
Help with malware website diagnosis


7 replies to this topic

#1 conib (Members, 4 posts)

Posted 13 November 2011 - 05:50 PM

Hello!

A couple of hours ago my spouse called me over to look at what appeared to be a virus alert apparently generated after clicking on a link sent in an email from a friend.

I saw that the browser was displaying a site that said it had scanned the computer. There was also a pop-up that said it wanted to run Windows Defender. I tried to cancel the pop-up, which generated another pop-up. I then killed Firefox via the Task Manager.

Norton Internet Security 2012 was and is still running and has never generated any kind of warning or alert about anything.

My spouse says that only the link in the email had been clicked, nothing else prior to calling me over.

Can anyone point me to someone or some entity that can look at the website in question and tell me what kind of issues I should be looking for? (i.e. *was* there a driveby download, perhaps that happened when I clicked on the cancel button -- ouch --, or ...?) I'd like to know what, if anything, may have been compromised.

I won't type the URL here, but can (for example) email it upon request.

My spouse's computer is running Windows 7 x64 with Norton Internet Security 2012.

Thanks for reading this far, and thanks in advance for any help!


#2 Broni (BC Advisor, 42,698 posts, Daly City, CA)

Posted 13 November 2011 - 09:13 PM

Welcome aboard

Post the link in non-clickable form.
For instance: www_dot_google_dot_com



#3 conib (Topic Starter, Members, 4 posts)

Posted 13 November 2011 - 09:49 PM

Hi Broni, and thanks for the welcome!

Here's the link, in non-clickable form:

feelthemusic_host56_com/templates/feel-the-music/blog.php?html138

(there's no "www" in front of "feelthemusic")

#4 Broni (BC Advisor, 42,698 posts, Daly City, CA)

Posted 13 November 2011 - 10:34 PM

The site is listed in "orange" by WOT: http://www.mywot.com/en/scorecard/feelthemusic.host56.com
No complaints listed though.
It's registered in Lithuania: http://whois.domaintools.com/host56.com

However if you try to go to "feelthemusic_host56_com/templates/feel-the-music/blog.php?html138" it redirects you to: healthlnesscare_dot_com, which is listed by WOT in red (dangerous): http://www.mywot.com/en/scorecard/healthlnesscare.com
One comment there:

"(Canadian Health&Care Mall is an illegal Pharmacy Operated/Promoted by Criminals - Scam/Spam/Phish)"




#5 conib (Topic Starter, Members, 4 posts)

Posted 14 November 2011 - 01:43 PM

Thanks for the info and links to WOT.

Can you tell me the (nonclickable) full path of the redirect?

According to various posts to the WOT forum the general pattern of the Canadian Health & Care Mall sites is to sell pharmaceuticals; however, the webpage I was looking at was spoofing the results of a virus scan and displaying a pop-up to run "Windows Defender".

Do you happen to know of someone or some entity that can look at and tell me what that end site is actually doing? My concern is that it was attempting to install a trojan of some sort, and it would be good to know what to look for in case it was successful.

#6 Broni (BC Advisor, 42,698 posts, Daly City, CA)

Posted 14 November 2011 - 04:37 PM

This is the redirection "feelthemusic_host56_com/templates/feel-the-music/blog.php?html138"



#7 conib (Topic Starter, Members, 4 posts)

Posted 14 November 2011 - 06:00 PM

If I'm understanding you correctly, I believe you're saying (in your post yesterday at 7:34PM) that "feelthemusic_host56_com/templates/feel-the-music/blog.php?html138" redirects to some URL in the "healthlnesscare_dot_com" domain. Is that right?

If so, then can you tell me the full path that "feelthemusic_host56_com/templates/feel-the-music/blog.php?html138" is redirecting to? (i.e. a URL within the "healthlnesscare_dot_com" domain.)

#8 Broni (BC Advisor, 42,698 posts, Daly City, CA)

Posted 14 November 2011 - 06:43 PM

If you type "feelthemusic_host56_com/templates/feel-the-music/blog.php?html138" (clickable, no quotes) it doesn't go there but it's immediately redirected to "healthlnesscare_dot_com".

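The redirect chain conib keeps asking for is something a responder records with a script rather than by loading the page in a browser. The following is an added example, not code from the thread or from BleepingComputer: it fetches one hop at a time with redirect following disabled, logs each HTTP Location hop and any meta-refresh hop in the returned HTML, and never renders or executes the landing page, so each hostname in the chain can then be checked against a reputation service such as WOT. The hostnames in the built-in sample are constructed placeholders, and `trace`, `http_fetch`, `NoRedirect` and `demo` are names chosen for this example.

```python
import re
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin

META_REFRESH = re.compile(  # <meta http-equiv="refresh" content="N;url=..."> hops in HTML
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)', re.I)

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse every 3xx so urllib raises HTTPError and each hop stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_fetch(url):
    """One request without redirect following: (status, Location header, body text)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "redirect-tracer/0.1"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location"), resp.read(65536).decode("utf-8", "replace")
    except HTTPError as err:  # 3xx lands here because NoRedirect declined to follow it
        return err.code, err.headers.get("Location"), ""

def trace(url, fetch=http_fetch, max_hops=10):
    """Walk the chain one hop at a time; return [(url, status), ...] in visiting order."""
    hops, seen = [], set()
    while url not in seen and len(hops) < max_hops:  # 'seen' stops redirect loops
        seen.add(url)
        status, location, body = fetch(url)
        hops.append((url, status))
        if 300 <= status < 400 and location:
            url = urljoin(url, location)  # a Location header is allowed to be relative
            continue
        match = META_REFRESH.search(body)
        if match:
            url = urljoin(url, match.group(1))
            continue
        break
    return hops

# Constructed offline sample (placeholder hosts): a 302 hop, then a meta-refresh hop.
SAMPLE = {
    "http://first.example/blog.php?x": (302, "http://second.example/landing", ""),
    "http://second.example/landing": (200, None, '<meta http-equiv="refresh" content="0;url=/final.html">'),
    "http://second.example/final.html": (200, None, "<html>landing page</html>"),
}

def demo():
    """Trace the constructed sample with no network access; returns the three hops."""
    return trace("http://first.example/blog.php?x", fetch=lambda u: SAMPLE.get(u, (404, None, "")))
```

For a live URL call `trace("http://...")` from a throwaway VM; JavaScript-driven redirects are not detected by this tracer, so an empty chain does not prove the page is harmless.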


 




