One of lawnsite's sponsors has a script...

Discussion in 'Questions, Rules, Suggestions' started by topsites, May 9, 2007.

  1. topsites

    topsites LawnSite Fanatic
    Posts: 21,653

    I'll let you in on which one it was but not sure if you want it made public...

    Anyhow, I went to visit a sponsor's site and after a short time a popup came up, which I closed, then another and another shortly after... By the time I was done closing popups, all of my explorer windows were closed, including this one.

    I re-started the explorer, and now every 30 seconds or so I'm getting a spam in the form of a popup, so something got installed on my PC via one of the sponsor sites. I think it even does it when all of my explorer windows are closed.

    When I find out what this POS is I'll give more detailed info, I'll go find a spyware / adware scanner now.
  2. topsites

    topsites LawnSite Fanatic
    Posts: 21,653

    Ok, I just downloaded and ran Ad-Aware, and even with all explorer windows closed I'm still catching spam, though Ad-Aware detected (and thus removed) nothing... Before anyone dances a jig though, I hope you don't catch this annoyance, and whatever it is I would sure like to know how to remove it.

    The ads appear to be coming from, that is not the sponsor's site, it is the sponsor's sponsor... Doing a google for 'adfarm mediaplex' turns up rather interesting results.
  3. topsites

    topsites LawnSite Fanatic
    Posts: 21,653

    Ok, after much research, the best I could figure out was this script is the dreaded explorer WMF image vulnerability... That's the closest I came to, based on symptoms and how it happened, I'm better than 90% sure that's what it was / is.

    The conclusions I can draw are that the sponsor's site I visited was likely running a banner which contained the malicious image, AND the sponsor is likely unaware of this.

    Successful exploitation allows execution of arbitrary code on a user's system by e.g. tricking the user to visit a malicious web site hosting a specially crafted WMF file, a user intentionally visiting a good site that is inadvertently hosting an infected banner, or via an email message containing a specially crafted attachment.

    That is to say, I found a few trojan horses on my pc.

    Ad-aware did eventually figure it out, but I had to use deeper than default scanning options, not a big deal all in all, just rather annoying. And yeah, it's fixed on my end.

    Also, supposedly Microsoft did release a fix for this around January, but idk...

    Well, I guess I can release the sponsor's site if someone contacts me via my site, I would still prefer not making this a public issue.
  4. DLCS

    DLCS LawnSite Platinum Member
    Posts: 4,378

    So what is the point of going to the trouble of posting this if you aren't going to tell us which sponsor uses scripts? Now I'm afraid to go to any of the sponsors' websites, now see what you did. :laugh: Actually post who it is, we need to call this sponsor out onto the carpet. :clapping:
  5. DLCS

    DLCS LawnSite Platinum Member
    Posts: 4,378

  6. LindblomRJ

    LindblomRJ LawnSite Silver Member
    Posts: 2,570

    That is the reason I run Firefox 2.0 with Adblock and NoScript - I run what script I want to run.

    So for me it's a non-issue.
  7. topsites

    topsites LawnSite Fanatic
    Posts: 21,653

    The site in question was mowpart's, and my pc looked like it was fixed until this morning, now it's spamming again... Until I finally close the Explorer as a process within the Task manager, then it finally stops.

    I use Firefox, too, but this thing infects the explorer, an essential part of Windows, even with all explorer windows closed, if you open your task manager you can see an 'explorer.exe' (or 'Explorer.exe') running under Processes, that explorer!

    Yeah because my site doesn't have sponsors, much less rotating banner scripts.
  8. Duekster

    Duekster LawnSite Fanatic
    from DFW, TX
    Posts: 7,961

    Spybot does a good job too. Many IT folks I know run both Ad-Aware and Spybot.

    Also Spybot has a registry monitor and does not allow any registry changes unless you approve them.

    Norton also does a great job of blocking pop-ups and ads. I see not a single ad on this site except the Bobcat logo. I was not aware this site had so many banners on it until I turned off the ad blocker so I could see the link to the virtual tradeshow.
  9. Vikings

    Vikings LawnSite Bronze Member
    from canada
    Posts: 1,667

    Spybot, but if you get something nasty that even cleaning the registry won't help, you should reformat.
  10. Vikings

    Vikings LawnSite Bronze Member
    from canada
    Posts: 1,667

    Damn! A Firefox update erased all my bookmarks or I would have given you this link to a rootkit revealer as well as a place where you can copy/paste your report and it interprets your registry and points out nasty stuff, if you have it.
