
Angry about your PC invasion? Vent here!


14 replies to this topic

#1 FatalComputer

FatalComputer

  • Members
  • 15 posts
  • Gender:Male
  • Location:Vancouver, BC

Posted 09 January 2009 - 11:00 AM

Wow....I woke up yesterday morning and turned on my computer...only to find all this SH@#! on it.....so I downloaded some antivirus scan stuff and scanned. I left it over night so I would know in the morning...when I woke up there were exactly 2034 Internet Explorers.....all f(&(*&!(*!! advertising!!@!@!@!@!@! omg !@!@!@


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,963 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 09 January 2009 - 11:58 AM

Since this topic isn't discussing how to remove an infection but rather venting about getting them, I am moving it to general chat. ~ OB
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 xXAlphaXx

xXAlphaXx

  • Members
  • 867 posts
  • Gender:Male
  • Location:North Carolina

Posted 09 January 2009 - 01:47 PM

Yeah, sometimes viral infections like those can just get so bad. Sometimes it's just better to reinstall if it's really that bad. I've only come across infections like that twice.
If I am helping you and I do not respond within 24 hours, please send me a PM. :)

#4 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,259 posts
  • Gender:Not Telling
  • Location:Right behind you

Posted 09 January 2009 - 06:19 PM

Indeed, malicious software is quite a pain in the rear-mid-section-fault zone, and those who create them ought to be slathered in honey and tied to a red ant hill (one ant for each infected computer.)


*thinks about mentioning Linux; decides not to and chuckles to himself.*

Edited by Amazing Andrew, 09 January 2009 - 06:21 PM.


#5 BlackSpyder

BlackSpyder

    Bleeping Big Rig


  • BC Advisor
  • 2,456 posts
  • Gender:Male
  • Location:Huddleston, VA USA (Home Sweet Home)

Posted 09 January 2009 - 09:07 PM

Yeah, obviously giving them blueberry muffins and attacking them with birds is too easily escaped. (heh heh heh)

PITA, you bet they are.


Preach on, brother AA, preach on!





edit:Must always remember BBC code

Edited by BlackSpyder, 09 January 2009 - 09:14 PM.





#6 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,259 posts
  • Gender:Not Telling
  • Location:Right behind you

Posted 10 January 2009 - 01:30 PM

Yeah, obviously giving them blueberry muffins and attacking them with birds is too easily escaped. (heh heh heh)

Sure, mock me and my horrific brush with death.

Preach on, brother AA, preach on!

Can I get an "amen"?

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,338 posts
  • Gender:Male
  • Location:NJ USA

Posted 10 January 2009 - 05:57 PM

Amen brother !! :flowers: but mostly as you are so merciful...one ant per occurrence. :thumbsup:
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#8 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,259 posts
  • Gender:Not Telling
  • Location:Right behind you

Posted 10 January 2009 - 06:31 PM

Well, considering the proliferation of malware, I think one per infection is perhaps unconstitutional (damned laws against cruel and unusual punishment... *grumble*)

#9 nospam

nospam

  • Members
  • 38 posts
  • Location:pueblo

Posted 14 January 2009 - 09:44 PM

My rant as well:

I recently dealt with this malware just a few days ago: real-av (you HJT guys have helped several people here with variants of that really bad malware). I don't know how I got infected, as I rarely do, but this one was extremely time consuming to deal with, even after googling it to get the answers on how to address it as soon as I saw the URLs or funky file names.

DON'T GO to these DOMAIN NAMES, I am posting them here as information about my RANT



I did some research with the names associated with this garbage:

Domains, IPs, ASN:
REAL-AV. ORG = netplace. ru = webalta. ru = wahome. ru
Network info: AS41947 = 77.91.225.235

Interesting Site Advisor comments -
http://www.siteadvisor.com/sites/real-av.org


Talk about a royal PITA!

Huge amounts of trojans were hidden in the WINDOWS\System32 folder and the registry area. I used Malwarebytes and scanned repeatedly. I did a few other things and finally got rid of the virus without reformatting. Before I figured out what was going on, my desktop was offline a good bit anyway and I kept getting these tcsd_win32.exe shutdown errors. Then the malware was disabling my AV and Firewall, etc. Then when I figured out it was malware, it nearly prevented me from removing it, very nasty and time consuming. I hope the people behind this get prosecuted and go to jail for cybercrime.

Interestingly enough, I found from searches online that Spamhaus has a /24 blocked on this gang.

This listing has been there since mid December 2008; it would seem to me the host has no intention of getting rid of this awful customer.

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL70442

Ref: SBL70442

77.91.225.0/24 is listed on the Spamhaus Block List (SBL)

15-Dec-2008 00:23 GMT | SR04

Botnet C&C control hub and malware drop

Yet more service provided to botmasters by "netplace.ru"

77.91.225.234:443.



Edited by nospam, 14 January 2009 - 09:45 PM.


#10 Guest_fuzzywuzzy6_*

Guest_fuzzywuzzy6_*

  • Guests

Posted 14 January 2009 - 11:00 PM

For all we know, Vladimir Putin used the same people to disable the Georgian government's computer system. It may be they are getting some government support, there.

#11 scff249

scff249

    Indecisive Lurker


  • Members
  • 1,319 posts
  • Gender:Male
  • Location:A galaxy far, far away...

Posted 14 January 2009 - 11:47 PM

For all we know, Vladimir Putin used the same people to disable the Georgian government's computer system. It may be they are getting some government support, there.


I'd laugh if that was true.

The last infection that I was ripping my hair over on was a flash infection. Took three weeks to finally get it cleaned out (as well as fix a registry issue...which I know is stupid to mess with that). Of course, that was about a year ago when that happened.

"Ototo'i wa usagi o mita no...Kino wa shika...Kyo wa anata." -Kotomi Ichinose (Clannad) [see below for translation]
"Day before yesterday I saw a rabbit, and yesterday a deer, and today, you." -The Dandelion Girl
"You are not alone, and you are not strange. You are you, and everyone has damage. Be the better person." -Katawa Shoujo


#12 nospam

nospam

  • Members
  • 38 posts
  • Location:pueblo

Posted 15 January 2009 - 11:06 AM

For all we know, Vladimir Putin used the same people to disable the Georgian government's computer system. It may be they are getting some government support, there.


You have a point. All we know is that it is hosted in Russia. The people behind it could be from anywhere. I wonder where it will move next, or what other domains they will use.

I complained about real-av.org a few days ago to its webhosts.

I just checked today and this:

Domain ID:D151970735-LROR
Domain Name:REAL-AV.ORG
Created On:10-Mar-2008 10:35:47 UTC
Last Updated On:15-Jan-2009 07:38:29 UTC
Expiration Date:10-Mar-2009 10:35:47 UTC
Sponsoring Registrar:OnlineNIC Inc. (R64-LROR)
Status:CLIENT HOLD

OnlineNIC, the registrar, appears to have disabled it. The status is no longer OK.

Edited by nospam, 15 January 2009 - 11:07 AM.


#13 Guest_fuzzywuzzy6_*

Guest_fuzzywuzzy6_*

  • Guests

Posted 15 January 2009 - 12:54 PM

The reasons why I suggested the Russian government may be involved, and only half in jest:

(1) Vladimir Putin is former KGB. The KGB was one of the very few soviet government agencies that promoted creativity and took a truly long-term approach to achieving its goals;

(2) Putin has been known to harbor imperialist and tyrannical goals. He has punished honest, creative businessmen in Russia who have dared to criticize him and the government, while promoting or rewarding those who endorse him, regardless of their behaviors;

(3) The Russian "mafia" has also been endlessly creative on an international front, and I would not be surprised to learn that they have been given a "pass" because they are useful tools of intimidation;

(4) Google and Mozilla have had mixed results from their Russian programmers; some are good guys, but if you remember the mess from "All the Web", which resulted in tons of spam mail being received from folks who used that search option, you will see where I am going with this. I don't think Google supports Putin, but there are some selections on the "Customize Google" in Firefox and in the Google search preferences account page which will still enable "All the Web." I never chose anything labelled "All the Web", but there is more than one way to end up with it, and I have found after some updates that my preferences had been reset. Hasn't been a problem for some months, as when I started getting return e-mails with Russian domains, I reset my search options. I wish Google desktop had a simple toggle or an additional choice listed: "go straight to this site", and there are many users at BC who have had problems with their typed-in URL going to a search page instead. I have been using bookmarks and Fast Dial/Speed Dial a lot, tired of having to switch over for the simplest things.

I think the troublesome Russian programmers/hackers are probably independent contractors, not government servants. But Putin would find the infection of ads on the internet a particularly elegant and satisfying way to achieve some of his goals by disrupting Western consumers and intellectuals, two groups he probably has a lot of disdain for. And if he were to use these malware designers to disrupt various government internet functions, such as was the case in Georgia? And he is using the dispute with the Ukraine over natural gas payments to make his strength felt in all of Europe during a very cold winter. He has disrupted the flow of gas to make a point.

It is unfortunate that Gorbachev has been so vilified in the former Soviet Union. While he is former KGB, he was a great reformer and is an obviously decent man with ideals and an understanding of history. There was a survey done in the former Soviet Union recently as to which two persons in Russia made the biggest mark on Russian history. While it is not clear what the wording of the actual question was, the Western press made it look like it was "Who were the 2 greatest Russian heroes?" The selections: Josef Stalin and an emperor who was especially savage, brutal, depraved, and probably insane.

Boy, am I glad my ancestors had the insight and the drive to immigrate from Eastern Europe to the United States. Living situation there is miserable and getting worse, and many of the folks there seem to celebrate Putin and his actions. Ah, for the greater glory of the Russian empire!

#14 nospam

nospam

  • Members
  • 38 posts
  • Location:pueblo

Posted 16 January 2009 - 11:10 AM

Google search preferences account page which will still enable "All the Web."

You bring up some interesting points. I knew of AllTheWeb, but had no idea about that. That makes for some interesting research. Cybercriminals are everywhere, but it does seem Russia has a significant representation in the criminal mix.

#15 Guest_fuzzywuzzy6_*

Guest_fuzzywuzzy6_*

  • Guests

Posted 16 January 2009 - 11:52 AM

If you click on the Customize Google option on the Firefox Tools menu, and check the box which enables automatic search with other search engines, I believe that will give you All the Web. Once I unchecked that box, I no longer had that problem. One could always add buttons or Speed Dial settings for the desired alternate search engines if they are used a lot. There is not always sufficient disclosure with Firefox updates and add-ons, and the same for Google.

Edited by fuzzywuzzy6, 16 January 2009 - 12:08 PM.




