Related.htm cause China hits?

[BlueStar54]

For the past few months I have been bombarded with a lot of hits from China and other places on certain ports. I blocked all I could on my firewall, but still the hits came in. HijackThis didn't find anything off nor Adaware. Then in the course of checking out things on the port number hits and firewall wanting to allow components I found a couple of files I renamed and that seemed to slow things down for the first 15 minutes I was connected.

Due to my posting on AutoComplete (url), I finally checked the information to see if Alexia had made it on my computer which it hadn't, but I followed it's suggestion to change the Related.htm. For some reason this has just about stopped those firewall hits. Same thing happened several years ago and every program I tried didn't find anything. I finally gave up and did a recovery that time which fixed it, thus all I can guess is MS files had been used.

Does anyone know if there is something in the related.htm that could cause such hits to occurr? W98SE:

line changed use to say-RelatedServiceURL="http://related.msn.com/related.asp?url=";

another suggested change was: RelatedServiceURL="http://127.0.0.1";

If you have an ideal of what any of the lines below that may be using as files please let me know since they might be the infected MS files.

<script>

//Build the query

userURL=external.menuArguments.location.href;

RelatedServiceURL="http://no_way_no_how.org/="; (line I changed to prevent files use)

//Perform simple check for Intranet URLs

//this is where the http or https will be, as found by searching for :// but skip res:

protocolIndex=userURL.indexOf("://",4);

serverIndex=userURL.indexOf("/",protocolIndex + 3);

urlresult=userURL.substring(0,serverIndex);

//Check if Intranet URL - then open search bar

if (urlresult.indexOf(".",0) < 1) userURL="Intranet URL";

finalURL = RelatedServiceURL + encodeURIComponent(userURL);

external.menuArguments.open(finalURL, "_search");

</script>

[BlueStar54]

Are my questions just to technical for someone to answer, have bad breath or do you not care to answer questions for people with W98SE? It would be nice to know so that I don't waste any more time coming here and I can know not to trust your unofficial updates since general questions about the OS can't be answered.

No offense intended, just need to know what's up.

[submix8c]

What version of IE are you using? IE6SP1 has updated files in the "WEB" folder.

What is RELATED.HTM?

Sound like you have something else wrong (i.e. "incoming hits" - YOU HAVE BEEN FOUND AND PESTERED!). Have you tried using Spybot S&D?

And if you want the exact registry entries that are supposed to be there (and the IE6SP1 RELATED.HTM) go here and get the ALEXA.ZIP (read down the thread).

Edited April 6, 2008 by submix8c

[BlueStar54]

I'm using IE6SP1, but Foxfire and Thunderbird are downloaded to try out before I do a recovery to make sure all is well. Along with a MD5 Hash program that will tell me if my MS files change when they shouldn't. Also downloaded Sun Java, but need to make sure all my programs will work with it before the restore and a new backup is made.

What is related.htm was already found, but this link explains the problem better and why it's associated with Alexa but is done by MS instead.

http://www.infopackets.com/channels/en/win..._key_part_2.htm

Geoffrey Mack, Product Manager at Alexa, an Amazon.com company reply to the above:

http://www.infopackets.com/channels/en/win..._key_part_3.htm

Yes I have been found and pestered big time. Though with all I've done it has calmed down some. I downloaded Spybot S&D, but have to get my taxes done before I mess with it and will have to post before I let it fix something it shouldn't. HiJackThis and AdawareSE hasn't found anything off and Port Explorer didn't find anything out of the ordinary that I can tell. BitDefender AV found minor things before it crashed that where taken care of, and I haven't had time to try the newer version of it.

When I right click to save the target ALEXA.ZIP, I'm asked by my firewall if I want to allow msi.dll to run (currently had OE open and viewed some emails). When I did it again it didn't do this. This also happens when I use the reply function in OE...wanting to allow msi.dll to run. Still haven't figured that out but won't let it run until I know why it wants to run which I haven't found a reason for so far. Some emails do it while others don't so I don't know if it's related to newer OS's causing it or what. Since MSI in an installer, I'm leary of a dll of the same name being allowed.

The related.htm words are exactly like the one I have except I have now pointed it to not go out at all ...RelatedServiceURL="http://127.0.0.1"

The registry has [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions but no entries exist there. The registry keys says to RestoreAlexa and I don't have Alexa installed so I don't want to restore it. I don't have a Windows Related links button (W98SE) nor do I want one so I guess I don't need the registry file or do I?

Thanks for the feedback submix8c. In my books E for effort is better than nothing at all, though I don't know enough to make even a good effort unless it's something I've had and conquered somehow. At least I know my related.htm was the right one, but something it was using was probably behind part of this problem. Now that it is looping back to my computer it has slowed the hits down, but China is still on the prowl.