  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA | reply to Doctor Four Dallas routing:
Related info: »Re: Is msmvps.com down?
 |
|
  Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
·AT&T U-Verse
| reply to Just Bob Re: Contact with wfaa -
said by Just Bob :Gee, ya don't think they did a take down on msmvps.com, do ya? EDIT: I should have added a smiley...or maybe not. There are reports in the Dallas area of up to 18" of rain, record flooding, tens of thousands without power, and at least one fatality. 3rd wettest June on record, and there is more rain yet to come. Forecasters are saying it could continue through the middle of next week.
Back on topic, a traceroute to msmvps.com seems to crap out at COLO4-DALLA.car2.Dallas1.Level3.net. Considering how much trouble there has been with their routers, it could be related (the more conspiracy minded would think it was a DDoS courtesy of the Winfixer gang, angry at being outed by Sandi yet again.) -- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot) We are the Hacker Collective: Resistance Is Futile - All Your AACS Keys Will Be Assimilated. |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
·RoadRunner Cable
| reply to Just Bob This problem has been escalated ----
Original Message: ----------------- From: xxxxxxxxxxxxxxxxxxxxxx Date: Tue, 26 Jun 2007 11:38:45 -0500 (CDT) To: amysheehan dslr.net Subject: CASE-1136394c277.93.88.fa.72.2-CASE - www.wfaa.com
Dear Amy,
Thank you so much for taking the time to write us.
Your question has been forwarded to the appropriate department at WFAA.com.
We appreciate your feedback.
Thank you for your continued support.
Best Regards, Mike -- DSLR Phishtracker |
|
 Just Bob Premium join:2000-08-13 Spring Hill, FL
2 edits | reply to amysheehan Re: Contact with wfaa -
Gee, ya don't think they did a take down on msmvps.com, do ya?
EDIT: I should have added a smiley...or maybe not. There are reports in the Dallas area of up to 18" of rain, record flooding, tens of thousands without power, and at least one fatality. |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
·RoadRunner Cable
| reply to Just Bob Original Message: ----------------- From: xxxxxxxx.belointeractive@abc.com Date: Mon, 25 Jun 2007 10:51:37 -0500 (CDT) To: amysheehan================dslr.net Subject: Customer Service Inquiry - www.wfaa.com
Dear Amy-
We have received your comment and will get back with you shortly.
***************** Your feedback ***************** Please have a look at this topic posted at dslreports re your website and winfixer ads being served on Sunday »Another WinFixer infiltration...this time on www.wfaa.com
I can't replicate the problem today but I think you need to have a look at recent advertising changes that may have caused this problem.
I am registered as amysheehan @ dslreports and I am an executive online news producer in Los Angeles for a network O/O station at xxxxx My work email address is xxxxxxx@#####.com and you may reach me directly @ 818mmmmmmmm. I have shared this info with our IT director for website operations who asked that I relay his offer of assistance for your online service issues.
Sincerely Amy Sheehan Huntington Beach, CA
Please feel free to contact me at my work email address or phone number if you would like specifics or background info re this problem. -amy-
-- DSLR Phishtracker |
|
  Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
·AT&T U-Verse
| reply to Doctor Four Re: Another WinFixer infiltration...this time on www.wfaa.com
I'm beginning to wonder if Belo doesn't care that their websites are serving up malware, and that the only way to get them to take notice is to tell their competition about it (here in DFW that would be myfoxdfw.com, nbc5i.com, and cbs11tv.com).
A few years ago, wfaa.com was asking rather intrusive personal questions you had to answer in order to visit much of their site; so much so that whenever I wanted to visit a local network's website, it was never theirs.
My mom's PC now has the MVPS hosts file on it, and I was able to get it to install on one machine at work that is not part of the network controlled by the company's IT department - it is part of our lab LAN, and we can install pretty much anything, short of copying files to or modifying files on the network drives. I also put Firefox on it, which is less susceptible to this kind of hostile redirect. -- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot) We are the Hacker Collective: Resistance Is Futile - All Your AACS Keys Will Be Assimilated. |
|
  jbob Reach Out and Touch Someone Premium join:2004-04-26 Little Rock, AR
·Comcast
·AT&T Southwest
| reply to Just Bob Looks like a canned response. I bet if you sent a message to the competing stations in the area this issue would be fixed much faster. Can you imagine the other stations reporting this about WFAA?  |
|
 Just Bob Premium join:2000-08-13 Spring Hill, FL
| reply to Doctor Four I'm not very encouraged.
Perhaps if a large number of people were to file a complaint...
Dear Bob,
Thank you for your e-mail.
Everyone here at WFAA.com strives every day to provide the most personally relevant news and information for our customers. And, it is through customer feedback that we are best able to meet customer needs, preferences and wishes. We appreciate your feedback.
Thank you again for your e-mail. We encourage you to e-mail us again with any other comments, questions, concerns or complaints you may have.
Best Regards,
LaTonya S.
--------Original Message------------- From: Bob To: null Date: 26-JUN-2007 11:21AM
It seems your site is serving ads for malware via Real Media and Valueclick: »msmvps.com/blogs/spywaresucks/default.aspx |
|
  Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
·AT&T U-Verse
| reply to Doctor Four This is likely happening on all Belo owned websites, considering that the vector for the malicious redirects is their own ad company, belointeractive (via RealMedia).
Which means that the website for the Dallas Morning News, dallasnews.com, may also have the same problem. Though here it could hit them in the bottom line as they will likely lose quite a few subscriptions from people who have gone to the site and gotten infected. -- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot) We are the Hacker Collective: Resistance Is Futile - All Your AACS Keys Will Be Assimilated. |
|
 Just Bob Premium join:2000-08-13 Spring Hill, FL
| reply to Just Bob Sandi has blogged. She found that ultimately these infected ads come from Real Media and Valueclick.
»msmvps.com/blogs/spywaresucks/default.aspx |
|
 Just Bob Premium join:2000-08-13 Spring Hill, FL | reply to Doctor Four Wow!
BTW, Sandi has seen this thread. Keep an eye on her blog. »msmvps.com/blogs/spywaresucks/default.aspx |
|
  Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
·AT&T U-Verse
| reply to Doctor Four Winfixer hosts entries (from the June 14th MVPS hosts file):
Not every one of these will be encountered. -- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot) We are the Hacker Collective: Resistance Is Futile - All Your AACS Keys Will Be Assimilated. |
|
  jbob Reach Out and Touch Someone Premium join:2004-04-26 Little Rock, AR 1 edit | reply to Just Bob Looks like the current MVPS Hosts file! 
Edit: Well looks like you posted as I was. My reply was to your earlier post with the MVPS entries. |
|
 Just Bob Premium join:2000-08-13 Spring Hill, FL
| reply to DrStrange I highly recommend the use of a hosts file. Personally I use the MVPS file: »www.mvps.org/winhelp2002/hosts.htm
Remember the good old days when the justification for the hosts file was a privacy issue rather than a security issue? |
|
  DrStrange Technically feasible Premium join:2001-07-23 West Hartford, CT
·Stephouse Networks
·magicjack.com
·EarthLink
| reply to Doctor Four Thanks for the hosts file entries. I've seen zedo hits elsewhere on the 'net, and I'll bet this will propagate to other sites before it's stopped. I generally block advertisers as a rule. This case is an operational definition of my reasoning for doing so. |
|
  sivran Long Live The Suite Premium join:2003-09-15 Arlington, TX clubs:
·RoadRunner Cable
| reply to Just Bob Thanks for the list. The wfaa block is a stop-gap measure until I get proper filters in place. Heck, my dad surfs porn when I'm not around, and yet it was wfaa that got him. What is the world coming to?  -- Think outside the fox...Seamonkey |
|
 Just Bob Premium join:2000-08-13 Spring Hill, FL
| reply to sivran said by sivran :WFAA's site serving up malware ads AGAIN? Excuse me while I go block their site entirely. The one single infection my network's experienced was through a bad ad on that site several months ago.
I suppose I should mention again that it was Google ads served by Zedo that caused the problems on the travelpod website. But since there's no way to predict the source of the ads, you would have wider protection if you were to block Zedo, rather than WFAA.
Here's all the sites I could glean from my hosts file: |
|
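Hosts-file blocking as discussed in this thread matches exact hostnames only, so listing some of an ad network's subdomains leaves any unlisted sibling resolvable. The sketch below is an added example, not part of any post: it parses entries in the MVPS layout quoted in the thread and flags such gaps. The domains, `parse_blocked` and `coverage` are constructed for illustration.

```python
# Constructed sample in the MVPS layout quoted in the thread
# ("127.0.0.1 host #[tag]"); the domains are placeholders, not real entries.
SAMPLE_HOSTS = """\
# [Example Ad Network]
127.0.0.1  adnet.example  #[Tracker.Cookie]
127.0.0.1  c1.adnet.example
127.0.0.1  c2.adnet.example #[cdn.example.net]
0.0.0.0    www.adnet.example
192.0.2.10 intranet.example   # real mapping, not a block
"""

# Addresses that make a hosts entry act as a block rather than a mapping.
SINK_ADDRS = {"127.0.0.1", "0.0.0.0"}


def parse_blocked(text):
    """Return {hostname: trailing comment} for entries pointing at a sink address."""
    blocked = {}
    for line in text.splitlines():
        entry, _, comment = line.partition("#")
        fields = entry.split()
        if len(fields) < 2 or fields[0] not in SINK_ADDRS:
            continue  # comment-only line, blank line, or a genuine mapping
        for name in fields[1:]:  # a hosts line may carry several aliases
            blocked[name.lower().rstrip(".")] = comment.strip()
    return blocked


def coverage(blocked, observed):
    """Classify observed hostnames against the blocklist.

    'blocked'  : the exact name is listed, which is all a hosts lookup honours
    'gap'      : a parent domain is listed but this name is not, so it resolves
    'unlisted' : nothing related is in the file
    """
    result = {}
    for host in observed:
        h = host.lower().rstrip(".")
        if h in blocked:
            result[host] = "blocked"
            continue
        labels = h.split(".")
        # Parent domains, stopping before the bare top-level label.
        parents = [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
        result[host] = "gap" if any(p in blocked for p in parents) else "unlisted"
    return result


if __name__ == "__main__":
    # Constructed hostnames, as might be pulled from a proxy or DNS log.
    seen = ["c1.adnet.example", "c9.adnet.example", "news.example"]
    for host, status in coverage(parse_blocked(SAMPLE_HOSTS), seen).items():
        print(f"{status:9} {host}")
```

Names reported as `gap` are the ones to add to the file or to cover with a resolver-level or proxy filter that can match a whole domain.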
  youveshutmedown
@sbcglobal.net
| reply to mysec said by mysec :They affect the previous version of the OS. I wonder how quickly MAC people patch|upgrade!
MACs are inherently secure, and don't need to be patched or updated because they are impervious to exploits/viruses/hacking, aren't they?  LOL |
|
  sivran Long Live The Suite Premium join:2003-09-15 Arlington, TX clubs:
·RoadRunner Cable
| reply to Doctor Four WFAA's site serving up malware ads AGAIN? Excuse me while I go block their site entirely. The one single infection my network's experienced was through a bad ad on that site several months ago. -- Think outside the fox...Seamonkey |
|
  Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
·AT&T U-Verse
2 edits | reply to Doctor Four It happened again just now, but this time on intellicast.com. I had loaded the 1km radar page for DFW to see where the storms we're supposed to be getting today were at when I got redirected to errorsafe.
Since I had put all the Winfixer domains in the restricted sites, it couldn't do anything - and the page was blank. (This was on my work machine, BTW.)
A previous visit to the same radar page had a flash ad served by Zedo. I think you're on to something here with the Winfixer-Zedo connection, Just Bob.
Edit: it is a Zedo ad on WFAA that is likely doing this - I have them in the restricted sites zone as well - this seemed to have prevented a redirect to any Winfixer sites. -- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot) We are the Hacker Collective: Resistance Is Futile - All Your AACS Keys Will Be Assimilated. |
|