Re: IE Browser redirection

From: Dave (noone_at_nowhere.com)
Date: 07/17/04


Date: Sat, 17 Jul 2004 21:16:28 -0000

This is probably because there is a program running that replaces the
registry keys as fast as you delete them. Scan some more, use other
programs; you need to find the malware that is writing the registry keys.
They don't just show up on their own.

"Del Reedy" <delreedy@earthlink.net> wrote in message
news:ijgKc.1746$iK.750@newsread2.news.atl.earthlink.net...
> Hi
>
> I'm having a problem with IE6.
>
> When I attempt to connect to any website with IE6, at the bottom
> it says "attempting to connect to 127.0.0.1", then I get the error:
> "The page cannot be displayed"
>
> After doing some Google research I think this is possibly the result
> of a partially uninstalled pop-up blocking program (which I wouldn't
> know the name of).
>
> There is a registry entry (below) which I think directs all of Internet
> Explorer's http requests to a proxy server on the localhost. Although
> nothing seems to be listening on 8080, which explains the blank page.
>
> HijackThis shows the following entry
>
> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
>
> Which I suspect is the reason why, when I open IE it tries to connect to
> 127.0.0.1.
>
> If I delete the registry entry above it gets written back the next time I
> open IE.
>
> If I delete the entry above and immediately rescan with HijackThis a few
> new ones appear:
>
> R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
> R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
>
> Even if I delete the new ones, later when I run IE the original one will
> get written back.
>
> So the problem is that I can't seem to get rid of this entry, and it's
> driving me crazy.
>
> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
>
> What can I do to prevent this or discover the program that is changing the
> registry entries?
>
> Thanks in advance.
>
>
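Added example, not part of the original thread: a small Python triage script that reads HijackThis-style `R0`/`R1` lines, decodes the `ProxyServer` value format (`scheme=host:port`, entries separated by `;`, or a bare `host:port` for all protocols) and reports entries that point the browser at the local machine. The sample log is constructed, with the localhost line taken from the post; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in HijackThis log style; the localhost line mirrors the post.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.example.test:3128
"""

ENTRY = re.compile(r"^R\d - (?P<key>.+?),(?P<value>[^,=]+?) = (?P<data>.*)$")

def parse_proxy_server(data):
    """Split a ProxyServer string into {scheme: (host, port)}; '*' means all protocols."""
    proxies = {}
    for part in filter(None, re.split(r"[;\s]+", data.strip())):
        scheme, sep, target = part.partition("=")
        if not sep:                          # bare "host:port" applies to every protocol
            scheme, target = "*", part
        target = target.split("://", 1)[-1]  # tolerate "http=http://host:port"
        host, _, port = target.rpartition(":")
        if not host:                         # no port given
            host, port = target, ""
        proxies[scheme.lower()] = (host.lower(), int(port) if port.isdigit() else None)
    return proxies

def is_loopback(host):
    """True for 'localhost' and any address in the loopback range (127.0.0.0/8, ::1)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                       # an ordinary hostname
        return False

def find_loopback_proxies(log_text):
    """Return (registry key, scheme, host, port) for each ProxyServer entry on loopback."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or m.group("value").lower() != "proxyserver":
            continue
        for scheme, (host, port) in parse_proxy_server(m.group("data")).items():
            if is_loopback(host):
                findings.append((m.group("key"), scheme, host, port))
    return findings

if __name__ == "__main__":
    for key, scheme, host, port in find_loopback_proxies(SAMPLE_LOG):
        print(f"{key}: {scheme} traffic proxied to {host}:{port}")
```

A hit only shows where the browser is being sent; the port in the finding is the one to check for a listening process, and the value only takes effect while `ProxyEnable` in the same key is set to 1.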