Full Version: Browser hijacking
68-1005168945
The last several months there seems to be a disturbing trend where websites on the seamier side of the web use active scripting to hijack the browser settings of web surfers, disable internet options, and in one known case, even disabling regedit with a registry hack. More here:
http://www.spywareinfo.com/hijacked.html

100-1006218868
Had a very interesting experience today with an evil redirect........
I was searching Google for a port scanner.......came across.....www.blue.icestorm.net/software/security/ipscanner/ ......When I clicked on the link..This....dialog box came up............I clicked "No"..which brought up This
...........As you can see...there is only an "OK"...............back button couldn't be used....couldn't X out of there...had to crash my browser to get out.
Checked out blue.icestorm on Google...& 2 more similar links...........There were more....
www.blue.icestorm.net/software/windows/pesx/
www.blue.icestorm.net/software/bench/hddspeed/ .....both led to the same result.
Did a query & a trace on blue.icestorm......it is a web hosting co.......Icestorm
& on msmn.com and gotosearchmsmn.com. I've got tons of info.......including names & email address for the msmn.com scumbag....who is in Russia.
Some help on where to go from here?..if at all.  Dingo...??


115-997562313
Hi, Gail.

The problem you're having there could revolve around browser settings and/or what version of Java you have on your computer.

Check the two most important things first:
Make sure you have 'Enable Install on Demand' UN-checked when you look at it in Tools/Internet Options/'Advanced' tab under 'Browsing' heading.

Tools/Internet Options/'Security' tab, highlight 'Internet', click 'Custom Level'. In 'Security Settings' window, make sure that under the 'Miscellaneous' section, the radio button in front of 'Disable' is selected for 'Installation of Desktop Items'.

Remember, you have GOT to click 'Apply' and 'Okay' if you make any changes in these settings before they will take effect.

Covering the rest of the issues would take up too much space here, but an excellent thread on a very similar subject can be found in the GRC 'Privacy' forum - if you're subscribed via newsreader, go there and bone up on everything that was covered there. If not you can track it (though it'll be harder), here: https://grc.com/x/news.exe?cmd=xover&group=grc.privacy (keep hitting the 'Earlier Items' button until you've read all the posts entitled 'Browser Hijacking' started by Dingo).

And I'm sure he'll be along eventually to add to this. Pete
100-1006218868
Hi..Pete...thanks for responding............those settings (great advice..thanx!!)...have been disabled for a long time on my computer........this wasn't the same kind of forceful hijacking as does exist on the web..but it was sinister.....
The second dialog box which offers to "integrate web search directly to your browser" ......which only offers an 'OK' button.....is particularly scummy.
I bet a lot of people get snared by this. That's why I did the Whois ..& the trace & got names & addresses & stuff.....got 3 text files saved..but I'm not experienced in the proper way to deal with this information.
115-997562313
A couple of things to try next time without crashing your browser: (a) tap the 'Esc' button a couple of times and see if that helps. If not (b) do a C/A/D and see if there's an entry for the box that popped up (example: do a C/A/D right now and you'll see an entry - which you can highlight and kill - that says 'Suggest A Fix Support Forums Microsoft Internet Explorer' - that box will probably have a similar entry). Of course, if that's the only browser window you have open at the time.... :)

You 'roam' a lot, Gail, and even though it would be a real pain in the butt, you may want to consider disabling Java, JS and ActiveX when you're at a site you're new to until you get familiar with it.

Did you read the GRC thread?

Just a thought. Pete
115-997562313
Similar thread going on here : http://www.dslreports.com/forum....de=flat . Pete
100-1006218868
That's what I meant by "crashing"..did a C-A-D...& killed the box.......that kicked me to safe mode.....then I "restored" & all was cool.
In order to read the GRC thread...I believe I have to set up a newsreader account with Grc..it's not offered on my regular newsreader.....I'd planned on doing it one of these days, anyway..I'll get around to it.
68-1005168945
Below is the coding for that page. I had to brute-force it to get the blasted thing to show me the source code.
I took Pete's advice and ESCed out of that second box. It then popped up the first prompt a second time. I said no and it went to "http://gotosearch.msmn.com/links.htm" which has 15 sponsored links. Not all of them are suitable for young eyes.
I did it a second time and clicked the OK button just to see what it would do. The first prompt came up for the second time again and asked if I wanted to make it the home page. I said no and it went to that page again.
Very definitely sleazy.
I did it a third time and let it become my homepage and it took me to http://gotosearch.msmn.com/, which has an actual search engine box. FYI, there was a web bug on that page (clear and 1 pixel X 1 pixel) with the address "http://service.bfast.com/bfast/serve?bfmid=253985&bfsiteid=37412222&bfpage=over002".
The search engine is run by http://www.overture.com/ and all searches seem to go to their website.
Time to let their press spokesperson know how I feel about this.

Code Sample:
<html XMLNS:IE>
<head>
<STYLE>
@media all {
  /* binds IE's built-in "homepage" DHTML behavior to the <IE:homePage> element below */
  IE\:homePage {behavior:url(#default#homepage)}
}  
</STYLE>
<meta http-equiv="Content-Type" content="text/html">
<title>Simple.. Fast.. Free.. search</title>
<style fprolloverstyle>A:hover {color: #FF0000; font-weight: bold}
</style>
</head>
<body bgcolor="#F0F0F0">
<IE:homePage ID="oHomePage" />
<script LANGUAGE="JavaScript">
// First pass: if msmn is not already the start page, show the OK-only
// "integrate web search" alert, then ask IE to make msmn the home page
// (this is what raises the "make this your home page?" prompt).
if(oHomePage.isHomePage("http://gotosearch.msmn.com/")==false) {
alert("              We offer to integrate web search directly to your browser.\nYou will always able to roll back to the default homepage, so why not to give us a chance?");
oHomePage.setHomePage("http://gotosearch.msmn.com/");
};
// Second pass: if the user declined, redirect to the sponsored-links page;
// if they accepted, navigate straight to the newly set start page.
if(oHomePage.isHomePage("http://gotosearch.msmn.com/")==false) {
window.location="http://gotosearch.msmn.com/links.htm";
}
else {
oHomePage.navigateHomePage();
}

</SCRIPT>
</body>
</html>
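As an added defender-side example (not code from the thread or from any poster), a small static scanner that flags the start-page hijack pattern shown in the code sample above and the 1x1 web bug described on the landing page. The sample page, the signature list and the function names are constructed here for illustration.

```javascript
// Added example, not code from the thread: static scan for the IE start-page hijack and 1x1 web bugs.
const SIGNATURES = [
  { id: "ie-homepage-behavior", re: /behavior\s*:\s*url\(#default#homepage\)/i,
    why: "binds IE's #default#homepage behavior, which exposes setHomePage()" },
  { id: "set-homepage", re: /\.setHomePage\s*\(/i,
    why: "script asks IE to change the start page" },
  { id: "navigate-homepage", re: /\.navigateHomePage\s*\(/i,
    why: "script navigates to whatever it just made the start page" },
  { id: "script-redirect", re: /window\.location\s*=/i,
    why: "script-driven redirect (used here when the user declines)" },
];

// Collect src values of <img> tags declared 1x1 (the classic tracking pixel).
function findWebBugs(html) {
  const bugs = [];
  for (const tag of html.match(/<img\b[^>]*>/gi) || []) {
    const w = /\bwidth\s*=\s*["']?(\d+)/i.exec(tag);
    const h = /\bheight\s*=\s*["']?(\d+)/i.exec(tag);
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(tag);
    if (w && h && w[1] === "1" && h[1] === "1") bugs.push(src ? src[1] : tag);
  }
  return bugs;
}

// Behavior binding plus a setHomePage() call is the hijack itself; a lone
// redirect or tracking pixel is only reported as suspicious.
function scanPage(html) {
  const hits = SIGNATURES.filter(s => s.re.test(html)).map(s => ({ id: s.id, why: s.why }));
  const webBugs = findWebBugs(html);
  const ids = new Set(hits.map(h => h.id));
  const verdict = ids.has("ie-homepage-behavior") && ids.has("set-homepage") ? "hijack"
    : hits.length || webBugs.length ? "suspicious" : "clean";
  return { verdict, hits, webBugs };
}

// Constructed sample: the working parts of the posted page plus a 1x1 image
// using the bfast tracker address quoted in the thread.
const SAMPLE = `<html XMLNS:IE><head><style>
@media all { IE\\:homePage {behavior:url(#default#homepage)} }
</style></head><body><IE:homePage ID="oHomePage" />
<img src="http://service.bfast.com/bfast/serve?bfmid=253985&bfsiteid=37412222&bfpage=over002" width="1" height="1">
<script>
if(oHomePage.isHomePage("http://gotosearch.msmn.com/")==false) {
  oHomePage.setHomePage("http://gotosearch.msmn.com/");
}
if(oHomePage.isHomePage("http://gotosearch.msmn.com/")==false) {
  window.location="http://gotosearch.msmn.com/links.htm";
} else { oHomePage.navigateHomePage(); }
</script></body></html>`;
```

Running scanPage(SAMPLE) yields verdict "hijack" with all four signatures and the bfast pixel listed; the same pattern could be applied to saved pages or proxy logs as a first-pass filter.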
68-1005168945
Hmmm........ Considering how much that looks like it's trying to reset the browser to msn.com, perhaps Uncle Bill's people would be interested in this. Maybe I'll contact them too. };-)
100-1006218868
So.....Is there any use for the info I collected on the web host....and for msmn? For example...

*By the by.........there is no port scanner page..right?
And when I searched Google.....& clicked the option to see other pages containing blue.icestorm.net, there were quite a few others...3 of which, at the very least...lead to the same trap.
115-997562313
Gail - You may want to also go here: http://www.staff.uiuc.edu/~ehowes/resource.htm and read about/get IE-SPYAD. It's pretty self-explanatory and may prove useful in your situation. Pete
115-997562313
Gail - The info you've collected has done worlds of good so far and we appreciate you bringing it to our attention!

Here's the letter I got from Eric Howes, provider of IE-SPYAD:
"Pete:

You asked:

http://www.suggestafix.com/cgi-bin....40;st=0

I'm referring to the posts to that thread by DiscoGail.

Thanks. Pete

Unfortunately, IE-SPYAD's list doesn't include any of the domains discussed
in that thread:

icestorm.net
icestorm.com
icestorm.tv
msmn.com
joker.com

Thus, it would not be of much help if the user's Internet Zone settings are
relatively lax.

If someone has a habit of roaming around the net at will and visiting lots of
potentially shady sites, I'd recommend tightening up the Internet Zone
Security settings (Tools >> Internet Options >> Security >>  Internet Zone
>> Custom Level). I'd esp. consider disabling, setting to "prompt," or
setting to "high" the following items:

ActiveX Controls
ActiveX scripting
Microsoft VM (Java)
Installation of desktop items
Userdata persistence
Scripting
User authentication

I'm going to look into the above domains. I may include them in the next
release of IE-SPYAD.

Best,

Eric L. Howes"

My next post will be to Paul Kurland, author of SpyBlocker, to see if he'll go ahead and include those domains in the next release of SB (4.7 final), which should be out soon.

As far as notifying the people indicated by your info, I have doubts as to whether doing so will accomplish anything - but it may, especially if they find out they're going to be blocked on a number of popular programs.

You did GREAT! Pete
100-1006218868
Pete......you got me roaming around & visiting shady sites? Moi??????? no.no.no.no..no.:(
I got to this site from Google!!! Looking for a port scanner!!!
Clicked on the link at Google.
Now that my reputation's down the tubes.....:L :freak:
...Actually, my internet settings are pretty tight....the only Active x controls enabled are those that are "signed"..the only Active scripting enabled are those marked "safe". Everything else is set to 'prompt".
I have Script Sentry running........"install on demand" & "installation of desktop items" are both disabled.
Userdata persistence is a relatively new one for me....it might have been you from whom I first learned about it.
Hey........I've got the info on Icestorm, too. You think alerting them to this would be at all useful?
115-997562313
Absolutely!  

You GO, girl!

Write to the webmaster/owner/operator of those sites and tell them to get their stuff straight, quick! BEFORE they wind up on every 'hosts' file throughout the universe!

Pete
68-1005168945
I have redone this page into a 4 page article. If anyone notices anything I have left out, or something I have done wrong, please let me know as soon as possible.

The Problem

There is a disturbing trend in recent months where the browser settings of web surfers are being hijacked. Browser hijacking is where malicious code of some sort, whether it be javascript, ActiveX, or some other sort of scripting, modifies your browser settings. AOL has started doing this recently by placing its web site in IE's trusted sites security zone, thereby bypassing the most frequently used security settings. I'm not clear on how they're accomplishing this, but likely it is happening when people install their AOL software, or perhaps one of their other products. It can also mean that your default start page has been reset from your choice to something else. Sometimes javascripts will add ready-made internet shortcuts to your favorites folder without asking you.
More....... http://www.spywareinfo.com/hijacked.html
theterd
that's pretty funny for me Dingo..
it was that fine site that led me to you folks..
"It's a small world after all" :rolleyes:

115-997562313
You might all be interested to know that Paul Kurland, author of SpyBlocker is currently working on a small program that automatically resets your settings back to the way YOU had them to begin with, as well as doing the same for your homepage.

Check it out: http://www.morelerbe.com/cgi-bin....=000547 . Pete