

A visitor to the site wrote me about something happening to him and a client.



I have a client who was having problems with one of his computers. Every time it booted, an IE window would open and try and bring up a (www.e-ren.net). When I went to change the IE properties, many of the options were greyed out and inaccessible. OK, time to edit the registry. Uh-oh, when I attempt to run regedit.exe, it tells me that the administrator hasn't given me that privilege. Huh?

That site is apparently a Chinese-language porn site (and not a very good one };-) ) that is somehow altering the Windows registry. My suspicion is an ActiveX control or maybe JavaScript. I suggest that everyone add www.e-ren.net to your block list(s), or at least to your restricted zones. I've asked him to look for any files that mention that web site in their contents, particularly startup files. We'll see what he finds.

Here was my advice on how to deal with his problem.



Most likely that is ActiveX. I can't imagine any other way for all those changes to take place with no prompting. You really should set ActiveX to prompt or disable, especially for shady sites like that one and most certainly if you're heading for the seamier side of the web. Javascripting too for that matter.

Regedit can probably be brought back with an XSetup plugin (http://www.xteq.com). Install that and open it in the default UI. Navigate to System > Security > Common and there is a plugin to disable regedit/regedit32. Leave that box unchecked and click the apply button. If that doesn't do it, I don't know what to say. Perhaps you could try Reghance from Lavasoft (http://www.lavasoftusa.com/downloads.html). Run a search on both machines for any files that contain that in their text. Especially dll files as they're often used to hide registry hacks. If you find something, could you send it to me?

That 2K machine won't have msconfig, so go here ( http://www.mlin.net/StartupCPL.shtml ) and install this. It works on 9x/2K. Not sure of XP. See if there are any rundll entries or regedit -s entries, or anything suspicious looking. If all that fails, try disabling things one at a time to see if that popup goes away. Also look at win.ini and see if run= or load= has a suspicious entry.

Good luck,
Mike Healan (Dingo)
http://www.spywareinfoforum.info
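The startup checks described in the advice above, as an added example (not part of the original e-mail or of any tool named on this page): a Python sketch that flags `regedit -s` and rundll commands in a list of startup entries and reports non-empty `run=`/`load=` lines in win.ini. The sample entries, the win.ini contents and the function names are constructed for illustration.

```python
import configparser
import re

# Constructed sample data, not taken from the machines described above.
SAMPLE_RUN_ENTRIES = {
    "SystemTray": "SysTray.Exe",
    "LoadPowerProfile": "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme",
    "sys": "regedit -s C:\\WINDOWS\\sys.reg",
}
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\TEMP\\start.exe
NullPort=None
"""

# Command patterns the advice says to look for in startup entries.
SUSPECT = {
    "regedit -s": re.compile(r'\bregedit(\.exe)?"?\s+[/-]s\b', re.I),
    "rundll": re.compile(r"\brundll(32)?(\.exe)?\b", re.I),
}

def scan_run_entries(entries):
    """Return (name, reason, command) for entries to review by hand.
    A rundll hit is not proof of a hijack: legitimate entries use it too."""
    return [(name, reason, cmd)
            for name, cmd in entries.items()
            for reason, pat in SUSPECT.items() if pat.search(cmd)]

def scan_win_ini(text):
    """Return non-empty run=/load= values from the [windows] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True)
    cp.read_string(text)
    found = []
    for section in cp.sections():
        if section.lower() != "windows":
            continue
        for key in ("run", "load"):
            value = (cp.get(section, key, fallback="") or "").strip()
            if value:
                found.append((key, value))
    return found

if __name__ == "__main__":
    for hit in scan_run_entries(SAMPLE_RUN_ENTRIES):
        print("startup entry:", hit)
    for hit in scan_win_ini(SAMPLE_WIN_INI):
        print("win.ini:", hit)
```

The legitimate power-profile entry is flagged alongside the `regedit -s` one, which is why each hit still needs a manual look before anything is disabled.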

Update
Nov. 17, 2001

This has been solved! The advice to use X-Setup worked and he was able to use Regedit once again. After removing some references to that site in the computers' registries, he went back to the site with ActiveX set to prompt him. Prompt him it did, and when he said no, no changes occurred. Another sleazy registry hack undone. I'd go find everyone contact information for that site, but since I don't speak Chinese..... };-)

