Unvisited web-site constantly in IE History


7 replies to this topic

#1 Gabriele Hauschild

Posted 09 June 2004 - 04:58 PM

I have read your forum's FAQ document.
I have a stand-alone PC Pentium 3 running Windows 98 second edition with Internet Explorer 6, SP1 which is Microsoft-patched up-to-date.
I have run with up-to-date updates: AdAware 6.181, SpybotSD 1.3 (inoculate enabled), CWShredder 1.59.0. I have SpywareBlaster 3.1 loaded and up-to-date and Norton Internet Security 2001.

Whenever I connect to the Internet using Internet Explorer 6, SP1 ("IE") I can see in its "History" the following one URL:

"http://media47.fastc...152&pop=slider"

This is despite having previously deleted that item and never having visited such a URL. When I close IE there remains minimised to the Desktop Taskbar, the following: "http://media47.fast..."
If I leave the cursor on the latter, a yellow note appears showing the above-mentioned URL.

I have made a "HijackThis Startup Log" to submit only if requested.
I assume the unwanted URL may be the result of malware and would like to remove the malware. I hope you can assist.
Regards,
Gabriele Hauschild

The following is the "HijackThis Log File":

Logfile of HijackThis v1.97.7
Scan saved at 22:01:04, on 09/06/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBPOLL.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY FAMILY EDITION\NISSERV.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY FAMILY EDITION\IAMAPP.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY FAMILY EDITION\NISUM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\GSICON.EXE
C:\WINDOWS\SYSTEM\DSLAGENT.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBTRAY.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\ONE GUY CODING\AUTOMACHRON\ACHRON.EXE
C:\PROGRAM FILES\PSION\PSIWIN\PSCONSV.EXE
C:\PROGRAM FILES\PSION\PSIWIN\ELOGERR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\SCREEN THIEF 98\ST98.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cybersleuth-kids.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;127.0.0.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [NAV DefAlert] c:\PROGRA~1\NORTON~2\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] c:\PROGRA~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] c:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RNBOStart] c:\WINDOWS\SYSTEM\sentstrt.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Roxio\GoBack\GBPoll.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Automachron.lnk = C:\Program Files\One Guy Coding\Automachron\achron.exe
O4 - Startup: PsiWin 2.3 Connection Server .lnk = C:\Program Files\Psion\PsiWin\Psconsv.exe
O4 - User Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - User Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - User Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: Automachron.lnk = C:\Program Files\One Guy Coding\Automachron\achron.exe
O4 - User Startup: PsiWin 2.3 Connection Server .lnk = C:\Program Files\Psion\PsiWin\Psconsv.exe
O8 - Extra context menu item: Send Image to Photo Library - file://C:\WINDOWS\Application Data\MGI\PhotoSuite4\Temp\MGI00000.html
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compu...hat/RTCChat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7906.5492939815
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?316

#2 WinHelp2002

Posted 09 June 2004 - 07:02 PM

Hi,
I don't see anything in your log to indicate a problem.

Resize your browser cache, then rebuild the cache folders ...
How To: Delete the Internet Explorer Temporary Internet Files
http://www.mvps.org/...02/delcache.htm
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#3 Gabriele Hauschild

Posted 09 June 2004 - 08:32 PM

Thank you Mike for your response of Jun 9 2004, 07:02 PM.

Please could you explain how to "rebuild the cache folders" as I could not find that as a subject in the document/URL that you mentioned. Does it mean I should delete any folders and then remake them?

Did you also intend I should carry out any of the deletion procedures covered in the document/URL you mentioned?

#4 WinHelp2002

Posted 09 June 2004 - 09:09 PM

Hi,
Yes, delete the folders; they will be rebuilt on restart.

Restart in MS-DOS Mode
From C:\> (type and press Enter after each command)

cd\windows
smartdrv
deltree tempor~1
deltree history
deltree temp


Then Restart (Ctrl-Alt-Del)

http://www.mvps.org/...02/delcache.htm
Mike

#5 Gabriele Hauschild

Posted 12 June 2004 - 06:52 PM

Thank you Mike for your response of Jun 9 2004, 09:09 PM.

I carried out your suggestions to resize the browser cache and to rebuild the cache folders, but unfortunately this has not resolved the problem.

When I close IE there remains minimised to the Desktop Taskbar, the following: "http://media47.fast..." which can be closed by right-clicking and then clicking on "X Close".

Should I make further attempts to solve this or if it is not significant, just accept this IE error? Is there a solution to it?

Regards,

#6 WinHelp2002

Posted 12 June 2004 - 07:26 PM

Hi,
"media47.fastclick.net" is not adware or a hijacker, it's simply an ad server.
Run another scan with Ad-Aware and see if that shows up as a Cookie.

If not, you can add that entry to the IE "Restricted Zone"
http://www.mvps.org/.../restricted.htm

Internet Options | Security [tab] | Restricted icon (highlight)
Click the Sites button and add the following:

*.fastclick.net


Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp....dref/index.html

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.

If that still comes up, post a fresh log after the above ...

See section: How To: Prevent this from happening again?
http://www.mvps.org/...02/unwanted.htm
Mike

#7 Gabriele Hauschild

Posted 13 June 2004 - 01:23 PM

Thank you Mike for your response of Jun 12 2004, 07:26 PM.

However, I believe I have now discovered the reason for the occurrences of "http://media47.fast...".

I had looked for a search engine to use as my Home Page which would be "content-safe" for my children and found: "http://cybersleuth-kids.com/".

When connected to "cybersleuth-kids.com", the IE "Privacy Report" shows that "http://media47.fast..." is a web site "with content on the current page" and that the setting is already set to block cookies from "media47.fast...".

Therefore I suppose I can either leave the "cybersleuth-kids.com" site as the Home Page or change to another.

I hope this information may be of use to others and want to thank you for your assistance.

However, perhaps you could let me know if you believe I have misunderstood the position.

Regards,

#8 WinHelp2002

Posted 13 June 2004 - 03:36 PM

Hi,
I just looked at "cybersleuth-kids.com" and they do "track" everything you do while there. Plus they use several different ad servers for pop-ups and Cookies, etc.

Thanks for the feedback ...
Mike
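
An added example, not part of the original thread: a small Python triage of a HijackThis log that groups entries by section code, reads the IE start page, and checks whether a suspect domain appears in any logged entry. The sample lines are copied from the log in post #1; the function names are assumptions of this example, and the line format is inferred from that log only.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Sample input: lines copied from the log in post #1. Entries whose URLs the
# forum software truncated with "..." are left out rather than guessed.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cybersleuth-kids.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;127.0.0.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # e.g. "O4 - <detail>"
URL = re.compile(r"https?://[^\s;\"']+", re.IGNORECASE)

def parse_entries(log_text):
    """Group 'CODE - detail' lines by section code (R0, O2, O4, ...)."""
    sections = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:                      # header and process lines do not match
            sections[m.group(1)].append(m.group(2))
    return dict(sections)

def start_page(sections):
    """Return the IE start page recorded in an R0 entry, or None."""
    for detail in sections.get("R0", []):
        key, _, value = detail.partition(" = ")
        if key.endswith(",Start Page"):
            return value.strip()
    return None

def entries_mentioning(sections, domain):
    """Entries containing a URL whose host is `domain` or a subdomain of it."""
    hits = []
    for code, details in sections.items():
        for detail in details:
            for url in URL.findall(detail):
                host = (urlparse(url).hostname or "").lower()
                if host == domain or host.endswith("." + domain):
                    hits.append((code, detail))
    return hits
```

On the sample, `entries_mentioning(sections, "fastclick.net")` returns an empty list while `start_page(sections)` returns `http://cybersleuth-kids.com/`, which matches the thread's outcome: nothing in the log references the ad server, so the page loaded at start-up is the place to look.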



