74.124.207.89 q.dreniq.com

[TomFace]

I was adding Dogpile to Firefox 20.1.0 and got this. It it a FP?

[MysteryFCM]

This is not an F/P, no. Can you let us know where you downloaded it from and/or attach a copy please?

[TomFace]

I was in Firefox....went to options>search>Dogpile was not there. Went to add more search engines, typed in Dogpile and added it to Firefox. That's when the notification came up.

It is just a website block...correct?? 

 

Edited January 12, 2017 by TomFace

[MysteryFCM]

Thanks for letting me know, I'll get the extension checked.

It is just a block on the hostname, yes.

[TomFace]

Thank you for your help Steven.

 

Regards,

Tom

[MysteryFCM]

Unfortunately, I can't reproduce this so far.

[MysteryFCM]

2 minutes ago, TomFace said:

Thank you for your help Steven.

 

Regards,

Tom

My pleasure.

I'll drop another reply here once I'm able to reproduce the issue (installed the add-on on two different machines and neither produce the block).

[TomFace]

Thank you for your help Steven.

 

Regards,

Tom

[TomFace]

6 minutes ago, MysteryFCM said:

My pleasure.

I'll drop another reply here once I'm able to reproduce the issue (installed the add-on on two different machines and neither produce the block).

Well I just reproduced it....

Firefox 50.1.0 (I called it 20.1.0 by mistake earlier). Win 7 x64

Edited January 12, 2017 by TomFace

[MysteryFCM]

Thanks for letting me know.

I'm doing further testing, but in the meantime, if you're able to, can you let me know what you see when loading the following in Firefox and IE please?

https://addons.mozilla.org/firefox/downloads/latest/dogpile/addon-14028-latest.xml?src=ss

As long as nothing is interfering with it, what you see should be the same as I do;

<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/"
   xmlns:moz="http://www.mozilla.org/2006/browser/search/">
<ShortName>Dogpile</ShortName>
<Description>Dogpile.com Web Search</Description>
<InputEncoding>UTF-8</InputEncoding>
<Image width="16" height="16" type="image/x-icon">http://wanfamilyweb.com/public/weblaunchpad/icon_dogpile.jpg</Image>
<Url type="text/html" method="GET" template="http://www.dogpile.com/dogpile/ws/results/Web/{searchTerms}/1/417/TopNavigation/Relevance/iq=true/zoom=off/_iceUrlFlag=7?_IceUrl=true" />
</OpenSearchDescription>

 

[TomFace]

IE 11

********************************************************************************************************************************************************************************************

Firefox 50.1.0

Regards,

Tom

 

 

Edited January 12, 2017 by TomFace

[MysteryFCM]

Much appreciated, thank you. I'm consulting with colleagues as I still can't reproduce this on my machines

[MysteryFCM]

Neither myself nor my colleagues are able to reproduce this either, which leads to a suspicion of a hijack.

Please follow the instructions at;

https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/

 

[TomFace]

Posting results as directed.

 

 

 

Edited January 13, 2017 by TomFace

[MysteryFCM]

Much appreciated, thank you.

Can you also post a Fiddler log of the issue occurring please;

http://fiddlertool.com

Once reproduced, select File -> Save -> All Sessions, then attach the .saz (you may need to zip it first).

[TomFace]

I've never used Fiddler before-I'll send you the results in a PM after I figure it out.

[TomFace]

The fiddler file is too big (even zipped) 32.7 M unless I did something wrong. Can I upload it somewhere-not sure how to do that.

Edited January 13, 2017 by TomFace

[TomFace]

32 minutes ago, TomFace said:

The fiddler file is too big (even zipped) 32.7 M unless I did something wrong. Can I upload it somewhere-not sure how to do that.

Steven, I figured it out....PM is on the way.

[MysteryFCM]

I got it, thank you. It seems the cause in this case, is a redirect from;

http://wanfamilyweb.com/public/weblaunchpad/icon_dogpile.jpg

This URL produces a 404 for me, which isn't surprising given the site is parked. However, in your case, it's producing an HTTP 302 to dreniq.com;

HTTP/1.1 302 Found
Date: Fri, 13 Jan 2017 17:09:27 GMT
Server: Apache
Set-Cookie: vsid=902vr2318729673926125; expires=Wed, 12-Jan-2022 17:09:27 GMT; path=/; domain=wanfamilyweb.com; httponly
Location: http://q.dreniq.com/iq?i=SKENZO&k=6b2a32fdf781b2feb6d7985efdf645a6&d=wanfamilyweb.com&u=%2Fpublic%2Fweblaunchpad%2Ficon_dogpile.jpg
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=5, max=65
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 0

Given the wanfamilyweb.com URL is in the XML file for the add-on, it means someone from Dogpile is going to need to update it.

In the meantime, you should be able to get it directly from the Dogpile.com site itself.

[TomFace]

Thanks Steven for all your hard work. I take it there is no infection in my machine (other than a slight case of heartburn...Oh wait a minute, I have the heartburn) .

Anyway thanks again!

 

I need to upgrade to v 3.05-but it looks like there are a few issues going on-think I'll wait a bit-still got a few months left on MBAM 2.2.1

[MysteryFCM]

It remains a pleasure.