RetouchPRO | Salon: Just hanging around... (Social area, where non-retouching talk is encouraged)
01-10-2007, 02:00 AM
|  | Moderator | | Join Date: Mar 2004 Location: Yorkshire, England
Posts: 2,687
| | | infection in Action For those of you who know, I spend a lot of my time removing Malware from other people's computers.
This clip at YouTube gives you an idea of why you should browse cautiously and pay attention to your security.
It shows a typical "Spy Sheriff" install, which is one of the "Smitfraud" family of infections, an extremely common infection, usually contracted by downloading an infected codec.
Enjoy! http://www.youtube.com/watch?v=MaKv_...elated&search=
PS. This is an ad for McAfee Site Advisor, which is a tool for giving an indication of which sites contain infected links.
McAfee AV funnily enough (though not surprisingly) does not remove this infection.
Last edited by Gary Richardson; 01-10-2007 at 02:31 AM.
| 
01-10-2007, 03:52 AM
|  | Senior Member Patron | | Join Date: Dec 2004 Location: Yorkshire
Posts: 562
| | | Re: infection in Action Nice clip Gary | 
01-10-2007, 07:40 AM
|  | Moderator | | Join Date: Apr 2005 Location: somewhere over there
Posts: 6,509
| | | Re: infection in Action hehe, never had one quite that bad, but close | 
01-10-2007, 12:52 PM
|  | Moderator | | Join Date: Sep 2001 Location: Metro Phoenix area, Arizona
Posts: 2,640
| | | Re: infection in Action Gary, thanks for the clip -- if it wasn't so scary  I'd say I enjoyed it. The music really adds to the drama. I hope I never let my poor computer get that sick...
I really like McAfee's SiteAdvisor add-on to Firefox -- I like that the free version gives me info about potential threats at a particular website (getting bugged with emails if you sign up on that page, spyware attached to downloads from a site, etc.), and I feel much better when I see that nice green color saying that a site is relatively safe. | 
01-10-2007, 04:24 PM
|  | Moderator | | Join Date: Mar 2004 Location: Yorkshire, England
Posts: 2,687
| | | Re: infection in Action Yeah, I like Site Advisor too, though it is not always totally reliable.
Some good sites were recently listed as red because some of the tools there had processes which could be used maliciously, they weren't, but Site Advisor relies on a bot system to gather data, and tends to err on the side of caution.
The good thing is that McAfee responded quickly when their error was pointed out to them, and the site listing was revised.
Full marks therefore to McAfee, now if only they could do something about the over bloated pile of junk they sell as an Anti-Virus. | 
01-15-2007, 11:52 PM
|  | Moderator | | Join Date: Aug 2001 Location: USA
Posts: 2,545
| | | Re: infection in Action My sister's computer now looks like the YouTube clip...hers was spysoldier and ultimately Win32.MatrixHasYou. She gave up in defeat tonight and we are going to try to tackle it tomorrow. | 
01-16-2007, 09:31 AM
|  | Moderator | | Join Date: Mar 2004 Location: Yorkshire, England
Posts: 2,687
| | | Re: infection in Action Hi T,
Get her to run a HJT (HijackThis) scan and I'll look it over for you. If we know what the infection is, it'll probably save you hours of possibly fruitless endeavour. (Sounds like one of the Smitfraud variants offhand, but I'll be better placed to help her if I can see a HJT log).
- Click here to download HJTsetup.exe, and save it to your desktop.
- Double click on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the "Select Additional Tasks" dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
- Copy and paste the log here
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required. | 
01-16-2007, 09:53 AM
|  | Moderator | | Join Date: Aug 2001 Location: USA
Posts: 2,545
| | | Re: infection in Action Thanks so much Gary! I haven't heard back from her today, but I will let her know about your extremely kind offer!!!! | 
01-16-2007, 12:24 PM
|  | Moderator | | Join Date: Mar 2004 Location: Yorkshire, England
Posts: 2,687
| | | Re: infection in Action You're welcome. Just post it in this thread and I'll see it. | 
01-17-2007, 01:09 PM
|  | Moderator | | Join Date: Aug 2001 Location: USA
Posts: 2,545
| | | Re: infection in Action Well I just talked to my sister. She ended up purchasing SpyDoctor and I think it found over 600 infected files. She is trying to install HiJackThis right now but gets the following error: Quote: |
an error occured while trying to rename a file in the destination directory Movefile failed; code 5 Access denied
|
Last edited by T Paul; 01-17-2007 at 01:23 PM.
| 
01-17-2007, 01:33 PM
|  | Moderator | | Join Date: Apr 2005 Location: somewhere over there
Posts: 6,509
| | | Re: infection in Action 600! oh my lord. i thought i was in trouble when i found 3 a year ago
you might inform your sister that ANY personal data she had on that computer is now public knowledge, including passwords, bank statements, email addresses, pin numbers, credit card numbers and so on. she should inform the bank if she had a pin number on the computer, credit card companies if she had any credit card numbers on there and so on down the line. many of these modern viruses and spyware do nothing but search such data out on an infected computer and send that data out for thieves to use. | 
01-17-2007, 01:38 PM
|  | Moderator | | Join Date: Aug 2001 Location: USA
Posts: 2,545
| | | Re: infection in Action That's not going to make her happy. She still hasn't had any luck installing HJT. | 
01-17-2007, 01:41 PM
|  | Moderator | | Join Date: Aug 2001 Location: USA
Posts: 2,545
| | | Re: infection in Action It all happened when she was trying to send me some photos. Her computer came with Adobe Photoshop Album Starter 2.0 and she was having some trouble emailing from the problem so she clicked on the link to go to the software web site and wamm her computer was taken over! Sounds like something is nesting in her computer. | 
01-17-2007, 02:10 PM
|  | Moderator | | Join Date: Mar 2004 Location: Yorkshire, England
Posts: 2,687
| | | Re: infection in Action Hi T,
OK, let's try re-naming HJT and then seeing if we can install it and run a scan.
Won't be able to use the version I linked to, as that auto installs.
Try this.
- Create a new folder C:\HJT
- Download HijackThis.exe to this folder. (This is a free-standing executable version).
- Now rename HijackThis.exe to FredFlintstone.exe then try to run a scan.
Post back here if possible, if not let me know, there are other things we can try.
Question: When you say SpyDoctor, do you mean SpywareDoctor by PC Tools? | 
01-17-2007, 02:15 PM
|  | Moderator | | Join Date: Apr 2005 Location: somewhere over there
Posts: 6,509
| | | Re: infection in Action try gary's method first. but, i also recently ran HJT and went to their web site and noticed that they also recommend, in some instances, using earlier versions of HJT due to some viruses attacking the later versions specifically. so, that might be an option also, if gary's method doesn't work. |