Adware or something is taking over my browser--pls help.

Discussion in 'Computer Security' started by James Bond, Feb 2, 2004.

  1. James Bond

    James Bond Guest

    First, if this is not an appropriate group for posing this question,
    please refer me to the correct one.

    Now, on to the issue. I use google as my search engine and have it set as
    my home page. Though I am very careful about letting unknown software get
    on my computer, I seem to have something going on that is taking over my
    browser. First, my home page keeps getting changed to SearchCentral.cc
    (actually, in the set home page field it is listed by IP, 81.211.105.43).

    Even worse than that, when I am using Google, some portion of the links in
    a google search results page are actually redirected to this same Search
    Central with my original Google search parameters filled in on
    SearchCentral search box. When this happens, the only way I can actually
    get to the url shown in the Google search results is to cut and paste the
    real url.

    Can someone please help me figure out how to find the pervasive code that
    is taking over my browser and eradicate it.

    Thank you.

    James
     
    James Bond, Feb 2, 2004
    #1

  2. On Mon, 02 Feb 2004 16:12:27 GMT, James Bond
    <> wrote:

    >First, if this is not an appropriate group for posing this question,
    >please refer me to the correct one.
    >
    >Now, on to the issue. I use google as my search engine and have it set as
    >my home page. Though I am very careful about letting unknown software get
    >on my computer, I seem to have something going on that is taking over my
    >browser. First, my home page keeps getting changed to SearchCentral.cc
    >(actually, in the set home page field it is listed by IP, 81.211.105.43).
    >
    >Even worse than that, when I am using Google, some portion of the links in
    >a google search results page are actually redirected to this same Search
    >Central with my original Google search parameters filled in on
    >SearchCentral search box. When this happens, the only way I can actually
    >get to the url shown in the Google search results is to cut and paste the
    >real url.
    >
    >Can someone please help me figure out how to find the pervasive code that
    >is taking over my browser and eradicate it.


    Google is your friend :)

    http://groups.google.com/groups?num...e=utf-8&q=SearchCentral.cc&btnG=Google Search
     
    Maurice ON4BAM, Feb 2, 2004
    #2

  3. James Bond

    Quaoar Guest

    Maurice ON4BAM wrote:
    > On Mon, 02 Feb 2004 16:12:27 GMT, James Bond
    > <> wrote:
    >
    >> First, if this is not an appropriate group for posing this question,
    >> please refer me to the correct one.
    >>
    >> Now, on to the issue. I use google as my search engine and have it
    >> set as my home page. Though I am very careful about letting unknown
    >> software get on my computer, I seem to have something going on that
    >> is taking over my browser. First, my home page keeps getting
    >> changed to SearchCentral.cc (actually, in the set home page field it
    >> is listed by IP, 81.211.105.43).
    >>
    >> Even worse than that, when I am using Google, some portion of the
    >> links in a google search results page are actually redirected to
    >> this same Search Central with my original Google search parameters
    >> filled in on SearchCentral search box. When this happens, the only
    >> way I can actually get to the url shown in the Google search results
    >> is to cut and paste the real url.
    >>
    >> Can someone please help me figure out how to find the pervasive code
    >> that is taking over my browser and eradicate it.

    >
    > Google is your friend :)
    >
    >

    http://groups.google.com/groups?num...e=utf-8&q=SearchCentral.cc&btnG=Google Search

    And SpyBot is your tool. security.kola.de

    Q
     
    Quaoar, Feb 2, 2004
    #3
  4. James Bond

    Duane Arnold Guest

    James Bond <> wrote in
    news:Xns94837212ECB95jbonduniversalexport@140.99.99.130:

    > First, if this is not an appropriate group for posing this question,
    > please refer me to the correct one.
    >
    > Now, on to the issue. I use google as my search engine and have it
    > set as my home page. Though I am very careful about letting unknown
    > software get on my computer, I seem to have something going on that is
    > taking over my browser. First, my home page keeps getting changed to
    > SearchCentral.cc (actually, in the set home page field it is listed by
    > IP, 81.211.105.43).
    >
    > Even worse than that, when I am using Google, some portion of the
    > links in a google search results page are actually redirected to this
    > same Search Central with my original Google search parameters filled
    > in on SearchCentral search box. When this happens, the only way I can
    > actually get to the url shown in the Google search results is to cut
    > and paste the real url.
    >
    > Can someone please help me figure out how to find the pervasive code
    > that is taking over my browser and eradicate it.
    >
    > Thank you.
    >
    > James


    Use the Host it can help.

    http://mvps.org/winhelp2002/hosts.htm
    http://accs-net.com/hosts/HostsToggle/

    One example is to edit the Host file and make the following entry.

    127.0.0.1 www.microsoft.com

    And then go to your browser and enter www.microsoft.com and you'll see that
    the browser will not go to the site.

    That's one way you can stop the redirects. Maybe the site you're being sent
    to is already in the Host file or you can edit the file yourself and create
    the entry.

    There are various Host files out there on Google you can use or combine
    into one Host file.

    Duane :)
     
    Duane Arnold, Feb 2, 2004
    #4
  5. James Bond

    Leythos Guest

    In article <Xns948377146B3C8darnold92insightbbco@216.148.227.77>,
    says...
    > James Bond <> wrote in
    > news:Xns94837212ECB95jbonduniversalexport@140.99.99.130:
    >
    > > First, if this is not an appropriate group for posing this question,
    > > please refer me to the correct one.
    > >
    > > Now, on to the issue. I use google as my search engine and have it
    > > set as my home page. Though I am very careful about letting unknown
    > > software get on my computer, I seem to have something going on that is
    > > taking over my browser. First, my home page keeps getting changed to
    > > SearchCentral.cc (actually, in the set home page field it is listed by
    > > IP, 81.211.105.43).
    > >
    > > Even worse than that, when I am using Google, some portion of the
    > > links in a google search results page are actually redirected to this
    > > same Search Central with my original Google search parameters filled
    > > in on SearchCentral search box. When this happens, the only way I can
    > > actually get to the url shown in the Google search results is to cut
    > > and paste the real url.
    > >
    > > Can someone please help me figure out how to find the pervasive code
    > > that is taking over my browser and eradicate it.
    > >
    > > Thank you.
    > >
    > > James

    >
    > Use the Host it can help.

    [snip host info]

    Using a host file to block some redirects is bad in this person's case.
    Their machine has been compromised by one of the search tools - most of
    these can be uninstalled with ADD/REMOVE Software from the control panel
    and then running Spy Bot....

    Using the host file will only mask part of the problem, not fix it in
    any way.

    --
    --

    (Remove 999 to reply to me)
     
    Leythos, Feb 2, 2004
    #5
  6. James Bond

    Duane Arnold Guest

    Leythos <> wrote in
    news:MPG.1a88577060461a5e98a12f@news-server.columbus.rr.com:

    > In article <Xns948377146B3C8darnold92insightbbco@216.148.227.77>,
    > says...
    >> James Bond <> wrote in
    >> news:Xns94837212ECB95jbonduniversalexport@140.99.99.130:
    >>
    >> > First, if this is not an appropriate group for posing this question,
    >> > please refer me to the correct one.
    >> >
    >> > Now, on to the issue. I use google as my search engine and have it
    >> > set as my home page. Though I am very careful about letting unknown
    >> > software get on my computer, I seem to have something going on that is
    >> > taking over my browser. First, my home page keeps getting changed to
    >> > SearchCentral.cc (actually, in the set home page field it is listed by
    >> > IP, 81.211.105.43).
    >> >
    >> > Even worse than that, when I am using Google, some portion of the
    >> > links in a google search results page are actually redirected to this
    >> > same Search Central with my original Google search parameters filled
    >> > in on SearchCentral search box. When this happens, the only way I can
    >> > actually get to the url shown in the Google search results is to cut
    >> > and paste the real url.
    >> >
    >> > Can someone please help me figure out how to find the pervasive code
    >> > that is taking over my browser and eradicate it.
    >> >
    >> > Thank you.
    >> >
    >> > James
    >>
    >> Use the Host it can help.
    >
    > [snip host info]
    >
    > Using a host file to block some redirects is bad in this person's case.
    > Their machine has been compromised by one of the search tools - most of
    > these can be uninstalled with ADD/REMOVE Software from the control panel
    > and then running Spy Bot....
    >
    > Using the host file will only mask part of the problem, not fix it in
    > any way.
    >


    I'll agree that one must find the real problem as to the compromise. But
    I also think that using the Host as a prevention tool is a viable
    solution for the overall protection of the machine. To me, this Host is
    more than just about doing some ad blocking.

    Duane :)
     
    Duane Arnold, Feb 2, 2004
    #6
  7. James Bond

    curious Guest

    Duane Arnold <> wrote in message news:<Xns948379F1D28F6darnold92insightbbco@216.148.227.77>...

    <snip>

    >
    > I'll agree that one must find the real problem as to the compromise. But
    > I also think that using the Host as a prevention tool is a viable
    > solution for the overall protection of the machine. To me, this Host is
    > more than just about doing some ad blocking.
    >
    > Duane :)


    Should I do that as a preventive measure?
     
    curious, Feb 3, 2004
    #7
  8. James Bond

    Duane Arnold Guest

    (curious) wrote in
    news::

    > Duane Arnold <> wrote in message
    > news:<Xns948379F1D28F6darnold92insightbbco@216.148.227.77>...
    >
    > <snip>
    >
    >>
    >> I'll agree that one must find the real problem as to the compromise.
    >> But I also think that using the Host as a prevention tool is a viable
    >> solution for the overall protection of the machine. To me, this Host
    >> is more than just about doing some ad blocking.
    >>
    >> Duane :)

    >
    > Should I do that as a preventive measure?


    It's not a stop all solution but it does help. There are some
    applications written for WEB usage that have the IP of a WEBsite hard
    coded in the application. But most applications are going to use a DNS
    for the site hard coded in the application. By using a DNS in the code,
    the IP for the DNS must be resolved by the computer. Usually, the DNS is
    at the ISP, on a Domain in a closed MS network, or the computer itself
    can resolve the DNS to IP if there is a Host file. If the HOST file does
    have a DNS in it and it's set to the Loopback IP, then the access to the
    site will be blocked as the request is returned back to the machine. It
    doesn't matter if you have some WEB application or some batch
    application/program running that's doing a lookup by DNS to resolve the
    IP to access a WEBsite it will be blocked from accessing the site.

    Also, configuring a browser such as IE's security settings properly and
    not leaving them in their default out of the box state helps as well,
    along with using one's common sense and not having the happy fingers that
    click unknowingly.

    Duane :)
     
    Duane Arnold, Feb 3, 2004
    #8
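
The hosts-file behaviour described in the post above cuts both ways: a name mapped to loopback is blocked, while a name mapped to any other address is silently sent there. The following is an added example, not code from any poster; it audits hosts-file text for both cases, and the sample file, its entries and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file for illustration (not taken from the thread).
SAMPLE_HOSTS = """\
127.0.0.1      localhost
127.0.0.1      searchcentral.cc www.searchcentral.cc  # user-added block
0.0.0.0        ads.example.test
203.0.113.7    www.google.com google.com              # entry nobody admits adding
not-an-ip      broken.example.test
"""

# Names that normally point at the local machine and are not "blocks".
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: not a usable entry
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")


def audit_hosts(text):
    """Return (blocked, redirected): names sunk to this machine vs. sent elsewhere."""
    blocked, redirected = {}, {}
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES or name in blocked or name in redirected:
            continue  # this audit keeps only the first entry seen for a name
        if ip.is_loopback or ip.is_unspecified:
            blocked[name] = str(ip)
        else:
            redirected[name] = str(ip)
    return blocked, redirected


if __name__ == "__main__":
    blocked, redirected = audit_hosts(SAMPLE_HOSTS)
    for name, ip in blocked.items():
        print(f"blocked     {name} -> {ip}")
    for name, ip in redirected.items():
        print(f"REDIRECTED  {name} -> {ip}  (review: who added this?)")
```
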
  9. James Bond

    CyberDroog Guest

    On 2 Feb 2004 22:32:45 -0800, (curious) wrote:

    >Duane Arnold <> wrote in message news:<Xns948379F1D28F6darnold92insightbbco@216.148.227.77>...
    >
    ><snip>
    >
    >>
    >> I'll agree that one must find the real problem as to the compromise. But
    >> I also think that using the Host as a prevention tool is a viable
    >> solution for the overall protection of the machine. To me, this Host is
    >> more than just about doing some ad blocking.
    >>
    >> Duane :)

    >
    > Should I do that as a preventive measure?


    A HOSTS file isn't a bad security measure, but IP's for adware can always
    change and keeping up the HOSTS file can become a chore.

    An easier solution is to use something like PopUpCop
    (http://www.popupcop.com/) to prevent malicious activity and warn you when
    web sites are trying to hose your system (via Java Script, ActiveX, etc.)

    ---
    When under the pretext of fraternity, the legal code imposes mutual sacrifices
    on the citizens, human nature is not thereby abrogated. Everyone will then
    direct his efforts toward contributing little to, and taking much from, the
    common fund of sacrifices. Now, is it the most unfortunate who gains from this
    struggle? Certainly not, but rather the most influential and calculating.

    - Fredric Bastiat
     
    CyberDroog, Feb 3, 2004
    #9
  10. James Bond

    Duane Arnold Guest

    CyberDroog <> wrote in
    news::

    > On 2 Feb 2004 22:32:45 -0800, (curious)
    > wrote:
    >
    >>Duane Arnold <> wrote in message
    >>news:<Xns948379F1D28F6darnold92insightbbco@216.148.227.77>...
    >>
    >><snip>
    >>
    >>>
    >>> I'll agree that one must find the real problem as to the compromise.
    >>> But I also think that using the Host as a prevention tool is a
    >>> viable solution for the overall protection of the machine. To me,
    >>> this Host is more than just about doing some ad blocking.
    >>>
    >>> Duane :)

    >>
    >> Should I do that as a preventive measure?

    >
    > A HOSTS file isn't a bad security measure, but IP's for adware can
    > always change and keeping up the HOSTS file can become a chore.
    >
    > An easier solution is to use something like PopUpCop
    > (http://www.popupcop.com/) to prevent malicious activity and warn you
    > when web sites are trying to hose your system (via Java Script,
    > ActiveX, etc.)
    >
    > ---
    > When under the pretext of fraternity, the legal code imposes mutual
    > sacrifices on the citizens, human nature is not thereby abrogated.
    > Everyone will then direct his efforts toward contributing little to,
    > and taking much from, the common fund of sacrifices. Now, is it the
    > most unfortunate who gains from this struggle? Certainly not, but
    > rather the most influential and calculating.
    >
    > - Fredric Bastiat
    >


    Thanks, I may take a look at POPUpCop, since I am using POPUP Stopper
    (free). The only third party tool I'll use is BlackIce's Application
    Control that has stepped in a couple of times behind the browser on the
    protection. I do like to go to the O/S when it comes to security
    configuration, like IE. I have gone to IE and configured it such that it
    just won't start downloading ActiveX controls and executing Java Scripts
    on its own.

    Yes, I understand that the data of the Host file will change from time to
    time due to websites coming and going. I also hear that you can obtain
    updated Host files as well.

    To me, it's just part of the mix of trying to keep the crap at bay.

    Duane :)
     
    Duane Arnold, Feb 3, 2004
    #10
  11. James Bond

    Xplosion Guest

    Dear James,

    I had the same problem, but spybot does not seem to recognize this
    one.

    The application responsible for this behavior is called

    Open Site

    You can remove it by Add/Remove Programs.

    You may want to check whether all registry entries get deleted.

    For your reference follow this

    http://sarc.com/avcenter/venc/data/adware.opensite.html



    Xplosion
     
    Xplosion, Feb 4, 2004
    #11
  12. James Bond

    Unregistered Guest

    What this thing does is edit your registry file somehow and update the
    default search.. I keep deleting the page and somehow it keeps updating
    back in my registry.

    Unregistered
     
    Unregistered, Feb 4, 2004
    #12
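
The posts above report the home page and default search being rewritten in the registry, and the first post notes the home page is set to a bare IP. The following is an added example, not code from any poster; it reads a regedit export of Internet Explorer's Main key and flags such values. The sample export and the allow-list are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Internet Explorer values that hold the home page and search pages.
WATCHED = {"start page", "search page", "search bar"}

# Constructed sample of a regedit export; the IP is the one the first post reports.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://81.211.105.43/"
"Search Page"="http://www.google.com"
"Window Title"="Internet Explorer"
'''


def parse_reg_strings(text):
    """Return {(key, value_name): data} for the string values in a .reg export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
        if key and m:
            # .reg files escape backslashes and quotes with a backslash
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            values[(key, name)] = data
    return values


def host_is_ip(host):
    """True when the host part of a URL is an IP literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_ie_pages(text, allowed_hosts):
    """List (value_name, data, reason) for watched values that look hijacked."""
    findings = []
    for (key, name), data in parse_reg_strings(text).items():
        if not key.lower().endswith(r"\internet explorer\main"):
            continue
        if name.lower() not in WATCHED:
            continue
        host = urlsplit(data).hostname or ""
        if host_is_ip(host):
            findings.append((name, data, "host is a bare IP address"))
        elif host not in allowed_hosts:
            findings.append((name, data, "host not in allow-list"))
    return findings
```

Running the same check on exports taken before and after a cleanup pass shows whether something is still writing the value back.
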
  13. James Bond

    johns Guest


    > Can someone please help me figure out how to find the pervasive code that
    > is taking over my browser and eradicate it.


    First thing, go off line. That hijacker will phone home and
    reload over and over and over. Next, do a search for every file
    that is dated at and after the time of infection ... you are looking
    for the dropper. It will be there, and hard as hell to find. I've
    found it in a 2nd recycle bin directory that is bogus ... also in
    a "name" directory in System32 .. there's probably others.
    Run AdWare6.0 that has been recently updated ( go to another
    computer and dl it ) and delete all that crap. Run Spybot, and
    delete all that crap. Reboot. If the stuff comes back .. AND IT
    WILL ... search again for the dropper directory, and go delete
    the entire directory. Delete Temporary Internet Files .. and
    delete the Temp directory ( under local settings ). Go look
    at Services and see if you see a weirdo running. See what
    directory contains it, and go look there. If there are "new"
    dated files in that directory .. that is probably the dropper.
    Delete it if you feel safe doing so .. or if Adware or Spybot
    has been in that directory. Note: if you are running XP, you
    must shut off System Restore .. My Computer > properties
    > System Restore .. uncheck box. Also Note: I never do
    any of this. I have a whopping big hard drive, and I image
    my C-drive. If a hijacker gets me .. I boot to floppy with
    recovery disks, and reimage. Screw all that effort. Reimage
    takes 30 - 40 minutes, and I spend that time ice skating :)

    johns
     
    johns, Feb 6, 2004
    #13
  14. James Bond

    Robin T Cox Guest

    James Bond <> wrote in
    news:Xns94837212ECB95jbonduniversalexport@140.99.99.130:

    > Can someone please help me figure out how to find the pervasive code
    > that is taking over my browser and eradicate it.
    >


    See:
    http://www.spywareinfo.com/articles/hijacked/
     
    Robin T Cox, Feb 6, 2004
    #14