-
November 15th, 2003, 03:38 PM
#1
RealPhx
Now this really isn't a virus, it's actually adware, but this is the closest forum I could find for it... Well, recently I have been seeing a lot of links in people's AIM profiles to either www.realphx.com or www.talkstocks.net ... When you click on either one of those sites, a window pops up asking you to download a "plugin" for IE, when in fact it clearly states at the bottom of the page that this is adware. Once you go to the site, you are trapped in a loop between saying no to downloading it, and clicking OK to the "download aborted, you must click yes" box, which brings you right back to the first box. Then, after a few more clicks, it asks you to download either iav.hta or detour.hta, both of which are adware. Even worse, if you download it, then want to remove it, the link on the bottom of the page that says "Click here to remove our adware from your computer" does not work. Just thought I'd give the heads up...
slick
"Look, Doc, I spent last Tuesday watching fibers on my carpet. And the whole time I was watching my carpet, I was worrying that I, I might vomit. And the whole time, I was thinking, 'I'm a grown man. I should know what goes on in my head.' And the more I thought about it... the more I realized that I should just blow my brains out and end it all. But then I thought, well, if I thought more about blowing my brains out... I start worrying about what that was going to do to my goddamn carpet. Okay, so, ah-he, that was a GOOD day, Doc. And, and I just want you to give me some pills and let me get on with my life." -Roy Waller
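The behaviour described above (a site that pushes an IE "plugin" and then the iav.hta / detour.hta droppers) is easy to spot in web proxy logs. Below is an added example, not code from the original thread, that flags requests to the hosts and filenames named in this thread and any other .hta download; the log format (timestamp, client, method, URL, status) and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines: timestamp client method url status.
SAMPLE_LOG = """\
1068912000.123 10.0.0.5 GET http://www.realphx.com/ 200
1068912003.456 10.0.0.5 GET http://www.realphx.com/iav.hta 200
1068912010.789 10.0.0.7 GET http://www.talkstocks.net/detour.hta 200
1068912020.000 10.0.0.9 GET http://www.example.org/index.html 200
1068912030.500 10.0.0.9 GET http://69.28.208.72/something.exe 200
"""

# Indicators taken from the thread: the two sites, the shared hosting IP
# and the two HTA files the sites ask the visitor to download.
SUSPECT_HOSTS = {"www.realphx.com", "realphx.com",
                 "www.talkstocks.net", "talkstocks.net", "69.28.208.72"}
SUSPECT_FILES = {"iav.hta", "detour.hta"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def classify(url):
    """Return the list of reasons a URL is suspicious (empty if none)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if host in SUSPECT_HOSTS:
        reasons.append("known adware host")
    if filename in SUSPECT_FILES:
        reasons.append("known adware dropper")
    elif filename.endswith(".hta"):
        # HTML Applications run outside the IE security zones, so any
        # unexpected .hta download is worth a look even from an unknown host.
        reasons.append("HTA download")
    return reasons


def scan_log(text):
    """Parse the log and return (client, url, reasons) for each flagged request."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        reasons = classify(m["url"])
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, ", ".join(reasons))
```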
-
November 15th, 2003, 04:34 PM
#2
Well!
That was the best DoS attack I have tried in ages
I locked up and had to do a cold boot to get back... I guess that my "countermeasures" behaved like a "pack of mountain lions with a jackrabbit thrown between them".
For P2P stuff, I recommend having a look at this site, it is worth a visit anyway http://www.bitdefender.com/
You should also look at your ActiveX security settings... and set Java to high security?
Just a few thoughts
Cheers
-
November 16th, 2003, 05:06 AM
#3
Junior Member
I had realphx on my computer, I hate whoever created that haha. I went through the registry and deleted it.
-
November 19th, 2003, 04:21 AM
#4
Member
That seems to be running rampant through AIM. Many users' profiles have it listed in there. Here's what Symantec thinks the program is.
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Sinkin
File: C:\WINDOWS\b.exe
Location: C:\WINDOWS
Computer: AMD450
User: Amy
Action taken: Clean failed : Delete succeeded : Access denied
Date found: Tue Nov 18 21:57:17 2003
What do you say we tell Mr. Ryan Lakey @ admin@realphx.com what we think of his program. This could be a fake name but it's a pretty good place to start. Here is info from realphx and talkstocks.net. Notice they are the same contact info. I am on a mission to find this guy's email and home phone number and publish it to the hacker community. These sites took advantage of many users at his expense. I am out for revenge. I have already started by reporting them to abuse@peer1.net which is the host of that IP range. I plan to do much more.
Registrant:
RealPhx
C.F. Mollers Alle
Aarhus, Not Applicable DK-8000
DK
+45.89421115
Domain Name: REALPHX.COM
Administrative Contact:
Lackey, Ryan admin@realphx.com
C.F. Mollers Alle
Aarhus, Not Applicable DK-8000
DK
+45.89421115
Technical Contact:
Lackey, Ryan admin@realphx.com
C.F. Mollers Alle
Aarhus, Not Applicable DK-8000
DK
+45.89421115
Record last updated 11-10-2003 04:40:09 PM
Record expires on 05-21-2004
Record created on 05-21-2003
---------------------------------------------
Registrant:
RealPhx
C.F. Mollers Alle
Aarhus, Not Applicable DK-8000
DK
+45.89421115
Domain Name: TALKSTOCKS.NET
Administrative Contact:
Lackey, Ryan admin@realphx.com
C.F. Mollers Alle
Aarhus, Not Applicable DK-8000
DK
+45.89421115
Technical Contact:
Lackey, Ryan admin@realphx.com
C.F. Mollers Alle
Aarhus, Not Applicable DK-8000
DK
+45.89421115
Record last updated 11-10-2003 04:39:44 PM
Record expires on 03-14-2004
Record created on 03-14-2002
Domain servers in listed order:
NS1.LOUDHOSTING.COM 69.28.208.72
NS2.LOUDHOSTING.COM 69.28.208.68
-
November 19th, 2003, 04:50 AM
#5
Member
Here's some good information about them. This tells about all the people on the website right now that could be getting infected as you look at this.
http://69.28.208.72///server-status
Both of the websites are run from this IP address. A port scan shows many TCP ports open:
21 - ftp
22 - ssh v1.99 OpenSSH 3.4p1
25 - smtp - Qmail toaster v1.0 smtp server ESMTP
80 - http - Apache
110 - pop3
111 - sunrpc
143 - imap
389 - ldap
993 - imaps
995 - pop3s
3306 - mysql
The open UDP ports are:
53 - DNS
68 - bootpc
111 - rpc
123 - NTP
135 - epmap
137 - netbios
138 - netbios-dgm
445 - Microsoft CIFS
520 - routed rip
A few alerts:
fam service running - you can run arbitrary commands as root
couple MySQL vulnerabilities
Apache vulnerabilities
Critter
http://www.chrisstokes.com
Man, I hate it when people take advantage of the inexperienced users. That really pisses me off. I don't know about you all, but I intend on doing something about this situation. I will make sure the authorities take it down or else I will!
-
November 19th, 2003, 04:58 AM
#6
Good stuff critter... Anyways I am currently writing a tutorial on how to remove it all from your computer. Almost all of my friends have it on their machines and it is annoying to view their profile and to be constantly harassed. Anyways, tutorial should be done by the end of this week... read it
EDIT: Well I got too excited and I finished my mini tutorial, you can go to http://www.antionline.com/showthread...hreadid=251135 and download it... I hope it fixes your problems
Support your right to arm bears.
^^This was the first video game which i played on an old win3.1 box