Jason
Hi,
A work colleague's computer (XP sp 1, IE 6) has been infected with some
sort of spyware, he is getting a ring tones advertising window appearing
occasionally, but the most worrying problem is that he is getting
redirected from a URL. Whenever he visits one of our customers https sites
he gets redirected to:
http://www.art.com/asp/display_artist-asp/_/Aff--CONF/CTID--46302150/RFID--028648/TKID--
or similar!
I've run Ad-aware 6.0, Spybot & CWS Shredder and removed everything harmful
found, I've done an ipconfig /flushdns & also removed all cookies & offline
content. A full AV scan (NAV corporate) didn't bring anything up either.
After searching the registry:
HKLM/Software/Microsoft/Windows/CurrentVersion/Run (I think?)
I found a reference to a file called "automove.exe" in c:\windows\system32.
I removed the "automove.exe" registry entry but it keeps reappearing, I
then moved the file away but we're still getting the same problem. I've
recently tried uninstalling IE, running reclean & then reinstalling IE,
again to no avail. Finally I installed Mozilla on his PC which accesses the
site OK, but unfortunately some important pages (using Flash) don't
display; I know these pages are OK as they can be displayed correctly using
IE on another PC.
Does anyone have any ideas of other things I can try?
TIA, Jase.