Unwanted redirection

war17

Some website has hijacked your search.

1. Use the following scanners to find and remove the website.

SpyBot S&D searches your harddisk for so-called spy- or adbots;
http://security.kolla.de/
or
Adaware
http://www.lavasoftusa.com/software/adaware/
or
CoolWebShredder
http://www.spychecker.com/program/coolwebshredder.html

2. Some porn websites redirect links to their websites using your HOSTS
file. Do a search for the HOSTS (without extension) file and remove the
entry.

3. If still no joy, download HijackThis from Spywareinfo download page

http://www.spywareinfo.com/program/hijackthis.html

Run the program and you will find many entries. Most are OK. Post the log. I
will find the problem for you.

4. For future preventive maintenance, make sure programs cannot just
download on your computer without your permission. From the Internet
Toolbar, go to Tools > Internet Options > Advanced. Make sure "Enable
Install On Demand (Internet Explorer)" and "Enable Install On Demand
(Other)" are unchecked.

--
Warren
For additional help, post in
http://groups.msn.com/HelpforInternetExplorerorWindowsME/homepage

tyler said:
When I go to certain websites (www.hi-speed.rogers.com is one) it goes to
that page and then it sounds like the noise it makes when you click on a
hyperlink and re-directs me to an advertising page with the address
http://209.47.15.67/int/set?type=468-60. Please help. Thanks
 
brent

I'm having the same issue when I type in www.evite.com,
www.ebay.com, www.foodnetwork.com I get redirected to the
following URL
http://209.47.15.67/int/set?type=468-60

I followed all of these instructions and I'm still being
redirected. Here is my log file from HiJackThis

Logfile of HijackThis v1.97.7
Scan saved at 10:15:25 AM, on 3/5/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\insight\tools\aiclient.exe
C:\WINNT\System32\Ati2evxx.exe
C:\insight\tools\AICR.EXE
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Iomega HotBurn\Autolaunch.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\Program Files\Cisco Systems\Aironet Client
Monitor\ACUMon.Exe
C:\WINNT\System32\mrtMngr.EXE
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\Program Files\SMC\EZ Connect Wireless\Config.exe
C:\Program Files\AdsGone\adsgone.exe
C:\Palm\HOTSYNC.EXE
C:\o2kstd\PFiles\MSOffice\Office\1033\msoffice.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Lotus\Sametime Client\activmon.srv
C:\Palm\palm.exe
C:\o2kstd\PFiles\MSOffice\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033
\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\smithb8\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://energy.home.ge.com/MainPage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,
(Default) = http://keyword.netscape.com/keyword/%s
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = ftp=http-
proxy.geps.ge.com:80;gopher=http-
proxy.geps.ge.com:80;http=http-
proxy.geps.ge.com:80;https=http-
proxy.geps.ge.com:80;socks=http-proxy.geps.ge.com:80
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride =
dynhost.inetcam.com;register.inetcam.com;gepsdc.ps.ge.com;g
psdba96.corporate.ge.com;;localhost;<local>
O1 - Hosts: 3.96.199.160 gaatlx04psge.geips.ge.com
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-
910304A55011} - C:\WINNT\hhU.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-
00D0B743919D} - C:\WINNT\System32\StopzillaBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-
00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager]
mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program
Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program
Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program
Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program
Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [DIGStream] C:\Program
Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program
Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program
Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [vptray] C:\Program
Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SMS Application Launcher]
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco
Systems\Aironet Client Monitor\ACUMon.Exe"
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!
\Stopzilla.exe" /autorun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\MsnMsgr.Exe" /background
O4 - Startup: AdsGone.lnk = C:\Program
Files\AdsGone\adsgone.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk =
C:\o2kstd\PFiles\MSOffice\Office\OSA9.EXE
O4 - Global Startup: Configuration Utility.lnk =
C:\Program Files\SMC\EZ Connect Wireless\Config.exe
O4 - Global Startup: SMC2635W 11Mbps WLAN Monitor.lnk =
C:\WINNT\System32\SMC2635WMonitor.exe
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .asf: C:\Program
Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .au: C:\Program
Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .wav: C:\Program
Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O16 - DPF: Sametime Meeting Room Client ST30EMS -
http://psmeeting01c.ge.com/sametime/stmeetingroomclient/STM
eetingRoomClient.cab
O16 - DPF: {01112303-3E00-11D2-8470-0060089874ED} -
http://www.comcastsupport.com/sdccommon/download/tgctlch.ca
b
O16 - DPF: {01112B00-3E00-11D2-8470-0060089874ED} -
http://www.comcastsupport.com/sdccommon/download/tgrc.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} -
http://www.comcastsupport.com/sdccommon/download/tgctlcm.ca
b
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089}
(Microsoft Office Template and Media Control) -
http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0}
(QuickPlace Class) - http://mmfquickplace01.ge.com/qp2.cab
O16 - DPF: {1EE104B2-B32A-43D2-8DF1-2FD84BD00B14}
(WebIntelligence 2.6 Report Editor Control) -
http://gepsdc.ps.ge.com/wi/ActiveX/WIPanelXEN.cab
O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF}
(JNILoader Control) -
http://psmeeting01c.ge.com/sametime/STMeetingRoomClient/STJ
NILoader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB}
(YInstStarter Class) -
http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52/20021017/qtinstall.info
..apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7}
(DmiReader Class) -
http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68}
(InstallShield International Setup Player) -
http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7}
(HPObjectInstaller Class) -
http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions
..cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update
Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl
..CAB?38051.2379861111
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C}
(Downloader Class) -
https://www.stopzilla.com/_download/Auto_Installer/dwnldr.c
ab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
(Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swf
lash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE}
(Microsoft Office Tools on the Web Control) -
http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}
(GpcContainer Class) -
http://oracleisdtest.webex.com/client/v_oracleisdtest/webex
/ieatgpc.cab
O16 - DPF: {E292EFB0-EE32-11D1-8C74-0000C0B0E2E9}
(RptViewerAX Class) -
http://gepsdc.ps.ge.com/wi/ActiveX/RptViewerEN.cab
O16 - DPF: {F9B3E1F4-3F66-11D3-AD61-0090275A7262}
(ZABOClientControl Class) -
http://gepsdc.ps.ge.com/wi/ActiveX/ZABOIEEN.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
psamer.ps.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
psamer.ps.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
psamer.ps.ge.com

thanks,
Brent
 
Mike Burgess

Brent,
FYI: you have "HungryHands" (adware)

You need to create a folder [example] C:\HijackThis
Then move HijackThis.exe to C:\HijackThis and rescan.

Next, go to: http://www.spywareinfo.com/forums/

Sign in, go to the "Spyware and Hijackware Removal" section.
Press "New Topic", copy and paste hijackthis.log into your new message.
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 03-02-04]
Please post replies to this Newsgroup, email address is invalid
--

brent said:
I'm having the same issue when I type in www.evite.com,
www.ebay.com, www.foodnetwork.com I get redirected to the
following URL
http://209.47.15.67/int/set?type=468-60

I followed all of these instructions and I'm still being
redirected. Here is my log file from HiJackThis

Logfile of HijackThis v1.97.7
Scan saved at 10:15:25 AM, on 3/5/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
<snip>
 
Brent

I'm having the same problem you're having and was wondering
if you found a solution yet? I have downloaded numerous
spyware apps and none of them have fixed the problem. I
did notice that when I use Netscape I don't have the
redirect problem.
-Brent
-----Original Message-----
When I go to certain websites (www.hi-speed.rogers.com is
one) it goes to that page and then it sounds like the
noise it makes when you click on a hyperlink and re-
directs me to an advertising page with the address
http://209.47.15.67/int/set?type=468-60. Please help.
Thanks
 
Mike Burgess

Brent,
Go to: http://mvps.org/winhelp2002/unwanted.htm
Download "Hijack This!" [freeware]

Unzip, double-click "HijackThis.exe" and Press "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log"
button.
Click: "Save Log" (generates: "hijackthis.log")

Next, go to the below location:
http://www.spywareinfo.com/forums/

Sign in, go to the "Spyware and Hijackware Removal" section.
Press "New Topic", copy and paste hijackthis.log into your new message.
 
Alric Knebel

Brent said:
I'm having the same problem you're having and was wondering
if you found a solution yet? I have downloaded numerous
spyware apps and none of them have fixed the problem. I
did notice that when I use Netscape I don't have the
redirect problem.
-Brent

I'm currently experiencing a similar thing. When a page can't be found,
instead of the sheer white page explaining that the page couldn't be found,
an almost identical page is displayed, but with an Orbit Explorer URL, with a
search option in the page. The thing is, it originally displays the
original page -- the one that's supposed to be there -- but this Orbit
Explorer has shanghaied IE and redirects it to this page. When I hit the
back arrow, the proper page appears. Along with the Orbit Explorer fake
page, another IE window opens up with something called Tpad, and its sole
purpose is to display an ad. I can't get rid of it. The thing is, this
doesn't happen with Netscape.


Alric Knebel
 
Penna Elabi

Alric Knebel said:
When a page can't be found, instead of the sheer white page
explaining that the page couldn't be found, an almost
identical page is displayed, but with an Orbit Explorer URL,
with a search option in the page. The thing is, it originally
displays the original page -- the one that's supposed to be
there -- but this Orbit Explorer has shanghaied IE and
redirects it to this page.

You have probably inadvertently downloaded and installed adware,
spyware, parasite, trojan or a browser hijacker from some web site:

http://www.geocities.com/googlepubsupgenfaq/#noaccesstosearchengines
 
Gregb

I too have come across this problem! The ad removing software listed
above did not help in my case. I did some searching and found another
helpful tool that will remove what are called BHOs (Browser Helper
Objects). These BHOs are usually helpful, but of course any such
helpful tool often is turned into a weak point to attack. The tool
BHODemon will search your computer's registry to find all BHOs. You can
then click a BHO and find its path; typically a DLL file is what it points
to. Then select disable BHO for any that don't look like they belong.
Good Luck.
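
The BHO review described in the post above can also be done straight from a pasted HijackThis log like the one brent posted earlier in this thread. The following is an added example, not part of any post here and not HijackThis or BHODemon code: it rejoins the O2 lines that the news client wrapped and lists each BHO's CLSID and DLL path for manual review. KNOWN_CLSIDS, unwrap and review_bhos are names made up for the example, and the allowlist is an assumption about what the machine's owner recognises.

```python
import re
from pathlib import PureWindowsPath

# Lines copied from the HijackThis log posted earlier in this thread, wrapped as posted.
SAMPLE_LOG = r"""O1 - Hosts: 3.96.199.160 gaatlx04psge.geips.ge.com
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-
910304A55011} - C:\WINNT\hhU.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-
00D0B743919D} - C:\WINNT\System32\StopzillaBHO.dll
"""

# Assumption: CLSIDs the owner recognises (here the BHO of the installed STOPzilla).
KNOWN_CLSIDS = {"{E3215F20-3212-11D6-9F8B-00D0B743919D}"}

ENTRY_START = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) -")
BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")

def unwrap(text):
    """Rejoin log entries that a mail/news client wrapped across lines."""
    entries, open_entry = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            open_entry = False            # a blank line ends the current entry
        elif ENTRY_START.match(line):
            entries.append(line)
            open_entry = True
        elif open_entry:
            # A break right after "x-" fell inside a token (GUID, host name): no space.
            sep = "" if re.search(r"\S-$", entries[-1]) else " "
            entries[-1] += sep + line
    return entries

def review_bhos(text, known=frozenset()):
    """Return BHOs whose CLSID is not in `known`, with the DLL to inspect."""
    findings = []
    for entry in unwrap(text):
        m = BHO.match(entry)
        if not m or m["clsid"].upper() in known:
            continue
        path = PureWindowsPath(m["path"])
        notes = []
        if m["name"] == "(no name)":
            notes.append("no display name")
        if path.parent.name.upper() in ("WINNT", "WINDOWS"):
            notes.append("DLL directly in the Windows directory")
        findings.append({"clsid": m["clsid"], "dll": str(path), "notes": notes})
    return findings
```

Calling review_bhos(SAMPLE_LOG, KNOWN_CLSIDS) returns only the entries the owner has not vouched for; the notes are triage hints for a person to follow up, not a verdict on the DLL.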
 
