Something hijacking URLs and directing browser to porno site

  • Thread starter: Shirley Worrall
Hi there,
Have you checked your Hosts file?

I don't think I had one until this problem began, but I was advised to
make one on a support forum (trying to solve this problem). I've
pasted it below. I cut and pasted the one that was recommended. I
don't know what to look for in it: if you see anything dodgy, please
let me know.

Slightly weirdly, I've just been to paste it, and now it's called
hosts.bak - I'm almost certain it didn't have any extension 2 nights
ago. It's in C:/windows/system32/drivers/etc. Could this be sinister?

Thanks again for any help,

Shirley

====
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
# AFAIR, the above was the shell file from Windows install - bts

# === Added because RR DNS server flips quads. Most won't need this.
204.127.161.11 inetnews.worldnet.att.net
# ===


# Block Google ads. Add additional servers as found.
127.0.0.1 pagead2.googlesyndication.com

# Block verisign takeover for non-existent domains
127.0.0.1 sitefinder.verisign.com
127.0.0.1 sitefinder-idn.verisign.com
#

# General: please keep alphabetical
127.0.0.1 2o7.net
127.0.0.1 a.tribalfusion.com
127.0.0.1 a88.g.akamai.net
127.0.0.1 a9.g.akamai.net
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.doubleclick.com
127.0.0.1 ad.uk.doubleclick.com
127.0.0.1 ad.uk.doubleclick.net
127.0.0.1 ad.iwin.com
127.0.0.1 ad.linksynergy.com
127.0.0.1 ad.network60.com
127.0.0.1 ad.trafficmp.com
127.0.0.1 adcontroller.unicast.com
127.0.0.1 adfarm.mediaplex.com
127.0.0.1 ad.abcnews.com
127.0.0.1 ad.usatoday.com
127.0.0.1 adimages.go.com
127.0.0.1 ads.abcnews.com
127.0.0.1 ads.adiscon.com
127.0.0.1 ads.democratandchronicle.com
127.0.0.1 ads.hitcents.com
127.0.0.1 ads.msn.com
127.0.0.1 ads.msnbc.com
#127.0.0.1 ads.osdn.com
127.0.0.1 ads.real.com
127.0.0.1 ads.realmedia.com
127.0.0.1 ads.sys-con.com
127.0.0.1 ads.vnuemedia.com
127.0.0.1 ads.web.aol.com
127.0.0.1 ads.x10.com
127.0.0.1 ads2.vx2.cc
127.0.0.1 adserv.lwmn.net
127.0.0.1 adserv.bravenet.com
127.0.0.1 adserv2.bravenet.com
# AT&T Marketing - block or not
127.0.0.1 aens.net
127.0.0.1 g6589dcs.nyc2.aens.net
#
127.0.0.1 aim.aol.com
127.0.0.1 aim-charts.pf.aol.com
127.0.0.1 aimexpress.oscar.aol.com
127.0.0.1 aimtoday.aol.com
127.0.0.1 ar.atwola.com
127.0.0.1 arc3.msn.com
127.0.0.1 auto.search.msn.com
127.0.0.1 bannerfarm.ace.advertising.com
127.0.0.1 brilliantdigital.com
127.0.0.1 bs.serving-sys.com
127.0.0.1 burstnet.com
127.0.0.1 carrotink.com
127.0.0.1 c1.zedo.com
127.0.0.1 c2.zedo.com
127.0.0.1 c3.zedo.com
127.0.0.1 c4.zedo.com
127.0.0.1 click.linksynergy.com
127.0.0.1 clickthru.online.com
127.0.0.1 creative.floppybank.com
127.0.0.1 colonize.com
# 127.0.0.1 connect.247media.ads.link4ads.com
127.0.0.1 doubleclick.com
127.0.0.1 doubleclick.net
127.0.0.1 extreme-dm.com
127.0.0.1 flycast.com
127.0.0.1 fortunecity.com
127.0.0.1 gcirm.DemocratandChronicle.com
127.0.0.1 hitbox.com
127.0.0.1 ehg-attworldnet.hitbox.com
127.0.0.1 ehg-rr.hitbox.com
127.0.0.1 imgfarm.snv.mediaplex.com
127.0.0.1 imrworldwide.com
127.0.0.1 inforocket.com
127.0.0.1 jqkserv2.net # Netscape 7 wants to access this at startup
127.0.0.1 login.oscar.aol.com
127.0.0.1 ln.doubleclick.net
127.0.0.1 lubid.lycos.com
127.0.0.1 m.doubleclick.net
127.0.0.1 m2.doubleclick.net
127.0.0.1 match.com
127.0.0.1 media.fastclick.net
#127.0.0.1 msn.com
#127.0.0.1 msnbc.com
127.0.0.1 network.realmedia.com
127.0.0.1 offers.mailpref.go.com
127.0.0.1 popup.msn.com
127.0.0.1 qksrv.net
127.0.0.1 qserv.zdnet.com
127.0.0.1 redsheriff.com
127.0.0.1 scrooge.ibsys.com
127.0.0.1 servedby.advertising.com
127.0.0.1 server-uk.imrworldwide.com
127.0.0.1 service.bfast.com
127.0.0.1 specificclick.net
127.0.0.1 speedyclick.com
127.0.0.1 statse.webtrendslive.com
127.0.0.1 t0.extreme-dm.com
127.0.0.1 t1.extreme-dm.com
127.0.0.1 timeinc.net
127.0.0.1 transfer.go.com
127.0.0.1 u0.extreme-dm.com
127.0.0.1 u1.extreme-dm.com
127.0.0.1 us.a1.yimg.com
127.0.0.1 v0.extreme-dm.com
127.0.0.1 view.atdmt.com
127.0.0.1 view.optamail.com
127.0.0.1 www.aim.com
127.0.0.1 www.consumerinfo.com
127.0.0.1 www.eshopxml.msn.com
127.0.0.1 www.freebanners.com
127.0.0.1 www.hightrafficads.com
127.0.0.1 www.kscasino.com
127.0.0.1 www.refsnesdata.no
127.0.0.1 www.qksrv.net
127.0.0.1 www.qwestdex.com
127.0.0.1 www.yourfreecamera.com
127.0.0.1 www2.consumercreditusa.com
127.0.0.1 x10.com
127.0.0.1 z1.adserver.com
# Please keep alphabetical

# Paste in Comet Cursor sites
# found this list in grc.spyware message
127.0.0.1 beta.cometsystems.com
127.0.0.1 comet.com
127.0.0.1 cometcursor.com
127.0.0.1 cometsystems.com
127.0.0.1 cometzone.com
127.0.0.1 cometzone.cometsystems.com
127.0.0.1 cometzone.qa.cometsystems.com
127.0.0.1 content.cometsystems.com
127.0.0.1 cps.yn.cometsystems.com
127.0.0.1 cursors.cometsystems.com
127.0.0.1 czfarm.cometsystems.com
127.0.0.1 czfiles.cometsystems.com
127.0.0.1 download.cometsystems.com
127.0.0.1 files.cometsystems.com
127.0.0.1 files2.cometsystems.com
127.0.0.1 hale-bopp.cometsystems.com
127.0.0.1 livecursors.dev.cometsystems.com
127.0.0.1 log.cc.cometsystems.com
127.0.0.1 mcc.cometsystems.com
127.0.0.1 md.yn.cometsystems.com
127.0.0.1 mockups.cometsystems.com
127.0.0.1 mycometcursor.com
127.0.0.1 NS1.COMETSYSTEMS.COM
127.0.0.1 NS2.COMETSYSTEMS.COM
127.0.0.1 pa.yn.cometsystems.com
127.0.0.1 pm.yn.cometsystems.com
127.0.0.1 reg.cc.cometsystems.com
127.0.0.1 sk.cc.cometsystems.com
127.0.0.1 terisias.cometsystems.com
127.0.0.1 ver.cc.cometsystems.com
127.0.0.1 www.comet.com
127.0.0.1 www.cometcursor.com
127.0.0.1 www.cometsystems.com
127.0.0.1 www.cometzone.com
127.0.0.1 www.livecursors.com
127.0.0.1 www.mycometcursor.com
127.0.0.1 yellownet.cometsystems.com
127.0.0.1 alma.dev.cometsystems.com
127.0.0.1 alma.qa.cometsystems.com
127.0.0.1 aphrodite.cometsystems.com
127.0.0.1 asimov.cometsystems.com
127.0.0.1 beta-test.dev.cometsystems.com
127.0.0.1 beta.cometsystems.com
127.0.0.1 chat.cometsystems.com
127.0.0.1 cometobuy.cj.com
127.0.0.1 csdev01.dev.cometsystems.com
127.0.0.1 csdev02.cometsystems.com
127.0.0.1 csprod01.cometsystems.com
127.0.0.1 csprod05.cometsystems.com
127.0.0.1 csprod06.cometsystems.com
127.0.0.1 csprod08.cometsystems.com
127.0.0.1 czfiles-1.cometsystems.com
127.0.0.1 czfiles-2.cometsystems.com
127.0.0.1 dhcp152.cometsystems.com
127.0.0.1 digex-gw.cometsystems.com
127.0.0.1 download.dev.cometsystems.com
127.0.0.1 download2.cometsystems.com
127.0.0.1 download3.cometsystems.com
127.0.0.1 downloadaccelerator.com
127.0.0.1 downlocometsystems.com
127.0.0.1 exodus.cometsystems.com
127.0.0.1 fgc-gw.cometsystems.com
127.0.0.1 files.dev.cometsystems.com
127.0.0.1 galileo.cometsystems.com
127.0.0.1 guys.cometsystems.com
127.0.0.1 halley.cometsystems.com
127.0.0.1 helium.cometsystems.com
127.0.0.1 hydrogen.cometsystems.com
127.0.0.1 jupiter.cometsystems.com
127.0.0.1 kepler.cometsystems.com
127.0.0.1 liko.cometsystems.com
127.0.0.1 lists.cometsystems.com
127.0.0.1 lithium.cometsystems.com
127.0.0.1 mcc.qa.cometsystems.com
127.0.0.1 minerva.cometsystems.com
127.0.0.1 neon.cometsystems.com
127.0.0.1 neptune.cometsystems.com
127.0.0.1 NS1.COMETSYSTEMS.COM
127.0.0.1 NS2.COMETSYSTEMS.COM
127.0.0.1 sagan.cometsystems.com
127.0.0.1 saturn.cometsystems.com
127.0.0.1 savvis-gw.cometsystems.com
127.0.0.1 ssn.cc.cometsystems.com
127.0.0.1 uranus.cometsystems.com
127.0.0.1 venus.cometsystems.com
127.0.0.1 voyager1.cometsystems.com
127.0.0.1 www.qa.cometsystems.com
# End paste of Comet Cursor sites

# AOL instant messenger ads
127.0.0.1 ads.aol.com
127.0.0.1 ads.web.aol.com
127.0.0.1 affiliate.aol.com
127.0.0.1 aimtoday.aol.com
127.0.0.1 free.aol.com
127.0.0.1 p.specialoffers.aol.com
127.0.0.1 specialoffers.aol.com
# End AOL instant messenger

# Red Sheriff - new tracking company
127.0.0.1 dk.imrworldwide.com
127.0.0.1 fe-au.imrworldwide.com
127.0.0.1 fe1-au.imrworldwide.com
127.0.0.1 fe1-fi.imrworldwide.com
127.0.0.1 fe1-it.imrworldwide.com
127.0.0.1 fe2-au.imrworldwide.com
127.0.0.1 fe2-gc.imrworldwide.com
127.0.0.1 fe3-au.imrworldwide.com
127.0.0.1 fe3-gc.imrworldwide.com
127.0.0.1 fe3-uk.imrworldwide.com
127.0.0.1 fe4-uk.imrworldwide.com
127.0.0.1 imrworldwide.com
127.0.0.1 lycos-eu.imrworldwide.com
127.0.0.1 ninemsn.imrworldwide.com
127.0.0.1 rc-au.imrworldwide.com
127.0.0.1 redsheriff.com
127.0.0.1 secure-au.imrworldwide.com
127.0.0.1 secure-uk.imrworldwide.com
127.0.0.1 secure-us.imrworldwide.com
127.0.0.1 secure-jp.imrworldwide.com
127.0.0.1 server-au.imrworldwide.com
127.0.0.1 server-br.imrworldwide.com
127.0.0.1 server-by.imrworldwide.com
127.0.0.1 server-ca.imrworldwide.com
127.0.0.1 server-de.imrworldwide.com
127.0.0.1 server-dk.imrworldwide.com
127.0.0.1 server-ee.imrworldwide.com
127.0.0.1 server-fi.imrworldwide.com
127.0.0.1 server-fr.imrworldwide.com
127.0.0.1 server-hk.imrworldwide.com
127.0.0.1 server-it.imrworldwide.com
127.0.0.1 server-jp.imrworldwide.com
127.0.0.1 server-lt.imrworldwide.com
127.0.0.1 server-lv.imrworldwide.com
127.0.0.1 server-no.imrworldwide.com
127.0.0.1 server-nz.imrworldwide.com
127.0.0.1 server-pl.imrworldwide.com
127.0.0.1 server-ru.imrworldwide.com
127.0.0.1 server-se.imrworldwide.com
127.0.0.1 server-sg.imrworldwide.com
127.0.0.1 server-stockh.imrworldwide.com
127.0.0.1 server-ua.imrworldwide.com
127.0.0.1 server-uk.imrworldwide.com
127.0.0.1 server-us.imrworldwide.com
127.0.0.1 telstra.imrworldwide.com
127.0.0.1 www.telstra.imrworldwide.com
127.0.0.1 www.imrworldwide.com
127.0.0.1 www.imrworldwide.com.au
127.0.0.1 www.redsheriff.com
# End Red Sheriff

#
# Add disabler for Opera
#

127.0.0.1 cdn1.adsdk.com
127.0.0.1 opera1-servedby.advertising.com
127.0.0.1 ins1.opera.com
127.0.0.1 ins2.opera.com
127.0.0.1 tribalfusion.com
127.0.0.1 a.tribalfusion.com
127.0.0.1 pagead-us.googlesyndication.com
127.0.0.1 bn.bfast.com # Opera ad server
 
Default said:
I don't think I had one until this problem began, but I was advised
to make one on a support forum (trying to solve this problem). I've
pasted it below. I cut and pasted the one that was recommended. I
don't know what to look for in it: if you see anything dodgy,
please let me know.

Doesn't look dodgy to me ... :-D

Since nothing in this hosts file redirects *TO* anything other than
127.0.0.1, that cannot be your problem.
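
The check described in the reply above (look for any entry that sends a name somewhere other than the local machine), as an added example that is not part of the original thread. The function name `audit_hosts` and the sample text are assumptions made for illustration: the sample is constructed in the style of the posted file, with one hypothetical redirect entry and two comment tails wrapped onto their own lines, as mail and news clients tend to produce.

```python
import ipaddress

# Constructed sample in the style of the posted hosts file. The 192.0.2.10
# entry is hypothetical (documentation address), not from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
name.
127.0.0.1 localhost
204.127.161.11 inetnews.worldnet.att.net
127.0.0.1 pagead2.googlesyndication.com
#127.0.0.1 ads.osdn.com
127.0.0.1 jqkserv2.net # Netscape 7 wants to access this at
startup
192.0.2.10 www.example.com   # constructed redirect entry
"""

def audit_hosts(text):
    """Return (redirects, malformed) for the text of a hosts file.

    redirects: (line_no, ip, name) where ip is not loopback or 0.0.0.0.
    malformed: (line_no, raw_line) for lines that are not valid entries.
    """
    redirects, malformed = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()   # drop any trailing comment
        if not entry:
            continue                           # blank or comment-only line
        fields = entry.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((line_no, raw))   # first column is not an address
            continue
        if len(fields) < 2:
            malformed.append((line_no, raw))   # address with no host name
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue                           # blocking entry, points at this PC
        for name in fields[1:]:
            redirects.append((line_no, str(ip), name.lower()))
    return redirects, malformed

if __name__ == "__main__":
    redirects, malformed = audit_hosts(SAMPLE_HOSTS)
    for line_no, ip, name in redirects:
        print(f"line {line_no}: {name} -> {ip}  (review this mapping)")
    for line_no, raw in malformed:
        print(f"line {line_no}: not a valid entry: {raw!r}")
```

Every name it lists resolves to whatever address the file gives, so each one needs a known reason to be there; malformed lines are ignored by the resolver but usually mean the file was damaged in copying.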
 
Have you checked your Hosts file?
I don't think I had one until this problem began, but I was advised to
make one on a support forum (trying to solve this problem). I've
pasted it below. I cut and pasted the one that was recommended. I
don't know what to look for in it: if you see anything dodgy, please
let me know.

Slightly weirdly, I've just been to paste it, and now it's called
hosts.bak - I'm almost certain it didn't have any extension 2 nights
ago. It's in C:/windows/system32/drivers/etc. Could this be sinister?

Thanks again for any help,

Shirley


Not sure what your OS is, but if W2000, ask on newsgroup
microsoft.public.win2000.general. Lots of OS and virus / spy experts over
there. If you have some other OS, search for it in the microsoft newsgroup
hierarchy.
 
Default said:
Slightly weirdly, I've just been to paste it, and now it's called
hosts.bak - I'm almost certain it didn't have any extension 2
nights ago. It's in C:/windows/system32/drivers/etc. Could this be
sinister?

Hmm, just realized you said it is: hosts.bak
That is a backup file you would get, with some editors, when you make
a change to the file.

Do you have Windows set to show all files? You should *also* see a
file named just hosts (with no extension) in that directory. If not,
then you have no working hosts file.
 
By way of an update...

I followed all the advice I was given - gratefully - but nothing I did
was able to prevent the redirection of my PC to the porno site when
clicking on the URL I posted, and other equally innocuous URLs.

However.... I returned from a couple of weeks' holiday a week or so
ago and it occurred to me this morning that I'd not had the
redirection experience since, and so I came back here and clicked
again on the URL. This time there was no problem - it's just sitting
there in my browser!

So, I have absolutely no idea at all what might have 'cured' the
problem, but I thought I'd report back, in case anyone who helped
remembers.

Thanks again for your help :-)
 
From: "Default NG ID" <[email protected]>

| By way of an update...
|
| I followed all the advice I was given - gratefully - but nothing I did
| was able to prevent the redirection of my PC to the porno site when
| clicking on the URL I posted, and other equally innocuous URLs.
|
| However.... I returned from a couple of weeks' holiday a week or so
| ago and it occurred to me this morning that I'd not had the
| redirection experience since, and so I came back here and clicked
| again on the URL. This time there was no problem - it's just sitting
| there in my browser!
|
| So, I have absolutely no idea at all what might have 'cured' the
| problem, but I thought I'd report back, in case anyone who helped
| remembers.
|
| Thanks again for your help :-)

I'm glad things got straightened out.

Thanx for updating this thread.
 
Default NG ID said:
By way of an update...

I followed all the advice I was given - gratefully - but nothing I did
was able to prevent the redirection of my PC to the porno site when
clicking on the URL I posted, and other equally innocuous URLs.

However.... I returned from a couple of weeks' holiday a week or so
ago and it occurred to me this morning that I'd not had the
redirection experience since, and so I came back here and clicked
again on the URL. This time there was no problem - it's just sitting
there in my browser!

So, I have absolutely no idea at all what might have 'cured' the
problem, but I thought I'd report back, in case anyone who helped
remembers.

Thanks again for your help :-)

Your call to your provider may have alerted them to an instance of DNS
poisoning on their end.

....or not...

Thanks for the followup.
 