IE6 Hi-jacked?

[Puddin' Man]

Hi,

This is about as strange as I've ever seen ...

W2K SP4 desktop, Sunbelt/Kerio pers. firewall, AVG, Spybot S&D, IE6.

I've used IE6 to access Fidelity sites for years. No change in IE6
settings for ages.

I went to https://www.fidelity.com today, got a quote on fdffx (a Fid.
fund), clicked the Research button, and it took me to:

http://personal.fidelity.com/products/funds/mfl_frame.shtml?316145309

where I find the usual Fid. banner in the top 10% of the screen. The
other 90% is a super-hype screen for Cake Financial Corporation.

I got a Fid. "techie" on the phone. He assures me that Cake's stuff
will -never- be part of a Fid. url, thinks my IE6 has been hi-jacked.
So, I flush my cache, confirm no Fid. cookies, delete file, set
security, etc to default. No help.

Then I update Spybot and run it. Nothing but Netburst (which I always got)
which tracks, not hi-jacks.

With a search, I find about 20 dir's like:

c:\docs and settings\me\loaal settings\temp inet files\Content.IE5\*

and names like cake[2].js type=jscript. I can delete all but 2, for
which I get an error: "Cannot read from the source file or disk".
And I still get "Cake".

How can I be getting, on a Fidelity website, a Fidelity site header,
and totally unrelated content from Cake? Why can't I delete the jscript
files? Etc, etc.

Thanks,
Puddin'

"Take Yo' Hand Out My Pocket (I Ain't Got Nothing What Belongs To You)!"
- Rice Miller, who probably never even _heard_ of GW Bush, Paulson, etc

 

[PA Bear [MS MVP]]

What you're seeing may be a "malvertizement" (cf.
http://whatis.techtarget.com/definition/malvertizement.html), certainly not
unusual in this time of economic turmoil and bank failures.

Or you may have a hijackware infection:

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjunction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://aumha.net/viewforum.php?f=30, or another appropriate forum for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

Hi,

This is about as strange as I've ever seen ...

W2K SP4 desktop, Sunbelt/Kerio pers. firewall, AVG, Spybot S&D, IE6.

I've used IE6 to access Fidelity sites for years. No change in IE6
settings for ages.

I went to https://www.fidelity.com today, got a quote on fdffx (a Fid.
fund), clicked the Research button, and it took me to:

http://personal.fidelity.com/products/funds/mfl_frame.shtml?316145309

where I find the usual Fid. banner in the top 10% of the screen. The
other 90% is a super-hype screen for Cake Financial Corporation.

I got a Fid. "techie" on the phone. He assures me that Cake's stuff
will -never- be part of a Fid. url, thinks my IE6 has been hi-jacked.
So, I flush my cache, confirm no Fid. cookies, delete file, set
security, etc to default. No help.

Then I update Spybot and run it. Nothing but Netburst (which I always got)
which tracks, not hi-jacks.

With a search, I find about 20 dir's like:

c:\docs and settings\me\loaal settings\temp inet files\Content.IE5\*

and names like cake[2].js type=jscript. I can delete all but 2, for
which I get an error: "Cannot read from the source file or disk".
And I still get "Cake".

How can I be getting, on a Fidelity website, a Fidelity site header,
and totally unrelated content from Cake? Why can't I delete the jscript
files? Etc, etc.

Thanks,
Puddin'

"Take Yo' Hand Out My Pocket (I Ain't Got Nothing What Belongs To You)!"
- Rice Miller, who probably never even _heard_ of GW Bush, Paulson, etc

 

[Puddin' Man]

What you're seeing may be a "malvertizement" (cf.
http://whatis.techtarget.com/definition/malvertizement.html), certainly not
unusual in this time of economic turmoil and bank failures.

Not certain what it might have to do with bank failures, etc, but ...

Or you may have a hijackware infection:

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm

They like "Ad-Aware SE". I have Ad-Aware 2008 (free).
The instructions are seriously dated:

"Click the gear icon at the top ..."

No gear icon. Etc, etc.

Your response was just a "all imaginable malware sites" thingness?
Are the rest of 'em as dated as http://aumha.org/a/parasite.htm?

What -is- aumha, anyway???

P

"Take Yo' Hand Out My Pocket (I Ain't Got Nothing What Belongs To You)!"
- Rice Miller, who probably never even _heard_ of GW Bush, Paulson, etc

 

[PA Bear [MS MVP]]

You gotta start somewhere, d00d.

<QP>
What does "aumha" mean? The name of this domain consists of the two Sanskrit
words, aum ha, the first and last letters of the (devanagari) Sanskrit
alphabet - thus equivalent to the Greek "Alpha and Omega," the beginning and
end and, implicitly, the eternity that passes between. The first, aum, most
often written in English as Om, is a sacred syllable representing the course
of breath and the life-cycle - creation, preservation, destruction - "a
symbol both of the Personal God and of the Absolute" (Swami Vivekananda). It
is "at once an invocation, a benediction, an affirmation, and a promise"
(G.A. Barborka). Ha is an expulsion of breath and a word for the Sun. As a
pun, it is also the Hebrew word for "behold," etc. One translation of the
phrase aum ha, therefore, might be, "Alpha & Omega, The Sempiternal Sun." As
you can see, this has nothing at all to do with computers (or, possibly, has
everything to do with computers). It is a mantra that, for about 25 years,
has had deep personal meaning for me.
</QP>
Source: http://www.aumha.org/about.php

 

[Puddin' Man]

You gotta start somewhere, d00d.

Did you tell me where? Or did you wide-choke shotgun po' me?

<QP>
What does "aumha" mean? The name of this domain consists of the two Sanskrit
words, aum ha, the first and last letters of the (devanagari) Sanskrit ...
everything to do with computers). It is a mantra that, for about 25 years,
has had deep personal meaning for me.
</QP>
Source: http://www.aumha.org/about.php

So I'll say OOOOOOOOOOOOOOOOooooooooooooooooooooooohhhhhhhhhhhhhhmmmmmmmmmm
next time it happens.

A question remains:
How can I be getting, on a Fidelity website, a Fidelity site header,
and totally unrelated content from Cake?

It's my own fault for forgetting to run "view source" to see if
that would sort it out.

Safe to assume you didn't load the url to test the offending site?

P

"Take Yo' Hand Out My Pocket (I Ain't Got Nothing What Belongs To You)!"
- Rice Miller, who probably never even _heard_ of GW Bush, Paulson, etc