Re: Strange browser problems while surfing (wrong URLS, images don't load, file not found errors)

From: "Jim Byrd" <jrbyrd@spamlessattbi.com>
Date: Fri, 21 Feb 2003 10:13:27 -0800


Hi - It sounds like you may have been hijacked. If you go to this page
at Jim Eshelman's site, here: http://aumha.org/a/noads.htm and wait a
little bit (be patient), an analysis of a number of possible parasites
on your machine will be made to help you identify and remove them.
NOTE: You will need to disable Ad Blocking in Zone Alarm 3.x, if
present or any other Ad Blocking software which interferes with Java
Scripting for this scan to work. You should get a message between the
two lines of **** giving the results of the scan.

For the general hijack case, the best way to start is to get Ad-Aware
6.0 here: http://lavasoft3.element5.com/. Update and run this
regularly to get rid of most "spyware/hijackware" on your machine.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ I recommend using both
normally.

Lastly, a very useful utility for examining your system and correcting
problems is Hijack This, which you can download here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip (Recommended)
This site has a number of useful references and information also:
http://www.spywareinfo.com/articles/hijacked/ and here
http://www.spywareinfo.com/downloads.php

Next, download and install StartUp CPL here:
http://www.mlin.net/StartupCPL.shtml
This will allow you to easily examine from your Control Panel which
programs are being started automatically when you boot. Look for
programs that don't seem like they belong. There are further
explanations of the StartUp process here:
http://www.forrestandassociates.co.uk/pcforrest/startups.html and here:
http://www.pacs-portal.co.uk/startup_index.htm. You may have to try
disabling things one-at-a time and re-booting to find the culprit. A
somewhat more difficult to use but more extensive program to do the same
thing is StartupList from here:
http://www.lurkhere.com/~nicefiles/index.html. Be very careful about
doing any Registry modifications directly unless you're comfortable with
this, and be sure that you BACKUP your Registry before making any
changes, so that you can recover if something goes wrong. Changes made
with StartUpCPL are less likely to cause problems, and are usually a
matter of just re-enabling the particular program. You can look up and
investigate suspect programs in your StartUp lists here:
http://www.pacs-portal.co.uk/startup_pages/startup_full.htm
(Recommended) and here:
http://www.forrestandassociates.co.uk/pcforrest/startups.html

Some hijackers install themselves as Browser Helper Objects. Get BHOCop
here: BHO Cop http://www.pcmag.com/article2/0,4149,270,00.asp (You may
have to register first, but it's free and no spam) and take a look at
what BHOs are currently installed. Some things like AdShield and
Acrobat are normal, but if you see something that doesn't make any
sense, try disabling it and see if that helps. Another excellent
program for this same purpose is BHODemon, here:
http://www.definitivesolutions.com/ I would recommend using both.

There's good information about hijacking and fixes available here:

Andrew Clover's parasite page: http://www.doxdesk.com/parasite/
(Highly recommended)
Robert Allen's parasite page: http://allentech.net/parasite/index.phtml
(Highly recommended)
http://www.spywareinfo.com/hijacked.html
http://gmpservicesinc.com/Articles/hijack.asp (links here for .reg files
to lock and unlock your homepage, BTW)
http://www.mvps.org/inetexplorer/answers.htm#home_page

Also, there's a new class of hijacker using the Windows Messenger Service
(not Instant Messaging, BTW). Unless you have very good reasons to
keep this active, it should be turned off in Win2k and XP. Go here and
do what it says: http://www.itc.virginia.edu/desktop/docs/messagepopup/
or, even better, get MessageSubtract, free, here, which will give you
flexible control of the service and viewing of these messages:
http://www.intermute.com/messagesubtract/help.html Recommended. Also,
see: Messenger Service Window That Contains an Internet Advertisement
Appears http://support.microsoft.com/?id=330904

Once you get this cleaned up, you might want to consider installing the
Browser Hijack Blaster and SpywareBlaster here to help prevent this kind
of thing from happening in the future:
http://www.wilderssecurity.com/bhblaster.html (Prevents malware BHO's)
http://www.wilderssecurity.com/spywareblaster.html (Prevents malware
Active X installs) (BTW, SpyWare Blaster is not memory resident ... no
CPU or memory load - but keep it updated) The latest version as of this
writing will prevent installation or prevent the malware from running if
it is already installed, and it provides information and fixit-links for
a variety of parasites. Both Very Highly Recommended.

See if any of this helps and post back with your results. Regards, Jim
Byrd

 In 4ab6d532.0302210937.36d9ba9d@posting.google.com, pbuddy typed:
> After I've been surfing for sometime my browser has intermittent
> problems:
>
> 1.) I type a new URL in the address field and get redirected to a
> totally different site even though the URL in the address field is
> what I specified. Sometimes I get redirected to a site that I've never
> visited!
>
> 2.) I receive all different kinds of "file or page not found" errors
> (even though the page does exist), for which I have to keep refreshing to
> eventually load the page.
>
> 3.) Sometimes I will be able to load the page successfully, but all
> the images do not load (specifically, the dreaded squares show up with
> a red x in the middle).
>
> At first I thought this was an IE6 cache problem, but I have been
> seeing the same behavior in Netscape, so now I am completely
> perplexed. I am running Windows XP Professional with the standard
> firewall while online, so I am theorizing there might be a problem
> with OS installation or the network connections settings while surfing
> behind a firewall.
>
> Has anyone out there been having these problems or similar? Any help
> or information would be greatly appreciated. Thanks!
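
Added example, not part of the original post or of any tool it names: a read-only PowerShell inventory of the two places the reply says to inspect, automatically started programs and installed Browser Helper Objects. It assumes the standard Run/RunOnce registry keys and the native (non-WOW64) BHO key, and it changes nothing on the system.

```powershell
# Read-only inventory of autostart entries and IE Browser Helper Objects.
# Added example; the key list is an assumption covering the common locations only.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Each value under a Run key is one program launched at logon.
$autostarts = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Kind   = 'Run'
            Source = $key
            Name   = $name
            Target = $item.GetValue($name)
        }
    }
}

# Each subkey of the BHO key is a CLSID; resolve it to the DLL that IE loads.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$bhos = if (Test-Path -LiteralPath $bhoRoot) {
    foreach ($sub in Get-ChildItem -LiteralPath $bhoRoot) {
        $clsid  = $sub.PSChildName
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path -LiteralPath $server) {
            (Get-Item -LiteralPath $server).GetValue('')   # default value = DLL path
        } else {
            '<CLSID not registered>'                        # orphaned BHO entry
        }
        [pscustomobject]@{ Kind = 'BHO'; Source = $bhoRoot; Name = $clsid; Target = $dll }
    }
}

# Combine, drop empty results, and show what needs a manual look.
$all = @($autostarts) + @($bhos) | Where-Object { $_ }
$all | Sort-Object Kind, Name | Format-Table Kind, Name, Target -AutoSize -Wrap
```

Entries whose target path or name you cannot account for are the ones to look up in the startup reference lists before disabling anything.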


