www.replacementdocs.com, THREAT SITE! (http://www.abandonia.com/vbullet/showthread.php?t=27179)

Xhumed 06-06-2011 04:19 PM

www.replacementdocs.com, THREAT SITE!
 
I've not been here for a while so this might have already been posted (I had a quick search but didn't find anything), but when I recently went to the popular replacementdocs.com the damn site managed to install an exploit on one of my PCs. This exploit kit makes a mess of many Windows applications, like Windows Update, which it prevents from working, and it also stopped my antivirus updating and some other programs from working correctly. Comodo antivirus/firewall suite with real-time scanning didn't stop it :lynch: but found and removed most of it when I ran a scan (bit late now!), but the programs still didn't work correctly, and after spending a while trying to fix everything I gave up and used a backup image file to rebuild the entire drive.

I was as usual curious as to what had happened and what this exploit was, so I used a spare expendable HDD, loaded AVG LinkScanner and revisited replacementdocs.com. If you're not familiar with AVG LinkScanner, it checks websites you search for with Google and reports if they are safe sites etc. This is a free AVG plugin for Firefox and you don't need to be using any AVG products to use it.
Now, the annoying thing is that AVG LinkScanner does not initially report the site as dangerous, but as soon as you go to the site it freaks and reports that it has blocked the site from trying to send a Blackhole exploit kit. That's great if you have the LinkScanner, but if you don't have it your antivirus might not stop it, so you might want to give the site a miss :nono:

Eagle of Fire 06-06-2011 05:08 PM

And how does it install that? You need to download something, or is it in the ads?

There are very often such exploits in ads, and sites which use a third-party company to cycle ads on their sites often have such problems even though they really have no way to prevent it.

Xhumed 06-06-2011 06:32 PM

Quote:

Originally Posted by Eagle of Fire (Post 428351)
And how does it install that? You need to download something, or is it in the ads?

There are very often such exploits in ads, and sites which use a third-party company to cycle ads on their sites often have such problems even though they really have no way to prevent it.

Hi, I'm not sure how it installs the Blackhole exploit kit; once AVG LinkScanner had identified it and blocked it I didn't proceed any further. I didn't click on anything, but as AVG had identified it I assumed it would infect if I just visited the site?

http://www.fazerfetish.eclipse.co.uk...20exploit2.jpg

Japo 06-06-2011 08:30 PM

The site has probably been hijacked by a third party, unless they suddenly turned evil. I once witnessed PhotoBucket.com being hijacked and spreading a virus; they admitted it outright via email and all.

If you want to test it, besides all that software that doesn't protect you in the end, the first thing you must do is NOT surf with an admin account, or enable UAC, for God's sake. Nothing would have happened, even if you had no antivirus.

Dave 06-06-2011 08:45 PM

I've disabled the link we have on the main page just to be sure.
Please keep me updated and, if possible, contact the administrator of the site and report to him what you have experienced.

Eagle of Fire 06-06-2011 10:35 PM

If it is like I think and you want real protection, go get SpywareBlaster.

It doesn't stop threats from developing on your computer; it prevents you from accessing them. Ultimate protection (as long as you keep the list up to date).

Professor Oak 06-06-2011 10:54 PM

The website looks like it is running phpNuke, which is notable for being easy to compromise.

Smiling Spectre 07-06-2011 04:38 AM

I noticed this exploit last week and sent a letter to the admin. No answer was received, and the site is still infected.

It tries to execute [somerandomname].pdf, on most pages (but the site could have the same ads on every page, so it doesn't matter). As my Opera has all such autoruns disabled, it simply offers to download it for me. When I downloaded it, yes, my scanner immediately said "it is a virus!" So I, personally, simply denied the download every time after that. :)

Update: Checked it right now. The "auto-pdf" is gone. But no explanations have been posted. As I installed a new update of Opera, it may simply be a false negative. Can anyone check it too?

Xhumed 11-06-2011 11:11 AM

It looks like the problem has been sorted; this update is on the site and AVG LinkScanner no longer blocks the site.

"Wow, those hackers have been busy these past few weeks. I kept removing the malware and they kept putting it back because I didn't have the time to really fix the vulnerability that allowed them to put the malware on the site in the first place.

So, I just had to sit down and really take the time to fix it right. It took most of the day, but it's done. And I'm pretty sure that will mark the end of the hacking and malware.

I gave everything a good once over to make sure the key features are still operational, but as always, if you notice anything weird, let me know. Thanks!
Read/Post Comment: 0 | by sleepy on Friday 10 June 2011"

Japo 11-06-2011 11:37 AM

Yes, we have been in contact with the owner of replacementdocs.com. Initially he removed the malware but it kept coming back, until he fixed the vulnerability. Now he's reasonably sure that it's over.
