IIS Spyware Hijacked... Help Please !

I'm running IIS 6 on Windows 2003 Server.

I have run a full antivirus scan, Adaware scan and SpyBot Scan..

Nothing has been found... BUT !

When I try and view a web site on my server, things go a bit strange !

If I try in the full file path.. ie: test.com/list.htm
This works, assuming a file called list.htm exists.

However if the file does not exist or directory browsing is turned off, I
would normally get the standard error....

But I'm getting redirected to a search page, that has nothing to do with
me....The page is : http://296f8.ilxt.info/index.php

Which I believe is used in various spyware apps.

How do I remove this from my server, and how do I stop it happening agian ??

Thanks

Dave
Sun Aug 01 05:55:38 CDT 2004

are you sure its on your server and not on your browser. hijacks like that
are common on browsers.

"TomT" <tomt@adslweb.co.uk> wrote in message
news:410cc53a$0$6441$cc9e4d1f@news-text.dial.pipex.com...
> I'm running IIS 6 on Windows 2003 Server.
>
> I have run a full antivirus scan, Adaware scan and SpyBot Scan..
>
> Nothing has been found... BUT !
>
> When I try and view a web site on my server, things go a bit strange !
>
> If I try in the full file path.. ie: test.com/list.htm
> This works, assuming a file called list.htm exists.
>
> However if the file does not exist or directory browsing is turned off, I
> would normally get the standard error....
>
> But I'm getting redirected to a search page, that has nothing to do with
> me....The page is : http://296f8.ilxt.info/index.php
>
> Which I believe is used in various spyware apps.
>
> How do I remove this from my server, and how do I stop it happening agian
??
>
> Thanks
>
>

Me
Sun Aug 01 07:03:29 CDT 2004

Download a program called Hijackthis and run it, you'll probably find
unwanted settings, be careful if you delete the incorrect item then you are
hosed.

"Dave" <noone@nowhere.com> wrote in message
news:4u-dnco-OJW3UZHcRVn-qg@crocker.com...
> are you sure its on your server and not on your browser. hijacks like
that
> are common on browsers.
>
> "TomT" <tomt@adslweb.co.uk> wrote in message
> news:410cc53a$0$6441$cc9e4d1f@news-text.dial.pipex.com...
> > I'm running IIS 6 on Windows 2003 Server.
> >
> > I have run a full antivirus scan, Adaware scan and SpyBot Scan..
> >
> > Nothing has been found... BUT !
> >
> > When I try and view a web site on my server, things go a bit strange !
> >
> > If I try in the full file path.. ie: test.com/list.htm
> > This works, assuming a file called list.htm exists.
> >
> > However if the file does not exist or directory browsing is turned off,
I
> > would normally get the standard error....
> >
> > But I'm getting redirected to a search page, that has nothing to do with
> > me....The page is : http://296f8.ilxt.info/index.php
> >
> > Which I believe is used in various spyware apps.
> >
> > How do I remove this from my server, and how do I stop it happening
agian
> ??
> >
> > Thanks
> >
> >
>
>

jeff
Sun Aug 01 21:48:08 CDT 2004

On Sun, 1 Aug 2004 11:26:05 +0100, "TomT" <tomt@adslweb.co.uk> wrote:

>I'm running IIS 6 on Windows 2003 Server.
>
>I have run a full antivirus scan, Adaware scan and SpyBot Scan..
>
>Nothing has been found... BUT !
>
>When I try and view a web site on my server, things go a bit strange !
>
>If I try in the full file path.. ie: test.com/list.htm
>This works, assuming a file called list.htm exists.
>
>However if the file does not exist or directory browsing is turned off, I
>would normally get the standard error....
>
>But I'm getting redirected to a search page, that has nothing to do with
>me....The page is : http://296f8.ilxt.info/index.php
>
>Which I believe is used in various spyware apps.
>
>How do I remove this from my server, and how do I stop it happening agian ??

It's not IIS, it's your browser. See:

http://www.spywareinfo.com/~merijn/downloads.html

Jeff