browser hijack > eebuy.co.uk
Hello All,
Laptop running XP pro SP2
Def files SE1R126 12.10.2006
Profile based hijack (I think). Whenever I log in as myself, I get redirected to http://www.eebuy.co.uk no matter what address I put in the browser. Doesn't affect Firefox, just IE (ver 6.0.2900.2180). If I log in using the Admin account all ok.
Have started up in safe mode and then run a full system scan, deleted temp internet files, run another full system scan. The second full system scan drew a blank, but next time I logged in as normal, I was redirected to eebuy.co.uk.
Attached is Hijack This log. hijackthisJsl3.txt
Attached is adaware log. adawarejsl3.txt
Any help much appreciated.
-
Hello,
I am having the same problem with some PCs at my work. If anyone has any ideas, please post here. No virus/spyware/adaware found on any PC or server.
0 -
Would love to hear a solution too... I'm getting exactly the same problem for users on a Citrix box where IE6 is a published application. Running on Windows Server 2003 SP1. If I log on as an administrator though IE6 behaves normally.
0 -
I have had the same at the place where I work.
I have seen the spread of this both in profiles and as a worm like effect.
The effects of the "virus" are caused by it placing a "Windows Proxy Auto-Detect" (WPAD.DAT) file onto your computer and then making you use it (typically into C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5 or similar).
We have found that if we block the website at our firewall (so that no computers can go to it) then the affected computers try to go to their designated proxy and when they can't just go to the requested website by whatever method they used previously (directly or by their previously set proxy etc).
Also we have found that adding the October patches from Microsoft seems to have a similar effect (i.e. stopping the redirection) but for no readily apparent reason.
Also we don't know if this fixes the computers or just leaves them infected with whatever it is but stops the redirection taking place.
0 -
thank you I'll give that a shot on our network.
[update]
If you can block traffic to 81.149.130.33
This is the BT IP where eebuy.co.uk is running from.
Abuse contact -
abuse@bt.net - for the IP address
abuse@123-reg.o.uk - for the domain name
the text of the file it installs is -
function FindProxyForURL(url, host) { return "PROXY eebuy.co.uk:80; DIRECT"; }
[/update]
0 -
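Added example, not part of the original thread: a static check that an administrator could run over a collected WPAD.DAT or PAC file to flag proxy hosts that are not on an approved list. The function name auditPac and the allowlisted host proxy.corp.example are hypothetical; the file text is read but never executed.

```javascript
// Static audit of a PAC/WPAD file: list proxy directives whose host is not approved.
// Limitation: a file that builds its return string by concatenation is not caught.

// String literals in the PAC source (double- or single-quoted).
const STRING_LITERAL = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
// Directive keywords that may appear in a FindProxyForURL return string.
const DIRECTIVE = /\b(PROXY|SOCKS5|SOCKS4|SOCKS|HTTPS|HTTP)\s+([^\s;"']+)/gi;

// Split "host:port" or "[v6]:port" into a lower-cased host and numeric port.
function splitHostPort(target) {
  const m = /^(\[[^\]]+\]|[^:]+)(?::(\d+))?$/.exec(target);
  if (!m) return { host: target.toLowerCase(), port: null };
  return {
    host: m[1].toLowerCase().replace(/\.$/, ''),
    port: m[2] ? Number(m[2]) : null,
  };
}

// Return one finding per proxy directive that points outside allowedHosts.
function auditPac(pacText, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  for (const lit of pacText.matchAll(STRING_LITERAL)) {
    const body = lit[1] !== undefined ? lit[1] : lit[2];
    for (const d of body.matchAll(DIRECTIVE)) {
      const { host, port } = splitHostPort(d[2]);
      if (!allowed.has(host)) {
        findings.push({ type: d[1].toUpperCase(), host, port });
      }
    }
  }
  return findings;
}

// File text as quoted in the thread above.
const hijackedPac =
  'function FindProxyForURL(url, host) { return "PROXY eebuy.co.uk:80; DIRECT"; }';
// Constructed sample of a legitimate corporate PAC file (hypothetical host).
const corporatePac =
  'function FindProxyForURL(url, host) {\n' +
  '  if (isPlainHostName(host)) return "DIRECT";\n' +
  '  return "PROXY proxy.corp.example:8080; DIRECT";\n' +
  '}';

const APPROVED = ['proxy.corp.example']; // assumption: your own proxy hosts
console.log(auditPac(hijackedPac, APPROVED));
console.log(auditPac(corporatePac, APPROVED));
```
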
Thanks for that. I've managed another workaround. In IE in Tools, Internet Options, Connections and in the LAN settings, take the tick off the "Automatically Detect Settings". This can also be enforced through GPO - User Config, Windows Settings, Internet Explorer Maintenance, Connection.
Doesn't sort out the 'infection itself' but until then this is working.
0 -
Thanks for all your replies all.
Martialalmac, that works for me too, so I'm putting that out on the GPO until there is a fix.
Thanks again,
Jon
0 -
thank you I'll give that a shot on our network.
[update]
If you can block traffic to 81.149.130.33
This is the BT IP where eebuy.co.uk is running from.
Abuse contact -
abuse@bt.net - for the IP address
abuse@123-reg.o.uk - for the domain name
the text of the file it installs is -
function FindProxyForURL(url, host) { return "PROXY eebuy.co.uk:80; DIRECT"; }
[/update]
I have had this problem occur in the last couple of days.. and it appears to have no pattern.
Random PCs on my network are affected, I cannot tie it down to a PC or profile problem.
The GPO suggestion works fine.
I am keen for a proper fix though
0 -
Did you try my suggestion too?
Martialalmac.
0 -
Did you try my suggestion too? Martialalmac.
Just edited my post, the PC I looked at for the test didn't apply my GPO change as it was exempt (Sod's law)
Thanks anyway
0 -
Glad it works.
Couldn't agree more... this appears to be spreading quite a lot and a proper fix would be very welcome!
0