Malicious link with Opera

Discussion in 'malware problems & news' started by aigle, Aug 28, 2009.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    When I go to this page with Opera via a Google search, suddenly Opera tries to access a lot of reg entries, mainly related to disabling an AV running on the system I think. I came to know this from GeSWall.

    hxxp://www.bleepingcomputer.com/files/adsspy.php

    Can anyone check this page? Also click on the download ADS Spy link.

    Maybe this link is causing trouble or my recent play with a lot of malware left some nasty remnants. It's more of a test XP SP2 installation. o_O

    I have a good image backup on an external but just curious to know what this is in fact. :)

    Thanks
     

    Attached Files:

    • log.txt (52.4 KB)
    • pin.png (13.6 KB)
    Last edited: Aug 28, 2009
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Just went there with Opera 9.64 and encountered no problems or warnings. Running XP SP2.
     

  3. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Just tried the link with Opera 10 RC and I get an error.
    The address type is unknown or unsupported

    Tried again and it connects.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I tried with Opera 9.64 and IE6 and nothing happens out of the ordinary. I don't see anything about redirects in the source code.

    ----
    rich
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks. So something is wrong on my system. By the way, can you try to download and save it to the desktop until it's complete? Then wait a few min.
    Thanks
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Download what?

    ----
    rich
     
  7. The_1337

    The_1337 Registered Member

    Joined:
    Aug 10, 2007
    Posts:
    112
    I'm using Opera 10 RC2 and I downloaded the file and nothing happened.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks all. As I said, I was going to restore an image. It's surely on my system only.
     
  9. thathagat

    thathagat Guest

    Hey... aigle, did you run some scans (Prevx/Hitman/MBAM etc.) so as to find what it is...?
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Seems I figured it out. I tried many things.

    1- Antivir Free- can't update due to some reason. Nothing found
    2- MBAM- can't update, nothing found except hijacked reg entries
    3- Hostman- nothing found
    4- Prevx- nothing found
    5- SAS- can't update, nothing found
    6- GMER seems clear
    7- IceSword will not run
    8- RootRepeal showed a hidden driver :thumb:
    9- An autostart reg entry in Autoruns with no associated file

    Seems a rootkit (however I am not an expert and not sure about my findings) that uses different processes and browsers to download tons of malware from the internet. It's at this point that Antivir, Prevx, MBAM, SAS etc. start catching the stuff.

    I tried a lot of malware recently in the last week; seems something got loose from me. Anyway, going to restore a fresh image.

    Attached Files:

    • v (1).png
    • v.png
     
    Last edited: Aug 29, 2009
  11. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Both your atapi.sys show 95,360 bytes and they are in the same space.

    What are you trying to show us in Autoruns ?

    Have/can you copy/save atapi.sys with an ARK so others can take a look at it ?

    -

    " Description: atapi.sys is located in the folder C:\Windows\System32\drivers. Known file sizes on Windows XP are 95,360 bytes (95% of all occurrence), 96,512 bytes.

    The driver can be started or stopped from Services in the Control Panel or by other programs. It is a Windows system file. The program is not visible. The service has no detailed description. File atapi.sys is a trustworthy file from Microsoft. Therefore the technical security rating is 18% dangerous, however also read the users' reviews.

    Some malware camouflage themselves as atapi.sys, particularly if they are located in c:\windows or c:\windows\system32 folder. "

    http://www.file.net/process/atapi.sys.html
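A defender-side check for the point raised above, added here as an example and not part of the thread: it compares the on-disk atapi.sys against the two sizes quoted from file.net, records its hash and signature status, and lists any same-named copies outside the drivers folder. It assumes PowerShell 4 or later (Get-FileHash); it only sees what the running OS shows, so a driver hidden by a rootkit would need an offline scan like the live CD suggested later in the thread.

```powershell
# Added example: verify atapi.sys against the sizes quoted in the post above.
$path       = Join-Path $env:SystemRoot 'System32\drivers\atapi.sys'
$knownSizes = @(95360, 96512)   # byte sizes quoted from file.net for Windows XP

$file = Get-Item -LiteralPath $path -ErrorAction Stop
$sig  = Get-AuthenticodeSignature -FilePath $path
$hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

# Microsoft drivers are often catalog-signed rather than embedded-signed, so on
# older Windows/PowerShell the status can read NotSigned for a genuine file;
# sigverif.exe is the built-in tool that checks catalog signatures in that case.
[pscustomobject]@{
    Path        = $file.FullName
    SizeBytes   = $file.Length
    SizeIsKnown = $knownSizes -contains $file.Length
    Signature   = $sig.Status
    Signer      = $sig.SignerCertificate.Subject
    SHA256      = $hash          # compare against a known-good copy or vendor data
}

# The quoted text warns about lookalikes placed in c:\windows or system32;
# list any atapi.sys that is not in the expected drivers folder.
Get-ChildItem -Path $env:SystemRoot -Filter atapi.sys -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.DirectoryName -ne (Split-Path $path) } |
    Select-Object FullName, Length, LastWriteTime
```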
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    In Autoruns there is an entry with no file. It's About:Home. About atapi.sys, maybe it's just a false positive from RootRepeal, though the malware sure looked like a rootkit from the OS and different applications' behaviour. I was not able to copy it via RootRepeal.

    Anyway, sorry to bother you all and thanks for your kind replies. I was just fed up and have restored a clean image already.
     
  13. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    The Autoruns entry with no file, about:Home, was nothing to worry about; I've had it and deleted it, and it doesn't hurt anything to get rid of it. It happens when you customise/change your start page.

    No bother, only wish I'd posted earlier!

    Glad you got it sorted anyway.
     
  14. Mapson

    Mapson Registered Member

    Joined:
    Dec 29, 2005
    Posts:
    54
    aigle, see if the live cd from Dr Web identifies anything:

    http://www.freedrweb.com/livecd

    As it boots from CD with its own OS, it can 'see' all files that may be hidden by a rootkit.
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Before an image restore I tried Dr.Web CureIt and found nothing.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Interestingly, I have solved the mystery of how I got it. As a matter of fact, I got it again.
    It's a malware that I have been playing with recently under the shadow mode of Shadow Surfer. It's bypassing the shadow mode and is still there after a reboot.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I have no VM but I have image backups on an external, so it's OK anyway.
     