See this thread:
http://computing.net/windows95/wwwboard/forum/167341.html
Response # 12, 13, 14.
I was posting from a spyware infected test box. The infection added that link to those posts.
I didn't see it till # 14.
I am posting now from uninfected so link does not show.
It also does not show in my profile settings. Therefore I cannot remove it.
Can a mod remove those links please? I don't want anyone clickin it.
And no....I won't post from infection box any more...:)
Thanks!
ps. Go ahead and delete this post once done.

Hello,
I'll leave this post up. Now anyone who sees this or that post on a search engine, will know that is indeed a virus or spyware of sorts. I have also taken care of the problem.
Justin

You're not the only one, I've been noticing a few of those - as in this post.
That poster (eventually) admitted that he had no idea where the link came from. I recommended he try and remove it, as well as run some scans, but he seemed a bit... unwilling
Resist the temptation to close your request for help with semantically-null questions like “Can anyone help me?”

jboy
I posted to that thread...threw up a few links and such mainly to highlight the fact there is an infection present.
Justin took care of it so any new 'infectees' won't show the url but still shows the http://www./ part so any helpers/advisors can still see infection.
Look at my homepage link now.

Test to see if that hp link is removed.
Not sure exactly what files did it [yet] but removing the following seems to have stopped that link insert: (I was already half cleaned up and these were left over)
Ewido Security Scan (excluding any harvested files (moved) & recycle bin items)
C:\Program Files\Common Files\Download\mc-58-12-0000113.exe -> Spyware.Maxifiles
C:\Program Files\Common Files\InetGet\mc-58-12-0000113.exe -> Spyware.Maxifiles
C:\Program Files\Common Files\Windows\mc-58-12-0000113.exe -> Spyware.Maxifiles
C:\Program Files\Common Files\Windows\services32.exe -> Spyware.Maxifiles
C:\WINDOWS\Downloaded Program Files\html.exe -> TrojanDownloader.Delf.ks
C:\WINDOWS\system32\MTC.dll -> TrojanDownloader.Agent.ga
C:\WINDOWS\system32\oleext.dll -> Trojan.Small.ev <--had to rename this one, reboot b4 delete.
That was left over from 'smitfraud' & 'PSGuard' infection. 180 solutions was in the bundle along with other randomised junk.

Yeah - I'm not sure just exactly what mechanism is involved, but I have to believe that the posters affected by this are running machines that are compromised at some level. If it was Smitfraud... well, that wouldn't surprise me terribly
As indicated by this Google search, only a handful of posts at Computing.Net come up (but other sites were found with the same link embedded).
This seems very similar to the pornographic link I mentioned in that other post, which Justin also blocked. This 'freemp3' link didn't seem as bad (contentwise anyways) and I encountered no problems checking the site out (a while back) at least, using Firefox. Still, not exactly desirable either

I didn't see anything real nasty on that freeloadmp3 site either....but I didn't click any links there. I just clicked on the link in my post that has it.
I did happen to harvest pretty much every new file that showed up in my Inctrl5 log before I went 'shady site surfin'. Like I said before I test malware installs. This box has been compromised by nearly every malware known to mankind and is ready for a 'nuke & pave'. Also had some rootkit infections on it so it cannot be trusted for anything.
Seeing I was able to harvest files...I can look at em and see if I can find the one responsible. I should be able to find the freeloadmp3 string in the file.
I have seen those links inserted before. Some real garbage sites and others not 'so bad'. Still it is an unwanted event and warrants further investigation by users who are affected simply cus we don't know what all is involved.
Quite possible the reason not that many search results off other forums turn up is cus several keep up quite well with those silly links.
I am an admin at spywarewarrior site. Any of the new users who signed up with that link (or other bad links)...we remove the link. Just now seeing it as an infection symptom rather than users putting that link there. (cus of my box)
Almost every user with that link has/had no idea why it's there.
Many other forums do the same thing.
Part of the reason I brought this up in the first place was to "spread the word" - so to speak so others would be able to recognise it as an infection of some sort and not the user being an idiot posting bad links.
Since the URL is now being stripped & we can't see what infection is trying to insert...we will need to ask users what the url is that is trying to insert. Most will know of it cus that will be one of the complaints.
From there we have a better clue what user has and what to use to clean it up.
Anyway...If I find what file is responsible and what/who put it on my hdd...I'll post it.
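
The string search described in the post above, as an added example that is not part of the original thread: it scans a folder of harvested files for a marker string in both ASCII and UTF-16LE, the two encodings Windows binaries commonly use for text. The function names and the sample file contents are constructed for illustration.

```python
import os
import tempfile

def patterns_for(needle):
    """Byte patterns to search for, lower-cased so the match ignores case."""
    text = needle.lower()
    return {"ascii": text.encode("ascii"), "utf-16le": text.encode("utf-16le")}

def scan_file(path, needle):
    """Return [(encoding, offset), ...] for every occurrence in one file."""
    with open(path, "rb") as fh:
        data = fh.read().lower()  # bytes.lower() folds only ASCII letters
    hits = []
    for name, pattern in patterns_for(needle).items():
        pos = data.find(pattern)
        while pos != -1:
            hits.append((name, pos))
            pos = data.find(pattern, pos + 1)
    return hits

def scan_tree(root, needle):
    """Walk a folder of harvested files; return {path: hits} for files that match."""
    found = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                hits = scan_file(path, needle)
            except OSError:
                continue  # locked or unreadable file: skip it
            if hits:
                found[path] = hits
    return found

def demo():
    """Run the scan over three constructed sample files (not real malware)."""
    samples = {
        "ascii_hit.bin": b"MZ\x90\x00" + b"http://www.FreeLoadMP3.com/" + b"\x00" * 8,
        "wide_hit.bin": b"\x00" * 6 + "freeloadmp3.com".encode("utf-16le"),
        "clean.bin": b"MZ\x90\x00 nothing of interest here",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, blob in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(blob)
        found = scan_tree(root, "freeloadmp3")
        return {os.path.relpath(p, root): h for p, h in found.items()}

if __name__ == "__main__":
    print(demo())
```

A file that is packed or keeps the URL encoded will not match, so a clean result here does not rule a file out.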

Oh, it shows up elsewhere, just not that much here.
I'd researched the other (pornographic) one somewhat - it was of Russian/Eastern European origin, not too surprisingly. So is this mp3 one:
Domain Name: FREELOADMP3.COM
Registrant:
Denis Petrov
Denis Petrov (denispetr@gmail.com)
Novorizskoe shosse 53-7
Moscow
null,117162
RU
Tel. +7.0955643326
Creation Date: 24-May-2005

Another link to watch for....
webanalsex.com
I found a site that installs it.
End up with win-eto hijack
Seems to be one of those 'rotational' install deals and ya dont know what rotten link they will be serving up next.
Yes I was browsin 'bad sites' to try find out what infection is doing this.
Ya don't see link in my post cus I'm posting from uninfected box.

I did click on that mp3 link in an early post and haven't found anything odd on my system yet. I'm stealthed up to my eyeballs though inc NetBEUI bindings.
Maybe the link itself (homepage anyway) is OK but the problem is "what put it there".
DerekW

Derek
Quite right you are. That freeloadmp3 site is ok as far as no malware installs just from visiting the site & no clickin stuff. (I wouldn't trust that forever tho seeing who owns the domain as jboy pointed out)
The infection installed (from other site I was at) includes a fair number of files.
Likely several hijackers doing it but so far with me it has been this hijacker:
You will see it in HJT logs.
C:\WINDOWS\System32\sysbho.exe <--troj krepper/Cassandra
hxxp://win-eto.com/hp.htm?id=293 <--several of these entries (link mangled by me)
O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe
O20 - AppInit_DLLs: sysmain.dll <--troj krepper/Cassandra
A real bear to remove.
A few other files belonging to same infection onboard that does not show in HJT.
%windir%\itshta.exe <--troj small/downloader
%windir%\q387.exe <--troj small/downloader
\desktop\m00.exe <--troj small/downloader
%system%\random.dll (mine is 8l5rmo6ze8vc.dll)<--troj. small\downloader
%system%\backup.old (bholoader)<--Troj. Krepper
property check of all shows manufacturer is Melkosoft Corporation
AV scanners will ID em.
There is a bunch of random name ones in %temp% as well. (same family of trojans)
Bad favorites are also added.
Seems to be a rotational thing as far as what link is being used to 'hijack' users profiles.
freeloadmp3 might be ok to look at but I don't think I would wanna click on webanalsex which is the one I have now....
It shouldn't show up in this post cus I'm usin firefox.
Have to be kinda careful nukin this one...AV won't fix it all up cus of the AppInit one that is hard to kill. (Careful with AppInit there are legits out there)
Killbox gets it but last time I removed this thing a couple services were disabled (XP) rendering my internet unavailable.
Workstation and DHCP
Re-automating and starting those services worked.
Of course just running an AV scanner isn't enough.
The usual install/update antispyware apps such as spybot S&D, Ad-Aware, MS/AS, SpySweeper, etc...cleaning up temps and a couple online scans are in order.
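
One way to triage the HijackThis entries quoted in the post above (an added example, not from the thread or from HijackThis itself): it pulls the O4 Run and O20 AppInit_DLLs lines out of a log and marks the file names the post names, leaving any other AppInit DLL for manual review since legitimate ones exist. The function name and the `ExampleTray` log line are constructed.

```python
import ntpath
import re

# File names the post above attributes to the krepper/Cassandra hijacker.
NAMED_IN_POST = {"sysbho.exe", "sysmain.dll"}

ENTRY = re.compile(r"^(O\d+) - (.+)$")
RUN = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# First and third lines are quoted from the post; the second is constructed.
SAMPLE = r"""O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O20 - AppInit_DLLs: sysmain.dll
"""

def triage(log_text):
    """Return [(section, file name, reason), ...] for entries worth a look."""
    findings = []
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw.strip())
        if not entry:
            continue
        section, body = entry.groups()
        if section == "O4":
            run = RUN.match(body)
            # Simplification: assumes the command is a bare path with no arguments.
            if run:
                exe = ntpath.basename(run["cmd"]).lower()
                if exe in NAMED_IN_POST:
                    findings.append((section, exe, "named in post"))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # Every AppInit DLL is reported: it loads into most processes,
            # but unknown ones are only marked for review, not for removal.
            for dll in re.split(r"[\s,]+", body.split(":", 1)[1].strip()):
                if dll:
                    name = ntpath.basename(dll).lower()
                    known = name in NAMED_IN_POST
                    reason = "named in post" if known else "review: may be legitimate"
                    findings.append((section, name, reason))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```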


This post is quite old and has been locked from receiving new replies. Please create a new posting instead.