Re: Advice please-browser hijacker..
From: Ken Ward (kwar6996_at_bigpond.net.au)
Date: 01/01/05
- Next message: boo: "Re: VIRUS WARNING"
- Previous message: Jason Edwards: "Re: Which free Zone Alarm (4 or 5) uses less power?"
- In reply to: tarquinlinbin: "Advice please-browser hijacker.."
- Next in thread: mihaiyx_at_yahoo.com: "Re: Advice please-browser hijacker.."
- Reply: mihaiyx_at_yahoo.com: "Re: Advice please-browser hijacker.."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 01 Jan 2005 13:53:17 GMT
On Fri, 31 Dec 2004 17:07:56 +0000, tarquinlinbin
<braantispam@hotmail.com> wrote:
>Hello,
> I am currently troubleshooting a friend's Toshiba laptop which has a
>browser hijacker on board which may also have been linked to a porn
>dialler but not sure.... It's all down to his teenage son who is
>obviously at a curious age. The last time I had his laptop, it was a
>full reformat and rebuild but that's not required now. When MSIE is
>launched it automatically goes to http://angelsfucked.com/se,html and
>prompts for a download (ActiveX maybe or dialler??) anyway it's about
>impossible to navigate away from this page and so the web browser is
>practically unusable. I've tried Ad-Aware/Spybot S&D and neither will
>clear it. I've run regedit and browsed/deleted reg entries but they
>return!!
Snip
>
>
>As a temporary measure I've installed Mozilla Firefox as a web browser.
>I have also installed MS SP2 and all updates..
>
>Any ideas gratefully received!!
>
>jo
In respect of these nasties, I have found the following also helps.
Because these use Browser Helper Objects (BHOs) I have found that
BHODemon is a useful program. www.DefinitiveSolutions.com
This will list all DLLs which are also BHOs. It will also tell you
which are friendly, which are hostile & which are unknown. It is the
latter two you need to look at - unknown is important as these nasties
tend to create random names for the BHO DLL. When you find one
(BHODemon will pop up if it has just been created/modified), note its
name & find it - search with the exact name. Don't delete it just
yet; repeat the find using *.dll & the date created. This will give
you a list of DLLs created that day. Now delete all DLLs with exactly
the same creation date & time as the BHO DLL - this will usually
delete the dropper DLL that respawns the offender. Now use
Ad-Aware/Spybot to clean up, preferably in safe mode.
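
The manual procedure in the reply above (list the BHO DLLs, then look for other DLLs created at the same moment) as a read-only PowerShell report. This is an added example, not part of the original post and not BHODemon's code. The two-second matching window and the choice to search only the BHO DLL's own folder are assumptions.

```powershell
# Added example: report IE Browser Helper Objects and DLLs created alongside them.
# Read-only: nothing is deleted. Run from an elevated PowerShell prompt.
$windowSeconds = 2   # assumption: creation times this close count as "the same"
$roots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node'   # 64-bit and 32-bit views

foreach ($root in $roots) {
    $bhoKey = "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    if (-not (Test-Path -LiteralPath $bhoKey)) { continue }

    foreach ($entry in Get-ChildItem -LiteralPath $bhoKey) {
        # Each subkey name is the CLSID of one registered BHO.
        $clsid = $entry.PSChildName
        $serverKey = "$root\Classes\CLSID\$clsid\InprocServer32"
        $dllPath = $null
        if (Test-Path -LiteralPath $serverKey) {
            # The default value of InprocServer32 is the path of the COM DLL.
            $dllPath = (Get-Item -LiteralPath $serverKey).GetValue('')
        }
        if (-not $dllPath -or -not (Test-Path -LiteralPath $dllPath)) {
            [pscustomobject]@{ CLSID = $clsid; Dll = $dllPath; Created = $null
                               Signature = 'file not found'; SameTimeDlls = '' }
            continue
        }

        $dll = Get-Item -LiteralPath $dllPath
        $sig = Get-AuthenticodeSignature -FilePath $dll.FullName

        # Assumption: look only in the BHO DLL's own folder for same-time DLLs.
        $siblings = Get-ChildItem -LiteralPath $dll.DirectoryName -Filter '*.dll' -Force |
            Where-Object {
                $_.FullName -ne $dll.FullName -and
                [math]::Abs(($_.CreationTime - $dll.CreationTime).TotalSeconds) -le $windowSeconds
            }

        [pscustomobject]@{
            CLSID        = $clsid
            Dll          = $dll.FullName
            Created      = $dll.CreationTime
            Signature    = $sig.Status
            SameTimeDlls = ($siblings | ForEach-Object { $_.Name }) -join ', '
        }
    }
}
```

Pipe the output to `Format-List` and review each unsigned or unrecognised entry, together with its same-time DLLs, before removing anything.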