possible infection

Discussion in 'malware problems & news' started by lodore, Nov 29, 2006.

Thread Status:
Not open for further replies.
  1. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Hi, someone I know uses IE7 as their main browser and AntiVir as their AV.
    Whenever they spell a page wrong they get redirected to sedoparking.com
    instead of the default page. What infection is this, and how do I check to see what page it redirects to under IE7 options?
    I used to be able to find it in IE6 settings but can't find it in IE7 settings.

    I'm mainly worried about the fact that the person's PC keeps redirecting to sedoparking.com and I don't know why.
    It must be an infection.
    Thanks in advance
    lodore
     
    Last edited: Nov 29, 2006
  2. ravin

    ravin Registered Member

    Joined:
    May 2, 2003
    Posts:
    241
    Location:
    South Carolina
    Last edited: Nov 29, 2006
  3. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    C'mon, someone must know what malware keeps redirecting to sedoparking.com.
    lodore
     
  4. ravin

    ravin Registered Member

    Joined:
    May 2, 2003
    Posts:
    241
    Location:
    South Carolina
    As per the previous post it's a hijacker, but according to Microsoft here
    http://research.microsoft.com/URLTracer/ it's a typosquatter, whatever that is, but they are definitely on Microsoft's list. Sorry I couldn't be more helpful o_O
     
  5. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Thanks, and I hope someone can help me get rid of it off their PC.

    Also I need to point out this is a public hotspot near a uni for student accommodation, and the internet has been down for 3 days.
    I'm guessing the router or server higher up the line got hacked and is now redirecting people.

    They will try the laptop at uni tomorrow, and if it works there it's the network.
    lodore
     
    Last edited: Nov 29, 2006
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Have you tried picking through the Registry to remove references to sedoparking.com and replacing them with the default entry?

    You'd need to look at:-

    *\Software\Microsoft\Internet Explorer\Main

    where * = HKCU, HKLM and HKU

    Or you could use an app to do it (CounterSpy is very good at this, enabling you to put everything back to default at the click of a mouse). Then at least you could see whether the page gets changed back again or not (if not then end of problem).

    You could also have a look at the Hosts File to see if there is any redirecting going on from there.
     
  7. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Haven't tried that yet.
    What about the SuperAntiSpyware repairs?
    lodore
     
  8. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Lodore,

    Is this only happening when you misspell a URL? If so then this is normal and not an indication of malware on your system. Typosquatting is where someone registers misspelt names so you see their site if you enter their domain name in error.
     
  9. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    It seems to be lego.com and other correctly spelt websites as well,
    so it might be a malware infection.
    It's not on my PC, it's on another person's PC.
    Where do I start?
    SuperAntiSpyware scan and the special repairs?
    Also, what could I use on the laptop to stop it happening again?
    Mainly something to protect browser settings?
    lodore
     
    Last edited: Nov 29, 2006
  10. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I don't use SAS, but the Tools/Browser Pages section of SpyBot S&D enables you to make the changes. I believe Windows Defender does as well.
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    In that case, try the following steps:

    Check that your system is resolving addresses properly

    Open a command prompt window and type ping lego.com. You should receive a response similar to:

    Pinging lego.com [64.29.221.104] with 32 bytes of data:

    Reply from 64.29.221.104: bytes=32 time=425ms TTL=238
    Reply from 64.29.221.104: bytes=32 time=429ms TTL=237
    Reply from 64.29.221.104: bytes=32 time=431ms TTL=237
    Reply from 64.29.221.104: bytes=32 time=551ms TTL=238


    The important thing to check is the address - if it is not 64.29.221.104 then your computer is getting the wrong IP address. This could be due to a hosts file entry for lego.com (unlikely but possible) or a DNS problem with your ISP (either cache poisoning or deliberate misdirection). To correct the latter, configure your system to use OpenDNS instead.

    Check for webpage redirection

    Try accessing the Lego Homepage via a proxy server (e.g. via Babelfish, PimpProxy or Proxy7). If the proxies work and the main link doesn't then your web requests are being redirected. This could be by proxy software on your system, a proxy server on the network or even the ISP (they would typically only do this though if they wished to quarantine a PC believed to be participating in a DDoS attack). Connecting to the Internet via another ISP to see if the results change would be the best method of checking this - if the results stay the same, then the cause is local.

    If you tie the cause down to redirection by your ISP or network administrator, then you need to contact them to ask why - they may have a policy of blocking access to certain sites or they may have quarantined your PC (which may be for a good reason or a case of mistaken identity).
     
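The two local checks from the post above (a hosts-file entry pinning lego.com, and the resolver returning an unexpected address), as an added example that is not part of the original thread. The hosts-file text and the 198.51.100.7 address are constructed; the expected address is the one the post quotes for 2006 and is only a placeholder today, and `resolver` can be swapped for a stub so the check runs offline.

```python
import socket
from typing import Callable, Dict, List

# Constructed sample hosts file (not from the thread). A hijacker that pins a
# public domain to a parking server would add a line like the last one.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
198.51.100.7    lego.com www.lego.com   # suspicious: public domain pinned
"""

# Address the thread quotes for lego.com in 2006; a placeholder, not current.
EXPECTED_LEGO = "64.29.221.104"


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each hostname in hosts-file text to the addresses pinned to it."""
    pins: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            pins.setdefault(name.lower(), []).append(addr)
    return pins


def hosts_overrides(text: str, domain: str) -> List[str]:
    """Addresses the hosts file forces for `domain`, bypassing DNS entirely."""
    return parse_hosts(text).get(domain.lower(), [])


def check_resolution(domain: str, expected: str,
                     resolver: Callable[[str], str] = socket.gethostbyname) -> dict:
    """Resolve `domain` and report whether it matches the expected address.

    `resolver` defaults to the live system resolver (hosts file first, then DNS);
    pass a stub to exercise the check without network access.
    """
    try:
        got = resolver(domain)
    except OSError as exc:          # socket.gaierror is an OSError subclass
        return {"domain": domain, "resolved": None, "ok": False, "error": str(exc)}
    return {"domain": domain, "resolved": got, "ok": got == expected}


if __name__ == "__main__":
    print("hosts overrides for lego.com:", hosts_overrides(SAMPLE_HOSTS, "lego.com"))
    print(check_resolution("lego.com", EXPECTED_LEGO, resolver=lambda d: "198.51.100.7"))
```

Any entry for a public domain in the hosts file (anything other than localhost-style names) is worth questioning; a mismatch with no hosts entry points at the DNS path instead, which is where the post's OpenDNS suggestion applies.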
  12. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Thanks Paranoid2000.
    Today all links open fine at the same place.
    It must have been that the server got infected and was redirecting.
    At least I now know.
    lodore
     
    Last edited: Nov 30, 2006