Serious search problem

[Robin Bignall]

The problem is simple: after a search using Google or MSN, EVERY link
I click on goes to a semi-arbitrary advertising site. Sometimes
repeating the click gets the same site, sometimes a different one.
Searching has become impossible.

Clicking on links given in Usenet posts, or in my favourites file,
takes me to the correct site. Entering a URL into the entry line of
IE, or copying the URL from the bottom of a Google entry and pasting
it into the entry area, gives me the correct site. It's the links
that Google provides that are all getting redirected by something. I
used a tool to ensure that the Google search page I'm getting has not
been spoofed, and it told me it was clean. I have anti-fraud and
phishing stuff running.

What I've got: XP Pro with IE7 (problem also occurs with IE6): Norton
Internet Security 2007, A-Squared malware checker with real-time
monitor, CA firewall set to maximum protection. I'm not in the habit
of opening HTML mail or clicking on sites in spam mail, or of
downloading anything I'm not sure of.

What I've done:
checked HOSTS and LMHOSTS files - all okay.
Ran a deep scan with Norton and A-Squared. Also bought Adaware and
tried two other malware checkers, plus the online virus scan from
McAfee. No problems found other than a couple of tracking cookies
that were not causing the problem. In desperation I did a Windows
repair install, and ran all of the virus and malware checkers again.
This made no difference, and I have no idea what to try next.

Any ideas?

 

[SingaporeWebDesign]

Hello,

Try running IE7 without add-ons

Go to Start > Programs > Accessories > System Tools > Internet Explorer 7
(No Add-ons) to start without any add-ons.

Close the browser and see whether the problem occurs again.

If the problem does not occur again, start IE7, go to Tools > Manage Add-ons
and disable all the add-ons and enable them one by one till the problem
appears and you get the culprit.

Also, try performing a spyware scan by downloading and running
SuperAntispyware from here

http://www.superantispyware.com
(the free HOME edition is sufficient for your needs)

--
Singapore Website Design
http://www.bootstrike.com/Webdesign/
Singapore Web Hosting
http://www.bootstrike.com/WinXP/faq.html
Windows XP FAQ

The problem is simple: after a search using Google or MSN, EVERY link
I click on goes to a semi-arbitrary advertising site. Sometimes
repeating the click gets the same site, sometimes a different one.
Searching has become impossible.

Clicking on links given in Usenet posts, or in my favourites file,
takes me to the correct site. Entering a URL into the entry line of
IE, or copying the URL from the bottom of a Google entry and pasting
it into the entry area, gives me the correct site. It's the links
that Google provides that are all getting redirected by something. I
used a tool to ensure that the Google search page I'm getting has not
been spoofed, and it told me it was clean. I have anti-fraud and
phishing stuff running.

What I've got: XP Pro with IE7 (problem also occurs with IE6): Norton
Internet Security 2007, A-Squared malware checker with real-time
monitor, CA firewall set to maximum protection. I'm not in the habit
of opening HTML mail or clicking on sites in spam mail, or of
downloading anything I'm not sure of.

What I've done:
checked HOSTS and LMHOSTS files - all okay.
Ran a deep scan with Norton and A-Squared. Also bought Adaware and
tried two other malware checkers, plus the online virus scan from
McAfee. No problems found other than a couple of tracking cookies
that were not causing the problem. In desperation I did a Windows
repair install, and ran all of the virus and malware checkers again.
This made no difference, and I have no idea what to try next.

Any ideas?

 

[Guest]

The problem is simple: after a search using Google or MSN, EVERY link
I click on goes to a semi-arbitrary advertising site. Sometimes
repeating the click gets the same site, sometimes a different one.
Searching has become impossible.

Clicking on links given in Usenet posts, or in my favourites file,
takes me to the correct site. Entering a URL into the entry line of
IE, or copying the URL from the bottom of a Google entry and pasting
it into the entry area, gives me the correct site. It's the links
that Google provides that are all getting redirected by something. I
used a tool to ensure that the Google search page I'm getting has not
been spoofed, and it told me it was clean. I have anti-fraud and
phishing stuff running.

What I've got: XP Pro with IE7 (problem also occurs with IE6): Norton
Internet Security 2007, A-Squared malware checker with real-time
monitor, CA firewall set to maximum protection. I'm not in the habit
of opening HTML mail or clicking on sites in spam mail, or of
downloading anything I'm not sure of.

What I've done:
checked HOSTS and LMHOSTS files - all okay.
Ran a deep scan with Norton and A-Squared. Also bought Adaware and
tried two other malware checkers, plus the online virus scan from
McAfee. No problems found other than a couple of tracking cookies
that were not causing the problem. In desperation I did a Windows
repair install, and ran all of the virus and malware checkers again.
This made no difference, and I have no idea what to try next.

Any ideas?

Hi Robin,
1...Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Internet Options.
On the IE properties windows you will see these Taps:
General | Security | Privacy | Content | Connections | Programs |
Advanced.

Click on General Tab, under Browsing Histroy Click Delete Button then Click
Delete all... Button and also check the check box for Delete
files and settings stored by add-ons.
Click [ Yes ].
Click Privacy Tab and make sure your Privacy settings at least Medium High,
Also under:
Pop-Up Blocker:
Prevent most pop-up windows from appearing. [ Settings ] Click here to
see if your Pop-Up blocker is set Medium High
[ ] Turn on Pop-Up Blocker <= Check this Box.

Click Programs Tab, then click on manage add-ons there Disable all
not-verified add-ons then click [OK]
Click Advanced tab, scroll until Browsing Option:
[&] Browsing:
[ ] Enable Third-Party browser extensions* <= uncheck this box
[ ] Enable websites to use search pane* <= uncheck this box


Then scroll to:
[*] Phishing Filter:
( ) Disable Phishing Filter
( ) Turn OFF Automatic Website checking
(*) Turn ON Automatic website checking <= Check this Radio Button

2...Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Network Connections then Right click on your
Local Area Connection (LAN) and select Properties from the list.
On the LAN Properties window Highlight Internet Protocol (TCP/IP) and click
Properties Button, on the Internet protocol
(TCP/IP) Properties click on Advanced Button.
On Advanced TCP/IP settings, make sure there is no DNS name or IP under:
IP Settings | DNS | WINS | Options.
If there is and no recognised by your ISP then the likely is the bad IP that
redirect you to this advertising sites.
Click on Options and click on Properties while the TCP/IP Filtering is
selected and see if there is an entry for any IPs there.
Click [OK] when Finished.

3.. Click Start >> Run and type in:
regedit.exe click [OK] on the Registry Editor locate these Keys:

[-]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar = What
listed here?

[-]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks =
What listed here?

[-]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search page

[-]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap =

Use this tool to see the Registry and all the DLLs and running processes in
real time on your system.
"AutoRuns for Windows v8.61 By Mark Russinovich and Bryce Cogswell"
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Autoruns.mspx
The tool above will show in real time the running processes and can show
what in the registry, DLLs on your machine and you can use it to
remove/Delete a file or edit the startup programs.
HTH.
nass

 

[Robin Bignall]

Hello,

Thanks for trying to help. It's much appreciated.

Try running IE7 without add-ons

Go to Start > Programs > Accessories > System Tools > Internet Explorer 7
(No Add-ons) to start without any add-ons.

Close the browser and see whether the problem occurs again.

Unfortunately, it does. See my response to Nass.

If the problem does not occur again, start IE7, go to Tools > Manage Add-ons
and disable all the add-ons and enable them one by one till the problem
appears and you get the culprit.

Also, try performing a spyware scan by downloading and running
SuperAntispyware from here

SuperAntiSpyware is one of the four malware checkers that I've run.

 

[Robin Bignall]

Hi Robin,

Hi, Nass. Thanks for all of your suggestions.

1...Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Internet Options.
On the IE properties windows you will see these Taps:
General | Security | Privacy | Content | Connections | Programs |
Advanced.

Click on General Tab, under Browsing Histroy Click Delete Button then Click
Delete all... Button and also check the check box for Delete
files and settings stored by add-ons.
Click [ Yes ].
Click Privacy Tab and make sure your Privacy settings at least Medium High,
Also under:
Pop-Up Blocker:
Prevent most pop-up windows from appearing. [ Settings ] Click here to
see if your Pop-Up blocker is set Medium High
[ ] Turn on Pop-Up Blocker <= Check this Box.

Click Programs Tab, then click on manage add-ons there Disable all
not-verified add-ons then click [OK]
Click Advanced tab, scroll until Browsing Option:
[&] Browsing:
[ ] Enable Third-Party browser extensions* <= uncheck this box
[ ] Enable websites to use search pane* <= uncheck this box


Then scroll to:
[*] Phishing Filter:
( ) Disable Phishing Filter
( ) Turn OFF Automatic Website checking
(*) Turn ON Automatic website checking <= Check this Radio Button

2...Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Network Connections then Right click on your
Local Area Connection (LAN) and select Properties from the list.
On the LAN Properties window Highlight Internet Protocol (TCP/IP) and click
Properties Button, on the Internet protocol
(TCP/IP) Properties click on Advanced Button.
On Advanced TCP/IP settings, make sure there is no DNS name or IP under:
IP Settings | DNS | WINS | Options.
If there is and no recognised by your ISP then the likely is the bad IP that
redirect you to this advertising sites.
Click on Options and click on Properties while the TCP/IP Filtering is
selected and see if there is an entry for any IPs there.
Click [OK] when Finished.

Okay, I tried all of the above and thought I'd solved the problem,
because the DNS entries were different from my own ISP's. I changed
them to what they should be, rebooted, and for good luck also rebooted
the cable modem. I got to IE7 via the start menu to run it without
add-ons, as the previous poster suggested, and the problem is exactly
as it was before. I tried several searches on Google's UK and France
and every link takes me to an ad site.

3.. Click Start >> Run and type in:
regedit.exe click [OK] on the Registry Editor locate these Keys:

[-]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar = What
listed here?

default reg_sz value not set
locked reg-dword 0x0000001

[-]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks=
What listed here?

default not set
{CFBFAE00-17A6-1100-99CB-00C04FD64497}

[-]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search page
ie.search.msn.com

[-]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap =

Four reg doublewords with values of 0x0000001
a whole bunch of sub-folders with doublewords ranging from empty
(blank) to 0x0000003

I don't see anything sinister in any of the above. (I can't seem to
be able to copy/paste from regedit to show the full entries).

Use this tool to see the Registry and all the DLLs and running processesin
real time on your system.
"AutoRuns for Windows v8.61 By Mark Russinovich and Bryce Cogswell"
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Autoruns.mspx
The tool above will show in real time the running processes and can show
what in the registry, DLLs on your machine and you can use it to
remove/Delete a file or edit the startup programs.

I downloaded this tool (thanks for letting me know about this) and ran
it with verification and empty locations set, and verified Microsoft
stuff eliminated, just to see if any strange things were lurking. It
shows that everything that's in there is part of my known
applications.

I just checked my DNS settings again to see if anything has changed
them, but they're fine.

This is all rather weird. I have no peculiar applications
auto-starting, no malware or viruses that any of the tools can find,
and the problem survived through a Windows repair.

 

[Guest]

Hi Robin,

Hi, Nass. Thanks for all of your suggestions.

1...Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Internet Options.
On the IE properties windows you will see these Taps:
General | Security | Privacy | Content | Connections | Programs |
Advanced.

Click on General Tab, under Browsing Histroy Click Delete Button then Click
Delete all... Button and also check the check box for Delete
files and settings stored by add-ons.
Click [ Yes ].
Click Privacy Tab and make sure your Privacy settings at least Medium High,
Also under:
Pop-Up Blocker:
Prevent most pop-up windows from appearing. [ Settings ] Click here to
see if your Pop-Up blocker is set Medium High
[ ] Turn on Pop-Up Blocker <= Check this Box.

Click Programs Tab, then click on manage add-ons there Disable all
not-verified add-ons then click [OK]
Click Advanced tab, scroll until Browsing Option:
[&] Browsing:
[ ] Enable Third-Party browser extensions* <= uncheck this box
[ ] Enable websites to use search pane* <= uncheck this box


Then scroll to:
[*] Phishing Filter:
( ) Disable Phishing Filter
( ) Turn OFF Automatic Website checking
(*) Turn ON Automatic website checking <= Check this Radio Button

2...Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Network Connections then Right click on your
Local Area Connection (LAN) and select Properties from the list.
On the LAN Properties window Highlight Internet Protocol (TCP/IP) and click
Properties Button, on the Internet protocol
(TCP/IP) Properties click on Advanced Button.
On Advanced TCP/IP settings, make sure there is no DNS name or IP under:
IP Settings | DNS | WINS | Options.
If there is and no recognised by your ISP then the likely is the bad IP that
redirect you to this advertising sites.
Click on Options and click on Properties while the TCP/IP Filtering is
selected and see if there is an entry for any IPs there.
Click [OK] when Finished.

Okay, I tried all of the above and thought I'd solved the problem,
because the DNS entries were different from my own ISP's. I changed
them to what they should be, rebooted, and for good luck also rebooted
the cable modem. I got to IE7 via the start menu to run it without
add-ons, as the previous poster suggested, and the problem is exactly
as it was before. I tried several searches on Google's UK and France
and every link takes me to an ad site.

3.. Click Start >> Run and type in:
regedit.exe click [OK] on the Registry Editor locate these Keys:

[-]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar = What
listed here?

default reg_sz value not set
locked reg-dword 0x0000001

[-]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks =
What listed here?

default not set
{CFBFAE00-17A6-1100-99CB-00C04FD64497}

[-]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search page
ie.search.msn.com

[-]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap =

Four reg doublewords with values of 0x0000001
a whole bunch of sub-folders with doublewords ranging from empty
(blank) to 0x0000003

I don't see anything sinister in any of the above. (I can't seem to
be able to copy/paste from regedit to show the full entries).

Use this tool to see the Registry and all the DLLs and running processes in
real time on your system.
"AutoRuns for Windows v8.61 By Mark Russinovich and Bryce Cogswell"
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Autoruns.mspx
The tool above will show in real time the running processes and can show
what in the registry, DLLs on your machine and you can use it to
remove/Delete a file or edit the startup programs.

I downloaded this tool (thanks for letting me know about this) and ran
it with verification and empty locations set, and verified Microsoft
stuff eliminated, just to see if any strange things were lurking. It
shows that everything that's in there is part of my known
applications.

I just checked my DNS settings again to see if anything has changed
them, but they're fine.

This is all rather weird. I have no peculiar applications
auto-starting, no malware or viruses that any of the tools can find,
and the problem survived through a Windows repair.

Hi Robin,
Since you mentioned that your DNS is been changed that you may be have
infection on this machine, try to scan from the following links and try the
HijackThis forums.
Run a scan from here on-line:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Lots of tools to download and disinfect your machine:
http://www.bitdefender.co.uk/site/Downloads/browseFreeRemovalTool/

If you still directed Download the Hijackthis and send the report to one of
many
forums for analysis and troubleshooting:
When all else fails, HijackThis v1.99.1
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. Post
your log to http://aumha.net/viewforum.php?f=30,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7, or other appropriate
forums for expert analysis, not here.
HTH.
Let us know.
Regards,
nass

 

[Robin Bignall]

:

The problem is simple: after a search using Google or MSN, EVERY link
I click on goes to a semi-arbitrary advertising site. Sometimes
repeating the click gets the same site, sometimes a different one.
Searching has become impossible.

Clicking on links given in Usenet posts, or in my favourites file,
takes me to the correct site. Entering a URL into the entry line of
IE, or copying the URL from the bottom of a Google entry and pasting
it into the entry area, gives me the correct site. It's the links
that Google provides that are all getting redirected by something. I
used a tool to ensure that the Google search page I'm getting has not
been spoofed, and it told me it was clean. I have anti-fraud and
phishing stuff running.

What I've got: XP Pro with IE7 (problem also occurs with IE6): Norton
Internet Security 2007, A-Squared malware checker with real-time
monitor, CA firewall set to maximum protection. I'm not in the habit
of opening HTML mail or clicking on sites in spam mail, or of
downloading anything I'm not sure of.

What I've done:
checked HOSTS and LMHOSTS files - all okay.
Ran a deep scan with Norton and A-Squared. Also bought Adaware and
tried two other malware checkers, plus the online virus scan from
McAfee. No problems found other than a couple of tracking cookies
that were not causing the problem. In desperation I did a Windows
repair install, and ran all of the virus and malware checkers again.
This made no difference, and I have no idea what to try next.

Any ideas?
--
Robin Bignall
Herts, England

Hi Robin,

Hi, Nass. Thanks for all of your suggestions.

1...Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Internet Options.
On the IE properties windows you will see these Taps:
General | Security | Privacy | Content | Connections | Programs |
Advanced.

Click on General Tab, under Browsing Histroy Click Delete Button thenClick
Delete all... Button and also check the check box for Delete
files and settings stored by add-ons.
Click [ Yes ].
Click Privacy Tab and make sure your Privacy settings at least MediumHigh,
Also under:
Pop-Up Blocker:
Prevent most pop-up windows from appearing. [ Settings ] Click here to
see if your Pop-Up blocker is set Medium High
[ ] Turn on Pop-Up Blocker <= Check this Box.

Click Programs Tab, then click on manage add-ons there Disable all
not-verified add-ons then click [OK]
Click Advanced tab, scroll until Browsing Option:
[&] Browsing:
[ ] Enable Third-Party browser extensions* <= uncheck this box
[ ] Enable websites to use search pane* <= uncheck this box


Then scroll to:
[*] Phishing Filter:
( ) Disable Phishing Filter
( ) Turn OFF Automatic Website checking
(*) Turn ON Automatic website checking <= Check this Radio Button

2...Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Network Connections then Right click on your
Local Area Connection (LAN) and select Properties from the list.
On the LAN Properties window Highlight Internet Protocol (TCP/IP) andclick
Properties Button, on the Internet protocol
(TCP/IP) Properties click on Advanced Button.
On Advanced TCP/IP settings, make sure there is no DNS name or IP under:
IP Settings | DNS | WINS | Options.
If there is and no recognised by your ISP then the likely is the bad IP that
redirect you to this advertising sites.
Click on Options and click on Properties while the TCP/IP Filtering is
selected and see if there is an entry for any IPs there.
Click [OK] when Finished.

Okay, I tried all of the above and thought I'd solved the problem,
because the DNS entries were different from my own ISP's. I changed
them to what they should be, rebooted, and for good luck also rebooted
the cable modem. I got to IE7 via the start menu to run it without
add-ons, as the previous poster suggested, and the problem is exactly
as it was before. I tried several searches on Google's UK and France
and every link takes me to an ad site.

3.. Click Start >> Run and type in:
regedit.exe click [OK] on the Registry Editor locate these Keys:

[-]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar =What
listed here?

default reg_sz value not set
locked reg-dword 0x0000001

[-]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks =
What listed here?

default not set
{CFBFAE00-17A6-1100-99CB-00C04FD64497}

[-]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Searchpage
ie.search.msn.com

[-]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap =

Four reg doublewords with values of 0x0000001
a whole bunch of sub-folders with doublewords ranging from empty
(blank) to 0x0000003

I don't see anything sinister in any of the above. (I can't seem to
be able to copy/paste from regedit to show the full entries).

Use this tool to see the Registry and all the DLLs and running processes in
real time on your system.
"AutoRuns for Windows v8.61 By Mark Russinovich and Bryce Cogswell"
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Autoruns.mspx
The tool above will show in real time the running processes and can show
what in the registry, DLLs on your machine and you can use it to
remove/Delete a file or edit the startup programs.

I downloaded this tool (thanks for letting me know about this) and ran
it with verification and empty locations set, and verified Microsoft
stuff eliminated, just to see if any strange things were lurking. It
shows that everything that's in there is part of my known
applications.

I just checked my DNS settings again to see if anything has changed
them, but they're fine.

This is all rather weird. I have no peculiar applications
auto-starting, no malware or viruses that any of the tools can find,
and the problem survived through a Windows repair.

Hi Robin,
Since you mentioned that your DNS is been changed that you may be have
infection on this machine, try to scan from the following links and try the
HijackThis forums.
Run a scan from here on-line:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Lots of tools to download and disinfect your machine:
http://www.bitdefender.co.uk/site/Downloads/browseFreeRemovalTool/

If you still directed Download the Hijackthis and send the report to oneof
many
forums for analysis and troubleshooting:
When all else fails, HijackThis v1.99.1
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. Post
your log to http://aumha.net/viewforum.php?f=30,

Hi, Nass,

I finally solved the problem with the magnificent help of Bill Kastner
the aumha forums, for the knowledge of which I thank you very much.
rather than repeat all of the steps, they can be seen at
http://aumha.net/viewtopic.php?p=153605#153605

I have learned some interesting things.

 

[Guest]

On Tue, 29 May 2007 01:49:01 -0700, nass



:

The problem is simple: after a search using Google or MSN, EVERY link
I click on goes to a semi-arbitrary advertising site. Sometimes
repeating the click gets the same site, sometimes a different one.
Searching has become impossible.

Clicking on links given in Usenet posts, or in my favourites file,
takes me to the correct site. Entering a URL into the entry line of
IE, or copying the URL from the bottom of a Google entry and pasting
it into the entry area, gives me the correct site. It's the links
that Google provides that are all getting redirected by something. I
used a tool to ensure that the Google search page I'm getting has not
been spoofed, and it told me it was clean. I have anti-fraud and
phishing stuff running.

What I've got: XP Pro with IE7 (problem also occurs with IE6): Norton
Internet Security 2007, A-Squared malware checker with real-time
monitor, CA firewall set to maximum protection. I'm not in the habit
of opening HTML mail or clicking on sites in spam mail, or of
downloading anything I'm not sure of.

What I've done:
checked HOSTS and LMHOSTS files - all okay.
Ran a deep scan with Norton and A-Squared. Also bought Adaware and
tried two other malware checkers, plus the online virus scan from
McAfee. No problems found other than a couple of tracking cookies
that were not causing the problem. In desperation I did a Windows
repair install, and ran all of the virus and malware checkers again.
This made no difference, and I have no idea what to try next.

Any ideas?
--
Robin Bignall
Herts, England

Hi Robin,

Hi, Nass. Thanks for all of your suggestions.

1...Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Internet Options.
On the IE properties windows you will see these Taps:
General | Security | Privacy | Content | Connections | Programs |
Advanced.

Click on General Tab, under Browsing Histroy Click Delete Button then Click
Delete all... Button and also check the check box for Delete
files and settings stored by add-ons.
Click [ Yes ].
Click Privacy Tab and make sure your Privacy settings at least Medium High,
Also under:
Pop-Up Blocker:
Prevent most pop-up windows from appearing. [ Settings ] Click here to
see if your Pop-Up blocker is set Medium High
[ ] Turn on Pop-Up Blocker <= Check this Box.

Click Programs Tab, then click on manage add-ons there Disable all
not-verified add-ons then click [OK]
Click Advanced tab, scroll until Browsing Option:
[&] Browsing:
[ ] Enable Third-Party browser extensions* <= uncheck this box
[ ] Enable websites to use search pane* <= uncheck this box


Then scroll to:
[*] Phishing Filter:
( ) Disable Phishing Filter
( ) Turn OFF Automatic Website checking
(*) Turn ON Automatic website checking <= Check this Radio Button

2...Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Network Connections then Right click on your
Local Area Connection (LAN) and select Properties from the list.
On the LAN Properties window Highlight Internet Protocol (TCP/IP) and click
Properties Button, on the Internet protocol
(TCP/IP) Properties click on Advanced Button.
On Advanced TCP/IP settings, make sure there is no DNS name or IP under:
IP Settings | DNS | WINS | Options.
If there is and no recognised by your ISP then the likely is the bad IP that
redirect you to this advertising sites.
Click on Options and click on Properties while the TCP/IP Filtering is
selected and see if there is an entry for any IPs there.
Click [OK] when Finished.


Okay, I tried all of the above and thought I'd solved the problem,
because the DNS entries were different from my own ISP's. I changed
them to what they should be, rebooted, and for good luck also rebooted
the cable modem. I got to IE7 via the start menu to run it without
add-ons, as the previous poster suggested, and the problem is exactly
as it was before. I tried several searches on Google's UK and France
and every link takes me to an ad site.

3.. Click Start >> Run and type in:
regedit.exe click [OK] on the Registry Editor locate these Keys:

[-]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar = What
listed here?

default reg_sz value not set
locked reg-dword 0x0000001

[-]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks =
What listed here?

default not set
{CFBFAE00-17A6-1100-99CB-00C04FD64497}

[-]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search page

ie.search.msn.com

[-]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap =


Four reg doublewords with values of 0x0000001
a whole bunch of sub-folders with doublewords ranging from empty
(blank) to 0x0000003

I don't see anything sinister in any of the above. (I can't seem to
be able to copy/paste from regedit to show the full entries).


Use this tool to see the Registry and all the DLLs and running processes in
real time on your system.
"AutoRuns for Windows v8.61 By Mark Russinovich and Bryce Cogswell"
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Autoruns.mspx
The tool above will show in real time the running processes and can show
what in the registry, DLLs on your machine and you can use it to
remove/Delete a file or edit the startup programs.

I downloaded this tool (thanks for letting me know about this) and ran
it with verification and empty locations set, and verified Microsoft
stuff eliminated, just to see if any strange things were lurking. It
shows that everything that's in there is part of my known
applications.

I just checked my DNS settings again to see if anything has changed
them, but they're fine.

This is all rather weird. I have no peculiar applications
auto-starting, no malware or viruses that any of the tools can find,
and the problem survived through a Windows repair.

Hi Robin,
Since you mentioned that your DNS is been changed that you may be have
infection on this machine, try to scan from the following links and try the
HijackThis forums.
Run a scan from here on-line:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Lots of tools to download and disinfect your machine:
http://www.bitdefender.co.uk/site/Downloads/browseFreeRemovalTool/

If you still directed Download the Hijackthis and send the report to one of
many
forums for analysis and troubleshooting:
When all else fails, HijackThis v1.99.1
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. Post
your log to http://aumha.net/viewforum.php?f=30,

Hi, Nass,

I finally solved the problem with the magnificent help of Bill Kastner
the aumha forums, for the knowledge of which I thank you very much.
rather than repeat all of the steps, they can be seen at
http://aumha.net/viewtopic.php?p=153605#153605

I have learned some interesting things.

Hi Robin,
Glad you got it sorted and thanks for taking the time to post back the
solution much appreciated.
Thanks and Good luck.
Regards,
nass