stay away from maps4fun.org

phantazm
Posts: 4906
Joined: Thu Jan 03, 2008 1:46 pm

Dangerous urls

Post by phantazm » Mon Jan 05, 2009 2:41 pm

Perhaps it would be a good idea if WOT checked a new link,
and if not green, automatically changed it to a passive link..?

petersohn
Posts: 74
Joined: Sun Jul 13, 2008 9:08 am

My research

Post by petersohn » Mon Jan 05, 2009 6:40 pm

Okay, this is what I've done:
- I typed www . maps4fun . org into Firefox, I arrived at a page, got the WOT warning, ignored it, and there was a site which seems to be legitimate. I don't say it is, but it doesn't seem like a typical malware site.
- I searched for maps4fun at Google. I got maps4fun . com as first, and maps4fun . org as the second hit.
- The first one is unrated by WOT, and also seems legitimate.
- As for the second one, I would expect to see the same site as before, but instead I get redirected to virusandspywarescaning . com; no WOT warning. I don't think I have to explain what I found there.

So come on, please rate virusandspywarescaning . com red fast!

Athlonite
Posts: 1198
Joined: Tue Oct 07, 2008 11:31 am

It's still there!!

Post by Athlonite » Mon Jan 05, 2009 7:48 pm

OK, I just had to try it again. I was still in Sandboxie and again it opened a window
unsandboxed. No matter what I tried to do (click the X at the top) it still redirected me
to the scanner page (Antivirus 2009) and started the scan. I didn't let it finish and closed all browsers, sandboxed and unsandboxed. The funny thing this time is that
the warning that you get to scan your PC for infection was in French. So, it must have
moved from its first location. This is what the top of the warning says:

"The page at Antispywarescanner.com says:" (Is it possible that they are
using this site without authorization?)

That's the heading of the warning, but the body of the pop-up is all French and says
that your PC is infected and asks you IF you would like to install "Antivirus 2009".
Pretty polite for malware distributors.

If you do a Google search for "maps4fun", Google will also suggest looking at
"Map4fun", which seems to be a legitimate site. Here's the address:
map4fun.com/en/. Now no one has rated this site yet and SiteAdvisor
doesn't have a rating for it either. I did not rate this site because I haven't fully
checked it out. If someone here could also verify the authenticity of this site, it would
give me a hand in making a good decision about it.

Athlonite.

Your help is always needed.

Guest

Re Research

Post by Guest » Mon Jan 05, 2009 8:20 pm

It's all red now. Well done for going there, a big risk for most. From what you and Athlonite say, everyone else should stay clear. It sounds a very bad site.

Athlonite
Posts: 1198
Joined: Tue Oct 07, 2008 11:31 am

RE.

Post by Athlonite » Mon Jan 05, 2009 11:53 pm

Thanks everyone!
I have left my mark on this site also. I went again, but this time I let it scan my PC and then it gave me a report. WOW! If I had any two of these infections, my PC could NOT function at all.

Now, after the report stating that I had ZLOB and other very nasties, I clicked on the Cancel button. WELL, right away it started the download of the Antivirus 2009. No wonder so many people get infected. No matter what button you click on, YOU ARE CAUGHT. It will install itself whether or not you want it.

I have cleaned many infected PCs with this malware and also the Antivirus 360. They are the worst so far. MalwareBytes Antimalware will clean SOME of this infection, enough for your PC to be able to re-connect to antimalware sites.

From the HijackThis logs that I have seen, they also leave behind a ROOTKIT. If you should come across this one, "MSAntivirus", MalwareBytes will delete some of the infected files, but these are not completely gone:

C:\WINDOWS\system32\TDSSdxcp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkkai.log (Trojan.TDSS) -> Quarantined and deleted successfully.

The only way to completely rid your PC of these is with "ComboFix".
I hope this info will be of help.

Athlonite.


Your help is always needed.

c۞g
Posts: 21225
Joined: Mon Jan 05, 2009 4:02 am

no forced install

Post by c۞g » Tue Jan 06, 2009 1:09 am

The only interference I experience with FF [current] is WOT's warning screen.
I've clicked every click to click and no fake AV installs.
There is nothing malicious about this site at all; in fact it's kind of cute.
Also, there is this link at the bottom - prob. the web design company:
http://www.ihoos.net/

BTW, maps4fun.org seems pretty legit. Domain Dossier: http://centralops.net/co/DomainDossier.aspx?addr=maps4fun.org&dom_whois=true&dom_dns=true&net_whois=true&svc_scan=true
as does ihoos.net - Domain Dossier: http://centralops.net/co/DomainDossier.aspx?addr=ihoos.net&dom_whois=true&dom_dns=true&net_whois=true&svc_scan=true

Sami
Posts: 6987
Joined: Sat Oct 07, 2006 11:43 am

Re: no forced install

Post by Sami » Tue Jan 06, 2009 1:27 am

"There is nothing malicious about this site at all"

Unless you happen to open it from Google, in which case it redirects you to a malware site:

$ wget -S -O file.html --referer="http://www.google.com/" http://maps4fun.org/
...
Resolving maps4fun.org... 76.163.186.238
Connecting to maps4fun.org|76.163.186.238|:80... connected.
...

HTTP/1.1 302 Found
...
Location: http://87.248.180.89/topic.html?s=s
...

HTTP/1.1 302 Found
...
Location: http://newlyclickssystem.cn/soft.php?aid=0865&d=1&product=XPA&refer=ff94bbac7
...

HTTP/1.1 302 Found
...
Location: http://virusandspywarescaning.com/2009/1/freescan.php?nu=880865
...

I'd say it's pretty malicious, although probably because of a compromised server. This is pretty common these days and makes it more difficult for the site owner or someone trying to verify the problem to notice it. If you remove the --referer parameter, it opens up the front page normally.
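
The with/without-Referer comparison from the post above, automated for site owners and verifiers; this is an added example, not part of the original post. The names `redirect_chain`, `referer_cloaking`, `_StubSite` and the `/elsewhere` path are assumptions, and the stub is a constructed local stand-in so the check runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit
_CONN = {"http": http.client.HTTPConnection, "https": http.client.HTTPSConnection}

def redirect_chain(url, referer=None, max_hops=10):
    """Follow 3xx responses by hand; return every URL visited, in order."""
    chain = [url]
    for _ in range(max_hops):
        parts = urlsplit(chain[-1])
        conn = _CONN[parts.scheme](parts.netloc, timeout=5)
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", target, headers={"Referer": referer} if referer else {})
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location")
        conn.close()
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        chain.append(urljoin(chain[-1], location))
    return chain

def referer_cloaking(url, referer="http://www.google.com/"):
    """Return both chains if the referred visit is routed differently, else None."""
    direct, referred = redirect_chain(url), redirect_chain(url, referer)
    return None if direct == referred else {"direct": direct, "referred": referred}

class _StubSite(BaseHTTPRequestHandler):
    """Constructed stand-in: redirects only visitors arriving from a search engine."""
    def do_GET(self):
        cloaked = self.path == "/" and "google." in self.headers.get("Referer", "")
        self.send_response(302 if cloaked else 200)
        if cloaked:
            self.send_header("Location", "/elsewhere")  # placeholder target
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo quiet

def demo(referer="http://www.google.com/"):  # run the check against the stub
    server = HTTPServer(("127.0.0.1", 0), _StubSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return referer_cloaking("http://127.0.0.1:%d/" % server.server_port, referer)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

A non-`None` result means the server answers search-referred visitors differently from direct ones, which is why an owner who types the address directly sees nothing wrong.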

Athlonite
Posts: 1198
Joined: Tue Oct 07, 2008 11:31 am

Be aware !!

Post by Athlonite » Thu Jan 15, 2009 1:28 am

I am about to put together a tutorial on how to get rid of Antivirus 2009 and came across
this site which you people here at WOT should visit and make sure you warn everyone you know about ALL the variants involved with this Rogue Program. I won't start to name them all because I would need two posts. But here is the address where you can
check out the info. Just look on the right-hand side of the page and click on the names.
A complete profile comes up along with the method and manual removal procedure.

http://www.xp-vista.com/

Athlonite.


Your help is always needed.

Xp54321
Posts: 1046
Joined: Sun Oct 05, 2008 3:14 am

SpyHunter

Post by Xp54321 » Thu Jan 15, 2009 2:38 am

The link says to use SpyHunter, a former rogue and now a mediocre removal program. I do not recommend SpyHunter and while the tutorials are good (Lists all the stuff to nuke); don't use SpyHunter. ;)

YoKenny
Posts: 1179
Joined: Wed Aug 13, 2008 4:52 pm

SpyHunter is mediocre

Post by YoKenny » Thu Jan 15, 2009 3:02 pm

Malwarebytes MBAM is the best!

It has just been updated to v1.33:
http://www.malwarebytes.org/mbam.php
