grinler

Sites that Install Spyware, Hijackers or Dialer

46 posts in this topic

Hey all. I am trying to compile a list of sites that are known to actually install the spyware, hijackers, or dialers. I especially want to find sites/programs that install the new versions of Look2Me/VX BetterInternet or coolwebsearch.

 

This way I can get my VMware machine infected and create procedures on removing these parasites.

 

If you know of any sites, please let me know.

 

Thanks again.


Yes, but a lot of these domains are dead or do not install from there.

 

I am looking for sites and software that are known to definitely still be installing spyware, and what spyware it is that they install.

Edited by grinler


Well, even if it is known to install, it's not always going to install. It's hit or miss in many places.


True, but if I knew the sites or specific software that installed a specific malware, I would eventually get myself infected by clicking on everything and installing everything they offer :)


Isn't it ironic! A huge number of people come here at wits end and need help ridding their computer of malware, and here you are trying to get infected! :blink::D

 

Shellsworld


Errorspace domains tell you to download their "uninstall program" (a .exe file). I don't want to find out what it does, but I do know that it DOESN'T uninstall it.


I'm actually trying to do the same thing. Specifically I'm trying to find the about:blank variant that puts itself into the appinit_dlls so I can experiment with removal.


I really tried to track down where I had gotten my major CWS infection a month ago. It should have been easy because a bunch of crap truly did all start flooding in at one point. I think I know what it did to trick me into allowing it to do this, but I don't know where the initial window came from. There were no Web sites that were outside my ordinary "haunts", and no sites I would have thought would be a problem. I had recently been both to www.survivornews.net, and www.zone.msn.com, which are the sites where I had a lot of popups being killed. But I don't have any evidence that these sites were responsible.

 

The history has expired, or I would give you a list of where I went on that day.

 

I think this is one of the reasons these nasties are so successful - it's really hard to tell where they came from.

Isn't it ironic! A huge number of people come here at wits end and need help ridding their computer of malware, and here you are trying to get infected!

 

I know how he feels. When I was creating my SPAM FILTER, I had to SOLICIT a lot of spam to test it with. I posted on a popular e-mail forum asking for people to give me their old, useless, spam-filled POP3 accounts. I got laughed at.

 

Jerry


Well, I have heard it all now, people willing to get infected. My hat comes off to you all. Where would us mere mortals be without you lot to clean up the pieces. Personally I would like to know how to tell an infected item from another normal one, but I don't know enough about it all yet.


It comes with experience. ;)

On that note, I'm still trying to find this elusive about:blank that infests itself into the appinit_dlls. If anyone would fess up where they've been when they got it I'd be grateful. :)

Edited by d4vr0s


I have read a lot about "about blank", but how does it show itself? Is it just a blank browser? Does it call itself About Blank? It is just that some members choose the blank setting for their browser, and if I read it right, some removal programs were detecting this as hostile.


A bunch of references similar to this in your hjt log is a dead give-away:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gfgb.dll/sp.html (obfuscated)

The dll is randomly generated, it hooks into explorer.exe so just removing it with hjt doesn't work.

McAfee antivirus might show it as the StartPage-CZ trojan too; it has here on one occasion.

Edited by d4vr0s

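An added example of the give-away d4vr0s describes, written for this thread rather than taken from it or from HijackThis: a small Python scanner that reads HijackThis-style log lines, flags IE start/search settings that are served out of a local DLL through res://, flags DLLs registered under AppInit_DLLs (HijackThis's O20 section), and correlates the two by DLL path. The log is constructed for the demo; the first R1 line has the shape quoted above, and the other lines, the DLL names and the about:blank start page are assumptions. It also shows the caveat raised later in the thread: a plain about:blank start page is a user setting and is not flagged on its own.

```python
import re
from dataclasses import dataclass

# Constructed HijackThis-style log for the demo (not a real log). The first R1
# line has the shape quoted in the thread; everything else is made up, and the
# DLL names are placeholders.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gfgb.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\System32\kqwe.dll/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O20 - AppInit_DLLs: C:\WINDOWS\System32\gfgb.dll
"""

# R0/R1 lines: "<section> - <registry key>,<value name> = <value>"
R_LINE = re.compile(r"^(?P<section>R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
# A value that serves IE's start/search page out of a resource inside a local DLL.
RES_DLL = re.compile(r"^res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)
# O20 is HijackThis's section for the AppInit_DLLs registry value.
O20_LINE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")


@dataclass
class Finding:
    line: str    # the log line that triggered the finding
    reason: str  # why it is suspicious
    dll: str     # the DLL path involved


def scan_hjt_log(log_text: str) -> list:
    """Return one Finding per suspicious R0/R1 or O20 line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            # HijackThis appends "(obfuscated)" when it had to decode the value.
            value = m.group("value").replace("(obfuscated)", "").strip()
            dm = RES_DLL.match(value)
            if dm:
                reason = "IE %s served from a local DLL via res://" % m.group("name").strip()
                findings.append(Finding(line, reason, dm.group("dll")))
            # about:blank or an ordinary http:// URL on its own is a normal user setting.
            continue
        m = O20_LINE.match(line)
        if m:
            # AppInit_DLLs entries may be separated by spaces or commas.
            for dll in re.split(r"[,\s]+", m.group("dlls").strip()):
                findings.append(Finding(line, "DLL loaded into every process that loads user32.dll via AppInit_DLLs", dll))
    return findings


def correlate_by_dll(findings: list) -> dict:
    """Group reasons by DLL path (case-insensitive) so a DLL that is both the
    res:// target and an AppInit_DLLs entry is reported once with both reasons."""
    by_dll = {}
    for f in findings:
        by_dll.setdefault(f.dll.lower(), []).append(f.reason)
    return by_dll


if __name__ == "__main__":
    for dll, reasons in correlate_by_dll(scan_hjt_log(SAMPLE_LOG)).items():
        print(dll)
        for r in reasons:
            print("  -", r)
```

A DLL that shows up with both reasons is the pattern the post describes: the search page is served out of the DLL, and the same DLL is loaded into every process, which is why deleting the log line alone does not remove it.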

Remember - do not install spyware on your main PC. You need a test platform for that.

Well, I have heard it all now, people willing to get infected. My hat comes off to you all. Where would us mere mortals be without you lot to clean up the pieces. Personally I would like to know how to tell an infected item from another normal one, but I don't know enough about it all yet.

 

I have to agree w/ jasper I don't know how slow my pc would be without people doing stuff like this.


I suppose this is similar to a "HoneyPot" or "HoneyNet"...where the user allows backdoors etc, to enter the system - in order to observe how they operate, thus being able to understand the natures of the malware itself, and also how to defend against such on a typical computer system.


Grinler,

 

Like you, I too am seeking sites that install spyware, particularly the VX2 variants.

 

Although I already know how to detect and clean these off of systems, I've set up a "Sitting Duck" system to re-infect over and over to find which programs will block the installation in the first place. All I need now are infecting sites.

 

Once systems are infected with this insidious stuff, none of the current common spyware utilities can detect or clean the system "completely" because of the Hidden / Read Only .dll's installed that an admin of the system cannot see or take ownership of. I have used Spybot, Spykiller, Ad-Aware, CWshredder, etc. They will clean the symptoms, but they cannot see the "hidden" .dll's either, and therefore cannot clean the infected system completely.

 

I want to find out if some of the above products will at least block the dll's from being dropped onto the hard drive if any are installed and active prior to infection.

 

If you or anyone else has a list of infecting sites yet, I'd love to hear from you.

-R

Edited by stryder


I don't know sites that install spyware without you noticing, but I do know that a lot of ROM/emulation and video game cheat sites try to force you into installing something by bringing up an annoying pop-up saying "YOU MUST CLICK YES TO VIEW THIS SITE!". These pop-ups won't go away unless you click yes, and the only other ways out are to say no and click the back button really quickly or to bring up Task Manager and end your web browser.

 

{EDIT}Of course, porn sites install dialers.

Edited by TheAlmightyButter


I want to find out if some of the above products will at least block the dll's from being dropped onto the hard drive if any are installed and active prior to infection.

 

If you or anyone else has a list of infecting sites yet, I'd love to hear from you.

-R

If you have a test box and would like to see something that stops hidden dll's from being installed and you have an NTFS file system, try going to a site like yahoogamez.com from a limited user account. If you use monitoring tools like regmon and filemon you can see what the site tries to install without getting infected. If you are looking for an about blank hijack try lomalka.com. It will give you a trojan and hijack you to a site that wants to scan your computer for malware. young-exotic.com is still an active CWS hijack site as of yesterday.

 

Good luck.

 

Gary

 

P.S. If you want to see which dll get installed after an infection try MyNetWatchman's SecCheck. Take a snapshot before and after then you will be able to compare what modules have been loaded after an infection.

Edited by shoreg

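The before/after comparison shoreg suggests in the P.S., as an added example written for this thread (it is not the thread's code and not SecCheck's own output): two constructed snapshots of loaded modules in an assumed "process<TAB>module" format, a diff that lists what each process loaded after the infection that it had not loaded before, and a second pass that singles out new modules that turned up in several processes at once, the footprint of system-wide injection such as AppInit_DLLs rather than of a DLL one program loaded on demand. The DLL names are placeholders, and shdocvw.dll is included as a constructed example of a legitimate module that also appears only in the "after" snapshot.

```python
from collections import defaultdict

# Constructed before/after snapshots of loaded modules, one "process<TAB>module"
# line each. The format is assumed for the demo, not SecCheck's real output, and
# the DLL names are placeholders.
BEFORE = (
    "explorer.exe\tC:\\WINDOWS\\explorer.exe\n"
    "explorer.exe\tC:\\WINDOWS\\System32\\ntdll.dll\n"
    "explorer.exe\tC:\\WINDOWS\\System32\\user32.dll\n"
    "iexplore.exe\tC:\\Program Files\\Internet Explorer\\iexplore.exe\n"
    "iexplore.exe\tC:\\WINDOWS\\System32\\ntdll.dll\n"
    "iexplore.exe\tC:\\WINDOWS\\System32\\user32.dll\n"
)
AFTER = BEFORE + (
    "explorer.exe\tC:\\WINDOWS\\System32\\gfgb.dll\n"
    "iexplore.exe\tC:\\WINDOWS\\System32\\gfgb.dll\n"
    "iexplore.exe\tC:\\WINDOWS\\System32\\kqwe.dll\n"
    "iexplore.exe\tC:\\WINDOWS\\System32\\shdocvw.dll\n"  # legitimate module loaded on demand
)


def parse_snapshot(text):
    """Map each process name to the set of module paths it had loaded (case-folded)."""
    modules = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        process, module = line.split("\t", 1)
        modules[process.lower()].add(module.lower())
    return modules


def new_modules(before_text, after_text):
    """Per process, the modules present in the 'after' snapshot but not in 'before'."""
    before = parse_snapshot(before_text)
    after = parse_snapshot(after_text)
    added = {}
    for process, mods in after.items():
        diff = mods - before.get(process, set())
        if diff:
            added[process] = diff
    return added


def loaded_into_multiple_processes(added, minimum=2):
    """New modules that appeared in several unrelated processes at once. A DLL a
    single program pulled in on demand shows up in one process; a DLL pushed into
    everything (e.g. via AppInit_DLLs) shows up across the board."""
    hosts = defaultdict(set)
    for process, mods in added.items():
        for m in mods:
            hosts[m].add(process)
    return {m: procs for m, procs in hosts.items() if len(procs) >= minimum}


if __name__ == "__main__":
    added = new_modules(BEFORE, AFTER)
    for process, mods in sorted(added.items()):
        print(process)
        for m in sorted(mods):
            print("  +", m)
    print("loaded into several processes:", sorted(loaded_into_multiple_processes(added)))
```

The per-process diff is the raw list to work through by hand; the cross-process view is the short list to look at first, since the hidden DLLs the thread is about are exactly the ones that appear everywhere.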

You saying you want to get infected with spyware?

Go to www.keygen.us and download any of the cracks there and you will get infected with XXX Toolbar, no kidding. It will prompt you if you want to install it!


I don't think that counts, seeing as how it prompts you to install it. I know all too well what you experience at that site and others like it. For what you're looking for on those sites, simply declining those prompts and clicking "Yes" is nothing.

 

Again, I'm not sure if this counts, since it's not spyware or adware specifically, but stay away from w*w.crackz.ws. Last I heard, it was infecting many people with a certain (or I think many) virus. Sorry, I forgot the name though, and I don't plan on finding out first hand.

 

Please forgive me if I have done anything wrong, for this is my first post.


I'm also hunting for a list of sites that install spyware. If anyone knows of a way to get a collection of spyware, please let me know. I'm analyzing spyware in VMware also and hoping to come up with ways to stop it :techsupport:

 

Grinler and Stryder, some of the following sites install VX2.ABetterInternet and CoolWebSearch (CWS) if y'all are still interested in them.

 

Here's a list of some sites I found and what spyware (PestPatrol names) they install. The popup ActiveX window will prompt you to click "Yes" before it installs.

 

NOTE: If you want the site to infect you without the prompt showing up, you can go to IE, click Tools > Internet Options. Then go to the "Security" tab and click "Custom Level." Change "Download signed ActiveX controls" to "Enable."

 

DO NOT GO TO THESE SITES UNLESS YOU WANT TO GET INFECTED WITH SPYWARE

accessplugin.com

AccessPlugin(Dialer)

 

http://sex-true.com

CWS(Hijacker)

 

bomb-mp3.com

TopRebates(Adware), ISTbar(Hijacker), DyFuCA.Internet Optimizer(BHO), VX2.ABetterInternet(BHO), Twain-Tech(BHO), Trojan.Win32.Revop.c(Trojan), IPInsight(BHO), IBIS Toolbar(Search Hijacker), BlazeFind(Hijacker), BargainBuddy(Adware), Ucmore(Toolbar), SpediaBar(Adware), MoneyTree.DyFuCA(Dialer), MoneyTree(Dialer), HuntBar(Hijacker), DyFuCA(BHO), BlazeFind.variant(Hijacker), Adware.Binet(Adware), ABetterInternet(Adware)

 

cometcursors.com/download.asp

CometSystems(Adware), OrbitExplorer(Adware), Egroup(Adware), CometCursor(Adware), Xupiter.Orbitexplorer(Homepage Hijacker)

 

dailytoolbar.com

DailyToolbar(Toolbar)

 

http://www.dotcomtoolbar.com/default.htm

DotCom Toolbar(Homepage Hijacker), EasyWWW(Adware), ISTbar(Hijacker), HitHopper(Adware), CWS.GonnaSearch(Search Hijacker), 2020Search(BHO)

 

downloads-mp3.net

Powerscan(Adware), ISTbar.XXXToolbar(Hijacker), ISTbar(Hijacker), DyFuCA.Internet Optimizer(BHO), VX2.ABetterInternet(BHO), SpediaBar(Adware), MoneyTree.DyFuCA(Dialer), MoneyTree(Dialer), HitHopper(Adware), DotCom Toolbar(Homepage Hijacker), CWS.GonnaSearch(Search Hijacker), Adware.Binet(Adware), ABetterInternet(Adware)

 

erosconnect.com

Egroup(Dialer)

 

http://exactsearchbar.com/download.htm?

ExactSearchBar(BHO)

 

http://ezula.com/TopText/autoload.asp

Ezula TopText(Adware), WebHancer(Spyware)

 

http://freescratchandwin.com/download.html

FreeScratchAndWin(BHO), Scratch and Win(Adware), 2nd Thought(Adware)

 

 

Hope this helps!

 

Bob

bob_hermit@hotmail.com


Well, last year the computers at my school were so infected with spyware that the students were desperate to get rid of it all. All the computers had McAfee but it wasn't doing anything, so I suggested AVG instead. A kid sitting next to me asks for the website, but I had forgotten it. The actual website is Grisoft.com, but I said "Griftsoft.com or something like that." Well, he went to it, and it turns out it was a spyware site that brought up popups, and advertised a fake spyware remover. I don't know if it's still there, and I never hear of it. I don't think Spyware Blaster or anyone else knows of it. You could check it out if you want.


The worst site I've found for spyware is catsss.da.ru

This will start opening more offensive sites until your system runs out of resources.

I've gotten various infections from the sites it goes to.

 

This site is not for the faint hearted. It will severely infect a system.

Edited by d4vr0s


Try www.cracks.ws or www.crackz.ws or something like that. It installs XXX toolbar, though I was using IE-SPYAD and didn't get infected. Download any of the cracks.


WARNING, GOING TO THESE SITES WILL INSTALL MALWARE ON YOUR COMPUTER. DO NOT VISIT THESE SITES!!!!!!!!!!!! :alarm:

 

 

Here are some sites that have been confirmed by Spyware Blaster to be filled with malware.

 

 

www.xxxtoolbar.com

 

www.xupiter.com

 

www.sexdialer.com

 

www.lop.com

 

www.look2me.com

 

www.myfreecursors.com

 

www.search-to-find.com

 

www.uni-porn.com

 

 

 

There's lots more, but those are just a few. If you still want more malware, go to roms and warez sites and visit porn sites.


Use Opera and you won't have a problem. With my browser configuration and my firewall, I can go to any of these sites unscathed. :cool:

Use Opera and you won't have a problem. With my browser configuration and my firewall, I can go to any of these sites unscathed. :cool:

Firefox also! :D


Here's one for you.

www.pictureheaven.com

 

Drops a .exe trojan on you, if you have IE.

Doesn't work with Firefox, of course.


Well, if you want to get infected, do what I used to do (but now stopped because of the infectiony stuff): just go to something like AltaVista and do a video search on various porn and download some videos. I swear I did that for 2 minutes and got CWS.


I got BargainBuddy, ClearSearch, PlaybingoOnline and others on

wunderground.com, a weather information site!

 

Do you think complaining to the site's webmaster would help?


My kids (and all their friends) downloaded Messenger Plus; this was thrust upon them upon visiting launch.com. All these people, including me, were instantly loaded with the most diabolical selection of spy/malware, toolbars, changed home pages, desktop icons etc.

 

This Messenger Plus really p****es me off, as it's badged like a Microsoft add-on but isn't. What it is, is disgraceful.

Who are Patchou anyway??


Messenger Plus was created by Patchou, and he is a partner of the wicked spyware company called Lop.com.

 

Google that name and see how many results you get...

 

Here's a couple of Webhelper reports on it:

http://www.spywarewarrior.com/viewtopic.php?t=2413

http://forums.maddoktor2.com/index.php?showtopic=505

Edited by Moore


I did a test on CoolWebSearch, well, a test to get infected by it. The only thing I had running was a webpage linked to CGI-run adverts; within 10 minutes my system was infected with CoolWebSearch.

 

I did another test and went to a forum that I know displays CGI adverts at the top of the page, and got infected with the CoolWebSearch spyware. I asked about the adverts they used, and they said they only used adverts supplied by google.com. The forum is a privately run forum for mod builders.

 

So if CoolWebSearch is being loaded now by CGI adverts, have they changed the way it's now deployed? And if it is adverts that deploy this spyware, is there a legal corporation behind the spyware? The CoolWebSearch embedded adverts trace back to Atrivo Technology, operating out of San Francisco, CA.

I did another test and went to a forum that I know displays CGI adverts at the top of the page, and got infected with the CoolWebSearch spyware. I asked about the adverts they used, and they said they only used adverts supplied by google.com. The forum is a privately run forum for mod builders.

 

So if CoolWebSearch is being loaded now by CGI adverts, have they changed the way it's now deployed? And if it is adverts that deploy this spyware, is there a legal corporation behind the spyware? The CoolWebSearch embedded adverts trace back to Atrivo Technology, operating out of San Francisco, CA.


 

Well, I believe Google is not doing this, but an ad source that goes by the name Falkag.net has been known to install spyware. But this was likely much earlier, back in 2002, that I was probably infected by the CWS variant, but in return I had a program called Go Back which, after I restored an older date before the installation, in other words it was no longer on my system. But I know for sure that Falkag may provide certain advertising that would be in Cool Web's area of course, and that is just the only thought I can come up with at this time.

Edited by ChaoGuy

My kids (and all their friends) downloaded Messenger Plus; this was thrust upon them upon visiting launch.com. All these people, including me, were instantly loaded with the most diabolical selection of spy/malware, toolbars, changed home pages, desktop icons etc.

 

This Messenger Plus really p****es me off, as it's badged like a Microsoft add-on but isn't. What it is, is disgraceful.

Who are Patchou anyway??


One reason to even look at the license page. In the installer you have an option to not install the "sponsor program". I have installed it and I did not get any spyware.


So you want to get infected with about:blank. You can read of my travails in the malware removal section. Ongoing.

 

How I got it, well... A porn site. Friends & family would drop to hear about this. I come from a very upper-crust background--you know: afternoon tea with little cucumber sandwiches. I got involved with a "downtown" guy who has coffee, cigarettes and Internet porn for breakfast. One of my mailboxes gets spammed by porn sites, so I visited whatever was free. It seems that after I visited, the spam I got became more outlandish. I got emails hawking barnyard sex! Women & horses, dogs--I couldn't figure out why they didn't feature bulls, but maybe bulls are dangerous?! And why I was targeted as a barnyard sex fan, who knows, though maybe because I'm pursuing a degree in veterinary medicine?

 

Anyway, I thought it was all goofy fun until I got an email that said "DADDY MADE HER A SLUT." That's where I put my foot down. I saw something on the Internet years ago involving children and immediately called the New York State Attorney General, and I went into this site trying to figure out if there was some way to identify the perpetrators. And then guess who got [edited], to put it in plain English?!

 

Here's your site, my friend. And so long as you are unafraid of whatever is being downloaded, let me know if there is some way to identify the criminals, because I have nothing to say about what adults do behind closed doors, but involving minors is an unspeakable crime in my book. :mad:

 

Leigh B.

 

email received from myrtle@juno.com (I don't know anyone with that address, just a spam address, I assume) text reads:

 

Incredibly dirty family secret stories!

Free pics at http://archdiocese.bigdig.info/

Unsubscribe: http://deconvolution.bigdig.info/u/home-amuse.cgi

Edited by WinHelp2002


Leigh,

And then guess who got [edited], to put it in plain English?!
No you can not put it in that type language here! That is not plain English, this is a "Public Forum", please treat it as such.

Leigh,
And then guess who got [edited], to put it in plain English?!
No you can not put it in that type language here! That is not plain English, this is a "Public Forum", please treat it as such.


 

Sorry! :gasp: Between the spyware and the site topic, my blood was boiling. You're absolutely right.


Hi...

I too am looking to infect my machine... doing some research on malware...

To get infected with XPlugin, a variant of CWS, go to www.mscracks.com...

 

If you too have any website which brings in other variants, please do share

the info...

 

regards
