topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday March 28, 2024, 1:31 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Google Books Downloader - WARNING - contains search hijack "arccosine.com"  (Read 25231 times)

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,540
  • @Slartibartfarst
    • View Profile
    • Read more about this member.
    • Donate to Member
Just a quick warning about this.
I'm using Firefox 12.0 ß, but this problem may also occur with IE (according to a Mozilla Support thread, referred to below).

Out of interest, I downloaded and installed Google Books Downloader, having seen a reference to it in a blog post (Codeplex daily summary - http://www.codeplex.com/) in my feed aggregator.
The download site is/was: https://googlebookdo.../releases/view/84266

The proggie did what it claimed to do - copied previews of books to .PDF - which unfortunately wasn't of much use as you are still frustrated  by Google's removing pages from all previews.

Then I noticed that my home page and also my default Google search page had been hijacked by a search page which was imitating Google, with a pretty seascape background (see copy in spoiler):
Spoiler
Screenshot - 2012-03-20 , 10_46_15.png

The ruddy thing wouldn't go away.

So, I de-installed Google Books Downloader and googled the problem, coming up with a useful Mozilla Support thread at https://support.mozilla.org/en-US/questions/850780

The hijack is persistent and comes from the website 'arccosine.com' and wants you to "sign up" for something.
I did a 'Whois' on arccosine.com, and it is hosted in the Russian Federation. (That figures.)

Fix:
I deleted all references to "arccosine" (i.e., 2x "C"s) and "arcosine" in history, just in case.
I checked in the 'about:config' entry for 'keyword.URL' and reset that back to "Default" - it had been set to 'arccosine.com,q=' by the hijack proggie Google Books Downloader (in the discussion thread someone writes that if you examine the proggie's code, you can see where it does that).

Hope this helps someone to avoid the thing.

KynloStephen66515

  • Animated Giffer in Chief
  • Honorary Member
  • Joined in 2010
  • **
  • Posts: 3,741
    • View Profile
    • Donate to Member
you forgot to upload the image attachment : :(

[ ERROR: SPECIFIED ATTACHMENT MISSING ]

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Did you post a comment/report the project?  Because the source that's checked in pretty much does nothing, so its a misdirection...

I'm posting something about the source, but as I don't have experience with the binary, wouldn't post that.  I'd suggest going to http://googlebookdow.../releases/view/84266 and posting your experiences...

Update: Posted two issue tracker items and a review about the source code doing nothing.  I also sent a support e-mail to the Microsoft team over the site.
« Last Edit: March 19, 2012, 06:36 PM by wraith808 »

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,540
  • @Slartibartfarst
    • View Profile
    • Read more about this member.
    • Donate to Member
you forgot to upload the image attachment : :(
[ ERROR: SPECIFIED ATTACHMENT MISSING ]
-Stephen66515 (March 19, 2012, 06:21 PM)
Crikey, that was fast!
Five nanoseconds after I had posted it!     ;D
Fixed now. Thanks.

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,540
  • @Slartibartfarst
    • View Profile
    • Read more about this member.
    • Donate to Member
Did you post a comment/report the project?  Because the source that's checked in pretty much does nothing, so its a misdirection...

I'm posting something about the source, but as I don't have experience with the binary, wouldn't post that.  I'd suggest going to http://googlebookdow.../releases/view/84266 and posting your experiences...
Thanks! Good idea. I hadn't thought of doing that, supposing Codeplex to be a Wild West Frontier. Could be useful to others, I suppose.

PhilB66

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,522
    • View Profile
    • Donate to Member
Thank you for the warning, IainB.

Google Books Downloader Website is at http://www.gbooksdownloader.com/. I thought CodePlex is for hosting .Net programs only. I guess not.

The installer has an opt out option though. Select 'custom' installation and deselect "arccosine". Sneaky, I know.

As for the program itself... it does download complete books (the free ones) and can convert them to other formats then just .pdf.

Btw, when I try to go to the CodePlex page I get a message about security certificate errors. Also, the installer is not digitally signed.

KynloStephen66515

  • Animated Giffer in Chief
  • Honorary Member
  • Joined in 2010
  • **
  • Posts: 3,741
    • View Profile
    • Donate to Member
you forgot to upload the image attachment : :(
[ ERROR: SPECIFIED ATTACHMENT MISSING ]
-Stephen66515 (March 19, 2012, 06:21 PM)
Crikey, that was fast!

Thats what my wife said  ;D

Oh...wait... :huh:

 :(  :redface:

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,540
  • @Slartibartfarst
    • View Profile
    • Read more about this member.
    • Donate to Member
Well, I downloaded the proggy and the hijack from Codeplex, and I didn't notice any "options" for getting the hijack during install.
By the looks of things, neither did any of the people posting in the Mozilla Help forum on this subject.

After @wraith808's suggestion that I post to Codeplex, I registered there, then registered and at the Mozilla forum also.
When I tried to post to Codeplex (after registering/confirmation), I just could not get in. After messing about for ages, I decided that they must have a broken/moronic front end on the sign-in page, and, not wishing to waste any more time on the matter I abandoned the attempt.
After that, I successfully made a post to the Mozilla Help/Support forum.

Google Books Downloader Website is at http://www.gbooksdownloader.com/. I thought CodePlex is for hosting .Net programs only. I guess not.
The installer has an opt out option though. Select 'custom' installation and deselect "arccosine". Sneaky, I know.
As for the program itself... it does download complete books (the free ones) and can convert them to other formats then just .pdf.
Btw, when I try to go to the CodePlex page I get a message about security certificate errors. Also, the installer is not digitally signed.
Yes, well, evidently I didn't get the download from gbooksdownloader.com. I am disgusted by this in any event, because packing a scam hijack into a download either with or without a warning is categorically wrong in my book.

EDIT: Against my better judgement (I have wasted far too much time on this subject already), I have also emailed the contact point at the Google Books Downloader Website at http://www.gbooksdownloader.com/
Thanks for providing their link.
Yes, I know GBD outputs into other formats too, but I wasn't doing a review of the product and so omitted to mention its other features. All I was interested in was the .PDF output.
Anyway, I think I can guarantee that, after this experience, I shall never knowingly use this nor any product they might be peddling in the future.

Yours,
        Disgusted.
« Last Edit: March 19, 2012, 11:18 PM by IainB »

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Update: from the codeplex team...


Hi -

Thanks for contacting us.

We have escalated this request to our next level support team.
As soon as this has been completed, you will be notified.

Thanks -
Hengzhe Li

Another update:
Thanks for reporting.  I have unpublished the project.
 
Thanks,
Jonathan
« Last Edit: March 20, 2012, 05:00 PM by wraith808 »

Patriciann

  • Participant
  • Joined in 2012
  • *
  • default avatar
  • Posts: 1
    • View Profile
    • Donate to Member
 >:( I got taken in by this 'bugger' also.  


I wanted to read a Google Book off line and downloaded a Good Book reader and it changed my home page to ‘arccosine.com’ which gave me a ‘Google Search’ screen ‘look-a-like’  I changed my homepage back to Google search and then discovered my wireless internet connection had been changed from ‘public’ to ‘home’ creating an unsecured internet connection.  I switched it back to ‘public’ and went looking into my ‘Services’ to see if anything ‘popped’ out at me as unusual.  I don’t know enough about how computers work but am trying to learn.  

I downloaded an application called ‘GooReader’ and think this may be where the ‘infection’ came from as it offered several services I have never even heard of before and I did not opt into any of them.  By the time I was finished with the screens they presented offering all of these unwanted services I began to notice ‘changes’ made to my computer.  The name of signer on this ‘GooReader’ is “Solimba Aplcaciones SL” The time stamp is Wednesday March 12, 2012.  I have searched for this in my registry – no show.  I have searched for this in my installed programs – no show.  When I clicked on the application again it let me know it was already installed and asked if I want it to reinstall.  I closed the dialog box and decided this is ‘bad news’.  Can someone guide me through the process of figuring this out?  I ran McAfree and it showed all clear.  

Two individual ‘Diagnostic System Host’ (WdiSystemHost) are listed in ‘Services’ – One has me locked completely out and one I can modify.
I downloaded the ‘SvchostAnalyzer’ from A&M Neuber Software and it gave two warning instances as follows:
Process: svchost.exe
ID: 1900
File Access is denied, Run program as Administrator!
Group: No Microsoft file
Services: 0

The second instance which showed up later appearing along with this one:
Process: svchost.exe
ID: 8664
File Access is denied, Run program as Administrator!
Group: No Microsoft file
Services: 0

How can I investigate if someone has ‘remote’ use of my computer?  What are the steps I need to follow to track this down?  Or what should I be looking for?
DcomLaunch has me frozen out.  

I don’t know enough about this subject to be of much good at tracking down what damage may have been done and what was ‘snagged’ from my computer and perhaps ‘sent’ to some unknown person.  Just very creepy and it takes a real CREEP to do this to people.  Time for me to learn what these JERKS are doing to us and how to intervene for our protection.  

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,540
  • @Slartibartfarst
    • View Profile
    • Read more about this member.
    • Donate to Member
How can I investigate if someone has ‘remote’ use of my computer?  What are the steps I need to follow to track this down?  Or what should I be looking for?
FWIW, my general recommendation is for a more private and secure PC and browsing experience via:
Set up OpenDNS (free) in your ADSL Router.
  • Download, install and run Microsoft Security Essentials (FREE and excellent virus checker). Uninstall any existing virus proggies.
  • Download, install and run Malwarebytes (there is a free and a paid version - go for the paid one as you need that for live scanning and monitoring of browsed sites).
  • Download, install and run Windows 7 Firewall Control (free).
  • Download, install and run PeerBlock (free). You may have to disable it from time to time as it's blocklists seem  a bit excessive at times.
Play around with these things and learn how they can best suit YOU. You will probably learn something useful in the process.

For what to do to clean the hijack up in Firefox, check my opening post about this (above):
Just a quick warning about this...

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,540
  • @Slartibartfarst
    • View Profile
    • Read more about this member.
    • Donate to Member
Coincidence!
Where I said:
Then I noticed that my home page and also my default Google search page had been hijacked by a search page which was imitating Google, with a pretty seascape background (see copy in spoiler):The ruddy thing wouldn't go away.
- I came across the image in one of several .ZIP files of wallpapers that I had downloaded from http://minus.com/explore/Wallpapers
Filename: 02031_ageeba_1680x1050.jpg
Here it is after having been run through the irfanview Sharpen and Auto adjust colours:
Spoiler
Seashore - 02031_ageeba_1680x1050.jpg


Source:
http://minus.com/mS2zGqD2o/1g (collection)
http://minus.com/lozQK9TaJvMkH (image)
http://i.minus.com/mS2zGqD2o/gallery.zip (ZIP file of 297 images)
« Last Edit: June 08, 2012, 04:38 AM by IainB, Reason: Minor corrections. »