
"syncrisis.com" Is Hijacking One Link


9 replies to this topic

#1 dchiass

dchiass

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:03 AM

Posted 14 November 2007 - 10:44 PM

I use Internet Explorer 6 with XP Pro. I have run AVG, Search & Destroy & also ran Trendmicro House Call. Nada.

But if I try to go to "www.tabasco.com", I am redirected to syncrisis.com's page. I see tabasco's real front page for a split second BEFORE I am redirected to syncrisis.

How do I get rid of this large Pain in the Butt? So far I have not seen the same on other links.

Any help is really appreciated.

dewayne



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:03 AM

Posted 15 November 2007 - 01:41 PM

What OS (Win XP/2000, etc) are you using? Have you tried doing your scans in "Safe Mode"?

You need to start there first. If rescanning in Safe Mode does not help, then try performing another Online Virus Scan like BitDefender.

After that download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under "General and Startup", make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Click Close to exit the program.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 dchiass


Posted 16 November 2007 - 07:05 PM

Thanks for the reply & HELP.

I did a couple anti-virus scans already with no luck & in safe mode. I am running Windows XP Pro.

1. I downloaded & ran SuperAntiSpyware exactly as your FINE detailed blurb said. It spotted 7 "adware virus" which I deleted.

So I was feeling great until I tried to go to "www.tabasco.com" & once again got to a page that said "Ooops. We are sorry. The Web Site has experienced an unexpected error."

It gives a couple links but they do not go anywhere aka I stay on this page if I click them.

But I am not "redirected" to syncrisis.com as before. So it seems I am part way to solving this problem.

I went to tabasco.com site on a different PC & got there no problem. I had posted a previous post to "TechSupportForum" & they gave me your reply to my ? to Bleeping Computer!

Bottomline, prob still not solved.

dewayne

#4 quietman7


Posted 16 November 2007 - 07:34 PM

Have you tried clearing your Internet cache, cookies and temp files? If not, try this.

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Make sure you close and restart your browser when done.

#5 dchiass


Posted 17 November 2007 - 08:28 PM

Thanks for the quick reply!!!! Much appreciated.

As I mentioned before I have/use MS Internet. I had deleted all temp "Internet" files before.

But NO luck! I still get the Tabasco front page with the "Ooops comment...." & even though there are a couple links on the page, clicking them does nothing.

Back to the Drawing Board.

dewayne

#6 quietman7


Posted 18 November 2007 - 08:02 AM

> I had deleted all temp "Internet" files before

Did that include any cookies for that site? Sometimes removing them so the site can create new ones helps resolve this.

#7 fistanes

fistanes

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:03 PM

Posted 26 April 2008 - 04:15 AM

Just for the sake of other users having the same problem. Somehow Internet Explorer can be infected so that the User Agent is changed to a javascript text that, when displayed on a webpage, can redirect the infected browser to a given page.

The solution is simply to revert the User Agent back to the original value. This value is stored in the Windows Registry in the Version key at:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]
"Version"="Mozilla/4.0"

To check your user agent string, you can go to http://www.fileformat.info/system/useragent.htm and see if there is something wrong. If you see something starting with <script>, then you are infected.

There may be other sites that can show you your user agent, but they tend to be teased by the code, thus redirecting you to the other page.

Edited by quietman7, 26 April 2008 - 08:08 AM.


#8 quietman7


Posted 26 April 2008 - 08:07 AM

fistanes how do you know for sure this is the OP's problem in this particular case?

Without further investigation, it is not advisable to make registry changes if only something is a possible cause. And when you recommend making changes to the registry you should always advise the person you are trying to help to back up their registry before making any changes. I edited your post to remove the registry fix.

The user agent string is a piece of text which identifies the name and version of a given browser.

To see the user agent string, you can also copy java script:alert(navigator.userAgent) into the Location (Address) Bar and press Enter. Another way to see the user agent string in the Firefox browser is to go to Help and click "About Mozilla Firefox". The user agent string will show at the bottom of the dialog box.

#9 fistanes


Posted 26 April 2008 - 04:29 PM

You are right, quietman7. Good advice. I am sorry for the way I posted the potential solution, but I was having a similar problem and I discovered that the user agent string of my Internet Explorer had been changed to "<script>window.location='http://www.syncrisis.com'</script>" so that whenever I went to any site that was trying to display my user agent I was redirected to syncrisis.

In the specific case of www.tabasco.com, whenever I tried to access it I just saw a page stating that my browser was not recognized. I imagined that tabasco.com probably used to show the user agent string in those instances back in 2007, but decided not to display it anymore due to those types of issues.

Since I did not find the solution anywhere on the internet but many people were having the same problem, I rushed to post the solution, without the proper warnings.

Anyway, just one additional note. Your solution to check for the user agent string did not work for me. There must be no space between java and script (it must be javascript). Apparently your post was changed automatically to avoid exploits.

Edited by fistanes, 26 April 2008 - 04:32 PM.
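
The behaviour described in this thread, where a page that echoes the User-Agent header ends up running a script stored in it, is prevented on the site side by escaping the value before it is displayed. The following is an added example and not part of any post here: the function names are hypothetical, the first sample string is a constructed typical IE6 value, and the second is the value quoted in the post above.

```javascript
// Added example: hypothetical helper names, constructed sample data.

// Characters a genuine browser User-Agent does not need, but which are
// required to place markup into a page that echoes the header.
const MARKUP_CHARS = /[<>"'`]/;
// Patterns that indicate script content rather than stray markup.
const SCRIPT_HINTS = /<\s*script|javascript:|window\.location|on\w+\s*=/i;

// Classify a User-Agent value: "script" if it carries script content,
// "suspicious" if it only contains markup characters, otherwise "clean".
function classifyUserAgent(ua) {
  if (typeof ua !== "string") return "suspicious";
  if (SCRIPT_HINTS.test(ua)) return "script";
  if (MARKUP_CHARS.test(ua)) return "suspicious";
  return "clean";
}

// Escape a value for use in HTML element content or a quoted attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build a "browser not recognized" fragment that shows the header as text,
// so the browser renders it instead of interpreting it.
function renderBrowserNotice(ua) {
  return "<p>Your browser was not recognized: <code>" + escapeHtml(ua) + "</code></p>";
}

const SAMPLES = [
  // Constructed: the usual shape of an IE6 on Windows XP user agent.
  "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
  // The tampered value quoted in the thread.
  "<script>window.location='http://www.syncrisis.com'</script>",
];

for (const ua of SAMPLES) {
  console.log(classifyUserAgent(ua), "=>", renderBrowserNotice(ua));
}
```

A site operator can log requests classified as "script" to spot affected visitors, while the escaping keeps the page safe regardless of what the header contains.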


#10 quietman7


Posted 26 April 2008 - 05:35 PM

> Since I did not find the solution anywhere on the internet but many people were having the same problem, I rushed to post the solution, without the proper warnings.

We appreciate your willingness to assist and your understanding of why your post was edited. In our efforts to help others we certainly don't want them to end up with more problems than when they came here due to a mistake.

Yes, you are correct, there must be no space between java and script for that line to work as intended. OK, let's not "hijack" this thread and wait on the original poster to reply back.



