New bug in town
Anyone heard of or contracted this new bug? Can't figure out where I picked it up. The first thing you notice that it does is replace your wallpaper with an active webpage that says you're infected. After trying to remove it with various tools I found that it makes logs of all your activity and seems to start infecting all active processes. So my first thought is, ok, it's a worm... great.... The only thing I was doing at the time was watching some streams of movies from a few different websites, which I lost the bookmarks for since I had to reformat, as it didn't seem like that big of a deal to me at the time to keep them. But I've been hearing reports of this bug from some friends more and more recently. Anyone heard anything on this bug, and/or how to remove it completely without a format?
"The OS is detected as NetBSD (it will even run on your toaster)."
Unfortunately I was forced to do a full reformat, since my *nix box was out of commission due to a bad software installation. Another thing I just remembered about the virus: all activity in your browser was proxy-redirected through as many as 5 proxies, then your action was forced to another site. I found that the only way to get to a security site to try and find more info was to use a web proxy as a base, since it would hide the referrer. In this case I used vtunnel, but as I was saying, I found no information on it. My browser, by the way, is Firefox 2. I've always heard about HijackThis but I never fully understood its purpose or why it is better than its competitors. What makes it so special? By the way, this makes me curious, bad_brain: what is your security setup? If it isn't too personal I would like to know, to strengthen my own using your design, because let's face it, reformatting is a tiresome process when no easier solution can be found. If you don't mind, can you include software names and any hardware such as exterior firewalls, routers, switches etc.? I can have all of those at my disposal with a few calls to some friends at my local tech shop. Software is my major concern; it's hard today finding what really is top of the line, also keeping in mind my belief in never paying for software (goes back to the classic belief that data is information and information should be free; services, on the other hand, I consider differently), and yes, I do understand the man hours that go into making the software, because I've slaved over a text editor for hours on my own software, but now I'm getting away from the point. Point is, I'm cheap. So fill me in on what you're using, and if anyone else reads this I'd love to compare setups with everyone's.
- bad_brain
- Site Owner
- Posts: 11636
- Joined: 06 Apr 2005, 16:00
- Location: In your eye floaters.
my setup is no secret:
- XP SP1 (SP2 only if REALLY needed, by a game for example ^^)
- Kaspersky Internet Security (firewall always in training mode)
- disabled unnecessary services:
  - SSDP
  - NetBIOS
  - Windows Time service
  - Plug and Play
- browser: K-Meleon
- email client: Thunderbird with Spamato plugin
also very important is to check the running services and used ports regularly:
- TCPView
- Process Explorer as replacement for the crappy MS task manager
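To make "check the running services and used ports regularly" concrete, here is an added example; it is not bad_brain's code or tooling. It joins the output of `netstat -ano` to `tasklist /fo csv` the way TCPView shows it in one window (socket, state, owning PID, image name) and flags any socket owned by an image that is not on a known-clean allowlist, or by a PID that no longer appears in the process list at all. The netstat and tasklist text, the image names (including `updchk.exe`) and the allowlist are constructed for the demo, not real captures; the UDP row on port 1900 is the SSDP listener that the post above disables.

```python
import csv
import io
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_ip local_port remote state pid")

# Constructed sample of `netstat -ano` output in the Windows XP layout; not a real capture.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       2440
  TCP    192.168.1.5:1054       64.233.167.99:80       ESTABLISHED     2112
  TCP    192.168.1.5:1071       10.20.30.40:8080       ESTABLISHED     2440
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       3050
  UDP    0.0.0.0:1900           *:*                                    1132
"""

# Constructed sample of `tasklist /fo csv` output; the image names are made up for the demo.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","936","Console","0","4,896 K"
"svchost.exe","1132","Console","0","3,120 K"
"firefox.exe","2112","Console","0","41,332 K"
"updchk.exe","2440","Console","0","2,012 K"
"""

# Images expected to own sockets on this particular box (an assumption for the demo;
# build your own list from a known-clean baseline of the same machine).
EXPECTED_IMAGES = {"System", "svchost.exe", "lsass.exe", "firefox.exe"}


def parse_netstat(text):
    """Parse `netstat -ano` lines into Socket tuples. UDP rows have no State column,
    so the PID is the fourth field there and the fifth field for TCP."""
    socks = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # blank line, "Active Connections", or the column header
        local_ip, _, local_port = f[1].rpartition(":")  # rpartition also copes with [::]:port
        if f[0] == "TCP":
            state, pid = f[3], f[4]
        else:
            state, pid = "", f[3]
        socks.append(Socket(f[0], local_ip, int(local_port), f[2], state, int(pid)))
    return socks


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def audit(netstat_text, tasklist_text, expected=EXPECTED_IMAGES):
    """Join every socket to its owning image and return (all_rows, suspicious_rows).
    A socket is suspicious when its image is not on the allowlist, or when its PID
    is missing from the process list (process gone, or hiding from tasklist)."""
    procs = parse_tasklist(tasklist_text)
    rows = [(s, procs.get(s.pid, "<pid not in tasklist>")) for s in parse_netstat(netstat_text)]
    suspicious = [(s, img) for s, img in rows if img not in expected]
    return rows, suspicious


def report(netstat_text=NETSTAT_SAMPLE, tasklist_text=TASKLIST_SAMPLE):
    """Print the joined view, marking the rows that need a closer look; returns them."""
    rows, suspicious = audit(netstat_text, tasklist_text)
    for s, img in rows:
        flag = "  <-- check" if (s, img) in suspicious else ""
        print(f"{s.proto:3} {s.local_ip}:{s.local_port:<5} {s.state:11} pid={s.pid:<5} {img}{flag}")
    return suspicious


if __name__ == "__main__":
    report()
```

On a live box, replace the two sample strings with the real command output (`netstat -ano > ns.txt`, `tasklist /fo csv > tl.txt`) and diff the result against a run taken when the machine was known clean; the value of this check comes from the baseline, not from the allowlist shipped in the script.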
user friendly software
Huh!
Mine is
- XP SP2
- Comodo firewall (train w/ safe mode)
- Comodo AVP only for suspicious
- IE7
- Email: Gmail
- CCleaner
- MS Process explorer.exe
- Nmap-win32
- NetStumbler
- Kremlin Kit
- Copernic Agent
- Everest Home
- Wireshark
- Sam Spade
- Various: httprecon, SuperScan, Angry IP Scanner, Proxys-4-All, etc.
DNR
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
- floodhound2
- ∑lectronic counselor
- Posts: 2117
- Joined: 03 Sep 2006, 16:00
- Location: 127.0.0.1
I have seen this type of "bug" on many occasions. It is not too bad when trying to remove it.
A lot of toggling between doing the following:
- go into safe mode and unplug from the network
- regedit (searching all the known Run folders)
- msconfig (turning things off at run time and services)
- search and delete from regedit all names that were in Run spots
It's a bit more complex and I can't write it all now, but I am sure you get the idea.
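An added example for the "search all the known Run folders" step; this is not floodhound2's procedure or code. It takes a `regedit` export (a `.reg` file) of the HKLM and HKCU Run/RunOnce keys, pulls the executable path out of each autostart command line (quoted or not), and sorts the entries into three bins: running from a temp or user-profile directory (the usual drop spot, and what to hunt first), a bare filename that still has to be resolved to a real file, and a standard Windows/Program Files location that still needs the file itself checked. The export and every entry in it are made up for the demo; the trusted-directory list assumes a default XP install on C:, and only REG_SZ values are parsed (hex-encoded values are skipped).

```python
import re

# Constructed `regedit` export of the Run keys on an XP box (made-up entries, not a real export).
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KAV"="\"C:\\Program Files\\Kaspersky Lab\\avp.exe\""
"SoundMan"="SOUNDMAN.EXE"
"sysupd"="C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\sysupd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"wpfix"="C:\\Documents and Settings\\User\\Application Data\\wpfix\\wpfix.exe -s"
'''

# Only the Run / RunOnce keys are audited here; extend the tuple for other autostart points.
AUTOSTART_SUFFIXES = ("\\run", "\\runonce")
# Assumption: default XP layout on C:. Anything outside these directories gets a look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")
# Path fragments that mean "user-writable temp or profile space", the usual drop spot.
PROFILE_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\", "\\application data\\", "\\appdata\\")


def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return (key, value_name, command_line) for REG_SZ values under Run/RunOnce.
    hex(...) values (REG_EXPAND_SZ, binary) never contain '"="' and are skipped."""
    key, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and key.lower().endswith(AUTOSTART_SUFFIXES) and line.startswith('"') and '"="' in line:
            name_raw, _, data_raw = line.partition('"="')
            entries.append((key, _unescape(name_raw[1:]), _unescape(data_raw[:-1])))
    return entries


def executable_of(cmdline):
    """Pull the program path out of an autostart command line, quoted or not."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(\s|$)", cmd, re.IGNORECASE)  # unquoted path may contain spaces
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def classify(exe):
    """Return (tag, reason) for an executable path; tag is suspicious / check / ok-location."""
    p = exe.lower()
    if "\\" not in p:
        return "check", "bare filename, resolved through PATH or App Paths: find the real file"
    if any(mark in p for mark in PROFILE_MARKERS):
        return "suspicious", "runs from a temp or user-profile directory"
    if p.startswith(TRUSTED_DIRS):
        return "ok-location", "standard directory; still confirm the file's hash or publisher"
    return "check", "unusual directory"


def audit_autostarts(reg_text=REG_SAMPLE):
    """Walk the export and return one finding dict per autostart entry, in file order."""
    findings = []
    for key, name, cmd in parse_reg(reg_text):
        exe = executable_of(cmd)
        tag, reason = classify(exe)
        findings.append({"key": key, "name": name, "exe": exe, "tag": tag, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_autostarts():
        print(f"[{f['tag']:11}] {f['name']:12} {f['exe']}  ({f['reason']})")
```

Export the keys from safe mode with `regedit /e run.reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (and again for RunOnce and the HKCU branch), then feed the files to `audit_autostarts`; entries tagged `suspicious` are the ones to delete from the registry and then hunt on disk, while an `ok-location` tag only says the directory is normal, not that the file is.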
I really should have given more information from the start, but my memory is bad. Ok, it changed the wallpaper, but I forgot to say it also removed all GUI forms of changing the desktop settings, as in Display only had 1 tab... Also I did find that it launched multiple exe's; I found it by searching for files changed that day, and as I found it I used Unlocker to manually delete the files, starting of course with all the exes, then the htmls and so on. Problem was I started with 9 new files, re-searched after deleting them, and all 9 were back as well as 20 or so more; it was moving as I was deleting. Sorry, if I remember anything more interesting about it I'll let you know, but at the moment I think I'm dry again.
- bad_brain
- Site Owner
- Posts: 11636
- Joined: 06 Apr 2005, 16:00
- Location: In your eye floaters.
Nerdz wrote:
Next time, shutdown and boot with a live CD with an antivirus...

yeah, that's a good idea..... but on the other side: never trust a system that was exploited already, you never know what changes have been done to the system and if all of them are found. IMO it's best to handle such incidents like a good server admin does: check where the flaw was and then do a full reinstall with improved settings to avoid the problem in the future.