IE slow then redirects to other URL

Tom

My browser has been very slow and it is not due to the
connection (cable modem, verified with ISP). I can visit
some pages, but it is very slow. When I try to visit most
other pages it is slow and eventually redirects me by
adding "www" and ".org" onto the front and end of my URL
address (e.g., it changes "www.boston.com"
to "www.www.boston.com.org"). The page I go to has a
fantasy football advertisement and other general info --
says it is from www.DigiMedia.com. Other times I get
a "page cannot be displayed" message.

I have Norton Antivirus and have done a full system scan
with no results. All of this has happened since @8/26 and
I have made no changes to my system recently.

Any thoughts?
 
Jim Byrd

Hi Tom - It sounds like you may have picked up a "drive-by" parasite. If
you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in
Zone Alarm 3.x, if present or any other Ad Blocking software which
interferes with Java Scripting for this scan to work. You should get a
message between the two lines of **** giving the results of the scan.

For the general hijack case, the best way to start is to get Ad-Aware 6.0,
Build 162 or later, here: http://www.lavasoftusa.com/support/download/.
Update and run this regularly to get rid of most "spyware/hijackware" on
your machine.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After fixing things with SpyBot S&D, be sure to
re-boot and rerun SpyBot again and repeat this cycle until you get a clean
"no red" scan.


Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm

Lastly, a very useful utility for examining your system and correcting
problems is Hijack This, which you can download here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip See also,
HijackThis Quick Start Help, http://www.tomcoyote.org/hjt/ (Recommended)
This site has a number of useful references and information also:
http://www.spywareinfo.com/articles/hijacked/ and here
http://www.spywareinfo.com/downloads.php

Another program giving a good inventory of all of the possible start vectors
is AutostartExplorer, here: http://www.misec.net/aexp.jsp While it doesn't
allow control of startups, it's extremely comprehensive in examining all of
the possible sources. Highly Recommended

Next, go here: http://www.mlin.net/StartupCPL.shtml and get Mike Lin's
Startup Control Panel applet. A somewhat more difficult to use but more
extensive program to do the same thing is StartupList from here:
http://www.lurkhere.com/~nicefiles/index.html, or even better, Autoruns from
here: http://www.sysinternals.com/ntw2k/source/misc.shtml#autoruns. Be
very careful about doing any Registry modifications directly unless you're
comfortable with this, and be sure that you BACKUP your Registry before
making any changes, so that you can recover if something goes wrong.
Changes made with StartUpCPL are less likely to cause problems, and are
usually a matter of just re-enabling the particular program. Another
program of this type that I can recommend is StartMan, free, here:
http://www.spywareinfo.com/downloads/startman/. If you have problems with
suspected hijackers, you can look up and investigate suspect programs in
your StartUp lists here:
http://www.pacs-portal.co.uk/startup_pages/startup_full.htm (Recommended)
http://www.3feetunder.com/krick/startup/list.html (Recommended)
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm (Recommended)


Some hijackers install themselves as Browser Helper Objects. Get BHOCop
here: BHO Cop http://www.pcmag.com/article2/0,4149,270,00.asp
(Unfortunately, no longer free from that link but you can read about it
there, and here is a direct download link for it:
http://websec.arcady.fr/bhocop.zip) and take a look at what BHO's are
currently installed. Some things like AdShield and Acrobat are normal, but
if you see something that doesn't make any sense, try disabling it and see
if that helps. Another excellent program for this same purpose is BHODemon,
(still free) here: http://www.definitivesolutions.com/ or here:
http://www.spywareinfo.com/downloads/bhod/ I would recommend both. You can
also check/control BHO's using the Tools function of SpyBot S&D.

There's good information about hijacking and fixes available here:

Andrew Clover's parasite page: http://www.doxdesk.com/parasite/ (Highly
recommended)
Robert Allen's parasite page: http://allentech.net/parasite/index.phtml
(Highly recommended)
http://www.spywareinfo.com/hijacked.html
http://gmpservicesinc.com/Articles/hijack.asp (links here for .reg files to
lock and unlock your homepage, BTW. You can also use this program to toggle
locking/unlocking of your homepage:
http://www.dougknox.com/security/scripts/nosethomepage.vbs Recommended)
http://www.mvps.org/inetexplorer/answers.htm#home_page

Also, there's a new class of hijacker using Windows Messenger Service (not
Instant Messaging, BTW). See: Messenger Service Window That Contains an
Internet Advertisement Appears http://support.microsoft.com/?id=330904
which identifies reasons to keep this service and steps to take if you do.
You can test your system and follow the 'Prevention' link to get additional
information here: http://www.mynetwatchman.com/winpopuptester.asp.
These are due to open NetBios ports 135, 137-139 and
445. You really need to block these with a firewall as a general
protection measure. You can stop the popups by turning off Messenger
Service; however, this still leaves you vulnerable.

Messenger Service is not per se Spyware or something that MS did wrong - It
provides a messaging capability which is useful for local intranets and is
also sometimes (albeit nowadays infrequently) used by some applications to
provide popup messages to users. However, it can also be (and now
frequently is) used to introduce spam via this open NetBios channel.
For a single user home computer, it normally isn't needed and can be
turned off which will eliminate the spam popups. This DOESN'T, however,
remove the vulnerability of having these ports open, when in fact they
aren't needed, since they can be perverted in other ways as well, some
of which can be much more damaging than just a spam popup.

Unless you have very good reasons to keep this active, it should be turned
off in Win2k and XP. Go here and do what it says:
http://www.itc.virginia.edu/desktop/docs/messagepopup/ or, even better, get
MessageSubtract, free, here, which will give you flexible control of the
service and viewing of these messages:
http://www.intermute.com/messagesubtract/help.html Recommended.

(FWIW, ZoneAlarm's default Internet Zone firewall configuration blocks
the necessary ports to prevent this use of Messenger Service. I don't
know the situation with regard to other firewalls.)

Once you get this cleaned up, you might want to consider installing the
SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
happening in the future:
http://www.wilderssecurity.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it updated) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed, and it provides information and fixit-links for a variety
of parasites.
http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts to
install malware) Both Very Highly Recommended.

See if any of this helps and post back with your results.


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



Tom

Jim,

Thanks for the info. I will try these things when I get
home and post a response with the results. Do you have
any suggestions if my browser won't let me get to the
sites you've listed due to the problem I'm trying to
resolve?

Thanks.

Jim Byrd

Hi Tom - Do you currently have AdAware and/or SpyBot installed? That's your
first line of defense. If not, here are direct download links:

AdAware: http://www.wyvernworks.com/Lavasoft/aaw6.exe

SpyBot:
http://download.com.com/redir?pid=1...ownload.com/pub/win95/internet/spybotsd12.exe

(may wrap)

Be sure you UPDATE them first, then run per my previous post. See where
you're at after that and then post back please. There's more that can be
done.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



Tom

I couldn't get to any of those sites on my computer. (I
didn't see Henri's post until this morning - I'll try that
tonight.)

I downloaded spybot and adaware from a friend's computer
and installed it. They found and resolved 68 problems!
Unfortunately it still doesn't work.

Two things:
1) I can't update spybot and adaware after I installed
because I can't receive info from those sites. I don't
know if updating the programs would fix the issue.
2) My ISP said that it looks like there is a problem with
some sort of firewall that is not letting data in. They
think my Norton Antivirus is malfunctioning and suggested
that I contact Symantec-Norton support to see if they can
figure it out. Does that make any sense?

Any ideas on where to go from here?
 
H Leboeuf

Yes, your firewall can possibly be the cause.

Also, it may be a HOSTS file problem.
Look also for a file named HOSTS (no extension, could be hidden); rename it
OLDHOSTS and reboot.
Some parasites create that file and cause havoc.
 
Jim Byrd

OK Tom, try the following and see at each step if it lets you get to the net
more easily. If so, stop at that step and then do the previously suggested
steps to clean up your computer and post back for some other things to do.

1. As Henri suggested, In IE6, Tools|Internet Options|Advanced uncheck
Enable third party browser extensions then close all instances of IE6 and
then reopen IE.

2. See if you have a file named HOSTS (no extension, and NOT HOSTS.sam)
in:
Windows XP\2000 Location: - C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 98\ME Location: - C:\WINDOWS

If you have such a file, rename it to: NOHOSTS

3. Disable ALL Norton/Symantec software, especially NIS and NAV.

4. Open a CMD window and enter: ipconfig /flushdns followed by
ENTER, and then enter ipconfig /registerdns followed by ENTER

Now see if you can get to the net and start downloading the updates, etc.
that you need to start cleaning your machine. After you get your downloads,
try reenabling your firewall temporarily. Please post back with your
results as you go.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
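
Added example (not part of the original thread or any poster's code): before renaming the HOSTS file as suggested above, it can be audited to see which names it overrides. This Python sketch parses HOSTS-format text and reports every mapping other than the standard localhost entry; the sample content and the address 203.0.113.10 are constructed for illustration.

```python
"""Audit HOSTS-format text for entries that override normal DNS lookups."""
import ipaddress
import sys

# Constructed sample content (an assumption, not data from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.lavasoftusa.com   # constructed: update site sinkholed
0.0.0.0         security.kolla.de
203.0.113.10    www.boston.com www.example.com
not-an-ip       broken.example
"""

# Names that are expected to map to a loopback address.
BENIGN_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for every mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        fields = line.split()
        yield line_no, fields[0], [h.lower() for h in fields[1:]]


def audit_hosts(text):
    """Return a list of (line_no, kind, address, hostname) findings.

    kind is "blocked" (name pinned to loopback or 0.0.0.0, so the site
    becomes unreachable), "redirected" (name pinned to some other
    address), or "malformed" (first field is not an IP address).
    """
    findings = []
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, "malformed", addr, " ".join(names)))
            continue
        for name in names:
            if name in BENIGN_NAMES and ip.is_loopback:
                continue                       # the normal localhost entry
            dead = ip.is_loopback or ip.is_unspecified
            kind = "blocked" if dead else "redirected"
            findings.append((line_no, kind, addr, name))
    return findings


if __name__ == "__main__":
    # Pass the real file, e.g. C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS,
    # as the first argument; with no argument the sample is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for line_no, kind, addr, name in audit_hosts(content):
        print(f"line {line_no}: {kind:<10} {name} -> {addr}")
```

A "blocked" finding for a security vendor's download or update host matches the symptom of being unable to reach those sites while other pages still load.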



Jim Byrd

Hi Tom - Try this (some of it may not appear to directly apply, but check it
anyway):

1. Go to Start|Run and enter one line at a time (or even easier, open a DOS
box and copy the following in its entirety and then paste it into the box):

regsvr32 comcat.dll
regsvr32 Shdocvw.dll
regsvr32 Oleaut32.dll
regsvr32 Actxprxy.dll
regsvr32 Mshtml.dll
regsvr32 Urlmon.dll
regsvr32 Shell32.dll
regsvr32 Msoeacct.dll
regsvr32 "C:\Program Files\Outlook Express\Msoe.dll"
regsvr32 msjava.dll
regsvr32 jscript.dll
regsvr32 browseui.dll
regsvr32 Stdole2.tlb
regsvr32 Olepro32.dll
regsvr32 Msjet40.dll
regsvr32 Msjtor40.dll
regsvr32 Dao360.dll


with a Return after each .dll. You'll get a message about successful
completion of the re-registration process after each one (which you'll have
to OK), then enter the next (with the DOS box they'll be continuous except
for the last one where you'll need to press RTN).

If you use Win98x and get an error on Shell32.dll, ignore it. Only the ME,
Win2k and XP versions of windows have shell32 as an object that needs
registering. (For these earlier operating systems, run "regsvr32
shdoc401.dll " instead of "regsvr32 Shell32.dll".) Depending on your
system, you may also get "not found" error messages on the last two - if so,
ignore them.

Re-start your computer when you've finished.

2. Some links to additional possible solutions are given here:
http://www.mvps.org/inetexplorer/answers.htm#new_window
Also see: http://support.microsoft.com/?kbid=281679 for certain registry
checks that can be made.

3. You can also do the following, but BE AWARE that it will reset to the
default Homepage and Search. Go to: IE/Tools/Internet Options/Programs/
and click Reset Web Settings.


4. And now go to Windows Explorer/Tools/Folder Options/File Types. Scroll
down to URL:HyperText Transfer Protocol/Advanced/Edit. Under Application
used to perform action it should read: "C:\Program Files\Internet
Explorer\iexplore.exe" -nohome

(Check the path to iexplore.exe to make sure that is correct and use the
double quotes. It may be "%SystemDrive%:\Program Files\Plus!\Microsoft
Internet" for NT4. )

DDE should be set to: "%1",,-1,0,,,,
Application should say: IExplore
DDE application not running should be blank
Topic should be: WWW_OpenURL

The above settings should also be there for URL:Gopher.

Here's a more detailed procedure for this if you have difficulty, courtesy
of Robert Aldwinckle:

"1. Find Files for E:\Program Files\iexplore.exe
(That's a partial path I'm giving it to just get there quicker.)
2. Use Alt-Enter to open the Properties for that file
3. Click on the Location: field. Select it all (Shift-F10,A)
4. Copy it to the clipboard. (Shift-F10,C)
5. Open Folder Options and navigate to
Editing action for type: URL: Hypertext Transfer Protocol
6. In the box labeled Application used to perform action (Alt-L)
highlight everything _between_ the first doublequote and the
last backslash. NB: leave unhighlighted the characters I mention
and everything after the last backslash.
7. Press Ctrl-v
8. Close the dialogs.

....
If there are other protocols you need fixed do them in the same way.

Here's what my procedure is based on. It will give you a
bit more detail about step 5 which is OS dependent.
FWIW I start Folder Options using my Start menu
(Win,s,f) (I'm using Windows NT + WDU.)

OLEXP: Internet Shortcuts in Outlook Express Do Not Start Web Browser
(Q177054)"



See if that helps.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



rajbaba

Hi,
Tom, did you ever figure out what caused this? Or more importantly,
what fixed it?

I am having the exact same problem, and it is just driving me nuts that I
can't go to links the first time, have to refresh or reclick. Or it
sometimes adds www.www.---.com.org to the address.

Does anyone know what I should try which will work? The post has many
solutions. I can start with the latest one...just wondering if someone
knows a concrete solution.

Thanks,
Raj
 
