Author Topic: AOL Radio REALLY infected?  (Read 4959 times)

fidmas

  • Guest
AOL Radio REALLY infected?
« on: December 20, 2011, 10:25:50 PM »
My wife hasn't been able to use the new http://aolradio.slacker.com/ player for the past week, without at least 4 WebShield alerts an hour.  Anyone know if maybe their ads are REALLY that sleazy?

Offline Sirmer

  • Avast team
  • Sr. Member
  • Posts: 324
Re: AOL Radio REALLY infected?
« Reply #1 on: December 21, 2011, 10:06:00 AM »
Hello,
it will be fixed in the next virus definition update ( 1 ).

fidmas

  • Guest
Re: AOL Radio REALLY infected?
« Reply #2 on: December 21, 2011, 11:10:52 PM »
Looks good so far.

fidmas

  • Guest
Re: AOL Radio REALLY infected?
« Reply #3 on: December 25, 2011, 12:43:45 AM »
I need to take that back!!  AOL Radio just infected me with "XP Antivirals 2012" and stopped the machine cold by directing ALL .EXES TO %Temp%\lbu.exe

I needed Safe Mode and Unlocker http://www.emptyloop.com/unlocker/ to delete lbu.exe, and a command box to run Malwarebytes from mbam.exe.

This one is nasty!

Go ahead and block that site.  Too bad. :-(

scottls

  • Guest
Re: AOL Radio REALLY infected?
« Reply #4 on: December 25, 2011, 04:34:13 AM »
I learned the hard way that once you install AOL "anything..." on your computer, it is almost impossible to get it "completely" off (Free Revo Advanced uninstall in Safe Mode worked best for me).

fidmas

  • Guest
Re: AOL Radio REALLY infected?
« Reply #5 on: December 25, 2011, 05:22:34 AM »
> I learned the hard way that once you install AOL "anything..." on your computer, it is almost impossible to get it "completely" off (Free Revo Advanced uninstall in Safe Mode worked best for me).

Didn't install anything.  Just went to the player URL.  After playing an hour, the music stopped.  I looked at the screen and avast was prompting me to run an exe, from the %TEMP% folder, in the sandbox.  Of course it was already too late.

Unlocker and Malwarebytes seem to have done the trick.   But, the ads on that site ARE infections.

fidmas

  • Guest
Re: AOL Radio REALLY infected?
« Reply #6 on: December 27, 2011, 03:32:40 PM »
Update:  It's not so much the "AOL Radio."  It's the hundreds of ads they give you.  This https://blog.avast.com/2010/02/18/ads-poisoning-–-jsprontexi/ is what got me.  The night before, I got an unsolicited pop-up complaining about a "Bad PDF format".  That's what installed the worm.

Since there's no way to get IE to ask before downloading PDFs, the only defence against this is to install "Foxit" as your PDF reader and set it to not open PDF files in the browser.  Now, the browser asks what to do before it downloads "application/pdf" MIME types (just like other types).  If you're surprised by such a request, you know it's malicious and [Cancel].

Hope this saves someone.

Offline Pondus

  • Probably Bot
  • Posts: 37527
  • Not a avast user
Re: AOL Radio REALLY infected?
« Reply #7 on: December 27, 2011, 03:40:41 PM »

fidmas

  • Guest
Re: AOL Radio REALLY infected?
« Reply #8 on: December 27, 2011, 04:13:23 PM »
> urlQuery - Suspicious  http://urlquery.net/report.php?id=13566

I see.  I'm not quite sure how to interpret the "Suspicious", when I see 0 alerts.  Of course, I understand it's the ads, not the site itself, that makes it dangerous.  Can I contribute to their analysis in any way?

Offline Pondus

  • Probably Bot
  • Posts: 37527
  • Not a avast user
Re: AOL Radio REALLY infected?
« Reply #9 on: December 27, 2011, 04:20:43 PM »
Well, it is a reputation scan... but where they collect that info I do not know!

I also tried to scan it at URLVoid.com, but it seems to never stop scanning?