Full Version: Trojan in rotation at multiple sites
MisterChris
There is a nasty trojan, a variant of the downloader trojan, in rotation in multiple sites' PTP rotators. Click N Win, Paying Cash, 3Bears, Fusion, Cash Desks, at least a half dozen others. I've been seeing it in one form or another for the past couple of weeks but in the past three days it has exploded. I believe it is emanating from an ad banner on these sites.

The site it is originating from is adxrnet.net and this is all coming from an ad banner(s) that are in rotation at many sites.

adxrnet.net's IP address is 216.185.111.10 in Dallas, TX. From adxrnet.net a file named showmsr[1].htm is downloaded into your temporary internet files. That file isn't a virus itself, but contains code which redirects you to the website where the real bad stuff is located. Once the file is in your temporary internet files and runs, you are connected to 83.216.217.242, located in a data hosting center in Vienna, Austria, where it proceeds to download rootkits and various other trojans, spyware, porn, you name it. Once you realize that the flood of garbage has started, if you kill your internet connection in time you can probably prevent infection.

The whois info for adxrnet.net is blocked by Moniker Privacy services. I have sent an email to the isp in Vienna with this info and am going to track down further info about the associated ip in Dallas and follow up there as well.

All POs who see this message, PLEASE check your PTP rotator and sites themselves to see if any of the banners submitted by your advertisers are referring to adxrnet.net or the above-referenced IP addresses. If they are, let's post the contact info of the offenders and nail 'em.

MisterChris
Also, I would like to point out that I believe that a javascript process is involved here as well. I am only getting attacked when I surf the TX exchanges, and that is generally the only time that I enable javascript because the timers and anti-cheats don't work without it. It is very possible that the redirects to the bad domains and IPs are embedded in the javascript code somewhere, and not directly in the paid links that the perpetrator(s) is submitting to the websites.

I also believe that the rash of bad stuff happening lately is the result of only one or two individuals. If those individuals are members of this site and are reading this, then you are advised to pull all your infected banners and other stuff right away because I am coming after you and I am getting closer to finding out your real identity each time you hit me with your garbage.
wagdoll
It's in 3rd party banners, POs won't find that URL in rotation at their sites.

In addition to the adxrnet URL, there's another called lefjios.net and one called kasdfps.net

Clicksor and Axill look like the main sources.

The IP addy you got (the Texas one) is for an open proxy server - good job on all your research though!!

It's coming through a java applet btw, I guess noscript also stops java as well as javascript?

hth

eta I have written to one site and put a note in the PO folder of the forum that can't be named here, along with more posts in the open sections there.

Also did your AV catch this? I use AVG and it isn't recognising it at all... I noticed a java byte verify thingy in my system before and got that again today from one of those other two URLs, but having to clean it off manually. It does freeze your browser very badly, so if that happens do virus scans in various places and check your PC thoroughly...
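The check MisterChris asks POs to run (look through rotator and banner code for references to adxrnet.net or the two IPs) and wagdoll's point that the references sit in third-party banner code and Java applets rather than in the PO's own rotator both come down to the same thing: scanning the HTML the browser actually received for anything that loads from those hosts. Below is an added example of that scan in Python; it is not code posted by anyone in this thread. It assumes you have saved the banner frame or rotator page to disk (for example from the browser cache, like the showmsr.htm file above); the host list is taken from the posts above and the sample HTML inside the script is constructed for the demo, not captured from any site.

```python
"""
Scan saved banner / rotator HTML for the ad hosts named in this thread.

Added example for this thread; not code posted by any of the participants.
The indicator list is taken from the posts above; SAMPLE_BANNER is
constructed for the demo and is not a real capture.
"""
import re
import sys
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit

# Hosts and IPs named in the thread. Subdomains match too (www.lefjios.net).
BAD_HOSTS = {
    "adxrnet.net", "lefjios.net", "kasdfps.net",   # third-party ad hosts
    "216.185.111.10",                              # Dallas IP (open proxy per wagdoll)
    "83.216.217.242",                              # Vienna host serving the payload
}

# Attributes through which a tag makes the browser fetch or run remote content.
# 'codebase' and 'archive' are how <applet> pulls a Java applet from a host.
LOAD_ATTRS = ("src", "href", "action", "data", "codebase", "archive")

URL_RE = re.compile(r"""https?://[^\s'"<>()]+""", re.I)


def host_of(url: str) -> str:
    try:
        return (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:
        return ""


def is_bad_host(host: str) -> bool:
    return any(host == bad or host.endswith("." + bad) for bad in BAD_HOSTS)


class RefCollector(HTMLParser):
    """Collects every URL a page would load, plus inline <script> bodies."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: list[tuple[str, str]] = []   # (where, url)
        self.scripts: list[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        attrs = {k.lower(): (v or "") for k, v in attrs}
        for name in LOAD_ATTRS:
            if name in attrs:
                self.refs.append((f"<{tag} {name}>", attrs[name]))
        # <meta http-equiv="refresh" content="0;url=..."> is a classic redirect.
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", attrs.get("content", ""), re.I)
            if m:
                self.refs.append(("<meta refresh>", m.group(1)))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def scan_html(html: str) -> list[dict]:
    """Return one finding per reference to a host in BAD_HOSTS."""
    p = RefCollector()
    p.feed(html)
    p.close()
    findings = []
    for where, url in p.refs:
        host = host_of(url)
        if is_bad_host(host):
            findings.append({"where": where, "host": host, "url": url})
    # Redirects buried in JavaScript (the thread suspects these) live in no
    # attribute, so pull URL literals out of the script bodies as well.
    for body in p.scripts:
        for url in URL_RE.findall(body):
            host = host_of(url)
            if is_bad_host(host):
                findings.append({"where": "inline script", "host": host, "url": url})
    return findings


# Constructed sample: a banner frame with an off-site Java applet, a JS
# redirect and a meta refresh. Nothing here was captured from a real site.
SAMPLE_BANNER = """<html><body>
<a href="http://example.com/click"><img src="http://example.com/banner.gif"></a>
<applet codebase="http://adxrnet.net/java/" code="Loader.class" width="1" height="1"></applet>
<script type="text/javascript">
  setTimeout(function () { window.location = "http://83.216.217.242/showmsr.htm"; }, 500);
</script>
<meta http-equiv="refresh" content="0;url=http://www.lefjios.net/x.htm">
</body></html>"""


if __name__ == "__main__":
    # Usage: python scan_banners.py saved_page1.htm saved_page2.htm ...
    # With no arguments the constructed sample is scanned instead.
    pages = [(f, Path(f).read_text(encoding="utf-8", errors="replace")) for f in sys.argv[1:]]
    for name, html in pages or [("SAMPLE_BANNER", SAMPLE_BANNER)]:
        for hit in scan_html(html):
            print(f"{name}: {hit['where']} -> {hit['host']}  ({hit['url']})")
```

Two caveats. The script only flags hosts in BAD_HOSTS, and these networks rotate hosts, so add any new domain you see to the set rather than trusting a clean result. It also cannot see what a Java applet does once it runs; an <applet> or <object> whose codebase points off-site is the thing to pull regardless of whether the host is on the list yet.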
MisterChris
It hit me twice today, both times from Soaring Eagle. Once in their PTP rotator and once on an affiliate page I visited. In both cases the offending banner was a java applet from Adshuh.com, and in both cases the adshuh loaded directaclick.com.

Unfortunately I have to run javascript when surfing the tx exchanges which is the only time this happens. Usually javascript is turned off.
MisterChris
QUOTE (wagdoll @ Dec 6 2007, 04:06 PM)
eta I have written to one site and put a note in the PO folder of the forum that can't be named here, along with more posts in the open sections there.

Also did your AV catch this? I use AVG and it isn't recognising it at all... I noticed a java byte verify thingy in my system before and got that again today from one of those other two URLs, but having to clean it off manually. It does freeze your browser very badly, so if that happens do virus scans in various places and check your PC thoroughly...


My Norton usually catches these intrusions and attempted intrusions, but a couple of times it slipped by. There is also an annoying series of popunders that are happening from time to time where an IE window is started but not visible except in the process tree. This invisible IE window proceeds to blast ads at itself and who knows what else. I figured it out last week when I had nothing opened and all of a sudden I could hear the audio for a movie preview playing somewhere on my machine. I am going to start directing my detective skills at this offender next.

-MisterChris
wagdoll
Did you look to see if those invisible windows are actually loading in banners or in quick flashes of layers, or scroll down the pages inside PTP rotators to see if they've loaded at the bottom of one of those? I've noticed that happen frequently lately. Several 3rd party networks are having webpages inside banner frames coming out of Zedo, but that's not what they have on their sites, it's being served through other 3rd parties... Some of the webpages occurring like this though seem to have popunder in their URL so that makes me think that is what they are designed for, but they aren't appearing as popunders, they're hidden somewhere on the page instead.
Lisa0069
QUOTE (MisterChris @ Dec 6 2007, 06:21 PM)
It hit me twice today- both time from Soaring Eagle. Once in their PTP rotator and once on an affiliate page I visited. In both cases the offending banner was a java applet from Adshuh.com, and in both cases the adshuh loaded directaclick.com.

Unfortunately I have to run javascript when surfing the tx exchanges which is the only time this happens. Usually javascript is turned off.

Thank you for posting here I will pull everything from Adshush, I am sorry for the problems. Wish you had contacted the site so we could catch it faster.

Thank you

Lisa
MisterChris
QUOTE (wagdoll @ Dec 6 2007, 05:00 PM)
Did you look to see if those invisible windows are actually loading in banners or in quick flashes of layers, or scroll down the pages inside PTP rotators to see if they've loaded at the bottom of one of those? I've noticed that happen frequently lately. Several 3rd party networks are having webpages inside banner frames coming out of Zedo, but that's not what they have on their sites, it's being served through other 3rd parties... Some of the webpages occurring like this though seem to have popunder in their URL so that makes me think that is what they are designed for, but they aren't appearing as popunders, they're hidden somewhere on the page instead.


No, those invisible windows aren't hidden in banners. It is an actual IE window opened up and running but not visible in the taskbar or on my screen, only in the process tree. I have verified that by closing all my windows, and even though everything is closed and it appears that nothing is open, there is still a page running because I can hear audio ads streaming. The invisible popunder problem has only started within the past couple of weeks so I suspect it's probably an undeclared vulnerability in windows and IE. I wouldn't be surprised if we hear about MS releasing a patch for this in the very near future.

QUOTE (Lisa0069 @ Dec 6 2007, 05:19 PM)
Thank you for posting here I will pull everything from Adshush, I am sorry for the problems. Wish you had contacted the site so we could catch it faster.

Thank you

Lisa


Thank you Lisa for your attention to this. Be assured it is not only your site that is affected by these. It is happening on at least 8 - 10 sites. Soaring Eagle just happened to be the one that it happened to me on this morning when I was doing my surfing and decided enough was enough and changed into my detective hat to start getting to the bottom of this. If I see anything in the future with one of your sites I'll be sure to PM you immediately.

-MisterChris
FHM
There are indeed many ads out there with trojans downloading to your PC. One thing to stop the major part of the downloading is using Firefox instead of IE, because that has a built-in popup blocker for most of them. Because that is where the trouble comes from: the popups and popunders.
Another piece of advice: use Nod32 as a virus scanner instead of AVG or even Norton, and add a spyware scanner to your system too.

Most of these trojans do not do much harm to your system, but they slow down the system and start controlling your internet experience. The vast majority of them are looking for internet payments made from your PC. You can recognize a problem by the way your browser reacts after a page has loaded and then starts to load many, many links (can be seen in the bottom of your browser and not in the actual display).

The one you have to be very careful about is the ActiveX downloader at some sites, and I hope that threat has been eliminated by now because I've reported it at many sites.

BTW if you need the nod32 scanner i can get you that for free with lifetime update
mtlgold
Thanks for info..
Got blasted last weekend... Now I have much higher security... I catch and block URLs.
I add all the domains to my Adblock Plus too; it should prevent loading them.

Mario
jsitko
I got hit by the trojan downloader a few days ago and just now got back online. It hit all my media files, changing webpages on its own, not allowing me to have control at all. I couldn't figure how to get rid of it. Just by reading here I know all of you are more computer savvy than I, but I just learned a whole lot more. I had the voices in the background and no pages opened, pages freezing or changing. It was all different sites or ads. My Norton 360 found it and I thought it got rid of it and all my online and offline web pages and cookies. Then I found a folder of cookies that said I could not get rid of because they were being used by another user. That other user, I believe, was IE. When I uninstalled that it seemed to be the end of my problems. I also had to get rid of my Norton and reinstall it because when I was busy on the net and that page came up, I thought it was my Norton update and I clicked YES. Dummy me actually downloaded that Norton with the virus. Color me stupid!
I am not sure what PT site I was in for the life of me. The only thing I remember is that I was checking out a site it gave me which was from Canada. It offered good money to take surveys, offers and paid to write. I thought it was too good to be true and like a fool, I went on the site and BAM! Trojan Downloader.
locotime
Hehehehe there is that nasty wanna be W32 virus again.
IE7 users can fix this easy. Really easy. Type %system% into your browser. Exclude .cab files.

Norton users are here. I use it myself.
Here is a tip for those XP/Norton users who think they have a virus.
(Vista users have to visit the symantec site for extra exclusions.)

Open norton.
Click the norton "internet security" tab.
Click "settings"
Click "auto protect"
Click "Configure"
Click "Scan exclusions"
Click "new" on the auto protect scanning box.
Type this in exactly. (copy and paste)
C:\Windows\SoftwareDistribution
and add it.
You're done. You have got up to 90% (or more) of your CPU use back.
Bla bla bla is why it works.

To see if you have the 90% CPU use thing going on. Push down ctrl+alt+del all at the same time when your PC is going ultra slow dial up style. Click the process tab and look to see if something is using 90% of the CPU. With norton you will also notice that lucallbackproxy is going nuts. (multiples) you will also see lucoms~1. Your browser may stop clicking those links also when this is happening. (most people just reboot to fix this)

A virus huh?
Maybe not.
Don't forget to update that norton daily.
locotime
leeterske01
Thx for the info
nubbits
Thanks for the heads up, I'm happy I use kaspersky... it's still the champion of anti-virus, norton sucks many things including processing power. And 9/10 times it misses stuff.
nim3
Thanks for the info !
tronic
Thanks for the info, appreciated. I will stay clear of these sites from now on.
ccofer
I kept getting hit by trojans this morning while trying to surf at SAS and hogshollow; I finally had to stop surfing. I think it is the same nasty that you are talking about here. I think it is on the donkey website. It is rather hard to tell when you are surfing more than one site at a time, but donkey seems to be the one site that was always on screen whenever I was hit with it.
wagdoll
ccofer which antivirus are you using?



ccofer
QUOTE (wagdoll @ Apr 20 2008, 04:32 PM)
ccofer which antivirus are you using?



I use Avast, which did take care of it and stop it from loading on my computer. It's just really annoying when it keeps popping up like that. I finally just stopped surfing for today because I was getting it on just about every traffic exchange. I can't be the only one this is happening to. I can't believe other's haven't complained.
cubster
Ccofer, when I saw your post last night I started surfing at hogshollow and about the fifth page I got stuck solid for over 10 minutes from a site with blue advertise and credit burner and all the nasty PTP with autosearches, probably the worst I had ever seen. Unfortunately I didn't get the site name and couldn't report it cos I had to shut my puter down. I'm not sure if this is the same thing that you came across, but I wanted you to know that I did try to have a look for you!
wagdoll
QUOTE (ccofer @ Apr 20 2008, 08:24 PM)
I use Avast, which did take care of it and stop it from loading on my computer. It's just really annoying when it keeps popping up like that. I finally just stopped surfing for today because I was getting it on just about every traffic exchange. I can't be the only one this is happening to. I can't believe other's haven't complained.


You're not the only one, everyone with Avast is probably getting this. It's reacting to a popunder network called adsrevenue.net. It's not the same virus this thread was started about.

On the good side I think Avast is reacting to a false positive, not an actual virus. There's no evidence of a virus in the popups and it's giving the alert before the popup even has a chance to load, so it's almost certainly not a virus.

On the bad side there are so many sites either with the popunders from adsrevenue, or with Axill banners (which have the popunder attached to them) or with a site in rotation that has one or the other of those.

I don't know how to sort out the mess of this. One owner I wrote to has removed adsrevenue popunders from her sites though.
famschmid
Hi,

I also had the same problem, but I'm using AntiVir. Mostly from adsrevenue.net, but also from another site and from http://popunder.paypopup.com.
On the following sites:
dragonpaidmail
earncash4email
jaguarcash
paodexplosion
postalpennies

Anyone have the same problems on these sites?

Ines
Toffeepot
Thank you for posting here
Invision Power Board © 2001-2012 Invision Power Services, Inc.