Another thread that had external image link to a virus

rubiks6

No more JI - Retired from AO
Apr 2, 2008
836
366
I was here .. Akiba-Online > Torrent Station > Idol Torrents > IV Torrents .. viewing thread titled "[AVI 725M]EXSM-039 (EX寫女) 素人著エロ娘 うぶ系ロリドル のぞみ 早熟入學式 ". When I clicked in the cover image thumbnail I was taken to an image host. I saw the image momentarily, and then something weird started running in the browser window. I closed it quick, but not quick enough to stop a really nasty virus from jumping into my machine - scareware crap, y'know, it tells you a virus has been detected, looks all microsoft-ish, says you can remove it by buying their (bogus) antivirus software. It screwed up my proxy settings, and I was unable to navigate to any website whatsoever except theirs. I was unable to stop their damned 'warning' from popping up every 5 to 10 seconds. I couldn't even run task manager. Step one was booting to safe mode. I won't go into any further details of the hoops I had to jump through to get my machine working again. It took me several hours to stop it from running and repair the damage it had done.

Mods - Please remove the offending image and link. Please block all future links to this image host. -

This thread.
 

Rollyco

Team Tomoe
Oct 4, 2007
3,556
34
Ouch, that sucks.

hotlinkimage.com is one of the most used third-party hosts on Akiba-Online. I just scanned that particular URL with urlvoid and novirusthanks, and it came up clean.

If I had to guess, one of hotlinkimage's ad affiliates probably sneaked an infected payload into one of their flash movies. It's not there now, as far as I can tell. There have been a lot of highly critical 0-day Adobe exploits in the wild recently. I highly recommend installing Secunia PSI on any computer you browse the web with, and let it scan your system every week for unpatched and vulnerable software. If it finds anything out of date, it gives you a direct link to the official source on the web where you can download the needed update. Very convenient.
 

CoolKevin

Nutcase on the loose
Staff member
Super Moderator
Mar 30, 2007
10,005
3,633
And please, everybody can help us: if you find a link with a virus, report it straight away. The first thing we can do is delete the thread, and look into it afterwards.
The report button is that little red triangle above the post, on the right hand side.
 

lowleg26

non-active
Oct 25, 2009
1,766
212
Damn, that sucks. I'm sorry you had to deal with that rubiks.

What browser are you using? I've had nearly no issue with PUPs or malware while using Firefox with the Adblock and NoScript add-ons enabled.

NoScript can be a real pain, since you have to manually allow a lot of sites, but I consider it worth the trouble for the protection it gives.

You alluded to nearly using the "auto restore" function on your comp in the other thread, isn't there some way to adjust your "factory restore" so that it only affects a system partition and leaves data alone? I'm not too familiar with those pre-made "system restore" options. I find the best thing to do with a new compy is to do a complete wipe out of the box, repartition all the drives, and reinstall the OS on a dedicated OS partition.

After that, even if a virus or malware works its way onto your system, it's a snap to reinstall from disk while preserving the savory data partitions. :perfectplan:

And, remember, there's always Linux! :pandalaugh:
 

rubiks6

No more JI - Retired from AO
Apr 2, 2008
836
366
Thanks for your help, Rollyco.
Rollyco said:
hotlinkimage.com is one of the most used third-party hosts on Akiba-Online.
Yes, I'm aware of this. I'm at a loss as to how to prevent this sort of attack in the future. For me personally, I'll just have to always look at the url before I click an image.
 

Rollyco

Team Tomoe
Oct 4, 2007
3,556
34
Apart from keeping everything updated (Windows, your browsers, Flash, Adobe Reader, Java, etc.), I strongly suggest you run your browser in a sandbox that can keep any malicious payloads out of your system. Sandboxie (payware) or CIS Premium (free) have very capable sandbox functionality. The latter is a more intrusive installation (it also includes a firewall + antivirus); I would try Sandboxie first.

http://rapidshare.com/files/404977807/Sandboxie.v3.46.WinAll.Incl.Keygen-CRD.rar (password: rl-team.net)
 

rubiks6

No more JI - Retired from AO
Apr 2, 2008
836
366
Well, I'll have to leave many of your questions unanswered (and many of my own). I need to sleep now.

Thanks for your suggestions, Rollyco. I'll try to figure out what it all means.

Anyway, I've attached an image of the culprit (uploaded to Akiba, of course).
Check out the first 4 of 58 registry changes that bugger made. Nasty.
 

sicklychild

Member
Jan 6, 2008
77
15
My AVG antivirus keeps blocking access to these pages - which seems to do the trick and protects my PC.
Also my AdAware program sometimes pops up and blocks a page.
Next time it happens I'll report the post as well.
 

rubiks6

No more JI - Retired from AO
Apr 2, 2008
836
366
I kept asking myself yesterday why I failed to report the post. This morning it occurred to me - duh - I never had a chance until five hours later. By then, I was reluctant to even open the thread containing the image.

_____ . :scared: . _____
 

CoolKevin

Nutcase on the loose
Staff member
Super Moderator
Mar 30, 2007
10,005
3,633
rubiks6 said:
I kept asking myself yesterday why I failed to report the post. This morning it occurred to me - duh - I never had a chance until five hours later. By then, I was reluctant to even open the thread containing the image.

_____ . :scared: . _____

I would not let it get you down; there were many others that looked as well.
I hope your PC is running well now.
 

rubiks6

No more JI - Retired from AO
Apr 2, 2008
836
366
coolkevin said:
I hope your pc is running well now
Yes, things are running smoothly now. But, it was a wake up call that I will not soon forget. Again, thank you for your support.
 

Joelle

Active Member
Apr 24, 2008
699
49
Sorry you had to go through that, Rubiks. Been there, sucks beyond belief.

Thank you for the heads up in spite of it, classy.


Joelle
 

gyoza ramen & a beer

Active Member
Feb 20, 2009
548
33
So, them crafty Ukrainians is at it again...

Everyone has probably seen this (or a related article on the subject) by now, but if not, go here:

http://www.nytimes.com/2008/10/30/t...tml?scp=2&sq=windows xp antivirus 2008&st=cse

It's the part about the "affiliates" program that particularly caught my attention. That, and the fact that the virus does not attack computers whose keyboards are mapped for the Ukrainian alphabet.

From reading the above replies, it's obvious I am in the company of very knowledgeable people and, likely, have little to offer by way of help. But I can tell you that when my computer was infected the virus had attached itself in places it would never have occurred to me to look; even, for instance, the application for the mouse/trackball I was using.
 

scorres

Hetero-sapien
Apr 12, 2009
1,106
73
rogue spyware

I had my dance with this BS. The tricky part is that when you search for possible remedies, the first 50 matches are possible traps! I was able to function normally for a month, with my speakers off (to avoid the 'pop' every 10 seconds), while I sought a cure. When I finally beat it, I was actually missing the intense, hectic state of mind I had been surfing with.

All that aside, the second it happens, the (fake) spybot runs and you get the task-bar caution. DON'T click anything! Hit Ctrl/Alt-Delete, find it, end-task it, and wipe your cache. Once a day do a manual system restore point. Takes 20-30 seconds.

If it's too late for you, don't panic and start deleting its pieces. The 5 files you need to delete will rebirth themselves in increasingly stealthy manners. Best to do it right the first time. Make note of the exact day and time it occurred; the designers overlooked randomizing the 'born-on date'.

I thank them however for showing me that paying yearly fees to Norton was a waste. They ran together. Avast is free. Like me. L8R ssss

I see that Mr. Norton helped save rubiks, so they get my thanks, but no more money.
 

CoolKevin

Nutcase on the loose
Staff member
Super Moderator
Mar 30, 2007
10,005
3,633
Another way to solve the problem is to run Linux. I was using Ubuntu, and I put in a password, and when I changed it I must have made a typo, and I cannot get back into it. But the good thing about Ubuntu is that it is very rare for people to try and invade it and its registry, and the best thing is that it is free. So what I was doing was surfing with Ubuntu, downloading and scanning for all the possible problems, and if I needed Windows to run whatever I downloaded, I would start Windows.
 

rubiks6

No more JI - Retired from AO
Apr 2, 2008
836
366
scorres said:
exact day and time it occurred, the designers overlooked randomizing the 'born-on date'.
I thank them however . . .
No worries, scorres. I gave my money to Mr. Norton without embarrassment. Damned if I would give it to the bastards who thought up this crap. I purchased Norton Antivirus the very day that this started. It helped clean things up. I'm not trying to sell this product, but for God's sake people - don't pay ANY money to the people running these scams.
 

scorres

Hetero-sapien
Apr 12, 2009
1,106
73
I found a cap

My mind was back at ease after I ran my Spybot - Search & Destroy, free as the wind. It wouldn't fix nuthin', but it reassured me that all those infections were fake. Spybot has a tab for start-up programs too. Anything that changed since last use comes up in bold print. I take a snapshot too, for reference.

The newer version you got disables task-manager, and did it change your desktop? I got so lucky that time; I reset to a system check restore point more than a week old from safe mode. I've never had a successful restore more than 1-2 days. I watched it reboot peeking through my fingers, sure it was gonna say, 'Sorry, try another point'.

Rubiks, you might not want to look at the first pic. Could cause flashbacks; it's just a jpg over 2 years old (before IE8).


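The snapshot-and-compare habit scorres describes (record the start-up entries, see what changed since last time), applied to the three symptoms rubiks6 reported (hijacked proxy settings, Task Manager disabled, a new autorun). This is an added example, not code from anyone in this thread: the key paths are real Windows registry locations, but both snapshots are constructed dictionaries with made-up values rather than reads from a live machine.

```python
# Real Windows registry locations; the values stored under them below are
# constructed for this example and are not taken from an infected system.
IS = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
POL = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed "known good" snapshot, the daily baseline scorres recommends.
BASELINE: dict[str, str] = {
    IS + r"\ProxyEnable": "0",
    IS + r"\ProxyServer": "",
    POL + r"\DisableTaskMgr": "0",
    RUN + r"\ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

# Constructed post-incident snapshot showing the symptoms from the thread.
AFTER: dict[str, str] = {
    IS + r"\ProxyEnable": "1",
    IS + r"\ProxyServer": "http=127.0.0.1:5555",   # placeholder hijack address
    POL + r"\DisableTaskMgr": "1",
    RUN + r"\ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    RUN + r"\SecurityAlert": r"C:\DOCUME~1\user\LOCALS~1\Temp\av.exe",  # placeholder
}

def diff_snapshots(before: dict[str, str], after: dict[str, str]) -> list[str]:
    """List every value added, removed or changed since the baseline."""
    findings = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old == new:
            continue          # unchanged entries (e.g. ctfmon.exe) are not reported
        if old is None:
            findings.append(f"ADDED   {key} = {new}")
        elif new is None:
            findings.append(f"REMOVED {key} (was {old})")
        else:
            findings.append(f"CHANGED {key}: {old!r} -> {new!r}")
    return findings

def triage(snapshot: dict[str, str]) -> list[str]:
    """Flag the thread's three symptoms even when no baseline is available."""
    flags = []
    if snapshot.get(IS + r"\ProxyEnable") == "1":
        flags.append("proxy forced on -> " + snapshot.get(IS + r"\ProxyServer", ""))
    if snapshot.get(POL + r"\DisableTaskMgr") == "1":
        flags.append("Task Manager disabled by policy")
    for key, cmd in snapshot.items():
        if key.startswith(RUN + "\\") and "\\temp\\" in cmd.lower():
            flags.append("autorun launched from a Temp folder: " + key)
    return flags
```

Run `diff_snapshots(BASELINE, AFTER)` to see the four changes and `triage(AFTER)` for the symptom flags; a clean baseline produces an empty list from both.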