
Infected With Systemerrorfixer...//adnetserver.com/...


No replies to this topic

#1 bummed_in_southGA


Posted 21 April 2008 - 07:35 AM

I'm infected with this thing, I believe called: "SystemErrorFixer"

Red desktop background with "YOUR PRIVACY IS IN DANGER!"
"DOWNLOAD PRIVACY PROTECTION SOFTWARE NOW"

One "feature" of the infection is that it won't let me Ctrl-Alt-Delete. Says "Task manager has been disabled by your administrator"

Clicking on the background sends me off to a page trying to download software called "SystemErrorFixer".

Right clicking->Properties on the red desktop background shows

file:///C:/WINDOWS/privacy_danger/images/spacer.gif

When I left click on the red screen, Firefox starts up to an address shown by selecting "View Page Info" on that page...

<http://adnetserver.com/?cmpname=ranr&gai=swranr&gli=5993&gff=pp_353726715&ed=2&ex=5&eu=http%3A%2F%2Fadvancedcleaner.com%2F.cleaner%2Findex.php%3Ftmn%3Dadctmp%26clone_name%3Dswpadcex%26ida%3Dswranr_exx51%26led%3D5993%26afr%3Dpp_353726715&cmpname=null&tmn=es31&eai=swranr&eli=5993&eaf=pp_353726715&mt_info=5290_0_14217&rdr=1>


Viewing the source of the web page shows:

<html>
<script>

var main_url = "http://adfarm.mediaplex.com";
var type = "";
var dest_place = "";
var new_querys = "";

now = new Date();
offset = now.getTimezoneOffset()/60;
z = -(offset);

mpt = new Date();
mpts = mpt.getTimezoneOffset() + mpt.getTime();

var vars = window.location.search.substring(1).split("&");
for (var i=0;i<vars.length;i++) {
    var pair = vars[i].split("=");
    if (pair[0] == "dest") {
        var parce = pair[1].split("-");
        type = parce[0];
        dest_place = parce[1];
        for (var j=2;j<parce.length;j++) {
            dest_place += "-"+ parce[j];
        }
    }else{
        new_querys += "&" + vars[i];
    }
}

if (dest_place){
    document.location.replace(main_url+"/ad/"+type+"/"+dest_place+"?zzt="+z+new_querys+"&mpt="+mpts);
}
</script>
<body>
</body>

Edited by Orange Blossom, 21 April 2008 - 09:53 PM.
Deactivate hot-link. Move to more appropriate forum. ~ OB
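
Added example, not part of the original post: a static triage of the two artifacts quoted above, written for Node.js. It decodes the URL nested inside the posted address and re-runs the posted script's `dest` parsing as a pure function that returns the target string instead of navigating. The function names and the re-joined URL constant are assumptions made for this example.

```javascript
// Added example (not from the post). Pure string handling: nothing is fetched.
// URL as quoted in the post, with its line wraps re-joined (assumption).
const OBSERVED =
  "http://adnetserver.com/?cmpname=ranr&gai=swranr&gli=5993&gff=pp_353726715&ed=2&ex=5" +
  "&eu=http%3A%2F%2Fadvancedcleaner.com%2F.cleaner%2Findex.php%3Ftmn%3Dadctmp" +
  "%26clone_name%3Dswpadcex%26ida%3Dswranr_exx51%26led%3D5993%26afr%3Dpp_353726715" +
  "&cmpname=null&tmn=es31&eai=swranr&eli=5993&eaf=pp_353726715&mt_info=5290_0_14217&rdr=1";

function tryParse(u) {
  try { return new URL(u); } catch { return null; }
}

// List query parameters whose decoded value is itself an http(s) URL,
// recursing into each one so chained redirect targets are all reported.
function nestedUrls(url, depth = 0, out = []) {
  const parsed = depth <= 5 ? tryParse(url) : null; // depth cap stops decode loops
  if (!parsed) return out;
  for (const [param, value] of parsed.searchParams) {
    const inner = /^https?:\/\//i.test(value) ? tryParse(value) : null;
    if (inner) {
      out.push({ depth, param, host: inner.hostname, url: value });
      nestedUrls(value, depth + 1, out);
    }
  }
  return out;
}

// The posted script's parsing, returning the target instead of calling
// document.location.replace(). tzOffsetMin and nowMs replace the Date() calls
// so the result is repeatable. Returns null when there is no usable dest=.
function resolveRedirect(search, tzOffsetMin = 0, nowMs = 0) {
  let type = "", destPlace = "", newQuerys = "";
  for (const v of search.replace(/^\?/, "").split("&")) {
    const pair = v.split("=");
    if (pair[0] === "dest") {
      const parts = (pair[1] || "").split("-"); // dest=<type>-<place>[-<more>]
      type = parts[0];
      destPlace = parts.slice(1).join("-");
    } else {
      newQuerys += "&" + v;
    }
  }
  if (!destPlace) return null;
  const z = -(tzOffsetMin / 60);
  return "http://adfarm.mediaplex.com/ad/" + type + "/" + destPlace +
    "?zzt=" + z + newQuerys + "&mpt=" + (tzOffsetMin + nowMs);
}

console.log(nestedUrls(OBSERVED));
console.log(resolveRedirect(new URL(OBSERVED).search)); // null: no dest= in this URL
```

Listing the hosts this way gives a set of names to look for in proxy or DNS logs and to block, without loading any of the pages.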

