![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
denI let a kid on my system to "look for game cheats." As soon as I left the room he surfed for porn and something (not Gater or Kaza) installed on my system. There were a bunch of icons for porn, adult material, free music etc on my desktop.
But
Something has installed into my registry that kicks off a little thinky in my systray. It calls itself "Music Search Online" but clicking on it takes me to a hard-core porn site. I CAN'T GET RID OF IT!
Every time I boot windows something in the regsitry kicks off and creates a *random_name*.TPM file in the windws/temp dir, and runs THAT. I can't find the reg key! dammit! I really don't want to delete system.dat and user.dat and reload windows again. What a pain in the arse.
Any gurus out there?
actually, I might del the registry. It's badly bloated.
But
Something has installed into my registry that kicks off a little thinky in my systray. It calls itself "Music Search Online" but clicking on it takes me to a hard-core porn site. I CAN'T GET RID OF IT!
Every time I boot windows something in the regsitry kicks off and creates a *random_name*.TPM file in the windws/temp dir, and runs THAT. I can't find the reg key! dammit! I really don't want to delete system.dat and user.dat and reload windows again. What a pain in the arse.
Any gurus out there?
actually, I might del the registry. It's badly bloated.
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
Before you do anything rash
Date: 3 Dec 2002 01:33 (UTC)This should, if you can get it to install, scan your registry and HD and remove all the offending and offensive programs. I use it at work (well, *used* it at work) periodically to clean up after people who install stuff without asking.
no subject
Date: 3 Dec 2002 01:45 (UTC)That or you could use and download ad-ware which could scan the registry and startup files to see where it's at.
Also, have a look in autoexec.bat, config.sys, win.ini, system.ini and startup list in msconfig. Type that in run command. Then you can go to system configuration.
Take a look in there for any entries that you know for certain shouldn't be in there and un-tick it. Then go into the registry and look for any instances that go to the path on the drive for a particular item, name of start up. You could get rid of the button thing by checking explorer settings. But I ain't in 98 right now so I can't give you the exact path in the registry to check.
Only other solution is to look in your history and see just where he had surfed to and see what would've been installed.
That or format and start again from scratch and don't let him near the computer again to do this.
Re: Before you do anything rash
Date: 3 Dec 2002 02:34 (UTC)no subject
Date: 3 Dec 2002 02:57 (UTC)salvation
Date: 3 Dec 2002 07:10 (UTC)no subject
Date: 3 Dec 2002 09:24 (UTC)no subject
Date: 3 Dec 2002 10:21 (UTC)I hope you can get your computer back.
Re: salvation
Date: 3 Dec 2002 14:12 (UTC)http://www.spyware.co.uk/downloads.shtml
Here's another site, but their database didn't find anything:
http://www.spychecker.com/
Since you've already been tinkering around in the registry, you might want to check (although it sounds like you've already done this) all of the startup keys (including Run, Run- , RunOnce, RunServices, RunServicesOnce). Also get a good process checker, and look up everything you're unsure about. Start killing process one by one, and same with stuff in your start up keys. Even this trial and error might not get it. Like you said, it could be buried somewhere else.
Frustrating, I know.
Since I don't have it, I can't play with it, if you find a copy let me know. Maybe I'll get brave and do some self-experimenting (self-mutilation?), as my system is really clean and I'd recognize anything new right away (maybe). Good luck!
Re: salvation
Date: 3 Dec 2002 14:43 (UTC)When windows is started emylthro.exe is executed and resides in mem. All it does is set the homepage on IE to a porn site, and create in /windows/temp a .tmp file with a random name like hxvc7391.TMP They were always llllnnn.TMP Emylthro.exe stayed resident in mem but did nothing after it executed the .TMP. This .tmp created an icon in the systray called Music Search Online, but actually linked to a hard-core porn site. I connected once to see where it took me, but hit the LOCK switch on ZoneAlarm as soon as it started asking to upload some more s/ware. I set the firewall to deny the Music Search Online access to all networks. Proxomitron killed all the popups and ads so I don't know how many there were, but I expect the site is popoup central.
anyway. That's the story. Time to run regclean. Again.
no subject
Date: 3 Dec 2002 14:54 (UTC)no subject
Date: 3 Dec 2002 14:55 (UTC)I told his mum exactly what he was doing: looking for lesbian porn on the internet.
Re: salvation
Date: 3 Dec 2002 15:02 (UTC)by the way...
Date: 3 Dec 2002 15:13 (UTC)oushfa "C:\WINDOWS\APPLIC~1\emylthro.exe-QuieT"
Unfortunately I killed it all last night so I have nothing to send you.
another useful tip
Date: 1 Jan 2003 07:44 (UTC)Re: another useful tip
Date: 5 Jan 2003 20:21 (UTC)This little guy frustrated me for a couple days, but this is what I got on it. I think it randomly assigns itself a label, because for me it was listed as jhieklnq.exe. I found it nested under C:\Documents And Settings\{Your User Name Here}\Application Data. That is for anyone using Windows XP. It seems to have hidden itself from a standard windows search, because I even copied and pasted that title directly, and windows failed to find it. I found it by going through msconfig in the startup tab. The only thing similar to the other ones posted here is that it had "-Quiet" at the end of the title, which I used to confirm its presence. And no, I wasn't looking for any kind of porn. It came from an mp3 album website in which I carelessly let it in thinking it was an unremarkable plug-in... I should have known better. I hope this info helped.