"about:blank or Use Default redirecting"

Sohail

My symptoms are that going into "(Microsoft) Internet
Explorer 6", the page will default to About:Blank or Use
Default, but I am being redirected
to "http://206.161.207.99/sextracker.html". Norton
Antivirus is also updated but it does not show me any
sign of virus in my computer. I have tried the following
programs:

Adaware
SpySweeper
Spybot
CWShredder
A^2
regcleaner
HiJack This

Nothing has worked so far. If anyone can please help it
would be greatly appreciated, many thanks.
 
Hi,

Suggestions:

In IE, clear your TIF, Cookies, Delete Files/Offline as well, then go to
Settings/View objects, clear. Once done:

Go to Start/Run and type in: regsvr32 urlmon.dll. Then go to:
IE/Tools/Internet Options/Programs/Reset Web Settings.

If this doesn't help, run SpyHunter and make note of what it finds and
follow the paths, no need to register at this point.

This generally has to do with having to end a process (pay mind to the
proper name) via the Task Manager as these don't normally show up under the
registry runkeys, removing the exe from either System or System32 and
removing the CLSID involved via the registry.

At times, these are also placed in the startup folder and/or under Shell =
Explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Good luck!
 
Check your system for "hijackware":

Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm

CoolWebSearch Chronicles
http://www.spywareinfo.com/~merijn/cwschronicles.html

Run these tools in the following order with nothing else running in
background:

1. CWShredder (fix all found)

2. Ad-Aware (fix all found)

3. Spybot (RTFM but generally fix everything in red)

Important: You *must* seek updates for Ad-Aware, Spybot, etc., before each
and every use, even "right out of the box". But even they can't catch
everything, 24/7. When all else fails, HijackThis
(http://www.spywareinfo.com/~merijn/files/HijackThis.exe) is the preferred
tool to use. It will help you to both identify and remove any
hijackware/spyware. **Post your files to http://forums.spywareinfo.com/ or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

Also:

1. Download and run Stinger (http://vil.nai.com/vil/stinger/); then...

2. Update your virus definitions, enable Show Hidden Files
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
and then run a full system scan in Safe Mode
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
with nothing else running in background.

WinXP Only (WinME similar): If this scan finds anything, create a new
Restore Point then Disk Cleanup > More options > Delete all but the most
recent Restore Point.

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957
--
HTH - Please Reply to This Thread

~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

AumHa Forums
http://forum.aumha.org

What You Should Know About Spyware
http://www.microsoft.com/mscorp/twc/privacy/spyware.mspx
 
Kelly said:
If this doesn't help, run SpyHunter and make note of what it finds and
follow the paths, no need to register at this point.

Do you really recommend SpyHunter? It's on the list of fake spyware
removers at http://www.netrn.net/archives2/000550.html described as, "The
following programs are not recommended because they install spyware
themselves, just aren't any good at fixing spyware, or somewhere in
between." I've found this list to be accurate and reliable in the past.
 
Sohail said:
My symptoms are that going into "(Microsoft) Internet
Explorer 6", the page will default to About:Blank or Use
Default, but I am being redirected
to "http://206.161.207.99/sextracker.html"

You have been Hijacked, by one that is troublesome. Before anything
else, go to Control Panel (not IE) Internet Options and edit the
about:blank to about:mozilla
Also edit the windows\system32\drivers\etc\hosts file with NotePad, and
put a 'comment out' # before all lines but the
127.0.0.1 localhost
one

Here is a full repair instruction from MVP Mike Burgess on the one it
probably is: a bit out of date by now, but hopefully will help, and
best of luck!


Download: "RepairAppInit.reg"
http://www.mvps.org/winhelp2002/RepairAppInit.reg
Do not do anything with this file yet, it will be needed later.

Download: CWShredder
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Unzip, but do not run it yet, it will be needed later.

Download: Ad-Aware
http://www.lavasoft.de/software/adaware/
Install, but do not run it yet, it will be needed later.

Download: Find-All.zip
http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm
Unzip, but do not run it yet, it will be needed later.

Download: WINFILE.zip
http://www10.brinkster.com/expl0iter/freeatlast/WINFILE.zip
Unzip, but do not run it yet, it will be needed later.

Download: Registrar Lite [freeware]
http://www.resplendence.com/download
Install, but do not run it yet, it will be needed later.

[Step 1]

Double-click the included "Find-All.bat" file from Find-All.zip.
Generates: "output.txt"
Note: if infected you will see:

Locked file(s) found...
C:\WINDOWS\System32\<filename> +++ File read error
Where "<filename>" is the hidden invisible installer.
Note: "+++ File read error" is not an error, this just identifies the
culprit.

[Step 2]

Run "Registrar Lite" and navigate to:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
Double click on "AppInit_DLLs" entry (right pane)
The size will likely be something other than "1" (if infected)
IMPORTANT: Make a note of the filename and location (folder)

[Step 3]

Rename the highlighted "Windows" key (left pane)
To rename: Right-click and select: Rename
(type) NoWindows


Double-click "AppInit_DLLs" again (right pane)
Clear (delete) the "Value" containing the .dll and click Ok.


IMPORTANT: Rename the "NoWindows" key (left pane)
To rename: Right-click and select: Rename
(type) "Windows" (no quotes) and close RegLite.

[Step 4]

Using Windows Explorer go to your root drive: (typically) "C:\"
Click File (up top) select: New > Folder
(type) "Junk" (no quotes)

Open Winfile

Navigate to System32 folder.
Click File (up top) select: Move

Copy and paste this into the 'From' box:
C:\WINDOWS\System32\<filename>.dll
Copy and paste this into the 'To' box: C:\Junk\<filename>.dll

Note: where "<filename>" = culprit dll from "output.txt"

Click OK. Close Winfile
Open Windows Explorer and check in C:\Junk for the "<filename>.dll"
file.

At this point see if you can rename the "<filename>.dll"
Do this several times, changing the name and extension each time.
Then see if you can "Move" to "A:\" (floppy)

[Step 5]

Locate: "RepairAppInit.reg" right-click and select: Merge
Ok the prompt

[Step 6]

Open Regedit (Start | Run (type) "regedit" (no quotes))
Use the Search function for the <filename>.dll
Click: Edit (up top) select: Find
(type) <filename>.dll, click: Find Next

Note: where "<filename>" = culprit dll from "output.txt"

Remove all instances found. Press "F3" to continue searching
until you see the "Completed" message.

Next repeat the above steps, substitute the "secondary dll"
From: "text/html" as seen in the "output.txt"

[Step 7]

Run CWShredder and reboot.

[Step 8]
Run Ad-Aware
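
The three places these replies say to inspect (the AppInit_DLLs value, the Winlogon Shell value, and the hosts file) can be checked offline from a registry export and a copy of the hosts file. The following is an added example, not part of the original thread or any of the tools it names; the function names `parse_reg` and `audit` and all sample data are constructed for illustration.

```python
import re

# Registry locations named in the thread (AppInit_DLLs and the Winlogon "Shell" value).
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse regedit export text into {KEY: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes and quotes with a backslash; undo that.
            current[m.group(1).lower()] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def audit(reg_text, hosts_text):
    """Return (location, data) pairs for every setting that departs from the clean state."""
    keys, findings = parse_reg(reg_text), []
    appinit = keys.get(APPINIT_KEY.upper(), {}).get("appinit_dlls", "").strip()
    if appinit:  # any DLL listed here is loaded into processes that load user32.dll
        findings.append(("AppInit_DLLs", appinit))
    shell = keys.get(WINLOGON_KEY.upper(), {}).get("shell", "").strip()
    if shell and shell.lower() != "explorer.exe":
        findings.append(("Winlogon Shell", shell))
    for raw in hosts_text.splitlines():
        entry = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if entry and entry != ["127.0.0.1", "localhost"]:
            findings.append(("hosts", " ".join(entry)))
    return findings

# Constructed sample input (not from the thread): a regedit export and a hosts file.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\example.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''
SAMPLE_HOSTS = """127.0.0.1       localhost
# 192.0.2.5 disabled.example
192.0.2.10      www.example.com
"""

if __name__ == "__main__":
    for location, data in audit(SAMPLE_REG, SAMPLE_HOSTS):
        print(f"{location}: {data}")
```

Version 5.00 exports from regedit are saved as UTF-16, so decode the file with that encoding before passing its text to `audit`.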
 
ted said:
Do you really recommend SpyHunter? It's on the list of fake spyware
removers at http://www.netrn.net/archives2/000550.html described as, "The
following programs are not recommended because they install spyware
themselves, just aren't any good at fixing spyware, or somewhere in
between." I've found this list to be accurate and reliable in the past.

Spyhunter is on the list because it is "trickware". On their site the
claim is made that it is free and will find and remove threats but when
you use it and it finds all these things only THEN does it tell you that
you must purchase it in order to remove the problems it finds.

I believe Kelly recommended using it to find problems but then follow
the registry and file paths in order to remove them manually.

Steve
 
Correct! :o) It will tell you all you need to know.

Another note worth mentioning is that I had a system here which had the
licensed version installed and I ran the 'free' catch version first to test
as comparison and it listed many, many interesting items. Then ran their
licensed version and it listed twice as many. All true to the point (both
scans).

Will test it again, if I get the chance. I could see a free version doing
this but not a catch model. Dunno!
 
Yes, Jason mentioned that, but only good if the user isn't using Mozilla!
<w>




 