General discussion

help punish this site

By tiza ·
I don't know if this qualifies as a discussion, but what I know is that I need help desperately.
You may guess from the topic that I am very angry, and I am. Somebody is causing me problems and if I knew them, I would kick their A** real bad. Thing is, my IE browser has been hijacked by this cheap stinker using IP: http://81.211.105.9. Every time I start Explorer (and I'm a heavy internet user), this site comes up first with the extension index.php?v=3, with the result that I am directed to these search engines: allsearch.ws and wetsearch.ws.
This is very annoying. I have tried all I could to remove the crap but I can't find where it's hiding, and it's the second time. The first time I had to re-install Windows so as to get rid of it, and now like crap it's back. Of course, apart from sharing with me your experiences, I would like to know if there are laws against this, and how I can make the a****** responsible pay for this bull***t; any way would suit me fine.
Please assist.

This conversation is currently closed to new comments.

All Comments

CoolSearch

by Joseph Moore In reply to HijackThis

Ah, something else interesting on the IP you posted. Now, I agree with Maxwell that helping you attack this site is WRONG and not something to do. But, I also agree with Oldefar that a little knowledge about the site is in order. Now, the web server HTTP headers you get from the web site (things your browser does not show you, but it received first before the HTML comes across) appear as follows:

HTTP/1.1 302 Found
Date: Sat, 10 Jan 2004 22:11:22 GMT
Server: Apache/1.3.28 (Unix) PHP/4.3.3
X-Powered-By: PHP/4.3.3
Location: http://cool-search.ws/
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html


What is important here is the Location tag, pointing to CoolSearch. They are evil, from what I have read on the spyware boards! With the CoolSearch spyware on your machine, you need to do something special to remove it, above and beyond Ad-aware and HijackThis. Those tools alone cannot remove the CoolSearch spyware; apparently, it is the worst one out there, writing itself all over the Registry.
But luckily, the guy who wrote HijackThis ALSO has an anti CoolSearch tool called CWShredder.
So, go to his home page:
http://www.spywareinfo.com/~merijn/
and click the Download link.
Then scroll down to the CWShredder section, and click the documentation link. That will tell you about just what is going on with CoolSearch, along with a link to get his removal tool.

Good luck!
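
Added example, not part of the original post or thread: a small offline parser that takes the response head quoted above and reports where the server sends the browser, resolving a relative Location and flagging a redirect to a different host. The request URL is an assumption assembled from the IP and "index.php?v=3" named in the opening post; nothing is fetched from the network.

```python
from urllib.parse import urljoin, urlsplit

# Assumption: request URL assembled from the opening post (IP + index.php?v=3).
REQUEST_URL = "http://81.211.105.9/index.php?v=3"
# Response head exactly as quoted in the post above.
RAW_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Sat, 10 Jan 2004 22:11:22 GMT\r\n"
    "Server: Apache/1.3.28 (Unix) PHP/4.3.3\r\n"
    "X-Powered-By: PHP/4.3.3\r\n"
    "Location: http://cool-search.ws/\r\n"
    "Connection: close\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_head(raw):
    """Split a raw response head into (status_code, {lower-cased name: value})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # ignore anything that is not "Name: value"
            headers.setdefault(name.strip().lower(), value.strip())
    return int(parts[1]), headers


def redirect_report(request_url, raw):
    """Describe where a response sends the browser, without fetching anything."""
    status, headers = parse_head(raw)
    report = {"status": status, "server": headers.get("server"),
              "redirect": False, "target": None, "cross_host": False}
    location = headers.get("location")
    if status in REDIRECT_CODES and location:
        target = urljoin(request_url, location)  # Location may be relative
        report.update(redirect=True, target=target,
                      cross_host=urlsplit(target).hostname != urlsplit(request_url).hostname)
    return report


if __name__ == "__main__":
    print(redirect_report(REQUEST_URL, RAW_RESPONSE))
```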

CW shredder

by Oz_Media In reply to CoolSearch

I've used CW Shredder before (it works well) but also have a friend who has written a very similar script and it is just part of the IE-Spy Ad process. From what I understand, and this could be wrong, CW Shredder is just part of the IE-Spy Ad script.

How does CW Shredder perform a different task?

I am not trying to start a rant here, I am honestly asking out of interest in your opinion.

OM

Contact

by Oldefar In reply to help punish this site

The address belongs within the range of -

person: Prasolov S A
address: ICS TM
address: 70 Bolshoy pr. V.O.
address: 199002 St.-Petersburg
address: Russia
phone: +7 812 32**492
fax-no: +7 812 3222242
e-mail: dnsmaster@ilca.ru
nic-hdl: PSA13-RIPE
notify: dnsmaster@ilca.ru
mnt-by: SOVINTEL-MNT
changed: marty@sovintel.ru 20031203
source: RIPE

You could try complaining to them.

You can find this info beginning at http://www.whois.net

Common hijacking

by Oz_Media In reply to help punish this site

This is a very common hijack; it is installed due to your level of security in your IE security settings. Raising them will only disable your ability to view many sites; unfortunately, the hijack isn't breaking laws if it is in compliance with your security settings. If it CHANGED your settings in order to install itself, that would be unlawful and you'd have grounds for complaint to authorities.

There are many ways to block this stuff; registry entries and startup files will simply reinstall and activate the 'jack as soon as you reboot.

There is some software, 'ie-spyad', that adjusts your security certificates to block these known hijack websites, and AdAware will probably help remove all the junk and malware and ad cookies that get installed as you surf.

LINKS:

IE-SPY AD http://tinyurl.com/zoh7

AdAware http://www.lavasoft.nu

This protection and then regular cleaning with AdAware (I run it several times a day) will help prevent further hijacking and advertisements.

HAVE YOU CHECKED...

by FluxIt In reply to help punish this site

Have you checked to see if some program is running on start? There could be numerous places that this is located, depending on your version of Windows.

You may be faced with an IRC channel being opened and someone accessing your machine if such a program is installed on start. There are a variety of ways to deliver them to your machine from the internet.

The whois on the IP pulled up a melbourneit.com and a check on this found. However, they may only be brokering domain names. Email them with your complaint.

Domain Name.......... melbourneit.com
Creation Date........ 1999-04-05
Registration Date.... 2000-05-23
Expiry Date.......... 2013-04-05
Organisation Name.... Melbourne IT Ltd
Organisation Address. Level 2, 120 King Street
Organisation Address.
Organisation Address. Melbourne
Organisation Address. 3000
Organisation Address. Vic
Organisation Address. AUSTRALIA

Admin Name........... Account Manager
Admin Address........ Level 2, 120 King Street
Admin Address........
Admin Address........ Melbourne
Admin Address........ 3000
Admin Address........ Vic
Admin Address........ AUSTRALIA
Admin Email.......... cdm@melbourneit.com
Admin Phone.......... +61.386242465
Admin Fax............

Tech Name............ Account Manager
Tech Address......... Level 2, 120 King Street
Tech Address.........
Tech Address......... Melbourne
Tech Address......... 3000
Tech Address......... Vic
Tech Address......... AUSTRALIA
Tech Email........... cdm@melbourneit.com
Tech Phone........... +61.386242465
Tech Fax.............
Name Server.......... ns1.MelbourneIT.com.au
Name Server.......... ns2.MelbourneIT.com.au
Name Server.......... ns4.MelbourneIT.com.au

Use this to get rid of that.

by mrafrohead In reply to help punish this site

http://www.merijn.org/downloads.html

There's a program called CWShredder. Run that, then when you're finished download Spybot and run that on your computer.

The reason that this is happening is because this is software that someone at your site installed on your computer to make it do this. If you are at a business, I'd tell them to stop or they're fired. If they're putting this on their machine, imagine what else is there, and I'm sure you don't want your data going to other people's servers legally, do you?

As to whether there are laws regarding this: depending on your state, there may be. But the problem is that almost all of this software is installed on your computer because you allowed it to install. Make sure the EULAs to anything you run are read thoroughly. That is where you will see that extra "stuff" is being installed on your box.

Good luck.

mrafrohead

CW Shredder

by tiza In reply to Use this to get rid of th ...

Thanks all for the help. CW Shredder seems like it worked for now. I tried HijackThis but it only helped in telling me where the culprits were hiding and could not get rid of them. CW Shredder, on the other hand, removed these links from their hidings completely. I am monitoring my system to see for how long it's gonna work and if CW itself is not a carrier of anything. In the meantime I will follow the worthy advice and install a firewall.
Thanks all, and may 2004 and beyond be your best years.
