Shane Newbie
Joined: 25 Sep 2004 Last Visit: 01 Jan 2006 Posts: 4
|
Posted: Sun Sep 26, 2004 6:31 am Post subject: www.merign.org |
|
|
Hi guys,
Just saw a post on one of the MS newsgroups ala:
<snip>
Every time I've tried to go to http://www.merijn.org/cwschronicles.html, I get the message "The connection was refused when attempting to contact www.merign.org.
</snip>
I was able to get www.merign.org and I think it needs adding to the rogue anti-spyware sites list. |
 |
wyrmrider Warrior Addict
Joined: 25 Jun 2004 Last Visit: 17 Jan 2009 Posts: 730
|
Posted: Sun Sep 26, 2004 8:27 am Post subject: really ugly |
|
|
that's really ugly
did this look like someone was camped or has purchased the merijn.org website or did you see any evidence of a program transferring you to the site??
watch for scripts running or activity in the lower bar of your screen
let me know please
wyrmrider |
 |
wyrmrider Warrior Addict
Joined: 25 Jun 2004 Last Visit: 17 Jan 2009 Posts: 730
|
Posted: Sun Sep 26, 2004 8:35 am Post subject: spelling |
|
|
http://www.spywareinfo.com/~merijn/
still works
looks like a spelling error in the post
www.merign.org. j swapped for g
should be merijn.org
what concerns me is
is this rogue web site
and/ or web page address bar error behaviour
any sign of oingo, domaine park or dp.information.com or ???
wyrmrider |
 |
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 19 May 2013 Posts: 10271 Location: sunny California
|
Posted: Sun Sep 26, 2004 8:47 am Post subject: |
|
|
Merijn posted this quite some time ago:
| Quote: |
March 19, 2004:
Merijn.org will not be online again soon.
Mike Healan has gotten all the sites that have been attacked back up, but when he tried to put up merijn.org for a few hours, it was immediately flooded off the net again. The DDoS attack is still continuing. A mirror of my site will be kept online at http://www.spywareinfo.com/~merijn/. |
I think that's probably the reason you can't get to merijn.org
_________________ Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.  |
 |
wyrmrider Warrior Addict
Joined: 25 Jun 2004 Last Visit: 17 Jan 2009 Posts: 730
|
Posted: Mon Sep 27, 2004 7:16 am Post subject: merijn to merign |
|
|
I can understand that merijn.org has been down for some time
I get the cannot find message
What I want to know is how Shane
got to the look alike site?
does not initially look like new.net
any ideas?
If merijn had given up his site and someone had bought the name I can understand
but it looks here like something is redirecting, or search and find
(of course with me it'd be a typo)
wyrmrider |
 |
Moore Moderator

Joined: 31 May 2004 Last Visit: 05 Jan 2011 Posts: 758 Location: °°.MooreLand.°°
|
Posted: Mon Sep 27, 2004 11:09 am Post subject: |
|
|
There are a lot of "scam" type sites set up to capitalize on people mis-typing popular website URLs.
Looks like this is another one, but sponsored by someone who likes to recommend everything people should be avoiding...
| Quote: |
http://www.merign.org/
This page provided free by Sedo's Domain Parking program.
212.227.34.3
www1.sedoparking.com
| Quote: |
Domain Name Parking
Earn money from your unused domain names!
Sedo's new Domain Parking Program lets you earn money from your domain names without needing to develop your own site. Even better, Sedo's statistics show that domains parked with Sedo are 5 times more likely to be sold! |
IP Address: 212.227.34.3
IP Location: Schlund+partner Gmbh & Co
Domain ID:D104780307-LROR
Domain Name:MERIGN.ORG
Created On:19-Aug-2004 23:42:02 UTC
Last Updated On:24-Aug-2004 17:32:52 UTC
Expiration Date:19-Aug-2006 23:42:02 UTC
Sponsoring Registrar:eNom Inc. (R39-LROR)
Status:TRANSFER PROHIBITED
Registrant ID:BB46F0B6EC475F68
Registrant Name:James Strongs
Registrant Organization:Fuz Pty Ltd
Registrant Street1:1 Majorize St
Registrant City:Melbourne
Registrant State/Province:VICTORIA
Registrant Postal Code:3000
Registrant Country:AU
Registrant Phone:+61.345434322
Admin ID:BB46F0B6EC475F68
Admin Name:James Strongs
Admin Organization:Fuz Pty Ltd
Admin Street1:1 Majorize St
Name Server:NS1.SEDOPARKING.COM
Name Server:NS2.SEDOPARKING.COM |
| Quote: |
merign.org
Spyware - we recommend these sponsored links:
Top-Rated Spyware Remover
Free Scan, awarded Spyware and Trojan removal - Download Now!
pctools.com
Which Spyware Remover?
Compare and Download Up To 4 Top Spyware Virus Removers for Free.
SpywareRemoversReview.com
Spyware Removal
Remove Spyware, Adware & Viruses. Protect your PC and identity. aff
Free-Spyware-Scan.com
which Spyware Remover?
10 side-by-side descriptions of the top Spyware removal products.
AdwareReport.com
Anti-Spyware Reviews 2004
20 Spyware removers reviewed. Spy Sweeper, SpyHunter, Spykiller.
TopTenReviews.com
Remove Spyware
Complete Adware / Spyware Removal Huge database. Clean your system!
AdwareSpy.com
Free Spyware Scan
Search and Remove Trojans, Spyware, Adware and other Intruders. aff
Anti-Adware.net
Spyware Remover - Free
2004 Highest-Rated Spyware Remover. Stop All Popups. Free Download! Aff
NoAdware.net
Symantec - great prices
Norton Internet Security only $69 Never pay full price again!
protocol1.com.au
Anti-Spyware Software
STOPzilla suppresses Adware/Spyware CNet Editor's Choice. Download now.
STOPzilla.com |
Notice the similarities with this Google cached one, I wonder just how many there are out there?
LoL, scam sites galore -> Google LINK
I see a lot of p2p and anti-spyware scam sites worth IP blocking in all these sedoparking.com pages
 _________________ | Stop Malvertising | Outpost | Blocklist Pro | Hosts | |
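The look-alike pattern discussed in this thread, as an added example that is not part of any poster's message: a Python triage that compares a domain with a protected name by edit distance and reads the creation date and name servers from WHOIS text. The function names, the `PROTECTED` and `PARKING_NS` lists and the one-edit threshold are assumptions; the WHOIS sample is a subset of the fields quoted above.

```python
from datetime import datetime

PROTECTED = ["merijn.org"]          # assumption: the names users actually mean
PARKING_NS = ["sedoparking.com"]    # assumption: parking service named in the thread

# Constructed sample: a subset of the WHOIS fields quoted in the post above.
WHOIS = """Domain Name:MERIGN.ORG
Created On:19-Aug-2004 23:42:02 UTC
Name Server:NS1.SEDOPARKING.COM
Name Server:NS2.SEDOPARKING.COM"""

def edit_distance(a, b):
    """Edits needed to turn a into b: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # e.g. "ji" typed for "ij"
    return d[len(a)][len(b)]

def parse_whois(text):
    """Collect 'Key:Value' lines; repeated keys such as Name Server become lists."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            rec.setdefault(key.strip(), []).append(value.strip())
    return rec

def triage(domain, whois_text, seen_on):
    """Report which protected name the domain imitates, its age, and parking."""
    domain = domain.lower().rstrip(".").removeprefix("www.")
    rec = parse_whois(whois_text)
    near = [p for p in PROTECTED if p != domain and edit_distance(domain, p) <= 1]
    created = datetime.strptime(rec["Created On"][0], "%d-%b-%Y %H:%M:%S UTC")
    servers = [ns.lower() for ns in rec.get("Name Server", [])]
    parked = any(ns == p or ns.endswith("." + p) for ns in servers for p in PARKING_NS)
    return {"lookalike_of": near, "age_days": (seen_on - created).days, "parked": parked}

if __name__ == "__main__":
    print(triage("www.merign.org", WHOIS, datetime(2004, 9, 26)))
```

A name that is one edit from a protected domain, only weeks old and served from parking name servers is a reasonable candidate for a hosts-file or block-list entry.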
 |
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 19 May 2013 Posts: 10271 Location: sunny California
|
Posted: Mon Sep 27, 2004 12:57 pm Post subject: |
|
|
The main site explains what they are doing:
http://www.sedoparking.com/
They should call it "Scams R Us".
Looks like a good one for the block lists and hosts files too. |
 |
Trpm SWW Expert
Joined: 18 Feb 2004 Last Visit: 22 Feb 2008 Posts: 112 Location: USA
|
Posted: Mon Sep 27, 2004 1:46 pm Post subject: |
|
|
Hi suzi,
That sounds like a great topic for your Blog "Scams R Us".
It has heart!
Have a great day.
Trpm _________________ I'm a reasonable person just ask Eeyore or Christopher R. |
 |
Shane Newbie
Joined: 25 Sep 2004 Last Visit: 01 Jan 2006 Posts: 4
|
Posted: Mon Sep 27, 2004 7:36 pm Post subject: |
|
|
Apparently www.merign.org was a typo and the poster on the MS newsgroup never did go there. I got there by the simple expedient of pasting it into the address bar.
And having got there, it struck me that untrustworthy so-called anti-spyware sites or programs were being linked to from a domain that is a look-alike and sound-alike of www.merijn.org. So I made my original post here and that's more-or-less all there was to it.
Except, that I came to the SpywareWarrior forums perhaps a week ago. Someone asked on one of the MS newsgroups for opinions on RegistryNuker. I thought it sounded familiar and before long found myself here reading the thread involving that Ashley idiot.
A day or two later someone asked if they should go ahead and pay for XoftSpy, and here I was again, this time reading the thread involving the guy from AdwareReport.com.
A couple more days passed and I saw someone (knowledgeable in the anti-malware field - so it just goes to show!) answering a post by linking to an article at AdwareReport.com. So I intervened in that one.
Then, yesterday, the merign.org post. It doesn't end, does it? |
 |
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 19 May 2013 Posts: 10271 Location: sunny California
|
Posted: Mon Sep 27, 2004 10:43 pm Post subject: |
|
|
| Quote: |
That sounds like a great topic for your Blog "Scams R Us".
It has heart!
|
Good idea Trpm!
Shane, you wrote:
| Quote: |
| A couple more days passed and I saw someone (knowledgeable in the anti-malware field - so it just goes to show!) answering a post by linking to an article at AdwareReport.com. So I intervened in that one. |
Where did you see that? I'm curious.
| Quote: |
| Then, yesterday, the merign.org post. It doesn't end, does it? |
You are exactly right - it doesn't end. That's why we are here. |
 |
flicman Newbie
Joined: 26 Sep 2005 Last Visit: 26 Sep 2005 Posts: 1 Location: Hollywood, CA
|
Posted: Mon Sep 26, 2005 5:38 am Post subject: |
|
|
I know this thread is just about a year old and I'm bumping it from obscurity, but it comes up #1 on google when I search for "remove sedoparking malware" (no quotes), so I've read it like three times in the vain hope that this problem was solved last year. Unfortunately, I'm noticing a similar redirect issue (also involving sedoparking.com) going on with some sites that I host through a reseller.
Only affecting these particular sites, anytime I try to access a subdomain (whether it exists or not), I get redirected to sedoparking.com. This only happens A) with the subdomain entry - I can get to the main domain just fine, B) with accounts on my *resold* hosting space and C) only on my home workstation. My laptop is fine, other computers that I use at work and various places are fine.
examples:
clapboard.org is my main domain. Accessing it is no problem.
411archive.clapboard.org is a valid subdomain of the same server, hosted in the same account. No trouble there, either. Now, just for completeness, foobar.clapboard.org gives me a 'page cannot be found' error.
Now, while http://carolinadeckpros.com is a valid and working site that I host on the reseller portion of my account, the valid subdomain http://portfolio.carolinadeckpros.com redirects me to sedoparking.com. A site that I have just created aghart.com has no index page yet, even, and the designer has uploaded nothing (and no subdomains exist), but if you type in foobar.aghart.com on my system, you're going to see sedoparking again.
I've run Ad-Aware with the latest definitions, as well as hijack this, and am happy to note that the first time I ran the latest version of Ad-Aware, it found something and removed it. I could instantly access valid subdomains and was denied at things like foobar.aghart.com, and all was right in the world. Unfortunately, one restart later, the redirecting started and the scanning turned up nothing. Some searching has led me to the fact that I have a file in C:\WINDOWS\PCHEALTH\UploadLB\Binaries called uploadm.exe that respawns on removal, and may (or may well not) be related. I can't seem to find reliable info on from whence that software spawns as well. The page on Symantec that talks about the registry keys to check contains nothing for me, as I don't even have listed the registry locations they're talking about.
I'm running winxpsp2 with the latest patches, etc. and am running Firefox 1.0.7. Any thoughts you might have would be greatly appreciated.
Thanks! |
 |
aquias Warrior
Joined: 26 Jul 2005 Last Visit: 15 Oct 2007 Posts: 84
|
Posted: Mon Sep 26, 2005 8:05 am Post subject: |
|
|
I see some references to that file...but not a lot after a quick search.
Try uploading the file to http://virusscan.jotti.dhs.org/ and see what it comes back with...let us know.
Additionally, I'd recommend running hijack this and posting your log to the hijack this forum. |
 |
Bubba Security Expert

Joined: 28 Jul 2004 Last Visit: 11 Jul 2008 Posts: 45
|
Posted: Thu Sep 29, 2005 11:11 am Post subject: |
|
|
| flicman wrote: |
| Some searching has led me to the fact that I have a file in C:\WINDOWS\PCHEALTH\UploadLB\Binaries called uploadm.exe that respawns on removal, and may (or may well not) be related. |
I would definitely check the file's properties to make sure it is or is not the valid MS uploadm.exe file.
Filename: uploadm.exe
File Size: 293,376 bytes
Description: PC Health Upload Manager
Product: Microsoft® Windows® Operating System
Version: 5.2.3790.1830
Company: Microsoft Corporation |