• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1146

'Page not found' page hijacked by a virus or worm?

On a Win2K system we recently had the problem that any wrong URL entered at the IE URL prompt leads to some (changing) sex portal, i.e. it comes instead of the 'page not found' page. Symantec Antivirus, Pest Patrol and SpyBot couldn't repair the issue though they seem now to block some of the pages.

We changed to Mozilla Firefox but - wondering - the issue was the same.

Any ideas what I can do?

Regards, Alex
0
itsmeandnobodyelse
4 Solutions
 
ajwuk Commented:
Sounds like some kind of root kit could be installed. Does spybot return which spyware is installed and just can't remove it?

Using a powerful malware removal tool like combofix could help you if it's embedded itself that deep into IE. (use with caution).

Also... check that the spyware hasn't changed the IE proxy settings to point to a local directory (as this is probably where the sexportal info is popping up from).

HTH.
0
 
itsmeandnobodyelse (Author) Commented:
>>> Does spybot return which spyware is installed and just can't remove it?
No, it only found some cookies and adware. But I removed it last week cause its popup to warn when the registry was changed had puzzled controls so that I couldn't change the registry myself as it was refused by spybot.

>>>> if it's embedded itself that deep into IE
I wonder cause Firefox has the same problem. Do you know where 'page not found' html page was stored? I assume the worm simply exchanged that page.

>>> hasn't changed the IE proxy settings
The settings were changed when the whole mess began. But they failed as we used a router and there was no phone access to the provider. I don't use a proxy but go directly to the router.
0
 
SheharyaarSaahil Commented:
run an updated scan with superantispyware
http://www.superantispyware.com/

if problem persists, get hijackthis
http://www.download.com/HijackThis/3000-8022_4-10379544.html

run, scan and save a log file, please post the log here...
0
 
Marc Z Commented:
You may also want to take a look at your Hosts file.
http://www.mvps.org/winhelp2002/hosts.htm
0
 
itsmeandnobodyelse (Author) Commented:
Sorry for the delayed feedback but the computer is at my home office and I am currently on the road ...

The problem with downloading antispy software is that I don't trust the computer. So, I have to download from somewhere else. I hope I'll find time to run the tools this friday. I will give feedback then.

Does anybody know where the 'Server Not Found' page comes from? I would assume the worm made a redirection by replacing that page.

Regards, Alex
0
 
Marc Z Commented:
No problem, keep us in the loop.
Typically, the web server you are trying to access sends you the "Server Not Found" Page.

Superantispyware is a great place to start and a hijackthis log will certainly help us see what you have got, but this page gives pretty good steps to follow to also see how clean you can get.
See http://securitytango.com/tango.php for some steps on getting cleaned up. (Don't forget, if you skip a step doing the Tango, you are just moving, not Dancing.)

You might want to grab a copy of this in case you break your internet connection when cleaning out the system.
http://www.snapfiles.com/get/winsockxpfix.html
and
http://cexx.org/lspfix.htm

Regardless, if you have not fully cleaned this machine, you should consider backing up all of your important data and consider reinstalling the OS. It might be quicker to do this than to try to clean out this machine. Just a thought.
0
 
SheharyaarSaahil Commented:
>> Does anybody know where the 'Server Not Found' page comes from? I would assume the worm made a redirection by replacing that page.
you should check the hosts file as mtz said above, otherwise hijackthis log will show the culprit.
0
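
The hosts-file check suggested in the comments above, as an added example that is not part of the original thread: a small Python audit that lists every entry mapping a name to a non-loopback address, plus lines that do not parse. The sample file contents and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of a Windows hosts file (normally at
# %SystemRoot%\System32\drivers\etc\hosts); not taken from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net   # sinkholed by a blocklist
203.0.113.7     www.example.com search.example.com
203.0.113.7     update.example.org# comment glued to the name
not-an-ip       broken.example
::1             localhost
"""

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) per mapping; ip is None if unparsable."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None
        yield line_no, ip, [h.lower() for h in fields[1:]]

def audit_hosts(text):
    """Return (line_no, reason, hostnames) for every entry worth reviewing."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip is None:
            findings.append((line_no, "malformed", names))
        elif ip.is_loopback or ip.is_unspecified:
            continue  # localhost entries and 0.0.0.0 blocklist sinkholes
        else:
            findings.append((line_no, f"redirect to {ip}", names))
    return findings

if __name__ == "__main__":
    for line_no, reason, names in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {reason}: {', '.join(names) or '(no hostname)'}")
```

A flagged entry is a line to review, not proof of infection: intranet mappings added by an administrator show up the same way.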
 
itsmeandnobodyelse (Author) Commented:
>>>> otherwise hijackthis log will show the culprit.
I downloaded hijackthis and - positive - contrary to other products it didn't write to the registry itself and simply did what was expected.

Unfortunately it doesn't find any malicious (looking) thing, which might be due to my previous activities regarding that issue.

I will now close that thread nevertheless cause I intend to replace that 10 year old computer by a 5 year old one and as I didn't intend to overtake programs but data only, there is a good chance that the problem was not copied.

Thanks and Regards
Alex
0
