Re: Internet explorer has been "modified"....
From: Lik Mai Sak (cuddlybear101_at_yahoo.com)
Date: 05/13/03
- Previous message: Marc A. Donges: "Re: Internet explorer has been "modified"...."
- In reply to: autocol: "Internet explorer has been "modified"...."
- Next in thread: Lik Mai Sak: "Re: Internet explorer has been "modified"...."
- Reply: Lik Mai Sak: "Re: Internet explorer has been "modified"...."
Date: Tue, 13 May 2003 19:35:10 +1000
autocol wrote:
> Hi guys. I use zone alarm at home as a firewall, and here at work I
> can't remember exactly what we use but apparently it failed to work.
> I've visited some website, either accidentally or not, I'm not sure,
> but they've installed all sorts of stuff into my internet explorer. It
> totally overwrote my favourites with a bunch of crap, put some foreign
> toolbar in and changed my homepage, etc...
> I've manually reset the favourites and homepage, but even if I hide
> the toolbar, it's still there, in the list. This makes me worry that
> perhaps they've installed a whole bunch of other stuff that I'm
> unaware of, too. I've searched my computer using the freebie ad-aware,
> but this hasn't removed it...
> Can anyone tell me if I can remove the stuff these people installed
> without my permission, or do I just have to be happy with hiding the
> toolbar?
> Thanks,
> Col.
Assuming you've got an up to date AV program and haven't picked up a
JS/Seeker style greeblie.......
Check add/remove programs, run spybot from security.kolla.de (adaware is
useful, but it's not the golden bullet people think it is), ..... Then
restart in *safe mode and.....
Check all the startup areas, using msconfig to see if unknown programs are
being loaded, and disable them. Also run regedit** and check the
HKLM+HKCU+HKDU\software\m'soft\windows\current version run* entries.
Then check the c:\win..\Downloaded program files for greeblies and remove
them (also do this from a command shell, using dir /ah + dir /as to view
hidden stuff - attrib -r -h -s <filename> will allow you to delete things)
Usually you find controls for Windoze update and Flash plugins in that
dir.
Check what URLs are opening by default, then google on these sites to
see if anyone has hit it before. Search for these file names in the
registry and +modify+ them to google or something. Also search for all
files 'containing' the site addresses/names. ***Rename them or delete
them.
Have a squizz at the wsock2 providers in the registry to see if anything
has been added.
The site names can also be hijacked by adding them to your HOSTS file with
a redirection to yahoo or google's IP or whatever.
E.
*Some of the nastier spyware puts in startup stuff that undoes your fixes
when you shutdown/logout. Running in safe mode should stop it loading so
you can get rid of it.
**First thing when running regedit is to do a complete registry backup.
While changing any entries, backup that Key individually - just in case.
***Renaming them to a given standard is my preferred method eg renaming
stupidscript.ocx to stupidscript.ocxRENAMED. That way you can change them
back if needed, and if after a few reboots all is well you can just search
on *RENAMED* and delete the files.
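
The checks listed in the reply above, gathered into one read-only audit. This is an added example, not part of the original post: it assumes a Windows system with PowerShell available, and it reads "HKDU" as HKEY_USERS\.DEFAULT, which is an interpretation rather than something the post states.

```powershell
# Added example: read-only audit of the locations the post says to check.
# Nothing here modifies or deletes anything.

# Hives named in the post; "HKDU" is ASSUMED to mean HKEY_USERS\.DEFAULT.
$hives = 'Registry::HKEY_LOCAL_MACHINE',
         'Registry::HKEY_CURRENT_USER',
         'Registry::HKEY_USERS\.DEFAULT'

# 1. Every value under the Run* keys (Run, RunOnce, RunServices, ...).
$autoruns = foreach ($hive in $hives) {
    $base = "$hive\Software\Microsoft\Windows\CurrentVersion"
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'Run*' } |
        ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key     = $key.Name
                    Entry   = $name
                    Command = $key.GetValue($name)
                }
            }
        }
}
$autoruns | Format-Table -AutoSize -Wrap

# 2. Downloaded Program Files, including hidden and system entries
#    (the equivalent of dir /ah and dir /as from the post).
$dpf = Join-Path $env:SystemRoot 'Downloaded Program Files'
Get-ChildItem -Path $dpf -Force -ErrorAction SilentlyContinue |
    Select-Object Name, Attributes, LastWriteTime

# 3. Active HOSTS entries: lines that are neither blank nor comments.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsFile -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*[^#\s]' }
```

Compare the output against a known-clean machine or a saved baseline before disabling or renaming anything it lists.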