Search Amazon.com:
Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us $3,400 per month for bandwidth bills alone, and since we don't believe in shoving popup ads to our registered users, we try to make the money back through forum registrations.
«93 »
  • Post
  • Reply
Otacon
Aug 13, 2002



Hillridge posted:

Something weird is still going on here.

I just did a google search for Scene It: Box Office Smash

I clicked the first link, which should be this:
http://www.xbox.com/en-US/games/s/sceneitbos

Instead it took me to here:

http://www.shopica.com/search.php?q=office


I hit back and clicked it again and it went to the right site. I did a scan in safemode using malwarebytes a day ago and it found nothing. Should I just throw some more programs at it and see what turns up?

Take a travel to C:\windows\system32\drivers\etc, and open the HOSTS file in notepad. See if there's anything in there, other than the default which would be:
code:
127.0.0.1       localhost
Sometimes, a virus will rewrite things in this file. This is always the first thing I check when I have anything to do with sitejacking.

EDIT: You might need to check permissions on HOSTS, sometimes it is write protected. If there's anything in there in addition to localhost, delete those lines, save, and write protect the file.

Adbot
ADBOT LOVES YOU

Scott808
Jul 11, 2001


Regarding XP Antivirus 2009 and its variants, I ran into this by accident this weekend.

If you do a Google search for salon808, the first result should be for www.salon808.com . However, clicking this link, which in the status bar is shown as http://www.salon808.com , leads to http://antivirusonlinescanner.com/360/1/en/_freescan.php .

This, to me, is the strangest part. If I look at the Google cache of the Salon 808 page, it shows a legit page, and typing www.salon808.com into the address bar manually leads to the legit page, but clicking the Google search result will lead to the antivirusonlinescanner.com page every time. If I type in the URL manually and get to the legit page, then clicking the Google search result link will also go to the legit page. How does it do this; where along the line is the hijack happening? The results are consistent across 3 machines, and all 3 machines are clean to the best of my knowledge.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma


It sounds like a browser hijacker. Try scanning it with SUPERAntiSpyware. The only reason I say that is because I'm seeing similar symptoms on a machine I'm working on at this very moment. One of our managers will use his laptop for about five minutes after logging on to the domain, then it will lose network connectivity. It doesn't matter if it's wired or wireless, just drops all network connections. HOSTS file is clean, Malwarebytes came up clean. ComboFix might have done something but the system was still showing the same symptoms. I'm scanning it with SUPERAntiSpyware right now and it's telling me it found 12 items of "Browser Hijacker.Internet Explorer Zone Hijack" and 53 "Adware.Tracking cookies". Probably just end up formatting it in the end.

Looks like some kind of adware/spyware called atdmt.com. Research seems to indicate it's nasty poo poo. It apparently made a bunch of registry entries at the very least.

GREAT BOOK OF DICK fucked around with this message at Dec 23, 2008 around 00:27

thelightguy
Feb 6, 2007

Well there's your problem.


Um, atdmt.com is an advertising company, like in page banner ads, not adware/malware. Unless you're one of the paranoid people who don't like tracking cookies.

thelightguy fucked around with this message at Dec 23, 2008 around 00:55

TheWevel
Apr 14, 2002
Send Help; Trapped in Stupid Factory

Scott808 posted:

Regarding XP Antivirus 2009 and its variants, I ran into this by accident this weekend.

If you do a Google search for salon808, the first result should be for http://www.salon808.com . However, clicking this link, which in the status bar is shown as http://www.salon808.com , leads to http://antivirusonlinescanner.com/3...n/_freescan.php .

This, to me, is the strangest part. If I look at the Google cache of the Salon 808 page, it shows a legit page, and typing http://www.salon808.com into the address bar manually leads to the legit page, but clicking the Google search result will lead to the antivirusonlinescanner.com page every time. If I type in the URL manually and get to the legit page, then clicking the Google search result link will also go to the legit page. How does it do this; where along the line is the hijack happening? The results are consistent across 3 machines, and all 3 machines are clean to the best of my knowledge.

Yeah that's weird, I'm on a completely clean machine and got the same result.

fishmech
Jul 16, 2006

I see a ship in the harbor
I can and shall obey
But if it wasn't for your misfortune
I'd be a heavenly person today


TheWevel posted:

Yeah that's weird, I'm on a completely clean machine and got the same result.

I believe their web server has been hijacked, and depending on the referrer information it will redirect you to the malware site. I know I've read of this elsewhere.

Hillridge
Aug 3, 2004

WWheeeeeee!

Just so I don't inadvertently infect myself with something, this is the correct download link for SUPERAntiSpyware right?

http://www.superantispyware.com/dow...ANTISPYWAREFREE

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma


thelightguy posted:

Um, atdmt.com is an advertising company, like in page banner ads, not adware/malware. Unless you're one of the paranoid people who don't like tracking cookies.

They were 12 REGISTRY entries from atdmt.com, not cookies. Even after removing them it still loses network connectivity so I'm sure there's still something somewhere.

Mr. Nice!
Oct 13, 2005

I'd fuck on the first date but truckers usually just want their salads tossed

Also



That's crazy to see a site hijacked like that.

I'm so glad I don't have to fix these things with any frequency anymore.

Scott808
Jul 11, 2001


I've been messing around with that antivirusonlinescanner.com page, and it seems the installer that you get prompted to download/run on the page is detected by almost no virus scanners according to Virus Total. I think MS and 2 McAfee variants picked it up as something, but we have McAfee Enterprise 8.5 fully updated here, and it doesn't detect anything in the installer. Personally, I use Antivir and it also doesn't pick up the installer as anything nasty.

Malwarebytes' Anti-Malware lets you run the installer executable, but once it downloads and tries to run its payload Malwarebytes' will catch it (tries to run av360.exe) and give you the option to terminate it. This seems to work and the machine seems to have no lasting ill effects.

Elected by Dogs
Apr 20, 2006


GREAT BOOK OF DICK posted:

They were 12 REGISTRY entries from atdmt.com, not cookies. Even after removing them it still loses network connectivity so I'm sure there's still something somewhere.
is probably like them trying to make moneys off hacked computers (like install adware ,etc )

Carecat
Apr 27, 2004



Hillridge posted:

Just so I don't inadvertently infect myself with something, this is the correct download link for SUPERAntiSpyware right?

http://www.superantispyware.com/dow...ANTISPYWAREFREE

I just got it from zdnet's download.com, seems the safest way to find most things.

brc64
Mar 21, 2008

I wear my sunglasses at night.

I was onsite yesterday trying to figure out wtf was wrong with this Windows Server, and to kill time while it was updating (completely unpatched server, awesome), I decided to check Windows Update on a few of the PCs. I noticed that on this one Win2k box, Windows Update wouldn't load. Because the browser was so slow, I say it attempting to open 127.0.0.1.

Let me tell you, that HOSTS file was great. It was no only blocking Windows Update and a variety of Microsoft download servers, but it also had a pretty comprehensive list of different antivirus update servers as well. So I fixed the HOSTS file and since they don't have any local antivirus software () I loaded up Housecall to see what came up.

I think the final count was somewhere around 4500 infections found. Most of them appeared to be hidden various places around the PC. I suspect that the doctor was probably responsible for the initial infection, but I kind of doubt he's smart enough to have a huge cache of installers and keygens hidden deep within his user profile. I suspect the bulk of that was due to one or more of the infections.

It always fills me with warm fuzzies when I come across crap like this in a medical environment. I'm glad my confidential patient information is in safe hands.

Edit: here's a blurry pic of the scan in progress (sorry, my cell phone camera doesn't have a macro mode)

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.

brc64 posted:

I was onsite yesterday trying to figure out wtf was wrong with this Windows Server, and to kill time while it was updating (completely unpatched server, awesome), I decided to check Windows Update on a few of the PCs. I noticed that on this one Win2k box, Windows Update wouldn't load. Because the browser was so slow, I say it attempting to open 127.0.0.1.

Let me tell you, that HOSTS file was great. It was no only blocking Windows Update and a variety of Microsoft download servers, but it also had a pretty comprehensive list of different antivirus update servers as well. So I fixed the HOSTS file and since they don't have any local antivirus software () I loaded up Housecall to see what came up.

I think the final count was somewhere around 4500 infections found. Most of them appeared to be hidden various places around the PC. I suspect that the doctor was probably responsible for the initial infection, but I kind of doubt he's smart enough to have a huge cache of installers and keygens hidden deep within his user profile. I suspect the bulk of that was due to one or more of the infections.

It always fills me with warm fuzzies when I come across crap like this in a medical environment. I'm glad my confidential patient information is in safe hands.

Edit: here's a blurry pic of the scan in progress (sorry, my cell phone camera doesn't have a macro mode)


I'm sure I don't need to tell you that disinfecting a win2k machine is a waste of your time. It's just going to get reinfected the very next time it touches the internet. You should recommend that he upgrade his machines to XP, there is absolutely no reason not to at this point.

brc64
Mar 21, 2008

I wear my sunglasses at night.

abominable fricke posted:

I'm sure I don't need to tell you that disinfecting a win2k machine is a waste of your time. It's just going to get reinfected the very next time it touches the internet. You should recommend that he upgrade his machines to XP, there is absolutely no reason not to at this point.
All of the Win2k machines are going to be replaced in the near future, yes. I'm amazed they actually had a 2k3 server.

By the way, Housecall locked up on that machine trying to disinfect LONGHORN BETA LEAKED.EXE

Hillridge
Aug 3, 2004

WWheeeeeee!

webcomics thread posted:

I just got it from zdnet's download.com, seems the safest way to find most things.

I ran it and found a bunch of cookies, but not much else. It's mildly annoying in that it sets itself to run at startup though.


Oh, my hosts file was normal btw.

I haven't had the problem yet today, so I'm going to keep my fingers crossed and hope I'm clean.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma


brc64 posted:

I was onsite yesterday trying to figure out wtf was wrong with this Windows Server, and to kill time while it was updating (completely unpatched server, awesome), I decided to check Windows Update on a few of the PCs. I noticed that on this one Win2k box, Windows Update wouldn't load. Because the browser was so slow, I say it attempting to open 127.0.0.1.

Let me tell you, that HOSTS file was great. It was no only blocking Windows Update and a variety of Microsoft download servers, but it also had a pretty comprehensive list of different antivirus update servers as well. So I fixed the HOSTS file and since they don't have any local antivirus software () I loaded up Housecall to see what came up.

I think the final count was somewhere around 4500 infections found. Most of them appeared to be hidden various places around the PC. I suspect that the doctor was probably responsible for the initial infection, but I kind of doubt he's smart enough to have a huge cache of installers and keygens hidden deep within his user profile. I suspect the bulk of that was due to one or more of the infections.

It always fills me with warm fuzzies when I come across crap like this in a medical environment. I'm glad my confidential patient information is in safe hands.

poo poo like this worries me every time I go to my doctor and see his laptop sitting on the counter, unlocked, with an RDP session into a Windows 2003 server. Granted, he does have NOD32 running on the server. Can't miss the icon when you're a few feet from the screen.

Toshi
Oct 14, 2005


I'm having major trouble with Trojan.bho , I've run malwarebytes and superantispyware, vundofix, combofix and they all catch it and say it's been removed. After a restart and rescan it's back. Short of wiping this install anyone else have an idea? Seems to be coming from my registry.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma


Toshi posted:

I'm having major trouble with Trojan.bho , I've run malwarebytes and superantispyware, vundofix, combofix and they all catch it and say it's been removed. After a restart and rescan it's back. Short of wiping this install anyone else have an idea? Seems to be coming from my registry.

The virus itself is probably still hiding on your system somewhere. You could try http://housecall.trendmicro.com/ and run their online virus scan there to see if it finds anything. If that doesn't work, there are other online virus scanners available from other companies. Just have to do a Google search because I'm not sure who else has one aside from ESET and Kaspersky.

ab0z
Jun 28, 2008

by angerbotSD


Toshi posted:

I'm having major trouble with Trojan.bho , I've run malwarebytes and superantispyware, vundofix, combofix and they all catch it and say it's been removed. After a restart and rescan it's back. Short of wiping this install anyone else have an idea? Seems to be coming from my registry.

I would post about it in the tech support forum.
You probably need to delete some DLL files or registry entries using recovery console or a live CD.

Deutsch Nozzle
Mar 29, 2008

#1 Macklemore fan


Capnbigboobies posted:

Once you disable the stupid popup antivir is a great antivirus.

Sorry for quoting something from the front page, but I've always hated that popup, how do you disable it?

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma


sov68n posted:

Sorry for quoting something from the front page, but I've always hated that popup, how do you disable it?

Here.

Aunt Beth
Feb 23, 2006

Baby, you're ready!

What is everyone's opinion of Windows Defender? As more of the machines that I work on are being either built with/for or redeployed with Vista, Windows Defender is built right in as a Microsoft-managed antimalware tool. Is it worth its salt, or should I use it in tandem with something like Malwarebytes' products?

Or option 3: Ignore it entirely and trust exclusively some third-party application?

Phenwah
Feb 3, 2003



My dad caught the PrivacyProtector virus. I don't know its official name, but it's the kind that bundles itself with an unlicensed anti-spyware trial software, ravages your system, and creates fake Windows alert balloons from your tray telling you that you have an infection. I can't remember whether it uses HOSTS redirection or a keylogger, but the fake Windows error messages tell you to purchase the anti-spyware software license over the web, so clearly that's a very bad idea.

My solution was to flatten and reinstall. I assume a computer's pretty much hosed when it boots up to this:



EDIT: It was SmitFraud, or some variation of it.

Phenwah fucked around with this message at Dec 23, 2008 around 19:24

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Footboy posted:



That is a much, much cooler graphic and snazzier UI than most virus writers would take the time to put into their product. On the other hand, that more or less screams that it is absolutely not related to Windows, which is the opposite tack that the successful ones are taking these days.

EVGA Longoria
Dec 25, 2005

Let's go exploring!


Midelne posted:

That is a much, much cooler graphic and snazzier UI than most virus writers would take the time to put into their product. On the other hand, that more or less screams that it is absolutely not related to Windows, which is the opposite tack that the successful ones are taking these days.

Pretty sure 90% of people can't tell the difference anyway.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

I learned as a result of reading through the Microsoft Malware Protection Center's recent entries and Googling one term I didn't recognize that you absolutely should not Google SPTH and click any of the top couple of links that look like they might answer your question as to what the hell SPTH refers to. No really, don't, there are a shitload of hostile links.

I guess if you've got an isolated VM and a virus scanner you want to test out it might be worth a laugh, but I'm running latest-build Firefox 3 and McAfee still logged at least one infection with a name I've never seen.

Luigi Thirty
Apr 30, 2006

Emergency confection port.


hyperborean posted:





Actually, this just showed up on my brother's computer. What's the best tool suite for knocking this out?

FloorMatt
Jul 24, 2007



Luigi Thirty posted:

Actually, this just showed up on my brother's computer. What's the best tool suite for knocking this out?

Superantispyware will probably take care of it.

http://www.superantispyware.com

Luigi Thirty
Apr 30, 2006

Emergency confection port.


FloorMatt posted:

Superantispyware will probably take care of it.

http://www.superantispyware.com

Thanks. On top of that, AVG is barfing alerts (he said he never thought it was important) he's got popups every 30 seconds, Firefox won't start, and he hasn't had automatic updates turned on since 2006. I hope I can get rid of this poo poo

FloorMatt
Jul 24, 2007



Luigi Thirty posted:

Thanks. On top of that, AVG is barfing alerts (he said he never thought it was important) he's got popups every 30 seconds, Firefox won't start, and he hasn't had automatic updates turned on since 2006. I hope I can get rid of this poo poo

Uninstall AVG and install Avira AntiVir. It's free and much better than AVG.

Luigi Thirty
Apr 30, 2006

Emergency confection port.


FloorMatt posted:

Uninstall AVG and install Avira AntiVir. It's free and much better than AVG.

I think that'll be the first thing I do after I get rid of the 235 viruses/trojans/shitwares SuperAntispyware found

JonM1827
Feb 2, 2007


I would just like to add a quick note on all of those TDSSrv things that seem to come along with the Win Anti Virus 2008/9/whatever malewares. If you go into the device manager, and then click on View -> Show Hidden Devices (something similar to that, I'm on a mac right now), and then go down to Non Plug-and-Play devices, then you will be able to see TDSSrv or whatever it is on your machine. You can then go into that and disable it, I haven't had any luck deleting it, but if you disable it you can then generally load up your virus scanners and other things like that whereas you couldn't before. I think that also might have something to do with the DNS changing things that won't allow you to go to certain virus software websites and the like.

Also, another thing that I have found that is pretty nice, well it doesn't look too nice, but it works well is Avenger. Basically you just paste a list of files, registry keys, services, etc into a window, and click run, and it restarts your computer a few times while removing the files you have put into it. So, if you have a fairly comprehensive list of files that are generally used in the infections, you can put that into avenger and run that before you get going too far, like to get rid of TDSSrv , or any other things that you know are bad.

Another thing I'm a pretty big fan of is Process Monitor. Say I know of a registry key that keeps on being automatically regenerating, you can apply a filter to the keys value, and then when it is created you can click on it. Then after that you can look at the process's stack, and then see what file is generating the key. This has helped me a lot!

Last but surely not least is HijackThis. This has saved me on many occasions, and I use this instead of msconfig all of the time. I think it picks up on a few more things, and you can actually use it to delete the files, whereas msconfig will just make them not start up. Be careful when using it though, as it will remove the files!

Hope this helps.

KARMA!
Jan 22, 2006

I NEED THAT GOD DAMN TWIG!!


FloorMatt posted:

Uninstall AVG and install Avira AntiVir. It's free and much better than AVG.

The virus scanner is not really the issue here.

CeciPipePasPipe
Aug 18, 2004
This pipe not pipe!!

fishmech posted:

I believe their web server has been hijacked, and depending on the referrer information it will redirect you to the malware site. I know I've read of this elsewhere.

yup, testing with curl gives completely different results depending on referer:
code:
% curl -i www.salon808.com
HTTP/1.1 200 OK
Date: Wed, 24 Dec 2008 10:44:26 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.11 mod_ssl/2.8.18 OpenSSL/0.9.6b FrontPage/5.0.2.2635 mod_throttle/3.1.2
Last-Modified: Tue, 16 Oct 2007 01:04:54 GMT
ETag: "c5855c-164-47140e36"
Accept-Ranges: bytes
Content-Length: 356
Content-Type: text/html

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><title></title>
<meta http-equiv="refresh" content="0;url= Cutting_Edge_Hair_and_Makeup_at_Hawaiis_own_Salon_808_.html" /></head><body></body></html>
vs
code:
% curl -i --referer 'http://www.google.com/' www.salon808.com
HTTP/1.1 302 Found
Date: Wed, 24 Dec 2008 10:46:40 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.11 mod_ssl/2.8.18 OpenSSL/0.9.6b FrontPage/5.0.2.2635 mod_throttle/3.1.2
Location: http://89.28.13.201/go.php?s=ww3
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://89.28.13.201/go.php?s=ww3">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.31 Server at salon808.com Port 80</ADDRESS>
</BODY></HTML>

Hillridge
Aug 3, 2004

WWheeeeeee!

Goddammit I am still getting redirected now and then when clinking links on a google search results page. I've run a few scans and found nothing. I guess I'll just live with it for now.

fishmech
Jul 16, 2006

I see a ship in the harbor
I can and shall obey
But if it wasn't for your misfortune
I'd be a heavenly person today


Hillridge posted:

Goddammit I am still getting redirected now and then when clinking links on a google search results page. I've run a few scans and found nothing. I guess I'll just live with it for now.

I'd advise alerting the owners of the sites that they may have been exploited, and posting what sites and search results are giving you redirects.

BillWh0re
Aug 6, 2001




Hillridge posted:

Goddammit I am still getting redirected now and then when clinking links on a google search results page. I've run a few scans and found nothing. I guess I'll just live with it for now.

Are there other computers on your local network? The latest batch of Zlobs perform DNS poisoning so they end up redirecting DNS requests from clean computers that are networked to an infected one.

darkforce898
Sep 11, 2007



JonM1827 posted:

TDSServ EVIL BABY EATER

I just spent three hours cleaning my families computer that had TDSServ and Vundo on it. It was honestly the worst experience I have ever had. Still is infected...

Adbot
ADBOT LOVES YOU

highme
May 25, 2001

Timbers Army
for a free

Cascadia


After reading this thread I downloaded Malwarebytes, Superantispyware, Combofix & Avira. I haven't yet installed Combofix, but Avira keeps popping up an alert saying that my copy of Combofix.exe is a Trojan. I believe I dl'd it from bleepingcomputer.com. Is this a known issue or did I trust the wrong google result?

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply
«93 »