Malicious link with Opera

Discussion in 'malware problems & news' started by aigle, Aug 28, 2009.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    When I go to this page with Opera via a Google search, suddenly Opera tries to access a lot of registry entries, mainly related to disabling an AV running on the system, I think. I came to know this from GesWall.

    hxxp://www.bleepingcomputer.com/files/adsspy.php

    Can anyone check this page? Also click on the download ADS Spy link.

    Maybe this link is causing trouble, or my recent play with a lot of malware left some nasty remnants. It's more of a test XP SP2 installation. o_O

    I have a good image backup on an external but I'm just curious to know what this is in fact. :)

    Thanks
     

    Attached Files: log.txt (52.4 KB), pin.png (13.6 KB)

    Last edited: Aug 28, 2009
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    Just went there with Opera 9.64 and encountered no problems or warnings. Running XP SP2.
     
  3. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Just tried the link with Opera 10 RC and I get an error.
    The address type is unknown or unsupported

    Tried again and it connects.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I tried with Opera 9.64 and IE6 and nothing happens out of the ordinary. I don't see anything about redirects in the source code.

    ----
    rich
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks. So something is wrong on my system. By the way, can you try to download it and save it to the desktop until it's complete, then wait a few minutes?
    Thanks
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Download what?

    ----
    rich
     
  7. The_1337

    The_1337 Registered Member

    Joined:
    Aug 10, 2007
    Posts:
    112
    I'm using Opera 10 RC2 and I downloaded the file and nothing happened.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks all. As I said, I was going to restore an image. It's for sure on my system only.
     
  9. thathagat

    thathagat Guest

    Hey... aigle, did you run some scans (Prevx/HitmanPro/MBAM etc.) so as to find what it is?
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Seems I figured it out. I tried many things.

    1- Antivir Free - can't update for some reason. Nothing found
    2- MBAM - can't update, nothing found except hijacked registry entries
    3- Hostman - nothing found
    4- Prevx - nothing found
    5- SAS - can't update, nothing found
    6- GMER seems clear
    7- IceSword will not run
    8- RootRepeal showed a hidden driver :thumb:
    9- An autostart registry entry in Autoruns with no associated file

    Seems to be a rootkit (however I am not an expert and not sure about my findings) that uses different processes and browsers to download tons of malware from the internet. It's at this point that Antivir, Prevx, MBAM, SAS etc. start catching the stuff.

    I tried a lot of malware recently in the last week; seems something got loose on me. Anyway, going to restore a fresh image.

    Attached Files: v (1).png, v.png
     
    Last edited: Aug 29, 2009
  11. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Both your atapi.sys show 95,360 bytes and they are in the same space.

    What are you trying to show us in Autoruns ?

    Have/can you copy/save atapi.sys with an ARK so others can take a look at it ?

    -

    "Description: atapi.sys is located in the folder C:\Windows\System32\drivers. Known file sizes on Windows XP are 95,360 bytes (95% of all occurrences), 96,512 bytes.

    The driver can be started or stopped from Services in the Control Panel or by other programs. It is a Windows system file. The program is not visible. The service has no detailed description. File atapi.sys is a trustworthy file from Microsoft. Therefore the technical security rating is 18% dangerous; however, also read the user reviews.

    Some malware camouflage themselves as atapi.sys, particularly if they are located in the c:\windows or c:\windows\system32 folder."

    http://www.file.net/process/atapi.sys.html
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    In Autoruns there is an entry with no file. It's About:Home. About atapi.sys, maybe it's just a false positive from RootRepeal, though the malware sure looked like a rootkit from the OS and different applications' behaviour. I was not able to copy it via RootRepeal.

    Anyway, sorry to bother you all and thanks for your kind replies. I was just fed up and have restored a clean image already.
     
  13. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    The autorun entry with no file, about:Home, was nothing to worry about; I've had it and deleted it, and it doesn't hurt anything to get rid of it. It happens when you customise/change your start page.

    No bother, only wish I'd posted earlier!

    Glad you got it sorted anyway.
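An added example (not code posted by anyone in the thread) that turns two of the checks discussed above into a repeatable triage script: flagging an autostart entry whose image path resolves to no file on disk (while recognising a browser start-page value such as about:Home as a URL rather than a missing file), and recording a driver's size and SHA-256 so it can be compared against the known atapi.sys sizes quoted from file.net. The Autoruns-style entries, the paths and the temporary stand-in for atapi.sys are all constructed sample data; `classify_entry`, `triage_autoruns` and `check_driver` are assumed names.

```python
"""Triage helpers for an autostart entry with no backing file and for a
driver whose size should match a known-good set. All data here is constructed."""
import hashlib
import os
import tempfile

# Known atapi.sys sizes on Windows XP (95,360 and 96,512 bytes), as quoted in the thread.
KNOWN_ATAPI_SIZES = {95360, 96512}

# Constructed Autoruns-style entries: (registry location, entry name, image path).
# These paths are sample values, not taken from any real system.
SAMPLE_AUTORUNS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\Windows\System32\ctfmon.exe"),
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "Start Page", "about:home"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\atapi", "ImagePath",
     r"C:\Windows\System32\drivers\atapi.sys"),
]


def classify_entry(image_path, exists):
    """Label one autostart entry given whether its target exists on disk."""
    if image_path.lower().startswith("about:"):
        # A browser start page is a URL, not a file: harmless, as post 13 explains.
        return "not-a-file"
    return "present" if exists else "missing-file"


def triage_autoruns(entries, exists=os.path.exists):
    """Return (name, label) per entry. `exists` is injectable so the same check
    can run against an offline view of the disk (e.g. a mounted image), where a
    rootkit hiding files from the live OS has no say."""
    return [(name, classify_entry(path, exists(path))) for _, name, path in entries]


def check_driver(path):
    """Size and SHA-256 of a driver file, plus whether the size is a known one.
    A matching size alone proves nothing; the hash is what to compare later."""
    size = os.path.getsize(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": size, "sha256": h.hexdigest(), "size_known": size in KNOWN_ATAPI_SIZES}


def demo():
    # Pretend only ctfmon.exe exists, so the atapi entry is reported as missing-file.
    fake_disk = lambda p: p.endswith("ctfmon.exe")
    labels = triage_autoruns(SAMPLE_AUTORUNS, exists=fake_disk)
    # Constructed 95,360-byte file standing in for atapi.sys (not the real driver).
    with tempfile.NamedTemporaryFile(delete=False, suffix=".sys") as tmp:
        tmp.write(b"\x00" * 95360)
        tmp_path = tmp.name
    try:
        report = check_driver(tmp_path)
    finally:
        os.remove(tmp_path)
    return labels, report


if __name__ == "__main__":
    labels, report = demo()
    for name, label in labels:
        print(f"{name:12s} {label}")
    print(report)
```

Running `demo()` labels the ctfmon entry as present, the about:home start page as not-a-file, and the atapi ImagePath as missing-file under the constructed disk view; the driver report shows size 95360 with `size_known` True. Injecting a different `exists` function is the point: the same entries checked from a live system and from an offline boot (as the Dr.Web live CD suggestion later in the thread does) should agree, and a file the live OS cannot see but the offline view can is exactly the discrepancy worth chasing.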
     
  14. Mapson

    Mapson Registered Member

    Joined:
    Dec 29, 2005
    Posts:
    54
    aigle, see if the live cd from Dr Web identifies anything:

    http://www.freedrweb.com/livecd

    As it boots from CD with its own OS, it can 'see' all files that may be hidden by a rootkit.
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Before an image restore I tried Dr.Web CureIt and found nothing.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Interestingly, I have solved the mystery of how I got it. As a matter of fact, I got it again.
    It's a malware that I have been playing with recently under shadow mode of Shadow Surfer. It's bypassing the shadow mode and is still there after a reboot.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I have no VM but I have image backups on an external, so it's OK anyway.
     