One of lawnsite's sponsors has a script...


topsites
05-10-2007, 12:36 AM
I'll let you in on which one it was but not sure if you want it made public...

Anyhow, I went to visit a sponsor's site and after a short time a popup came up, which I closed, then another and another shortly after... By the time I was done closing popups, all of my explorer windows were closed, including this one.

I re-started the explorer, and now every 30 seconds or so I'm getting a spam in the form of a popup, so something got installed on my PC via one of the sponsor sites. I think it even does it when all of my explorer windows are closed.

When I find out what this POS is I'll give more detailed info, I'll go find a spyware / adware scanner now.

topsites
05-10-2007, 12:44 AM
Ok, I just downloaded and ran Ad-Aware, and even with all explorer windows closed I'm still catching spam, though Ad-Aware detected (and thus removed) nothing... Before anyone dances a jig though, I hope you don't catch this annoyance, and whatever it is I would sure like to know how to remove it.

The ads appear to be coming from adfarm.mediaplex.com, that is not the sponsor's site, it is the sponsor's sponsor... Doing a google for 'adfarm mediaplex' turns up rather interesting results.

topsites
05-10-2007, 11:57 PM
Ok, after much research, the best I could figure out was this script is the dreaded explorer WMF image vulnerability... That's the closest I came to, based on symptoms and how it happened, I'm better than 90% sure that's what it was / is.

The conclusions I can draw are that the sponsor's site I visited was likely running a banner which contained the malicious image, AND the sponsor is likely unaware of this.

Successful exploitation allows execution of arbitrary code on a user's system by e.g. tricking the user to visit a malicious web site hosting a specially crafted WMF file, a user intentionally visiting a good site that is inadvertently hosting an infected banner, or via an email message containing a specially crafted attachment.

That is to say, I found a few trojan horses on my pc.

Ad-aware did eventually figure it out, but I had to use deeper than default scanning options, not a big deal all in all, just rather annoying. And yeah, it's fixed on my end.

Also, supposedly Microsoft did release a fix for this around January, but idk...

Well, I guess I can release the sponsor's site if someone contacts me via my site, I would still prefer not making this a public issue.

DLCS
05-11-2007, 12:19 AM
I would still prefer not making this a public issue.

So what is the point of going to the trouble of posting this if you aren't going to tell us which sponsor uses scripts? Now I'm afraid to go to any of the sponsors' websites, now see what you did. :laugh: Actually post who it is, we need to call this sponsor out onto the carpet. :clapping:

DLCS
05-11-2007, 12:20 AM
You sure it's a sponsor and not your own website, www.stonypointlawncare.com? :laugh:

LindblomRJ
05-11-2007, 09:45 AM
That is the reason I run Firefox 2.0 with Adblock and NoScript - I run what script I want to run.

So for me it's a non-issue.

topsites
05-11-2007, 09:56 AM
The site in question was mowpart's, and my pc looked like it was fixed until this morning, now it's spamming again... Until I finally close the Explorer as a process within the Task manager, then it finally stops.

I use Firefox, too, but this thing infects the explorer, an essential part of Windows, even with all explorer windows closed, if you open your task manager you can see an 'explorer.exe' (or 'Explorer.exe') running under Processes, that explorer!

You sure it's a sponsor and not your own website, www.stonypointlawncare.com? :laugh:

Yeah because my site doesn't have sponsors, much less rotating banner scripts.

Duekster
05-11-2007, 10:00 AM
http://www.safer-networking.org/

Spybot does a good job too. Many IT folks I know run both Ad-Aware and Spybot.

Also Spybot has a registry monitor and does not allow any registry changes unless you approve it.

Norton also does a great job on blocking pop-ups and ads. I see not a single ad on this site except the bobcat logo. I was not aware this site had so many banners on it until I turned off the ad blocker so I could see the link to the virtual tradeshow.

Vikings
05-11-2007, 07:56 PM
Spybot, but if you get something nasty that even cleaning the registry won't help, you should reformat.

Vikings
05-11-2007, 08:03 PM
Damn! A Firefox update erased all my bookmarks or I would have given you this link to a rootkit revealer as well as a place where you can copy/paste your report and it interprets your registry and points out nasty stuff, if you have it.

topsites
05-11-2007, 10:07 PM
Spybot, but if you get something nasty that even cleaning the registry won't help, you should reformat.

It's a brand-new hdd (no it isn't, but the Windows on it is), more likely than not that's what I'll do, but I'll start with a LLF (low level format), just been putting off the dreaded day-long affair.

Rizzo
05-11-2007, 11:01 PM
Use Avast along with Spybot and Ad-Aware... I have cleaned several people's computers where Norton failed by using these three pieces of software. Avast will do a boot scan before anything can start up on your computer, even Windows.

Duekster
05-12-2007, 02:46 PM
Nice thing about Spybot is that it does not allow registry changes. Maybe too late in this case but it does prevent future problems.