start page in IE changed without asking me

PonzSpyder · December 26th, 2001, 05:03 PM

Well actually it happened on sombody elses computer here at work. suddenly their start page was changed to yahoo but when I checked IE's settings it wasnt actually yahoo that it changed to, it was the IP address 66.40.16.232 and the page was hy.htm.

I thought it might be a virus but I am not sure if maybe he clicked on one of those " click here to make this your start page sort of thing" or if this is related of one of the windows security problems going around right now.

I did a tracert on the IP and came up with a few hops in the hostcentric.com domain and finally resolved to host232.ancientmedia.com and is registered to, get this, "Horny Demon" All the other reg info appeared to be made up also.

To make a long story short, I grabed a copy of the htm file that his home page was set to and it has this java code in it...

Code:

<html><head><script>
var type=navigator.appName
if (type=="Netscape")
var lang = navigator.language
else
var lang = navigator.userLanguage
var lang = lang.substr(0,2)
if (lang == "en") window.location.replace('http://www.yahoo.com/')
else if (lang == "ar") window.location.replace('http://www.yahoo.com/')
else if (lang == "cs") window.location.replace('http://www.yahoo.com/')
else if (lang == "de") window.location.replace('http://www.yahoo.com/')
else if (lang == "es") window.location.replace('http://www.yahoo.com/')
else if (lang == "hr") window.location.replace('http://www.yahoo.com/')
else if (lang == "et") window.location.replace('http://www.yahoo.com/')
else if (lang == "he") window.location.replace('http://www.yahoo.com/')
else if (lang == "ja") window.location.replace('http://www.yahoo.com/')
else if (lang == "ko") window.location.replace('http://www.yahoo.com/')
else if (lang == "ro") window.location.replace('http://www.yahoo.com/')
else if (lang == "ru") window.location.replace('http://www.yahoo.com/')
else if (lang == "sl") window.location.replace('http://www.yahoo.com/')
else if (lang == "zh") window.location.replace('http://www.yahoo.com/')
else if (lang == "vi") window.location.replace('http://www.yahoo.com/')
else if (lang == "th") window.location.replace('http://www.yahoo.com/')
else if (lang == "uk") window.location.replace('http://www.yahoo.com/')
else window.location.replace('http://www.yahoo.com/');
open('topsearch.htm', 'remote', 'width=300,height=160'); 
</script></head><body></body></html>

Is this anything to be worried about?

December 26th, 2001, 05:12 PM

I've had that do the same thing, sometimes when you visit Errrmmm those kinda sites... and others times some search page sites just assume that you want the site as your home page and go ahead and change it for you..

Madfish

Edit: lol spelling. left out a R

PonzSpyder · December 26th, 2001, 05:25 PM

lol

yeah, I think that was the problem. I searched through his cookies an sure enough there was my answer

Fingers · December 26th, 2001, 05:26 PM

That can happen if your Java and/or ActiveX security setting are too low (too low can be defined as anytime they're enabled).

It's easy to stop that site from doing it again, just put 66.40.16.232 in your list of restricted sites and he won't be able to change your setting via JS again. JavaScript and ActiveX are great enhancements to web browsing, unfortunately, unscrupulous morons can also use them to change your computer settings and even download and install programs without your knowledge. I disable JavaScript for normal web browsing, and only enable it for websites I trust..... like this one

PonzSpyder · December 26th, 2001, 05:30 PM

Thats a good idea Fingers, I think I might just have to do that on all the PC's here at work

Either that or maybe one day we will get some sort of web filtering in place here but its a small company and they arent that worried about it yet.

Xeroid · December 26th, 2001, 05:30 PM

There are some viruses that do this. There are also some web pages that do this. Look Here In my case it was just some new dirty trick from some code happy webmaster.

What version of IE are you running? I haven't had this happen since upgrading to IE 5.5 spec2 and downloading all the current security patches. Also make sure your Virus Definitions are up to date.

You can run a free online Security and/or Virus check at Symantec.

Mike

inquisitive goat · December 27th, 2001, 06:30 PM

hp paviliturds have some deal with yahoo that resets your homepage to yahoo for fun every now and then. it is the default. can't imagine he is using a paviliturd or the bloated & mangled os they come with, but just a possibility since I see it at work alot.

strangerstill · December 27th, 2001, 06:43 PM

Are you sure about the IP address / document name?

I went to check it out ang got a 404:

Code:

C:\>curl 66.40.16.232/hy.htm
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /hy.htm was not found on this server.<P>
</BODY></HTML>

storm2k · December 27th, 2001, 06:44 PM

prolly something that generates random names to do that.

a good virus scanner or maybe even adaware should help with that.

PonzSpyder · December 31st, 2001, 01:35 PM

Sorry, I think I got confused somehow...

EDIT: Please be careful about clicking these links, I posted them for referance only.

The address that it's switched to was actually:
http://66.40.16.232/hy/

But if you RightClick/SaveTargetAs on that link, you will get the hy.htm file I was refering to

These also are related pages:
http://66.40.16.232/hy/L8r.htm
http://66.40.16.232/hy/topsearch.htm