  unimind
join:2002-04-29 england clubs:
moderated: April 14th, @04:11PM
| msn surprise
I've just got in from a night out, and I noticed that one of my contacts has sent me a message with the following link:
The link .... Link Removed --WCB!
When I shut that down, I noticed that my own msn messenger has also sent a link to one of my contacts with the same link detail, but containing their own msn email address.
Out of interest, I saved the file that the link pointed to; it was an MS-DOS file, which I then scanned with a fully updated copy of Norton Anti-Virus 2005. It showed up clean in the virus check.
From that, I went back to the original link. Loading up the page Link Removed --WCB!
just opened up a page which to cut a short story even further, suggested I install some spyware.
I did a search on this forum (which I thought would be the most appropriate place) and found no link to this website. I would be interested if any other member has either a link to this site or any further information as to what this site is trying to do.
I am currently running Windows XP with SP2. I also have the newly released version of MSN 7. I have performed a full scan using Ad-Aware (with the latest updates), which came up clean, so I doubt that this is due to spyware.
If anyone has any ideas as to how this problem came about I would be very thankful; also, any further questions regarding network setup, computer setup or software setup which may help with regards to this problem are welcome.
Thanks for any help.
Richard.
PS, I haven't posted the link which was sent from my own MSN as I would prefer to keep my contact's email private. I have also put in some ** because I don't want to create a link to the site in case anyone clicks it and ends up with spyware on my behalf. |
|
 garys_2k
join:2004-05-07 Farmington, MI | Follow these instructions:
»Security »I think my computer is infected or hijacked. What should I do? |
|
  unimind
join:2002-04-29 england clubs:
edit: April 13th, @11:04PM
| I've run anti-spyware checks etc. I DON'T think that my system is infected or hijacked.
Does anyone have any information about the mentioned site which might be of interest?
Edit
As it's late (4am) I'm going to bed now. I look forward to any suggestions, but I'll run a HijackThis log tomorrow just in case it drags up anything. I doubt it is a problem due to being hijacked etc., as I was sent the link by a single contact and it was sent to a single (but different) contact. But then, to be honest, I'm puzzled as I have not seen anything like this before, and I would like to make sure it doesn't happen again.
I'm more curious as to the nature of the link, as I would quite like to be able to ensure my contact's computer is OK (it is a family computer which I don't have immediate access to), so I would really appreciate any information as to where this link might have come from, and why it has been automatically sent on by MSN Messenger. |
|
  dadkins Land of Confusion Premium,MVM join:2003-09-26 Hercules, CA
·Comcast
| reply to unimind That would be IstBar! Nasty little POS! |
|
 B Premium,MVM join:2000-10-28
| reply to unimind said by unimind :I've run anti-spyware checks etc. I DON'T think that my system is infected or hijacked. Funny; I do.
Your instant messaging program is sending out specially coded links to your contacts, all by itself, and you don't think you're infected with anything?
-- B -- In a realm outside causality and function |
|
  unimind
join:2002-04-29 england clubs:
| reply to unimind As I said in my first post, I have run spyware checks and Norton runs 24/7. I can't find any spyware or viruses so I doubt it is due to that. I have edited my post to say I'll run a HijackThis log tomorrow.
My main interest is how this link appeared, i.e. is there a programme which is involved? I haven't installed anything new at all over the last few days, and my internet use has been just looking at news and emails for the last couple of days, so nothing new has been installed or downloaded over the last 48 hours or so.
Also, is it possible that the link itself may have triggered MSN to send another link to a separate contact once it was received from the first contact?
I'm off to bed now. Thank you for the replies I have received and, as stated, I'll post a HijackThis log as soon as possible. If anyone has any information with regards to the site involved then I would be most grateful.
Richard. |
|
 garys_2k
join:2004-05-07 Farmington, MI
·Vonage
| reply to unimind What are you asking? You say you got a message from someone with a link to a porn site. OK. You also say you seem to have somehow sent that same link to another person. If you didn't do this, are you asking how that went out without your help? My suggestion is that perhaps your system has been compromised and that's how that took place.
If I missed your point, I guess even after rereading your original post four times I still can't figure out what you want. Send that dos file to one of the online checkers (in the link you dismissed), I'll bet Kaspersky will ID the bad guy in it. |
|
  unimind
join:2002-04-29 england clubs:
| reply to dadkins dadkins:
Thanks for your post. I'll have a look into that more tomorrow. Appreciate the fact that you have obviously taken some time to look at the matter in hand and I would like to thank you for the time that you have taken. I will look further into this when I get up tomorrow.
Richard. |
|
 garys_2k
join:2004-05-07 Farmington, MI
·Vonage
| said by unimind :dadkins: Thanks for your post. I'll have a look into that more tomorrow. Appreciate the fact that you have obviously taken some time to look at the matter in hand and I would like to thank you for the time that you have taken. I will look further into this when I get up tomorrow. Richard. Good idea. Start by following ALL of the steps in the link I posted. If you don't your thread will be locked. Good night. |
|
 B Premium,MVM join:2000-10-28
| reply to unimind said by unimind :As I said in my first post, I have run spyware checks and Norton runs 24/7. I can't find any spyware or viruses so I doubt it is due to that. I have edited my post to say I'll run a HijackThis log tomorrow. My main interest is how this link appeared, i.e. is there a programme which is involved. By "programme" may I assume you mean the malware that you don't think you have?
Are you really under the impression that Norton or any antivirus program will prevent virus and other malware infections? If so, you are operating under false assumptions. The software does a decent job of detecting known threats. But NONE of them catches everything, and NONE of them can detect all new threats, or attacks geared specifically to you.
I don't know what your problem is; it could be something as simple as HTML or Javascript redirects. But please follow up on some of the advice given in this thread. We have ALL taken your post seriously, and dismissing well-intentioned advice doesn't serve your cause well. Good luck.
-- B -- In a realm outside causality and function |
|
  NetFixer Snarl for the camera please Premium join:2004-06-24 Murfreesboro, TN
·Vonage
·Cingular Wireless
·AT&T CallVantage
·AT&T Southeast
·Comcast
| reply to unimind The domain malignancy.us is appropriately named.
Whois shows it to be a cloaked registration (the true owner's identity is not available), and the URL you provided attempts to automatically download an executable file.
I can only think of one reason for either a cloaked domain registration or for attempting to automatically download an executable file to a web site visitor. Need I say more? -- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander. |
|
 spooler0 Premium join:2004-11-17
| reply to unimind said by unimind :"Also, is it possible that the link itself may have triggered MSN to send another link to a separate contact once it was received from the first contact?" You might want to download and run an A2 anti-trojan scan (A-squared). Also try the Avast program used by dadkins and consider the 30-day free trial of TDS-3 and Trojan Hunter.
Let us know what you find. Lots of interest here.
Mr. B is rarely wrong. |
|
  dadkins Land of Confusion Premium,MVM join:2003-09-26 Hercules, CA
·Comcast
| reply to unimind Re: msn suprise
No worries friend!
It WOULD be a good idea to follow the instructions here: »Security »I think my computer is infected or hijacked. What should I do? Just to be sure that nothing made it in. |
|
 bpm3k
join:2004-08-15 Simi Valley, CA
| I downloaded the file from the OP. Then I went to the main malignancy website on my test computer. And WOW, it does bad things. I will post a HijackThis log soon. Here are the Jotti results:
AntiVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found BehavesLike:Win32.IRC-Backdoor (probable variant)
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found Backdoor.Win32.Rbot.gen
mks_vir: Found Trojan.Rbot.Lv
NOD32: Found nothing
Norman Virus Control: Found nothing
VBA32: Found nothing
Here are the VirusTotal results (Antivirus, Version, Update, Result):
AntiVir 6.30.0.7 04.13.2005 no virus found
AVG 718 04.13.2005 no virus found
BitDefender 7.0 04.13.2005 BehavesLike:Win32.IRC-Backdoor
ClamAV devel-20050307 04.14.2005 no virus found
DrWeb 4.32b 04.14.2005 no virus found
eTrust-Iris 7.1.194.0 04.14.2005 Win32/Kelvir.G!SFX!Worm
eTrust-Vet 11.7.0.0 04.13.2005 no virus found
Fortinet 2.51 04.14.2005 no virus found
F-Prot 3.16a 04.13.2005 no virus found
Ikarus 2.32 04.13.2005 no virus found
Kaspersky 4.0.2.24 04.14.2005 Backdoor.Win32.Rbot.gen
McAfee 4468 04.13.2005 W32/Kelvir.worm.gen
NOD32v2 1.1060 04.14.2005 no virus found
Norman 5.70.10 04.12.2005 no virus found
Panda 8.02.00 04.13.2005 no virus found
Sybari 7.5.1314 04.14.2005 Win32/Kelvir.G!SFX!Worm
Symantec 8.0 04.14.2005 no virus found |
|
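The multi-engine results in the post above are the thread's strongest evidence, and the way to read them is as a consensus rather than as any one vendor's verdict (Norton, the scanner the original poster relied on, is among the engines reporting clean on that date). The block below is an added example, not code from the original post or from Jotti or VirusTotal: it parses the VirusTotal rows as quoted above (constructed here as one engine per line; that layout is this example's assumption, not VirusTotal's export format), separates behavioural or generic verdicts from signature hits, and collapses the vendors' differing names (Kelvir, Rbot, IRC-Backdoor) into family tokens. Which name fragments count as "generic" markers is also this example's own convention.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: the VirusTotal rows quoted in the post above, one engine
# per line as: engine, version, signature date, result. The one-row-per-line
# layout is assumed for this example.
VT_RESULTS = """\
AntiVir 6.30.0.7 04.13.2005 no virus found
AVG 718 04.13.2005 no virus found
BitDefender 7.0 04.13.2005 BehavesLike:Win32.IRC-Backdoor
ClamAV devel-20050307 04.14.2005 no virus found
DrWeb 4.32b 04.14.2005 no virus found
eTrust-Iris 7.1.194.0 04.14.2005 Win32/Kelvir.G!SFX!Worm
eTrust-Vet 11.7.0.0 04.13.2005 no virus found
Fortinet 2.51 04.14.2005 no virus found
F-Prot 3.16a 04.13.2005 no virus found
Ikarus 2.32 04.13.2005 no virus found
Kaspersky 4.0.2.24 04.14.2005 Backdoor.Win32.Rbot.gen
McAfee 4468 04.13.2005 W32/Kelvir.worm.gen
NOD32v2 1.1060 04.14.2005 no virus found
Norman 5.70.10 04.12.2005 no virus found
Panda 8.02.00 04.13.2005 no virus found
Sybari 7.5.1314 04.14.2005 Win32/Kelvir.G!SFX!Worm
Symantec 8.0 04.14.2005 no virus found
"""

# Result strings that mean "nothing detected" in the formats quoted above.
CLEAN_RESULTS = {"no virus found", "found nothing", "clean"}

# Name fragments that describe platform or type rather than the family
# (assumed list for this example).
NOISE = {"win32", "w32", "backdoor", "worm", "trojan", "sfx", "gen",
         "behaveslike", "probable", "variant"}
# Fragments that mark a heuristic or generic verdict rather than a specific
# signature (assumed convention for this example).
GENERIC_MARKERS = ("behaveslike", ".gen", "probable", "generic", "heur")


@dataclass
class ScanRow:
    engine: str
    version: str
    updated: str
    result: str


def parse_rows(text):
    """Split 'engine version date result...' lines; result may contain spaces."""
    rows = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4:
            rows.append(ScanRow(*parts))
    return rows


def family(result):
    """Reduce a vendor detection name to (family, is_generic), e.g.
    'W32/Kelvir.worm.gen' -> ('kelvir', True),
    'Win32/Kelvir.G!SFX!Worm' -> ('kelvir', False)."""
    r = result.lower()
    generic = any(marker in r for marker in GENERIC_MARKERS)
    tokens = [t for t in re.split(r"[^a-z0-9-]+", r)
              if len(t) > 1 and t not in NOISE]
    return (tokens[0] if tokens else "unknown", generic)


def summarize(rows):
    """Consensus view: how many engines fire, on which families, and how many
    of those are specific signatures rather than behavioural/generic hits."""
    detected = [row for row in rows if row.result.lower() not in CLEAN_RESULTS]
    families = Counter(family(row.result)[0] for row in detected)
    return {
        "engines": len(rows),
        "detections": len(detected),
        "families": dict(families),
        "consensus": families.most_common(1)[0][0] if families else None,
        "signature_hits": sum(1 for row in detected if not family(row.result)[1]),
    }


if __name__ == "__main__":
    print(summarize(parse_rows(VT_RESULTS)))
```

On these rows the summary is 5 detections out of 17 engines, three of them naming Kelvir, with only two of the five being specific signatures; the rest are generic or behavioural. That is exactly the picture later posts describe: a brand-new variant that most signature sets had not yet caught the night it appeared, which is why one clean Norton scan on the day proves little.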
 Schouw Premium join:2003-05-29 Netherlands | reply to unimind The file downloaded is an sfx archive.
It contains a new Kelvir variant, IM-Worm.Win32.Kelvir.k and Backdoor.Win32.Rbot.gen. -- Not speaking for Kaspersky Lab |
|
 bpm3k
join:2004-08-15 Simi Valley, CA
| I went to the malignancy website and let it have its way with my computer. It was a fully updated XP SP2 install. The only protection it had turned on was Spybot immunize and a NAT firewall. The computer was clean before I went to the website. Here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:44:03 PM, on 04/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Media Access\MediaAccK.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\vjwrsyo.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\system32\imgtuf.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\system32\gah95on6.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\program files\zango\zango.exe
C:\PROGRA~1\LeapFrogMessenger\LeapFrogMessenger.exe
C:\WINDOWS\system32\spas.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\WINDOWS\system32\l?gonui.exe
C:\WINDOWS\system32\mnmadhlp.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Documents and Settings\billy\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = »searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »www.websearch.com/ie.aspx?tb_id=50245
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = »www.oemji.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.oemji.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = »www.websearch.com/ie.aspx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »www.websearch.com/ie.aspx?tb_id=50245
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = »www.oemji.com/side_search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F3 - REG:win.ini: load=C:\Program Files\WAFFLEz\mlg1.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteins32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [uchHPF88E] C:\WINDOWS\vjwrsyo.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\DOCUME~1\billy\LOCALS~1\Temp\cxtpls_loader.exe" /PC=CP.IST /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [v33V38i] imgtuf.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [zango] c:\program files\zango\zango.exe
O4 - HKLM\..\Run: [LFM] C:\PROGRA~1\LeapFrogMessenger\LeapFrogMessenger.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe -onreboot
O4 - HKCU\..\Run: [Ettm] C:\WINDOWS\system32\spas.exe
O4 - HKCU\..\Run: [Elatiieo] C:\WINDOWS\system32\l?gonui.exe
O4 - HKCU\..\Run: [e0s9RUG8S] mnmadhlp.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: v3cab - »searchmiracle.com/cab/2.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - »static.windupdates.com/cab/CDT/i···-c46.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »v5.windowsupdate.microsoft.com/v···00464234
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - »www.xxxtoolbar.com/ist/softwares···dult.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - »www.mt-download.com/MediaTickets···fid=3965
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe |
|
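The log above is long and most of it is legitimate (Symantec, NVIDIA, the Belkin UPS agent), so what a responder actually wants is a first pass over the autorun entries (the F3 win.ini hook, the O4 Run values and the O23 services) that flags binaries by where they live and how they are named. The block below is an added example, not part of the original post and not a HijackThis feature; it parses a constructed sample of lines copied from the log above and applies a few location and naming heuristics. The list of system binaries to compare against, the reason strings and the digits-in-name signal are this example's own choices, and treating a `?` in a path as a character HijackThis could not print (so that `l?gonui.exe` is checked against `logonui.exe`) is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied from the HijackThis log quoted above
# (the F3 line, a selection of O4 Run values and two O23 services), with the
# legitimate Symantec entries left in so the heuristics have something to pass.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\Program Files\WAFFLEz\mlg1.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [uchHPF88E] C:\WINDOWS\vjwrsyo.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\DOCUME~1\billy\LOCALS~1\Temp\cxtpls_loader.exe" /PC=CP.IST
O4 - HKLM\..\Run: [v33V38i] imgtuf.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKCU\..\Run: [Elatiieo] C:\WINDOWS\system32\l?gonui.exe
O4 - HKCU\..\Run: [e0s9RUG8S] mnmadhlp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
F3_RE = re.compile(r"^F3 - REG:win\.ini: load=(.*)$")
# First executable-looking token of a command line, quoted or not.
PATH_RE = re.compile(r'^"?([^"]*?\.(?:exe|dll|com|scr|bat))\b', re.IGNORECASE)

# Windows binaries that malware imitates by changing one character
# (assumed list for this example).
SYSTEM_BINARIES = ("logonui.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                   "csrss.exe", "services.exe", "explorer.exe")


@dataclass
class Entry:
    kind: str    # "O4", "O23" or "F3"
    name: str    # Run value name or service display name ("" for F3)
    owner: str   # O23 vendor string, "" otherwise
    cmd: str     # command line as logged
    path: str    # executable extracted from cmd
    raw: str


@dataclass
class Finding:
    entry: Entry
    reasons: list = field(default_factory=list)


def extract_path(cmd):
    m = PATH_RE.match(cmd)
    return m.group(1) if m else cmd


def parse(text):
    """Pick out F3, O4 and O23 lines; other HijackThis sections are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            _hive, name, cmd = m.groups()
            entries.append(Entry("O4", name, "", cmd, extract_path(cmd), line))
        elif m := F3_RE.match(line):
            cmd = m.group(1)
            entries.append(Entry("F3", "", "", cmd, extract_path(cmd), line))
        elif line.startswith("O23 - Service: "):
            # rsplit from the right: display names may themselves contain " - "
            parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
            if len(parts) == 3:
                name, owner, cmd = parts
                entries.append(Entry("O23", name, owner, cmd, extract_path(cmd), line))
    return entries


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lookalike(name):
    """Return the system binary `name` imitates if it is one character off.
    A '?' (a character HijackThis could not print, by assumption) is treated
    as a wildcard so 'l?gonui.exe' still matches 'logonui.exe'."""
    for sysbin in SYSTEM_BINARIES:
        if len(name) != len(sysbin) or name == sysbin:
            continue
        diff = sum(1 for a, b in zip(name, sysbin) if a != b and a != "?")
        if diff <= 1:
            return sysbin
    return None


def assess(entry):
    reasons = []
    p = entry.path.replace("/", "\\").lower()
    if entry.kind == "F3":
        reasons.append("win.ini load= hook")
    if entry.kind == "O23" and entry.owner.lower() == "unknown owner":
        reasons.append("service with unknown owner")
    if "\\temp\\" in p:
        reasons.append("runs from a temp directory")
    windir = "c:\\windows\\"
    if p.startswith(windir) and "\\" not in p[len(windir):]:
        reasons.append("binary directly in the Windows directory")
    if "\\" not in p:
        reasons.append("bare filename, located via PATH search")
    target = lookalike(basename(entry.path))
    if target:
        reasons.append(f"lookalike of {target}")
    if entry.kind == "O4" and re.search(r"[A-Za-z]", entry.name) and re.search(r"\d", entry.name):
        reasons.append("autorun value name mixes letters and digits")
    return reasons


def triage(text):
    """Entries with at least one reason, in log order, for a human to review."""
    return [Finding(e, r) for e in parse(text) if (r := assess(e))]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.kind:3} {f.entry.path:50} {'; '.join(f.reasons)}")
```

These are hints for a reviewer, not verdicts: the Symantec entries pass, the win.ini load= hook, the Temp-directory loader, the two bare filenames, the binary dropped straight into C:\WINDOWS, the `l?gonui.exe` lookalike and the unknown-owner service are all flagged, but `IST Service` under Program Files is not, because by location it looks like any other installed program. Catching that one is a matter of name recognition, which is what dadkins' IstBar identification and the vendor signatures in the thread supply.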
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
·RoadRunner Cable
| said by bpm3k :I went to the malignancy website and let it have its way with my computer. WOW! I hope the LU just released has got this covered [ in part - at least] »NAV IU & LU -- 14 April 2005
 |
|
  novaflare The Dragon Was Here Premium join:2002-01-24 Barberton, OH | reply to bpm3k Hmm i guess i know where to go if i decide to test a new anti spyware app heh |
|
  NetFixer Snarl for the camera please Premium join:2004-06-24 Murfreesboro, TN
·Vonage
·Cingular Wireless
·AT&T CallVantage
·AT&T Southeast
·Comcast
| reply to amysheehan I suspect that most AV providers will have updated their def files by now for the new Kelvir variants. F-Prot did not detect it last night, but the updates today caught it with no problems (including the copy from last night which was still in my browser cache). -- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander. |
|