Virus killing


Aggelakis


Posted

Hi all.

Apologies if this is slightly OT, but I'm too paranoid to play the game at the moment, so...

Went onto a friend's MySpace the other day and immediately regretted it. It started accessing Chinese and Italian pages with random names - it was a background jpg infection - and in the 10 seconds or so before I spotted and killed the process, I got at least one adware infection uploaded to my machine. Yes, I was using Firefox, and no, it didn't help.


Now, I've run it through the following:
Norton AV (didn't catch anything... not surprising, since it FAILED at stopping the inbound)
Yahoo CA AntiSpy (caught one adware)
Spybot Search and Destroy (nothing)
AVG (nothing)
Kaspersky Online (nothing)
Also currently have Spybot running Resident.

However, still worried, especially as I need this machine for my design business, banking, and other uses. Other than consigning it to holy cleansing fire - which may void warranty - what's the best way of ensuring a clean machine?


Is it time for the dance of joy yet?


Posted

Malwarebytes for the win. I've had a similar thing happen to me recently, and the use of that along with a nice program called combofix helped me out. If Malwarebytes can't find it, it probably isn't something you need to worry about.



Posted

And when you're done with Malwarebytes, you can run Hijack This and post the log from it here.

If you want to try to understand what the Hijack This log is telling you, look here.

You might want to consider using NoScript, an add-on for Firefox that prevents scripts from running. It's easy to use and set up and can help keep you safe.


"I used to make diddly squat, but I've been with the company for 16 years and have had plenty of great raises. Now I just make squat" -- Me

Pediatric brain tumors are the #1 cause of cancer related deaths in children.


Posted

Thanks both...

...however, NoScript wouldn't have helped in this case. The virus worked by redirecting from a fake background image to a PHP script which then started the upload. They're getting smarter...


Is it time for the dance of joy yet?


Posted

But... That is exactly the kind of thing NoScript is good for stopping.



Posted

Quote:
Originally Posted by dreamweaver_EU View Post
Thanks both...

...however, NoScript wouldn't have helped in this case. The virus worked by redirecting from a fake background image to a PHP script which then started the upload. They're getting smarter...
I would like you to re-read the two bolded items...


Paragon Wiki: http://www.paragonwiki.com
City Info Terminal: http://cit.cohtitan.com
Mids Hero Designer: http://www.cohplanner.com
Quote:
Originally Posted by Dispari View Post
I don't know why Dink thinks she's not as sexy as Jay was. In 5 posts she's already upstaged his entire career.


Posted

Quote:
Originally Posted by Aggelakis View Post
I would like you to re-read the two bolded items...
In case you didn't know, PHP is a server-side scripting language. NoScript does NOT (and cannot) do anything about that; it can only disable client-side scripts (+plugins).

NoScript doesn't protect you against attacks that don't depend on third party plugins (such as Flash) or JavaScript (such as one that exploits a flaw in their handling of jpegs).


Quote:
Originally Posted by ShadowNate
;_; ?!?! What the heck is wrong with you, my god, I have never been so confused in my life!


Posted

It still doesn't make sense; someone had to click on something. The most PHP can do is send a prompt for a download or upload; it can't do it automatically or arbitrarily.

But whatever..

We still need to see a Hijackthis to give a good opinion.



Posted

Quote:
Originally Posted by Hugginator View Post
It still doesn't make sense; someone had to click on something. The most PHP can do is send a prompt for a download or upload; it can't do it automatically or arbitrarily.

But whatever..
That's what's called a vulnerability. Bugs with Firefox's JavaScript implementation are by far the most common (just look at their Bugzilla; it looks like they average 5+ JS vulnerabilities that have to be fixed with each release), but they aren't the only ones. Just recently there was a bug with how Firefox handled text, potentially leading to a remote code execution vulnerability on both OS X (CoreGraphics) and Linux (pango). It's also quite common for bugs to be discovered in the image-processing libraries Firefox uses (I remember a particularly nasty vulnerability in (iirc) libjpeg a while back which impacted all browsers (that could handle images) on Windows, OS X, and Linux).

JavaScript/Flash/Java/Silverlight/etc aren't the only ways for your system to get infected. NoScript isn't a panacea.


Quote:
Originally Posted by ShadowNate
;_; ?!?! What the heck is wrong with you, my god, I have never been so confused in my life!


Posted

Quote:
Originally Posted by Hugginator View Post
I read daily about vulnerabilities:

http://isc.sans.org/diary.html
http://secunia.com/advisories/

There is no current JPG vulnerability.

NoScript handles the script/flash/java.

I'm still puzzled by the description the OP gave.

I hope I did enough to that one word above to bring it to people's attention.

Not everyone is running the most current versions of all software. A previous version of Firefox, possibly, a Java version with a vulnerability, a Flash version with a vulnerability, etc. could all lead to problems.

Since I haven't seen any reports from the OP's system, I have no clue whether everything is current.


If the game spit out 20 dollar bills people would complain that they weren't sequentially numbered. If they were sequentially numbered people would complain that they weren't random enough.

Black Pebble is my new hero.


Posted

Quote:
Originally Posted by Texas_Justice View Post
I hope I did enough to that one word above to bring it to people's attention.

Not everyone is running the most current versions of all software. A previous version of Firefox, possibly, a Java version with a vulnerability, a Flash version with a vulnerability, etc. could all lead to problems.

Since I haven't seen any reports from the OP's system, I have no clue whether everything is current.
That's fine. I still claim that, with the information at hand (JPG and PHP), the highest probability is user error, and the 2nd is something that NoScript could have helped with, unless the first overrode that as well.

To debate further is useless unless the OP decides to give us more information.



Posted

Quote:
Originally Posted by Hugginator View Post
There is no current JPG vulnerability.
Those sites don't list vulnerabilities. They list publicly disclosed vulnerabilities. There's a massive difference between the two.

Those sites won't list any vulnerabilities that are unknown.
Those sites won't list any vulnerabilities that Mozilla Corp/Foundation knows about and is sitting on until they fix them (they'll only release the information once they fix it or if they believe it's being actively exploited in the wild).
Those sites won't list any vulnerabilities that are known only by the black hats.

Those sites also won't list any vulnerabilities that they weren't told about. It's not unusual for a bug to be fixed without realizing the bug could have allowed possible remote code execution.

And I only mentioned libjpeg as an extremely nasty and rather high profile example from a while back where something that had nothing to do with Javascript/Flash/Silverlight/Java/etc caused arbitrary code execution.


Quote:
Originally Posted by ShadowNate
;_; ?!?! What the heck is wrong with you, my god, I have never been so confused in my life!


Posted

Quote:
Originally Posted by Hugginator View Post
I read daily about vulnerabilities:

http://isc.sans.org/diary.html
http://secunia.com/advisories/

There is no current JPG vulnerability.

NoScript handles the script/flash/java.
JS, ActiveX, Java and Flash are client-side scripts (i.e.: they run on your own machine.)

C#, PHP, CGI and all that lot are server-side (i.e.: run on the web server you've connected to.)

NoScript can only stop nasties that try to run on your side, once the page has loaded.

Quote:
I'm still puzzled by the description the OP gave.
Right - I've found a report from the Exploit Prevention Labs that describes this in detail. However, I'm fairly sure I didn't click on the page at all, so they may have changed it to an OnLoad event...

http://explabs.blogspot.com/2007/11/...is-hacked.html


Is it time for the dance of joy yet?


Posted

Quote:
Originally Posted by dreamweaver_EU View Post
JS, ActiveX, Java and Flash are client-side scripts (i.e.: they run on your own machine.)

C#, PHP, CGI and all that lot are server-side (i.e.: run on the web server you've connected to.)
Yes, but no one was confused about that. However, the most a server-side 'script' can do is prompt the user for an action.

Quote:
NoScript can only stop nasties that try to run on your side, once the page has loaded.
Yes, this is why I said that NoScript would most likely have protected you from this problem unless you actually clicked on something; even then, it has some cross-site protections as well.

Quote:
Right - I've found a report from the Exploit Prevention Labs that describes this in detail. However, I'm fairly sure I didn't click on the page at all, so they may have changed it to an OnLoad event...

http://explabs.blogspot.com/2007/11/...is-hacked.html
Which is described as follows:

Quote:
the effect that a click that slightly *misses* a control or link on the page, ends up going to the exploit site.
So a click, or if it's an onload it becomes a script.

I'm not claiming NoScript is the 2nd coming, but it does put a lot of control into the user's hands. I'm not entirely sure why you or anyone is resistant to this.
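As an added example that is not part of this thread (not code from any poster, from MySpace or from NoScript), the following Python script applies the distinction the posts above keep circling: it scans a constructed profile-page fragment for the redirect vectors that need no client-side script at all, namely a CSS or `<body>` background that points at a non-image URL (such as a .php endpoint) or at an off-site host, a meta refresh, and a full-page overlay link that swallows a slightly "missed" click, and separately flags inline event handlers (an onload), the one vector in the list that a script blocker can refuse to run. The sample HTML, the hosts and paths in it, and the trusted-host list are all made up for illustration, and the heuristics are this example's own rather than an established detection rule.

```python
"""Scan a profile-page fragment for redirect vectors that need no client-side script.

Added example for this thread; not code from any poster or from NoScript.
The sample page, hosts, paths and heuristics below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed profile fragment: one legitimate background image plus the
# kinds of off-site references the thread discusses. Hosts and paths are made up.
SAMPLE_PROFILE = """
<style>
body { background-image: url(http://img.example-cdn.net/user/bg.jpg); }
.overlay { position:absolute; top:0; left:0; width:100%; height:100%; z-index:9999; }
</style>
<body background="http://203.0.113.10/cgi/bg.php?u=12345">
<meta http-equiv="refresh" content="0;url=http://203.0.113.10/land.php">
<a class="overlay" href="http://203.0.113.10/go.php"></a>
<img src="http://img.example-cdn.net/user/photo.jpg" onload="document.location='http://203.0.113.10/x.php'">
</body>
"""

IMAGE_EXT = (".jpg", ".jpeg", ".gif", ".png", ".bmp")

# Category -> whether the vector needs client-side script to fire.
# Only the inline handler is something a script blocker can refuse to run;
# the others are followed by the browser while it renders the page.
NEEDS_SCRIPT = {
    "background-not-image": False,
    "background-offsite": False,
    "meta-refresh": False,
    "overlay-link": False,
    "inline-handler": True,
}

def needs_script(category):
    return NEEDS_SCRIPT[category]

def is_image_url(url):
    return urlparse(url).path.lower().endswith(IMAGE_EXT)

def find_background_urls(html):
    """URLs the browser will fetch as a page background (CSS or legacy <body background>)."""
    urls = re.findall(r'background(?:-image)?\s*:\s*url\(\s*["\']?([^"\')\s]+)', html, re.I)
    urls += re.findall(r'<body[^>]*\sbackground\s*=\s*["\']?([^"\'\s>]+)', html, re.I)
    return urls

def overlay_classes(html):
    """CSS class names whose rule positions an element over the whole page."""
    names = set()
    for name, body in re.findall(r'\.([\w-]+)\s*\{([^}]*)\}', html):
        if (re.search(r'position\s*:\s*(absolute|fixed)', body, re.I)
                and re.search(r'width\s*:\s*100%', body)
                and re.search(r'height\s*:\s*100%', body)):
            names.add(name)
    return names

def scan_profile(html, trusted_hosts):
    """Return (category, url-or-handler) findings for the fragment."""
    findings = []
    for url in find_background_urls(html):
        host = urlparse(url).hostname or ""
        if not is_image_url(url):          # e.g. a .php endpoint that can answer with a redirect
            findings.append(("background-not-image", url))
        if host not in trusted_hosts:      # image host the site does not control
            findings.append(("background-offsite", url))
    meta_re = r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*url\s*=\s*([^"\'\s>]+)'
    for url in re.findall(meta_re, html, re.I):
        findings.append(("meta-refresh", url))
    overlays = overlay_classes(html)
    for attrs in re.findall(r'<a\b([^>]*)>', html, re.I):
        cls = re.search(r'class\s*=\s*["\']?([^"\'\s>]+)', attrs, re.I)
        href = re.search(r'href\s*=\s*["\']?([^"\'\s>]+)', attrs, re.I)
        if cls and href and cls.group(1) in overlays:
            findings.append(("overlay-link", href.group(1)))   # a "missed" click lands here
    for handler in re.findall(r'\son\w+\s*=\s*"([^"]*)"', html, re.I):
        findings.append(("inline-handler", handler))            # the one a script blocker stops
    return findings

if __name__ == "__main__":
    for category, target in scan_profile(SAMPLE_PROFILE, {"img.example-cdn.net"}):
        how = "needs client-side script" if needs_script(category) else "no script involved"
        print(f"{category:22} {how:26} {target}")
```

Run against the sample, the two background references make the thread's point: the bg.jpg reference on the trusted image host produces no finding, while the bg.php reference is something the browser requests during rendering, so an HTTP redirect served from it reaches the browser without any client-side script running. Only the onload handler is a vector a script blocker such as NoScript can refuse to execute.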



Posted

Right...

MalwareBytes has reported back that I'm clean on both Fast and Full scans. So has Spybot. Only thing is that Norton (hey, it's awake!) uploaded some Suspect files marked "Vundo" for further examination. I think I'll probably wait a few days and keep checking before I resume normal service.

Thanks for help/advice so far.


Is it time for the dance of joy yet?


Posted

Quote:
Yes, but no one was confused about that.
Except the person I was responding to, who thought that NoScript blocked PHP because a prior poster said a 'PHP script'.

Quote:
However, the most a server-side 'script' can do is prompt the user for an action.
And a Javascript can't infect your machine either. Except when it can.

Saying that a server-side 'script' can't infect you is a bit silly. Less likely? Sure. But nowhere near the impossible that you keep trying to claim.


Quote:
Originally Posted by ShadowNate
;_; ?!?! What the heck is wrong with you, my god, I have never been so confused in my life!