Adware on Neowin

[Steven]

This issue is currently under review of the Neowin Admins. :)

Go Go Inspector Redmak! :D

[nuka_t]

get firefox

[Cara Veteran]

All of you Firefox users are blocking our Ads I suppose...great to help out the site's funding. :rolleyes:

[Rascally]

Heh. Darn those Firefox users! *shake fist*

Hmmm, that's a BC-registered numbered corporation, in the same province where I'm in (where I happen to head up the security/abuse desk of a Tier 1 carrier). I hope those clowns aren't with us. :|

Anyone know the IP address where the first download is coming from? If the ad's still up, maybe I'll fire up a vmware win98 session and see if I can capture it.

[HipHopaholic]

It seems to me that neowin or its ads are changing my homepage, cuase after a hour browsing around in other forum (after using ccleaner to clean all the interent stuff on my comp,run adaware and spybot) nothing happen. Until just now when my homepage changed.

Before my homepage change i get this pop-up from object.passthison.com/vu083003/object.cgi?homepage1

ANY help

[Rascally]

The same IP address range keeps appearing. I would suggest using your firewall to block 209.50.252.0/24:

Non-authoritative answer:

Name: object.passthison.com

Addresses: 209.50.252.113, 209.50.252.114, 209.50.252.116

%whois -a 209.50.252.113

ServInt Corp. SERVINT-CIDR-1 (NET-209-50-224-0-1)

209.50.224.0 - 209.50.255.255

ServInt Internet Services SERVINT-INTR-2 (NET-209-50-252-0-1)

209.50.252.0 - 209.50.252.255

# ARIN WHOIS database, last updated 2004-03-17 19:15

# Enter ? for additional hints on searching ARIN's WHOIS database.

%whois -a servint-intr-2

OrgName: ServInt Internet Services

OrgID: SIS-31

Address: 6861 Elm St.

City: McLean

StateProv: VA

PostalCode: 22101

Country: US

NetRange: 209.50.252.0 - 209.50.252.255

CIDR: 209.50.252.0/24

NetName: SERVINT-INTR-2

NetHandle: NET-209-50-252-0-1

Parent: NET-209-50-224-0-1

NetType: Reassigned

NameServer: NS.SERVINT.COM

NameServer: NS2.SERVINT.COM

Comment:

RegDate: 1998-06-30

Updated: 2001-05-15

TechHandle: NO178-ARIN

TechName: Network Operations

TechPhone: +1-703-847-1421

TechEmail: [email protected]

[HipHopaholic]

sorry to be off-topic but i just did some research on passthison **** and damn im **** <---mad

[Rascally]

I just popped it into google, and the results are rather mortifying.

I really hope Neowin isn't supporting these clowns. :|

[Cara Veteran]

I can tell you right now, Neowin does not (nor ever has) support any forms of Spyware/Adware/Malware/Asshatware. The blame for this one lies in one of the Advertising companies that Neowin receives it's banners from, Redmak will resolve this issue as soon as possible.

Thanks again for your concern,

Cara

Global Moderator

[Steven]

Asshatware.

thats a new one. :D

[Steven]

All of you Firefox users are blocking our Ads I suppose...great to help out the site's funding.  :rolleyes:

I'm using firefox and i'm not blocking anything related to neowin's ads. :)

So "ALL" is not a good way to say it :/

[Samoa]

All of you Firefox users are blocking our Ads I suppose...great to help out the site's funding. :rolleyes:

hi Cara, haven't seen you post in quite a while... :)

[Cara Veteran]

Ya, been a while since I posted last, back and kicking now though. :)

[Steven]

Ya, been a while since I posted last, back and kicking now though. :)

You mean whipping... :p

[HellBender]

I hide the Neowin ads in Firefox, so they load but I dont see them :yes:

[mAcOdIn Veteran]

Weak ass trojan can't even infect with my McAfee disabled lol.

Well the "trojan" is hosted on http://www.achtungachtung.com/0021 (this is where all the parts of the "trojan" are located) but I can't tell you much more because I can't get the whole thing downloaded. I have the part that installs the trojan but not the part it downloads after you're infected.

I'm willing to bet though that this trojan aint a trojan but a crappy spyware program. The infecter part(index[1].html is pretty small but makes several references to LaunchJpu.php which in turn references scriptbody.jsp which then references payloadexe.exe(which I can't seem to get). It also mentions C:/WINDOWS/PCHEALTH/HELPCTR/System/panels/Context.htm and has several paths to notepad coded into it but just what it does I can't say because I can't get payloadexe.exe, and on top of that even if I could I probably wouldn't understand it as easy as I would a script like the other files.

[Redmak Administrators]

I'm working on this but as I don't get these ads myself it's quite hard to pinpoint its origin.

If any of you get this ad again could you please provide me with:

The link of the banner that is showing at that time (so do a mouseover and read your IE status bar) and if you could even provide me with the source code of the page (the neowin page) so I can check the ad code in there.

[HipHopaholic]

I was in this thread

https://www.neowin.net/forum/index.php?showtopic=149643

And the ad above was

http://oz.valueclick.com/cycle?host=hs0279...script=1;msizes

"Free! Online Diabetes menu planner Click here to use it now"

Hoped i have help, off to scan my comp, how gay :blush:

[HipHopaholic]

Oh can someone look in there registry and go to

Hkey_Current_user\software\microsoft\internet Explorer\main

and look for

search bar

search page

And tell me what is the defualt data suppose to be. So i can change mines :)

i found that mines said smartbotpro which i guess is affiliated with the Passthison crap, after doin research on it.

Currently in my registy (pic below)

[Keldyn]

Oh can someone look in there registry and go to

Hkey_Current_user\software\microsoft\internet Explorer\main

and look for

search bar

search page

And tell me what is the defualt data suppose to be. So i can change mines :)

i found that mines said smartbotpro which i guess is affiliated with the Passthison crap, after doin research on it.

Currently in my registy (pic below)

Those registry keys are not a default part of Internet Explorer. They are a part of the "adware" you are describing. I would delete them personally.

[HipHopaholic]

after some time again researching about passthison, i have learn that this Hijacking occured becuase of some flaw/hole in IE.

Would it be in my best interest to switch to firefox. Will it rid me of my problem.

Other forum also sent me a popup and reset my homepage. i have tried everything to get rid of it, including going to safe mode with CMD and del index.dat/s. I manage to browse around neowin by pressing hte stop button before the ads load.

Firefox - yay or nay?

[CaKeY]

YAY!!

[SOOPAH256]

i was just refreshing the main page when a window, w/o and content in it loaded, popped up saying something like "passionate....." in the window title.

here is the source code of the page (main page) just as you requested:

www.neowin_1_.html

[SOOPAH256]

btw, it apparently changed my homepage also to: http://default-homepage-network.com/start.cgi?hkcu

[Xylene]

I was getting the same crap yesterday. I thought it was just me, but looks like others are complaining now as well. I got rid of it by running HiJackThis and removing the entries for it. I didn't even get one of those installer windows, like in some screenshots. I just got a normal popup that opened and was closed instantly by the google toolbar, and then after that popup I had problems.