Okay, there is no list of sites. We are also a retail computer repair shop and we have been dealing with this program for over a year now. The story is, its first job is to see if you design websites. If you do and you use something like FrontPage, it will steal your login info, go to your site, then infect your index with a script redirecting the visitor to the picture that tells them they are infected, and will deposit the infection into their temporary folder and add a run command in the registry. I've also seen the files in the Java folder and the temp and prefetch folders as well as the software distribution folders.

If you do use a webhost, most if not all hosting services have forced the change of passwords as well as taken away support for FrontPage extensions, even though Microsoft did away with them as well a while back. The United States Post Office was infected, Kroger was infected, the YMCA, and thousands of others. Google now pre-checks for the infection and will actually block entry into the site until the host or domain holder contacts Google to request a review.

Anyhow, the program itself changes every couple of weeks or so in order to get past Norton and the rest. The goal is to have the infected persons click and pay cash, which is just extortion because the program they think they are buying does nothing. And eventually the PC cannot be used because it keeps taking away functions. 6 months ago it was estimated that this group has amassed over 5 million dollars this way. Last week it hit hard yet again. We have talks with little old ladies daily about having their bank reverse the charges, but they seem too confused to do that, so the crooks keep the cash.
So the answer is no. There is no list and can't be. No one is safe from these people unless we all lock down our passwords and not auto save them in the web design software. Also be aware that a lot of the "Personal Anti-Virus" removal tools on the internet are also from the same people trying to get payment on both ends. Beware.

I used to tell people that if it popped up to not click on anything, unplug the PC totally and not to go to that site for a few days. Clicking the X to close was a fake; the thing was actually a picture and clicking anything installed it. Now it auto-installs and you're screwed.

The one from the past 2 weeks has been easier. It's been going just to the Program Files in a PAV folder. You have to go to safe mode, delete the folder, then go to regedit, HKLM\software\Microsoft\windows\currentversion\run and delete anything saying PAV or Personal Anti-Virus. Do the same in HKCU\software\microsoft\windows\currentversion\run AND the other step is to go to control panel and internet options and reset Internet Explorer, including deleting all user settings, or else the danger is that the infection also changed your browser and will redirect you to the infection yet again. Been there, done that.

This thing sucks but we've made lots of cash with it even though I hate making it from other people's misfortune. If you have any questions, ask, 'cause I've been everywhere with this little gem.

-----Original Message-----
From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On Behalf Of Scottie Arnett
Sent: Monday, September 21, 2009 3:51 PM
To: wireless@wispa.org; motor...@wispa.org
Subject: [WISPA] OT: Rouge antispyware

Does anyone have a complete list of URLs that these rogue antispyware programs use to deposit their payload? I am talking Personal Antivirus, Windows Police Pro, Antivirus 2009, etc... I found this site that lists URLs for each separately: http://www.spywarevoid.com/ .
My idea is to block all these URLs at my border router (while I still can...another topic). I am going to try to block them with Mikrotik, so I guess I will need all the IPs too?

Scottie

Wireless High Speed Broadband service from Info-Ed, Inc. as low as $30.00/mth.
Check out www.info-ed.com/wireless.html for information.

--------------------------------------------------------------------------------
WISPA Wants You! Join today!
http://signup.wispa.org/
--------------------------------------------------------------------------------

WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/
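
The manual check described in the reply above (the two Run keys and the PAV folder under Program Files), as an added read-only PowerShell example that is not part of the original thread. The match pattern and the helper name `Find-PavRunEntries` are assumptions made for illustration.

```powershell
# Added example: read-only audit of the locations named in the reply.
# The pattern is an assumption built from the strings the reply mentions
# ("PAV", "Personal Anti-Virus"); adjust it for other variants.
$Pattern = '\bPAV\b|Personal\s+Anti-?Virus'

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Find-PavRunEntries {   # hypothetical helper name
    param([string[]]$Keys, [string]$NamePattern)
    foreach ($path in $Keys) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }          # key absent or not readable
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            # Flag on either the value name or the command line it launches
            if ($name -match $NamePattern -or $data -match $NamePattern) {
                [pscustomobject]@{ Key = $path; Name = $name; Command = $data }
            }
        }
    }
}

$hits = @(Find-PavRunEntries -Keys $RunKeys -NamePattern $Pattern)

# The reply says recent variants install to a PAV folder under Program Files.
$folders = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'PAV' } |
    Where-Object { Test-Path -LiteralPath $_ }

if ($hits) { $hits | Format-List } else { 'No matching Run entries found.' }
if ($folders) {
    $folders | ForEach-Object { "Folder present: $_" }
} else {
    'No PAV folder under Program Files.'
}
```

The script only reads and reports; deleting the entries and the folder remains the manual safe-mode step the reply describes.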