itxt.vibrantmedia info? 'shrinking' hosts file info?

[|3iff //ullins]

hey, something pretty strange happened to one of my pc's today and i
can sure use any help/info that i can get...

first of all, i try to be pretty good about "battening down the
hatches" security-wise, and i always use a good, beefed-up hosts file.
one of the entries i have in the hosts file is:
127.0.0.1 sitefinder.verisign.com

however, i noticed late yesterday that sitefinder was getting through
again. i went to check the hosts file, and the entry for that *plus
alot of other stuff had disappeared from the hosts file and that its
size had gone from about 150k down to 34k. i have absolutely no idea
why.

anyhoo, today when reading a story on the neowin site, i noticed that
a few static words on the page had strange links associated with them,
and when i'd roll over them with my mouse, a yellow popup ad would
appear. after a small bit of research i was able to see they were
associated with some "itxt.vibrantmedia" site. i'm assuming this is
very much like ezula top text?

i did some googling and didn't find much. i ran both adaware and
spybot, but neither of them found a thing. i decided to try
downloading another hosts file, and it seems to be working properly
again now, as both sitefinder and itxt.vibrantmedia are blocked and
those strange links on the neowin page i saw them on earlier have
disappeared.

so, does anyone know if i still need to worry about 'uninstalling'
that vibrantmedia shiz-nit at this point even though it now seems to
be blocked by my hosts?

also, has anyone ever heard of their hosts file 'shrinking' the way
i've described at the begining of this post? i don't want that
happening again...

thanks.

--
"enjoy every sandwich."
-warren zevon

[Robin T Cox]

"|3iff //ullins" <biff.mullins3@3premeditatedfun.com> wrote in
news:3379nv4t0v4a3f4dekcs9toj03uf6cjd0m@4ax.com:

> i went to check the hosts file, and the entry for that *plus
> alot of other stuff had disappeared from the hosts file and that its
> size had gone from about 150k down to 34k. i have absolutely no idea
> why.
>

CWS Hijacker is one of the parasites that attacks the hosts file:
http://www.spywareinfo.com/articles/cws/

As such, I'd recommend that you use CWShredder a.s.a.p.

[|3iff //ullins]

Blick auf wie gut Robin T Cox <robin2803@hotmail.com> goh, a hundert
LKWAS in einer Reihe geht, einige mit Kühen und einige mit Enten on
Sat, 27 Sep 2003 10:41:56 GMT:

>"|3iff //ullins" <biff.mullins3@3premeditatedfun.com> wrote in
>news:3379nv4t0v4a3f4dekcs9toj03uf6cjd0m@4ax.com :
>
>> i went to check the hosts file, and the entry for that *plus
>> alot of other stuff had disappeared from the hosts file and that its
>> size had gone from about 150k down to 34k. i have absolutely no idea
>> why.
>>
>
>CWS Hijacker is one of the parasites that attacks the hosts file:
>http://www.spywareinfo.com/articles/cws/
>
>As such, I'd recommend that you use CWShredder a.s.a.p.
>
thanks. i did, but it came up with nothing. i've already run adaware
and spybot too. can you think of something else i might want to try
out?

[jayjwa]

|3iff //ullins wrote:
i noticed that
> a few static words on the page had strange links associated with them,
> and when i'd roll over them with my mouse, a yellow popup ad would
> appear. after a small bit of research i was able to see they were
> associated with some "itxt.vibrantmedia" site. i'm assuming this is
> very much like ezula top text?
>

From their website:

IntelliTXTSM

Vibrant Media's patent-pending IntelliTXTSM technology creates
commercial text links from keywords appearing within pages of online
content.

These unobtrusive and relevant links provide the reader with further
product information while offering the publisher alternative revenue
streams.

Our proprietary technology automates the analysis and categorization of
content, identifies the most appropriate marketing message to deliver,
and dynamically serves advertising messages to the right user at the
right time.


I'd say it's exactly like Ezula!

--
--------------nonoffensive sig.v1.2RC1------------------------
- jayjwa 4 Spammers: mailto: listme@listme.dsbl.org
The New Atr2. PGP/GPG Keys onsite

==Atr2.Ath.Cx: Linux Tough, Powered by Slackware.=============

[|3iff //ullins]

lucat bene, der jayjwa <jayjwa@hotspam.microsoftsux.suk> goh, a
hunnert truxx inero, sumwit kowz n' sumwit duxx on Sat, 27 Sep 2003
13:56:33 +0000:

>
>
>|3iff //ullins wrote:
> i noticed that
>> a few static words on the page had strange links associated with them,
>> and when i'd roll over them with my mouse, a yellow popup ad would
>> appear. after a small bit of research i was able to see they were
>> associated with some "itxt.vibrantmedia" site. i'm assuming this is
>> very much like ezula top text?
>>
>
> From their website:
>
>IntelliTXTSM
>
>Vibrant Media's patent-pending IntelliTXTSM technology creates
>commercial text links from keywords appearing within pages of online
>content.
>
>These unobtrusive and relevant links provide the reader with further
>product information while offering the publisher alternative revenue
>streams.
>
based on this, i am led to believe that the site's webmaster had
installed code for this in the page, rather than it being an
infection/trojan on my system?...

>Our proprietary technology automates the analysis and categorization of
>content, identifies the most appropriate marketing message to deliver,
>and dynamically serves advertising messages to the right user at the
>right time.
>
>
>I'd say it's exactly like Ezula!
>
yeah, me too. ya know, linux is sounding pretty damn good about now.

[|3iff //ullins]

Blick auf wie gut jayjwa <jayjwa@hotspam.microsoftsux.suk> goh, a
hundert LKWAS in einer Reihe geht, einige mit Kühen und einige mit
Enten on Sat, 27 Sep 2003 13:56:33 +0000:

>
>
>|3iff //ullins wrote:
> i noticed that
>> a few static words on the page had strange links associated with them,
>> and when i'd roll over them with my mouse, a yellow popup ad would
>> appear. after a small bit of research i was able to see they were
>> associated with some "itxt.vibrantmedia" site. i'm assuming this is
>> very much like ezula top text?
>>
>
> From their website:
>
>IntelliTXTSM
>
>Vibrant Media's patent-pending IntelliTXTSM technology creates
>commercial text links from keywords appearing within pages of online
>content.
>
>These unobtrusive and relevant links provide the reader with further
>product information while offering the publisher alternative revenue
>streams.
>
>Our proprietary technology automates the analysis and categorization of
>content, identifies the most appropriate marketing message to deliver,
>and dynamically serves advertising messages to the right user at the
>right time.
>
>
>I'd say it's exactly like Ezula!
>
from what i can tell, it *is encoded into the webpage's html code! can
someone else try viewing the code of this page and let me know if they
see the code too? please go to:
http://makeashorterlink.com/?K4B023806

view the source, then do a search for "Vibrant Media". its at the
bottom of neowin's article pages. (oddly enough, right below the link
to their privacy policy, which doesn't mention this crap at all...)

if neowin has decided to subject their visitors to this kind of crap,
i feel the visitor should at least know about it...

[sponge]

On Fri, 26 Sep 2003 20:20:41 GMT, "|3iff //ullins"
<biff.mullins3@3premeditatedfun.com> wrote:

>hey, something pretty strange happened to one of my pc's today and i
>can sure use any help/info that i can get...
>
>first of all, i try to be pretty good about "battening down the
>hatches" security-wise, and i always use a good, beefed-up hosts
file.
>one of the entries i have in the hosts file is:
>127.0.0.1 sitefinder.verisign.com

It's funny you mentioned this, because only about half an hour before
this I had noticed them for the first time in my hardware firewall
logs.
They supposedly are a B2B advertising service -- mainly IT right now
-- which supposedly has some keyword-harvesting features. My guess is
they use some sort of script, but I can't tell yet what kind or if
it's IE specific. They seem to be tied to an advertising service
called gotoast.com.
I checked the link and it contacted itxt.vibrantmedia.com, but I have
no idea what it returned; it doesn't look like executable code, nor a
script.
Either way, they are worthy of blocking:
HOSTS:
127.0.0.1 www.gotoast.com
127.0.0.1 www.vibrantmedia.com
127.0.0.1 itxt.vibrantmedia.com

DNSKong:
gotoast
vibrantmedia

Firewall: Network Mask
GoToast 66.7.128.0 255.255.255.0
VibrantMedia 213.86.59.0 255.255.255.240
VibrantMedia 63.211.210.221 255.255.255.255 (or, single IP)

Sponge
Sponge's Anti-Spyware Source
www.geocities.com/yosponge