Re: Serious search problem



Ext User(Robin Bignall)
02-06-2007, 03:36 AM
On Tue, 29 May 2007 15:53:01 -0700, nass
<nass@discussions.microsoft.com> wrote:

>
>
>"Robin Bignall" wrote:
>
>> On Tue, 29 May 2007 01:49:01 -0700, nass
>> <nass@discussions.microsoft.com> wrote:
>>
>> >
>> >
>> >"Robin Bignall" wrote:
>> >
>> >> The problem is simple: after a search using Google or MSN, EVERY link
>> >> I click on goes to a semi-arbitrary advertising site. Sometimes
>> >> repeating the click gets the same site, sometimes a different one.
>> >> Searching has become impossible.
>> >>
>> >> Clicking on links given in Usenet posts, or in my favourites file,
>> >> takes me to the correct site. Entering a URL into the entry line of
>> >> IE, or copying the URL from the bottom of a Google entry and pasting
>> >> it into the entry area, gives me the correct site. It's the links
>> >> that Google provides that are all getting redirected by something. I
>> >> used a tool to ensure that the Google search page I'm getting has not
>> >> been spoofed, and it told me it was clean. I have anti-fraud and
>> >> phishing stuff running.
>> >>
>> >> What I've got: XP Pro with IE7 (problem also occurs with IE6): Norton
>> >> Internet Security 2007, A-Squared malware checker with real-time
>> >> monitor, CA firewall set to maximum protection. I'm not in the habit
>> >> of opening HTML mail or clicking on sites in spam mail, or of
>> >> downloading anything I'm not sure of.
>> >>
>> >> What I've done:
>> >> checked HOSTS and LMHOSTS files - all okay.
>> >> Ran a deep scan with Norton and A-Squared. Also bought Adaware and
>> >> tried two other malware checkers, plus the online virus scan from
>> >> McAfee. No problems found other than a couple of tracking cookies
>> >> that were not causing the problem. In desperation I did a Windows
>> >> repair install, and ran all of the virus and malware checkers again.
>> >> This made no difference, and I have no idea what to try next.
>> >>
>> >> Any ideas?
>> >> --
>> >> Robin Bignall
>> >> Herts, England
>> >
>> >Hi Robin,
>>
>> Hi, Nass. Thanks for all of your suggestions.
>>
>> >1...Click Start >> Control Panel >> Double click Network and Internet
>> >Connections >> Double click Internet Options.
>> >On the IE properties window you will see these Tabs:
>> >General | Security | Privacy | Content | Connections | Programs |
>> >Advanced.
>> >
>> >Click on General Tab, under Browsing History Click Delete Button then Click
>> >Delete all... Button and also check the check box for Delete
>> >files and settings stored by add-ons.
>> >Click [ Yes ].
>> >Click Privacy Tab and make sure your Privacy settings at least Medium High,
>> >Also under:
>> >Pop-Up Blocker:
>> >Prevent most pop-up windows from appearing. [ Settings ] Click here to
>> >see if your Pop-Up blocker is set Medium High
>> >[ ] Turn on Pop-Up Blocker <= Check this Box.
>> >
>> >Click Programs Tab, then click on manage add-ons there Disable all
>> >not-verified add-ons then click [OK]
>> >Click Advanced tab, scroll until Browsing Option:
>> >[&] Browsing:
>> > [ ] Enable Third-Party browser extensions* <= uncheck this box
>> > [ ] Enable websites to use search pane* <= uncheck this box
>> >
>> >
>> >Then scroll to:
>> > Phishing Filter:
>> > ( ) Disable Phishing Filter
>> > ( ) Turn OFF Automatic Website checking
>> > (*) Turn ON Automatic website checking <= Check this Radio Button
>> >
>> >2...Click Start >> Control Panel >> Double click Network and Internet
>> >Connections >> Double click Network Connections then Right click on your
>> >Local Area Connection (LAN) and select Properties from the list.
>> >On the LAN Properties window Highlight Internet Protocol (TCP/IP) and click
>> >Properties Button, on the Internet protocol
>> >(TCP/IP) Properties click on Advanced Button.
>> >On Advanced TCP/IP settings, make sure there is no DNS name or IP under:
>> >IP Settings | DNS | WINS | Options.
>> >If there is, and it is not recognised by your ISP, then it is likely the bad IP that
>> >redirects you to these advertising sites.
>> >Click on Options and click on Properties while the TCP/IP Filtering is
>> >selected and see if there is an entry for any IPs there.
>> >Click [OK] when Finished.
>> >
>>
>> Okay, I tried all of the above and thought I'd solved the problem,
>> because the DNS entries were different from my own ISP's. I changed
>> them to what they should be, rebooted, and for good luck also rebooted
>> the cable modem. I got to IE7 via the start menu to run it without
>> add-ons, as the previous poster suggested, and the problem is exactly
>> as it was before. I tried several searches on Google's UK and France
>> and every link takes me to an ad site.
>>
>> >3.. Click Start >> Run and type in:
>> >regedit.exe click [OK] on the Registry Editor locate these Keys:
>> >
>> >[-]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar = What
>> >listed here?
>> >
>> default reg_sz value not set
>> locked reg-dword 0x0000001
>>
>> >[-]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks =
>> >What listed here?
>> >
>> default not set
>> {CFBFAE00-17A6-1100-99CB-00C04FD64497}
>>
>> >[-]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search page
>> >
>> ie.search.msn.com
>>
>> >[-]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
>> >Settings\ZoneMap =
>> >
>>
>> Four reg doublewords with values of 0x0000001
>> a whole bunch of sub-folders with doublewords ranging from empty
>> (blank) to 0x0000003
>>
>> I don't see anything sinister in any of the above. (I can't seem to
>> be able to copy/paste from regedit to show the full entries).
>>
>>
>> >Use this tool to see the Registry and all the DLLs and running processes in
>> >real time on your system.
>> >"AutoRuns for Windows v8.61 By Mark Russinovich and Bryce Cogswell"
>> >http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Autoruns.mspx
>> >The tool above will show in real time the running processes and can show
>> >what in the registry, DLLs on your machine and you can use it to
>> >remove/Delete a file or edit the startup programs.
>>
>> I downloaded this tool (thanks for letting me know about this) and ran
>> it with verification and empty locations set, and verified Microsoft
>> stuff eliminated, just to see if any strange things were lurking. It
>> shows that everything that's in there is part of my known
>> applications.
>>
>> I just checked my DNS settings again to see if anything has changed
>> them, but they're fine.
>>
>> This is all rather weird. I have no peculiar applications
>> auto-starting, no malware or viruses that any of the tools can find,
>> and the problem survived through a Windows repair.
>> --
>> Robin Bignall
>> Herts, England
>
>Hi Robin,
>Since you mentioned that your DNS has been changed, you may have an
>infection on this machine. Try to scan from the following links and try the
>HijackThis forums.
>Run a scan from here on-line:
>http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
>Download Avast Cleaner from here:
>http://www.avast.com/eng/avast-virus-cleaner.html
>Lots of tools to download and disinfect your machine:
>http://www.bitdefender.co.uk/site/Downloads/browseFreeRemovalTool/
>
>If you are still directed, download HijackThis and send the report to one of
>many
>forums for analysis and troubleshooting:
>When all else fails, HijackThis v1.99.1
>(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
>It will help you to both identify and remove any hijackware/spyware. Post
>your log to http://aumha.net/viewforum.php?f=30,

Hi, Nass,

I finally solved the problem with the magnificent help of Bill Kastner
at the aumha forums, for the knowledge of which I thank you very much.
Rather than repeat all of the steps, they can be seen at
http://aumha.net/viewtopic.php?p=153605#153605

I have learned some interesting things.
--
Robin Bignall
Herts, England
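
The two checks from this thread that turned something up or were inspected by hand (DNS servers that differ from the ISP's, and the URLSearchHooks entries), read straight from the registry. This is an added example, not part of any post; the function names are hypothetical and the `$ExpectedDns` addresses are placeholders to replace with your ISP's resolvers.

```powershell
# Added example; $ExpectedDns holds placeholder documentation addresses.
# Replace them with the resolvers your ISP or administrator actually assigns.
param([string[]]$ExpectedDns = @('192.0.2.53', '198.51.100.53'))

function Get-InterfaceDnsServers {
    # Static (NameServer) and DHCP-supplied (DhcpNameServer) resolvers are
    # stored per interface GUID under the Tcpip service key.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($key in Get-ChildItem -Path $root) {
        foreach ($name in 'NameServer', 'DhcpNameServer') {
            $raw = $key.GetValue($name)
            if ([string]::IsNullOrEmpty($raw)) { continue }
            foreach ($ip in ($raw -split '[,\s]+' | Where-Object { $_ })) {
                [pscustomobject]@{
                    Interface = $key.PSChildName
                    Source    = $name
                    Server    = $ip
                    Expected  = $ExpectedDns -contains $ip
                }
            }
        }
    }
}

function Get-UrlSearchHookDlls {
    # Each value name under URLSearchHooks is the CLSID of a COM object IE calls
    # to translate addresses typed without a known protocol; resolve it to its DLL.
    $hooks = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
    if (-not (Test-Path -LiteralPath $hooks)) { return }
    foreach ($clsid in (Get-Item -LiteralPath $hooks).GetValueNames()) {
        if (-not $clsid) { continue }   # skip the unnamed (Default) value
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path -LiteralPath $srv) {
            (Get-Item -LiteralPath $srv).GetValue('')
        } else { '<CLSID not registered>' }
        [pscustomobject]@{ Clsid = $clsid; Dll = $dll }
    }
}

'DNS servers not on the expected list:'
Get-InterfaceDnsServers | Where-Object { -not $_.Expected } | Format-Table -AutoSize
'URLSearchHooks and the DLL behind each:'
Get-UrlSearchHookDlls | Format-Table -AutoSize
```

A resolver that reappears in `NameServer` after being corrected means something on the machine is rewriting it, which is worth recording before any cleanup tool runs.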

Ext User(nass)
02-06-2007, 03:49 AM
Hi Robin,
Glad you got it sorted, and thanks for taking the time to post back the
solution, much appreciated.
Thanks and Good luck.
Regards,
nass
-----
www.nasstec.co.uk