Just dodged a drive-by rootkit, I think

login123

Had Powershadow running, Returnil probably would have worked also.

Used eDintori.net, Irish search engine to look for Piriform forums.

 

One of the links (about hanged people, don't go) went to a site which locked me up. All I did was open it. It tried to install a rootkit, I think. Edit: would welcome any comments from members more knowledgeable about what happened.

 

Not entirely sure of the following order, but IE was locked up, that's for sure.

 

Got warning 1. Clicked cancel.

Window wouldn't get out of the way...always on top. Windows key+d will clear the screen.

Got the install prompt.

Clicked cancel on the install prompt. It cancelled.

Clicked cancel on the download prompt. The prompt just repeated itself. 5 times

Clicked the x to close the next install prompt. The prompt just repeated itself. 5 times

Clicked on another tab in IE. Wouldn't change tabs. Got the bloop sound.

Clicked on the x to close IE. Nope.

Clicked on the system tray to close IE. Nope.

Disabled 'net connection from systray.

 

Ctrl+Alt+Delete brought up Task Manager.

Used Task Manager to shut down IE. Worked.

 

Scans of C:\Documents and Settings\Compaq_Owner\Local Settings before reboot

Avast = nothing

SuperAnti = nothing

mbam = nothing

A2 = Rootkit.win32.TDSS!K in c:\...Local Settings\temporary internet files\ContentIE5\O9H2O13\[1].EXE.

Apparently this is fairly new malware?

 

Scans after reboot: Apparently nothing installed.

 

Don't know what would have happened if I hadn't had PS running. Wish it was still free, but Returnil has the same capabilities, I guess. I notified eDintori.

 

[Screenshots: 001warning1734.jpg.xs.jpg, 002warning2216.jpg.xs.jpg, 005install1983.jpg.xs.jpg]

 

Edit: Well, OK, guess I'll quit using xs.to for image hosting. Lotsa junk comes with those thumbnail links. <_<

The CCleaner SLIM version is always released a bit after any new version; when it is it will be HERE :-)

Pssssst: ... It isn't really a cloud. It's a bunch of big, giant servers.


This is a symptom of the infamous antivirus2009 gang that are currently rampant on the Internet

 

See Newest Rogue Threats:

http://www.malwarebytes.org/forums/index.php?showforum=30

 

Malwarebytes MBAM is on top of them.

"Education is what remains after one has forgotten everything he learned in school." - Albert Einstein

IE7Pro user


  • Moderators

You should block that URL you went to in everything you have including IE, HOSTS and even input it into Avast's Web Shield as a blocked site.

 

We have listed sites on here before to let others know to block them; if you do list it, just put it inside of a code box so the URL won't be active:

[Image: ipb_codebox374.png]

 

It would look like this for example:

 

www.bad-site-address.com

 

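One way to turn a list of reported addresses into HOSTS entries, added here as an example and not code from the forum or from any of the HOSTS projects mentioned in this thread: it normalises the mixed forms people paste (full URLs, bare hosts, "hxxp" defanging, trailing paths), emits both the bare and "www." forms pointing at 0.0.0.0, and merges them into an existing HOSTS text without duplicating entries. The address list and the sample HOSTS text are constructed from what is quoted in this thread; the function names are mine.

```python
import re
from urllib.parse import urlsplit

# Constructed input: the addresses quoted in this thread, in the mixed forms
# people post them (full URL, bare host, "hxxp" defanged scheme, trailing path).
REPORTED = [
    "http://new4scan.com/22/?uid=117",
    "www.new5scan.com",
    "www.new6scan.com",
    "hxxp://www.online-safe-way.com/",
    "new5scan.com/21/?uid=167\\?uid=167",
]

# Conservative hostname check: labels of letters, digits and hyphens, at least one dot.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def to_hostname(item: str) -> str:
    """Reduce a pasted URL or host to its bare hostname, without a leading 'www.'."""
    s = item.strip().lower()
    s = re.sub(r"^hxxps?://", "http://", s)      # undo the usual defanging
    if "://" not in s:
        s = "http://" + s                        # urlsplit needs a scheme to find the host
    host = (urlsplit(s).hostname or "").strip(".")
    if host.startswith("www."):
        host = host[4:]
    if not HOST_RE.match(host):
        raise ValueError(f"not a usable hostname: {item!r}")
    return host


def hosts_lines(items) -> list:
    """HOSTS-file lines for each distinct host, in both bare and 'www.' forms.

    0.0.0.0 is used rather than 127.0.0.1 so a blocked lookup fails fast instead
    of connecting to whatever is listening on the local loopback interface.
    """
    lines = []
    for host in sorted({to_hostname(i) for i in items}):
        lines.append(f"0.0.0.0 {host}")
        lines.append(f"0.0.0.0 www.{host}")
    return lines


def merge_into_hosts(existing_text: str, items) -> str:
    """Append only the entries not already present; running it twice changes nothing."""
    present = set()
    for line in existing_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then "<ip> host [host ...]"
        present.update(fields[1:])
    new = [ln for ln in hosts_lines(items) if ln.split()[1] not in present]
    if not new:
        return existing_text
    head = existing_text.rstrip("\n") + "\n" if existing_text else ""
    return head + "# rogue security-software sites reported on the forum\n" + "\n".join(new) + "\n"


if __name__ == "__main__":
    # Constructed stand-in for the contents of %SystemRoot%\System32\drivers\etc\hosts;
    # nothing is read from or written to disk here.
    sample_hosts = "127.0.0.1 localhost\n0.0.0.0 new4scan.com   # already blocked\n"
    print(merge_into_hosts(sample_hosts, REPORTED))
```

The merge only adds hostnames that are not already mapped on some line, so it can be re-run after every new report; the one host already present in the constructed sample is skipped while its "www." twin is still added.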

Just to give an idea of what the AV/AS authors (good guys) have to try and stay on top of.

 

Below is a pic of a few Antivirus 2009 installers I've picked up in the last month or so.

 

On the day they are released most AV/AS won't pick them up as they have been morphed (changed) ever so slightly so as to avoid detection until the AV/AS apps have their databases updated in order to detect these new rogue installers.

 

I think over at MBAM's forum we've found 6-8 new installers since Friday, and that's only for Antivirus 2009 with a lot of other rogue apps doing exactly the same thing.

 

The installer I uploaded to Virus Total wasn't being flagged on the day I found it.

File InstallAVg_77019105.exe received on 01.09.2009 10:51:02 (CET)

Current status: finished

Result: 0/38 (0.00%)

Virus Total

 

And on re-uploading just now a few AV's are starting to detect it.

File InstallAVg_77019105.exe received on 01.11.2009 00:40:38 (CET)

Current status: finished

Result: 6/34 (17.65%)

Virus Total

 

[Image: i2600_Installers.JPG]

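Why a freshly morphed installer gets past signature scanners for a day or two, and why a later post in this thread sees variants of the same size but different bytes, shown with an added example that is mine and not Humpty's or any vendor's tooling: two constructed byte blobs stand in for an installer and a same-size variant with six bytes changed. An exact-hash lookup (effectively what a signature database does) misses the variant, while a byte n-gram Jaccard similarity still ties it to the original. All sample data is generated inside the block; the function names and the 0.9 threshold are my choices.

```python
import hashlib
import random


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ngrams(data: bytes, n: int = 4) -> set:
    """Set of every n-byte window in data: a crude content fingerprint."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard overlap of n-gram sets: 1.0 means identical content, 0.0 nothing shared."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 1.0


def morph(sample: bytes, n_changes: int, seed: int) -> bytes:
    """Constructed stand-in for a 'morphed' build: same length, a handful of bytes differ."""
    rnd = random.Random(seed)
    buf = bytearray(sample)
    for pos in rnd.sample(range(len(buf)), n_changes):
        buf[pos] ^= 0x01            # always changes the byte, deterministic for the seed
    return bytes(buf)


def triage(known: dict, candidate: bytes, threshold: float = 0.9) -> dict:
    """known maps a label to sample bytes. Exact-hash match first, then nearest
    neighbour by n-gram similarity; 'likely_variant' flags a near miss."""
    digest = sha256_hex(candidate)
    exact = next((name for name, data in known.items() if sha256_hex(data) == digest), None)
    best_name, best_score = None, -1.0
    for name, data in known.items():
        score = similarity(candidate, data)
        if score > best_score:
            best_name, best_score = name, score
    return {
        "sha256": digest,
        "size": len(candidate),
        "exact_match": exact,
        "closest": best_name,
        "similarity": round(best_score, 4),
        "likely_variant": exact is None and best_score >= threshold,
    }


def _blob(seed: int, size: int = 64 * 1024) -> bytes:
    """Constructed pseudo-random bytes; not a real file."""
    rnd = random.Random(seed)
    return bytes(rnd.getrandbits(8) for _ in range(size))


# Constructed samples: two unrelated "installers" and a morphed copy of the first.
ORIGINAL = _blob(1)
UNRELATED = _blob(2)
MORPHED = morph(ORIGINAL, n_changes=6, seed=3)   # same size, six bytes differ
KNOWN = {"installer_a": ORIGINAL, "installer_b": UNRELATED}

if __name__ == "__main__":
    for label, data in (("original", ORIGINAL), ("morphed", MORPHED)):
        print(label, triage(KNOWN, data))
```

The point of the comparison is the gap between the two columns: the morphed copy has a new SHA-256 and so no exact match, yet its n-gram similarity to the original is above 0.99, which is the kind of signal a scanner needs once the hash-based signature is stale.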

You should block that URL you went to in everything you have including IE, HOSTS and even input it into Avast's Web Shield as a blocked site.

By the way hpHosts and MVPS HOSTS files have been recently updated.

 

I'm finally getting around to ripping my old CDs to my recently rebuilt XP Pro system.

The Best of the Moody Blues, Magic Bus and Who's Next The Who, The best of Eric Clapton and The Seeger Sessions Bruce Springsteen



OK, thanks, Andavari, I will post the site below. I didn't before for fear someone would go to it.

Humpty, the anti-malware business must be like fighting a swarm of bees. Are those all variations of a single install.exe?

 

The site:

http://new4scan.com/22/?uid=117

 

 

It was (and is right now) the only anomalous finding when searching for "Piriform". The site is listed as "the Hanging Tree...etc", and appears to go to dealfa . com but it is an obfuscated URL. It is listed below:

 

 

http://ie.edintorni.net/search/redirector.asp?t=&u=http%3A//wzey1.ask.com/r%3Ft%3Dp%26d%3Dsyneu%26s%3Dedn%26c%3Dbh%26l%3Ddir%26o%3D0%26sv%3D0a5c4318%26ip%3D415004db%26id%3D4F3614A90464748B0D62A6C4A7E71196%26q%3Dpiriform+forums%26p%3D1%26qs%3D121%26ac%3D7%26g%3D7edbaRxFOjIJSA%26en%3Dte%26io%3D5%26b%3Dalg%26tp%3Dd%26ec%3D10%26pt%3DThe+Hanging+Tree%253A+Execution+and+the+English+Hanged+People.%26ex%3D%26url%3D%26u%3Dhttp%3A//dealfa.com/wp-content/uploads/2007/04/oudelcn-2381.html

 

 

Now lookit, guys, I don't hang around (no pun intended) morbid sites. It was anomalous, I'm tellin ya... :unsure:



Now lookit, guys, I don't hang around (no pun intended) morbid sites. It was anomalous, I'm tellin ya... :unsure:

OK !!! We will grant you the anomaly. :unsure:

We can overlook the short-term memory or long-term memory loss. :blink:

But the lack of being granted a Favorites entry or a Bookmark? :angry:

:( forum.piriform.com :( members :(

You better dig up a good "guilty smiley" or this one. :ph34r:

You have "cut us to the quick". :( davey

P.S. After further contemplation, all is forgiven. :lol:

After all, you did discover a new "meany" out there. Trying to entrap others searching for "piriform forums".

These guys are truly "deceivers".

THANKS FOR THE WARNING !!!


Site seems down atm?

Firefox can't find the server at www.new4scan.com.

Yep, most if not all of those installers belong to the rogue Antivirus 2009.

 

A couple may be for Antivirus 360 which is a clone of AV 2009.

 

Funny thing is I changed the URL to:

www.new5scan.com

and picked up an installer for Internet Antivirus Pro which is another rogue app which must be quite a new one as not too many are flagging it including MBAM.

File install.exe received on 01.11.2009 17:44:44 (CET)

Current status: finished

Result: 8/38 (21.05%)

Virus Total


Just to follow up, the installer I downloaded for Internet Antivirus Pro was a morphed version from the other five samples I have.

 

You can see in the pic below they are the same size but packed at a different size.

 

[Image: i2604_IAVinstallers.JPG]

 

Edit:

Changed the URL again to:

www.new6scan.com

and picked up another installer for Internet Antivirus Pro which is different again.

 

Ya gotta pity those poor Antimalware good guys trying to keep up with these rogues, huh. :blink:


Just to follow up, the installer I downloaded for Internet Antivirus Pro was a morphed version from the other five samples I have.

 

You can see in the pic below they are the same size but packed at a different size.

 

[Image: i2604_IAVinstallers.JPG]

 

Edit:

Changed the URL again to:

 

and picked up another installer for Internet Antivirus Pro which is different again.

 

Ya gotta pity those poor Antimalware good guys trying to keep up with these rogues, huh. :blink:

I feel even more sorry for people who are trying to find utilities to protect or keep their systems running and get duped by this garbage. Fortunately, most of us here have our defenses and utilities set up.

Despite a hardware firewall, OA Free, NOD32, ThreatFire, Windows Defender, Sandboxie, some on demand scanners, and AyRecovery, I've come to the conclusion that one of the great defenses and first line of defense (besides common sense) is WOT or similar, and to never, never, ever open anything that isn't green in search results.


Ya gotta pity those poor Antimalware good guys trying to keep up with these rogues, huh. :blink:

There are quite a few complaints on avast! and McAfee forums about those infections and they are slowly starting to detect and remove them; plus I notice avast! preventing access to their download sites.



Also, take note that the malware authors are aware of a person clicking the red X button to close the window. So far, it is preferred to end the task of the browser rather than simply clicking the X button, which will execute the malware rather than closing the browser.


Thanks, Davey, for letting me off the hook. :P Be comforted, I have Piri on speed dial. The eDintori foray was an experiment to see how different search engines find the same entry.

 

Tunerz, you are quite right, and maybe a lot of people don't know that. If I hadn't had a virtualization app running, I would have just shut down IE. Might have been too late anyway.

 

edit: The malicious site is still there. Going to go there 3 times: once w/ PS running, once with Returnil running, and once with Sandboxie running, see what happens. :o Back soon, I hope. Don't try this at home.



Site is still there, looks and behaves differently. Several clicks required to get to the install prompt. No warning from avast nor from A2 this time, even upon installation. ?



  • Moderators
Disabled 'net connection from systray.

 

Ctrl+Alt+Delete brought up Task Manager.

Used Task Manager to shut down IE. Worked.

 

You got there in the end login.

 

For anyone who hasn't had the misfortune to be hit with this crazy situation of warnings popping up all over the screen, with what appears to be the good guys scanning your system with the offer of immediate help, there's one very important rule to follow, as mentioned by Tunerz above.

 

Do not click on anything:

 

The "cancel" buttons, and the red x "close window" buttons are usually spring loaded with links to other nasty stuff, or may even trigger the actual download of a virus.

 

Although not easy to do, stay calm and do two things in whichever order you find easiest.

 

Launch Task Manager with Ctrl+Alt+Del, scroll to your browser, highlight it, and select "End Task".

 

Disconnect your connection by whichever way you find easiest. Right click or double click your Internet icon in the system tray, and select "disconnect".

 

Or maybe via the "Start" button:

 

[Image: t651_QuickDisconnect..jpg]

 

Let's hope you never have to do this, but make sure you know how to.


Thanks for listing the sites. They're now blocked on my end.

 

You're welcome, Andavari. The last trip gave 2 more:

 

 

http://new5scan.com/21/?uid=167\?uid=167

 

and when you close that, to

 

http://www.online-safe-way.com/

 

 

And a new installer file, called installer_00526.exe

 

Still no warnings are triggered from avast or A2, even though it installed.

 

Gonna sign out now. Would be glad to help or report more about it if need be.



new5scan.com/21/?uid=167\?uid=167 seems dead atm.

 

Went to hxxp://www.online-safe-way.com/ and picked up an "installer_00001.exe" which installs Antivirus Plus which is another rogue.

 

Not too many are flagging the above installer, so it must be a fairly new one, which I've uploaded to Malwarebytes.

File installer_00001.exe received on 01.13.2009 04:54:11 (CET)

Current status: finished

Result: 4/38 (10.53%)

Virus Total

 

[Image: t2608_avplus.JPG]


I sent installer_00526._xe to MBAM just now. By the way, the picture looked different on "safe-way" earlier today. Also, don't know if it is related, but tcpview showed an attempt to connect to a site in Italy, one in Latvia, and one in Mexico.



Thanks, Davey, for letting me off the hook. :P Be comforted, I have Piri on speed dial. The eDintori foray was an experiment to see how different search engines find the same entry.

 

edit: The malicious site is still there. Going to go there 3 times: once w/ PS running, once with Returnil running, and once with Sandboxie running, see what happens. :o Back soon, I hope. Don't try this at home.

Glad to have you checking for those "bad guys" and their "bag of tricks". Really bugs me to think they are trying to trap people looking for Piriform forums.

I give all my friends exact links. I never want them just "browsing" for "Cleaners" and "Spystuff" etc.

Of course, you already know that there are too many imitation sites on the Internet using all these keywords to lure the "un-informed". I want all those persons that I know to go directly to safe sites.

Thanks for your efforts to find these "evil kinds" of sites.

Do not worry, "I won't be trying this at home". :lol: davey


  • Moderators
Of course, you already know that there are too many imitation sites on the Internet using all these keywords to lure the "un-informed"

That's true. Even misspelling a website address can have the user going into the nefarious zone. I remember accidentally typing in the Ford Vehicles website address wrong once and instead of cars there were "flotation devices" on the screen. :lol:

