Bogus "page cannot be displayed" error on URL http:///

Question

elunow 0 Newbie Poster

19 Years Ago

Internet Explorer fails with the error message "The page cannot be displayed." The problem occurs on Windows 2000 running Internet Explorer 6.0.

The problem occurs intermittently but with sufficient frequency to make IE totally unusable.
When the problem occurs, Internet Explorer first displays the requested URL, but a short time thereafter, on the order of 1/4 to 1 second, replaces the URL with 'http:///' causing the error. Often, IE goes into a loop redisplaying the error page about every second.
When the problem does not occur, I occasionally, but not always, observe the presence of a background IE window containing advertisements and a title bar requesting me to visit sponsors.

The problem is independent of DNS and network errors. Network packet traces show only TCP and UDP packets associated with the requested URL. One can reproduce the problem by loading a simple 'Hello World' HTML page from the local disk with a URL of the form 'file:///C:/test.htm.' In this case, the local HTML page is displayed correctly, but then overwritten about a half second later and no network traffic is generated. Other web browsers, such as FireFox, do not manifest the problem.

I have run multiple virus scanners, including Ad Aware, AntiVir, and Spybot without success.
I have installed all current service packs with no long term success.
Reinstalling IE 6.0 makes the problem go away for awhile, yet the error always manifests itself again.
My local HOSTS file contains only one entry that maps 'localhost' to 127.0.0.1.

I run the Google toolbar and popup blocker. When the Google popup blocker is disabled, the problem still occurs, but less frequently.

The HijackThis log shows:

Logfile of HijackThis v1.99.0
Scan saved at 5:23:31 PM, on 1/4/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\fdeploy.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\winpack.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloads\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [fdeploy] C:\WINNT\system32\fdeploy.exe
O4 - HKCU\..\Run: [winpack] C:\WINNT\system32\winpack.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{954F771D-85DA-4E9F-8808-322BE1B483C2}: NameServer = 192.168.0.254
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

Anyone got any suggestions on how to fix this?
My hunch is that some post-processing occurring after IE displays a page generates the incomplete URL http:/// and stuffis it into the address bar.

windows-virus

2 Contributors
7 Replies
462 Views
5 Days Discussion Span
Latest Post 19 Years Ago Latest Post by DMR

DMR 152 Wombat At Large

19 Years Ago

winpack.exe is a trojan which, among other things, performs browser redirects.

1. Have HijackThis fix the " O4 - HKCU\..\Run: [winpack] C:\WINNT\system32\winpack.exe" entry, reboot, delete C:\WINNT\system32\winpack.exe, and empty your Recycle Bin.

2. Make sure you have the most current virus definitions for AVG and run a full system scan.

3. Go to the following two sites and run their free online virus scans:

http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://housecall.trendmicro.com/

4. Get back to us with the results.

DMR 152 Wombat At Large

19 Years Ago

Overall, that sounds pretty good in the end; test-drive the system for a bit and let us know how it goes.

As far as the fdeploy file goes: it did look suspicius to me, but I could find almost no info on the file whatsoever. The only thing I could find was that a legit file of that name is associated with the "Close Combat" game, but it didn't look like the legit fdeploy.exe should be living in the C:\WINNT\system32\ folder.

On thinking about it further, I take it you don't have Close Combat installed, yes? Even if you did, I highly doubt that the legit fdeploy program would need to add an entry to the Windows Registry to make it start automatically when Windows starts. If the Panda scan wasn't able to disinfect/delete the file, do this so that we can be more sure:

1. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files". Click OK

2. Go to your C:\WINNT\system32\ folder and locate fdeploy.exe.

3. Right-click on the file, and choose Properties from the context menu that opens.

4. Under the Version tab of the Properties window, look through the Company Name, File Name, etc. listings and tell us what they report. If the file's Properties window offers you no Version tab; tell us that as well. A lack of info in the Version tab or an entire lack of the Version tab itself is usually a pretty good indication that the program is indeed an "unwanted guest". Looking at the file's creation and modification dates/times in the General tab of the Properties window can also give you a clue...

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

elunow 0 Newbie Poster · Answer 1 · 2005-01-06T05:27:00+00:00

I performed the indicated tasks, although not in the order you specified, because the pandasoftware and housecall.trendmicro scanners use activeX and hence are dependent upon IE yet the virus prevented me from using IE to run the scanners. Furthermore, those virus scanners would not work with FireFox.

However, after having HijackThis remove the " O4 - HKCU\..\Run: [winpack] C:\WINNT\system32\winpack.exe" entry, deleting the C:\WINNT\system32\winpack.exe file, and rebooting, I did not observe the problem. This enabled me to run the web based virus scanners with IE.

When running the virus scanners, AntiVir found no infections, pandasoftware found one infection associated with fdeploy.exe, and housecall.trendmicro found no infections.

After rebooting, I still have'nt observed the problem. IE works correctly. Considering the intermittent nature of the problem, I will continue using IE and post my observations in a few days. If I don't observe the problem within a few days I'll feel confident it has been resolved. It looks like winpack.exe was the cause.

Thanks!

elunow 0 Newbie Poster · Answer 2 · 2005-01-06T23:54:29+00:00

Apparently the Panda scan removed fdeploy.exe, as it is no longer in my WINNT/system32 folder and I cannot check the file. I still have an fdeploy.dll, but that looks like a legitimate binary from Microsoft for the W2K distribution. I do not have Close Combat installed on my machine.

Good news so far, IE is working correctly and I haven't observed the page not found error.

DMR 152 Wombat At Large Team Colleague · Answer 3 · 2005-01-07T01:31:39+00:00

Good- it looks like your clean now. According to Microsoft, the fdeploy dll is a valid Windows component:

Fdeploy.dll Category Fdeploy.dll is an MMC extension to gpedit.dll that provides settings for Folder Redirection Group Policy.

Now that you've gotten rid of the nasties, here are some suggestions to minimize your chances of future infections:

1. Use Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will greatly reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks.

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here.

5. Obviously: install a good anti-virus program and enable its "auto-protect", "auto-update", and email-scanning features.

6. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often as ever two or three days.

elunow 0 Newbie Poster · Answer 4 · 2005-01-10T21:24:15+00:00

I haven't seen the problem for several days now, and I consider it fully resolved. Thanks!

It must have been winpack.exe or fdeploy.exe.

DMR 152 Wombat At Large Team Colleague · Answer 5 · 2005-01-11T07:26:55+00:00

Thanks for the feedback elunow. Given what you've posted, I'll mark this thread as solved. :)