
Oleg
Premium
join:2003-12-08
Birmingham, AL
kudos:2
reply to moonpuppy

Re: foxnews.com infected?

No problems here. Adblock Plus blocked all of the ad servers for me.



ctceo
Premium
join:2001-04-26
South Bend, IN
reply to moonpuppy

AdBlock Plus user here as well. Disabled it and waited for assets.espn.go.com, then refreshed. Repeated for 3 minutes and got nothing. They've probably cleaned it out.


moonpuppy

join:2000-08-21
Glen Burnie, MD
reply to moonpuppy

Re: foxnews.com infected?

I wonder if there is a way to monitor the ad sites when they feed these types of trojans.

Seems any site that large would want to do its best not to add to the problem.



SandShark
Long may you run
Premium,MVM
join:2000-05-23
Santa Fe, TX
kudos:3
reply to moonpuppy

The same thing happened to me last night. All I remember was something about "rd-point.net" in the warning. I'm using Firefox (v3.0.8) on a Mac (OS X v10.4.11).



IceDogg
Premium
join:2005-08-01
Batesville, AR

2 recommendations

reply to moonpuppy

This is why I don't feel the least bit guilty for blocking ads and never will.



mbaha

join:2009-03-01
reply to moonpuppy

Re: foxnews.com infected?

Hmm, really? Is this common for news sites to do? What virus program are you using?
--
Don't remind of the things I said or I'll be hurt



fatness
subtle
Premium,ex-mod 01-13
join:2000-11-17
fishing
kudos:14
reply to fatness

Re: foxnews.com infected?

Does anyone know what ad was doing this?



MarkAW
Barry White
Premium
join:2001-08-27
Canada
kudos:16

2 edits

1 recommendation

said by fatness:

Does anyone know what ad was doing this?
I went to the site with IE7, Opera and Seamonkey and got nothing, so I couldn't tell you what ad was doing it.

kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
reply to moonpuppy

Re: foxnews.com infected?

I built a VM with XP SP2 and no patches, and surfed FoxNews in it, and it didn't take long to pick up the Vundo.

I got it when I hit the "scitech" link. But since the ads are rotated, it's luck of the draw.

But now my VM is running a "virus scan" that shows infections of all sorts... tee hee hee..

Next challenge, remove this sucker!
--
To ISPs: Leave our ports alone! If I want ports blocked, I'll do it myself, thank you.


Cant Tell You

@204.211.193.x
reply to kpatz

Re: foxnews.com infected?

said by kpatz:

Next challenge, remove this sucker!
Start with ComboFix and follow with SuperAntiSpyware. Gets it every time. I see this daily on machines that come into my shop.

The guys doing this are great. It's a shame their talents are put to use this way.

kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

1 edit
reply to moonpuppy

This one didn't sink its hooks in very deep... I just killed the pav.exe process, deleted the file and the shortcut, removed the run entry from the registry and it's gone. Maybe if I let it lurk for a while it would download more of the hard-to-remove crap. Or maybe this is one of the "easy-to-remove" variants.

EDIT: Had to remove a BHO that was intercepting IE as well.
--
To ISPs: Leave our ports alone! If I want ports blocked, I'll do it myself, thank you.



Cant Tell You

@204.211.193.x

Five minutes is all it usually takes and you're done. If you can catch it in the first couple of minutes then you can beat it. But how many users have any clue how to do that? Most of my customers tell me they finally brought it in when they just couldn't deal with it any longer. Some last a couple of days! I don't know how they do it. It blows my mind when I can't get the annoying IE or Firefox popup to go away in the initial attempt at getting you to click to download. I always try to kill it without killing the process. I refuse to give in to it.


kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

1 edit

I re-infected my VM and will leave it on there a bit longer before attempting removal. I love challenges!

When I right-click the tray icon, it says "Open User Inteface". Malware makers never proofread their work...


moonpuppy

join:2000-08-21
Glen Burnie, MD
reply to kpatz

said by kpatz:

This one didn't sink its hooks in very deep... I just killed the pav.exe process, deleted the file and the shortcut, removed the run entry from the registry and it's gone. Maybe if I let it lurk for a while it would download more of the hard-to-remove crap. Or maybe this is one of the "easy-to-remove" variants.

EDIT: Had to remove a BHO that was intercepting IE as well.
I shut down my system as soon as I realized what was going on. This laptop has no AV but it is fully patched.

Glad I am not going crazy.

kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
reply to moonpuppy

I was playing around in the VM, emailing a friend of mine, and noting the crazy "warnings" that my cool new anti-virus has been warning me of.

Here's a couple:

quote:
Internet Explorers addon Shockwave Flash vs.3 found to be linking to the FormSpy website hosted at IP address 81.95.109.11 and installing FOrmSpy using an old VBS/Psyme exploit targeting Internet Explorer. These websites are believed to have been penetrated and modified by hackers. VBS/Psyme can be deleted proactively in Internet Explorer (IE). This is a detection for a malware that was discovered in the wild on July 24, 2009 (PST). Its installer was proactively detected as New Malware.ag (now Downloader-AXM). This addon tries to send your private information to attackers IP 72.95.109.11 (Malaysia)
So, they detect malware that won't be discovered for another 3+ months.
quote:
"Windows Meta File Vulnerability - Vulnerability"
"The vulnerability itself is regarded as extremely critical (the highest possible rating). As yet, there is no patch for this vulnerability. Exploit this vulnerability are Trojan-Downloaders, which install other Trojan programs on the victim machine. At the moment, Trojan programs are being downloaded from unionseek.com and iframeurl.biz. New modifications of these programs may appear".
I'll leave the VM running overnight and then see if it's harder to remove tomorrow.
--
To ISPs: Leave our ports alone! If I want ports blocked, I'll do it myself, thank you.


shopboss

@axeontech.com
reply to moonpuppy

Yeah, definitely infected. It's tried to hit me on two different PCs, just going to foxnews.com with IE7. No wonder we get so many cleanup jobs in our shop; a lot of wasted talent there.


kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
reply to moonpuppy

Well, on the second infection, removal was even simpler than the first time. I just killed the process and ran HijackThis, and found that it didn't reinstall the BHO or even the Run entry in the registry. Perhaps there were traces left behind that fooled the installer.

I'll have to revert to a pre-infection snapshot and try again.
--
To ISPs: Leave our ports alone! If I want ports blocked, I'll do it myself, thank you.
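kpatz's manual removal earlier in the thread (kill pav.exe, delete the file and shortcut, remove the Run entry, remove the BHO) and the HijackThis check in the post above both come down to auditing the same two persistence points: the Run keys and the Browser Helper Object registrations. As an added example, not part of the thread and not something any of the posters ran, the PowerShell below audits exactly those two locations on a live Windows box. It lists Run/RunOnce values from HKLM and HKCU, lists registered BHOs, resolves each BHO CLSID to its DLL through the CLSID's InprocServer32 key, and flags any entry whose image lives in a user-writable location, is missing on disk, or carries no valid Authenticode signature. The registry paths are the standard Windows ones; the "suspicious location" heuristic, the function names and the output shape are this example's own assumptions, and it needs a reasonably modern PowerShell rather than the unpatched XP SP2 VM described above.

```powershell
# Added example (not from the thread): audit Run-key autostarts and IE Browser Helper
# Objects, flagging entries that look like dropped malware. Registry paths are the
# standard ones; the path heuristic and function names are this example's own.

function Resolve-ImagePath {
    param([string]$Command)
    # Extract the executable from a Run value such as "C:\x\pav.exe" /arg or C:\x\pav.exe /arg
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.(exe|dll|scr|com))') { return $Matches[1] }
    return $Command.Trim()
}

function Test-SuspiciousPath {
    param([string]$Path)
    # Heuristic (assumption): legitimate autostarts live under Program Files or Windows;
    # drive-by droppers land in Temp, the user profile, ProgramData or the drive root.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    return ($expanded -match '(?i)\\(Temp|AppData|Application Data|Local Settings|ProgramData|Users\\[^\\]+|Documents and Settings\\[^\\]+)\\') -or
           ($expanded -match '(?i)^[a-z]:\\[^\\]+\.(exe|dll)$')
}

function Get-RunAutostarts {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/etc. metadata
            [pscustomobject]@{ Kind = 'Run'; Key = $key; Name = $p.Name; Path = (Resolve-ImagePath $p.Value) }
        }
    }
}

function Get-BrowserHelperObjects {
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($k in Get-ChildItem -Path $root) {
            $clsid = $k.PSChildName
            # The BHO key only names a CLSID; the DLL path is the (default) value of InprocServer32
            $dll = $null
            foreach ($cls in "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32",
                             "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid\InprocServer32",
                             "HKCU:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32") {
                if (Test-Path $cls) { $dll = (Get-ItemProperty -Path $cls).'(default)'; break }
            }
            [pscustomobject]@{ Kind = 'BHO'; Key = $root; Name = $clsid; Path = $dll }
        }
    }
}

function Get-AutostartFindings {
    foreach ($item in @(Get-RunAutostarts) + @(Get-BrowserHelperObjects)) {
        $reasons = @()
        if (-not $item.Path) {
            $reasons += 'no image path (dangling CLSID)'
        } else {
            $expanded = [Environment]::ExpandEnvironmentVariables($item.Path)
            if (Test-SuspiciousPath $expanded) { $reasons += 'user-writable location' }
            if (-not (Test-Path -LiteralPath $expanded)) {
                $reasons += 'file missing'
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $expanded
                if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
            }
        }
        if ($reasons.Count -gt 0) {
            $item | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

# Usage: run as the affected user (HKCU is per-user) from an elevated prompt so HKLM is readable.
Get-AutostartFindings | Format-Table Kind, Name, Path, Reasons -AutoSize
```

Read the output the way the thread reads a HijackThis log: an O4-style Run value or an O2-style BHO whose DLL sits in Temp or the user profile and fails signature validation is the entry to kill, delete and then unregister, in that order, since removing the key first leaves the running process free to recreate it. Unsigned entries under Program Files are common for older legitimate software, so the signature flag alone is a prompt to look, not a verdict.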