-- John Corliss BS206. I try not to reply to trolls like Andy Mabbett, Hummingbird or proteanthread. Because of Googlespam, I use NFilter to block all Google Groups posts from being displayed in my news reader. No ad, cd, commercial, cripple, demo, dotnet, nag, share, spy, time-limited, trial or web wares OR warez for me, please.
>What AV program are you using? I just opened it and didn't get anything,
>and I've gone to that site using several of the top AV programs in the last
>year. Adblock plus doesn't show any strange items and Siteadvisor.com
>gives it a clean rating.

>One thing I did notice this time is that even with javascript enabled, I
>couldn't get a menu on the pricelessware.org main page. All I saw was the
>banner.

>> See the warning thread I posted about it.
>I didn't see anything on the Prevx page that mentioned pricelessware.org.
>I also tried a Google newsgroup search for your thread and couldn't find
>it.
The prevx page doesn't mention pricelessware.org ... it describes the trojan that the website is infected with. I got that by googling one of the .exe files which were downloaded from the pricelessware.org site onto my computer.
Here's what I wrote in a new thread MID: Message-ID: <b734e4829ce5892822ed78928c4b8080@localhost.127.0.0.1>
<quote>
-----WARNING-----WARNING-----
It appears the OLD Pricelessware website has been compromised and infected with a trojan virus.
IF YOU SURF TO IT, IT WILL AUTO DOWNLOAD A BUNCH OF TROJANS/VIRUS EXECUTABLEs AND MAY INFECT YOUR COMPUTER.
Details of the trojan virus and what it does are here:
> I didn't see anything on the Prevx page that mentioned
> pricelessware.org. I also tried a Google newsgroup search for your
> thread and couldn't find it.
Your scans couldn't find anything.
Maybe Hummingbird picked up the virus while visiting porn sites?
>>> See the warning thread I posted about it.
>> I didn't see anything on the Prevx page that mentioned
>> pricelessware.org. I also tried a Google newsgroup search for your
>> thread and couldn't find it.
> Your scans couldn't find anything.
> Maybe Hummingbird picked up the virus while visiting porn sites?
Curiosity not being confined to cats, I had to have a go at it shortly after HB first posted his alert. My scanner also blocked some Java activity. I saw a reference to "gollum" go by, and a bunch of other redirections, and some Java junk got trapped before I canned it.
After doing a full system cleanse, I put pricelessware.org into my Untrusted Sites list and went back. Nothing happened then.
And I don't think it's got anything to do with pron sites, the only horny babe I've been looking at recently is this one:
>> Maybe Hummingbird picked up the virus while visiting porn sites?
> Curiosity not being confined to cats, I had to have a go at it
> shortly after HB first posted his alert. My scanner also blocked
> some Java activity. I saw a reference to "gollum" go by, and a
> bunch of other redirections, and some Java junk got trapped before
> I canned it.

> After doing a full system cleanse, I put pricelessware.org into my
> Untrusted Sites list and went back. Nothing happened then.

> And I don't think it's got anything to do with pron sites, the only
> horny babe I've been looking at recently is this one:
On Tue, 30 Oct 2007 10:04:09 -0700 'bluerhinoceros' wrote this on alt.comp.freeware:
>Curiosity not being confined to cats, I had to have a go at it shortly
>after HB first posted his alert. My scanner also blocked some Java
>activity. I saw a reference to "gollum" go by, and a bunch of other
>redirections, and some Java junk got trapped before I canned it.
Wow! You're braver than me, bluerhino! I only went there to check if it was working after someone posted that it wasn't working.
>After doing a full system cleanse, I put pricelessware.org into my
>Untrusted Sites list and went back. Nothing happened then.
I've now put it in my hosts file...never again.
I must say I'm rather puzzled as to why anyone would select that website to hack into and plant a complex trojan...hhmmm.
Anyway, I e-mailed the website hosters and reported it.
>And I don't think it's got anything to do with pron sites, the only
>horny babe I've been looking at recently is this one:
bluerhinoceros wrote:
> Curiosity not being confined to cats, I had to have a go at it shortly
> after HB first posted his alert. My scanner also blocked some Java
> activity. I saw a reference to "gollum" go by, and a bunch of other
> redirections, and some Java junk got trapped before I canned it.

> After doing a full system cleanse, I put pricelessware.org into my
> Untrusted Sites list and went back. Nothing happened then.
Also curious, I looked at the page source - copied below.
Susan, do you think it's a good idea still to be advertising the OLD pricelessware site in your signature, given that it's been hacked and contains a trojan virus?
> What's the easiest way to copy all of the files listed on the Prevx url
> into the search for files and folders, so that I can search for all of the
> files listed in one try. I seem to remember that a semicolon or some
> other punctuation mark.

> Shouldn't this kind of info about Pricelessware.org be discussed on
> Wilders? What good is Siteadvisor if they don't have an alert. Is there
> anyone at McAfee who even monitors that tool?
Hi hmmm:
Go to the bottom of the page where it says "...can also use the following file names".
Select them all (hold down the left mouse button and, starting at the top left of the first file name, go to the end of the last name). Let up the left button, right click the selection, select Copy.
Open Notepad, and paste in what you just copied. Make sure your cursor is at the very beginning of the text and click Edit -> Replace. Replace a single space with a comma followed by a space. Look for the string "DOCUMENTS, AND, SETTIN" and remove the two commas from it, but surround it with the double quotes so it looks exactly (quotes included) like
"DOCUMENTS AND SETTIN"
Select all text and right click -> Copy.
Open a command line. Change directories to the root of the drive, typically C:\
Type "dir " (no quotes, but remember the space). Click the top left black box icon in the title bar, move to Edit, select Paste.
If there's a trailing comma, backspace over it, add a space and "/s" (no quotes).
Hit enter.
You might also like to run it after adding " /a:h" and then " /a:s" at the end of the command line. (No quotes, but a leading space)
If you get tons of hits, repeat the command but add ">> c:\found.jnk" at the end of the line. When you're finished, c:\found.jnk will contain a reference to all the files found.
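The dir /s procedure above, done as a script instead of a pasted command line. This is an added example, not code from the post: it takes the same pasted name list (space- or comma-separated, with a multi-word name in double quotes), walks a tree without skipping hidden or system entries, and appends the hits to a report file the way ">> c:\found.jnk" does. The file names it searches for in the demo are constructed, not the names from the Prevx page, and the hypothetical helper names (parse_name_list, find_named_entries, write_report, build_sample_tree) are mine.

```python
"""Search a directory tree for a pasted list of file names (added example)."""
import fnmatch
import os
import shlex
import tempfile
from pathlib import Path


def parse_name_list(text):
    """Turn pasted text such as  '"DOCUMENTS AND SETTIN", a.exe, b.exe'  into
    a list of lower-cased names. shlex honours "double quotes", so a quoted
    multi-word entry stays one token; commas left over from the
    replace-space-with-comma step are stripped. (posix mode treats a backslash
    as an escape, which is fine for bare file names but not for full paths.)"""
    names = []
    for tok in shlex.split(text):
        tok = tok.strip(",").strip()
        if tok:
            names.append(tok.lower())
    return names


def find_named_entries(root, names, include_dirs=True):
    """Walk `root` and return every file (and, optionally, directory) whose
    base name matches one of `names`, case-insensitively, with dir-style
    * and ? wildcards. os.walk does not filter on Windows attributes, so
    hidden and system entries are seen, like dir /a:h and dir /a:s.
    Note: '[' is a pattern character for fnmatch; a literal '[' in a name
    would need escaping."""
    patterns = [n.lower() for n in names]
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        candidates = list(filenames) + (list(dirnames) if include_dirs else [])
        for entry in candidates:
            low = entry.lower()
            if any(fnmatch.fnmatchcase(low, p) for p in patterns):
                hits.append(os.path.join(dirpath, entry))
    return sorted(hits)


def write_report(hits, out_path):
    """Append the hits to a report file (the `>> c:\found.jnk` step).
    Returns the number of lines written."""
    with open(out_path, "a", encoding="utf-8") as fh:
        for h in hits:
            fh.write(h + "\n")
    return len(hits)


def build_sample_tree():
    """Create a throwaway directory with constructed file names (not real
    malware names) so the search can be demonstrated offline."""
    root = tempfile.mkdtemp(prefix="pw_demo_")
    deep = os.path.join(root, "Documents and Settin", "Temp")
    os.makedirs(deep)
    for rel in ("Dropped1.EXE", "harmless.txt", os.path.join(deep, "dropped2.exe")):
        Path(os.path.join(root, rel)).touch()
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    wanted = parse_name_list('"DOCUMENTS AND SETTIN", dropped1.exe, dropped2.exe')
    found = find_named_entries(demo_root, wanted)
    for path in found:
        print(path)
    print(write_report(found, os.path.join(demo_root, "found.txt")), "entries written")
```

For a real drive, call find_named_entries("C:\\", parse_name_list(pasted_text)) and run it as an account that can read the whole disk. A name match is a weak indicator in both directions: a dropper can be renamed to anything, so an empty result is not a clean bill, and a common name such as a Windows directory will match legitimate entries that then need to be judged by location and date, which is what the file-manager sort-by-date approach elsewhere in this thread does.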
>> My scanner also blocked some Java
>> activity. I saw a reference to "gollum" go by, and a bunch of other
>> redirections, and some Java junk got trapped before I canned it.

>> After doing a full system cleanse, I put pricelessware.org into my
>> Untrusted Sites list and went back. Nothing happened then.

> What scanner and "cleanser" did you use? This internet is becoming so germ
> filled that they'll have to start injecting Comet Cleanser and Lysol into
> the security programs soon.
Hi hmmm:
I'm using Avira Antivir Personal Edition Classic. I also use Prevx 2.0, but it didn't notice anything, presumably because AntiVir was earlier in the food chain.
I then used Avira to scan the whole drive, followed by a reboot, another sweep and a going over with Prevx, Spybot and AdAware for good measure.
I have Returnil installed, and had I thought about it, I'd have turned on sandbox mode before going to a known nasty site, but it was late and I was tired... :-)
>> My scanner also blocked some Java
>> activity. I saw a reference to "gollum" go by, and a bunch of other
>> redirections, and some Java junk got trapped before I canned it.

>> After doing a full system cleanse, I put pricelessware.org into my
>> Untrusted Sites list and went back. Nothing happened then.

> What scanner and "cleanser" did you use? This internet is becoming so germ
> filled that they'll have to start injecting Comet Cleanser and Lysol into
> the security programs soon.
If you surf using the free "Returnil" or "sandboxie" none of this would bother your machine:)
>What's the easiest way to copy all of the files listed on the Prevx url
>into the search for files and folders, so that I can search for all of the
>files listed in one try. I seem to remember that a semicolon or some
>other punctuation mark.
Do you mean do a search on your local machine?
If so, I dunno because I use my payware file manager and it listed the bad files in about 5 secs because I have files sorted by date in descending order, so the trojan .exe files all appeared at the top of the list and I immediately saw them there. That allowed me to rename them all, reboot and search for other items like the reg key it created and then run a few av apps.
Notably, Spybot S&D found nothing even with the latest updates running and AdAware only found the bad reg key.
I guess it took me about 1 hour and three reboots to recover. No damage done. I caught it in good time.
Today, I put all the bad files through jotti but only about 40% of their virus scans found the trojans in them, notably Kaspersky and F-whatsit. I am not impressed :-(
>Shouldn't this kind of info about Pricelessware.org be discussed on
>Wilders? What good is Siteadvisor if they don't have an alert. Is there
>anyone at McAfee who even monitors that tool?
Dunno, I posted the alert to warn other ACF-ers and possibly that someone might know how to deal with it. I also sent urgent e-mail to the website hoster today - so far no response. It needs taking down and fixing pronto.
> >What AV program are you using? I just opened it and didn't get
> >anything, and I've gone to that site using several of the top AV
> >programs in the last year. Adblock plus doesn't show any strange
> >items and Siteadvisor.com gives it a clean rating.

> >One thing I did notice this time is that even with javascript
> >enabled, I couldn't get a menu on the pricelessware.org main page.
> >All I saw was the banner.
No, it's not. It links to about a hundred other sites behind your back and one of them may or may not try to send you that file (I saw no such thing in a full packet capture), but it's not "infected" with anything.
> See the warning thread I posted about it...
Inaccurate warnings from people who don't know what they're talking about are as useless as no warnings at all. Next time you run up against something you don't understand, please don't just guess. Ask politely and an expert will explain it to you.
>> >What AV program are you using? I just opened it and didn't get
>> >anything, and I've gone to that site using several of the top AV
>> >programs in the last year. Adblock plus doesn't show any strange
>> >items and Siteadvisor.com gives it a clean rating.

>> >One thing I did notice this time is that even with javascript
>> >enabled, I couldn't get a menu on the pricelessware.org main page.
>> >All I saw was the banner.
Yes it is. I got caught with it last night. I Googled some of the files and that's what it came up with.
And your next trick.............. is..............?
>It links to about a hundred other sites behind your back
>and one of them may or may not try to send you that file (I saw no such
>thing in a full packet capture), but it's not "infected" with anything.
Wrong. Do try to keep up at the back.
If you read elsewhere in this thread, you will see that someone grabbed a raw copy of the front page from the pl.org site and it contains a website address (unrelated to pricelessware.org) which is hosted in Malaysia. That is probably where users are having the trojan files downloaded from without knowing. So there appears to be only one redirection but I'm not too fussed about it. That is consistent with what happened to my ISP 6 months ago when Russian criminals hacked into their webmail service and diverted users to *their* website address to download trojans.
>> See the warning thread I posted about it...

>Inaccurate warnings from people who don't know what they're talking
>about are as useless as no warnings at all. Next time you run up
>against something you don't understand, please don't just guess. Ask
>politely and an expert will explain it to you.
On Tue, 30 Oct 2007 15:59:45 -0700 'bluerhinoceros' wrote this on alt.comp.freeware:
>Hi hmmm:
>I'm using Avira Antivir Personal Edition Classic. I also use Prevx 2.0,
>but it didn't notice anything, presumably because AntiVir was earlier in
>the food chain.

>I then used Avira to scan the whole drive, followed by a reboot, another
>sweep and a going over with Prevx, Spybot and AdAware for good measure.
See my comments about Spybot and AdAware. Neither picked up the trojan files on my HDD.
>I have Returnil installed, and had I thought about it, I'd have turned
>on sandbox mode before going to a known nasty site, but it was late and
>I was tired... :-)
Susan Bugher wrote:
> bluerhinoceros wrote:
>> Curiosity not being confined to cats, I had to have a go at it shortly
>> after HB first posted his alert. My scanner also blocked some Java
>> activity. I saw a reference to "gollum" go by, and a bunch of other
>> redirections, and some Java junk got trapped before I canned it.

>> After doing a full system cleanse, I put pricelessware.org into my
>> Untrusted Sites list and went back. Nothing happened then.
> Also curious, I looked at the page source - copied below.
<q>
Security Product: AVG 7.5.485
Version: 7.5.485
Windows: Windows XP Home Service Pack 2 (Build 2600) 32bit
Scans: 1 (First Scan: Oct 31 4:13 UCT; Last Scan: Oct 31 4:17 UCT)
Files Checked: 2,780
Bad Files: 0
Your Computer Status: CLEAN
</q>
> >> >What AV program are you using? I just opened it and didn't get
> >> >anything, and I've gone to that site using several of the top AV
> >> >programs in the last year. Adblock plus doesn't show any strange
> >> >items and Siteadvisor.com gives it a clean rating.

> >> >One thing I did notice this time is that even with javascript
> >> >enabled, I couldn't get a menu on the pricelessware.org main page.
> >> >All I saw was the banner.

> Yes it is. I got caught with it last night.
> I Googled some of the files and that's what it came up with.
> And your next trick.............. is..............?
> >It links to about a hundred other sites behind your back
> >and one of them may or may not try to send you that file (I saw no
> >such thing in a full packet capture), but it's not "infected" with
> >anything.
> Wrong. Do try to keep up at the back.
> If you read elsewhere in this thread, you will see that someone
> grabbed a raw copy of the front page from the pl.org site and it
> contains a website address (unrelated to pricelessware.org) which is
> hosted in Malaysia.
Yes, dimbulb, that's exactly what I said.
And the site isn't infected with anything, even if it does try to drop files. You apparently don't even understand the basic lexicography, let alone the problem in any depth.
> That is probably where users are having the
> trojan files downloaded from without knowing. So there appears to
> be only one redirection but I'm not too fussed about it. That is
More like 60. I counted 66 to be exact, and snaked them all. There's a whole lot more to be concerned with than amateurish .exe link exploits on that page. So whoever "grabbed the front page" needs to learn a little bit more about what they're doing too.
> consistent with what happened to my ISP 6 months ago when Russian
> criminals hacked into their webmail service and diverted users to
> *their* website address to download trojans.
That's UPload. And sites offering trojans for download aren't "infected" no matter where they are or how many they offer.
> >> See the warning thread I posted about it...

> >Inaccurate warnings from people who don't know what they're talking
> >about are as useless as no warnings at all. Next time you run up
> >against something you don't understand, please don't just guess. Ask
> >politely and an expert will explain it to you.
> It won't be you then, will it.
Seems to be working well so far this time. If you weren't so thick this conversation would already be over. But I have to keep correcting you and going over the same material. :(
>>>> My scanner also blocked some Java
>>>> activity. I saw a reference to "gollum" go by, and a bunch of other
>>>> redirections, and some Java junk got trapped before I canned it.

>>>> After doing a full system cleanse, I put pricelessware.org into my
>>>> Untrusted Sites list and went back. Nothing happened then.

>>> What scanner and "cleanser" did you use? This internet is becoming
>>> so germ filled that they'll have to start injecting Comet Cleanser
>>> and Lysol into the security programs soon.
>> Hi hmmm:

>> I'm using Avira Antivir Personal Edition Classic. I also use Prevx
>> 2.0, but it didn't notice anything, presumably because AntiVir was
>> earlier in the food chain.

>> I then used Avira to scan the whole drive, followed by a reboot,
>> another sweep and a going over with Prevx, Spybot and AdAware for good
>> measure.

>> I have Returnil installed, and had I thought about it, I'd have turned
>> on sandbox mode before going to a known nasty site, but it was late
>> and I was tired... :-)

>> Cheers.

> I have Avira Antivir PE Premium (free three month trial) with a firewall,
> and I use Firefox with the Adblock Plus extension. I also use the free
> anti-spyware programs you mentioned above, plus A-squared, Super
> Antispyware, and AVG Anti-spyware (all free versions) less Prevx.

> I didn't get any alerts, however. It seems that I used to get more site
> alerts when I had Avast installed, and I have Antivir's heuristics set to
> high. I also used to have Winpatrol installed plus a few others. I
> might install Spyware Terminator soon. Do you prefer Returnil over
> Sandboxie?

> Has anyone actually experienced any problems relating to
> Pricelessware.org?
It's all over now, somebody fixed something either there or at that iframe URL. For what it's worth, a Google cached page from Oct 28 shows different data being passed to that php script than now, commented out.
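Several people in this thread looked at the raw front-page source by hand and found an iframe pointing at a php script on a host unrelated to pricelessware.org, and the post above notes that the cached copy shows the same script with different data, commented out. The check below is an added example of doing that inspection automatically on a saved copy of a page; it is not code from the thread or from the site. The HTML it parses is constructed to imitate that pattern, using documentation and test-net addresses (old-host.example, ads.example, 203.0.113.7) rather than the real injected address, and the helper names (scan_page, suspicious, EmbedFinder) are mine.

```python
"""List framed and scripted resources in saved page source and flag
off-site iframes, including hidden and commented-out ones (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page source, not the real pricelessware.org front page:
# a same-host menu script, a commented-out iframe left over from a
# clean-up, a live 1x1 display:none iframe pulling a .php loader from
# an unrelated host, and an ordinary off-site ad script.
SAMPLE_HTML = """<html><head><title>Sample front page</title>
<script src="/js/menu.js"></script></head>
<body><img src="banner.gif" alt="banner">
<!-- <iframe src="http://old-host.example/loader.php?id=1" width="0" height="0"></iframe> -->
<iframe src="http://203.0.113.7/count.php?v=2" width="1" height="1" style="display:none"></iframe>
<script src="http://ads.example/ad.js"></script>
</body></html>"""

EMBED_TAGS = {"iframe", "frame", "script", "object", "embed"}


def _is_hidden(attrs):
    """True for the usual ways an injected iframe is kept out of sight."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    for dim in (attrs.get("width"), attrs.get("height")):
        if dim is not None and dim.strip().lower().rstrip("px") == "0":
            return True
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return re.search(r"(width|height):0(px)?(;|$)", style) is not None


class EmbedFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in EMBED_TAGS:
            self._record(tag, {k: (v or "") for k, v in attrs}, in_comment=False)

    def handle_comment(self, data):
        # A commented-out iframe is not live, but it is exactly what a
        # half-finished clean-up looks like, so it is reported as well.
        for m in re.finditer(r"<(iframe|script)\b([^>]*)>", data, re.I):
            raw = re.findall(r"(\w+)\s*=\s*[\"']?([^\"'\s>]*)", m.group(2))
            self._record(m.group(1).lower(), {k.lower(): v for k, v in raw}, in_comment=True)

    def _record(self, tag, attrs, in_comment):
        src = attrs.get("src") or attrs.get("data")
        if not src:
            return  # inline script/object: no host to attribute it to
        # A relative src (or protocol-relative without a host) stays on the site itself.
        host = (urlparse(src).hostname or self.site_host).lower()
        self.findings.append({
            "tag": tag, "src": src, "host": host,
            "off_site": host != self.site_host,
            "hidden": _is_hidden(attrs),
            "in_comment": in_comment,
        })


def scan_page(html, site_host):
    """Return every framed/scripted resource in `html` and where it points."""
    parser = EmbedFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def suspicious(findings):
    """Off-site iframes, hidden or not, are the ones to chase. Off-site
    scripts are listed but not flagged here, since ad and counter scripts
    are routine on a site like this; judge them by host."""
    return [f for f in findings if f["off_site"] and f["tag"] in ("iframe", "frame")]


if __name__ == "__main__":
    for f in scan_page(SAMPLE_HTML, "pricelessware.org"):
        flag = "SUSPECT" if suspicious([f]) else "ok     "
        notes = [n for n, on in (("hidden", f["hidden"]), ("commented out", f["in_comment"])) if on]
        print(flag, f["tag"], f["host"], ", ".join(notes), f["src"])
```

Fetch the page with a non-rendering client (curl or wget from a sandboxed machine) and pass the saved file to scan_page(open("index.html").read(), "pricelessware.org"). A clean result means only that this copy carries no off-site frame: injected content is often served selectively by referrer or user-agent, or swapped for obfuscated inline script, so a packet capture of what a real browser loads, as one poster did, remains the stronger test.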
> On Tue, 30 Oct 2007 15:59:45 -0700 'bluerhinoceros'
> wrote this on alt.comp.freeware:

> >Hi hmmm:

> >I'm using Avira Antivir Personal Edition Classic. I also use Prevx
> >2.0, but it didn't notice anything, presumably because AntiVir was
> >earlier in the food chain.

> >I then used Avira to scan the whole drive, followed by a reboot,
> >another sweep and a going over with Prevx, Spybot and AdAware for
> >good measure.

> See my comments about Spybot and AdAware. Neither picked up the
> trojan files on my HDD.

> >I have Returnil installed, and had I thought about it, I'd have
> >turned on sandbox mode before going to a known nasty site, but it
> >was late and I was tired... :-)