Pages automatically "hijacked" to porn sites (not related to URL)

  • Thread starter Thread starter Andrea
  • Start date Start date
A

Andrea

This is a fun one that's causing me problems at work!

When I log in to a site I've used hundreds of times
before, www.backflip.com, after I hit "enter", the page
gets hijacked to a porn site called akril.com, opens lots
more windows, etc.

This only happens when I check the site from my computer
at work, on which I've just installed IE6. It doesn't
happen on colleagues' computers. I e-mailed the website,
thinking it was a problem on their end, but they haven't
seen any other reports and can't replicate the problem.
He did say, however, that right at the moment the site
gets hijacked (log-in), there is Java script running, and
that it sounded like a virus on my end programmed to run
when java script runs.

I've searched my computer using our corporate version of
Norton Anti-Virus, to no avail.

Any ideas? Thanks so much. This is a website I need to
access for work, which is causing no end of hilarity among
my colleagues.
 
Hi Andrea - It sounds like you've been hijacked. If you go to this page
at Jim Eshelman's site, here: http://aumha.org/a/noads.htm and wait a
little bit (be patient), an analysis of a number of possible parasites
on your machine will be made to help you identify and remove them.
NOTE: You will need to disable Ad Blocking in Zone Alarm 3.x, if
present or any other Ad Blocking software which interferes with Java
Scripting for this scan to work. You should get a message between the
two lines of **** giving the results of the scan.

For the general hijack case, the best way to start is to get Ad-Aware
6.0, Build 162 or later, here:
http://www.lavasoftusa.com/support/download/. Update and run this
regularly to get rid of most "spyware/hijackware" on your machine.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I
recommend using both normally. After fixing things with SpyBot S&D, be
sure to re-boot and rerun SpyBot again and repeat this cycle until you
get a clean "no red" scan.


Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm

Lastly, a very useful utility for examining your system and correcting
problems is Hijack This, which you can download here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip See also,
HijackThis Quick Start Help, http://www.tomcoyote.org/hjt/ (Recommended)
This site has a number of useful references and information also:
http://www.spywareinfo.com/articles/hijacked/ and here
http://www.spywareinfo.com/downloads.php

Another program giving a good inventory of all of the possible start
vectors is AutostartExplorer, here: http://www.misec.net/aexp.jsp
While it doesn't allow control of startups, it's extremely comprehensive
in examining all of the possible sources. Highly Recommended

Next, go here: http://www.mlin.net/StartupCPL.shtml and get Mike Lin's
Startup Control Panel applet. A somewhat more difficult to use but
more extensive program to do the same thing is StartupList from here:
http://www.lurkhere.com/~nicefiles/index.html, or even better, Autoruns
from here:
http://www.sysinternals.com/ntw2k/source/misc.shtml#autoruns. Be very
careful about doing any Registry modifications directly unless you're
comfortable with this, and be sure that you BACKUP your Registry before
making any changes, so that you can recover if something goes wrong.
Changes made with StartUpCPL are less likely to cause problems, and are
usually a matter of just re-enabling the particular program. Another
program of this type that I can recommend is StartMan, free, here:
http://www.spywareinfo.com/downloads/startman/. If you have problems
with suspected hijackers, you can look up and investigate suspect
programs in your StartUp lists here:
http://www.pacs-portal.co.uk/startup_pages/startup_full.htm
(Recommended)
http://www.3feetunder.com/krick/startup/list.html (Recommended)
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm (Recommended)


Some hijackers install themselves as Browser Helper Objects. Get BHOCop
here: BHO Cop http://www.pcmag.com/article2/0,4149,270,00.asp
(Unfortunately, no longer free from that link but you can read about it
there, and here is a direct download link for it:
http://websec.arcady.fr/bhocop.zip) and take a look at what BHO's are
currently installed. Some things like AdShield and Acrobat are normal,
but if you see something that doesn't make any sense, try disabling it
and see if that helps. Another excellent program for this same purpose
is BHODemon, (still free) here: http://www.definitivesolutions.com/ or
here: http://www.spywareinfo.com/downloads/bhod/ I would recommend
both. You can also check/control BHO's using the Tools function of
SpyBot S&D.

There's good information about hijacking and fixes available here:

Andrew Clover's parasite page: http://www.doxdesk.com/parasite/
(Highly recommended)
Robert Allen's parasite page: http://allentech.net/parasite/index.phtml
(Highly recommended)
http://www.spywareinfo.com/hijacked.html
http://gmpservicesinc.com/Articles/hijack.asp (links here for .reg files
to lock and unlock your homepage, BTW. You can also use this program to
toggle locking/unlocking of your homepage:
http://www.dougknox.com/security/scripts/nosethomepage.vbs Recommended)
http://www.mvps.org/inetexplorer/answers.htm#home_page

Also, there's a new class of hijacker using Window's Messenger Service
(not Instant Messaging, BTW). See: Messenger Service Window That
Contains an Internet Advertisement Appears
http://support.microsoft.com/?id=330904 which identifies reasons to
keep this service and steps to take if you do. You can test your system
and follow the 'Prevention' link to get additional information here:
http://www.mynetwatchman.com/winpopuptester.asp Unless you have very
good reasons to keep this active, it should be turned off in Win2k and
XP. Go here and do what it says:
http://www.itc.virginia.edu/desktop/docs/messagepopup/ or, even better,
get MessageSubtract, free, here, which will give you flexible control of
the service and viewing of these messages:
http://www.intermute.com/messagesubtract/help.html Recommended.

Once you get this cleaned up, you might want to consider installing the
Browser Hijack Blaster, SpywareBlaster and SpywareGuard here to help
prevent this kind of thing from happening in the future:
http://www.wilderssecurity.com/bhblaster.html (Prevents malware BHO's)
http://www.wilderssecurity.com/spywareblaster.html (Prevents malware
Active X installs) (BTW, SpyWare Blaster is not memory resident ... no
CPU or memory load - but keep it updated) The latest version as of this
writing will prevent installation or prevent the malware from running if
it is already installed, and it provides information and fixit-links for
a variety of parasites.
http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts
to install malware) All three Very Highly Recommended.

See if any of this helps and post back with your results.


--
Regards, Jim Byrd, MS-MVP
Please respond in original thread in Newsgroup.




In [email protected], Andrea typed:
 
This is a fun one that's causing me problems at work!

When I log in to a site I've used hundreds of times
before, www.backflip.com, after I hit "enter", the page
gets hijacked to a porn site called akril.com, opens lots
more windows, etc.

This only happens when I check the site from my computer
at work, on which I've just installed IE6. It doesn't
happen on colleagues' computers. I e-mailed the website,
thinking it was a problem on their end, but they haven't
seen any other reports and can't replicate the problem.
He did say, however, that right at the moment the site
gets hijacked (log-in), there is Java script running, and
that it sounded like a virus on my end programmed to run
when java script runs.

I've searched my computer using our corporate version of
Norton Anti-Virus, to no avail.

Any ideas? Thanks so much. This is a website I need to
access for work, which is causing no end of hilarity among
my colleagues.

You have been hijacked by a porn dialer parasite.
Truncated deliberately to break hyperlink
http://connect.online-dialer.com/connect.php?did=od-stnd280&ufw=
http://xxxod.net/enter.php?did=o d-stnd280


Please take immediate action ~
~~~~~~~~~~~~~~~~~~~~
Download and run SpyBot Search & Destroy,
http://studserver.uni-dortmund.de/~su1669/spybotsd12.exe

SpyBot home: http://security.kolla.de
SpyBot How -To: http://www.tomcoyote.org/SPYBOT/

HTH


--
siljaline

"Arguing with anonymous strangers on the Internet is a sucker's game
because they almost always turn out to be -- or to be indistinguishable from
-- self-righteous sixteen-year-olds possessing infinite amounts of free time."
- Neil Stephenson, _Cryptonomicon_
 
Back
Top