leewright
Aug 25 2003, 07:54 PM
Last night, Aussie time, I had to rebuild my computer as some sort of virus or bug had got onto my computer and my computer was sending hundreds of emails to random addresses.
This morning I was putting everything back on my computer and a message from Norton popped up telling me that a malicious attack had been made on my computer. The address given was Fast Exchange.
I don't know if someone has attached a virus to the site, as I have seen a lot of ads for this site lately, or if the site is being used as a backdrop for hacking attempts.
I'm not accusing the site or owners of anything, but be wary, everyone.
leewright
Aug 25 2003, 08:12 PM
Well, I just tried to log into the Fast Exchange site to send them a message in case it's not them, and it closed my browser and came up with the error again. This is what it said:
ALERT MALICIOUS SCRIPT DETECTED
object filesystem object
activity createtextfile
your computer is halted and needs to do somethind about this script
fILE C:\Documents and Settings\Leanne\http:\fast-exchange.com\1.hta
aCTION STOP THIS SCRIPT (RECOMMENDED)
If anyone has any ideas, please let me know.
dutchtraffic
Aug 25 2003, 08:15 PM
######! I got this too!!!!
Now I really hate them!
Pia
Aug 25 2003, 08:18 PM
My Internet Explorer freezes every time I get that page, can't use any traffic programs at the moment where people rotate them 'cos I get stuck every two seconds, not to mention that little ###### that comes with the page

Luckily Norton stops it but still I lose every window I have opened at the moment
dutchtraffic
Aug 25 2003, 08:31 PM
What about taking their site down?
ILLEGAL ACTIVITY REMOVED BY ADMINISTRATOR
twelfth
Aug 25 2003, 08:32 PM
dutchtraffic, you mean try out your software? Pls PM me for info, really hate them
freeandeasy
Aug 25 2003, 08:43 PM
QUOTE (dutchtraffic @ Aug 25 2003, 09:31 PM)
What about taking their site down?
ILLEGAL ACTIVITY REMOVED BY ADMINISTRATOR
Isn't that illegal?
leewright
Aug 25 2003, 09:13 PM
Yes, it's definitely their site. Every time I try and open their site for an ad it closes my browser and gives me the error. Am going to send email to a few sites and see if we can get the site banned from advertising.
ekelly
Aug 25 2003, 09:25 PM
QUOTE (freeandeasy @ Aug 25 2003, 09:43 PM)
QUOTE (dutchtraffic @ Aug 25 2003, 09:31 PM)
What about taking their site down?
ILLEGAL ACTIVITY REMOVED BY ADMINISTRATOR
Isn't that illegal?
I was just thinking the same thing.
Quite bold to publicly suggest doing something "malicious" to someone else's site. :ph34r:
cypr
Aug 25 2003, 09:26 PM
I'm not getting that, all I see is "Cannot create process. " Maybe my anti-virus is stopping the script before it starts? I'm not getting any message though...
dutchtraffic
Aug 25 2003, 09:48 PM
QUOTE (ekelly @ Aug 26 2003, 11:25 AM)
QUOTE (freeandeasy @ Aug 25 2003, 09:43 PM)
QUOTE (dutchtraffic @ Aug 25 2003, 09:31 PM)
What about taking their site down?
ILLEGAL ACTIVITY REMOVED BY ADMINISTRATOR
Isn't that illegal?
I was just thinking the same thing.
Quite bold to publicly suggest doing something "malicious" to someone else's site. :ph34r:
Do you care if it is a scam and installing viruses on your computer?
Something like "don't hurt the killer when you try to capture him".
Brianlfc
Aug 25 2003, 10:03 PM
Yep, just came here to report the same thing. Whenever I get a banner for these scammers, I click on it, it closes my browser with the message "cannot create process"
I could always avoid the banners, but the trouble is, most of them are using the PTR sites generic banners. I think WMs need to take these down.
dutchtraffic
Aug 25 2003, 10:16 PM
Brianlfc
Aug 25 2003, 10:25 PM
QUOTE (dutchtraffic @ Aug 26 2003, 05:16 AM)
Yeah, I can imagine...
Dutch, why not just delete all the members links for this scam?
There again, I suppose there are quite a lot of them?
Brianlfc
Aug 25 2003, 10:26 PM
QUOTE (dutchtraffic @ Aug 26 2003, 03:31 AM)
What about taking their site down?
ILLEGAL ACTIVITY REMOVED BY ADMINISTRATOR
What is this
ILLEGAL ACTIVITY REMOVED BY ADMINISTRATOR ?
ILLEGAL ACTIVITY REMOVED BY ADMINISTRATOR ?
kglaser
Aug 25 2003, 10:32 PM
QUOTE (dutchtraffic @ Aug 25 2003, 11:48 PM)
QUOTE (ekelly @ Aug 26 2003, 11:25 AM)
QUOTE (freeandeasy @ Aug 25 2003, 09:43 PM)
QUOTE (dutchtraffic @ Aug 25 2003, 09:31 PM)
What about taking their site down?
ILLEGAL ACTIVITY REMOVED BY ADMINISTRATOR
Isn't that illegal?
I was just thinking the same thing.
Quite bold to publicly suggest doing something "malicious" to someone else's site. :ph34r:
Do you care if it is a scam and installing viruses on your computer?
Something like "don't hurt the killer when you try to capture him".
Well, I guess if you're into the whole "vigilante justice" thing, it's ok then
dutchtraffic
Aug 25 2003, 10:34 PM
ILLEGAL ACTIVITY REMOVED BY ADMINISTRATOR
Brianlfc
Aug 25 2003, 10:41 PM
QUOTE (dutchtraffic @ Aug 26 2003, 05:34 AM)
ILLEGAL ACTIVITY REMOVED BY ADMINISTRATOR
ILLEGAL ACTIVITY REMOVED BY ADMINISTRATOR
dutchtraffic
Aug 25 2003, 10:48 PM
ILLEGAL ACTIVITY REMOVED BY ADMINISTRATOR
Brianlfc
Aug 25 2003, 10:52 PM
QUOTE (dutchtraffic @ Aug 26 2003, 05:48 AM)
ILLEGAL ACTIVITY REMOVED BY ADMINISTRATOR
Might be illegal, but it sure is cool

I can think of a few sites I'd love to do that with
dutchtraffic
Aug 25 2003, 10:56 PM
ILLEGAL ACTIVITY REMOVED BY ADMINISTRATOR
Brianlfc
Aug 25 2003, 10:58 PM
QUOTE (dutchtraffic @ Aug 26 2003, 05:56 AM)
ILLEGAL ACTIVITY REMOVED BY ADMINISTRATOR

Nice one
leewright
Aug 25 2003, 11:59 PM
I have just emailed about 50 webmasters warning them of the problems. CTBX has already taken all ads from this site down.
All we can do is get the word out to the sites and get it banned from advertising.
Also, if your antivirus is set to automatically close these scripts then you won't get a warning about it but you may get a browser shut down; antivirus automatically shuts the script and stops it from running.
If the script is allowed to run then probably what will happen is what happened to me last night: my computer went stupid and kept scanning and sending hundreds of emails, first to Yahoo accounts, some that didn't even exist, then it went through Hotmail accounts, then on to AOL accounts. So if this happens to you then the script is on your computer and there is nothing you can do unless you can locate the script. I had to rebuild my computer.
Everyone, let's get emails out to webmasters and get this site banned before it does any more damage to others' computers.
tiffany
Aug 26 2003, 02:35 AM
QUOTE (Brianlfc @ Aug 26 2003, 12:03 PM)
Yep, just came here to report the same thing. Whenever I get a banner for these scammers, I click on it, it closes my browser with the message "cannot create process"

i got this too.
thanks
biguow
Aug 26 2003, 03:30 AM
I do not get mad so quick.
But this really makes me, well, it's not allowed to post that word, lol
I did already send a mail to his host and server, let's hope they can do something about it.
I also wish that WMs reading this would get the banners and links for Fast Exchange out.
Sometimes it's just a click link and no description of the site it's going to.
And, yes, browser closed again.
Lucky for me that's so far everything that happened.
Well, security shields are on maximum at my PC until this is solved.
brela101201
Aug 26 2003, 03:37 AM
I wonder if the WM of Fast Exchange has acknowledged this problem yet? Has he sent any mails out about it, or is he MIA?
Zombie Master
Aug 26 2003, 06:08 AM
QUOTE (leewright @ Aug 26 2003, 03:29 PM)
I have just emailed about 50 webmasters warning them of the problems. CTBX has already taken all ads from this site down.
All we can do is get the word out to the sites and get it banned from advertising.
Also, if your antivirus is set to automatically close these scripts then you won't get a warning about it but you may get a browser shut down; antivirus automatically shuts the script and stops it from running.
If the script is allowed to run then probably what will happen is what happened to me last night: my computer went stupid and kept scanning and sending hundreds of emails, first to Yahoo accounts, some that didn't even exist, then it went through Hotmail accounts, then on to AOL accounts. So if this happens to you then the script is on your computer and there is nothing you can do unless you can locate the script. I had to rebuild my computer.
Everyone, let's get emails out to webmasters and get this site banned before it does any more damage to others' computers.
It's pointless emailing them about this.
They set it up so it would do this.
I would advise you if you want to stop this from running, and the page it tries to load up is this. Taken from their site right now:
QUOTE
Cannot create process. <img src="hacked.php" border=0>
I don't have a problem loading up the site, why, because I have added them to my restricted sites area of IE. I also blocked any cookies from there.
The reason they have done this is because yesterday I put a warning up about them on the e-gold discussion list warning people there. They reacted by doing this.
Considering who they are run by, it doesn't surprise me.
ecomcorp
Aug 26 2003, 06:22 AM
Who are they run by?
Zombie Master
Aug 26 2003, 06:26 AM
QUOTE (ecomcorp @ Aug 26 2003, 09:52 PM)
Who are they run by?
Scammer/hacker group called GMTech. They ran a site called egoldforum at one stage, but it disappeared.
http://www.getpaidforum.com/forums/index.p...hange\.com
That was from when they first started up.
They have changed their domain registration since then to show it being PA Australia. But nothing much else changed.
temer
Aug 26 2003, 01:45 PM
QUOTE (dutchtraffic @ Aug 26 2003, 07:48 AM)
ILLEGAL ACTIVITY REMOVED BY ADMINISTRATOR
Go go dutchtraffic!
leewright
Aug 26 2003, 05:46 PM
I have had replies from a lot of the sites I sent emails to and they have taken down advertising for this site and sent emails out to members warning them.
Zombie Master
Aug 26 2003, 10:11 PM
QUOTE (Jaikula @ Aug 26 2003, 09:38 PM)
QUOTE (leewright @ Aug 26 2003, 03:29 PM)
I have just emailed about 50 webmasters warning them of the problems. CTBX has already taken all ads from this site down.
All we can do is get the word out to the sites and get it banned from advertising.
Also, if your antivirus is set to automatically close these scripts then you won't get a warning about it but you may get a browser shut down; antivirus automatically shuts the script and stops it from running.
If the script is allowed to run then probably what will happen is what happened to me last night: my computer went stupid and kept scanning and sending hundreds of emails, first to Yahoo accounts, some that didn't even exist, then it went through Hotmail accounts, then on to AOL accounts. So if this happens to you then the script is on your computer and there is nothing you can do unless you can locate the script. I had to rebuild my computer.
Everyone, let's get emails out to webmasters and get this site banned before it does any more damage to others' computers.
It's pointless emailing them about this.
They set it up so it would do this.
I would advise you if you want to stop this from running, and the page it tries to load up is this. Taken from their site right now:
QUOTE
Cannot create process. <img src="hacked.php" border=0>
I don't have a problem loading up the site, why, because I have added them to my restricted sites area of IE. I also blocked any cookies from there.
The reason they have done this is because yesterday I put a warning up about them on the e-gold discussion list warning people there. They reacted by doing this.
Considering who they are run by, it doesn't surprise me.
Just updating this. They have now added something extra to their page. Make sure your ActiveX controls are off, or you have this site on your restricted list.
CODE
<html><body>
<img src="hacked.php" border=0> <object DATA="neo.php">
Zombie Master
Aug 26 2003, 10:20 PM
That above then tries to download a file called 2.exe
If ANYONE has been to that site and that file has downloaded to your system, check your system for that file. Or any EXE file that looks out of place on your C drive.
They will change the name of the file, but I will keep people posted to what it is.
But as I said, don't allow anything from that site to run on your system, so add it to your restricted list within your settings.
PS: I have reported their site to Telia hosting. Plus to ispsystem.com. Hopefully they do something about their site asap.
mummyinfeb01
Aug 26 2003, 11:17 PM
And what do you do if you get the 2.exe? I got it, it's sitting in my recycle bin. My computer updated config. files, so I did a system restore, I also found a system file that came up in a search of my files for "fast-exchange.com" before I did the restore, and did a google search on it. It came up on norton, and I was reading it when my computer decided to crash. (that's just my computer, does that 10 times a day)
But now, nothing's coming up, so hopefully the restore got rid of it. I don't know though..
If it's a keylogger, they haven't gotten anything important at least.
Zombie Master
Aug 26 2003, 11:51 PM
QUOTE (mummyinfeb01 @ Aug 27 2003, 02:47 PM)
And what do you do if you get the 2.exe? I got it, it's sitting in my recycle bin. My computer updated config. files, so I did a system restore, I also found a system file that came up in a search of my files for "fast-exchange.com" before I did the restore, and did a google search on it. It came up on norton, and I was reading it when my computer decided to crash. (that's just my computer, does that 10 times a day)
But now, nothing's coming up, so hopefully the restore got rid of it. I don't know though..
If it's a keylogger, they haven't gotten anything important at least.
I would go here:
http://www.symantec.com/sabu/ghost/ghost_personal/
Run a security check on your system.
I would also be changing your passwords just to be safe.
But fast-exchange.com needs to be added to people's restricted sites list. I am still going through emails for PMI and coming across ads for it.

I'm still that far behind. Aug 24 and catching.
jordi49
Aug 26 2003, 11:57 PM
Originally I was going to post that the site owners might not know about this, that their site could have been hacked...
But seeing as the owner is GMTech, then all bets are off...I would agree with Jaik that they are aware of it and in fact are causing this...Did a virus scan this morning but ran my autosurfs again this afternoon, so back to scanning I go...or maybe just check recent files unless they can download a file and change the last modified registry on it to show an earlier date?
mummyinfeb01
Aug 27 2003, 12:09 AM
QUOTE
I would go here:
http://www.symantec.com/sabu/ghost/ghost_personal/
Run a security check on your system.
I would also be changing your passwords just to be safe.
But fast-exchange.com needs to be added to people's restricted sites list. I am still going through emails for PMI and coming across ads for it. I'm still that far behind. Aug 24 and catching.
I did that already, before I did the restore, it came up with nothing.
I've added it to my restricted site list, and I'm too paranoid at the moment to change passwords.

but I'll get to that. I didn't go to anything important while it was on my computer though, so I'm not too worried about that.
ReDucTor
Aug 27 2003, 12:49 AM
Using a very well known problem with VBS and IE, the site creates a file called 2.exe then runs this file.
This file is packed with UPX.
When it first gets loaded, it checks if it's already loaded (by checking for a GlobalAtom Program12345)
It then registers itself as a service with RegisterServiceProcess on machines with that function.
It then copies itself to the System Folder with the name load32.exe
It then creates a new value in the registry at
Software\Microsoft\Windows\CurrentVersion\Run
With the name load32 and the path to the copy it made in the System folder.
It then finds the path to the Startup Directory and creates a file called rundllw.exe in it
It gets the startup directory from the Startup key in
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
It then copies itself again to the system folder with the name dllreg.exe
It then changes the win.ini, in the run path in the Windows it puts the path to the dllreg.exe that it just created.
Then it creates a copy in the system folder with the name vxdmgr32.exe
It then updates the system.ini making the shell value in boot be "vxdmgr32.exe explorer.exe"
It creates hooks on the keyboard and monitors keyboard activity, it also monitors clipboard activity...
I haven't finished exploring the rest of it, but I gotta go, just finally got a half hour now to check out that.
The creation of it recreating everything is in the first few stops so removing is there. I see a few sections checking for things like e-gold, evocash, etc then if it's them it will mail information off to alex@mail.ru
Anyone wanna rewrite my post in layman's terms? For removing it, change all your passwords people..
I also heard the same thing is on hiningtom.com
When I get back, I will explore what it does, and provide some more information for people..
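The persistence points listed in the post above, turned into a check, as an added example that is not part of the original thread. The function takes the Run-key values, the Startup folder listing and the text of win.ini and system.ini as inputs (collecting them is left out), the sample data is constructed, and treating `explorer.exe` alone as the clean shell value is an assumption.

```python
import ntpath

# File names reported in the post above (2.exe is the initial download).
DROPPED = {"2.exe", "load32.exe", "dllreg.exe", "vxdmgr32.exe", "rundllw.exe"}
CLEAN_SHELL = "explorer.exe"  # assumption: the unmodified [boot] shell value


def ini_value(text, section, key):
    """First value of key in [section] (both given lowercase); None if absent."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == section and "=" in line and not line.startswith(";"):
            name, value = line.split("=", 1)
            if name.strip().lower() == key:
                return value.strip()
    return None


def dropped_in(command):
    """Dropped file names referenced anywhere in a command line or path."""
    tokens = command.replace('"', " ").replace(",", " ").split()
    return {ntpath.basename(t).lower() for t in tokens} & DROPPED


def find_persistence(run_values, startup_files, win_ini, system_ini):
    """Return (location, detail) pairs for each persistence point found."""
    findings = []
    for name, command in run_values.items():
        if name.lower() == "load32" or dropped_in(command):
            findings.append(("Run key", f"{name} = {command}"))
    for filename in startup_files:
        if dropped_in(filename):
            findings.append(("Startup folder", filename))
    run_line = ini_value(win_ini, "windows", "run") or ""
    if dropped_in(run_line):
        findings.append(("win.ini [windows] run", run_line))
    shell = ini_value(system_ini, "boot", "shell") or ""
    if shell and shell.lower() != CLEAN_SHELL:
        findings.append(("system.ini [boot] shell", shell))
    return findings


# Constructed sample of an affected machine, not data from the thread.
SAMPLE_RUN = {
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    "load32": r"C:\WINDOWS\SYSTEM\load32.exe",
}
SAMPLE_STARTUP = ["Microsoft Office.lnk", "rundllw.exe"]
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\dllreg.exe\n"
SAMPLE_SYSTEM_INI = (
    "[boot]\nshell=vxdmgr32.exe explorer.exe\n"
    "[386Enh]\ndevice=*vshare\ndevice=*dynapage\n"
)

if __name__ == "__main__":
    for location, detail in find_persistence(
        SAMPLE_RUN, SAMPLE_STARTUP, SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI
    ):
        print(f"{location}: {detail}")
```

All four locations have to come back clean before the machine can be considered free of this file, since each one relaunches a separate copy.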
Qadeer
Aug 27 2003, 12:53 AM
QUOTE (Brianlfc @ Aug 26 2003, 09:03 AM)
Yep, just came here to report the same thing. Whenever I get a banner for these scammers, I click on it, it closes my browser with the message "cannot create process"
I could always avoid the banners, but the trouble is, most of them are using the PTR sites generic banners. I think WMs need to take these down.
I am getting the same.....
######.... I'll not click on any Fast-Exchange banner now
mummyinfeb01
Aug 27 2003, 01:04 AM
Thanks Reductor.
This was the file I found:
QUOTE
rundllw.exe
It's not there anymore, so I'm pretty sure the system restore got rid of it all. Hope so anyhow.
onibytom
Aug 27 2003, 06:24 AM
QUOTE (mummyinfeb01 @ Aug 27 2003, 03:04 PM)
Thanks Reductor.
This was the file I found:
QUOTE
rundllw.exe
It's not there anymore, so I'm pretty sure the system restore got rid of it all. Hope so anyhow.
QUOTE
rundllw.exe
File not found, so I have not the problem?? Or what??
leewright
Aug 27 2003, 08:58 AM
I have just had to rebuild my computer again, twice in 2 days, as it went stupid again sending masses of emails. Don't know if this is related to Fast Exchange but it seems a coincidence it happened the same time the first time as the problem started with Fast Exchange. If anyone knows why else my computer would be sending mass emails I would appreciate the info. The only reason I know it was sending mass emails is Norton kept scanning them, hundreds at a time.
I had to turn off email scanning to get important stuff off puter so I could rebuild.
Zombie Master
Aug 28 2003, 02:47 PM
It looks like Telia or ISPSystems have taken action against the site and removed it. I have tried getting there using both their .com address, and IP address. Same thing results.
Feedup
Aug 28 2003, 11:35 PM
DO any of you ever take your head out of your butt?????? Before you blame it on "fast exchange" did you ever think THEY MAY BE THE VICTIM here as some HACKER may have hacked their site and did this ?????
They may be out more than any one of us!!!
THINK BEFORE you condemn a site or say THEY are the scammers...THERE ARE TOO MANY OTHER SO CALLED WEBMASTERS in here that are scammers and cheats...YOU KNOW WHO THEY ARE as they are some that DO THE MOST POSTING IN HERE!!!!
dutchtraffic
Aug 29 2003, 12:31 AM
QUOTE (Feedup @ Aug 29 2003, 01:35 PM)
DO any of you ever take your head out of your butt?????? Before you blame it on "fast exchange" did you ever think THEY MAY BE THE VICTIM here as some HACKER may have hacked their site and did this ?????
They may be out more than any one of us!!!
THINK BEFORE you condemn a site or say THEY are the scammers...THERE ARE TOO MANY OTHER SO CALLED WEBMASTERS in here that are scammers and cheats...YOU KNOW WHO THEY ARE as they are some that DO THE MOST POSTING IN HERE!!!!
Hello,
You have no idea what you are talking about.
Maybe you should do some research yourself before posting here.
leewright
Aug 29 2003, 06:00 AM
It is happening again. I have my computer sending mass emails. If anyone knows why this would be happening please HELP ME. I have already rebuilt my computer twice in 2 days, I don't want to have to do it again.
Zombie Master
Aug 29 2003, 04:51 PM
QUOTE (Feedup @ Aug 29 2003, 03:05 PM)
DO any of you ever take your head out of your butt?????? Before you blame it on "fast exchange" did you ever think THEY MAY BE THE VICTIM here as some HACKER may have hacked their site and did this ?????
They may be out more than any one of us!!!
THINK BEFORE you condemn a site or say THEY are the scammers...THERE ARE TOO MANY OTHER SO CALLED WEBMASTERS in here that are scammers and cheats...YOU KNOW WHO THEY ARE as they are some that DO THE MOST POSTING IN HERE!!!!
Amazing how you didn't last longer than 4 posts on here.

Oh, and hello Tim Johnson, how nice of you to reappear and make another spectacle of yourself.
Zombie Master
Aug 29 2003, 04:59 PM
QUOTE (leewright @ Aug 29 2003, 09:30 PM)
It is happening again. I have my computer sending mass emails. If anyone knows why this would be happening please HELP ME. I have already rebuilt my computer twice in 2 days, I don't want to have to do it again.
Ok.
Need more details on your system.
What OS are you running?
What IE version are you running?
If you are running IE 5.x, immediately update to IE 6.x.
But no matter what OS version of Windows you run, immediately get all patches you can installed.
Block sites like fast-exchange.com and the other one I listed.
Get yourself a good firewall, this is the first thing you get once you reconnect back to the net, and virus protection. Get yourself a spyware detector program.