Summary: the site adxtend.net, through kontera.com and (possibly) fc.webmasterpro.de / miislita.com / doubleclick.net / atdmt.com, attempts to install the ad pop-up generator "Outerinfo" without your knowledge or approval.

WEBSITES TO BLOCK (June 2007; use security settings or hosts file):

*!*   *.adxtend.net       (the executable files are from adxtend.net!)
*!*   *.kontera.com       http://kona.kontera.com
*?    *.webmasterpro.de   http://fc.webmasterpro.de   (read the note/update re: webmasterpro.de)
*?    http://www.miislita.com/
*?    http://ad.doubleclick.net
*?    http://rmd.atdmt.com


*? = suspicious -- not confirmed offenders, but block anyway because one of these allowed the ad file from adxtend.net to load!
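
An added example (not part of the original page): a check of an existing hosts file against the block list above, reporting which lines still need to be added. It assumes 127.0.0.1 as the sink address, and the sample hosts text is constructed; the hosts file matches exact names only, so the "*.domain" entries are reported separately for the browser's security settings (Internet Explorer's Restricted sites zone accepts that form).

```python
from urllib.parse import urlsplit

# Block-list entries as written on this page (June 2007).
BLOCK_LIST = ["*.adxtend.net", "*.kontera.com", "http://kona.kontera.com",
              "*.webmasterpro.de", "http://fc.webmasterpro.de",
              "http://www.miislita.com/", "http://ad.doubleclick.net",
              "http://rmd.atdmt.com"]
SINKS = {"127.0.0.1", "0.0.0.0"}  # addresses treated as "blocked" (assumption)

def to_host(entry):
    """Return (hostname, is_wildcard) for a URL or '*.domain' entry."""
    entry = entry.strip().lower()
    if entry.startswith("*."):
        return entry[2:], True
    return urlsplit(entry if "//" in entry else "//" + entry).hostname, False

def parse_hosts(text):
    """Map hostname -> address; handles comments and several names per line."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping

def audit(hosts_text, entries=BLOCK_LIST):
    """Return (hosts lines still to add, wildcard entries hosts cannot express)."""
    current = parse_hosts(hosts_text)
    to_add, wildcards = [], []
    for entry in entries:
        host, is_wild = to_host(entry)
        if is_wild:
            wildcards.append("*." + host)  # hosts can only pin the bare domain
        line = f"127.0.0.1\t{host}"
        if current.get(host) not in SINKS and line not in to_add:
            to_add.append(line)
    return to_add, wildcards

# Constructed sample hosts file: one listed host is already blocked.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   ad.doubleclick.net   # added earlier
"""

if __name__ == "__main__":
    lines, wild = audit(SAMPLE_HOSTS)
    print("\n".join(lines))
    print("subdomains need zone or DNS-level blocking:", ", ".join(wild))
```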

Summary: Offenders (find and delete if new to your system). Files created:

is67678.exe, xrun.exe, MBDownloader_876919.exe, MBDownloader*.exe, snapsnet.exe, wr-1-2000219.exe, chvdct.exe


C:\Documents and Settings\LUSER\Local Settings\Temporary Internet Files\Content.IE5\AR4RK983\xrun[1].exe
C:\Documents and Settings\LUSER\Local Settings\Temporary Internet Files\Content.IE5\AR4RK983\CAWQ4V3H.exe
C:\Documents and Settings\LUSER\Local Settings\Temp\xrun.exe
C:\Documents and Settings\LUSER\Local Settings\Temp\is67678.exe
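
An added example (not part of the original page): a name-based sweep of a Temp or Temporary Internet Files folder for the files listed above. Internet Explorer's cache stores copies as "name[1].exe" and the McAfee log further down shows upper-case names, so both are normalised before matching; the function names are this example's own.

```python
import fnmatch
import os
import re

# File names listed on this page. The page spells one name both
# 'chvdct.exe' and 'chdvct.exe', so both spellings are included.
OFFENDERS = ["is67678.exe", "xrun.exe", "MBDownloader*.exe", "snapsnet.exe",
             "wr-1-2000219.exe", "chvdct.exe", "chdvct.exe"]

# IE cache copy counter, e.g. the '[1]' in 'xrun[1].exe'.
_CACHE_COUNTER = re.compile(r"\[\d+\](?=\.[^.]+$)")

def normalize(filename):
    """Lower-case the name and drop the cache counter: 'XRUN[1].EXE' -> 'xrun.exe'."""
    return _CACHE_COUNTER.sub("", filename.lower())

def is_offender(path):
    """True if the file name (Windows or POSIX path) matches a listed name."""
    name = normalize(re.split(r"[\\/]", path)[-1])
    return any(fnmatch.fnmatchcase(name, pat.lower()) for pat in OFFENDERS)

def sweep(root):
    """Walk 'root' and return the sorted paths whose names match the list."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files if is_offender(f)]
    return sorted(hits)

if __name__ == "__main__":
    import sys
    for hit in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Matching by name does not catch cache copies stored under a random name, such as CAWQ4V3H.exe in the list above; those need a scanner or a review of files created at the same time.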

:: This virus requires Windows Scripting Host and the interpreter file "MSHTA.EXE" in order to execute. ::
C:\WINDOWS\system32\mshta.exe
:: This virus utilizes C:\WINDOWS\system32\MSINET.OCX :: ("Microsoft Internet Transfer Control" for Visual Basic 5 or 6)

MBDownloader_876919.exe  http://adxtend.net/MBDownloader_876919.exe  Application  100 KB  2007-06-07 06:31 AM  2007-06-25 06:25 PM
wr-1-2000219.exe         http://adxtend.net/wr-1-2000219.exe         Application  31 KB   2007-06-21 02:45 AM  2007-06-25 06:25 PM
is67678.exe              http://adxtend.net/is67678.exe              Application  38 KB   2007-06-18 02:44 PM  2007-06-25 06:25 PM
const.php                http://adxtend.net/code/const.php           HTML Document  1 KB  None                 2007-06-25 06:25 PM
Outerinfo-1281.exe       http://adxtend.net/Outerinfo-1281.exe       Application  942 KB  2007-06-12 01:12 AM  2007-06-25 06:25 PM
snapsnet.exe             http://adxtend.net/snapsnet.exe             Application  108 KB  2007-06-12 03:20 AM  2007-06-25 06:25 PM

? associated with/ identified as 'Trojan-Downloader.Win32.VB.axa' ?

 

[update July 7 2007, regarding WebmasterPro.de ]

[ someone from webmaster pro contacted us to protest their inclusion on this page. The explanation given is that some other site (probably adxtend.net) is using a counter provided by webmasterpro.de. It might be that, or it might be the embedded advertising... In any case, I'm moving them from 'block absolutely' to 'unconfirmed but block anyway' ]

 


Temp Folder File Info, and McAfee/Network Associates Detection/Nomenclature

Method of Infection - Installs automatically and silently when visiting certain websites using Microsoft Internet Explorer.

Attributes | Name | Description | Size | Type | Date Modified | Date Created | File Version | Product Name | Company | Product Version
A | ~DFD617.tmp | | 16 KB | TMP File | 2007-06-25 06:20 PM | 2007-06-25 06:20 PM
A | snapsnet.exe | | 108 KB | Application | 2007-06-25 06:25 PM | 2007-06-25 06:25 PM
A | Outerinfo-1281.exe | Outerinfo.com AdWare Installer | 942 KB | Application | 2007-06-25 06:25 PM | 2007-06-25 06:25 PM
A | ~DFC0C6.tmp | | 16 KB | TMP File | 2007-06-25 06:25 PM | 2007-06-25 06:25 PM
A | MBDownloader_876919.exe | Mirar 1.0.0.5 Affiliate Downloader AD Setup | 100 KB | Application | 2007-06-25 06:25 PM | 2007-06-25 06:25 PM | 1.0.0.5 | Affiliate Downloader AD Setup | M i r a r | 1, 0, 0, 5
HSA | removalfile.bat | (contents shown below) | 1 KB | MS-DOS Batch File | 2007-06-25 06:25 PM | 2007-06-25 06:25 PM
A | mitDB.tmp | Adware.Mirar (Spyware Bar Plugin). Includes: BAR_VCSETUP_876919_LOG_IES_NODMY_AFF.EXE\00075110.EXE (Mirar Toolbar). * Adware-Mirar (Adware) | 257 KB | archive (compressed folders) | 2007-06-25 06:25 PM | 2007-06-25 06:25 PM
A | adkseimop43855.exe | | 113 KB | Application | 2007-06-25 06:26 PM | 2007-06-25 06:26 PM
A | chdvct.exe | | 216 KB | Application | 2007-06-25 06:26 PM | 2007-06-25 06:26 PM

Contents of removalfile.bat:

    @echo off
    :df
    del %1
    if exist %1 goto df

is67678.exe Vundo (Trojan) * Vundo (Trojan)
C:\Program Files\Outerinfo\OUTERINFOUPDATE.EXE Adware-ClickSpring (VARIANT: Outerinfo.com) Downloader-BCF (Trojan)
wr-1-2000219.exe\wr-1-2000219.exe
= PER MCAFEE VIRUS SCAN ENTERPRISE: =
2007-06-25	11:32 PM	Deleted
 	c:\Documents and Settings\luser\Local Settings\Temp\is67678.exe	Vundo(Trojan)
2007-06-25	11:44 PM	Deleted
 	c:\Documents and Settings\luser\Local Settings\Temp\mitDB.tmp.cab \NNBAR_VCSETUP_876919_LOG_IES_NODMY_AFF.EXE\00075110.EXE	Adware-Mirar (VARIANT = outerinfo)
2007-06-25	11:46 PM	Deleted
  	c:\Documents and Settings\luser\Local Settings\Temp\mitDB.tmp.cab \NNBAR_VCSETUP_876919_LOG_IES_NODMY_AFF.EXE\00019110.EXE	Adware-Mirar (VARIANT)
2007-06-25	11:46 PM	Deleted
 	c:\Documents and Settings\luser\Local Settings\Temp\NNBar_VCSetup_876919_LOG_IES_NoDMY_AFF.exe\00075110.EXE	Adware-Mirar (AdWare)
2007-06-25	11:46 PM	Deleted
 	c:\Documents and Settings\luser\Local Settings\Temp\wr-1-2000219.exe\wr-1-2000219.exe	Downloader-BCF (Trojan)

2007-06-26	12:08 AM	Deleted
  	temp-internet-files_content.IE5-quarantined.rar\OUTERINFOUPDATE.EXE	-- Adware-ClickSpring (AdWare); Adware-Outerinfo (AdWare)

2007-06-26	12:08 AM	Deleted
 	temp-internet-files_content.IE5-quarantined.rar\IS67678[1].EXE	-- Vundo (Trojan) 

2007-06-26	12:08 AM	Deleted
 	temp-internet-files_content.IE5-quarantined.rar\WR-1-2000219[1].EXE	-- Vundo (Trojan) 

Because Adware.Mirar functions as a Microsoft Internet Explorer plugin, it is necessary to close all open Internet Explorer windows to remove it.

More info: http://www.symantec.com/security_response/print_writeup.jsp?docid=2004-091714-4329-99
http://www.symantec.com/security_response/writeup.jsp?docid=2004-091714-4329-99&tabid=2

http://www.symantec.com/security_response/writeup.jsp?docid=2004-091714-4329-99&tabid=1

---

OinADInst.exe (found in 'Temp' directory: C:\Documents and Settings\luser\Local Settings\Temp)

Info from http://www.fileresearchcenter.com/O/OINADINST.EXE-10950.html :

Summary : Adware.ClickSpring/Outer Info Network-Installer.Process
   
Description : Outer Info/ClickSpring adware-related process. May be deployed with/used by several applications distributed by or affiliated with ClickSpring.

Adware applications, toolbars and browser extensions may serve advertisements even while you are not surfing the Internet.

This application may serve various types of advertising, not limited to pop-up ads.
   
Company : Outerinfo.com
(http://www.outerinfo.com)
   
Threat Level : 7
Category : ADWARE
   
Processes : OINADINST.EXE

 

 

Posted/ Date Available: June 25 2007
Submitted to lyberty.com from "L.R. Miller"
Last Updated: July 8 2007
