Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 

Fight back - Report the sites that hijacked You here !

 
Moore
Moderator


Joined: 31 May 2004
Last Visit: 16 Jun 2014
Posts: 758
Location: °°.MooreLand.°°

Posted: Tue Jun 14, 2005 6:45 pm    Post subject: Fight back - Report the sites that hijacked You here !

--

Please help us fight back against the companies and individuals who take advantage of all internet users to make themselves rich !! Post the sites that hijacked you here

--

Basically we would like everyone's help to track down the ever increasing amount of malicious websites out there that are infecting people with all kinds of malware, which will ultimately make all our lives miserable and in many cases totally trash our PCs.

If you have found that you have been infected by visiting a website and would like to help prevent others from suffering the same fate, please take a moment to report that website here in this thread.

The information you can provide on any sites involved in hijacking internet users will be very useful.

With the information you provide we can then investigate the site in question and take further action if needed, including getting the identified hijack sites into the various HOSTS file and spyware blacklists available to help users protect themselves from these threats.

Your help will be most appreciated by us all, even more so by the people who will be spared the frustration and torment they would otherwise face by having their PCs infected and rendered unusable.

So if you know which website it was that infected you, please let us know about it !



*********************************************

Tracking the hijack IP / domains responsible while they are still active on your PC:

*********************************************

If you are unsure of your web travels, you can use this free program to retrieve your web history and weed out any possible suspicious websites:

Quote:
This utility reads all information from the history file on your computer, and displays the list of all URLs that you have visited in the last few days.

It also allows you to select one or more URL addresses, and then remove them from the history file or save them into text, HTML or XML file. In addition, you are allowed to view the visited URL list of other user profiles on your computer, and even access the visited URL list on a remote computer, as long as you have permission to access the history folder


> http://www.nirsoft.net/utils/iehv.html <


================================

If you don't have a firewall which provides logging capabilities, you can gather information about the current connections going to and from your computer in a few other ways.
A firewall is highly recommended though, and is one of the most important parts of your computer's security while online.

Firewalls such as XP's inbuilt firewall do not monitor outbound connections, and many firewalls that do still won't prevent spyware or trojans from leaking your information or updating themselves.

For more information on firewalls please read the SpywareWarrior Firewall guide:
http://www.spywarewarrior.com/viewtopic.php?t=14155


================================

You can also use a Netstat viewer to record/monitor the IP addresses of the current connections to and from your computer and look them up, using tools such as Whois and Traceroute to identify them.

TCPView is free and should be a part of everyone's security toolkit.

It is one of the best Netstat graphic user interface programs available, and shows a live view of the current connections to and from your PC.

You can save a log of the IP addresses currently connected to your pc by going to file -> save

> http://www.sysinternals.com/ntw2k/source/tcpview.shtml <

================================

Mischel Internet Security also has a freeware Netstat viewer:

> http://www.misec.net/freeware/ <

This does not need to be installed, simply run it from the folder you save it to after it has been downloaded.

It does not automatically refresh like TCPView does, so you can capture the traffic easily, and manually refresh the viewer once you have saved the information.

================================


Even the basic netstat utility can be a great help to identify if you have trojans or spyware on your computer making outbound connections.

If you happen to see some suspicious connections you can use the IP addresses displayed in Netstat to track them down and block them and even report them to their ISP.

You can use the basic version of netstat, which is part of all Windows operating systems, by doing the following:

Go to START > run > [type:] cmd.exe (for xp)
and START > run > [type:] command.exe (for win98)

For a continuous netstat readout, you can use what's called an interval switch. You can type:
Code:
 netstat -an 10


10 = the number of seconds you want to refresh the connections, although the output will get very long very quickly.

When you use the interval switch, netstat will continuously loop until you press CTRL+C.


To output the results of a single readout to a text file on your C: drive, from the cmd prompt type in [or copy and paste] this line:

Code:
netstat -an >C:\netstatoutput.txt


For more help type in: netstat/?

That will bring up the list of commands you can use as displayed below...

Quote:
NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

-a Displays all connections and listening ports.
-e Displays Ethernet statistics. This may be combined with the -s option.
-n Displays addresses and port numbers in numerical form.
-o Displays the owning process ID associated with each connection
-p proto Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP.
-r Displays the routing table.
-s Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.
interval Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics.
If omitted, netstat will print the current configuration information once.


Here are a few links that you might also find helpful on using netstat:

Netstat explained:
http://www.computerhope.com/netstat.htm
http://www.brienposey.com/kb/netstat.asp

The Art of Interpreting Netstat
http://www.winnetmag.com/Article/ArticleID/40316/40316.html

================================

Further important reading :

Paperghost has written an excellent guide on Bleeping Computer which will also help to explain how to trace intruders on your PC:
http://forums.bleepingcomputer.com/forums/Tracing_a_hacker-tut99.html

IP addresses explained:
http://forums.bleepingcomputer.com/forums/IP_Addresses_Explained-tut37.html

More great easy to understand guides here:
http://forums.bleepingcomputer.com/forums/tutorials.html


For information on open ports and trojan port listings see here:
http://www.bluetack.co.uk/forums/index.php?showtopic=777

Also more helpful information in the Trojan guide:
http://www.spywarewarrior.com/viewtopic.php?t=10027

The Bluetack Guide to understanding IPs and methods for tracking down IP addresses:
http://www.bluetack.co.uk/forums/index.php?showtopic=52

================================
-- IMPORTANT !! --
================================

For the safety of other users who will be viewing this thread, please do not post live links. Just disable any links by using the following method, for example:

www. hijackersite .com

Thanks for helping us to help keep you protected

================================
_________________
| Stop Malvertising | Outpost | Blocklist Pro | Hosts |
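
Added example, not part of the post above or of any tool it links to: a Python script that reads a saved `netstat -an` readout (such as the C:\netstatoutput.txt file described in the post) and keeps only the outside IP addresses worth a Whois lookup. The sample readout and its addresses are constructed, and the function names are this example's own.

```python
import ipaddress
from collections import defaultdict

# IPv4 ranges that never identify an outside host:
# unspecified, RFC 1918 private, loopback and link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the layout of Windows "netstat -an" output.
# The outside addresses come from the reserved documentation ranges.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1030         127.0.0.1:1031         ESTABLISHED
  TCP    192.168.1.10:1047      203.0.113.25:80        ESTABLISHED
  TCP    192.168.1.10:1052      203.0.113.25:80        TIME_WAIT
  TCP    192.168.1.10:1060      198.51.100.7:8080      ESTABLISHED
  TCP    192.168.1.10:1061      192.168.1.1:445        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

def is_local(ip):
    """True for addresses on this machine or the local network."""
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return True
    return any(ip in net for net in LOCAL_NETS)

def external_peers(netstat_text):
    """Map each outside IP to the sorted (remote_port, state) pairs seen for it."""
    peers = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have at least four columns (five with -o);
        # UDP rows carry no state and no real peer address.
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        host, _, port = fields[2].rpartition(":")
        try:
            ip = ipaddress.ip_address(host.strip("[]"))
            port = int(port)
        except ValueError:
            continue  # unparsable address or port, skip the row
        if fields[3] == "LISTENING" or is_local(ip):
            continue
        peers[str(ip)].add((port, fields[3]))
    return {ip: sorted(seen) for ip, seen in peers.items()}

if __name__ == "__main__":
    for ip, seen in sorted(external_peers(SAMPLE).items()):
        print(ip, ", ".join(f"port {p} {s}" for p, s in seen))
```

To run it on a real readout, pass the contents of the saved text file to `external_peers` instead of `SAMPLE`.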
starfire1117
Junior Member


Joined: 18 Jul 2005
Last Visit: 07 May 2006
Posts: 15

Posted: Tue Jul 19, 2005 5:38 am    Post subject: disney.com??

Hi, our computer was recently infected with aurora and god knows what other spyware/trojan?? Someone got hold of our debit card number and made a duplicate. There were uses in TX and FL.
I just happened to read this post and ran netstat out of curiosity. I'm not a computer expert but I did a whois lookup for some of the addresses and some of the results came up with ORG names:
disney.com and IANA.org
What if anything does this indicate?
The other addresses showed Verizon, which I assume is ok, since we use Verizon DSL.
mr-devious
Junior Member


Joined: 04 Aug 2005
Last Visit: 26 Apr 2006
Posts: 26

Posted: Thu Sep 08, 2005 11:40 am

www. slimshield .com and www. smart-security .info (I left spaces in the address so as not to create a link) , who are run by the same people, hijacked my computer and were harder to remove than anything I've ever had. I'd advise to steer clear of these "security" sites.
drUnK DRivEr(jk)
Banned for violating forum policy


Joined: 10 Sep 2005
Last Visit: 08 Oct 2005
Posts: 43

Posted: Sat Sep 10, 2005 9:30 pm    Post subject: Alright.

Don't take any action against Adware Filter, but when I tried to access www.spywarewarrior.com one time, I came to a place called
www.pcsafe.com
But that only happened once.
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 22 Aug 2014
Posts: 10323
Location: sunny California

Posted: Sat Sep 10, 2005 10:11 pm

drUnK DRivEr(jk),

I know what happened with that - you made a typo on the domain name. A domain name squatter registered several misspellings of spywarewarrior and is selling rogue apps on them. Unfortunately, there's nothing I can really do about it.

This is one of them:

http://www.whois.sc/spywarewarior.com "warrior" is missing one r there - warior
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
TornShoulder
Newbie


Joined: 10 Dec 2005
Last Visit: 13 Dec 2005
Posts: 3

Posted: Tue Dec 13, 2005 5:35 pm

www. multiplayercheats.de did a number on my computer.
Jez
Newbie


Joined: 20 Dec 2005
Last Visit: 20 Dec 2005
Posts: 4

Posted: Tue Dec 20, 2005 6:42 am

Hi all, this is my first post here. Not sure if it will be much use to anyone but it may trigger a memory from another user who has greater details than me!
It was a registry cleaning program called registry something or other (cleaner, doctor, whatever, can't remember...), I found it using a Yahoo search. It was there as a standalone application rather than one of many on Tucows, download.com etc. It installed OK but started asking me if I wanted to upgrade to the all singing all dancing version for $29.95... I ran the software and it asked me to register it first by sending my e-mail address, which I did (oops!). It then appeared to do its job of cleaning the registry, I don't know if it really did or if it just "went through the motions", certainly lots of file names flashed up the screen much as they would when using AVG etc. A few pop ups then appeared which I did not like the look of, ads for hard core porn sites etc. so I decided to uninstall it. There was no uninstaller so I used the Windows one in the control panel. As soon as I started the uninstall the rogue software took me on-line and I started getting screens saying something like "we see you don't like our wonderful product but maybe a price reduction to just $19.95 would persuade you to change your mind and keep our unique and useful software", I kept clicking NO and kept getting new messages offering larger reductions.... ended at $5 I think. It eventually uninstalled, or at least it seemed to have (hmm). Since that time my spam filter has been collecting up to 100 spam e-mails a day (used to be about 8) most of which have files attached, I also have had to remove several trojans etc. and I'm still not sure that I have found everything it's altered/downloaded.
Jez.
Jez
Newbie


Joined: 20 Dec 2005
Last Visit: 20 Dec 2005
Posts: 4

Posted: Tue Dec 20, 2005 6:50 am

erm...don't know how that emoticon got there!
It's supposed to read "up to 100 spam e-mails a day (used to be about eight) most of which have files attached"
Having tried preview on this one it seems that when I use the number eight I get an emoticon!....virus?
Nick
Site Admin


Joined: 27 Feb 2004
Last Visit: 15 Jul 2014
Posts: 3913
Location: California

Posted: Tue Dec 20, 2005 8:40 am

The number 8 followed by ) makes that smiley. :) Same thing as the colon : followed by ) makes :) You can disable smilies in posts if that happens again or put an extra space between them.
alhefner
Newbie


Joined: 05 Jan 2007
Last Visit: 05 Jan 2007
Posts: 1

Posted: Fri Jan 05, 2007 9:42 pm

WOW! I have been looking for a place like this! Having users post the site where they were hijacked is great.

These people need to be exposed. I will be using this to add suspect sites to my search engine.

Al
_________________
defiant malware hater
http://www.netmorale.com
search engine with a twist
bmoynihan
Newbie


Joined: 15 May 2007
Last Visit: 22 May 2007
Posts: 9

Posted: Tue May 15, 2007 9:33 am    Post subject: Myspace hijacker

I got a trojan virus from checking out some girl's pictures on a myspace account. I'm stupid I know but she was cute.
doucy
Newbie


Joined: 03 Sep 2006
Last Visit: 13 Jul 2007
Posts: 7

Posted: Tue Jun 19, 2007 6:14 pm

www. gambling-cnn.com

Edited by admin to break live link. We don't want anyone clicking it and getting infected.
snakeboy
Newbie


Joined: 24 Jun 2007
Last Visit: 28 Jan 2008
Posts: 9

Posted: Sun Jun 24, 2007 6:53 pm

gomyron.com
tripkill201
Warrior


Joined: 24 Jun 2007
Last Visit: 23 Feb 2008
Posts: 175
Location: Approximately 2.3698 billion light years away.

Posted: Thu Jul 12, 2007 7:43 pm

www. mywebsearch.com
www. alexa.com
(Both of their toolbars re-stealth installed when I tried to use Add/Remove programs, and when I tried to use them, my computer froze, or redirected to their homepage.)
www. atunnel.com
(Installed 3 Winsoftware files on my computer. The same company that makes Winantivirus, and Errorsafe, among other really bad rogue apps. It appears to be a safe, legitimate proxy, but is not. The homepage is a rip-off picture of Mozilla Firefox's icon, which may indicate that they want people running Firefox to use the proxy.)
_________________


The stakes are immense, the task colossal, the time is short. But we may hope — we must hope — that man’s own creation, man’s own genius, will not destroy him. -Albert Einstein
The Beast
Junior Member


Joined: 16 Jul 2007
Last Visit: 25 Jan 2008
Posts: 32

Posted: Tue Jul 17, 2007 3:26 pm

This is the web site I found on Yahoo Answers because I'm a huge Japanese anime fan. And my McAfee didn't have a chance. I was infected with a trojan called Aladino that searches port 5005 I think, anyway here it is.*
http:// videodragonball. blogspot.com/...
This place is the King of popups you want to test your computer system go here (just kidding).

It made my life a living hell, that's why I'm here today, and I had Site advisor (would you believe) in the gray, too bad I notice it after I got the virus ah trojan these RATS remote controllers.
Nick
Site Admin


Joined: 27 Feb 2004
Last Visit: 15 Jul 2014
Posts: 3913
Location: California

Posted: Sat Nov 10, 2007 9:09 pm

Continued in this topic http://www.spywarewarrior.com/viewtopic.php?t=14185
All times are GMT - 8 Hours