February 20, 2005

Curious George: Curse of Lolo... I was on Google last night looking for more info on Lolo Ferrari, clicked on a link to a site, saw a split-second glimpe of a plain white background with 30 typed ones in the top left-hand corner, like this; 111111111111111111111111111111

and then there was a bwoop sounding noise (like you get when you shut the whole computer down) and my screen went black. I thought it had actually shut my computer off until the 'you've shut Windows down improperly so now we have to do a disk check before we can restart' screen appeared. It restarts, then I get the "The system has recovered from a serious error" message in that Microsoft Windows pop-up that asks if you want to send an error report. One of my security apps pops up wanting to know if I want to allow a new start-up app; %systemroot%\system32\dumprep 0 -k which I refuse. Then I realise it's dumped both my IE and Firefox sidebar histories and ditched and relaunched my Stickies app, so all the old stickies are gone. I know this much detail because I clicked on the link again to see if it had been a coincidence (plus, whatever damage was done was done) and to print out what details I could, and it did exactly the same thing. Scans by Ad-aware and Search and Destroy turned up nothing but a generic data miner tracking cookie, and a Panda virus scan found nothing. My computer seems to be running normally at this point. What the hell was that? Sorry for the long post, but without supplying detail, this question would be useless. I have the exact link to the site, if anybody wants to try it. Creepily enough, the header for it is 'Hitler Returns to the Heart of Berlin'.

posted by moneyjane 19 years ago
  • The curse lingers...I had to do a system restore before this would post to Monkeyfilter because it kept timing out. Really hope this FPP doesn't post three times or something :(
  • How 'bout posting the url so the technoid monkeys can take a look at it? It might be best to not include an actual link. :-)
  • Was there any load period before you saw the site (relative to your connection speed, obviously)? As in, might it have had time to send you something other than a simple webpage (though, if you have broadband, I suppose such distinctions might be impossible to tell)? Also, which browser were you using, IE or FF? Not asking out of any expertise, it was just one thing you didn't mention in your post, which I guess would make the difference between "the website which crashes Windows by itself" and "the Website which sends you a file which crashes Windows". From what you say, it sounds more like the latter, but... um, anybody else wanna step in here?
  • I don't know what the site you visited did, but dumprep.exe is the Microsoft dump reporter. It's the program that sends the report of what happened to Seattle. However, something has definitely happened to your computer. Assuming you have a virus checker already, install all the spyware checkers you can, run them, and do what they tell you to do. Spyware checkers I use: Spybot-S&D SpywareBlaster Ad-Aware Then install Webwasher Classic and use it in future with full protection turned on when visiting dodgy sites.
  • Ignore my previous comment. Fuyugare found the url, and I downloaded it onto my hardened test system. It's a well-known kernel exploit triggered by a deliberately faulty animated cursor file contained in the site's css. Visiting a site that contains the exploit does completely kill a current XP2 installation running Internet Explorer, requiring a reboot. If anyone cares to do more research, Googling for "kernelblue.ani" will find you some links. IF YOU DO NOT KNOW WHAT YOU ARE DOING, DO NOT CLICK ON ANY OF THEM! Full details of the exploit here. (This is an explanation, not the exploit, and is a safe link.)
  • I'll echo the IE or FF question; it'd be helpful to know which of those you were running. Also, if you could please post which version of your browser you were using (should be able to go to Help >> About this program to get this). Do you have the url for this site handy? I'd love to have a look. As someone mentioned in the previous thread, AVG also offers a free antivirus program you can use, although if Ad-Aware and Panda gave you a clean bill of health, it probably didn't manage to install anything too malicious.
  • Ah, heh, hicinbaby beat me to the whole story... oops.
  • This is the link as it appeared in Google, with the layout slightly different because of how Monkeyfilter lays out posts. Needless to say, DO NOT CLICK ON THE SITE unless you know what you're doing. Hitler Returns to the Heart of Berlin ..."Lolo Ferrari was in Cyprus before we got her, " said Vollstaedt...I guess not, if you only look at the end results...I think loser is a bit harsh But I have to admit... gnr.dyndns.org/yabbse/index. php?board=8;action=display;threadid=11084 - 101k - Supplemental Result
  • Yay! I'm not crazy! It was the weirdest thing I've come upon yet in Internetville. I was using Firefox 1.0, Windows XP Home. And, thank God, I've got AVG, Spybot S&D, Spyware Blaster and Ad-Aware as well, so it appears, after a restore, as though I escaped unscathed. Thank you!
  • Correction - Google is my homepage for IE, so I was using IE. Won't be doing that anymore.
  • Also just realised I still screwed up on the 2 posts rule. Sorry about that.
  • I don't think it's a problem, moneyjane. You had a pretty bad and urgent problem. Not like you were linking Chuck Norris or anything.*grin* Glad that you found some help and I'm sorry I couldn't provide you with any.
  • Hope your machine's recovered--the Lolo Ferrari story was a very good post. As an aside, I like pretty much all your posts.
  • speaking of exploits, has anyone else noticed that someone's figured out how to trigger popups in FF?
  • Yeah, I noticed that. Well, one only one website so far, actually - Snopes. FF is still blocking popups everywhere else I've been. Has it happened to you on more than one site?
  • ...on only one website...
  • I've been getting them on a couple of sites. I think E!Online, and somewhere else I was doing dissertation research. (Honest! I love my job)
  • The other site was TV Tome. I'm also running the google toolbar with popup blocker. That's one tough popup.
  • a Alas,More monkey talk!
  • You can stop the newer form of popups by turning javascript off in the preferences/options. It won't stop java applets, just that crappy java script nonsense bad webdev's use for menu's 'n stuff like that. I turned if off yonks ago and I haven't come a cross a site that doesn't work for me. drudgereport.com use the javascripts function to bring up a pop up when you click on a story link. also, adblock is your friend.
  • Free Surfer Mk II I've been running it for two years and it works like a charm.
  • Just my two cents on browsing: Run a local proxy like AdSubtract, Webwasher, Proxomitron, Junkbuster, etc. Other than google text ads, I haven't seen a pop-up or banner for several years. Also works with either IE or FF or any http traffic. It always blows my mind how bad the web sucks in it's native format when browsing on someone elses computer.
  • I've been seeing a few pop-unders in Firefox lately as well. Drudge is one example. If you have the Adblock extension installed, updating your Adblock filters may help.
  • Slashdot just had a story about the new crop of pop-unders that are plaguing FF (and Safari) users. A fix that was suggested in the comments (and which seems to have worked for me so far) is to do the following in FF: 1. Go to Tools->Options 2. Click "Web Features" 3. Beside the "Enble Javascript" option click "Advanced" 4. uncheck the top three items I haven't had any more pop-unders since making this change.