Discussion:
*****DO Not OPEN LINK****
Max Wachtel
2008-10-02 22:58:02 UTC
i need help on my download <<<<<scam >>>>>site
the who is dns server is not working with my php database.
can anyone help?
you can email me directly or use this address
Address: Truda 14-1
City: Saint-Petersburg
State: Saint-Petersburg
ZIP: 188934
Country: RU
Phone: +7.9113234634
the site is
www.quickbullshitsoftupdate.com
thanks
Why would you quote the whole thing Peter and not change the URL?????

--
Virus Removal http://max.shplink.com/removal.html
Keep Clean http://max.shplink.com/keepingclean.html
Change nomail.afraid.org to gmail.com to reply by email.
nomail.afraid.org is for use in USENET-feel free to use it yourself.
David H. Lipman
2008-10-02 23:02:55 UTC
From: "Peter Foldes" <***@hotmail.com>

File setup.exe received on 10.03.2008 00:59:12 (CET)

AhnLab-V3 2008.10.3.0 2008.10.02 -
AntiVir 7.8.1.34 2008.10.02 DR/Small.ght.7
AVG 8.0.0.161 2008.10.02 BackDoor.Generic10.MAB
BitDefender 7.2 2008.10.02 Trojan.Downloader.Zlob.ACJY
CAT-QuickHeal 9.50 2008.10.01 Backdoor.Small.fax
eSafe 7.0.17.0 2008.10.02 Win32.Small.ght
F-Secure 8.0.14332.0 2008.10.02 Trojan-Downloader.Win32.Agent.aigp
GData 19 2008.10.02 Trojan.Downloader.Zlob.ACJY
Ikarus T3.1.1.34.0 2008.10.02 Virus.Trojan.Win32.BHO.egw
K7AntiVirus 7.10.481 2008.10.02 Trojan-Downloader.Win32.Agent.hec
Kaspersky 7.0.0.125 2008.10.02 Backdoor.Win32.Small.ght
Microsoft 1.4005 2008.10.03 TrojanDownloader:Win32/Renos.M
NOD32 3490 2008.10.02 Win32/TrojanDownloader.FakeAlert.KG
Norman 5.80.02 2008.10.02 Malware.DJFR
Prevx1 V2 2008.10.03 Malicious Software
SecureWeb-Gateway 6.7.6 2008.10.02 Trojan.Dropper.Small.ght.7
Symantec 10 2008.10.02 Trojan.Dropper
TheHacker 6.3.1.0.098 2008.10.02 Backdoor/Small.foh
TrendMicro 8.700.0.1004 2008.10.02 TROJ_ZLOB.BYO
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
David H. Lipman
2008-10-02 23:08:46 UTC
the site is
www.quickbullshitsoftupdate.com
thanks
| Why would you quote the whole thing Peter and not change the URL?????

He did alter the URL Max. < LOL >
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Max Wachtel
2008-10-03 21:05:55 UTC
Post by David H. Lipman
Post by Max Wachtel
the site is
www.quickbullshitsoftupdate.com
thanks
Why would you quote the whole thing Peter and not change the URL?????
He did alter the URL Max. < LOL >
no, I added the little "extra" to the url..........
--
Virus Removal http://max.shplink.com/removal.html
Keep Clean http://max.shplink.com/keepingclean.html
Change nomail.afraid.org to gmail.com to reply by email.
nomail.afraid.org is for use in USENET-feel free to use it yourself.
David H. Lipman
2008-10-03 21:39:54 UTC
Post by David H. Lipman
Post by Max Wachtel
the site is
www.quickbullshitsoftupdate.com
thanks
Why would you quote the whole thing Peter and not change the URL?????
He did alter the URL Max. < LOL >
| no, I added the little "extra" to the url..........

Ooooops...

Sorry buddy.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
PA Bear [MS MVP]
2008-10-03 00:39:35 UTC
DO NOT QUOTE SUCH LINKS IN REPLIES!!
i need help on my download scam site
the who is dns server is not working with my php database.
can anyone help?
you can email me directly or use this address
Address: Truda 14-1
City: Saint-Petersburg
State: Saint-Petersburg
ZIP: 188934
Country: RU
Phone: +7.9113234634
the site is
MUNGE!!!.quicksoftupdate.com
thanks
Tom [Pepper] Willett
2008-10-03 13:20:17 UTC
Symantec says that there are 1,980 threats on that site:
http://safeweb.norton.com/report/show?name=quicksoftupdate.com

"Anrey Terkin " <***@gmail.com> wrote in message news:%***@TK2MSFTNGP05.phx.gbl...
:i need help on my download scam site
: the who is dns server is not working with my php database.
: can anyone help?
: you can email me directly or use this address
:
: Address: Truda 14-1
: City: Saint-Petersburg
: State: Saint-Petersburg
: ZIP: 188934
: Country: RU
: Phone: +7.9113234634
:
:
: the site is
:
:
:
:
: thanks
unknown
2008-10-03 15:30:23 UTC
The real problem here is how can it come that at this moment, these messages
have still not been deleted from the server? And also, with a company the
size of MS, is there really no way that these messages could have been
filtered out in the first place?
--
Sylvain Lafontaine, ing.
MVP - Technologies Virtual-PC
E-mail: sylvain aei ca (fill the blanks, no spam please)
Post by Tom [Pepper] Willett
http://safeweb.norton.com/report/show?name=quicksoftupdate.com
:i need help on my download scam site
: the who is dns server is not working with my php database.
: can anyone help?
: you can email me directly or use this address
: Address: Truda 14-1
: City: Saint-Petersburg
: State: Saint-Petersburg
: ZIP: 188934
: Country: RU
: Phone: +7.9113234634
: the site is
: thanks
David H. Lipman
2008-10-03 19:36:49 UTC
From: "Sylvain Lafontaine" <sylvain aei ca (fill the blanks, no spam please)>

| The real problem here is how can it come that at this moment, these messages
| have still not been deleted from the server? And also, with a company the
| size of MS, is there really no way that these messages could have been
| filtered out in the first place?

| --
| Sylvain Lafontaine, ing.
| MVP - Technologies Virtual-PC
| E-mail: sylvain aei ca (fill the blanks, no spam please)


Easy answer.

Ever since Microsoft pharmed out the news server administration to a contractor that
service has sucked !
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Peter Foldes
2008-10-03 21:51:46 UTC
Before anybody else jumps on me. I did not open the link. Someone from Microsoft Hungary put out the alarm on this post which was also posted there and in all foreign groups. I just tried to warn others and unfortunately in my haste without thinking I included the original link in my post.

Many think I opened the link which I did not. I never had any virus, malware, trojan since I have been posting in the Microsoft forums for the last 15 yrs. So I made an error in posting and everyone seems to think I opened the link and that is how I found it. Sheeees.

Thanks a bunch to those people
--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
Post by David H. Lipman
From: "Sylvain Lafontaine" <sylvain aei ca (fill the blanks, no spam please)>
| The real problem here is how can it come that at this moment, these messages
| have still not been deleted from the server? And also, with a company the
| size of MS, is there really no way that these messages could have been
| filtered out in the first place?
| --
| Sylvain Lafontaine, ing.
| MVP - Technologies Virtual-PC
| E-mail: sylvain aei ca (fill the blanks, no spam please)
Easy answer.
Ever since Microsoft pharmed out the news server administration to a contractor that
service has sucked !
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
David H. Lipman
2008-10-03 22:03:45 UTC
From: "Peter Foldes" <***@hotmail.com>

| Before anybody else jumps on me. I did not open the link. Someone from Microsoft
| Hungary put out the alarm on this post which was also posted there and in all foreign
| groups. I just tried to warn others and unfortunately in my haste without thinking I
| included the original link in my post.

| Many think I opened the link which I did not. I never had any virus, malware, trojan
| since I have been posting in the Microsoft forums for the last 15 yrs. So I made an
| error in posting and everyone seems to think I opened the link and that is how I found
| it. Sheeees.

| Thanks a bunch to those people

| --
| Peter

I did, but NOT with a browser ;-)

I easily found the IFrame and file intended to be downloaded. I recognized the Social
Engineering in the post and was in the process of analyzing it when you replied.

It's a fake codec called LPVideoPlugin and installs a BHO as...

C:\Program Files\LPVideoPlugin\5378.exe
C:\WINDOWS\system32\LPVideo.dll

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
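
An added example, not part of the post above or of any tool its author used: a Python check that lists the Browser Helper Objects in a `.reg` export, resolves each CLSID to the DLL it loads, and flags the BHO CLSID `{724B80DE-D97A-4384-8960-6AF64CE5BBB3}` and the `LPVideo.dll` name reported in this analysis. The export text and the benign `ExampleVendor` entry are constructed for the example.

```python
import ntpath
import re

BHO_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
# Indicators taken from the analysis in the post above.
KNOWN_BAD_CLSIDS = {"{724B80DE-D97A-4384-8960-6AF64CE5BBB3}"}
KNOWN_BAD_DLLS = {"lpvideo.dll"}

# Constructed sample in .reg export format; the 1111... entry is a made-up benign BHO.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724B80DE-D97A-4384-8960-6AF64CE5BBB3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\helper.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{724B80DE-D97A-4384-8960-6AF64CE5BBB3}\InprocServer32]
@="C:\\WINDOWS\\system32\\LPVideo.dll"
"ThreadingModel"="Apartment"
"""

def parse_reg_export(text):
    """Return {upper-cased key path: {value name: string data}}; '' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})  # registry paths are case-insensitive
        elif current is not None:
            m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="(.*)"$', line)
            if m:
                name = "" if m.group(1) == "@" else m.group(1)[1:-1]
                current[name] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return keys

def audit_bhos(text):
    """List every registered BHO, the DLL it loads, and whether it matches an indicator."""
    keys = parse_reg_export(text)
    prefix = BHO_ROOT.upper() + "\\"
    findings = []
    for path in keys:
        if not path.startswith(prefix) or "\\" in path[len(prefix):]:
            continue  # not a direct child of the Browser Helper Objects key
        clsid = path[len(prefix):]
        server = keys.get(f"{CLSID_ROOT.upper()}\\{clsid}\\INPROCSERVER32", {}).get("")
        dll = ntpath.basename(server).lower() if server else None
        flagged = clsid in KNOWN_BAD_CLSIDS or dll in KNOWN_BAD_DLLS
        findings.append({"clsid": clsid, "dll": server, "flagged": flagged})
    return findings
```

A BHO whose CLSID has no `InprocServer32` entry in the export comes back with `dll` set to `None`, which is worth a manual look on its own.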
Shenan Stanley
2008-10-03 19:54:01 UTC
Post by unknown
The real problem here is how can it come that at this moment, these
messages have still not been deleted from the server? And also, with
a company the size of MS, is there really no way that these
messages could have been filtered out in the first place?
If Microsoft was actually in control of the hundreds (thousands..) of news
servers that these things get replicated to, that would - I suppose - make
sense.

Or - better yet - one could use their newsreader to properly block it OR
just ignore it. ;-)
--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
Tom [Pepper] Willett
2008-10-03 21:08:39 UTC
MS is in control of their own news servers, and are responsible (and have in
place) for stopping these type of things on their servers. C'mon, you're a
MVP, you know that ;-)

"Shenan Stanley" <***@gmail.com> wrote in message news:***@TK2MSFTNGP04.phx.gbl...
: Sylvain Lafontaine wrote:
: > The real problem here is how can it come that at this moment, these
: > messages have still not been deleted from the server? And also, with
: > a company the size of MS, is there really no way that these
: > messages could have been filtered out in the first place?
:
: If Microsoft was actually in control of the hundreds (thousands..) of news
: servers that these things get replicated to, that would - I suppose - make
: sense.
:
: Or - better yet - one could use their newsreader to properly block it OR
: just ignore it. ;-)
:
: --
: Shenan Stanley
: MS-MVP
: --
: How To Ask Questions The Smart Way
: http://www.catb.org/~esr/faqs/smart-questions.html
:
:
Shenan Stanley
2008-10-03 23:49:26 UTC
Post by Tom [Pepper] Willett
MS is in control of their own news servers, and are responsible
(and have in place) for stopping these type of things on their
servers. C'mon, you're a MVP, you know that ;-)
Unfortunately - their removal (or not) doesn't mean much to the hundreds
(thousands) of replicated groups/forums and other leeches of the original.
;-)

Not everyone accesses these groups through the same
server/method/applications/etc. ;-)
--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html