
browser hijack > eebuy.co.uk

Comments

10 comments

  • Customer

    Hello,

     

    I am having the same problem with some PCs at my work. If anyone has any ideas, please post here. No virus/spyware/adware found on any PC or server.

    0
  • Customer

    Would love to hear a solution too... I'm getting exactly the same problem for users on a Citrix box where IE6 is a published application. Running on Windows Server 2003 SP1. If I log on as an administrator though IE6 behaves normally.

    0
  • Customer

    I have had the same at the place where I work.

     

    I have seen the spread of this both in profiles and as a worm like effect.

     

    The effects of the "virus" are caused by it placing a "Windows Proxy Auto-Detect" (WPAD.DAT) file onto your computer and then making you use it (typically into C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5 or similar).

     

    We have found that if we block the website at our firewall (so that no computers can go to it) then the affected computers try to go to their designated proxy and when they can't just go to the requested website by whatever method they used previously (directly or by their previously set proxy etc).

     

    Also we have found that adding the October patches from Microsoft seems to have a similar effect (i.e. stopping the redirection) but for no readily apparent reason.

     

    Also we don't know if this fixes the computers or just leaves them infected with whatever it is but stops the redirection taking place.

    0
  • Customer

    Thank you, I'll give that a shot on our network.

     

     

    [update]

     

    If you can block traffic to 81.149.130.33

    This is the BT IP where eebuy.co.uk is running from.

     

    Abuse contact -

    abuse@bt.net - for the IP address

     

    abuse@123-reg.o.uk - for the domain name

     

    the text of the file it installs is -

     

    function FindProxyForURL(url, host) { return "PROXY eebuy.co.uk:80; DIRECT"; }

     

     

    [/update]

    0
  • Customer

    Thanks for that. I've managed another workaround. In IE in Tools, Internet Options, Connections and in the LAN settings, take the tick off "Automatically Detect Settings". This can also be enforced through GPO - User Config, Windows Settings, Internet Explorer Maintenance, Connection.

     

    Doesn't sort out the 'infection itself' but until then this is working.

    0
  • Customer

    Thanks for all your replies all.

     

    Martialalmac, that works for me too, so I'm putting that out on the GPO until there is a fix.

     

    Thanks again,

     

    Jon

    0
  • Customer

    Thank you, I'll give that a shot on our network.

    [update]

     

    If you can block traffic to 81.149.130.33

    This is the BT IP where eebuy.co.uk is running from.

     

    Abuse contact -

    abuse@bt.net - for the IP address

     

    abuse@123-reg.o.uk - for the domain name

     

    the text of the file it installs is -

     

    function FindProxyForURL(url, host) { return "PROXY eebuy.co.uk:80; DIRECT"; }

    [/update]


    I have had this problem occur in the last couple of days, and it appears to have no pattern.

     

    Random PCs on my network are affected, I cannot tie it down to a PC or profile problem.

     

    The GPO suggestion works fine.

     

    I am keen for a proper fix though.

    0
  • Customer

    Did you try my suggestion too?

     

    Martialalmac.

    0
  • Customer

    Did you try my suggestion too?

     

    Martialalmac.


     

    Just edited my post, the PC I looked at for the test didn't apply my GPO change as it was exempt (sod's law).

     

    Thanks anyway

    0
  • Customer

    Glad it works.

     

    Couldn't agree more... this appears to be spreading quite a lot and a proper fix would be very welcome!

    0
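
The wpad.dat text quoted in the thread is a one-line proxy auto-config (PAC) script, so a file found on a machine can be checked without running it. The following is an added example, not code from any poster: it statically extracts the proxy directives from PAC source and flags endpoints outside an allowlist. `ALLOWED_PROXIES`, `proxy.corp.example:8080` and `CLEAN_PAC` are assumptions constructed for illustration.

```javascript
// Added example: static audit of the proxy directives in a PAC / wpad.dat file.
// ALLOWED_PROXIES is an assumption; replace it with your organisation's real proxies.
const ALLOWED_PROXIES = new Set(["proxy.corp.example:8080"]);

// Directive keywords that may appear in a FindProxyForURL return string.
const DIRECTIVE = /^(PROXY|SOCKS|SOCKS4|SOCKS5|HTTP|HTTPS)\s+(\S+)$/i;

// Pull every quoted string literal out of the PAC source without executing it.
function stringLiterals(pacSource) {
  const out = [];
  const re = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
  let m;
  while ((m = re.exec(pacSource)) !== null) {
    out.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return out;
}

// Return each proxy endpoint named in the file, marked allowed or not.
function auditPac(pacSource, allowed = ALLOWED_PROXIES) {
  const findings = [];
  for (const literal of stringLiterals(pacSource)) {
    for (const part of literal.split(";")) {
      const m = DIRECTIVE.exec(part.trim());
      if (!m) continue; // "DIRECT" or a string that is not a proxy directive
      const endpoint = m[2].toLowerCase();
      findings.push({ type: m[1].toUpperCase(), endpoint, allowed: allowed.has(endpoint) });
    }
  }
  return findings;
}

// True when the file routes traffic through any endpoint not on the allowlist.
function isSuspicious(pacSource, allowed = ALLOWED_PROXIES) {
  return auditPac(pacSource, allowed).some((f) => !f.allowed);
}

// File text exactly as quoted in the thread.
const THREAD_PAC =
  'function FindProxyForURL(url, host) { return "PROXY eebuy.co.uk:80; DIRECT"; }';
// Constructed sample of a legitimate corporate PAC file.
const CLEAN_PAC = `function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  return "PROXY proxy.corp.example:8080; DIRECT";
}`;

console.log(auditPac(THREAD_PAC));
console.log("clean file suspicious?", isSuspicious(CLEAN_PAC));
```

Proxy strings that a PAC script assembles at run time by concatenation are not resolved by this static check; treat a file that builds its directives dynamically as needing manual review.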
