echo: nthelp
to: Rich
from: Geo
date: 2005-07-07 18:35:16
subject: Re: home page changing

From: "Geo" 

Well the machine isn't "owned" and the dialog that came up had a cancel
button which when hit still allowed the homepage setting to be changed. I
wish I could reproduce it for you (because I would really like to nail
however this is being done) but I went back thru the same set of pages and
the popup never came back which is why I think it's one of the ads that did
it.

Does it matter that I'm running W2K and not XP for the warning dialog box
you are talking about?

As for traces of what happened, the only change is the homepage, there is
no executable, no registry entries, no w entries on the address line (when
you type w into the address bar), no nothing that I can find and I did do a
really good search for any other changes and executables associated with
that securityapi.dll web page (google had a fair amount on it).

I'm not even sure if the popup was related to what made the change, that's
just an assumption. Facts I do know, I couldn't find anything, spybot,
adaware, AVG, rootkitrevealer, tcpview, and silent runners all found
nothing. The only change appears to be the homepage setting and it's got
something to do with my shortcuts to news sites (that's the only times it's
ever happened is when I open all in my favorites/news folder). I think it's
happened 3 times in the past 3 months and I open all in that folder at
least once a week.

Geo.
  "Rich"  wrote in message news:42ccbb9f{at}w3.nls.net...
     Sure.  If a web page requests to change your home page a confirmation
dialog is displayed.  The dialog is always displayed.  Given the lack of
details in your description I can't tell you what happened on your machine.
Given this and earlier statements you have made I would not be surprised if
your machine was "owned".

     If you want me to comment on examples of which I do have knowledge I
can say that my machines have never had this happen and the machines of
others where it has happened and they asked me for help I have found in all
cases there was an application downloaded and running on the machine that
was responsible.  Give me full access to your machine and if I have time
I'll investigate, that is assuming you have not destroyed the traces of what
happened.

  Rich

    "Geo"  wrote in message
news:42ccaa54{at}w3.nls.net...
    Rich,

    So this evening when I got home my homepage was set to www.nls.net

    I go browsing the news sites, nice normal very public type news sites.
    One of the ads (I'm assuming it was an ad since I can't get it to do it
    again) that comes up on those sites brought up a popup window which of
    course I just clicked cancel to whatever it was and now my homepage is

    http://205.177.122.27/securityAPI.dll?xC02

    You wanna tell me about this nice warning box that's supposed to prevent
    my homepage getting changed now?

    Geo.


--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
