Malicious link with Opera

Discussion in 'malware problems & news' started by aigle, Aug 28, 2009.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,112
    Location:
    Saudi Arabia/ Pakistan
    When I go to this page with Opera via a google search, suddenly Opera tries to acees a lot reg enteries, maily related to disbling an AV running on the sytem I think. I came to know this from geswall.

    hxxp://www.bleepingcomputer.com/files/adsspy.php

    Can anyone check this page? Alos click on download ADS Spy link.

    May be this link is causing trouble or my recent play with a lot of malware left some nasty remnants. It,s more of a test XP SP2 installation. o_O

    I have good image backup on an external but just curious to know what is this infact. :)

    Thanks
     

    Attached Files:

    • log.txt
      File size:
      52.4 KB
      Views:
      12
    • pin.png
      pin.png
      File size:
      13.6 KB
      Views:
      494
    Last edited: Aug 28, 2009
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,896
    Location:
    SW. Oklahoma
    Just went there with Opera 9.64 and encountered no problems or warnings. running XP sp2
     

    Attached Files:

  3. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Just tried the link with Opera 10 RC and I get an error.
    The address type is unknown or unsupported

    Tried again and it connects.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,982
    Location:
    California
    I tried with Opera 9.64 and IE6 and nothing happens out of the ordinary. I don't see anything about redirects in the source code.

    ----
    rich
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,112
    Location:
    Saudi Arabia/ Pakistan
    thanks. So some thing wrong on my system. By the way, can you try to download and save it to desktop until it it's complete. Then wait a few min.
    Thanks
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,982
    Location:
    California
    Download what?

    ----
    rich
     
  7. The_1337

    The_1337 Registered Member

    Joined:
    Aug 10, 2007
    Posts:
    112
    I'm using Opera 10 RC2 and I downloaded the file and nothing happened.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,112
    Location:
    Saudi Arabia/ Pakistan
    Thanks all. As i said, i was going to restore am image. It's sure on my system only.
     
  9. thathagat

    thathagat Guest

    hey....agile did you run some scans: prevx/hitman/mbam etc so as to find what it is....?
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,112
    Location:
    Saudi Arabia/ Pakistan
    Seems i figured it out. I tried many things.

    1- Antivir free- can,t update due to some rerason. Nothing found
    2- MBAN- can,t update, nothing found except hijacked reg enteries
    3- Hostman- nothing found
    4- Prevx- nothing found
    5- SAS- can,t update, nothing found
    6- gmer seems clear
    7- IceSword will not run
    8- RootRpeal showed a hidden driver :thumb:
    9- An autostart reg entery in Autoruns with no associated file

    Seems a rootkit( however I am not an expert and not sure about my findings) that uses different processes n browsers to download tons of malware from internet. It,s at this point that Antivir, Prevx, MAM, SAS etc start catching the stuff.

    I tried a lot of malware recently in last week, seems something got loose from me. Anyway going to restore a fresh image.

    v (1).png
    v.png
     
    Last edited: Aug 29, 2009
  11. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Both your atapi.sys show 95,360 bytes and they are in the same space.

    What are you trying to show us in Autoruns ?

    Have/can you copy/save atapi.sys with an ARK so others can take a look at it ?

    -

    " Description: atapi.sys is located in the folder C:\Windows\System32\drivers. Known file sizes on Windows XP are 95,360 bytes (95% of all occurrence), 96,512 bytes.

    The driver can be started or stopped from Services in the Control Panel or by other programs. It is a Windows system file. The program is not visible. The service has no detailed description. File atapi.sys is a trustworthy file from Microsoft. Therefore the technical security rating is 18% dangerous, however also read the users reviews.

    Some malware camouflage themselves as atapi.sys, particularly if they are located in c:\windows or c:\windows\system32 folder. "

    http://www.file.net/process/atapi.sys.html
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,112
    Location:
    Saudi Arabia/ Pakistan
    In the autoruns there is any entery with no file. It,s About:Home. About atapi.sys, may be it,s just a false positive from rootrepeal though malware sure looked like a rootkit from the OS and different applications behaviour. I was not able to copy it via rootrepeal.

    Anyway sorry to bother u all and thanks for ur kind replies. I was just fed up and have restored a clean image already.
     
  13. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    The autorun entery with no file about:Home was nothing to worry about, i've had it and deleted it, doesn't hurt anything to get rid of it.. It happens when you customise/change your start page.

    No bother, only wish i'd posted earlier !

    Glad you got it sorted anyway.
     
  14. Mapson

    Mapson Registered Member

    Joined:
    Dec 29, 2005
    Posts:
    54
    aigle, see if the live cd from Dr Web identifies anything:

    http://www.freedrweb.com/livecd

    As it boots from CD with it's own OS it can 'see' all files that may be hidden by a rootkit.
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,112
    Location:
    Saudi Arabia/ Pakistan
    before an image restore i tried dr.web cureit and found nothing.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,112
    Location:
    Saudi Arabia/ Pakistan
    Interestingly i have solved the mystery how i got it. As a matter of fact i got it again.
    It's a malware that i am playing with recently under shadow mode of shadow surfer. It's bypassing the shadow mode and is still there after a reboot.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,112
    Location:
    Saudi Arabia/ Pakistan
    I have no VM but I have image backups on an external, so it,s OK anyway.
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.