OK, more info, a message I sent to AIN'T IT COOL NEWS.com: Harry, I just called you re this. Nasty. Note that my message below presumed it came from MSN, but a history check of my browser indicates it loaded AFTER your site and BEFORE I went to MSN. Looks like it puts up a small window and a delay to disguise it's origin. Check the site referenced below for some more info. Looks like this is the start URL: http://ad1.zendmedia.com/cw.php?id=45 next, the takeover: http://ad1.zendmedia.com/adpop_rpc.php?id=45 This is really nasty. Your site may or may not be a source, but it looks like it here. Good luck. >From: "John Nagy" >To: support@opensrs.org, compliance@opensrs.org, info@opensrs.org >Subject: Abuse/Fraud/Malicious software via your services - ZENDMEDIA >Date: Thu, 14 Aug 2003 16:08:29 -0700 > >A "ZENDMEDIA" is either operating or being hijacked in one of the >most nasty computer take-over ad popup I've seen. It poped up while >viewing MSN.com news stories. > >You are the registrar for zendmedia.com. > >Please expidite a look at this company and consider immediate >termination if not legal action against them. > >This URL shows a good description of what they are doing. > >http://www.computing.net/security/wwwboard/forum/5886.html > >Essentially, a popup takes over the entire screen with all ability >to control the computer removed. It simulates a windows warning >window warning of variously a "Required shutdown due to an >enexpected RPC termination" or "Your computer is infected" and >offers a single link to a "Fix". > >I did not take that link to see what else would occur. An >Al/tCntrl/Delete enabled me to terminate that task, leaving a small >launcher window, whose source I could display. It revealed the >ZENDMEDIA info. > >This is very, very evil, misleading, and potentially the tip of a >malicious attack. > >DO NOT DELAY RESEARCHING THIS! >

0

Click on the 1st pop-over screen and then scroll to the bottom of the 2nd screen, the ad is for http://www.discountbob.com/. Let those ()*&)(*# know what you think! I'm just guessing, but probably zendmedia came up with the idea and it is Discount Bob that is actually paying for this crap.

0

I had a similar experience and agree with everything you have said. It might be worth noting that the old Alt+F4 keystroke combination worked to close the window. Sometimes it is good to be old.

0

you can use this link to discount Bob and tell them you just join the hate club they started with this adceertising they took with ZendMEDIA. http://www.discountbob.com/contact.php and spread the word

0

My main concern is if this is really dangerous or just annoying, I don't have any "important" files in my computer (most of them can be replaced from backup or re-installed), but I wouldn't like to lose them neither. I visited billboard.com, and before that I was surfing in google and some mexican news sites (elnorte.com, palabra.com, todito.com), and yes i have installed recently kazaa, maybe I should better remove it from my computer. Hope this is just a bad joke, and let's take action by reporting to TUCOWS, as many of you suggest, I have a question here: how can you find out who is the registrator for a domain? Thanks guys... Happy surfing... / jC

0

Being a corporate man myself, in charge of a somewhat sizable communications system. I too have had a couple nasty run ins with this pop up. DON'T LET IT GET TO YOU. Treat it like you would any other pop-up and just hit ctrl-w. I myself plan on going to discountbob.com and letting them know exactly what I think of zendmedia

0

As far as I can tell it is not dangerous. It is a complete load of sh!te though. Whoever is responsible Discountbob ? Zendmedia ? should fry in in hell, and fail miserably in all their endeavors F*#k them, F*#k them in their greedy little asses

0

We got this same annoying thing from from MSNBC. Try going to www.symantes.com (NOT symantec, symantes!). Looks like the perpetrator has registered this domain name and is running this as their main page! It' s registered to someone in Pakistan (do a lookup with nsi.com).

0

zendmedia got me too... my history log pointed me to ad1.zendmedia.com I then opened my command prompt and ping-ed (sp?) that url and the reply came back from 64.186.152.152 Just like response #11, I was on Billboard's website for like 30 seconds before heading somewhere else when they bombarded my screen. buggers! Is this really legal?

0

***COMPUTER SECURITY ALERT your PC is infected*** I have had this Zenmedia popup on one of my Win98se machines now twice while visiting MSNBC.com. To those who could not close the window: Hit Ctrl+Alt+Del select the "zendmedia" from the task manager and hit end task. This will close the window immediately. I also came up with Tucows as the site owner. Domain Name: ZENDMEDIA.COM Registrar: TUCOWS, INC. Whois Server: whois.opensrs.net Referral URL: http://www.opensrs.org Name Server: NS1.IAD1.NSSRV.COM Name Server: NS2.IAD1.NSSRV.COM Status: ACTIVE Updated Date: 01-may-2003 Creation Date: 15-apr-2002 Expiration Date: 15-apr-2004 >>> Last update of whois database: Mon, 18 Aug 2003 06:11:28 EDT The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars. Redirecting to TUCOWS, INC. whois -h whois.opensrs.net zendmedia.com ... Registrant: Zend Media, Inc. P.O. Box 192 Kiev, NA 01103 UA Domain name: ZENDMEDIA.COM Administrative Contact: Hostmaster, Zend hostmaster@zendmedia.com P.O. Box 192 Kiev, NA 01103 UA +380 44 4943536 Fax: +380 44 4943537 Technical Contact: Hostmaster, Zend hostmaster@zendmedia.com P.O. Box 192 Kiev, NA 01103 UA +380 44 4943536 Fax: +380 44 4943537 Registrar of Record: TUCOWS, INC. Record last updated on 01-May-2003. Record expires on 15-Apr-2004. Record Created on 15-Apr-2002. Domain servers in listed order: NS1.IAD1.NSSRV.COM 64.186.152.111 NS2.IAD1.NSSRV.COM 64.186.152.112 I'm very interested on more information on this!! Tucows has not responded to my inquiry. Spybot search and destroy has not located a spybot on my system related to this phenomena. I'm going to write the maker of Spybot S&D. When were you hit with this popup? My first one was about 2 days ago then again last night. Hoping someone gets to the bottom of this. Vlad Sczensh Phoenix, AZ

0

Good detective work user: SomeoneElse! I went to the www.symantes.com site as you suggested and followed up on it. You were on target!

0

I also got this popup from MSNBC. Out of curiosity, I did click on the link, and it took me to discounbob's page to buy a program called Computer Shield. Wanting to find the program maker so I could complain to them, I searched for that name on google. Stangely enough, I was unable to find any mention of this product. It's a download, so someone would have to buy it (and that definitely won't be me) to find out who makes it. What I also find interesting, is that you can't find this particular software on discountbob's if you don't use the popup, so it's obviously a 'special deal'.

0

I encountered the zendmedia crap when jumping from yahoo to msn radio. I have complained to discount bobs and will next do so at tucows. fyi, Turk -- I don't think zenmedia and zendmedia are the same thing. Peace!

0

Actually, here is more info on this. I was on MSNBC and got hit with it. Zendmedia is apparently the company pumping it out through the various websites. The popup is pulling its graphics from http://grx.dvlabs.com, a company in Virigina. If you WHOIS the discountbob.com site, it shows to be in Slovakia. However, a ping and trace of www.discountbob.com led to a hosting company named Servint.net ALSO in Virginia. (Coincidence?) The Slovakia WHOIS information is bogus just like the Pakistan WHOIS information for www.symantes.com. A ping of www.symantes.com shows 216.65.41.188, which traces to NNW.NET, which has contact info in Los Angeles and Russia. However, symantes.com is only the popup (probably the one Zendmedia is pulling from) and discountbob.com is the actual site. I tried searching for the software "Computer Shield Firewall" which is advertised in the popup. No luck on a manufacturer, etc. (and I don't want to spend $40 to find out what it is.) My guess is that your complaints to discountbob.com will go to the Recycle Bin as they are the ones doing all of this. Your complaints should all go to the ServInt webhosting company that is hosting discountbob.com, as well as the website that allowed Zendmedia to serve it to you (aka. MSNBC, etc.) ServInt, Inc. 6861 Elm St #4B McLean, VA 22101 800-573-7846

0

I had the exact same experience last night (8-19-03) on two of my home PC's (desktop and laptop). Here is the content of the scam: "SYSTEM SHUTDOWN"(LOOKS LIKE REAL WINDOW) [X] "This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM. Time before shutdown: 00:00:50 (with counter actually counting down while flashing "Fix it" click here). MESSAGE Windows must now restart because the Remote Procedure Call(RPC)service terminated unexpectedly." What appears to be an advertisement for "COMPUTER SHIELD" is present with a price of $39.99 (regularly $49.99) and several of Norton's products are also visible on this full page. It also indicates "Your computer is infected". The bottom of the page indicates as follows: Copyright @2003 DiscountBob All Rights Reserved. One method of escape is to "END TASK" with CTRL+ALT+DEL & highlight the culprit and 'End Task'. I have written to TUCOWS,INC. based on the information provided within this Web site and am awaiting a response/solution that may never come! This type of heinous act should not be ignored and the individual[s] responsible should be prosecuted for such flagrant abuses to the general public and users of the system.

0

ZENDMEDIA confusion... I just wrote "Turkish" on the spam matter as well, but apparently he posted the WHOIS information for a website I used to run that has a name close to the offending domain. I used to run "zenmedia.com" while the offending website apparently is named "zenDmedia.com" ... totally different and unrelated but I can understand the mixup. No harm done, but I'd rather not be implicated for something I have zero to do with... Thanx, -Dave M. EOM...out

0

Hi I got this one too. Here is some more info, and guesses! First this is directly related to windows media player on my computer at least ! I admit that I have been going to some free porn sites, I think that is where I picked this up at, as some of the mpg movies played strangely. I first saw it at MSN's radio site. The radio stopped playing,( computer lost all sound), and I got the popup. Tried other radio web sites got same results. I have only seen this popup when the radio site uses windows media player. I have reinstalled windows media player 9. I have not seen the popup ad since, but I did lose sound after about a hour. I have done a restore to my earliest set point. Have been to windows update getting caught up on updates. I have not tested to see if I get the popup again or if the music will keep playing over one hour. It is tricky for me as I am on a dialup, some times my ISP shuts me down. I wish you all luck with this.

0

BIG NEWS!! I wrote this company(?)an email to their DISCOUNTBOB.COM site and expressed an interest in their software. I received a reply back today as follows: Dear Steve, Greetings Thank you for your interest towards our services. We recommend you to kindly visit the following URL to register for our services to safeguard your system from any vulnerable virus attacks. http://ad1.zendmedia.com/ad-rpc.php?id= Thank you -- Sincerely, Customer Support(CS-Software) The site takes you to their ad for 'COMPUTER SHIELD FIREWALL' software and the ad will look absolutely familiar to those of you who have fallen victim to this underhanded scheme/gimick. The important thing to note here also is that the "link" to download their software will take you to the following site: http://www.buysmarter.com/click.php?aid=zend_rpc&lid=&prod_id=9010 Then you are at their Buysmarter.com site where the COMPUTER SHIELD software is once again advertised as a DOWNLOAD for $39.99. Over the last several days, this outfit was using DISCOUNTBOB.COM as their site and today it is BUYSMARTER.COM....who will it be tomorrow???? Their letter to me was from : Customer Support (CS-SW) (Support@pmmci.com) Subject:[401684] re:**CUSTOMER** This is all the info I have at this time and I would like to know from those of you "in the know" out there...is there any means of: (1.) having these individuals be held responsible for their actions & by what ENFORCING AGENCY ? AND, (2.) What methods might be employed and used to prevent their scheme from working in the future?? I hope this is of some assistance in bringing this matter to a conclusion of sorts. All though we know they'll be back...we need to continue the battle against these types! A concerned and irate system user ! Steve M.

0

Hi all, news up date, I did not pick this up at the porn site after all! No I got it from http://entertainment.msn.com/music/ it seems that there is a ad for MS DSL on the site. The ad comes from http.edge.vru4.com (no that's not a typo!) they send this web page html.html (no that's not a typo!) that web page gives you both the flash ad in the msn ad box and the little pop up window that sites at the bottom of the screen. The little popup window opens up another window for the ad1.zendmedia.com ads. Not sure how well this will look but here is the contents of the pop up. pl-msdsl468-01 function HiddenPop(openurl) { win3 = window.open(openurl,"","x=5000,top=0,y=0,left=5000,height=10,width=10,directories=no,toolbar=no,addressbar=no,resizable=no,menubar=no,scrollbars=no"); } HiddenPop('http://ad1.zendmedia.com/cw.php?id=205'); I have sent a email to abuse@msn.com, still waiting for a reply.

0

Let me try that again! pl-msdsl468-01 function HiddenPop(openurl) { win3 = window.open(openurl,"","x=5000,top=0,y=0,left=5000, height=10,width=10,directories=no,toolbar=no, addressbar=no,resizable=no,menubar=no, scrollbars=no"); ) HiddenPop('http://ad1.zendmedia.com/cw.php?id=205'); Added spaces so hopfully it will show up correctly.

0

ABC might be interested in this one...try going to www.whowantstobeamillionaire.com and you get this pop-up also for Computer Shield: <html><head> <title></title> </HEAD> <BODY onload="confirmGoto()"> <SCRIPT> var exit=true; function confirmGoto() { if (exit) { if (confirm(" Virus Warning !!!\n\nW32 RPC Virus Detected. \n\n CLICK on OK\n to Scan and Clean !")) { window.open('http://ad1.zendmedia.com/ad-rpc.php?id=adru606'); location="http://www.super-casino.com/BestCasino.htm" } else { location="http://www.super-casino.com/BestCasino.htm" } } } </SCRIPT> </body> </html>

0