart Pageabout:blank

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "about:blank"
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Start Page
    Data : "about:blank"

    Possible browser hijack attempt : .Default\Software\Microsoft\Internet
    Explorer\MainStart Pageabout:blank

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "about:blank"
    Rootkey : HKEY_USERS
    Object : .Default\Software\Microsoft\Internet
    Explorer\Main
    Value : Start Page
    Data : "about:blank"


    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 2
    Objects found so far: 2

    The above is from my Ad-aware log (Ad-aware Personal Build 6.181,
    Using reference-file :01R302 03.05.2004). This is the second time in
    two days it has flagged these two registry keys.

    Yesterday, prompted by Ad-aware noticing this, I launched IE and found
    that yes, the start page HAD been changed from about:blank to msn.com.

    I quarantined what it had found, set up the preferred start page in
    IE, and thought I was done. But now, it's again flagging these
    registry entries.

    Ad-aware doesn't have much info for me. Here's the only detail I got:

    Possible Browser Hijack attempt RegData Data Miner
    HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main"Start
    Page" ("about:blank") Possible browser hijack attempt
    Possible Browser Hijack attempt RegData Data
    Miner HKEY_USERS:.Default\Software\Microsoft\Internet
    Explorer\Main"Start Page" ("about:blank") Possible browser
    hijack attempt

    What is going on here? And is this somehow related to AOL IM? I'd
    banned my daughter from using it for a week and we'd been living
    spyware-free; the two instances of this happening have both occurred
    after she's been doing IM. She isn't providing me with meaningful
    information about exactly WHAT she's doing that could be causing this
    though. She claims she's "just" sending messages back and forth.
     
    systemtool, May 6, 2004
    #1

  2. Unknown Guest

    The data at that location should contain the start page. It is the location
    you want to go to when you first start I.E.
    Such as httw://www.ebay.com
     
    Unknown, May 6, 2004
    #2

  3. Make sure you run windows update regularly. If IE isn't updated,
    certain websites will change your default startup page even without you
    authorizing such changes.
     
    Tom - safercomputing.com, May 6, 2004
    #3
  4. systemtool Guest

    Yes, I ran IE 6.0 Windows Update as recently as yesterday, and as
    usual, my machine was up to date on the critical updates.

    To clarify my initial question, I understand what my IE start page is.
    I want to know though (1) if there are known spyware, linked to AIM
    use, that change an IE start page from about:blank to msn.com, and (2)
    How would my changing the start page from msn.com back to about:blank
    through the normal IE tools : options, have caused AdAware to flag the
    registry key as spyware?

    My wording is hard to understand above, but I hope someone can answer
    the questions.
     
    systemtool, May 6, 2004
    #4
  5. Dan Shea Guest

    It looks to me like you are tracking a woozle, or, as it might be, a
    wizzle...

    In other words, AdAware is finding "about:blank" as the possible
    hijack attempt -- that is, it thinks the change you yourself made is
    potentially the work of some malware. You then ask it to fix these
    issues, so it restores the original IE start page -- which, IIRC, is
    www.msn.com. You change it back to "about: blank" manually, and so it
    goes...

    Cheers,
    dan
     
    Dan Shea, May 6, 2004
    #5
  6. ImhoTech Guest

    You set your homepage to about :Blank ? Then you don't have a problem. Using
    that for a homepage is an Adaware trigger. You did it, no problem, something
    else did it, maybe a problem.
     
    ImhoTech, May 6, 2004
    #6
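
The distinction drawn in posts #5 and #6 (a value the user set versus one something else set) can be checked by parsing the scan log and comparing each flagged value with a recorded baseline. This is an added example, not part of any post in the thread and not Ad-aware's own logic; the `INTENDED` baseline, the function names and the second `Data` value in the sample are assumptions made for illustration.

```python
import re

FIELD = re.compile(r"^\s*(Type|Data|Rootkey|Object|Value)\s*:\s*(.*)$")
MARKER = "Object recognized!"

def parse_findings(log_text):
    """Return one dict per flagged object, rejoining line-wrapped values."""
    findings, last = [], None
    for line in log_text.splitlines():
        match = FIELD.match(line)
        if MARKER in line:
            findings, last = findings + [{}], None
        elif match and findings:
            last = match.group(1)
            findings[-1][last] = match.group(2).strip().strip('"')
        elif line.strip() and last:
            findings[-1][last] += " " + line.strip()  # wrapped continuation
        else:
            last = None  # blank or unrelated line ends the current field
    return findings

def triage(findings, intended):
    results = []
    for f in findings:
        where = (f.get("Rootkey"), f.get("Object"), f.get("Value"))
        want, got = intended.get(where), f.get("Data", "")
        if want is None:
            verdict = "review: no recorded baseline"
        else:
            verdict = "expected" if want.lower() == got.lower() else "review: changed"
        results.append((where, got, verdict))
    return results

# Constructed sample in the layout of the log above; the second Data value is made up.
SAMPLE_LOG = r'''Possible Browser Hijack attempt Object recognized!
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"
Possible Browser Hijack attempt Object recognized!
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet
Explorer\Main
Value : Start Page
Data : "http://example.invalid/"'''
MAIN = r"Software\Microsoft\Internet Explorer\Main"
INTENDED = {("HKEY_CURRENT_USER", MAIN, "Start Page"): "about:blank",  # assumed baseline
            ("HKEY_USERS", ".Default\\" + MAIN, "Start Page"): "about:blank"}
print(*triage(parse_findings(SAMPLE_LOG), INTENDED), sep="\n")
```

A verdict of "expected" only says the stored string equals the one the user recorded; it says nothing about what the browser does when it loads that page.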
  7. Nobody Guest

    Regarding AIM - Have you recently downloaded and installed the
    latest version? If so, it may contain an adware program called
    WildTangent, which is pretty much used for gaming purposes.
    It will also install itself if you download some games from
    Yahoo's site.

    However, the other posters who provided info about your start
    page options seem to be the most plausible explanation, because
    it doesn't sound like WildTangent is what's causing your problem
    due to the info you provided from the Ad-Aware scan.

    Also, you'd know if you had that or many other ad/spyware programs
    installed due to the fact you would have definitely noticed that
    your computer, browser, apps, etc. are performing at a substantially
    slower rate than normal.

    Although, you might want to check out the link below to PestPatrol's
    site with some information on WildTangent, because if you or your
    daughter are using AIM, Yahoo and other IM programs or sites for
    gaming, it or similar programs could have been installed.

    http://www.pestpatrol.com/pestinfo/w/wildtangent.asp
     
    Nobody, May 6, 2004
    #7
  8. systemtool Guest

    I'm afraid you're right Dan. I think a relatively new reference file
    is suddenly flagging my browser start page as evidence of spyware.
    I've used about:blank forever as the home page, and probably update
    the reference file 2-3 times a week, running Adaware all the time I
    do.

    After running Ad-Aware this morning and "fixing" the registry entries,
    I was back to msn.com as the home page.

    Why this (about:blank) never bothered Ad-Aware before, I don't know!
     
    systemtool, May 6, 2004
    #8
  9. °Mike° Guest

    It's a warning about *possible* changes. The CWS
    hijacker is known to use this. See:

    http://www.spywareinfo.com/~merijn/cwschronicles.html
    CWS.Winres
    Variant 33: CWS.Winres - About:blank hacked

    If it bothers you, you can add it to your ignore list.


    <snip>
     
    °Mike°, May 6, 2004
    #9
  10. John Edwards Guest

    AOL IM WILL NOT GIVE YOU SPYWARE BECAUSE I USE IT MYSELF
     
    John Edwards, May 6, 2004
    #10
  11. °Mike° Guest

    And *this* from somebody advertising his email only "help"?


    <snip>
     
    °Mike°, May 7, 2004
    #11
  12. BoB Guest

    There are others on this forum asking the same question:

    http://www.lavasoftsupport.com/index.php?showforum=24

    They are looking into it.

    Make a blank html page, give it another name. You will save load
    time, not give Adaware a target and still have protection from
    CWS.

    BoB
     
    BoB, May 7, 2004
    #12
  13. So are you saying you know for sure that Ad-Aware's reporting of
    about:blank as a possible hijacking attempt is a false alarm if the user
    set it to that on purpose? I've had Ad-Aware report this same thing. When
    I next opened IE (completely updated BTW) its default home page was set
    to msn.com. Could it be that Ad-Aware deleted the registry entry and IE
    is hardheaded to insert www.msn.com when the registry entry is missing?

    I would really like to hear from people who really know, rather than just
    a bunch of speculation.
     
    Grant Robertson, May 8, 2004
    #13
  14. [f'ups set to <alt.privacy.spyware>, exclusively]

    [90-line snip -- was it *really* necessary for you to re-quote the
    entire thread-to-date?]
    [snip]

    This is true (in fact, you're understating the case -- WildTangent is known
    spyware, not just "adware"), but not relevant to the OP's query.
    [snip]

    Incorrect -- and dangerous advice, to boot. There is all manner of malware,
    including various forms of adware and/or spyware, which will impose little or
    no *noticeable* performance degradation on a modern system.

    If you assume that just because your computer doesn't "seem" to be running
    slowly, everything must be OK, you're setting yourself up for a BIG fall.

    --

    Jay T. Blocksom
    --------------------------------
    Appropriate Technology, Inc.
    usenet01[at]appropriate-tech.net


    "They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety."
    -- Benjamin Franklin, Historical Review of Pennsylvania, 1759.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Unsolicited advertising sent to this E-Mail address is expressly prohibited
    under USC Title 47, Section 227. Violators are subject to charge of up to
    $1,500 per incident or treble actual costs, whichever is greater.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     
    Jay T. Blocksom, May 8, 2004
    #14
  15. [f'ups set to <alt.privacy.spyware>, exclusively]

    [snip]

    A word of advice, "Stoner": Lay off the crack/hash/opium pipe, and hope the
    brain damage isn't permanent:

    <http://www.google.com/search?q=AIM+spyware&hl=xx-elmer&btnG=Google+Seawch>
    ["Wesults 1 - 10 of abouwt 173,000 fow AIM spyware. (0.16 seconds)"]

    (And quit top-posting and full-quoting!)

    --

    Jay T. Blocksom
    --------------------------------
    Appropriate Technology, Inc.
    usenet01[at]appropriate-tech.net
     
    Jay T. Blocksom, May 8, 2004
    #15
  16. [f'ups set to <alt.privacy.spyware>, exclusively]

    [snip]

    As you have by now discovered, this is essentially a false alarm.
    [snip]

    Near-certainly, no; but above and beyond this specific alarm, AIM is itself
    Bad
    <http://www.google.com/search?q=AIM+spyware&hl=xx-elmer&btnG=Google+Seawch>

    If you *must* use an IM client, I suggest Trillian:

    <http://www.ceruleanstudios.com/>

    --

    Jay T. Blocksom
    --------------------------------
    Appropriate Technology, Inc.
    usenet01[at]appropriate-tech.net
     
    Jay T. Blocksom, May 8, 2004
    #16
  17. Toolman Tim Guest

    And that would surprise you because....? Microsoft wrote it. Microsoft makes
    money from advertisers putting their crap there. Why would they *not* make
    it their default?
    Well, then call Microsoft and ask *them*.
     
    Toolman Tim, May 8, 2004
    #17