Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 

www.merign.org

 
Shane
Newbie


Joined: 25 Sep 2004
Last Visit: 01 Jan 2006
Posts: 4

Posted: Sun Sep 26, 2004 6:31 am    Post subject: www.merign.org

Hi guys,

Just saw a post on one of the MS newsgroups ala:

<snip>

Every time I've tried to go to http://www.merijn.org/cwschronicles.html, I get the message "The connection was refused when attempting to contact www.merign.org.

</snip>

I was able to get www.merign.org and I think it needs adding to the rogue anti-spyware sites list.
wyrmrider
Warrior Addict


Joined: 25 Jun 2004
Last Visit: 17 Jan 2009
Posts: 730

Posted: Sun Sep 26, 2004 8:27 am    Post subject: really ugly

that's really ugly

did this look like someone was camped or has purchased the merijn.org website or did you see any evidence of a program transferring you to the site??

watch for scripts running or activity in the lower bar of your screen

let me know please

wyrmrider
wyrmrider
Warrior Addict


Joined: 25 Jun 2004
Last Visit: 17 Jan 2009
Posts: 730

Posted: Sun Sep 26, 2004 8:35 am    Post subject: spelling

http://www.spywareinfo.com/~merijn/

still works
looks like a spelling error in the post

www.merign.org. j swapped for g

should be merijn.org

what concerns me is
is this rogue web site
and/ or web page address bar error behaviour


any sign of oingo, domaine park or dp.information.com or ???

wyrmrider
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 22 Apr 2014
Posts: 10310
Location: sunny California

Posted: Sun Sep 26, 2004 8:47 am

Merijn posted this quite some time ago:

Quote:
March 19, 2004:
Merijn.org will not be online again soon.
Mike Healan has gotten all the sites that have been attacked back up, but when he tried to put up merijn.org for a few hours, it was immediately flooded off the net again. The DDoS attack is still continuing. A mirror of my site will be kept online at http://www.spywareinfo.com/~merijn/.


I think that's probably the reason you can't get to merijn.org
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile
wyrmrider
Warrior Addict


Joined: 25 Jun 2004
Last Visit: 17 Jan 2009
Posts: 730

Posted: Mon Sep 27, 2004 7:16 am    Post subject: merijn to merign

I can understand that merijn.org has been down for some time
I get the cannot find message

What I want to know is how Shane
got to the look alike site?

does not initially look like new.net

any ideas?

If merijn had given up his site and someone had bought the name I can understand

but it looks here like something is redirecting, or search and find

(of course with me it'd be a typo)

wyrmrider
Moore
Moderator


Joined: 31 May 2004
Last Visit: 22 Jul 2013
Posts: 758
Location: °°.MooreLand.°°

Posted: Mon Sep 27, 2004 11:09 am

There are a lot of "scam" type sites set up to capitalize on people mis-typing popular website urls.

Looks like this is another one, but sponsored by someone who likes to recommend everything people should be avoiding ..

Quote:
http://www.merign.org/

This page provided free by Sedo's Domain Parking program.

212.227.34.3
www1.sedoparking.com

Quote:
Domain Name Parking
Earn money from your unused domain names!

Sedo's new Domain Parking Program lets you earn money from your domain names without needing to develop your own site. Even better, Sedo's statistics show that domains parked with Sedo are 5 times more likely to be sold!


IP Address: 212.227.34.3
IP Location: Schlund+partner Gmbh & Co

Domain ID:D104780307-LROR
Domain Name:MERIGN.ORG
Created On:19-Aug-2004 23:42:02 UTC
Last Updated On:24-Aug-2004 17:32:52 UTC
Expiration Date:19-Aug-2006 23:42:02 UTC
Sponsoring Registrar:eNom Inc. (R39-LROR)
Status:TRANSFER PROHIBITED
Registrant ID:BB46F0B6EC475F68
Registrant Name:James Strongs
Registrant Organization:Fuz Pty Ltd
Registrant Street1:1 Majorize St
Registrant City:Melbourne
Registrant State/Province:VICTORIA
Registrant Postal Code:3000
Registrant Country:AU
Registrant Phone:+61.345434322

Admin ID:BB46F0B6EC475F68
Admin Name:James Strongs
Admin Organization:Fuz Pty Ltd
Admin Street1:1 Majorize St

Name Server:NS1.SEDOPARKING.COM
Name Server:NS2.SEDOPARKING.COM


Quote:
merign.org

Spyware - we recommend these sponsored links:
Top-Rated Spyware Remover
Free Scan, awarded Spyware and Trojan removal - Download Now!
pctools.com

Which Spyware Remover?
Compare and Download Up To 4 Top Spyware Virus Removers for Free.
SpywareRemoversReview.com

Spyware Removal
Remove Spyware, Adware & Viruses. Protect your PC and identity. aff
Free-Spyware-Scan.com

which Spyware Remover?
10 side-by-side descriptions of the top Spyware removal products.
AdwareReport.com

Anti-Spyware Reviews 2004
20 Spyware removers reviewed. Spy Sweeper, SpyHunter, Spykiller.
TopTenReviews.com

Remove Spyware
Complete Adware / Spyware Removal Huge database. Clean your system!
AdwareSpy.com

Free Spyware Scan
Search and Remove Trojans, Spyware, Adware and other Intruders. aff
Anti-Adware.net

Spyware Remover - Free
2004 Highest-Rated Spyware Remover. Stop All Popups. Free Download! Aff
NoAdware.net

Symantec - great prices
Norton Internet Security only $69 Never pay full price again!
protocol1.com.au

Anti-Spyware Software
STOPzilla suppresses Adware/Spyware CNet Editor's Choice. Download now.
STOPzilla.com


Notice the similarities with this Google cached one, I wonder just how many there are out there?

LoL, scam sites galore -> Google LINK

I see a lot of p2p and anti-spyware scam sites worth IP blocking in all these sedoparking.com pages
_________________
| Stop Malvertising | Outpost | Blocklist Pro | Hosts |
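
The checks Moore does by hand in the post above (a name one letter away from merijn.org, a registration only weeks old, Sedo parking name servers), as an added example that is not part of the original thread. The function names, the two-edit limit and the 90-day threshold are assumptions; the distance function generalizes beyond the j/g swap to adjacent-letter transpositions, and the sample record is constructed from the WHOIS fields quoted in the post.

```python
from datetime import datetime, timezone

# Constructed sample: a subset of the WHOIS fields quoted in the post above.
SAMPLE_WHOIS = """\
Domain Name:MERIGN.ORG
Created On:19-Aug-2004 23:42:02 UTC
Name Server:NS1.SEDOPARKING.COM
Name Server:NS2.SEDOPARKING.COM
"""
PARKING_NS_SUFFIXES = (".sedoparking.com",)  # assumption: parking services to flag

def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap two adjacent letters) from a to b."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def parse_whois(text):
    """Parse 'Key:Value' lines into {key: [values]}; keys such as Name Server repeat."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def assess(whois_text, protected, observed_on, max_age_days=90):
    """Return the reasons a registration looks like a typosquat of `protected`."""
    record = parse_whois(whois_text)
    domain = record["domain name"][0].lower()
    created = datetime.strptime(record["created on"][0],
                                "%d-%b-%Y %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    reasons = []
    if 0 < edit_distance(domain, protected.lower()) <= 2:
        reasons.append("lookalike")
    if (observed_on - created).days <= max_age_days:
        reasons.append("recent")
    if any(ns.lower().endswith(PARKING_NS_SUFFIXES)
           for ns in record.get("name server", [])):
        reasons.append("parked")
    return reasons

if __name__ == "__main__":
    print(assess(SAMPLE_WHOIS, "merijn.org", datetime(2004, 9, 26, tzinfo=timezone.utc)))
```
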
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 22 Apr 2014
Posts: 10310
Location: sunny California

Posted: Mon Sep 27, 2004 12:57 pm

The main site explains what they are doing:

http://www.sedoparking.com/

They should call it "Scams R Us".

Looks like a good one for the block lists and hosts files too.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile
Trpm
SWW Expert


Joined: 18 Feb 2004
Last Visit: 22 Feb 2008
Posts: 112
Location: USA

Posted: Mon Sep 27, 2004 1:46 pm

Hi suzi,

That sounds like a great topic for your Blog "Scams R Us".
It has heart!
Have a great day.
Trpm
_________________
I'm a reasonable person just ask Eeyore or Christopher R.
Shane
Newbie


Joined: 25 Sep 2004
Last Visit: 01 Jan 2006
Posts: 4

Posted: Mon Sep 27, 2004 7:36 pm

Apparently www.merign.org was a typo and the poster on the MS newsgroup never did go there. I got there by the simple expedient of pasting it into the address bar.

And having got there, it struck me that untrustworthy so-called anti-spyware sites or programs were being linked to from a domain that is a look-alike and sound-alike of www.merijn.org. So I made my original post here and that's more-or-less all there was to it.

Except, that I came to the SpywareWarrior forums perhaps a week ago. Someone asked on one of the MS newsgroups for opinions on RegistryNuker. I thought it sounded familiar and before long found myself here reading the thread involving that Ashley idiot.

A day or two later someone asked if they should go ahead and pay for XoftSpy, and here I was again, this time reading the thread involving the guy from AdwareReport.com.

A couple more days passed and I saw someone (knowledgeable in the anti-malware field - so it just goes to show!) answering a post by linking to an article at AdwareReport.com. So I intervened in that one.

Then, yesterday, the merign.org post. It doesn't end, does it?
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 22 Apr 2014
Posts: 10310
Location: sunny California

Posted: Mon Sep 27, 2004 10:43 pm

Quote:
That sounds like a great topic for your Blog "Scams R Us".
It has heart!


Good idea Trpm!

Shane, you wrote:
Quote:
A couple more days passed and I saw someone (knowledgeable in the anti-malware field - so it just goes to show!) answering a post by linking to an article at AdwareReport.com. So I intervened in that one.


Where did you see that? I'm curious.

Quote:
Then, yesterday, the merign.org post. It doesn't end, does it?


You are exactly right - it doesn't end. That's why we are here.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile
flicman
Newbie


Joined: 26 Sep 2005
Last Visit: 26 Sep 2005
Posts: 1
Location: Hollywood, CA

Posted: Mon Sep 26, 2005 5:38 am

I know this thread is just about a year old and I'm bumping it from obscurity, but it comes up #1 on google when I search for "remove sedoparking malware" (no quotes), so I've read it like three times in the vain hope that this problem was solved last year. Unfortunately, I'm noticing a similar redirect issue (also involving sedoparking.com) going on with some sites that I host through a reseller.

Only affecting these particular sites, anytime I try to access a subdomain (whether it exists or not), I get redirected to sedoparking.com. This only happens A) with the subdomain entry - I can get to the main domain just fine, B) with accounts on my *resold* hosting space and C) only on my home workstation. My laptop is fine, other computers that I use at work and various places are fine.

examples:

clapboard.org is my main domain. Accessing it is no problem.
411archive.clapboard.org is a valid subdomain of the same server, hosted in the same account. No trouble there, either. Now, just for completeness, foobar.clapboard.org gives me a 'page cannot be found' error.

Now, while http://carolinadeckpros.com is a valid and working site that I host on the reseller portion of my account, the valid subdomain http://portfolio.carolinadeckpros.com redirects me to sedoparking.com. A site that I have just created aghart.com has no index page yet, even, and the designer has uploaded nothing (and no subdomains exist), but if you type in foobar.aghart.com on my system, you're going to see sedoparking again.

I've run Ad-Aware with the latest definitions, as well as hijack this, and am happy to note that the first time I ran the latest version of Ad-Aware, it found something and removed it. I could instantly access valid subdomains and was denied at things like foobar.aghart.com, and all was right in the world. Unfortunately, one restart later, the redirecting started and the scanning turned up nothing. Some searching has led me to the fact that I have a file in C:\WINDOWS\PCHEALTH\UploadLB\Binaries called uploadm.exe that respawns on removal, and may (or may well not) be related. I can't seem to find reliable info on from whence that software spawns as well. The page on Symantec that talks about the registry keys to check contains nothing for me, as I don't even have listed the registry locations they're talking about.

I'm running winxpsp2 with the latest patches, etc. and am running Firefox 1.0.7. Any thoughts you might have would be greatly appreciated.

Thanks!
aquias
Warrior


Joined: 26 Jul 2005
Last Visit: 15 Oct 2007
Posts: 84

Posted: Mon Sep 26, 2005 8:05 am

I see some references to that file...but not a lot after a quick search.

Try uploading the file to http://virusscan.jotti.dhs.org/ and see what it comes back with...let us know.

Additionally, I'd recommend running hijack this and posting your log to the hijack this forum.
Bubba
Security Expert


Joined: 28 Jul 2004
Last Visit: 11 Jul 2008
Posts: 45

Posted: Thu Sep 29, 2005 11:11 am

flicman wrote:
Some searching has led me to the fact that I have a file in C:\WINDOWS\PCHEALTH\UploadLB\Binaries called uploadm.exe that respawns on removal, and may (or may well not) be related.

I would definitely check the file's properties to make sure it is or is not the valid MS uploadm.exe file.

Filename: uploadm.exe
File Size: 293,376 bytes
Description: PC Health Upload Manager
Product: Microsoft® Windows® Operating System
Version: 5.2.3790.1830
Company: Microsoft Corporation
All times are GMT - 8 Hours