Re: Web page redirection malware
From: ./dz (dz_at_discussions.microsoft.com)
Date: 11/23/05
- Next message: David H. Lipman: "Re: Web page redirection malware"
- Previous message: Carey Frisch [MVP]: "Re: dvd-rw drive properties/security tab missing"
- In reply to: David H. Lipman: "Re: Web page redirection malware"
- Next in thread: David H. Lipman: "Re: Web page redirection malware"
- Reply: David H. Lipman: "Re: Web page redirection malware"
Date: Wed, 23 Nov 2005 14:00:02 -0800
Dave:
I know it's been a while, but I've been looking at it.
It's nearly impossible to give a complete blow-by-blow account of everything
I did, but here's an attempt ...........
I did do the things you suggested in your last response. In fact, several
times. I don't recall that any specific bad things other than tracking
cookies were found. And the behavior I described with respect to redirection
persisted anyway.
A couple of days ago, I downloaded the Microsoft Spyware thing; and it found
a couple of items (I do not know whether or not they were directly related to
the IE redirection problem or not - but the problem appeared to go away .....
for a while). But it's back.
The behavior is a little more visible however. Here's what's happening in
case you recognize this as a well-known malware hack of some sort. When I
open IE, using the icon in the quick tray, using the desktop icon, or even
from the program menu directly; it takes a while for it to appear. While it
is 'initializing', the 'wavy flag' appears in the middle of what will
eventually become the menu bar. But when done 'initializing', the menu bar is
completely blank (except for the little flag icon off to the right in its
usual spot).
The 'bar' that normally shows up immediately beneath the menu bar (and
immediately above the address bar), [the bar with the 'back', 'forward'
group; the 'search', 'favorites' group; and one other group of miscellaneous
icons] is missing entirely.
Only the address bar appears (and a blank menu bar).
But .... If I go directly to my Favorites folder in Explorer and click on
one of the shortcuts, IE comes up looking normal.
Does this behavior tell you anything that would help?
./dz
"David H. Lipman" wrote:
> From: "./dz" <dz@discussions.microsoft.com>
>
> | Dave:
> | I downloaded all (3) of the utilities. I ran the lavasoft utility many,
> | many times. The first time it showed evidence of some 'CoolWeb' variants and
> | some other stuff -- all of which were removed. Subsequent runs have turned
> | up no more of that stuff.
> |
> | I then ran SpyBot S&D 1.4 and it found absolutely nothing (I did get the
> | most recent updates before running it).
> |
> | I then ran the BHODemon and it found only (4) things; all of which are
> | marked as benign (e.g., AcroIEHelper.dll, SDHelper.dll, and a couple of
> | SpywareDoctor references that it is tagged as 'file is missing' - I'm
> | assuming this is a leftover from some uninstall I did of that 'tool').
> |
> | So effectively, these utilities determine nothing is wrong. YET !! and this
> | is the annoying thing -- the Web redirection persists. I've even tried a
> | different search engine (I used MSN.com instead of GOOGLE) -- but when I
> | click the hyperlink for the result of the search, off it goes to some ad
> | site.
> |
> | Any other ideas??? Is it possible to uninstall/re-install IE, and if so,
> | would that help?
> | (By the way, I do not have any distribution disk with IE on it, so either
> | it's lying around on my PC somewhere in a .cab and I don't know what I'm
> | looking at, or I got it off the web directly from MS at some point).
> |
> | In any case, if you can help -- I'm still very interested. The really nasty
> | thing about this is that my kids use the computer and it has on occasion
> | brought up some really crude porn sites. Not only that, but even the
> | non-porn sites sometimes, if you're not careful, you don't realize that you
> | were redirected and can accidentally ask for things (which of course makes
> | the problem worse).
> | ./dz
> |
> | "David H. Lipman" wrote:
> |
> >> From: "./dz" <dz@discussions.microsoft.com>
> >>
> |>> Thank you David. I think I've received advice from you before on some
> |>> entirely different threads, in an entirely different community, and they've
> |>> always been very useful. I wasn't able to 'discover' within the limits of my
> |>> patience how to 'rate' your reply, but when I find out how to, I shall do so.
> |>> In the meantime, this comment will have to suffice. Thanks again.
> |>> ./dz
>
>
> Download MULTI_AV.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> To use this utility, perform the following...
> Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose; Unzip
> Choose; Close
>
> Execute; C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
> FireWall to allow it to download the needed AV vendor related files.
>
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed in Normal Mode.
> This way all the components can be downloaded from each AV vendor's web site.
> The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files or you can
> download the files and perform a scan in Normal Mode. Once you have downloaded the files
> needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
> file. http://www.ik-cs.com/multi-av.htm
>
>
> * * * Please report back your results * * *
>
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>