Very nasty thing
Get Paid Forum > Nasties, trojans, 0iframes and downloads when surfing : Info and discussions
mtlgold
Here is a list of all the nasty stuff found after clicking one X-ray PTP link.

X-ray is not responsible for that; it is a site in the rotator. But apparently the site targets Canada and the USA only, and the malware is on the site randomly, which makes it very hard to find the source. My friend says this is the new wave of trojan. The bad guys know the IP of the PO, so it will never be present for him when he is looking for it or when he is approving the ad.

Hope they will arrest these people.


Detected
--------
Status Object
------ ------
detected: riskware Invader Running process: c:\Program Files\Spyware Doctor\swdsvc.exe
detected: riskware Invader Running process: C:\WINDOWS\system32\nvsvc32.exe
detected: riskware Invader Running process: C:\WINDOWS\system32\control.exe
detected: riskware Invader Running process: C:\WINDOWS\SYSTEM32\winlogon.exe
detected: riskware Invader Running process: C:\WINDOWS\system32\services.exe
detected: riskware Invader Running process: C:\WINDOWS\System32\cisvc.exe
detected: riskware Invader Running process: c:\Program Files\Spyware Doctor\swdsvc.exe
detected: riskware Invader Running process: C:\WINDOWS\System32\svchost.exe
detected: riskware Invader Running process: c:\Program Files\Spyware Doctor\SDLoader.exe
deleted: virus P2P-Worm.Win32.VB.dz File: C:\antivirscan.exe
deleted: virus P2P-Worm.Win32.VB.dz File: C:\bac.exe
deleted: virus P2P-Worm.Win32.VB.dz File: C:\bac2.exe
detected: riskware Invader Running process: C:\WINDOWS\Explorer.EXE
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\windows\csrss.exe//PKLite32
detected: riskware Invader Running process: C:\Program Files\WinRAR\WinRAR.exe
deleted: Trojan program Trojan-Dropper.Win32.Delf.xo File: C:\WINDOWS\NDNuninstall7_14.exe
detected: riskware Invader Running process: C:\WINDOWS\system32\svchost.exe
deleted: adware not-a-virus:AdWare.Win32.NaviPromo.gen File: C:\WINDOWS\SYSTEM32\ZPDOQL.EXE//PE_Patch.PECompact//PecBundle//PECompact
detected: riskware Invader Running process: C:\Program Files\Outlook Express\setup50.exe
detected: riskware Invader Running process: C:\WINDOWS\system32\rundll32.exe
detected: riskware Invader Running process: C:\WINDOWS\inf\unregmp2.exe
detected: riskware Invader Running process: C:\WINDOWS\SYSTEM32\cidaemon.exe
deleted: malware Exploit.Java.ByteVerify File: C:\Documents and Settings\Mcgadget\Application Data\Sun\Java\Deployment\cache\6.0\21\1a6fec95-137c23f0/NewSecurityClassLoader.class
deleted: malware Exploit.Java.ByteVerify File: C:\Documents and Settings\Mcgadget\Application Data\Sun\Java\Deployment\cache\6.0\21\1a6fec95-137c23f0/NewURLClassLoader.class
disinfected: malware Exploit.Java.ByteVerify File: C:\Documents and Settings\Mcgadget\Application Data\Sun\Java\Deployment\cache\6.0\28\6d8c825c-6a32d609
disinfected: malware Exploit.Java.ByteVerify File: C:\Documents and Settings\Mcgadget\Application Data\Sun\Java\Deployment\cache\6.0\28\6d8c825c-6a32d609/NewSecurityClassLoader.class
disinfected: malware Exploit.Java.ByteVerify File: C:\Documents and Settings\Mcgadget\Application Data\Sun\Java\Deployment\cache\6.0\28\6d8c825c-6a32d609/NewURLClassLoader.class
disinfected: malware Exploit.Java.ByteVerify File: C:\Documents and Settings\Mcgadget\Application Data\Sun\Java\Deployment\cache\6.0\38\635eaa6-1d4a79ff
disinfected: malware Exploit.Java.ByteVerify File: C:\Documents and Settings\Mcgadget\Application Data\Sun\Java\Deployment\cache\6.0\38\635eaa6-1d4a79ff/NewSecurityClassLoader.class
disinfected: malware Exploit.Java.ByteVerify File: C:\Documents and Settings\Mcgadget\Application Data\Sun\Java\Deployment\cache\6.0\38\635eaa6-1d4a79ff/NewURLClassLoader.class
disinfected: malware Exploit.Java.ByteVerify File: C:\Documents and Settings\Mcgadget\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-509f0663-2365b827.zip
disinfected: malware Exploit.Java.ByteVerify File: C:\Documents and Settings\Mcgadget\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-509f0663-2365b827.zip/NewSecurityClassLoader.class
disinfected: malware Exploit.Java.ByteVerify File: C:\Documents and Settings\Mcgadget\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-509f0663-2365b827.zip/NewURLClassLoader.class
disinfected: malware Exploit.Java.ByteVerify File: C:\Documents and Settings\Mcgadget\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-68d0d310-61175c79.zip
disinfected: malware Exploit.Java.ByteVerify File: C:\Documents and Settings\Mcgadget\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-7317f359-1ab9a491.zip
deleted: Trojan program Trojan-Downloader.Win32.Zlob.fjh File: C:\WINDOWS\Temp\pcb5k82z.exe//stream//Script
deleted: Trojan program Trojan-Downloader.Win32.Zlob.eoq File: C:\WINDOWS\Temp\pcb5k82z.exe//stream//data0004
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DP1.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DP11.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DP13.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DP15.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DP17.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DP177.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DP179.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DP17B.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DP17D.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DP19.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DP1A7.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DP1B.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DP1D.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DP1F.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DP21.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DP27.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DP3.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DP5.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DP7.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DP9.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DPB.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DPBC.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DPBE.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DPCD.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DPCF.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DPD.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DPD3.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\WINDOWS\Temp\~DPE.exe//PKLite32
deleted: Trojan program Trojan-Dropper.Win32.Delf.xo Email message attachment:


This tries to turn your computer into a spam mail server.


Mtlgold
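The scan output above is plain text in a fixed shape (`status: category name File|Running process: object`), and the long run of identical `Trojan-Proxy.Win32.Agent.kj` hits makes it hard to read by eye. Below is a small parser and triage helper written for this page as an added example; it is not code from the poster or from the scanner. It feeds on a constructed excerpt in the same format, splits off the `//PKLite32`-style unpacker layers and `/member` archive entries from the on-disk path, counts file detections per verdict, and flags two things an analyst looks for first: executables dropped in `Temp` or the drive root, and a core Windows process name sitting outside `\System32` (the log shows `C:\windows\csrss.exe`, not `C:\WINDOWS\system32\csrss.exe`). The `SYSTEM32_ONLY` set is a triage heuristic assumed here, not something the post states.

```python
import ntpath
import re
from collections import Counter

# Constructed sample lines in the same format as the scan output posted
# above (a short excerpt, not the whole log).
SAMPLE_LOG = """\
detected: riskware Invader Running process: C:\\WINDOWS\\SYSTEM32\\winlogon.exe
detected: riskware Invader Running process: C:\\WINDOWS\\Explorer.EXE
deleted: virus P2P-Worm.Win32.VB.dz File: C:\\bac.exe
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\\windows\\csrss.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\\WINDOWS\\Temp\\~DP1.exe//PKLite32
deleted: Trojan program Trojan-Proxy.Win32.Agent.kj File: C:\\WINDOWS\\Temp\\~DP3.exe//PKLite32
disinfected: malware Exploit.Java.ByteVerify File: C:\\Documents and Settings\\Mcgadget\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\28\\6d8c825c-6a32d609/NewURLClassLoader.class
deleted: adware not-a-virus:AdWare.Win32.NaviPromo.gen File: C:\\WINDOWS\\SYSTEM32\\ZPDOQL.EXE//PE_Patch.PECompact//PecBundle//PECompact
"""

LINE_RE = re.compile(
    r"^(?P<status>\w+): (?P<category>.+?) (?P<name>\S+) "
    r"(?P<kind>Running process|File): (?P<object>.+)$"
)

# Assumption (triage heuristic, not from the post): these core Windows
# process names are expected under \System32; the same name anywhere
# else deserves a closer look.
SYSTEM32_ONLY = {"csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "smss.exe", "svchost.exe"}


def parse_line(line):
    """Return a dict for one scanner line, or None if it is not a detection."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # "//PKLite32" etc. name the unpacker/container layers the scanner
    # went through; a single "/" marks a member inside an archive or a
    # Java cache entry.  Keep the on-disk container path separately.
    rec["container"] = rec["object"].split("//")[0].split("/")[0]
    return rec


def parse_log(text):
    """Parse every detection line in a scan report."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Count file detections per (status, detection name)."""
    return Counter((r["status"], r["name"])
                   for r in records if r["kind"] == "File")


def triage(records):
    """Flag file paths that stand out for a closer look."""
    findings = []
    for r in records:
        if r["kind"] != "File":
            continue
        path = r["container"]
        folder, base = ntpath.split(path)
        folder_l, base_l = folder.lower(), base.lower()
        if base_l in SYSTEM32_ONLY and not folder_l.endswith("\\system32"):
            findings.append(("system-name-outside-system32", path))
        elif "\\temp" in folder_l or folder_l.rstrip("\\").endswith(":"):
            findings.append(("dropped-in-temp-or-root", path))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarize(recs).items()):
        print(f"{n:3d}  {key[0]:<12} {key[1]}")
    for reason, path in triage(recs):
        print(f"{reason}: {path}")
```

Run against the full log above, the same code collapses the thirty-odd `~DP*.exe` entries into one count and leaves only the odd paths to read; the `Running process` entries are kept apart from file detections because the scanner reports them with a different verdict and they need separate judgement.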
wagdoll
That looks really nasty! I'm sorry you got hit with it and it caused such bad problems.

Can I ask if you're using Firefox or IE? Did you see what page was inside the rotator? I know it's hard to see anything like that while you're fighting a virus, though, and it locks your browser so you can't see; it's just that it might help to find out where it came from.

A little bit of info that may or may not be relevant...

*Trojan Zlob is inside pay-ads "banners". But POs should be able to see pay-ads even if they can't see what's inside them.

*Cpxinteractive and media servers are serving banners (via Zedo) that contain Vundo-family web pages. Make sure you have your browser set to prompt for downloads/installations and never just click "enter" when you get a prompt.

*Orana-ads is serving Clicksor content, and Clicksor is serving especialads, which still seems to have viruses inside. That virus is/was coming in via a Java applet, and the only thing that seemed to save me was using FF with Sun Java rather than the MS Java, but there was no warning from my AV when I came across that in FF about a month ago, and I think it had the potential to do something like what you've just got. I just wrote to Xray about Orana, but there will probably be other sites with orana-ads on them, and Clicksor need to get these bad banners out of their rotation.

If this virus is USA/Canada-targeted then the owner of Xray wouldn't get it anyway, and neither would I in the UK :-(

If you use Firefox, Adblock can be a good way to block viruses while still being able to check pages effectively to see the nasties on them.

You have to check inside Adblock manually, though, because it won't give any warning that there's something blocked; blocked URLs show up in dark red inside Adblock when you open it while viewing a page.

I'd recommend blocking:

*pay-ads*
*kasdfps.net*
*especialads*
*adxrnet.net*

You can also do this with any of the Vundo pages or anything else with viruses, autosearches or 0-iframes, keeping the list up to date every time you read about or personally come across anything that is potentially dangerous in these ways. It offers the best protection when you fill up Adblock with bad URLs as soon as you find out about them and keep it up to date.

Link to Adblock download
https://addons.mozilla.org/en-US/firefox/addon/10

Or Adblock Plus
https://addons.mozilla.org/en-US/firefox/addon/1865
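The four filters recommended above use the classic Adblock wildcard syntax: `*` matches any run of characters, the rest is literal, and matching is case-insensitive, which is why each term is wrapped in `*...*` to catch it anywhere in a request URL. The script below is an added example written for this page (not wagdoll's code or the Adblock extension's own matcher) that compiles such patterns into regular expressions and audits a set of constructed request URLs against them; the hostnames and paths in `SAMPLE_REQUESTS` are invented for the demonstration and do not come from the post. It models only the plain wildcard rules shown here and assumes legacy Adblock semantics; Adblock Plus's later `||`, `^` and `$option` syntax is not covered.

```python
import re

# The four patterns recommended above, in classic Adblock wildcard syntax.
BLOCKLIST = ["*pay-ads*", "*kasdfps.net*", "*especialads*", "*adxrnet.net*"]

# Constructed sample requests, as a page's ad rotator might issue them;
# none of these hostnames or paths come from the post.
SAMPLE_REQUESTS = [
    "http://www.example-ptp.test/surf/rotator.php?id=42",
    "http://ads.pay-ads.test/banner.php?zone=7",
    "http://cdn.kasdfps.net/js/loader.js",
    "http://rot.especialads.test/serve?c=3",
    "http://static.example.test/img/logo.gif",
    "HTTP://TRACK.ADXRNET.NET/pixel.gif",
]


def filter_to_regex(pattern):
    """Compile one wildcard filter to a case-insensitive regex.

    Every character except "*" is matched literally, so the "." in a
    hostname does not silently become a regex wildcard; "*" becomes ".*".
    The result is anchored at both ends, which is why the list above
    wraps each term in "*...*" to get substring matching.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def compile_blocklist(patterns):
    """Pair each filter with its compiled regex, preserving list order."""
    return [(p, filter_to_regex(p)) for p in patterns]


def match_filter(url, compiled):
    """Return the first filter that blocks `url`, or None if it would load."""
    for pattern, rx in compiled:
        if rx.match(url):
            return pattern
    return None


def audit(urls, patterns=BLOCKLIST):
    """Map each URL to the filter that blocks it (None = would load)."""
    compiled = compile_blocklist(patterns)
    return {u: match_filter(u, compiled) for u in urls}


if __name__ == "__main__":
    for url, hit in audit(SAMPLE_REQUESTS).items():
        print(f"{'BLOCK ' + hit if hit else 'allow':<22} {url}")
```

Running this over the URLs a page actually requested (for example, copied out of a proxy log) shows which ad-server calls a given blocklist would stop before the browser fetches them, and the `re.escape` step is the part worth copying: without it, `*kasdfps.net*` would also match `kasdfpsXnet`.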
mtlgold
I use Firefox with Adblock Plus and Greasemonkey to detect 0-iframes, but the hijack freezes the computer before the site loads. I never see the PTP page, and it bypasses all security. It disables the antivirus and firewall and makes false "activated" reports, but they are not enabled. You think you are safe, but your computer is wide open, waiting for the remote to take control.
Many other sites may be infected. It is not always on the site that uploads the nasty, but in a rotator, so only a small part of the traffic gets the nasty stuff. Because they promote the site in a PTP rotator, you have a chance of not loading the bad site; it's kind of a lotto, and if you get both, you are the big winner. It's almost certain they do not have it on the site when they are not working. Before we formatted the disk, the scan detected 278 nasty files; the ones you see here are the ones that came back as soon as you logged on to the internet. The disk was erased and reformatted 5 times, and the stuff could not be removed. I put in a new HD and reinstalled, and they are gone. I gave the HD to the police.


Mario
Gymbo73
I don't understand why POs are still running Orana and Clicksor ads. Clicksor doesn't accept PTR sites anymore and Orana has gone broke.

Jane