G
Guest
The results of my search thus far.
The offending IP
http://66.250.130.200/
aka, thesten.com, thesten.net, thestas.com, spyass.com, spyorg.com, etc.etc.
and making use of Windows/system32/redir.exe to change the URLs of webpages to their own by use of a test.html page containing the URL list which I have downloaded to my computer, so that I can verify this..
Found in jp_i.cache
VerifierBug.class
Dummy.class
VideoPullPlayer.jar
tradecontrol.jar
counter.jar
Found in windows media player folder.
Loader.exe
and another .exe which I forgot the name of, but I suspect they rename files so that the situation is always in flux.
The counter works in conjunction with redir.exe to tell it to "key" to certain words, then it then changes a URL on the page to one on the list.
The offending IP
http://66.250.130.200/
aka, thesten.com, thesten.net, thestas.com, spyass.com, spyorg.com, etc.etc.
and making use of Windows/system32/redir.exe to change the URLs of webpages to their own by use of a test.html page containing the URL list which I have downloaded to my computer, so that I can verify this..
Found in jp_i.cache
VerifierBug.class
Dummy.class
VideoPullPlayer.jar
tradecontrol.jar
counter.jar
Found in windows media player folder.
Loader.exe
and another .exe which I forgot the name of, but I suspect they rename files so that the situation is always in flux.
The counter works in conjunction with redir.exe to tell it to "key" to certain words, then it then changes a URL on the page to one on the list.