IE won't load certain web pages anymore

[Guest]

Within the past 2 weeks, IE 6.0 on my home computer (XP Pro OS) will no
longer load certain web pages. These are sites I have been viewing almost
daily (cnn.com, for example) for years. Others load just fine (like normal).

Prior to this problem, I had not adjusted my firewall (ZoneAlarm) or IE
security settings. I've tried uninstalling and reinstalling IE - no impact.
I've turned off ZA, no impact. I've reduced the security settings in IE, no
impact.

Any suggestions?

Thank you,
Harry

 

[Frank Saunders, MS-MVP]

Within the past 2 weeks, IE 6.0 on my home computer (XP Pro OS) will
no longer load certain web pages. These are sites I have been
viewing almost daily (cnn.com, for example) for years. Others load
just fine (like normal).

Prior to this problem, I had not adjusted my firewall (ZoneAlarm) or
IE security settings. I've tried uninstalling and reinstalling IE -
no impact. I've turned off ZA, no impact. I've reduced the security
settings in IE, no impact.

Any suggestions?

Thank you,
Harry

Check for a file named HOSTS with no extension (not Hosts.sam). It may be a
hidden file. Open it with Notepad and remove any line referencing the site.
Or, rename HOSTS to OLDHOSTS

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/

 

[Guest]

Frank-

I followed your instructions this morning. Ended up renaming the hosts file
to OLDHOSTS because I could not find any references to cnn.com, for example.

Worked like a champ! Left for work very happy!

Logged on again just now approx 14hrs later and IE is doing the same thing
again. A HOSTS file has been recreated and contains hundreds of entries
(searched for "cnn", found nothing).

Is there a way to perm. rectify this problem? Any recomnmendations?

Thank you,
Harry

 

[Frank Saunders, MS-MVP IE/OE]

Frank-

I followed your instructions this morning. Ended up renaming the
hosts file to OLDHOSTS because I could not find any references to
cnn.com, for example.

Worked like a champ! Left for work very happy!

Logged on again just now approx 14hrs later and IE is doing the same
thing again. A HOSTS file has been recreated and contains hundreds
of entries (searched for "cnn", found nothing).

Is there a way to perm. rectify this problem? Any recomnmendations?

Thank you,
Harry

First eliminate any scumware.
See
Dealing with Unwanted Malware, Parasites, Toolbars and Search Engines
http://mvps.org/winhelp2002/unwanted.htm

Note that AdAware and SpyBot S & D will each catch some things the other
won't. Also, each needs to be updated with the program's update function
before every use, even when just downloaded. There's also a lot more to do
than just those two programs. CWShredder is also available here:
http://www.kellys-korner-xp.com/regs_edits/cwshredder.zip
**Post your HijackThis log to
http://forums.spywareinfo.com/ or the Spyware forum at
http://forum.aumha.org/ for expert analysis, not here.**
Alternative download pages for Ad-Aware, Spybot, HijackThis and CWShredder
may be found on this page:
http://aumha.org/a/parasite.htm.
CAUTION!!!!! Before you try to remove spyware using any of the programs
below, download a copy of LSPFIX from any of the following sites:
http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html
(if your OS is Win2k or XP) The process of removing certain malware may kill
your internet connection. If this should occur, this program, LSPFIX, will
enable you to regain your connection.

If nothing there helps, please post back to this thread.

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/

 

[Guest]

Frank-

Bottom line - didn't help.

Details:
1. I've been a Spybot regular for yrs. Re-ran it after you suggested to.
2. Downloaded and ran Adaware and cwshredder (thanks - good tips!).
Adaware caught more gunk, but still no joy.
3. Prior to running any of those utilities, I downloaded and fired up
Mozilla Firefox (as alt plan to surf if IE problem persisted). Initially, I
had no problem surfing to CNN.com and the few other sites I was having
problems with in IE. That lasted a day. I now have the same page problems
in FireFox I have with IE - to include after running those utilities.

Suggestions?

Harry

 

[Robert Aldwinckle]

(interleaved reply)

Frank-

Bottom line - didn't help.

Clearly the tack is correct, since that HOSTS file is being regenerated
from somewhere.

BTW one thing you should do after making any changes to your
HOSTS file is open a command window and enter:

ipconfig /flushdns


Also are you sure that you are finding the right one? Certain malware
(ref QHosts) is known to change the location of the DNS overrides.
Open a command window and enter this command pipeline to make
sure the path being used is the path you are finding it under:

netsh diag show adapter /v | find /i "DataBasePath"


Now it appears the bad guys have figured out ways to insert filters
into the TCP-IP stack to do what they want. This seems to show up
most in NT5 systems.

Here is a excerpt about my current understanding about that:

<excerpt>
FYI for XPsp2 there is a new repair command for the latter possibility:

netsh winsock reset

Otherwise there is

netsh interface ip reset

You might try checking for abnormalities beforehand by

netsh winsock show catalog type=LSP

ipseccmd show filters

(ipseccmd is on the XP Pro Support Tools)


BTW you may get better suggestions in a newsgroup
which specializes in networking for your OS.

Details:
1. I've been a Spybot regular for yrs. Re-ran it after you suggested to.

Did you download the latest version _and then_ get any updates?


HTH

Robert Aldwinckle
---

 

[Guest]

Aloha Robert-

Interesting ref. regeneration of "hosts"...

Here's what I did:
1. renamed "hosts" again for kicks; ran ipconfig /flushdns. No impact.
2. ran netsh winsock reset. No impact.
3. ran netsh winsock show catalog type=LSP ipseccmd show filters;
rcvd "parameter is incorrect" error msg. What am I doing wrong here?
4. ran netsh diag show adapter /v | find /i "DataBasePath". Screen
read:
databasePath = %systemroot%\system32\drivers\etc
databasePath = (empty)
databasePath = (empty)
databasePath = (empty)
databasePath = (empty)
databasePath = (empty)
databasePath = (empty)
databasePath = (empty)
databasePath = (empty)
Does this mean I'm looking in the right place or do I need to change
parameters?

Ref Spybot, it checks for newer updates when I start it. It tells me "no
new updates avail". Confirmed that I am running 1.1 rel 4.

Pls let me know if I did the above correctly and if you have additional
suggestions.

Thank you-
Harry

 

[Robert Aldwinckle]

Aloha Robert-

Interesting ref. regeneration of "hosts"...

Here's what I did:
1. renamed "hosts" again for kicks; ran ipconfig /flushdns. No impact.

Does that mean you don't have one still?
(E.g. regeneration has stopped?)

2. ran netsh winsock reset. No impact.
3. ran netsh winsock show catalog type=LSP ipseccmd show filters;
rcvd "parameter is incorrect" error msg. What am I doing wrong here?

That was supposed to be two commands:

netsh winsock show catalog type=LSP
and
ipseccmd show filters

You may have to install XP Pro Support Tools to be able to use
the last command.

4. ran netsh diag show adapter /v | find /i "DataBasePath". Screen
read:
databasePath = %systemroot%\system32\drivers\etc
databasePath = (empty)
databasePath = (empty)
databasePath = (empty)
databasePath = (empty)
databasePath = (empty)
databasePath = (empty)
databasePath = (empty)
databasePath = (empty)
Does this mean I'm looking in the right place or do I need to change
parameters?

Yes. Everything looks fine.

Ref Spybot, it checks for newer updates when I start it. It tells me "no
new updates avail". Confirmed that I am running 1.1 rel 4.

I just remembered that SpybotSD has an option to do something
with HOSTS. Maybe that is where you are getting yours?

Pls let me know if I did the above correctly and if you have additional
suggestions.

If everything above checks out and you find a reasonable explanation
for the HOSTS file you may simply have a conventional connectivity
problem with that site. E.g. you can check the DNS lookup for its
main URL using nslookup. Then you can load that into your dsncache
with a ping -n 1 or tracert. (Don't worry if either command fails.
That doesn't mean much these days since many large sites are blocking
ICMP packets to guard against moronic Denial of Service "exploits".)

What you should be able to do though, if the lookups are working properly,
is use telnet 80 to confirm that there is an HTTP server ready for you.
You may even be able to get an idea of the response it might send IE
by simulating the GET request. Often it is sufficient to enter
GET /

Thank you-
Harry

Good luck

Robert
---

 

[Guest]

Robert-

The problem remains. Here's what I did and answers to your questions:

1. The "hosts" file regenerates itself after I rename it & log off/log back
on again; it still exists on my PC.
2. Installed XP support tools. Ran cmd prompt. Re-ran the two sep. cmds.
After entering the 2nd cmd, ("ipseccmd show filters") I get " 'ipseccmd' is
not recognized as an internal or external command, operable program or batch
file".
3. The only thing I saw in SPYBOT was an explanation as to what the "hosts"
file does in the help file. I saw no configuration settings, etc pertaining
to "hosts" file.

Recommendations or ideas?

Thank you,
Harry

 

[Robert Aldwinckle]

Robert-

The problem remains. Here's what I did and answers to your questions:

1. The "hosts" file regenerates itself after I rename it & log off/log back
on again; it still exists on my PC.

Let's be clear. The HOSTS file can not regenerate itself.
Some program is causing that to happen. I was just guessing
that it might be spybotsd.

2. Installed XP support tools. Ran cmd prompt. Re-ran the two sep. cmds.
After entering the 2nd cmd, ("ipseccmd show filters") I get " 'ipseccmd' is
not recognized as an internal or external command, operable program or batch
file".

I have my Support Tools directory in my PATH environment variable.
I don't think I did anything special to have that happen but if that isn't
the case with your PATH variable it would explain your symptom if you
were trying to use the command from any other location than the
Support Tools directory. Even if this path wasn't specified I have a
Start menu shortcut, which again I suspect was created by the install,
which is labeled: Command Prompt underneath the Support Tools
submenu; so I would use that as an alternative.

To avoid any question about how your Support Tools were installed,
including which shortcuts you have in your Start menu's Programs submenu,
why not just do a change directory to wherever they are installed and verify
that the command is there? E.g.

cd %ProgramFiles%\Support Tools
dir ips*

If you installed the Support Tools to some other directory than Program Files
or if you renamed it something other than Support Tools modify the first
command appropriately.

3. The only thing I saw in SPYBOT was an explanation as to what the "hosts"
file does in the help file. I saw no configuration settings, etc pertaining
to "hosts" file.

Recommendations or ideas?

As I mentioned above the spybotsd idea was a guess.
In that case what I would do is use FileMon to monitor HOSTS
to help find out which program is creating that file.
(FileMon is freeware from SysInternals.)


BTW have you tried the other suggestions anyway?
If you are getting hung up on trying to assess the validity
of the malware hypothesis try using the telnet test to start
diagnosing particular problems.

Thank you,
Harry

Good luck

Robert
---

 

[Guest]

Robert-

There's no issue with paths, etc ref. XP spt tools (install path was the
same as you described; shortcuts in start menu same as you describe; etc).
Still get that error though. Is this something worth investigating? In
other words, will solving this problem impact/solve my orig problem? If not,
then no worries.

You mentioned below about trying your other suggestions. I've tried to
follow along and do everything you suggest. In fact, I've kept a log of the
things I've tried after each of your responses. But maybe I missed something
(it's a little difficult finding your responses within the quoted text of my
responses - would not be too surprised if I missed something). Was there
something in particular you were referring to? I'm still "out of business"...

Regards-
HarryX