  jefe Premium join:2001-05-19 Northport, NY
| Audio spam - How is it getting in?
This is a new one on me folks.
I just fired up BBR with IE and was browsing my favorite forums and what I can best describe as an audio spam started playing.
It was a poor quality recording so it's hard for me to be sure what it was advertising, but it sounded like some kind of movie coming this holiday season.
Hell, it just played again. Elf, rated PG.
I'm running nod32. I've done a full scan. All my ports are stealth-ed. I use OE6 but don't ever have the preview window enabled and I always shift-delete any messages I don't recognize.
Has anyone else experienced the audio spam I'm getting? And does anyone have a clue how it got in to my system?
TIA
--jeff
edit: More info...I found the files that are being played and found it somehow rode in on AIM. If I close AIM in the middle of the sound bite, it stops it.
The 3 files are: aim_ELFInc.js elAUD.eye elf350.eye
[text was edited by author 2003-10-29 14:52:34] |
|
 LowWaterMark Premium join:2002-05-16 Wallingford, CT
| You're saying you think it's from BBR/DSLR? I suppose someone could be fooling around with embedding a script to call a flash object (one that's just sound) or somehow linking some other type of sound file. Do you know exactly what threads you were in? If it is from here, you may be able to locate it. Otherwise, might you have other spyware installed? You could scan with either/both Ad-Aware or Spybot S&D. -- Use the most powerful combo Firewall/AV/AT package available - "Common Sense" - It can be upgraded daily! |
|
  jefe Premium join:2001-05-19 Northport, NY | I thought it might've been for a minute, but I now realize it was just a coincidence that it happened shortly after I fired up BBR.
Sorry if I gave anyone the impression that BBR was in any way involved. |
|
  panth1 The Coyote
join:2000-12-11 Boca Raton, FL
| reply to jefe I just got this not 5 minutes ago and came to this forum :P
My friend said he got this yesterday and I was like wtf you talking about and now it just happened.
I'm running DeadAIM and it was "downloaded" by one of my friends so I wonder if someone hacked it to include this. -- ISPs: Road Runner/Powerlink Status: Road Runner [text was edited by author 2003-10-29 14:56:38] |
|
  jefe Premium join:2001-05-19 Northport, NY
| I'm running DeadAim V4 also. One other thing, I just got a notification from JDennis that V4.1 was available. I went to their web site to get it and I wonder if that's where the culprit files could've come from?
(I didn't get DeadAIM 4.1 because they want me to give them my friggin' birthday to register with them. I oppose giving out that info for a casual registration on principle, but that's another thread....) |
|
 halc
join:2003-03-17 swe
| reply to jefe I'm not sure I understand you, but playing an embedded background sound without user control is one of the very basic features of Internet Explorer (and many other browsers).
Or did you mean something completely else?
I block all automatic video/sound embed links using Proxomitron web filter. |
|
 Daemon Premium join:2003-06-29 San Francisco, CA
·Comcast
| reply to jefe Unfortunately, AOL has started spamming AIM users with audio ads. At the same time, DeadAIM only hides the ads.
What is happening is that the ad is playing, but DeadAIM has made it invisible. -- -Ryan There are 0F types of people in the world: those that can count in hex, and those that can't. |
|
  jefe Premium join:2001-05-19 Northport, NY
| reply to halc I have all those features disabled in IE too.
It took a little while before I found that closing AIM would stop the audio file from playing.
AIM is big on advertising banners, which DeadAim blocks. I wonder if that Java script and the files associated with it were just a new way of AIM pushing advertisements?
The issue hasn't resurfaced since I found and deleted the 3 files I mentioned above, which were in \Documents and Settings\user-me\Local Settings\Temporary Internet Files. (XP Pro) |
|
  jefe Premium join:2001-05-19 Northport, NY
| reply to Daemon said by Daemon : Unfortunately, AOL has started spamming AIM users with audio ads. At the same time, DeadAIM only hides the ads.
What is happening is that the ad is playing, but DeadAIM has made it invisible.
Yep...that's just the conclusion I came to.
Maybe JDennis will find a way to let you select blocking the audio ads as well. Or maybe it's just time to find another IM client and service. |
|
 Daemon Premium join:2003-06-29 San Francisco, CA
·Comcast
| it's simple enough to monitor your connections via netstat and then add the AOL ad server to your hosts file so that it loops back to localhost.
This also keeps AOL from downloading any ads normally, but deadaim has the additional benefit of hiding the space where the ad normally goes.
-Ryan |
|
  jefe Premium join:2001-05-19 Northport, NY | Do you happen to know what the IP or URL is of the AOL ad server? |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| reply to jefe Hmmmm, I wonder if that is only happening on newer versions of AIM? I am running 4.7.2480 and have not had the problem.
However, if you would like to continue using the AIM service and want to use a different client, Trillian works very well with AIM (and it has no ads or spyware). They have a free Basic Version and a paid Pro Version - both very popular with some of our members here. You can use Trillian with your existing AIM screen names and you can transfer your buddy list, if you have saved it from AIM. Trillian will also allow you to use other chat clients like ICQ and Yahoo, MSN, and IRC »www.ceruleanstudios.com
I wrote a tutorial in another forum that might help if you decide to try it:) How to Set up & Use Trillian with AIM »forum.gladiator-antivirus.com/in···pic=5116 -- It takes a disaster to make a woman out of a female Gladiator Security Forum |
|
  jefe Premium join:2001-05-19 Northport, NY | I used Trillian for a while CJ. I didn't like it as well as the native AIM client. I can't remember why...it's been a year or so.
I'm going to work trying to block the ad server before I give up on AIM.
Tnx.
--jeff |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL | Yep, I prefer the AIM client too. For now, I think I am safe from the elf with my older version  |
|
  jefe Premium join:2001-05-19 Northport, NY
| reply to jefe So it's back...with more files than before. The screen grab shows the files in my temp folder.
Can anyone suggest what URL I should block, and the exact syntax to use in hosts? |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| reply to jefe This is soooooo not good.
I found this on google but could only get the cached link to show the news story (so if this link doesn't work - just google for AOL audio ads)
AOL Tests TV Ads in AIM
quote: Users also will be able to stop, rewind, and replay the spots at will, Bernstein said
"The user is going to be in control," he added. "That goes back to us being very careful with our users and wanting to make it a great experience, so we've taken some safeguards -- if a user wants to stop it, they can stop it, if they want to replay it, they can."
However, they won't be able to control an ad's initial use of sound -- instead, that will be initiated by the ad server.
Sounds Ads...seems to be a growing trend Related story here: »www.wired.com/news/ebiz/0,1272,57767,00.html -- It takes a disaster to make a woman out of a female Gladiator Security Forum |
|
  jefe Premium join:2001-05-19 Northport, NY
| Right. Just what we need. More ads blaring at us.
If I can't find a way to block that noise I will for sure dump AIM and find another way to IM. Not that AOL is losing any sleep over the possibility of losing me.  |
|
  Epyon9283 Premium join:2001-12-26 Dayton, NJ | reply to jefe Just use a different AIM client like Trillian or Gaim. They don't have any ads. |
|
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| reply to jefe
Extension: EYE
Program and/or Extension Function: Eyeris Encoded Audio/Video File
Company: Eyewonder, Inc.
Specific Notes: Eyeris is the backbone of EyeWonder's technology, an encoding algorithm that supports Web, E-mail and wireless environments from narrowband up. EyeWonder is Java-based streaming media technology. The procedure for all EyeWonder audio/video files begins with the encoding (compressing) process via the Eyeris technology into .EYE files.
»www.eyewonder.com/ -- Gladiator Security Forum »www.gladiator-antivirus.com/ |
|
 Daemon Premium join:2003-06-29 San Francisco, CA
·Comcast
| reply to jefe from the firewall logs i keep, i'd host out
aim-charts.pf.aol.com www.aim.com aim.aol.com ar.alwola.com
for the specific ad I'd block www.empiremovies.com xlonhcld.xlontech.net (which is where the player is coming from)
also, you can try uninstalling viewpoint media player from add/remove (aim installs it automatically)
AIM connects to AIM.com and then is redirected to a different site, which i think is the atwola site. -- -Ryan
There are 0F types of people in the world: those that can count in hex, and those that can't. [text was edited by author 2003-10-30 19:08:45] |
|
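The hosts-file approach discussed in the thread, as an added example that is not part of any post: each entry is one line of the form `address hostname`, and on XP the file lives at `%SystemRoot%\system32\drivers\etc\hosts`. The hostnames are copied exactly as posted above and are not independently verified; the function names and the sample hosts content are constructed for illustration.

```python
import re

# Hostnames exactly as posted in the thread (not independently verified).
AD_HOSTS = [
    "aim-charts.pf.aol.com", "www.aim.com", "aim.aol.com", "ar.alwola.com",
    "www.empiremovies.com", "xlonhcld.xlontech.net",
]

# Constructed sample of an existing hosts file; one name is already blocked.
SAMPLE_HOSTS = (
    "# constructed sample hosts file\n"
    "127.0.0.1       localhost\n"
    "127.0.0.1 www.aim.com  # already blocked\n"
)

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def mapped_names(hosts_text):
    """Return {hostname: address} for every active (non-comment) entry."""
    mapped = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        for name in fields[1:]:                  # first field is the address
            mapped.setdefault(name.lower(), fields[0])
    return mapped

def add_blocks(hosts_text, names, sink="127.0.0.1"):
    """Append 'sink<TAB>name' lines for valid names not already mapped.

    Returns (new_text, added, skipped); running it twice changes nothing.
    """
    existing = mapped_names(hosts_text)
    added, skipped = [], []
    for raw in names:
        name = raw.strip().lower().rstrip(".")
        # Reject URLs, names with spaces, duplicates and existing entries.
        if not HOSTNAME_RE.match(name) or name in existing or name in added:
            skipped.append(raw)
        else:
            added.append(name)
    if not added:
        return hosts_text, added, skipped
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"                       # never glue onto a last line
    return hosts_text + "".join(f"{sink}\t{n}\n" for n in added), added, skipped

if __name__ == "__main__":
    print(add_blocks(SAMPLE_HOSTS, AD_HOSTS)[0])
```

Entries only match the exact name listed, so each subdomain needs its own line, and a client that connects by IP address is not affected by the hosts file at all.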