IMPORTANT! Strictly forbidden plug-in is spreading the net!

IMPORTANT! Strictly forbidden plug-in is spreading the net! by dafrizz on 03-17-2005 at 07:29 PM

Dear staff member(s),

Recently a site named <removed> has started. This site contains an MSN-hijacking tool that is used by many people. Opening the site will result in an automessage saying the following:

Wanna be a MSN-hacker? So you can mess with al your friends? Go to <link removed>

This program violates a law that must be respected. That law is privacy violation and is STRICTLY forbidden. I had contact with MSN Netherlands, and they said the following [translated from Dutch to English]:

"Dear Frits,

The problem you have brought to us is ONLY possible to be active with any version of Messenger Plus! installed. We recommend you to get in contact with Patchou."

I e-mailed the internet host as well, called Planet Internet BV. [www.planet.nl] I'm still waiting for their reply. I did a little research and found out that the MSNFunMaker is an MSN Trojan 5.0/MSN Spider and that the .exe makes a file in the path it's put in named gmon.out. I tried to delete it, but no result came out of it.

What I want to reach with this forum post is that you, from MessengerPlus.NET/Patchou.com consider making a program against it, or perform legal steps against the site owner(s).

Sincerely,

Frits Mijnders
The Netherlands
dafrizz@gmail.com


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by user13774 on 03-17-2005 at 08:00 PM

Frits, it's very good that you inform people about this. (y) 
WHOIS on the <removed> gives this address:

Registrant:
   Ab Decor
   Ijsselstraat 21
   Ijsselstein, Utrecht 3401DY
   NL

I checked this address with Routenet.nl (I'm also Dutch) and this address is fake :S. Same goes for the telephone number on the WHOIS page: 0573408448. The province of Utrecht, and IJsselstein for sure, has regional number 03(0) and not 057.

You're right that Planet.nl should remove this site from their servers as soon as possible, and I hope they will.

(The 'root' of the Planet.nl account picturecentre is hosted on shows this site: <link removed> which contains no info about the user..)

BTW.. I downloaded the installer exe but Norton doesn't detect it as a virus. I scanned the file with the online malware scanner and only 2 of the 12 scanners give a hit:
Kaspersky Anti-Virus  Trojan-Dropper.Win32.WinAD.d (1.02 seconds taken)
mks_vir  Trojan.Dropper.Winad.D (0.22 seconds taken)


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by albert on 03-17-2005 at 08:22 PM

dang that seems dangerous.. so if we get Plus! off are we sure to b okay?!


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Yousef on 03-17-2005 at 08:26 PM

I don't see any way Messenger Plus has anything to do with this. Strange reply from MSN...

(btw, isn't this in the wrong forum?)


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by L. Coyote on 03-17-2005 at 08:36 PM

quote:
Originally posted by lp15
dang that seems dangerous.. so if we get Plus! off are we sure to b okay?!

Don't download that file on the web the guy is pointing at. That's how you are safe.

MsgPlus! has nothing to do with it.


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by saralk on 03-17-2005 at 08:44 PM

it's probably a plugin for messenger plus!, and there is a disclaimer saying that messenger plus! plugins may cause dodgy behaviour (not in those exact words)

It's like blaming bropia on microsoft.


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by user13774 on 03-17-2005 at 08:44 PM

Just to clear some things up:

What I understand from dafrizz and the <removed> site is that it's supposed to be a hacking tool which attacks people using Msgplus. I think this is not true and it's just a virus/trojan that installs itself and claims to be Msgplus.
If you read the readme of the tool it says you have to type commands like

"name(...)" where '...' should be the name you want your contact's name to change to.
These are no normal Msgplus commands... (which start with a '/').

@ lp15:
There is NO need to remove Plus. This is a virus/trojan, and it doesn't spread through MSN/Msgplus, so only if you download/execute it yourself it's a problem. Just don't run it and never accept anything like it from your contacts.

@ Juzzi:
Msgplus has nothing to do with it in the first place, but the 'hacking tool' claims to be a tool which attacks Msgplus users. I think Microsoft is just being naïve; this is just a MSN trojan which probably also works on MSN users without Msgplus.


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Vilkku on 03-17-2005 at 08:48 PM

I know a friend who uses this... :dodgy:


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by andrey on 03-17-2005 at 08:51 PM

quote:
Originally posted by Vilkku
I know a friend who uses this...

And it works ? :dodgy:
hm. I'll test that thing on my network tomorrow...


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by saralk on 03-17-2005 at 08:52 PM

me and ash tried it, but it didnt work.


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by user13774 on 03-17-2005 at 08:56 PM

I don't think it matters if it works or not... :dodgy:. It's probably a backdoor trojan, so the 'creator' of the program can also 'hack' your msn...

The 'hacker' needs to give another contact 'a file', before he can 'hack' his contact. I think it promotes itself to the 'contact' as a colored message or something (that's why it should only work with people who have Msgplus installed). Maybe it promotes itself as a plugin. I don't know.... :huh:. At least I don't believe that it's something that only affects Msgplus users..


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by CraigDowel on 03-17-2005 at 09:07 PM

<link removed>
Check that out, "Robert de Vries"... no Ab Decor, that's a prank


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by user13774 on 03-17-2005 at 09:12 PM

"Robert de Vries" sounds kinda prank too. It's "too typically Dutch" (I don't know how to say this well). My guess is that it's a second fake name :)


RE: RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by CraigDowel on 03-17-2005 at 09:13 PM

quote:
Originally posted by Markus
"Robert de Vries" sounds kinda prank too. It's "too typically Dutch" (I don't know how to say this well). My guess is that it's a second fake name :)

No, Robert is true. His father is a GP in a village in NL... I discovered that

http://www.huisartsen-laren.com/

there you are... The domain name was previously registered by Robert the Vries he is on the game :P for a long time..


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by user13774 on 03-17-2005 at 09:16 PM

'GP'...?   ^o)   in 'a village in NL'?   ^o)  You 'found that out'?  ^o)  (You mean discovered)


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by CookieRevised on 03-17-2005 at 09:17 PM

quote:
The problem you have brought to us is ONLY possible to be active with any version of Messenger Plus! installed. We recommend you to get in contact with Patchou.
quote:
Originally posted by Markus
I think Microsoft is just being naïve;

Indeed... even in the readme within the archive it states:
quote:
This cool thing works on all MsnVersions, inclusief MsnPlus.

You don't need to be a rocket scientist to figure out that that means that MsgPlus isn't even needed....


RE: RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by CraigDowel on 03-17-2005 at 09:17 PM

quote:
Originally posted by Markus
'GP'...?   ^o)   in 'a village in NL'?   ^o)  You 'found that out'?  ^o)  (You mean discovered)

My mistake, but indeed, he is a dutch guy, check my updated previous post.


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by segosa on 03-17-2005 at 09:20 PM

It just installs adware/spyware, and a shitload of it. (Internet Optimizer, etc..)


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by user13774 on 03-17-2005 at 09:21 PM

quote:
Originally posted by CraigDowel
http://www.huisartsen-laren.com/

there you are... The domain name was previously registered by Robert the Vries he is on the game  for a long time..
quote:
Originally posted by CraigDowel
My mistake, but indeed, he is a dutch guy, check my updated previous post.

I see... <link removed> was also about Laren. (which is a small town in gelderland, holland. I checked the postal code from the huisartsen-laren.com site)

RE: RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by CraigDowel on 03-17-2005 at 09:26 PM

quote:
Originally posted by Markus
quote:
Originally posted by CraigDowel
http://www.huisartsen-laren.com/

there you are... The domain name was previously registered by Robert the Vries he is on the game  for a long time..
quote:
Originally posted by CraigDowel
My mistake, but indeed, he is a dutch guy, check my updated previous post.

I see... <link removed> was also about Laren. (which is a small town in gelderland, holland. I checked the postal code from the huisartsen-laren.com site)


Jep, but that's just a start. He has built MSN Trojans previously, with the MSN api. This one works like a proxy...


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by CookieRevised on 03-17-2005 at 09:33 PM

quote:
Originally posted by CraigDowel
No, Robert is true. His father is a GP in a village in NL... I found that it out.

http://www.huisartsen-laren.com/

there you are... The domain name was previously registered by Robert the Vries he is on the game :P for a long time..

how do you 'find out' that 'GP' is the father of Robert de Vries?????? Also Robert de Vries can be a very common name. You can't 'find out' such details (father/son/etc...) without a page where it clearly states and links all these together, and even then it can be someone with the same name...
quote:
Originally posted by CraigDowel
Jep, but that's just a start. He has built MSN Trojans previously

how do you know this?


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by bungleMX on 03-17-2005 at 10:38 PM

hehehe LOL the program works perfect with or without plus yes it's illegal and the only thing you are doing is making free promotion and telling us to download, in fact maybe that was the purpose of this thread... you should think about it!!

(Y)


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Purity on 03-17-2005 at 11:01 PM

:dodgy: I tried it....when I tried opening from zip archive....It said.... Error: win32.ddl not found....:dodgy:

edit: it does the same when it's out of the zip also....^o) wtf!! what is this piece of shit virus?

* Purity will shit if norton doesn't update their software to this shit!


RE: RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by bungleMX on 03-17-2005 at 11:03 PM

quote:
Originally posted by Purity
:dodgy: I tried it....when I tried opening from zip archive....It said.... Error: win32.ddl not found....:dodgy:

* Purity will shit if norton doesn't update their software to this shit!


Yes that's the trick!

Someone should erase the thread if it is illegal


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Purity on 03-17-2005 at 11:20 PM

F***!, No one download this! Installs a bunch of malware, and possible virus! F***!!!!! So many processes!!:cry:

This is screwing up my computer big time!

I did a system restart right....but before restart I deleted all the unneeded processes and background programs....such as: bargins, slml, MediaAccess, MediaAAK.:dodgy: And when I logged back in after restart...I got a message saying invalid Reg key.... or something like that then it said that it fixed it....(in the same message...) And it took forever to log in!

This just disabled my auto protect...

quote:
Symantic user session

Blah blah blah....

Send report      dont sent

Something like that



* Purity pouts...


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by bungleMX on 03-17-2005 at 11:40 PM

yes, it sucks, system freeze softwares are cool in these cases, I always turn it on before installing trojans like this one...
The computer's client is the one who crashes, not yours, You don't need to install anything..


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Purity on 03-17-2005 at 11:46 PM

I'm scanning for viruses right now....my Norton auto protect was on when I tried installing the program...

This virus has covered everything. :|

like seriously, I stopped it from starting at startup and it fixes it back to enable on startup! F*** sakes! 

This is pissing me off soo much!:mad:


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by cloutier_39 on 03-18-2005 at 12:25 AM

lol, stupid plug-in, it just about got me yesterday :>


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by CookieRevised on 03-18-2005 at 12:33 AM

ermmm... guys I hope you all were smart enough to not launch such things in your main Windows Installation.

NEVER EVER run stuff like that outside a closed virtual environment or test computer and without the proper knowledge on what you exactly are doing!!!!!!!!!!

Things like this always leave stuff behind or stuff which can not be recovered from.


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by alewington on 03-18-2005 at 12:54 AM

get the ip address of the site and then go to http://network-tools.com


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by stephen_wq on 03-18-2005 at 05:50 AM

Did you actually install it?!?!?!?!

Hasn't this whole thread been about not installing it......
and why would you download a virus anyway? leave that to symantec


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by segosa on 03-18-2005 at 06:40 AM

quote:
Originally posted by Purity
I'm scanning for viruses right now....my Norton auto protect was on when I tried installing the program...

This virus has covered everything. :|

like seriously, I stopped it from starting at startup and it fixes it back to enable on startup! F*** sakes! 

This is pissing me off soo much!:mad:

This is just the dumbest thing I've ever seen. You deserve this if you're so stupid to run it on your normal Windows installation. Seriously, what the fuck were you thinking?


RE: RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Moo on 03-18-2005 at 06:55 AM

quote:
Originally posted by Segosa
It just installs adware/spyware, and a shitload of it. (Internet Optimizer, etc..)

Exactly what it did here... didn't touch MSN though...


RE: RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by CraigDowel on 03-18-2005 at 06:56 AM

quote:
Originally posted by CookieRevised
quote:
Originally posted by CraigDowel
No, Robert is true. His father is a GP in a village in NL... I found that it out.

http://www.huisartsen-laren.com/

there you are... The domain name was previously registered by Robert the Vries he is on the game :P for a long time..
how do you 'find out' that 'GP' is the father of Robert de Vries?????? Also Robert de Vries can be a very common name. You can't 'find out' such details (father/son/etc...) without a page where it clearly states and links all these together, and even then it can be someone with the same name...
quote:
Originally posted by CraigDowel
Jep, but that's just a start. He has built MSN Trojans previously
how do you know this?

Well, quite a while ago, about 2 years, he made a trojan horse, and infected my sister's pc. I did some research, and I discovered that they even called him, but the google cache seems to be updated. BUT, google shows something nice: <link removed>

Now look at the third result, that's the Robert de Vries I'm talking about, he does exist.

Furthermore, he uses the nickname CrackerJack, and guess what google comes up with <link removed>

So, Robert de Vries seems to be CrackerJack, CrackerJack writes a trojan horse, which works like a proxy. He makes his trojan horse available for download.

And the prank Ab Decor, seems to own another domain name, on exactly the same address: <link removed>

He offers a file called webrebates, well, I've not yet tried to install it but I am quite sure that it contains spy or adware..

Do you still have any doubts? Well, call the GP. His name is Roel de Vries, and lives in Laren. Compare GP site with the picturecentre site, both sucky html, both don't look good... And here is another detail, check the frames source!

<NOFRAMES>
Sorry, your browser doesn't seem to support frames! <br>
Proceed to <A href="<link removed>"><link removed></A> manually.

</NOFRAMES>


Well, doubtful now?

Edit: another scrap of evidence: <link removed>

Edit2: Guess what, <removed> seems to be a registered passport account, so maybe he uses it for his own msn....


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by jtstone1983 on 03-18-2005 at 08:18 AM

Ummm....If the plugin is strictly forbidden...then why did you post the link? Also if it were possible to shut someone's computer down via Messenger; and do all kinds of other things to their contact list, shouldn't someone be a little suspicious;

*psssttt* For future reference; "msntrojan supermsntrojan msn" appears at the top of the Title Bar in your Internet Browser :P

Common Sense People :P Just use Common sense, don't download anything that sounds too good to be true.


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by segosa on 03-18-2005 at 08:26 AM

quote:
Originally posted by jtstone1983
Ummm....If the plugin is strictly forbidden...then why did you post the link? Also if it were possible to shut someone's computer down via Messenger; and do all kinds of other things to their contact list, shouldn't someone be a little suspicious;

*psssttt* For future reference; "msntrojan supermsntrojan msn" appears at the top of the Title Bar in your Internet Browser :P

Common Sense People :P Just use Common sense, don't download anything that sounds too good to be true.

It isn't even a trojan, just an ad/spyware installer.


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by user13774 on 03-18-2005 at 08:26 AM

It's not strictly forbidden.. it's just a program that installs shitloads of mal-/ad-/spyware. But it's hosted from a Planet.nl homepage site, and that's against the Terms & Conditions of Planet.nl. They should delete his webspace (and maybe cancel his internet account, because if he has a planet.nl homepage site he also has planet.nl as ISP).


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by jtstone1983 on 03-18-2005 at 08:32 AM

Still making a point though, just use common sense, anything with the word Hack and Take Over always leads to spyware and viruses...

Eventually it will be deleted, the same thing happened on the mess.be forums when somebody posted a direct link to updates.exe for Bropia;

Side Note: The Main link on the first post should be removed and renamed; this prevents complaints to Patchou, and pointless threads in the Help and Support section complaining about spyware that isn't related to Plus.


RE: RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by jtstone1983 on 03-18-2005 at 08:38 AM

quote:
Originally posted by Segosa
quote:
Originally posted by jtstone1983
Ummm....If the plugin is strictly forbidden...then why did you post the link? Also if it were possible to shut someone's computer down via Messenger; and do all kinds of other things to their contact list, shouldn't someone be a little suspicious;

*psssttt* For future reference; "msntrojan supermsntrojan msn" appears at the top of the Title Bar in your Internet Browser :P

Common Sense People :P Just use Common sense, don't download anything that sounds too good to be true.

It isn't even a trojan, just an ad/spyware installer.


Sadly, I was one of the people who downloaded it, my Anti-Virus and Anti-Spyware softwares went off the wall with alerts, It is a trojan (still unidentified) but it's mainly spyware. It's identifying it as a trojan because it has same similarities as Bropia does...only without the dropping of random pictures and automatically spreading through Messenger. I have a working version of Spyware Doctor, and Spybot Search and Destroy (not running at the same time) but both work really well and have been updated.


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Chestah on 03-18-2005 at 08:39 AM

time to prune this thread ;)


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by jtstone1983 on 03-18-2005 at 08:42 AM

Good Idea; maybe remove the link too; prevent further downloads as well ;)


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Purity on 03-18-2005 at 02:04 PM

I came to a total of 53 possible/adware viruses, I kinda wish norton wouldn't look for spyware and adware, because all I really wanted to see was how much viruses I had..

Bah, deleted it all! :)


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by John Anderton on 03-18-2005 at 02:46 PM

It doesnt look good.

quote:
Originally posted by saralk
me and ash tried it, but it didnt work.

I hope that it doesnt work for everyone cause i got really odd msg's
I got a invite from someone i dont know (invite to add to the list) and then she said that it wasnt added by her :S. Also i got a msg from a person that was a friend of my friends and i had added her once but i only spoke to her once then deleted her address but i got a pic from her (msg asked me permission to send it) and it was titled new naked pic of me :dodgy: and i know she wouldnt do that :dodgy:
WTF is happening :S


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by segosa on 03-18-2005 at 03:56 PM

quote:
Originally posted by John Anderton
It doesnt look good.
quote:
Originally posted by saralk
me and ash tried it, but it didnt work.
I hope that it doesnt work for everyone cause i got really odd msg's
I got a invite from someone i dont know (invite to add to the list) and then she said that it wasnt added by her :S. Also i got a msg from a person that was a friend of my friends and i had added her once but i only spoke to her once then deleted her address but i got a pic from her (msg asked me permission to send it) and it was titled new naked pic of me :dodgy: and i know she wouldnt do that :dodgy:
WTF is happening :S

You've been abducted by aliens.


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by John Anderton on 03-18-2005 at 04:04 PM

quote:
Originally posted by Segosa
You've been abducted by aliens.

huh ??? :S What ?? Pardon me :S


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by andrey on 03-18-2005 at 04:21 PM

quote:
Originally posted by John Anderton
quote:
Originally posted by Segosa
You've been abducted by aliens.
huh ??? :S What ?? Pardon me :S

Welcome back i guess.

What I wanted to say is that the <link removed> website has just disappeared and has been replaced by a "page not found" page.


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by user13774 on 03-18-2005 at 04:52 PM

quote:
Originally posted by andrey
What I wanted to say is that the <link removed> website has just disappeared and has been replaced by a "page not found" page.

It probably means Planet Internet kicked the site offline (y). Finally. So don't worry about the link in the first page anymore :)


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Glennage on 03-18-2005 at 05:19 PM

Its back up.


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by sjaakie on 03-18-2005 at 06:04 PM

He's my classmate from last year, he's a pretty weird guy I can tell you..


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by user13774 on 03-18-2005 at 06:50 PM

LOL.. the stupid fool uploaded his website somewhere else. Now it's angelfire. Let's send them an email :grin:.

EDIT:
* user13774 clicks the angelfire banner

* user13774 finds a 'report abuse' button...

* user13774 reads the Report Abuse information page

* user13774 thinks the site is violating this rule:
Piracy / Hacking / Copyright Violations - It is forbidden to provide pirated materials on your Lycos web site. This includes software and serial numbers. We will remove your site if it provides tools or information about computer hacking. Your account will also be removed if it is found to be in violation of the Digital Millennium Copyright Act.

* user13774 fills in the 'Report Abuse' form..

DONE :grin:


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by DJeX on 03-18-2005 at 08:25 PM

Ahh it dont work. Pile of crap it is.


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by spektor on 03-18-2005 at 08:26 PM

quote:
Just send the file <removed> to someone in your MSNlist.
When this person opens the file, he or she will go offline for a few secconds and then come online again.
At the moment she or he comes back online again, you can start messing around with him/her.

there's a quote from the read me, it only works by sending that file to the victim, proving it's a trojan, for everyone actually running the file...umm , don't? the whole point of the file is that it will run processes that should allow you to type all the commands it has in whatever window the infected victim is in, basically it works like all those really big ones like Sub7 and ProRat so if you run it...EVERYONE that knows the commands for this thing will be able to use all of those commands on you and probably be able to do a lot more if they have the knowledge


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by DJeX on 03-18-2005 at 08:29 PM

:dodgy: it don't work tho


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by spektor on 03-18-2005 at 08:30 PM

or maybe it seems like it doesnt? the whole point of it being a trojan would for it to be hidden


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Vilkku on 03-18-2005 at 08:35 PM

Sorry for the late reply, but my friend said it works. After a day he had to format his comp because of some problems... :dodgy:

Anyway, he is a computer n00b and formats every week because the comp gets slow.


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by CookieRevised on 03-18-2005 at 09:09 PM

hmmm... now I have to phone another hosting company? Djeez....
* CookieRevised thinks this guy isn't going to give up... me neither :p


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Lieter on 03-18-2005 at 10:02 PM

too bad DDossing is forbidden in Holland 8-)8-)

he but yeah reporting abuse over and over would work


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by user13774 on 03-18-2005 at 10:08 PM

Well... Whois.net says:

Registrar: <removed>
   Domain Name: <removed>
      Created on: 19-MAR-01
      Expires on: 19-MAR-06
      Last Updated on: 15-MAR-05


So I went to <link removed> and there you can Report Spam as they call it. I think that is what we're looking for. I will fill in their 'Domain Complaint'.


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Lieter on 03-18-2005 at 10:15 PM

filed one :D if every one does it they cant ignore us :D


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by user13774 on 03-18-2005 at 10:29 PM

quote:
Dear NamesDirect,

I want to complain about the domain <removed>. The owner of this domain promotes hacking software for MSN Messenger, a product of Microsoft Corporation. But next to that the program itself contains viruses and multiple types of ad-/spyware. He has been kicked from a few webhosts (i.e. Planet Internet, www.planet.nl) where he hosted his site. Currently his site is being hosted by Angelfire, but I already reported his site to Lycos, the owner of Angelfire.

Can you please take action against (the owner of) this domain?

Thank you,

Mark

How does that sound? :grin:

quote:
Your complaint has been submitted. Our Abuse Department will contact the owner
of the domain that a complaint has been filed. They will investigate and if
necessary disable the domain. This process can take up to 15 days.
Thank you for your patience.

NOTE: Please do not enter multiple complaints. This can prolong the
investigation and delay resolving the situation in a timely manner.

RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Lieter on 03-18-2005 at 10:34 PM

quote:
Originally posted by Markus

NOTE: Please do not enter multiple complaints. This can prolong the
investigation and delay resolving the situation in a timely manner.

hehe that should be fun :D

RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Fredzz on 03-19-2005 at 02:28 AM

why would anyone install that thing when they saw this thread? :wall:


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by CookieRevised on 03-19-2005 at 02:39 AM

quote:
Originally posted by Lieter
filed one if every one does it they cant ignore us

YES THEY CAN.... if everybody does this, it is called SPAMMING, and will do more damage than good.

quote:
Originally posted by Lieter
quote:
Originally posted by Markus

NOTE: Please do not enter multiple complaints. This can prolong the
investigation and delay resolving the situation in a timely manner.

hehe that should be fun :D

DO NOT !!!


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Fredzz on 03-19-2005 at 03:01 AM

It clearly states on the "NOTE" that multiple reports will just delay the process! Why would you file another one? :wall:


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Lieter on 03-19-2005 at 07:28 AM

:wall::wall: stupid me, ok youre right.. i gotta agree (i filed 1 in total)


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Purity on 03-19-2005 at 07:45 AM

This is like the bropia kinda, sending links to contacts saying 'Wanna hack msn messenger [URL]'

:dodgy:


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by CraigDowel on 03-19-2005 at 08:02 AM

Guys, this domain is not directly registered to namesdirect, but to namezero. But namezero is a namesdirect company. The site works with an url forwarder... <link removed>

And another hint, just phone the company and file your complaint. They mostly ignore such complaints filed by email, their policy also says that picturecentre is not 'directly' acting illegal...

Oh <link removed> is the real site, maybe complaining works here...


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by user13774 on 03-19-2005 at 08:34 AM

quote:
Originally posted by CraigDowel
Oh <link removed> is the real site, maybe complaining works here...

This is just his host. I already reported the site yesterday to Lycos (the owner of Angelfire) :wink:. But now we're trying to find the company where he registered his domain <removed>. Read this post: Markus's reply to IMPORTANT! Strictly forbidden plug-in is spreading the net!

quote:
Originally posted by CraigDowel
Guys, this domain is not directly registered to namesdirect, but to namezero. But namezero is a namesdirect company. The site works with an url forwarder... <link removed>

How do you know that? The site looks almost the same as NamesDirect, that's true...

quote:
Originally posted by CookieRevised
quote:
Originally posted by Lieter
filed one, if everyone does it they can't ignore us
YES THEY CAN.... if everybody does this, it is called SPAMMING.

quote:
Originally posted by Lieter
quote:
Originally posted by Markus

NOTE: Please do not enter multiple complaints. This can prolong the
investigation and delay resolving the situation in a timely manner.

hehe that should be fun :D
DO NOT
Cookie is right :O. DON'T send useless complaints! If you want this guy to lose his domain, you need to send only well-founded complaints!


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by CookieRevised on 03-19-2005 at 02:55 PM

Indeed, I urge everyone to stop 'finding things out' and 'filing complaints'....

I'm already on top of this and found some related things but also found that some information posted in this thread is NOT true. Don't put links where links don't exist, or do a proper search before saying something. _Especially_ in such a matter!

Filing undocumented, bad reports will do more damage than good. DDoSing doesn't work either....

As far as I'm concerned this thread should be closed and pruned so the information posted here can't be misused to file reports or whatever. The more you talk about such subjects, the more people will get victimized. Proof? Look at the people in this thread who executed the trojan without the proper knowledge, because they were curious if it worked.... 8-)

Those who have more info or wanna say something about this can always PM me...

-------------------------------

quote:
Originally posted by CraigDowel
Oh angelfire is the real site, maybe complaining works here...
no they don't. That is where he hosts his current site. He has moved there since a few days because his other host (planet.nl) has closed his accounts (also the hosted link of huisartsen-laren). He will simply keep on moving his site...

* CookieRevised phoning 2 other host companies atm...

-------------------------------

To close this trojan (yes it IS a trojan and it does work. If you got an error message, that is just part of its startup routine) so you can safely start a virus cleaner and spyware cleaners:

* Start up in SAFE MODE
* Delete C:\Windows\svchost.exe ... (don't delete svchost.exe which is in your \Windows\System32 directory!)
* Delete C:\Windows\Prefetch\msnfun*.pf
* Delete C:\Windows\Prefetch\scvhost.exe*.pf
* Remove the registry key which has svchost.exe in its value in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Purity on 03-19-2005 at 06:24 PM

Thanks very much for that quick removal tutorial...


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by user13774 on 03-19-2005 at 07:23 PM

Ok Cookie. You're doing a good job (y). I already filled in an 'Abuse report' @ Angelfire two days ago, but I'll leave it to you now :). I'd like to hear how the calls with the hosting companies turned out. I'll talk to you about it on MSN.


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by CraigDowel on 03-20-2005 at 11:10 AM

Cookie, any updates?


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by user13774 on 03-22-2005 at 10:20 AM

Update:

Got a mail back from Lycos (owner of angelfire):

quote:
Hello,

Thank you for contacting the Lycos Network Abuse Department.

The account you have brought to the attention of the Lycos Network Abuse
Department was found to be in violation of our Terms and Conditions.  As
a result, it has been removed from our servers.  Thank you for reporting
it to us.

Please note that the creator of this page is in no way directly
associated with the Lycos Network or its web publishing products.  We
exercise no editorial control over the content posted by or the actions
of our users.  All users are expected to abide by our Terms and
Conditions, which can be found at the following URL:

http://www.lycos.com/lycosinc/legal.html

I hope you find that our prompt response to this situation addresses
your concerns.  If you have any questions or find more accounts that
require our attention please feel free to contact us again.

Sincerely,

Fred

Lycos Network Abuse Specialist
http://reportabuse.lycos.com
Thank you Lycos (y). :).


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by CraigDowel on 03-25-2005 at 11:26 AM

Christ, he's up again :/


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by jtstone1983 on 03-25-2005 at 06:08 PM

I don't think it really matters anyways. Why would you want something that is just annoying? I had to reinstall Windows just to stop the automatic messages being sent to my contacts.

Because of all the feedback on the abuse part, anyone who sent them a complaint got an email....this usually never happens....I got mine 4 days ago.


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Dane on 03-26-2005 at 01:50 AM

Hello,

I just want to provide some information on this program which I have done a viral analysis on. It adds "C:\WINDOWS\Systray.exe" and "C:\Program Files\Media Access" as far as I can tell. It appears as a Windows Installer Package but really is nothing more than a viral executable.

I have submitted this file to McAfee AntiVirus Emergency Response Team (AVERT) and Symantec. McAfee has responded by adding this to its "Potentially Unwanted Programs" list. I feel it should be in their next virus definitions, they feel otherwise. Symantec has yet to comment on the virus.

Anyway,
Just avoid it,
Dane :).

Edit: My variant doesn't appear to do the same routine as Cookie's does. Perhaps Cookie has a different variant.


RE: RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Lieter on 03-26-2005 at 09:55 AM

quote:
Originally posted by Dane
Hello,

I just want to provide some information on this program which I have done a viral analysis on. It adds "C:\WINDOWS\Systray.exe" and "C:\Program Files\Media Access" as far as I can tell. It appears as a Windows Installer Package but really is nothing more than a viral executable.

Isn't Systray.exe a Windows executable needed to start Windows...

see here: http://www.liutilities.com/products/wintaskspro/p...sslibrary/systray/


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Tochjo on 03-26-2005 at 10:11 AM

quote:
Originally posted by Lieter
isn't Systray.exe a windows executable needed to start windows...
The genuine executable is not located in C:\Windows but in C:\Windows\System32 (on Windows XP).


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Lieter on 03-26-2005 at 10:17 AM

You're right.. mine (Win 2k Pro) is located in C:\WINNT\System


RE: IMPORTANT! Strictly forbidden plug-in is spreading the net! by Dane on 03-26-2005 at 10:23 AM

Yep, Tochjo is right, all the files I listed were created in a monitored environment at the time of analysis.

Removal Tool: Click Here
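

Added example, not part of any post in this thread: CookieRevised's removal steps and the Systray.exe exchange above both come down to a Windows system file name sitting outside System32 (or a misspelled look-alike such as scvhost.exe). The Python script below checks a file inventory and exported Run-key values for that pattern; the function names, the look-alike heuristic and the sample data are assumptions made for illustration.

```python
import ntpath

# Expected folder as stated in the thread for Windows XP (assumption: adjust per OS).
SYSTEM32 = r"c:\windows\system32"
EXPECTED = {"svchost.exe": {SYSTEM32}, "systray.exe": {SYSTEM32}}

def classify(path):
    """Return a finding for a suspicious path, or None if it looks normal."""
    norm = ntpath.normpath(path.strip().strip('"')).lower()
    folder, name = ntpath.split(norm)
    if name in EXPECTED:
        if folder in EXPECTED[name]:
            return None
        return f"system file name in unexpected folder: {norm}"
    for known in EXPECTED:
        # Same letters in another order, e.g. scvhost.exe for svchost.exe.
        if sorted(name) == sorted(known):
            return f"look-alike of {known}: {norm}"
    return None

def exe_from_command(command):
    """Pull the executable path out of a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    end = command.lower().find(".exe")
    return command[:end + 4] if end != -1 else command

def audit(file_paths, run_values):
    findings = [(p, classify(p)) for p in file_paths]
    findings += [(f"Run\\{name}", classify(exe_from_command(cmd)))
                 for name, cmd in run_values.items()]
    return [(src, hit) for src, hit in findings if hit]

# Constructed sample inventory (hypothetical, not taken from a real machine).
SAMPLE_FILES = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\svchost.exe",
    r"C:\WINDOWS\Systray.exe",
    r"C:\Windows\scvhost.exe",
]
SAMPLE_RUN = {
    "ctfmon": r"C:\Windows\System32\ctfmon.exe",
    "loader": r'"C:\Windows\svchost.exe"',
}

if __name__ == "__main__":
    for source, finding in audit(SAMPLE_FILES, SAMPLE_RUN):
        print(f"{source}: {finding}")
```

The genuine System32 copies pass silently, so only the misplaced or misspelled entries are reported.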