IE strange page

Just lately when I try to go to different regular sites IE trys to open and all of sudden it goes to what looks like the typical internet server not found page display, like it does when you need to hit refresh and try again. Except the address displayed at the top has nothing to do with whatever pg attempting to open. It is always something like this

res://mshp.dll/http_404.htm

Any ideas on what's happening? Thanks.

 

If you're not running SpyBot/Adaware, download them, install, update, run them. May also run virus scan.

 

Keep avg updated daily. Ran avg and nothing showed. Downloaded adaware and ran. Shows this in quarantine:

ArchiveData(quarantine.bckp)
======================================================

CYDOOR
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[0]=RegKey : .default\software\Cydoor
obj[2]=RegKey : software\cydoor
obj[3]=RegKey : Software\Cydoor

HOTBAR
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[1]=RegKey : Interface\{8F59F897-6923-4B3B-8156-4E55D19DE99A}
obj[5]=RegKey : Software\Hotbar
obj[6]=RegKey : SOFTWARE\Hotbar
obj[7]=RegKey : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{69FD62B1-0216-4C31-8D55-840ED86B7C8F}
obj[10]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Hotbar Uninstall
obj[15]=RegKey : TypeLib\{94BEB7A2-36B7-46DC-8AD1-81A8332409C0}
obj[21]=File : c:\windows\system\hbinst.exe
obj[22]=RegKey : CLSID\{A54814C0-40F3-4249-8528-B4922CD2964E}

HI-WIRE
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[4]=RegKey : Software\HIWIRE

LOP.COM
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[8]=RegKey : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8522F9B3-38C5-4AA4-AE40-7401F1BBC851}

ALEXA
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[9]=RegKey : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

SPYWARENUKER
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[11]=RegKey : Software\SOFTUP2009
obj[12]=RegKey : SOFTWARE\SOFTUP2009\camps
obj[13]=RegKey : Software\VB and VBA Program Settings\SPYWARE NUKER

SAVENOW
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[14]=RegKey : Software\WhenU
obj[16]=RegKey : WUSN.1

WEB3000
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[17]=RegValue : Software\Microsoft\Windows\CurrentVersion

WINDOWS
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[18]=RegData : .DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings
obj[19]=RegData : Software\Microsoft\MediaPlayer\Player\Settings

BRILLIANTDIGITAL
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[20]=File : c:\windows\system\bdeinstall.exe
obj[23]=File : c:\windows\bde\update
obj[24]=File : c:\windows\bde\cache
obj[25]=File : c:\windows\bde\mskin
obj[26]=File : c:\windows\bde\movies
obj[27]=File : c:\windows\bde\cache\installnsplugins.cab
obj[28]=File : c:\windows\bde\cache\infowin1.bmp
obj[29]=File : c:\windows\bde\cache\infowin1.txt
obj[30]=File : c:\windows\bde\cache\infowin1a.txt
obj[31]=File : c:\windows\bde\cache\infowin2.txt
obj[32]=File : c:\windows\bde\cache\infowin3.txt
obj[33]=File : c:\windows\bde\cache\playb3d3200.cab

Helpful? Where do we go from here? Thanks

 

The Hotbar and Cydoor are both Spyware. The BDE, Borland Data base. When I run Adware, I get rid of whatever it finds. I use SpyBot also, what one doesn't catch the other does. The Win Media, just looking for updates. You may find Hotbar and Cydoor in the add/remove programs. If so, I would do a remove, then run adaware again. If you see Coolwwwsearch or something like that. Go to this link, download the CWshredder and run it.

 

If you have a hosts file, take a look for entries directing the problem URLs to someplace interesting but wrong. The file will be (since you didn't mention your OS) in

Win9x/ME - c:\windows
NT4/2K/XP - c:\windows\system32\drivers\etc

 

Thanks a lot. Used Adaware and deleted entries and haven't had the IE page problem again.



I opened Hosts from Windows 98 and there's a long list of stuff. Opened it in Wordpad. Can all of that be deleted? What is it from? Here's examples:
127.0.0.1 ads.msn.com
127.0.0.1 barnesandnoble.bfast.com
127.0.0.1 ads.msn.com
127.0.0.1 pop3.norton.antivirus

I just read some of the Gorilla Design Studio's pages on Hosts. I guess my main question is how did the long list of entries ever get in to my list? I never entered anything there because I never knew it existed before. Thanks again!

 

Its just a sneaky method of hijacking,, that some veriations use

mshp.dll is (was) a sign of the coolweb search bug,, Usualy,
not always becouse other threats might use the same urls
even though Adaware has cleared things up it would be a good idea to run the CWSredder

CWShredder CWS-Chronicles
Its near the bottom n that page in zip and EXE form
Save it to your hard drive,,Unzip and Open -> doubleclick cwshredder.exe
Always check for updates first then -> click 'FIX' button.
Wait while it scans your PC. It will then list what you're infected with. Hit "Next" Again and you're finished.



Im not sure what to think of those hosts entries
Lonny

 

Anyone else? Where do Host entries come from if I don't enter them?

 

Do you use any ad blocking software? If so, that's probably the source of the ads.msn.com ones and any others that are ad site related. It works this way. When you type an address into your address bar your computer first has to look up the numerical address for that site. Sort of like a phone book. It first looks to the hosts file to see if it's listed there. If it is, it uses the numerical address that it shows and then goes to that website. If it's not in the hosts file it goes to your the DNS server to get it. 127.0.0.1 is the address for your own computer. It's the same for everybody. What happens with the ad blocking is that when the web page has an ad on it with an address of ads.msn.com, your computer will look at your hosts file again to see if it's there and when it finds it with the address of 127.0.0.1 it sort of looks to your own computer for the ad. It's not there of course so the ad won't be displayed in your web browser. You'll most likely just get that familiar box with the red x in it where the ad is supposed to be. The problem with doing it this way is sometimes, when it can't find the ad, you will get a page not found instead of getting the page you wanted without the ad. I don't know why the ads sometimes generate the page not found and at other times don't.

Some of the addresses that are in there could also have been put there by one of those programs that are supposed to speed up your internet connection. Have you ever used one of them? Some of them will scan your favorites and then access the DNS server to retrieve the addresses for them and then put them in the hosts file in an effort to save a tiny bit of time retrieving them from the DNS server everytime you click on one of your favorites. The time saved isn't worth the trouble though. If any of your favorites addresses happen to change, you end up getting a page not found when trying to access that site because its no longer located at that address. If you are going to use the hosts file for this, you have to keep it up to date.

The Norton one you want to leave there. It's there because of the Norton email scanning function and if removed, you'll have problems there. The rest should be safe to delete.

 

Actually I've never had any ad blocking sw. And haven't had a net speed upper. I had Norton but dumped it for AVG. That's why I was curious where all these dozens of Host listings came from.

 

JAK--There are several programs that make entries into HOSTS. In fact one is right in the HOSTS tutorial itself!!
http://www.accs-net.com/hosts/
Click "Get the HOSTS" file.
Others are listed here
http://www.smartin-designs.com/
The entries you show are ad sites so blocking them should be good, at least most people would think so
There are however some new types of spyware that block access to good sites by writing to the HOSTS file. Just hope you do not get one of those.