Re: IE redirects to some other page.

anonymous_at_discussions.microsoft.com
Date: 09/24/04


Date: Thu, 23 Sep 2004 23:17:03 -0700


Thank you very much for your help. I will try the things
you mentioned. God Bless

>-----Original Message-----
>Hi Andy - Note that such symptoms often indicate the possibility of various
>possible malware parasites. You might want to go to this page at Jim
>Eshelman's site, here: http://aumha.org/a/noads.htm or here:
>http://inetexplorer.mvps.org/parasite.htm and wait a little bit (be
>patient), while an analysis of a number of possible parasites on your
>machine will be made to help you identify and remove them. NOTE: You will
>need to disable Ad Blocking in Zone Alarm 3.x or later, if present or any
>other Ad Blocking software which interferes with Java Scripting for this
>scan to work. You should get a message between the two lines of **** giving
>the results of the scan.
>
>
>
>#########IMPORTANT#########
>Before you try to remove spyware using any of the programs below, download
>both a copy of LSPFIX here:
>
>http://www.cexx.org/lspfix.htm
>
>AND a copy of Winsockfix
>http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
>Directions here: http://www.tacktech.com/display.cfm?ttid=257
>The process of removing certain malware may kill your internet connection.
>If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you
>to regain your connection.
>
>NOTE: It is reported that in XP SP2, the command netsh winsock reset
>will fix this problem without the need for these programs.
>#########IMPORTANT#########
>
>
>
>
>#########IMPORTANT#########
>In the following, all of these removal tools should be run from Safe mode
>when possible. Reboot and test if the malware is fixed after using each
>tool.
>#########IMPORTANT#########
>
>
>Download and run Stinger.exe, here:
>http://download.nai.com/products/mcafee-avert/stinger.exe or from the link
>on this page: http://vil.nai.com/vil/stinger/
>
>
>Download sysclean.com, from Trend Micro, here:
>http://www.trendmicro.com/download/dcs.asp along with the latest pattern
>file, here: http://www.trendmicro.com/download/pattern.asp Be sure to read
>the "How-to" info here:
>http://www.trendmicro.com/ftp/products/tsc/readme.txt (You might also want
>to get Art's updater, SYS-UP.Zip, here for future updating of these:
>http://home.epix.net/~artnpeg/). (If you download and use the updater from
>the beginning, it will automatically handle downloading the other files.)
>Place them in a dedicated folder after appropriate unzipping. Disable
>Restore if you're on XP or ME (directions here:
>http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm), then boot to
>Safe mode (HowTo here:
>http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
>Do a complete scan of your system in Safe mode and clean or delete anything
>it finds. Reboot to normal mode and re-run the scan again.
>
>This scan may take a long time, as Sysclean is VERY extensive and thorough.
>
>
>
>Sometimes the tools below will find files which they are unable to delete
>because they are in use. A program called Copylock, here,
>http://noeld.com/programs.asp?cat=misc#CopyLock can aid in the process of
>"replacing, moving, renaming or deleting one or many files which are
>currently in use (e.g. system files like comctl32.dll, or virus/trojan
>files.)" Another is Killbox, here:
>http://download.broadbandmedic.com/Killbox.exe
>
>
>For the general hijack case, the best way to start is to get Ad-Aware SE
>Personal Edition, here: http://www.lavasoftusa.com/support/download/.
>UPDATE, set it up in accordance with this:
>http://forum.aumha.org/viewtopic.php?t=5877 and run this regularly to get
>rid of most "spyware/hijackware" on your machine. If it has to fix things,
>be sure to re-boot and rerun AdAware again and repeat this cycle until you
>get a clean scan. The reason is that it may have to remove things which
>are currently "in use" before it can then clean up others.
>
>Then, courtesy of NonSuch at Lockergnome, open Ad-aware then click the gear
>wheel at the top and check these options to configure Ad-aware for a
>customized scan:
>
>General> activate these: "Automatically save log-file" and "Automatically
>quarantine objects prior to removal"
>
>Scanning > activate these: "Scan within archives", "Scan active processes",
>"Scan registry", "Deep scan registry," "Scan my IE Favorites for banned
>sites," and "Scan my Hosts file"
>
>Tweaks > Scanning Engine> activate this: "Unload recognized processes during
>scanning."
>
>Tweaks > Cleaning Engine: activate these: "Automatically try to unregister
>objects prior to deletion" and "Let Windows remove files in use after
>reboot."
>
>Click "Proceed" to save your settings, then click "Start." Make sure
>"Activate in-depth scan" is ticked green, then scan your system. When the
>scan is finished, the screen will tell you if anything has been found, click
>"Next." The bad files will be listed. Right click the pane and click "Select
>all objects" - This will put a check mark in the box at the side, click
>"Next" again and click "OK" at the prompt "# objects will be removed.
>Continue?"
>
>Courtesy of http://www.nondisputandum.com/html/anti_spyware.html: HINT: If
>Ad Aware is automatically shut-down by a malicious software, first run
>AAWCloak.exe, http://www.lavasoftnews.com/downloads/AAWCloak.exe, before
>opening Ad Aware. When AAWCloak is open, click "Activate Cloak". Then open
>Ad Aware and scan your system.
>
>
>
>Another excellent program for this purpose is SpyBot Search and Destroy
>available here: http://security.kolla.de/ SpyBot Support Forum here:
>http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
>using both normally. After UPDATING and fixing ONLY RED things with SpyBot
>S&D, be sure to re-boot and rerun SpyBot again and repeat this cycle until
>you get a clean "no red" scan. The reason is that SpyBot sometimes has to
>remove things which are currently "in use" before it can then clean up
>others.
>
>
>Note that sometimes you need to make a judgement call about what these
>programs report as spyware. See here, for example:
>http://www.imilly.com/alexa.htm
>
>
>A currently common parasite is some malware called CoolWebSearch. Do the
>following:
>
>Download, UPDATE before running, and run:
>http://209.133.47.200/~merijn/files/CWShredder.exe or here:
>http://hem.bredband.net/b157129/f/cwshredder.zip or here:
>http://www.softpedia.com/public/scripts/downloadhero/10-17-150/ or here:
>http://www.zerosrealm.com/downloads/CWShredder.zip
>to remove the parasite. Be sure to close all instances of IE and OE.
>
>
>There's a good tutorial about CWS and using CWShredder here:
>http://www.bleepingcomputer.com/forums/index.php?showtutorial=47#domain
>
>
>You will need to show Hidden files first and then at the end clear the
>malware garbage from your System Restore backups after you've cleaned up.
>It's best to perform CWShredder (and most other malware fixers too) from
>Safe mode and then reboot. AFTER cleaning things up, then you can disable
>and then re-enable System Restore. See ******** below.
>
>The following links give instructions on how to do these various functions:
>
>
>HOW TO Restart in Safe Mode
><http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406>
>
>HOW TO Enable Hidden Files
><http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339>
>
>HOW TO Disable/Flush System Restore (do this at the end AFTER cleaning or
>use the suggested procedure for XP at the ******'s)
><http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039>
>(WinXP)
><http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239>
>(WinME)
>
>
>
>Then download and run:
>http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
>tabs and remove any restrictions that the parasite has put in place.
>
>Now download and run:
>http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
>your search functions if they've been affected (as they probably will have
>been).
>
>
>Be sure that you also download and install hotfix Q816093, here:
>
>http://support.microsoft.com/?kbid=816093
>
>which blocks the exploit upon which this parasite family depends.
>
>
>If they don't fix it then start here:
>
>Download HijackThis, free, here:
>http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
>fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
>You may also get it here if that link is blocked:
>http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
>or here: http://www.bleepingcomputer.com/files/spyware/hijackthis.zip
>
>There's a good "How-to-Use" tutorial here:
>http://computercops.biz/HijackThis.html
>
>In Windows Explorer, click on Tools|Folder Options|View and check "Show
>hidden files and folders" and uncheck "Hide protected operating system
>files". (You may want to restore these when you're all finished with
>HijackThis.)
>
>Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
>at the root level such as C:\HijackThis (NOT in a Temp folder or on your
>Desktop), reboot to Safe mode, start HT (have ONLY HT running - IE MUST be
>closed) then press Scan. Click on SaveLog when it's finished which will
>create hijackthis.log. Now click the Config button, then Misc Tools and
>click on Generate StartupList.log which will create Startuplist.txt.
>
>Then go to one of the following forums:
>
>Spyware and Hijackware Removal Support, here:
>http://216.180.233.162/~swicom/forums/
>
>or Net-Integration here:
>http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
>
>or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
>
>or Jim Eshelman's site here: http://forum.aumha.org/
>
>or Bleepingcomputer here: http://www.bleepingcomputer.com/
>
>Register if necessary, then sign in and READ THE DIRECTIONS at the beginning
>of the particular site's HiJackThis forum, then copy and paste both files
>into a message asking for assistance. Someone will answer with detailed
>instructions for the removal of your parasite(s). Be sure you include at
>the beginning of your post "What problem(s) you're trying to solve" and
>"What steps you've already taken."
>
>
>
>*******
>ONLY IF you've successfully eliminated the malware, you can now make a new,
>clean Restore Point and delete any previously saved (possibly infected)
>ones. The following suggested approach is courtesy of Gary Woodruff: For XP
>you can run a Disk Cleanup cycle and then look in the More Options tab. The
>System Restore option removes all but the latest Restore Point. If there
>hasn't been one made since the system was cleaned you should manually create
>one before dumping the old possibly infected ones.
>*******
>
>
>Once you get this cleaned up, you might want to consider installing Eric
>Howes' IESpyAds, SpywareBlaster and SpywareGuard here to help prevent this
>kind of thing from happening in the future:
>
>IESpyads - https://netfiles.uiuc.edu/ehowes/www/resource.htm "IE-SPYAD adds
>a long list of sites and domains associated with known advertisers,
>marketers, and crapware pushers to the Restricted sites zone of Internet
>Explorer. Once you merge this list of sites and domains into the Registry,
>the web sites for these companies will not be able to use cookies, ActiveX
>controls, Java applets, or scripting to compromise your privacy or your PC
>while you surf the Net. Nor will they be able to use your browser to push
>unwanted pop-ups, cookies, or auto-installing programs on your PC." Read
>carefully.
>
>http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
>X installs) (BTW, SpyWareBlaster is not memory resident ... no CPU or memory
>load - but keep it UPDATED) The latest version as of this writing will
>prevent installation or prevent the malware from running if it is already
>installed, and it provides information and fixit-links for a variety of
>parasites.
>
>http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
>install malware) Keep it UPDATED. All three Very Highly Recommended
>
>Next, install and keep updated a good HOSTS file. It can help you avoid
>most adware/malware. See here: http://www.mvps.org/winhelp2002/hosts.htm
>(Be sure it's named/renamed HOSTS - all caps, no extension) Additional
>tutorials here:
>http://www.bleepingcomputer.com/forums/index.php?s=14f3f9225081133297a8acdd11137c5b&showtutorial=51
>(detailed) and here: http://www.spywarewarrior.com/viewtopic.php?t=410
>(overview)
>
>Finally, go to Windows Update and ensure that ALL Critical updates are
>installed.
>
>--
>Please respond in the same thread.
>Regards, Jim Byrd, MS-MVP
>
>
>
>In news:2c0701c4a1ea$f028ee50$a601280a@phx.gbl,
>Andy <anonymous@discussions.microsoft.com> typed:
>> I am running IE 6. After I dial up to connect to the
>> internet something happens and my browser is (the only
>> term I can think of) redirected multiple times to the
>> same web site and then hangs there for a long time. At
>> the bar on the bottom it looks sort of like this -
>> http:\\www.euniverse.com\redir.cfmwww.euniverse.com\redir.cfm
>> again and again and again. No web site ever comes up.
>> And when I stop it and type in another site it gets
>> redirected again. It does that every time and I never get
>> anywhere. Does anyone know how to fix this?
>
>.
>
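
Added example, not part of the original posts: the quoted advice relies on a blocking HOSTS file, in which unwanted hostnames are mapped to a loopback or null address. This Python sketch audits HOSTS file text and separates blocking entries from hostnames pinned to any other address, which are worth a manual look after cleanup. The function name and the sample data are constructed for illustration; an intranet entry added on purpose would also land in the review list.

```python
import ipaddress

# Addresses a blocking HOSTS file points unwanted hostnames at.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample, not taken from any real machine.
SAMPLE_HOSTS = """\
# sample HOSTS file
127.0.0.1       localhost
127.0.0.1       ads.example.com      # blocking entry
0.0.0.0         tracker.example.net
203.0.113.10    www.search.example   # pinned to a routable address
not-an-ip       broken.example
"""

def audit_hosts(text):
    """Return (blocked, review, malformed) for HOSTS file text.

    blocked:   hostnames mapped to a sink address (blocking entries)
    review:    (hostname, address) pairs mapped to any other address
    malformed: line numbers that do not parse as "address hostname..."
    """
    blocked, review, malformed = [], [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(lineno)
            continue
        if len(fields) < 2:                      # address with no hostname
            malformed.append(lineno)
            continue
        is_sink = str(addr) in SINK_ADDRESSES or addr.is_loopback
        for host in (h.lower() for h in fields[1:]):
            if is_sink:
                if host != "localhost":          # the stock entry is not a block
                    blocked.append(host)
            else:
                review.append((host, str(addr)))
    return blocked, review, malformed

if __name__ == "__main__":
    blocked, review, malformed = audit_hosts(SAMPLE_HOSTS)
    print(len(blocked), "blocking entries")
    for host, addr in review:
        print("review:", host, "->", addr)
    print("malformed lines:", malformed)
```
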