#1
When I go to this page with Opera via a Google search, suddenly Opera tries to access a lot of registry entries, mainly related to disabling an AV running on the system I think. I came to know this from GeSWall.
hxxp://www.bleepingcomputer.com/files/adsspy.php Can anyone check this page? Also click on the download ADS Spy link. Maybe this link is causing trouble or my recent play with a lot of malware left some nasty remnants. It's more of a test XP SP2 installation. I have a good image backup on an external but am just curious to know what this in fact is. Thanks
__________________
Ubuntu 13.04 AX64 Time Machine, Comodo FW & Defence Plus, Last edited by aigle : August 28th, 2009 at 11:45 PM.
#2
Just went there with Opera 9.64 and encountered no problems or warnings. Running XP SP2.
__________________
The Only Safe Computer Is Unplugged. MEMBER ASAP since 2004 Alliance of Security Analysis Professionals
#3
Just tried the link with Opera 10 RC and I get an error.
"The address type is unknown or unsupported"
Tried again and it connects.
__________________
Windows 7 64 bit, Win Patrol Plus, Operamail, Bitdefender Plus AV 2013, gmx mail.
#4
I tried with Opera 9.64 and IE6 and nothing happens out of the ordinary. I don't see anything about redirects in the source code.
---- rich
#5
Thanks. So something is wrong on my system. By the way, can you try to download it and save it to the desktop until it's complete? Then wait a few min.
Thanks
__________________
Ubuntu 13.04 AX64 Time Machine, Comodo FW & Defence Plus,
#6
Download what?
---- rich
#7
I'm using Opera 10 RC2 and I downloaded the file and nothing happened.
#9
Thanks all. As I said, I was going to restore an image. It's surely on my system only.
__________________
Ubuntu 13.04 AX64 Time Machine, Comodo FW & Defence Plus,
#12
Seems I figured it out. I tried many things.
1- Antivir free- can't update due to some reason. Nothing found
2- MBAM- can't update, nothing found except hijacked registry entries
3- Hostman- nothing found
4- Prevx- nothing found
5- SAS- can't update, nothing found
6- gmer seems clear
7- IceSword will not run
8- RootRepeal showed a hidden driver
9- An autostart registry entry in Autoruns with no associated file
Seems a rootkit (however I am not an expert and not sure about my findings) that uses different processes and browsers to download tons of malware from the internet. It's at this point that Antivir, Prevx, MBAM, SAS etc. start catching the stuff. I tried a lot of malware recently in the last week; seems something got loose from me. Anyway, going to restore a fresh image.
__________________
Ubuntu 13.04 AX64 Time Machine, Comodo FW & Defence Plus, Last edited by aigle : August 29th, 2009 at 01:51 PM.
#13
Both your atapi.sys show 95,360 bytes and they are in the same space.
What are you trying to show us in Autoruns? Have/can you copy/save atapi.sys with an ARK so others can take a look at it?
"Description: atapi.sys is located in the folder C:\Windows\System32\drivers. Known file sizes on Windows XP are 95,360 bytes (95% of all occurrences), 96,512 bytes. The driver can be started or stopped from Services in the Control Panel or by other programs. It is a Windows system file. The program is not visible. The service has no detailed description. File atapi.sys is a trustworthy file from Microsoft. Therefore the technical security rating is 18% dangerous, however also read the users' reviews. Some malware camouflage themselves as atapi.sys, particularly if they are located in the c:\windows or c:\windows\system32 folder."
http://www.file.net/process/atapi.sys.html
#14
In Autoruns there is an entry with no file. It's about:Home. About atapi.sys, maybe it's just a false positive from RootRepeal, though the malware sure looked like a rootkit from the behaviour of the OS and different applications. I was not able to copy it via RootRepeal.
Anyway, sorry to bother you all and thanks for your kind replies. I was just fed up and have restored a clean image already.
__________________
Ubuntu 13.04 AX64 Time Machine, Comodo FW & Defence Plus,
#15
The autorun entry with no file, about:Home, was nothing to worry about; I've had it and deleted it, and it doesn't hurt anything to get rid of it. It happens when you customise/change your start page.
No bother, only wish I'd posted earlier! Glad you got it sorted anyway.
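The two things the thread ends up looking at, an Autoruns entry whose value points at no file and the size of atapi.sys, can both be checked read-only from a shell. The script below is an added example written for this thread, not code posted by any participant or shipped with Autoruns, RootRepeal or file.net. It enumerates the classic Run/RunOnce keys, reports entries whose command does not resolve to an existing file (a URL-style value such as about:Home is reported separately, since it was never a file), and prints the size and SHA-256 of atapi.sys next to the two Windows XP sizes quoted in the thread. The key list, the `Get-ImagePath` helper and the treatment of URL-style values are my assumptions; the sizes 95,360 and 96,512 come from the thread and only describe Windows XP, so a mismatch on any other Windows version means nothing by itself. Requires PowerShell 4 or later for `Get-FileHash`.

```powershell
# Added example (not from the thread). Read-only: nothing is deleted or changed.
# Assumption: the four classic Run/RunOnce keys are the ones of interest here.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: turn an autostart command line into the path it launches.
# Handles "C:\Program Files\x\a.exe" /arg (quoted) and C:\Program Files\x\a.exe /arg (unquoted).
function Get-ImagePath {
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: grow the candidate token by token until it names an existing file.
    $tokens = $cmd -split ' '
    $candidate = ''
    foreach ($t in $tokens) {
        $candidate = if ($candidate) { "$candidate $t" } else { $t }
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

Write-Host "== Autostart entries whose target is missing =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # PSPath, PSParentPath, ... are not values
        $value = [string]$p.Value
        if (-not $value) { continue }
        $img = Get-ImagePath -Command $value
        # Two or more letters before ':' means a scheme (about:Home), not a drive letter (C:).
        if ($img -match '^[A-Za-z]{2,}:') {
            Write-Host ("[url-style, no file] {0}\{1} = {2}" -f $key, $p.Name, $value)
        } elseif (-not (Test-Path -LiteralPath $img -PathType Leaf)) {
            Write-Host ("[missing file]       {0}\{1} = {2}" -f $key, $p.Name, $value)
        }
    }
}

Write-Host "`n== atapi.sys =="
$atapi = Join-Path $env:SystemRoot 'System32\drivers\atapi.sys'
$xpKnownSizes = 95360, 96512        # sizes quoted in the thread (Windows XP only)
if (Test-Path -LiteralPath $atapi) {
    $item = Get-Item -LiteralPath $atapi
    $hash = (Get-FileHash -LiteralPath $atapi -Algorithm SHA256).Hash
    Write-Host ("Path:   {0}" -f $item.FullName)
    Write-Host ("Size:   {0} bytes (in XP list from thread: {1})" -f $item.Length, ($xpKnownSizes -contains $item.Length))
    Write-Host ("SHA256: {0}" -f $hash)
    Write-Host "Compare the hash against a known-good copy or a clean install of the same build; size alone proves nothing."
} else {
    Write-Host "atapi.sys not found at $atapi"
}
```

Run it from an elevated prompt so the HKLM keys are readable; the about:Home value from the thread should show up under the url-style line, which is exactly the case the poster above says is harmless. Note that atapi.sys is catalog-signed on Windows, so `Get-AuthenticodeSignature` typically reports it as NotSigned; that is why the script reports a hash for offline comparison rather than a signature verdict.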
#16
aigle, see if the live CD from Dr.Web identifies anything:
http://www.freedrweb.com/livecd As it boots from CD with its own OS, it can 'see' all files that may be hidden by a rootkit.
#17
Before an image restore I tried Dr.Web CureIt and found nothing.
__________________
Ubuntu 13.04 AX64 Time Machine, Comodo FW & Defence Plus,
#18
Interestingly, I have solved the mystery of how I got it. As a matter of fact, I got it again.
It's a malware that I have been playing with recently under the shadow mode of Shadow Surfer. It's bypassing the shadow mode and is still there after a reboot.
__________________
Ubuntu 13.04 AX64 Time Machine, Comodo FW & Defence Plus,
#20
I have no VM, but I have image backups on an external, so it's OK anyway.
__________________
Ubuntu 13.04 AX64 Time Machine, Comodo FW & Defence Plus,