
Hijack: .3utilities.com?

Spamlet

XPPro SP3 all up to date. Avast free all up to date.

Whilst browsing innocent looking kitchen furnishing sites, my browser
suddenly came up with a window that looked like Windows Security Centre,
with an inset window looking like my AV. This inset window showed a list of
supposed trojans and other malware, and was accompanied by a popup insisting
that my system was desperately vulnerable and I should click a link to scan
it now.

I, instead, opted for pulling the plug and running ccleaner, clearing
history and running spybot and malware bytes. No malware found yet.

The hijack went to http://x05y08.3utilities.com (Sorry: I can't see how to
write this so it doesn't make a hyperlink: perhaps someone can tell me how
to do that too.) The '0's may be 'o's or a combination.

Searches on this link and its various '0' combinations came up with no other
mentions of this hijack. The 3utilities domain does get a few unreliable
notes.

Anyone know any more about this? Were WSC and Avast actually responding to
this site as they should, or was the site imitating them to fool me into
believing the popup and clicking their 'scan your pc now' button?

Cheers,

S
 
MowGreen

Spamlet wrote:
> XPPro SP3 all up to date. Avast free all up to date.
>
> Whilst browsing innocent looking kitchen furnishing sites, my browser
> suddenly came up with a window that looked like Windows Security Centre,
> with an inset window looking like my AV. This inset window showed a list of
> supposed trojans and other malware, and was accompanied by a popup insisting
> that my system was desperately vulnerable and I should click a link to scan
> it now.
>
> I, instead, opted for pulling the plug and running ccleaner, clearing
> history and running spybot and malware bytes. No malware found yet.
>
> The hijack went to hxxp://x05y08.3utilities.com (Sorry: I can't see how to
> write this so it doesn't make a hyperlink: perhaps someone can tell me how
> to do that too.) The '0's may be 'o's or a combination.
>
> Searches on this link and its various '0' combinations came up with no other
> mentions of this hijack. The 3utilities domain does get a few unreliable
> notes.
>
> Anyone know any more about this? Were WSC and Avast actually responding to
> this site as they should, or was the site imitating them to fool me into
> believing the popup and clicking their 'scan your pc now' button?
>
> Cheers,
>
> S
>
>


3utilities.com resolves to this IP: 204.16.252.112
x05y08.3utilities.com yields a 403 Forbidden message and resolves to
this IP: 85.234.191.94
85.234.191.94 is located in Riga, Latvia, and is on a list of bad sites:
http://hosts-file.net/?s=85.234.191.94
http://malc0de.com/database/index.php?search=85.234.191&IP=on

You were wise to pull the power plug. In situations such as this, one
can open Task Manager and End the Internet Explorer process
(iexplore.exe) instead of pulling the power plug.

What most likely happened was that either an Iframe or a malware
embedded ad (malvertizement) triggered the phony AV scan.
Avast's popup window when encountering embedded malware on a site is
quite unique and should be difficult to mimic. Key word being *should*.
The phony Windows Security Center warning is not quite as easy to
discern from the one you see that actually stems from Windows XP.

The malware it claimed was resident on your computer was not present and
yes, the rogue AV was trying to fool you to click the scan button so it
could download malware to your system. Then, to "clean up" the malware
that was not present and the ensuing malware that would be downloaded,
they would tell you that you had to buy their "product".

The worst part about this rogue AV "software" is that folks get conned
by it, actually purchase it, and then do not dispute the charges -
Rogue Antivirus Victims Seldom Fight Back
http://krebsonsecurity.com/2010/07/rogue-antivirus-victims-seldom-fight-back/

As to munging a possibly malware laden link, just change the http to
hxxp, like this - hxxp://x05y08.3utilities.com


MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked
 
smlunatick

Re: Hijack: .3utilities.com?

On Aug 5, 8:18 pm, "Spamlet" <spam.mores...@invalid.invalid> wrote:
> XPPro SP3 all up to date.  Avast free all up to date.
>
> Whilst browsing innocent looking kitchen furnishing sites, my browser
> suddenly came up with a window that looked like Windows Security Centre,
> with an inset window looking like my AV.  This inset window showed a list of
> supposed trojans and other malware, and was accompanied by a popup insisting
> that my system was desperately vulnerable and I should click a link to scan
> it now.
>
> I, instead, opted for pulling the plug and running ccleaner, clearing
> history and running spybot and malware bytes.  No malware found yet.
>
> The hijack went tohttp://x05y08.3utilities.com (Sorry: I can't see how to
> write this so it doesn't make a hyperlink: perhaps someone can tell me how
> to do that too.)   The '0's may be 'o's or a combination.
>
> Searches on this link and its various '0' combinations came up with no other
> mentions of this hijack.  The 3utilities domain does get a few unreliable
> notes.
>
> Anyone know any more about this?  Were WSC and Avast actually responding to
> this site as they should, or was the site imitating them to fool me into
> believing the popup and clicking their 'scan your pc now' button?
>
> Cheers,
>
> S


Sounds like you hit a web site that by-passed the A/V software and
presented you a "fake" anti-virus screen. There have been posts of a
fake anti-virus system known as Avast Anti-Virus Pro (???)

Never click on any part of this type of "window." This is
"malware" and by clicking on the windows, you are actually "accepting"
their "hidden" contract terms. They would state "you" have accepted
the contract terms and the charge for:
-- each clean up
-- each update
-- Uninstall codes.
 
Spamlet

"MowGreen" <mowgreen@nowandzen.com> wrote in message
news:i3f5lg$kst$1@speranza.aioe.org...
> Spamlet wrote:
>> XPPro SP3 all up to date. Avast free all up to date.
>>
>> Whilst browsing innocent looking kitchen furnishing sites, my browser
>> suddenly came up with a window that looked like Windows Security Centre,
>> with an inset window looking like my AV. This inset window showed a list
>> of
>> supposed trojans and other malware, and was accompanied by a popup
>> insisting
>> that my system was desperately vulnerable and I should click a link to
>> scan
>> it now.
>>
>> I, instead, opted for pulling the plug and running ccleaner, clearing
>> history and running spybot and malware bytes. No malware found yet.
>>
>> The hijack went to hxxp://x05y08.3utilities.com (Sorry: I can't see how
>> to
>> write this so it doesn't make a hyperlink: perhaps someone can tell me
>> how
>> to do that too.) The '0's may be 'o's or a combination.
>>
>> Searches on this link and its various '0' combinations came up with no
>> other
>> mentions of this hijack. The 3utilities domain does get a few unreliable
>> notes.
>>
>> Anyone know any more about this? Were WSC and Avast actually responding
>> to
>> this site as they should, or was the site imitating them to fool me into
>> believing the popup and clicking their 'scan your pc now' button?
>>
>> Cheers,
>>
>> S
>>
>>

>
> 3utilities.com resolves to this IP: 204.16.252.112
> x05y08.3utilities.com yields an 403 Forbidden message and resolves to this
> IP: 85.234.191.94
> 85.234.191.94 is located in Riga, Latvia, and is on a list of bad sites:
> http://hosts-file.net/?s=85.234.191.94
> http://malc0de.com/database/index.php?search=85.234.191&IP=on
>
> You were wise to pull the power plug. In situations such as this, one can
> open Task Manager and End the Internet Explorer process (iexplore.exe)
> instead of pulling the power plug.
>
> What most likely happened was that either an Iframe or a malware embedded
> ad (malvertizement) triggered the phony AV scan.
> Avast's popup window when encountering embedded malware on a site is quite
> unique and should be difficult to mimic. Key word being *should*. The
> phony Windows Security Center warning is not quite as easily to discern
> from the one you see that actually stems from Windows XP.
>
> The malware it claimed was resident on your computer was not present and
> yes, the rogue AV was trying to fool you to click the scan button so it
> could download malware to your system. Then, to "clean up" the malware
> that was not present and the ensuing malware that would be downloaded,
> they would tell you that you had to buy their "product".
>
> The worst part about this rogue AV "software" is that folks get conned by
> it, actually purchase it, and then do not dispute the charges -
> Rogue Antivirus Victims Seldom Fight Back
> http://krebsonsecurity.com/2010/07/rogue-antivirus-victims-seldom-fight-back/
>
> As to munging a possibly malware laden link, just change the http to
> hxxp, like this - hxxp://x05y08.3utilities.com
>
>
> MowGreen


Thanks Mow, a very good response.

I thought I already had a hosts file with all these black listed sites on.
Perhaps I lost it when I uninstalled Spybot during a recent hard drive
change. Would the SpyBot Resident protection - now reinstalled - have
picked this up? If not, how do I incorporate all the blacklisted sites, or
get a regularly updated hosts list (I used to have something called Hosts
Secure, but it seems to have disappeared now I come to think of it?). I've
added *3utilities.com* to my Adblock Plus filters in Firefox: is there a
similar add-on for IE8?

A lot of new questions: sorry! And, finally: should I be posting this as a
warning somewhere else?

Thanks very much for the prompt reply.

S
 
Spamlet

Re: Hijack: .3utilities.com?

"smlunatick" <yveslec@gmail.com> wrote in message
news:2d375cef-0e5f-434f-9f9e-b4586f2eefa5@o19g2000yqb.googlegroups.com...
On Aug 5, 8:18 pm, "Spamlet" <spam.mores...@invalid.invalid> wrote:
> XPPro SP3 all up to date. Avast free all up to date.
>
> Whilst browsing innocent looking kitchen furnishing sites, my browser
> suddenly came up with a window that looked like Windows Security Centre,
> with an inset window looking like my AV. This inset window showed a list
> of
> supposed trojans and other malware, and was accompanied by a popup
> insisting
> that my system was desperately vulnerable and I should click a link to
> scan
> it now.
>
> I, instead, opted for pulling the plug and running ccleaner, clearing
> history and running spybot and malware bytes. No malware found yet.
>
> The hijack went tohttp://x05y08.3utilities.com (Sorry: I can't see how to
> write this so it doesn't make a hyperlink: perhaps someone can tell me how
> to do that too.) The '0's may be 'o's or a combination.
>
> Searches on this link and its various '0' combinations came up with no
> other
> mentions of this hijack. The 3utilities domain does get a few unreliable
> notes.
>
> Anyone know any more about this? Were WSC and Avast actually responding to
> this site as they should, or was the site imitating them to fool me into
> believing the popup and clicking their 'scan your pc now' button?
>
> Cheers,
>
> S


Sounds like you hit a web site that by-passed the A/V software and
presented you a "fake" anti-virus screen. There have been posts of a
fake anti-virus system known as Avast Anti-Virus Pro (???)

Never click on any part of this type of "window." This is
"malware" and by clicking on the windows, you are actually "accepting"
their "hidden" contract terms. They would state "you" have accepted
the contract terms and the charge for:
-- each clean up
-- each update
-- Uninstall codes.

Thanks very much for the tip-offs.
Looks like I had a narrow escape, and will pass it on.

S
 
MowGreen

Spamlet wrote:
> "MowGreen"<mowgreen@nowandzen.com> wrote in message
> news:i3f5lg$kst$1@speranza.aioe.org...
>> Spamlet wrote:
>>> XPPro SP3 all up to date. Avast free all up to date.
>>>
>>> Whilst browsing innocent looking kitchen furnishing sites, my browser
>>> suddenly came up with a window that looked like Windows Security Centre,
>>> with an inset window looking like my AV. This inset window showed a list
>>> of
>>> supposed trojans and other malware, and was accompanied by a popup
>>> insisting
>>> that my system was desperately vulnerable and I should click a link to
>>> scan
>>> it now.
>>>
>>> I, instead, opted for pulling the plug and running ccleaner, clearing
>>> history and running spybot and malware bytes. No malware found yet.
>>>
>>> The hijack went to hxxp://x05y08.3utilities.com (Sorry: I can't see how
>>> to
>>> write this so it doesn't make a hyperlink: perhaps someone can tell me
>>> how
>>> to do that too.) The '0's may be 'o's or a combination.
>>>
>>> Searches on this link and its various '0' combinations came up with no
>>> other
>>> mentions of this hijack. The 3utilities domain does get a few unreliable
>>> notes.
>>>
>>> Anyone know any more about this? Were WSC and Avast actually responding
>>> to
>>> this site as they should, or was the site imitating them to fool me into
>>> believing the popup and clicking their 'scan your pc now' button?
>>>
>>> Cheers,
>>>
>>> S
>>>
>>>

>>
>> 3utilities.com resolves to this IP: 204.16.252.112
>> x05y08.3utilities.com yields an 403 Forbidden message and resolves to this
>> IP: 85.234.191.94
>> 85.234.191.94 is located in Riga, Latvia, and is on a list of bad sites:
>> http://hosts-file.net/?s=85.234.191.94
>> http://malc0de.com/database/index.php?search=85.234.191&IP=on
>>
>> You were wise to pull the power plug. In situations such as this, one can
>> open Task Manager and End the Internet Explorer process (iexplore.exe)
>> instead of pulling the power plug.
>>
>> What most likely happened was that either an Iframe or a malware embedded
>> ad (malvertizement) triggered the phony AV scan.
>> Avast's popup window when encountering embedded malware on a site is quite
>> unique and should be difficult to mimic. Key word being *should*. The
>> phony Windows Security Center warning is not quite as easily to discern
>> from the one you see that actually stems from Windows XP.
>>
>> The malware it claimed was resident on your computer was not present and
>> yes, the rogue AV was trying to fool you to click the scan button so it
>> could download malware to your system. Then, to "clean up" the malware
>> that was not present and the ensuing malware that would be downloaded,
>> they would tell you that you had to buy their "product".
>>
>> The worst part about this rogue AV "software" is that folks get conned by
>> it, actually purchase it, and then do not dispute the charges -
>> Rogue Antivirus Victims Seldom Fight Back
>> http://krebsonsecurity.com/2010/07/rogue-antivirus-victims-seldom-fight-back/
>>
>> As to munging a possibly malware laden link, just change the http to
>> hxxp, like this - hxxp://x05y08.3utilities.com
>>
>>
>> MowGreen

>
> Thanks Mow, a very good response.
>
> I thought I already had a hosts file with all these black listed sites on.
> Perhaps I lost it when I uninstalled Spybot during a recent hard drive
> change. Would the SpyBot Resident protection - now reinstalled - have
> picked this up? If not, how do I incorporate all the blacklisted sites, or
> get a regularly updated hosts list (I used to have something called Hosts
> Secure, but it seems to have disappeared now I come to think of it?). I've
> added *3utilities.com* to my Add Block Plus filters in Firefox: is there a
> similar add on for IE8?
>
> A lot of new questions: sorry! And, finally: should I be posting this as a
> warning somewhere else?
>
> Thanks very much for the prompt reply.
>
> S
>
>


There's no need to block 3utilities.com. There's nothing in any database
that indicates that it's a "bad site".
What you want to do is to at least receive a prompt when an IFrame is
involved. Open Internet Options in Control Panel. Click the Security tab.
Click on Internet.
Click the Custom level button.
Scroll down to the Miscellaneous heading.
Scroll down to Launching programs and files in an IFRAME
Set it to at least " Prompt (recommended) "
You can choose to set it to Disable as that will never allow an IFrame
to open.

As for Spybot, its Resident protection has been known to interfere when
a newer Version of the Windows Update Agent is installed.

You can post to their forum for any of your questions about using it -
http://forums.spybot.info/forumdisplay.php?f=4


MowGreen
 
Spamlet

"MowGreen" <mowgreen@nowandzen.com> wrote in message
news:i3hira$93o$1@speranza.aioe.org...
> Spamlet wrote:
>> "MowGreen"<mowgreen@nowandzen.com> wrote in message
>> news:i3f5lg$kst$1@speranza.aioe.org...
>>> Spamlet wrote:
>>>> XPPro SP3 all up to date. Avast free all up to date.
>>>>
>>>> Whilst browsing innocent looking kitchen furnishing sites, my browser
>>>> suddenly came up with a window that looked like Windows Security
>>>> Centre,
>>>> with an inset window looking like my AV. This inset window showed a
>>>> list
>>>> of
>>>> supposed trojans and other malware, and was accompanied by a popup
>>>> insisting
>>>> that my system was desperately vulnerable and I should click a link to
>>>> scan
>>>> it now.
>>>>
>>>> I, instead, opted for pulling the plug and running ccleaner, clearing
>>>> history and running spybot and malware bytes. No malware found yet.
>>>>
>>>> The hijack went to hxxp://x05y08.3utilities.com (Sorry: I can't see
>>>> how
>>>> to
>>>> write this so it doesn't make a hyperlink: perhaps someone can tell me
>>>> how
>>>> to do that too.) The '0's may be 'o's or a combination.
>>>>
>>>> Searches on this link and its various '0' combinations came up with no
>>>> other
>>>> mentions of this hijack. The 3utilities domain does get a few
>>>> unreliable
>>>> notes.
>>>>
>>>> Anyone know any more about this? Were WSC and Avast actually
>>>> responding
>>>> to
>>>> this site as they should, or was the site imitating them to fool me
>>>> into
>>>> believing the popup and clicking their 'scan your pc now' button?
>>>>
>>>> Cheers,
>>>>
>>>> S
>>>>
>>>>
>>>
>>> 3utilities.com resolves to this IP: 204.16.252.112
>>> x05y08.3utilities.com yields an 403 Forbidden message and resolves to
>>> this
>>> IP: 85.234.191.94
>>> 85.234.191.94 is located in Riga, Latvia, and is on a list of bad sites:
>>> http://hosts-file.net/?s=85.234.191.94
>>> http://malc0de.com/database/index.php?search=85.234.191&IP=on
>>>
>>> You were wise to pull the power plug. In situations such as this, one
>>> can
>>> open Task Manager and End the Internet Explorer process (iexplore.exe)
>>> instead of pulling the power plug.
>>>
>>> What most likely happened was that either an Iframe or a malware
>>> embedded
>>> ad (malvertizement) triggered the phony AV scan.
>>> Avast's popup window when encountering embedded malware on a site is
>>> quite
>>> unique and should be difficult to mimic. Key word being *should*. The
>>> phony Windows Security Center warning is not quite as easily to discern
>>> from the one you see that actually stems from Windows XP.
>>>
>>> The malware it claimed was resident on your computer was not present and
>>> yes, the rogue AV was trying to fool you to click the scan button so it
>>> could download malware to your system. Then, to "clean up" the malware
>>> that was not present and the ensuing malware that would be downloaded,
>>> they would tell you that you had to buy their "product".
>>>
>>> The worst part about this rogue AV "software" is that folks get conned
>>> by
>>> it, actually purchase it, and then do not dispute the charges -
>>> Rogue Antivirus Victims Seldom Fight Back
>>> http://krebsonsecurity.com/2010/07/rogue-antivirus-victims-seldom-fight-back/
>>>
>>> As to munging a possibly malware laden link, just change the http to
>>> hxxp, like this - hxxp://x05y08.3utilities.com
>>>
>>>
>>> MowGreen

>>
>> Thanks Mow, a very good response.
>>
>> I thought I already had a hosts file with all these black listed sites
>> on.
>> Perhaps I lost it when I uninstalled Spybot during a recent hard drive
>> change. Would the SpyBot Resident protection - now reinstalled - have
>> picked this up? If not, how do I incorporate all the blacklisted sites,
>> or
>> get a regularly updated hosts list (I used to have something called Hosts
>> Secure, but it seems to have disappeared now I come to think of it?).
>> I've
>> added *3utilities.com* to my Add Block Plus filters in Firefox: is there
>> a
>> similar add on for IE8?
>>
>> A lot of new questions: sorry! And, finally: should I be posting this as
>> a
>> warning somewhere else?
>>
>> Thanks very much for the prompt reply.
>>
>> S
>>
>>

>
> There's no need to block 3utilities.com. There's nothing in any database
> that indicates that it's a "bad site".
> What you want to do is to at least receive a prompt when an IFrame is
> involved. Open Internet Options in Control Panel. Click the Security tab.
> Click on Internet.
> Click the Custom level button.
> Scroll down to the Miscellaneous heading.
> Scroll down to Launching programs and files in an IFRAME
> Set it to at least " Prompt (recommended) "
> You can choose to set it to Disable as that will never allow an IFrame to
> open.
>
> As for Spybot, it's Resident protection has been known to interfere when a
> newer Version of the Windows Update Agent is installed.
>
> You can post to their forum for any of your questions about using it -
> http://forums.spybot.info/forumdisplay.php?f=4
>
> MowGreen


Thanks Mow,
I do have IFrame set to prompt, but the only 'prompt' I received was the one
to have my computer 'scanned'. (?) I was using Firefox at the time though,
so perhaps this works differently to IE.

I'll remember to turn off Resident protection before installing the next lot
of genuine Windows updates - of which the blog on your hosts-file.net link
tells there are some big ones on the way.

I was more interested in getting another hosts file. Is the one that can be
downloaded from hosts-file.net recommended, and is this or another you could
recommend automatically updateable?

Thank you,
S
 
MowGreen

Spamlet wrote:
> "MowGreen"<mowgreen@nowandzen.com> wrote in message
> news:i3hira$93o$1@speranza.aioe.org...
>> Spamlet wrote:
>>> "MowGreen"<mowgreen@nowandzen.com> wrote in message
>>> news:i3f5lg$kst$1@speranza.aioe.org...
>>>> Spamlet wrote:
>>>>> XPPro SP3 all up to date. Avast free all up to date.
>>>>>
>>>>> Whilst browsing innocent looking kitchen furnishing sites, my browser
>>>>> suddenly came up with a window that looked like Windows Security
>>>>> Centre,
>>>>> with an inset window looking like my AV. This inset window showed a
>>>>> list
>>>>> of
>>>>> supposed trojans and other malware, and was accompanied by a popup
>>>>> insisting
>>>>> that my system was desperately vulnerable and I should click a link to
>>>>> scan
>>>>> it now.
>>>>>
>>>>> I, instead, opted for pulling the plug and running ccleaner, clearing
>>>>> history and running spybot and malware bytes. No malware found yet.
>>>>>
>>>>> The hijack went to hxxp://x05y08.3utilities.com (Sorry: I can't see
>>>>> how
>>>>> to
>>>>> write this so it doesn't make a hyperlink: perhaps someone can tell me
>>>>> how
>>>>> to do that too.) The '0's may be 'o's or a combination.
>>>>>
>>>>> Searches on this link and its various '0' combinations came up with no
>>>>> other
>>>>> mentions of this hijack. The 3utilities domain does get a few
>>>>> unreliable
>>>>> notes.
>>>>>
>>>>> Anyone know any more about this? Were WSC and Avast actually
>>>>> responding
>>>>> to
>>>>> this site as they should, or was the site imitating them to fool me
>>>>> into
>>>>> believing the popup and clicking their 'scan your pc now' button?
>>>>>
>>>>> Cheers,
>>>>>
>>>>> S
>>>>>
>>>>>
>>>>
>>>> 3utilities.com resolves to this IP: 204.16.252.112
>>>> x05y08.3utilities.com yields an 403 Forbidden message and resolves to
>>>> this
>>>> IP: 85.234.191.94
>>>> 85.234.191.94 is located in Riga, Latvia, and is on a list of bad sites:
>>>> http://hosts-file.net/?s=85.234.191.94
>>>> http://malc0de.com/database/index.php?search=85.234.191&IP=on
>>>>
>>>> You were wise to pull the power plug. In situations such as this, one
>>>> can
>>>> open Task Manager and End the Internet Explorer process (iexplore.exe)
>>>> instead of pulling the power plug.
>>>>
>>>> What most likely happened was that either an Iframe or a malware
>>>> embedded
>>>> ad (malvertizement) triggered the phony AV scan.
>>>> Avast's popup window when encountering embedded malware on a site is
>>>> quite
>>>> unique and should be difficult to mimic. Key word being *should*. The
>>>> phony Windows Security Center warning is not quite as easily to discern
>>>> from the one you see that actually stems from Windows XP.
>>>>
>>>> The malware it claimed was resident on your computer was not present and
>>>> yes, the rogue AV was trying to fool you to click the scan button so it
>>>> could download malware to your system. Then, to "clean up" the malware
>>>> that was not present and the ensuing malware that would be downloaded,
>>>> they would tell you that you had to buy their "product".
>>>>
>>>> The worst part about this rogue AV "software" is that folks get conned
>>>> by
>>>> it, actually purchase it, and then do not dispute the charges -
>>>> Rogue Antivirus Victims Seldom Fight Back
>>>> http://krebsonsecurity.com/2010/07/rogue-antivirus-victims-seldom-fight-back/
>>>>
>>>> As to munging a possibly malware laden link, just change the http to
>>>> hxxp, like this - hxxp://x05y08.3utilities.com
>>>>
>>>>
>>>> MowGreen
>>>
>>> Thanks Mow, a very good response.
>>>
>>> I thought I already had a hosts file with all these black listed sites
>>> on.
>>> Perhaps I lost it when I uninstalled Spybot during a recent hard drive
>>> change. Would the SpyBot Resident protection - now reinstalled - have
>>> picked this up? If not, how do I incorporate all the blacklisted sites,
>>> or
>>> get a regularly updated hosts list (I used to have something called Hosts
>>> Secure, but it seems to have disappeared now I come to think of it?).
>>> I've
>>> added *3utilities.com* to my Add Block Plus filters in Firefox: is there
>>> a
>>> similar add on for IE8?
>>>
>>> A lot of new questions: sorry! And, finally: should I be posting this as
>>> a
>>> warning somewhere else?
>>>
>>> Thanks very much for the prompt reply.
>>>
>>> S
>>>
>>>

>>
>> There's no need to block 3utilities.com. There's nothing in any database
>> that indicates that it's a "bad site".
>> What you want to do is to at least receive a prompt when an IFrame is
>> involved. Open Internet Options in Control Panel. Click the Security tab.
>> Click on Internet.
>> Click the Custom level button.
>> Scroll down to the Miscellaneous heading.
>> Scroll down to Launching programs and files in an IFRAME
>> Set it to at least " Prompt (recommended) "
>> You can choose to set it to Disable as that will never allow an IFrame to
>> open.
>>
>> As for Spybot, it's Resident protection has been known to interfere when a
>> newer Version of the Windows Update Agent is installed.
>>
>> You can post to their forum for any of your questions about using it -
>> http://forums.spybot.info/forumdisplay.php?f=4
>>
>> MowGreen

>
> Thanks Mow,
> I do have IFrame set to prompt, but the only 'prompt' I received was the one
> to have my computer 'scanned'. (?) I was using Firefox at the time though,
> so perhaps this works differently to IE.
>
> I'll remember to turn off Resident protection before installing the next lot
> of genuine Windows updates - of which the blog on your hosts-file.net link
> tells there are some big ones on the way.
>
> I was more interested in getting another hosts file. Is the one that can be
> downloaded from hosts-file.net recommended, and is this or another you could
> recommend automatically updateable?
>
> Thankyou,
> S
>
>


YW, Spamlet.

Blocking Unwanted Parasites with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

The above hosts file will work in FF and IE.

The issue with Spybot's Resident protection involves the updating of the
Windows Update Agent, not with "normal" windows updates.
The ActiveX components of the WUA may fail to register properly.
That would be either muweb.dll and/or wuwebv.dll, depending upon if the
system is opted into Microsoft or Windows Update. The former is for MU,
the latter for WU.

I've been using SeaMonkey, another Mozilla-based browser, but see no
setting for IFrames.


MowGreen
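An added example, not code from the MVPS hosts project or from anyone in this thread, that bears on Spamlet's question about blacklist hosts files and the *3utilities.com* ad-blocker filter: it parses a hosts file in the layout such lists use and shows that a hosts entry matches an exact hostname only, so a line for 3utilities.com does nothing for a subdomain such as the x05y08 one (or the letter-o variant Spamlet wondered about), unless that exact name is listed too. The sample hosts content and the hostnames it lists are constructed for the example.

```python
"""Hosts-file blocklist coverage check.

Added example for this thread; it is not code from the MVPS hosts project or
from any poster. It parses a hosts file in the layout such lists use and
answers the question raised above: does a hosts entry for a domain also cover
an arbitrary subdomain of it? It does not, because the resolver matches
hosts-file names exactly and knows no wildcards.
"""
import ipaddress

# Constructed sample in hosts-file layout (comments, blank lines, tabs, several
# names per line). The entries are made up for the example, not taken from any
# published list.
SAMPLE_HOSTS = """\
# constructed sample, not a real blocklist
127.0.0.1       localhost

0.0.0.0 tracker.example.test
0.0.0.0 3utilities.com   www.3utilities.com   # trailing comment
0.0.0.0\tx05y08.3utilities.com
0.0.0.0 MixedCase.Example.test
this line has no address and is ignored
"""

# Addresses blocklists point names at so that connections go nowhere.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names that legitimately map to loopback and are not "blocked".
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def normalize(hostname):
    """Lower-case and strip a trailing dot, matching resolver behaviour."""
    return hostname.strip().lower().rstrip(".")


def parse_hosts(text):
    """Return {hostname: address} for every name in hosts-file text.

    Lines are '<address> <name> [<name> ...]' with '#' starting a comment.
    Malformed lines (no address, or a non-address first field) are skipped.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            table[normalize(name)] = fields[0]
    return table


def is_blocked(table, hostname):
    """True if the hosts table sends this exact hostname to a sink address."""
    name = normalize(hostname)
    if name in LOOPBACK_NAMES:
        return False
    return table.get(name) in SINK_ADDRESSES


def uncovered_subdomains(table, hostnames):
    """Hostnames not listed themselves although a parent domain is listed.

    This is the gap between a hosts file and a pattern-based blocker such as
    an ad-blocker filter: 3utilities.com in the table does nothing for a
    subdomain the attacker generates, unless that exact name is listed too.
    """
    gaps = []
    for hostname in hostnames:
        name = normalize(hostname)
        if name in table:
            continue
        labels = name.split(".")
        # Parents with at least two labels: a.b.c -> b.c (never the bare TLD).
        parents = [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
        if any(parent in table for parent in parents):
            gaps.append(name)
    return gaps


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for candidate in ("3utilities.com", "x05y08.3utilities.com",
                      "x05yo8.3utilities.com"):
        print(f"{candidate:28} blocked={is_blocked(hosts, candidate)}")
    # The constructed letter-o variant is not listed, so the hosts file does
    # nothing for it even though its parent domain is.
    print("not covered:", uncovered_subdomains(
        hosts, ["x05yo8.3utilities.com", "tracker.example.test"]))
```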
 
Spamlet

"MowGreen" <mowgreen@nowandzen.com> wrote in message
news:i3htis$pkq$1@speranza.aioe.org...
> Spamlet wrote:
>> "MowGreen"<mowgreen@nowandzen.com> wrote in message
>> news:i3hira$93o$1@speranza.aioe.org...
>>> Spamlet wrote:
>>>> "MowGreen"<mowgreen@nowandzen.com> wrote in message
>>>> news:i3f5lg$kst$1@speranza.aioe.org...
>>>>> Spamlet wrote:
>>>>>> XPPro SP3 all up to date. Avast free all up to date.
>>>>>>
>>>>>> Whilst browsing innocent looking kitchen furnishing sites, my browser
>>>>>> suddenly came up with a window that looked like Windows Security
>>>>>> Centre,
>>>>>> with an inset window looking like my AV. This inset window showed a
>>>>>> list
>>>>>> of
>>>>>> supposed trojans and other malware, and was accompanied by a popup
>>>>>> insisting
>>>>>> that my system was desperately vulnerable and I should click a link
>>>>>> to
>>>>>> scan
>>>>>> it now.
>>>>>>
>>>>>> I, instead, opted for pulling the plug and running ccleaner, clearing
>>>>>> history and running spybot and malware bytes. No malware found yet.
>>>>>>
>>>>>> The hijack went to hxxp://x05y08.3utilities.com (Sorry: I can't see
>>>>>> how
>>>>>> to
>>>>>> write this so it doesn't make a hyperlink: perhaps someone can tell
>>>>>> me
>>>>>> how
>>>>>> to do that too.) The '0's may be 'o's or a combination.
>>>>>>
>>>>>> Searches on this link and its various '0' combinations came up with
>>>>>> no
>>>>>> other
>>>>>> mentions of this hijack. The 3utilities domain does get a few
>>>>>> unreliable
>>>>>> notes.
>>>>>>
>>>>>> Anyone know any more about this? Were WSC and Avast actually
>>>>>> responding
>>>>>> to
>>>>>> this site as they should, or was the site imitating them to fool me
>>>>>> into
>>>>>> believing the popup and clicking their 'scan your pc now' button?
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> S
>>>>>>
>>>>>>
>>>>>
>>>>> 3utilities.com resolves to this IP: 204.16.252.112
>>>>> x05y08.3utilities.com yields an 403 Forbidden message and resolves to
>>>>> this
>>>>> IP: 85.234.191.94
>>>>> 85.234.191.94 is located in Riga, Latvia, and is on a list of bad
>>>>> sites:
>>>>> http://hosts-file.net/?s=85.234.191.94
>>>>> http://malc0de.com/database/index.php?search=85.234.191&IP=on
>>>>>
>>>>> You were wise to pull the power plug. In situations such as this, one
>>>>> can
>>>>> open Task Manager and End the Internet Explorer process (iexplore.exe)
>>>>> instead of pulling the power plug.
>>>>>
>>>>> What most likely happened was that either an Iframe or a malware
>>>>> embedded ad (malvertizement) triggered the phony AV scan.
>>>>> Avast's popup window when encountering embedded malware on a site is
>>>>> quite unique and should be difficult to mimic. Key word being *should*.
>>>>> The phony Windows Security Center warning is not quite as easy to
>>>>> discern from the one you see that actually stems from Windows XP.
>>>>>
>>>>> The malware it claimed was resident on your computer was not present
>>>>> and yes, the rogue AV was trying to fool you to click the scan button so
>>>>> it could download malware to your system. Then, to "clean up" the
>>>>> malware that was not present and the ensuing malware that would be
>>>>> downloaded, they would tell you that you had to buy their "product".
>>>>>
>>>>> The worst part about this rogue AV "software" is that folks get conned
>>>>> by it, actually purchase it, and then do not dispute the charges -
>>>>> Rogue Antivirus Victims Seldom Fight Back
>>>>> http://krebsonsecurity.com/2010/07/rogue-antivirus-victims-seldom-fight-back/
>>>>>
>>>>> As to munging a possibly malware laden link, just change the http to
>>>>> hxxp, like this - hxxp://x05y08.3utilities.com
>>>>>
>>>>>
>>>>> MowGreen
>>>>
>>>> Thanks Mow, a very good response.
>>>>
>>>> I thought I already had a hosts file with all these black listed sites
>>>> on. Perhaps I lost it when I uninstalled Spybot during a recent hard
>>>> drive change. Would the SpyBot Resident protection - now reinstalled -
>>>> have picked this up? If not, how do I incorporate all the blacklisted
>>>> sites, or get a regularly updated hosts list (I used to have something
>>>> called Hosts Secure, but it seems to have disappeared now I come to think
>>>> of it?). I've added *3utilities.com* to my AdBlock Plus filters in
>>>> Firefox: is there a similar add on for IE8?
>>>>
>>>> A lot of new questions: sorry! And, finally: should I be posting this
>>>> as a warning somewhere else?
>>>>
>>>> Thanks very much for the prompt reply.
>>>>
>>>> S
>>>>
>>>>
>>>
>>> There's no need to block 3utilities.com. There's nothing in any database
>>> that indicates that it's a "bad site".
>>> What you want to do is to at least receive a prompt when an IFrame is
>>> involved. Open Internet Options in Control Panel. Click the Security
>>> tab. Click on Internet.
>>> Click the Custom level button.
>>> Scroll down to the Miscellaneous heading.
>>> Scroll down to Launching programs and files in an IFRAME
>>> Set it to at least " Prompt (recommended) "
>>> You can choose to set it to Disable as that will never allow an IFrame
>>> to open.
>>>
>>> As for Spybot, its Resident protection has been known to interfere when
>>> a newer version of the Windows Update Agent is installed.
>>>
>>> You can post to their forum for any of your questions about using it -
>>> http://forums.spybot.info/forumdisplay.php?f=4
>>>
>>> MowGreen

>>
>> Thanks Mow,
>> I do have IFrame set to prompt, but the only 'prompt' I received was the
>> one to have my computer 'scanned'. (?) I was using Firefox at the time
>> though, so perhaps this works differently to IE.
>>
>> I'll remember to turn off Resident protection before installing the next
>> lot of genuine Windows updates - of which the blog on your hosts-file.net
>> link tells there are some big ones on the way.
>>
>> I was more interested in getting another hosts file. Is the one that can
>> be downloaded from hosts-file.net recommended, and is this or another you
>> could recommend automatically updateable?
>>
>> Thank you,
>> S
>>
>>

>
> YW, Spamlet.
>
> Blocking Unwanted Parasites with a Hosts File
> http://www.mvps.org/winhelp2002/hosts.htm
>
> The above hosts file will work in FF and IE.
>
> The issue with Spybot's Resident protection involves the updating of the
> Windows Update Agent, not with "normal" windows updates.
> The ActiveX components of the WUA may fail to register properly.
> That would be either muweb.dll and/or wuwebv.dll, depending on whether the
> system is opted into Microsoft or Windows Update. The former is for MU,
> the latter for WU.
>
> I've been using SeaMonkey, another Mozilla-based browser, but see no
> setting for IFrames.
>
>
> MowGreen


Very helpful. Thanks very much for all your help.
I don't see anything about IFrames in Firefox either, but it does have quite
a long list of sites where popups and images are blocked.

S
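The hosts-file approach recommended above, as an added example in Python (not code from the thread or from the MVPS project): the sample file contents are constructed, and the lookup shows the caveat that hosts entries are exact-match, so a line for 3utilities.com would not cover the x05y08 subdomain that was actually visited. The hostname `other.3utilities.com` is a hypothetical sibling used only to show that point.

```python
"""Exact-match hosts-file lookup (added example, not from the thread).

A hosts file such as the MVPS one maps each blocked hostname to 0.0.0.0
(older lists use 127.0.0.1), so the browser never reaches the real server.
Lookups are exact-match: an entry for a parent domain does not cover a
dynamic-DNS subdomain under it, which is why such lists grow so long.
"""

# Constructed sample in hosts-file syntax; the blocked hostname is the one
# from the thread, the *.example.* names are placeholders.
SAMPLE_HOSTS = """\
# Constructed sample, MVPS-style layout
127.0.0.1  localhost
0.0.0.0  x05y08.3utilities.com          # host from the thread
0.0.0.0  ads.example.net tracker.example.net  # two names on one line
   # indented comment and blank lines are ignored

0.0.0.0  BadCase.Example.org
"""

# Addresses that a hosts list uses to blackhole a name.
BLACKHOLE = {"0.0.0.0", "127.0.0.1"}


def parse_hosts(text: str) -> dict:
    """Return {hostname: address} for every entry, ignoring comments."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing or whole-line comments
        if not line:
            continue
        addr, *names = line.split()           # one address, one or more names
        for name in names:
            table[name.lower()] = addr        # hostnames are case-insensitive
    return table


def is_blocked(hostname: str, table: dict) -> bool:
    """True only when this exact hostname is mapped to a blackhole address."""
    name = hostname.lower().rstrip(".")
    if name == "localhost":                   # loopback entry, not a block
        return False
    return table.get(name) in BLACKHOLE


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    # The parent domain and a hypothetical sibling subdomain are NOT blocked.
    for name in ("x05y08.3utilities.com", "3utilities.com",
                 "other.3utilities.com", "BADCASE.example.org"):
        print(f"{name:24} blocked={is_blocked(name, hosts)}")
```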
 

MowGreen

Flightless Bird
Spamlet wrote:
> Very helpful. Thanks very much for all your help.
> I don't see anything about IFrames in Firefox either, but it does have quite
> a long list of sites where popups and images are blocked.
>
> S



The NoScript add on can be installed to forbid IFRAMES for Untrusted
Sites in Mozilla based browsers. Forbid IFRAMES is Enabled by Default
when NoScript is installed.
The setting is on the Embeddings page of Options.


MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked
 

Spamlet

Flightless Bird
"MowGreen" <mowgreen@nowandzen.com> wrote in message
news:i3pcs2$bdi$1@speranza.aioe.org...
> Spamlet wrote:
>> Very helpful. Thanks very much for all your help.
>> I don't see anything about IFrames in Firefox either, but it does have
>> quite a long list of sites where popups and images are blocked.
>>
>> S

>
>
> The NoScript add on can be installed to forbid IFRAMES for Untrusted Sites
> in Mozilla based browsers. Forbid IFRAMES is Enabled by Default when
> NoScript is installed.
> The setting is on the Embeddings page of Options.
>
>
> MowGreen


Well thank you once again: this is going beyond the call of duty!
That looks like quite a sophisticated add on: I'll give it a try - though I
notice its own website appears to be encouraging a click and scan...

Cheers,
S
 

David in Normandy

Flightless Bird
On 09/08/2010 22:39, Spamlet wrote:
> "MowGreen"<mowgreen@nowandzen.com> wrote in message
> news:i3pcs2$bdi$1@speranza.aioe.org...
>> Spamlet wrote:
>>> Very helpful. Thanks very much for all your help.
>>> I don't see anything about IFrames in Firefox either, but it does have
>>> quite a long list of sites where popups and images are blocked.
>>>
>>> S

>>
>>
>> The NoScript add on can be installed to forbid IFRAMES for Untrusted Sites
>> in Mozilla based browsers. Forbid IFRAMES is Enabled by Default when
>> NoScript is installed.
>> The setting is on the Embeddings page of Options.
>>
>>
>> MowGreen

>
> Well thank you once again: this is going beyond the call of duty!
> That looks like quite a sophisticated add on: I'll give it a try - though I
> notice its own website appears to be encouraging a click and scan...
>


NoScript is one of the most widely used and trusted add-ons for Firefox.
I've used it for years... along with AdBlock Plus and Flashblock all of
which make browsing safer and faster by cutting out most of the crap.

--
David in Normandy. DavidinNormandy@yahoo.fr
To e-mail you must include the password FROG on the
subject line, or it will be automatically deleted
by a filter and not reach my inbox.
 

MowGreen

Flightless Bird
Spamlet wrote:
> Well thank you once again: this is going beyond the call of duty!
> That looks like quite a sophisticated add on: I'll give it a try - though I
> notice its own website appears to be encouraging a click and scan...
>
> Cheers,
> S
>



YW, S. NoScript is Trustworthy. Pay no mind to the scan. Someone has to
pay for NoScript's development.

After you've used NS for a while you'll learn which domains can be
allowed to run scripts and which ones to block *permanently*.
I rarely mark sites as Trusted as even Trusted sites can contain
malvertizing or malware linked IFrames.


MowGreen
 

Spamlet

Flightless Bird
"MowGreen" <mowgreen@nowandzen.com> wrote in message
news:i3rted$1cm$1@speranza.aioe.org...
> Spamlet wrote:
>> Well thank you once again: this is going beyond the call of duty!
>> That looks like quite a sophisticated add on: I'll give it a try - though
>> I notice its own website appears to be encouraging a click and scan...
>>
>> Cheers,
>> S
>>

>
>
> YW, S. NoScript is Trustworthy. Pay no mind to the scan. Someone has to
> pay for NoScript's development.
>
> After you've used NS for a while you'll learn which domains can be allowed
> to run scripts and which ones to block *permanently*.
> I rarely mark sites as Trusted as even Trusted sites can contain
> malvertizing or malware linked IFrames.
>
>
> MowGreen


Thanks Mow, it will take a while to get used to all the options, but for now
it seems enough to use the temporary options, as in most searches one only
needs to glance at a site to see if it is likely to offer what one is
seeking.

As for the host file, I think this has slowed things down a little but so
far not enough to be inconvenient.
With your help I feel that things should be safer now.

Cheers,
S
 