Are Advertisers promoting Malware?

I was going to blog about another Trojan.Codec site I found, but truthfully this is getting boring … instead I thought I’d do a follow-up on something I saw at Sunbelt’s blog.


Looking at the image Sunbelt provided I saw oemtop(dot)com at the bottom. Now this is yet another “Google Warning” site … so do not visit there, as there are multiple exploits on this Warez-type site. In the image below you can see the cast of characters involved …



What I find disturbing is the two “CONNECT softwareprofit.com” entries. This is part of the WinFixer group … nice place to advertise your products: a Warez-type site that will infect your machine if you do not have the latest Windows updates, etc. … Now if you follow those connections:


hxxp://go.errorsafe.com/MTIxNjU=/2/3891// it redirects to the following:
hxxp://adfarm.mediaplex.com/ad/ck/45684?mpt=1177051780&aid=swp_ers&lid=3891&affid=pp_2296726171&p=ers&
(view safely here)


And another hxxp://go.winantivirus.com/MTM4MTM=/2/3891// that redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45678?mpt=1177052230&aid=swp_wa7p&lid=3891&affid=pp_2642226173&
(view safely here)


So here again we have “adfarm.mediaplex.com” involved with the WinFixer gang … Sandi and others have exposed this ValueClick ad server before, yet they have not changed their ways, suggesting that the $$$ is all they are after, even at the expense of their reputation.
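The two redirect pairs above can be taken apart to show what ties them together. The following Python is an added example, not code from the original post: it parses the quoted URLs offline, and it assumes (from the values alone) that the first path segment of the go.* links is base64 and that mpt is a Unix timestamp; the function names and the 127.0.0.1 HOSTS line format are choices made for the illustration.

```python
import base64
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Redirect pairs exactly as quoted in the post (still defanged with hxxp).
CHAINS = [
    ("hxxp://go.errorsafe.com/MTIxNjU=/2/3891//",
     "hxxp://adfarm.mediaplex.com/ad/ck/45684?mpt=1177051780&aid=swp_ers"
     "&lid=3891&affid=pp_2296726171&p=ers&"),
    ("hxxp://go.winantivirus.com/MTM4MTM=/2/3891//",
     "hxxp://adfarm.mediaplex.com/ad/ck/45678?mpt=1177052230&aid=swp_wa7p"
     "&lid=3891&affid=pp_2642226173&"),
]

def refang(url):
    # Restore the scheme only so urlsplit can parse it; nothing is fetched.
    return "http" + url[4:] if url.startswith("hxxp") else url

def analyse(landing, click):
    land, ck = urlsplit(refang(landing)), urlsplit(refang(click))
    segs = [s for s in land.path.split("/") if s]
    qs = {k: v[0] for k, v in parse_qs(ck.query).items()}
    return {
        "landing_host": land.hostname,
        "ad_host": ck.hostname,
        # Assumption: the first path segment is a base64-encoded id.
        "token": base64.b64decode(segs[0]).decode("ascii"),
        # The last path segment reappears as the lid query parameter.
        "lid": qs.get("lid"),
        "lid_matches_path": segs[-1] == qs.get("lid"),
        "aid": qs.get("aid"),
        "affid": qs.get("affid"),
        # Assumption: mpt is a Unix timestamp in seconds.
        "mpt_utc": datetime.fromtimestamp(int(qs["mpt"]), timezone.utc).isoformat(),
    }

def hosts_entries(chains):
    # HOSTS-file lines for every host seen in the chains (standard format).
    hosts = set()
    for landing, click in chains:
        r = analyse(landing, click)
        hosts.update((r["landing_host"], r["ad_host"]))
    return [f"127.0.0.1 {h}" for h in sorted(hosts)]

if __name__ == "__main__":
    for pair in CHAINS:
        print(analyse(*pair))
    print("\n".join(hosts_entries(CHAINS)))
```

Both chains carry the same lid value in the landing path and in the click URL, while aid and affid differ per product.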


Another exploit on the site is “vevdqimkcm(dot)info” (Trojan.PWS.Tanspy) which is already included in the HOSTS file, so a word to the wise … stay far away from these Warez-type sites!


You know, I’m often asked why I block these ad servers … “you may be blocking revenue from that site” … well, as you can see, a huge majority of these ad servers are involved in very questionable tactics.


