On Tue, Jun 08, 2004 at 10:51:06PM -0700, mark wrote:
>
> Anybody know about some trojan(s) that spawn a "tvm.exe" process, a
> "poll each.exe" process, inserts a "blehdefyreal" toolbar into IE, and
> hijacks the IE homepage to point to allaboutsearching.com? This thing
> also opens pop-ups pointing to this page:
>
> http://69.20.62.53/yyy3.html
>
> If the registry entries related to these processes are deleted then they
> keep being recreated.
>
> What is it? And how does one remove it?
>

It sounds like CWS.
http://www.wired.com/news/infostructure/0,1377,63391,00.html

After about 4 hours of trying on a client's PC, I was unable to remove it and resorted to a reformat/reinstall. It's incredibly persistent and probably not worth your time to remove it.

hth,
petard

--
If your message really might be confidential, download my PGP key here:
http://petard.freeshell.org/petard.asc
and encrypt it. Otherwise, save bandwidth and lose the disclaimer.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
