IE6 hijacked - continual redirects


happybrick

I can't open IE without being redirected to www.eebuy.co.uk which
usually takes a very long time.

I've run TrendMicro housecall and it found no issues at all.
I've run CWShredder and again, no problem was found.
I've deleted all cookies etc and nothing seems to fix it.

This is on a client PC running Windows XP SP2 on Windows Server 2003
network. Only one user is affected and the PC itself seems fine.
 
So How Did I Get Infected Anyway?
For quite a few people it's by installing Messenger Plus, whose default
install is loaded with malware. See also:
http://www.wilderssecurity.com/showthread.php?t=27971
Don't ever do a "default" install of anything. Always choose Custom and see
what else is being carried along.

Help with Hijackware
All MS - MVP Sites.
http://aumha.org/a/parasite.htm
(http://aumha.org/a/quickfix.htm)
http://www.elephantboycomputers.com/page2.html#Removing_Malware
(http://mvps.org/winhelp2002/unwanted.htm)
(http://inetexplorer.mvps.org/darnit.html)
(http://www.mvps.org/sramesh2k/Malware_Defence.htm)

Unexplained computer behavior may be caused by deceptive software.
http://support.microsoft.com/kb/827315
 
Hi Happybrick,

What is the user's Homepage setting? Is it just the homepage setting or a
genuine re-direct from the homepage? Or is the homepage setting to an
invalid address (which would trigger a 404 error and start autosearch)? Test
by using Ctrl+Home to navigate to the homepage. Solution - change the
homepage to about:blank - IE loads fastest with a local start/home page.

What toolbar and BHO add-ons has the user installed? Test by disabling
"Third-Party Browser Helpers" (Tools>Internet Options - Advanced tab).

Solution - Uninstall the offending Add-on.

Lastly check if the nut holding the keyboard is loose. Tighten if necessary.

Regards.
 
The user's homepage is set to the company website.

Setting the homepage to about:blank doesn't help. As soon as you type a
URL or attempt to navigate to another site the redirect takes hold.

I disabled third-party browser helpers - no effect.
I uninstalled all add ons - no effect.

I'm wondering if I should delete the user's profile from the server and
local machine.
 
I have tried deleting the profile as you propose, but this doesn't
work. It seems to, as the first attempt to view a website via IE goes
through fine, but the second one fails and goes to eebuy.co.uk. Any
other suggestions would be very welcome.
 
Did you delete all local profiles as well as the server copy?

I also tried to uninstall / reinstall IE as per this article for MS:
http://support.microsoft.com/kb/318378

but got stuck at the System File Checker step. Even when logged in as
admin this doesn't do anything - well a program runs and then exits the
console so no feed back is gained.
 
For info, I managed to get System File Checker started only for it to
ask for the XP Pro CD. Of course, no media CD was distributed with the
PC so now I'm stuck again.
 
I may have a fix, I've tried this and it seems to be working.

The trick is to remove the corrupt profile from the clients and the
server, then create a new profile, then log into a machine that has
never had that profile on it before. Once everything is configured
(Outlook etc) close the 'new' machine, and log onto the original
machine.

You may lose the favourites, my documents etc though.
 
Find the i386 folder on the drive and when it asks for the CD point it to
that.
 
I've been having exactly the same problem with the browsers being
hijacked and sent to www.eebuy.co.uk and as above I've just deleted the
user profiles and this seems to stop the problem.

But I'd like to find out what's causing the problem, any ideas?
 
Hi there,

I've been having this issue too - I'm finding that not only is IE
unable to connect to any other website, but I'm finding that anything
depending on the wininet api is unable to connect - iTunes, Google
Notifier, Windows Messenger - the works. Any web page I surf to in IE,
I get re-directed to eebuy. Firefox, however, is a happy bunny, as is
S&D's updates, McAfee's updates and a few other programs besides.

As an experienced IT support man myself, I've been through the usual
basic steps, including Virus Scan, Spybot S&D, checking the usual
hiding places for start ups, ADS streams, and rootkits, none of which
has turned up any positives (other than the usual tracking cookies) -
I've tried creating a new profile on the machine in question, and the
same symptoms are still occurring.

Having checked the Hijackthis log, I can't spot anything that seems
untoward, so I'm feeling fairly frustrated - thankfully, I've got a
backup laptop, so it's not exactly the end of the world just yet, but
it is my primary machine - I'm working on finding out as much as I can,
but if anyone can add any information in the meantime, that'd be much
appreciated.

Thanks in advance,

K
 
This is also being discussed here:
http://www.lavasoftsupport.com/index.php?showtopic=4137&hl=eebuy

I'm certain it's somewhere in the profile, however if it's affected the
default profile on the server (work environment) then deleting and
logging back on isn't going to help.

Anyway I've suggested a workaround in the above forum, basically it
seems to be an infection of the proxy settings for the browser so if
you go to IE then into Tools, Internet Options, Connections and in the
LAN settings, take the tick off "Automatically Detect Settings".
This can also be enforced through GPO - User Config, Windows Settings,
Internet Explorer Maintenance, Connection.

Doesn't sort out the 'infection itself' but until then this is working.
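As an added illustration (not code from this thread or from any poster), here is a small Python model of why unticking "Automatically Detect Settings" stops the redirect: auto-detect builds wpad.<suffix> names from the client's DNS suffix, dropping the leftmost label each time, until it reaches a registrable domain such as org.uk that the organisation does not own, so a proxy script served from there hijacks every WinINet client. The DNS suffixes and the public-suffix set are constructed for the example; the stopping rule (stop when two labels remain) is assumed to be the one IE used at the time.

```python
# Added example, not from the thread. Models IE's WPAD name devolution
# ("Automatically Detect Settings") and flags candidates that leave the
# organisation's own namespace. Assumption: the devolution rule modelled
# here (strip the leftmost label until two labels remain) is the behaviour
# IE had at the time; suffix values and the public-suffix set are constructed.
from typing import List, Set

# Constructed sample of public suffixes under which anyone can register a
# name. The real list is far longer; these suffice to show why .org.uk
# clients were hit while .com clients were not.
PUBLIC_SUFFIXES: Set[str] = {"com", "net", "org", "uk", "co.uk", "org.uk", "ac.uk"}


def wpad_candidates(dns_suffix: str) -> List[str]:
    """Return the wpad.<domain> hostnames auto-detect would try, in order."""
    labels = [l for l in dns_suffix.lower().strip(".").split(".") if l]
    out: List[str] = []
    while len(labels) >= 2:          # stop before a bare top-level domain
        out.append("wpad." + ".".join(labels))
        labels = labels[1:]          # devolve: drop the leftmost label
    return out


def untrusted_candidates(dns_suffix: str, public: Set[str] = PUBLIC_SUFFIXES) -> List[str]:
    """Candidates whose parent domain is a public suffix, i.e. a name the
    organisation does not control. A wpad.dat fetched from one of these is
    the hijack path; a non-empty result means auto-detect should be off."""
    risky: List[str] = []
    for host in wpad_candidates(dns_suffix):
        parent = host[len("wpad."):]
        if parent in public:
            risky.append(host)
    return risky


if __name__ == "__main__":
    for suffix in ("corp.example.org.uk", "corp.example.com"):
        print(suffix, "->", wpad_candidates(suffix), "risky:", untrusted_candidates(suffix))
```

Running it shows that a client with suffix corp.example.org.uk ends up asking wpad.org.uk, while one with suffix corp.example.com never leaves example.com, which matches the "only .org.uk addresses were affected" observation later in the thread.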
 
I don't get the option to Browse ... it is simply a prompt for the CD
and you can Retry or Cancel.
 
As of today, everything appears fixed - the 'nice' people at eebuy have
issued a statement, explaining that only people registered with .org.uk
addresses were affected.

see: http://www.eebuy.co.uk/wrongpage.htm

The trouble I have is this...

1: The website www.eebuy.co.uk is a commercial website, however, was
registered without an address attached to it.

2: The usenet groups are littered with both spam adverts for eebuy, and
'adverts' by the registrant, Stuart Hunt, claiming to be trying out
this 'new fangled eebuy thing', despite clearly knowing all about it.
(eg:
http://groups.google.co.uk/group/uk...7MeVl9rhg9y8pIyky7oZ_RSiUboqwxmG3EuqoLaHlELWS)

3: The Lavasoft website as linked above has a poster Shunt010, which
co-incidentally happens to be the first part of Stuart Hunt's Email:
shunt010 [at] hotmail.com, despite this, the poster Shunt010 denies
being anything to do with the service.

4: The 'cover' story for wpad.co.uk is more than a little fishy, given
little to no flesh, and very co-incidental, bearing in mind the back
history of the wpad domains.

So, it is my suspicion that Stuart Hunt at eebuy planned this as a
publicity stunt, knowing full well what his actions would mean, hence
the poor 'bounce back' email replies.

Obviously, all the above is merely my musings and things that have been
noticed, however, it does paint a sour picture.

K

(e-mail address removed) wrote:
[a lot of useful things]
 