'Page not found' page hijacked by a virus or worm?

On a Win2K system we recently had the problem that any wrong URL entered at the IE URL prompt leads to some (changing) sex portal, i.e. it comes instead of the 'page not found' page. Symantec Antivirus, Pest Patrol and SpyBot couldn't repair the issue though they seem now to block some of the pages.

We changed to Mozilla Firefox but - wondering - the issue was the same.

Any ideas what I can do?

Regards, Alex
SheharyaarSaahil Commented:
run an updated scan with superantispyware

if problem persists, get hijackthis

run, scan and save a log file, please post the log here...
ajwuk (Technical Consultant / Project Manager) Commented:
Sounds like some kind of root kit could be installed. Does spybot return which spyware is installed and just can't remove it?

Using a powerful malware removal tool like combofix could help you if it's embedded itself that deep into IE. (use with caution).

Also... check that the spyware hasn't changed the IE proxy settings to point to a local directory (as this is probably where the sex portal info is popping up from).

itsmeandnobodyelse (Author) Commented:
>>> Does spybot return which spyware is installed and just can't remove it?
No, it only found some cookies and adware. But I removed it last week cause its popup to warn when the registry was changed had puzzled controls so that I couldn't change the registry myself as it was refused by spybot.

>>>> if it's embedded itself that deep into IE
I wonder cause Firefox has the same problem. Do you know where 'page not found' html page was stored? I assume the worm simply exchanged that page.

>>> hasn't changed the IE proxy settings
The settings were changed when the whole mess began. But they failed as we used a router and there was no phone access to the provider. I don't use a proxy but go directly to the router.
Marc Z Commented:
You may also want to take a look at your Hosts file.
itsmeandnobodyelse (Author) Commented:
Sorry for the delayed feedback but the computer is at my home office and I am currently on the road ...

The problem with downloading antispy software is that I don't trust the computer. So, I have to download from somewhere else. I hope I'll find time to run the tools this Friday. I will give feedback then.

Does anybody know where the 'Server Not Found' page comes from? I would assume the worm made a redirection by replacing that page.

Regards, Alex
Marc Z Commented:
No problem, keep us in the loop.
Typically, the web server you are trying to access sends you the "Server Not Found" Page.

Superantispyware is a great place to start and a hijackthis log will certainly help us see what you have got, but this page gives pretty good steps to follow to also see how clean you can get.
See http://securitytango.com/tango.php for some steps on getting cleaned up. (Don't forget, if you skip a step doing the Tango, you are just moving, not Dancing.)

You might want to grab a copy of this in case you break your internet connection when cleaning out the system.

Regardless, if you have not fully cleaned this machine, you should consider backing up all of your important data and consider reinstalling the OS. It might be quicker to do this, than to try to clean out this machine. Just a thought.
>> Does anybody know where the 'Server Not Found' page comes from? I would assume the worm made a redirection by replacing that page.
you should check the hosts file as mtz said above, otherwise hijackthis log will show the culprit.
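
An added example, not part of the original thread, of the hosts file check suggested by Marc Z and repeated in the comment above: it parses hosts-file text and lists every entry that is not the plain localhost mapping, so each one can be reviewed by hand. The function name `audit_hosts` and the sample content are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts-file text (not taken from the thread). On
# Windows 2000 the file is %SystemRoot%\system32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
0.0.0.0         ads.example.net            # blocklist-style entry
203.0.113.7     www.example-bank.test login.example-bank.test
203.0.113.7     search.example.org         # trailing comment
not-an-ip       broken.example
"""

def audit_hosts(text):
    """Return (lineno, kind, address, names) for every entry worth review.

    kind is "redirect" (name forced to a non-local address), "blocked"
    (name other than localhost pinned to a loopback or 0.0.0.0 address,
    as ad blocklists do) or "invalid" (address does not parse).
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()      # strip comment, tokenize
        if not entry:
            continue
        addr, names = entry[0], [n.lower() for n in entry[1:]]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, "invalid", addr, names))
            continue
        if ip.is_loopback or ip.is_unspecified:
            # The stock "localhost" mapping is expected; other names are not.
            names = [n for n in names if n != "localhost"]
            kind = "blocked"
        else:
            kind = "redirect"
        if names:
            findings.append((lineno, kind, addr, names))
    return findings

if __name__ == "__main__":
    for lineno, kind, addr, names in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {kind:8} {addr:15} {' '.join(names)}")
```

Because the script only needs the file's text, the hosts file can be copied off the suspect machine and checked on another one.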
itsmeandnobodyelse (Author) Commented:
>>>> otherwise hijackthis log will show the culprit.
I downloaded hijackthis and - positive - contrary to other products it didn't write to the registry itself and simply did what was expected.

Unfortunately it doesn't find any malicious (looking) thing, which might be due to my previous activities regarding that issue.

I will now close that thread nevertheless cause I intend to replace that 10 year old computer by a 5 year old one and as I didn't intend to overtake programs but data only, there is a good chance that the problem was not copied.

Thanks and Regards
Question has a verified solution.