One of my friends got a trojan on his computer. It's pretty basic, it just has a built-in list of ad sites, and every minute or so, it does what I think is a ShellExecute to open another ad. Even if IE isn't running, the ads still come. So is there a way that I could hook the launch of IE so I could see who is requesting it? If it's just a regular launch, that's fine. But if it's getting a ShellExecute or something, I want to find the proggy that's requesting the launch. Thanx, cheers!
Posted on 2003-11-04 22:52:56 by Snoopy2K
Make a proggie that will temporarily take the place of iexplore.exe. This program will have to be like this:

.386
.model flat, stdcall
include \masm32\include\kernel32.inc    ; Sleep / ExitProcess prototypes (MASM32 layout assumed)
includelib \masm32\lib\kernel32.lib
.code
_start:
    invoke Sleep, 8000                  ; sit here for 8 seconds so a process viewer can be checked
    invoke ExitProcess, 0
end _start

During those 8 seconds, using a process viewer (not the crappy Ctrl+Alt+Del), see which process has been started before iexplore.exe. That's the malicious proggie. The 8 seconds thing is because by default executing another program returns just after the first DispatchMessage of the child process returns. Maybe SpyXX (by MS) will tell better.
Posted on 2003-11-04 23:17:50 by Ultrano
The chances are extremely high that it uses a Browser Companion Object to do it, I'd recommend something like BCO Cop to check that first before trying to hook anything...
Posted on 2003-11-04 23:18:06 by Homer
I'm not exactly sure what you want me to do with that code. I made the program, and it hangs the OS just fine. But how am I supposed to know which process launched it?
Posted on 2003-11-04 23:26:27 by Snoopy2K
The code doesn't hang the OS, it hangs only the program that launched it, and in your case this is explorer.exe (the shell). Anyway, I got it wrong :(. Sorry. The thing you maybe should do is see with Process Viewer, or something similar, what processes are running, and meanwhile see the Run->msconfig startup apps. This trojan probably has registered itself there, and is probably running from the \system dir. Kill the suspicious program(s), and unregister them in the msconfig. No need to restart, but when the PC gets restarted you'll see the results of the changes.
Or, after seeing a suspicious program's name, try to google for it - you'll immediately understand if it's a trojan or not. And you'll find a finer way to remove it.
Posted on 2003-11-05 04:48:44 by Ultrano
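Ultrano's two posts above boil down to one question: which process is the parent of each iexplore.exe? The script below is an added example and not code from this thread; it parses a process snapshot in the column layout `wmic process get Name,ParentProcessId,ProcessId` prints on Win2000/XP (the same pid/ppid pairs Toolhelp32 exposes as th32ProcessID and th32ParentProcessID), walks the parent chain for every iexplore.exe, and flags the instances whose parent is not the shell. The snapshot is constructed by hand, and "adpusher.exe" is a made-up name standing in for whatever the launcher turns out to be.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str


# Constructed sample snapshot in the column order `wmic process get
# Name,ParentProcessId,ProcessId` prints (wmic sorts columns alphabetically).
# "adpusher.exe" is a made-up name standing in for the unknown launcher;
# the last iexplore.exe has a parent (2204) that already exited.
SAMPLE_SNAPSHOT = """\
Name                 ParentProcessId  ProcessId
System Idle Process  0                0
System               0                4
smss.exe             4                376
winlogon.exe         376              424
services.exe         424              468
svchost.exe          468              712
explorer.exe         424              1024
adpusher.exe         1024             1340
iexplore.exe         1340             1500
iexplore.exe         1024             1620
iexplore.exe         2204             1700
"""


def parse_snapshot(text: str) -> Dict[int, Proc]:
    """Parse the wmic-style table into a pid -> Proc map.

    Process names may contain spaces ("System Idle Process"), so the two
    numeric columns are split off from the right rather than splitting
    the whole line on whitespace.
    """
    procs: Dict[int, Proc] = {}
    for line in text.splitlines()[1:]:          # skip the header row
        line = line.strip()
        if not line:
            continue
        name, ppid, pid = line.rsplit(None, 2)
        procs[int(pid)] = Proc(int(pid), int(ppid), name)
    return procs


def launch_chain(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Walk parent links from pid up to the root, returning process names.

    Stops at a pid missing from the snapshot (parent already exited) or on
    a cycle (pid 0 lists itself as its own parent).
    """
    chain: List[str] = []
    seen: Set[int] = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain


def find_unexpected_launchers(
    procs: Dict[int, Proc], target: str, trusted: Set[str]
) -> List[Tuple[int, int, Optional[str]]]:
    """Return (pid, ppid, parent_name) for each `target` instance whose parent
    is not a trusted launcher (names compared case-insensitively, `trusted`
    given in lowercase). parent_name is None when the parent is no longer
    in the snapshot, which is itself worth a look: a launcher that starts
    the browser and exits leaves exactly this trace.
    """
    hits: List[Tuple[int, int, Optional[str]]] = []
    for p in procs.values():
        if p.name.lower() != target.lower():
            continue
        parent = procs.get(p.ppid)
        parent_name = parent.name if parent else None
        if parent_name is None or parent_name.lower() not in trusted:
            hits.append((p.pid, p.ppid, parent_name))
    return sorted(hits)


if __name__ == "__main__":
    table = parse_snapshot(SAMPLE_SNAPSHOT)
    for pid, ppid, parent in find_unexpected_launchers(table, "iexplore.exe", {"explorer.exe"}):
        who = parent or "<exited before snapshot>"
        print(f"iexplore.exe pid {pid} launched by pid {ppid} ({who}): "
              + " <- ".join(launch_chain(table, pid)))
```

Two caveats when reading the output on a real box: Windows reuses process IDs, so a parent pid whose process has exited can later point at an unrelated program, and a launcher that goes through the shell (ShellExecute from explorer.exe's context) shows explorer.exe as the parent just like a manual launch does, which is why the earlier advice to check msconfig's startup list and the running-process list still applies.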
You can download an ietool that can repair your IE setup in your PC's regedit.
You can download the ietool from my attached file, but it's Chinese.
Posted on 2003-11-06 00:47:12 by jefeng
Are you sure that it's a trojan? It sounds exactly like the ads that come with Kazaa (file-sharing software).
Posted on 2003-11-06 06:00:40 by Delight
There is another way too, if it is XP/Win2000..

Win2K: Start/Settings/Control Panel/

WinXP: Start/Control Panel/

It's something under System Services or Administrative Tools.. look for Services (icon is two gears meshing)..

Look for Messenger in the list (has nothing to do with MSN but rather messages from the Administrator, in this case a spammer heh).. Double-click it, drop the drop-down box to Disabled and click the 'STOP' button to stop the service; it might fix it.

You would only need it if you are on a network and you know how to use it.. don't you love windoze?
Posted on 2003-11-06 07:21:42 by drarem
Oops, found this a few minutes ago:

http://www.reuters.com/printerFriendlyPopup.jhtml?type=internetNews&storyID=3764014

Also you can download a shareware product which is pretty good at keeping out advertisers, it is called SpySweeper..
Posted on 2003-11-06 09:04:40 by drarem
Hi, everyone.
My 0.02:
Ad-Aware
Posted on 2003-11-06 16:43:11 by QvasiModo