Geekzone: technology news, blogs, forums


19 posts

Geek

Trusted

  Reply # 508049 17-Aug-2011 16:14


BDFL
43710 posts

Uber Geek

Administrator
Trusted
Geekzone
Subscriber

  Reply # 508053 17-Aug-2011 16:16

DonGould: So far I've read that AVG and MSE aren't stopping it.


Try Norton Power Eraser and let us know: http://security.symantec.com/nbrt/overview.aspx?lcid=1033

 




don@i.am.a.can.do.kiwi.nz
3132 posts

Uber Geek

Subscriber

  Reply # 508070 17-Aug-2011 16:31





Promote New Zealand - Get yourself a .kiwi.nz domain name!!!

Check out mine - i.am.a.can.do.kiwi.nz


663 posts

Ultimate Geek


  Reply # 508090 17-Aug-2011 16:45

Maybe it's the govt using it to spy on us. Like they're trying to do.

2760 posts

Uber Geek

Trusted
Subscriber

  Reply # 508099 17-Aug-2011 16:59

cws82us: Maybe it's the govt using it to spy on us. Like they're trying to do.


Bit cold for tin hats, ain't it?

13 posts

Geek


  Reply # 508128 17-Aug-2011 17:45

I've acquired a sample that Windows Defender is calling "Rogue:Win32/Winwebsec" - it calls itself "Personal Shield Pro" in the popups that it creates.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ame=Rogue%3aWin32%2fWinwebsec&threatid=133077 

BDFL
43710 posts

Uber Geek

Administrator
Trusted
Geekzone
Subscriber

  Reply # 508133 17-Aug-2011 17:50

Interesting that was published in 2010, and Microsoft Security Essentials failed to get it...





13 posts

Geek


  Reply # 508164 17-Aug-2011 18:34

I've just re-scanned it with Microsoft Security Essentials, which did detect it, also as http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Rogue%3aWin32%2fWinwebsec&threatid=2147616725

don@i.am.a.can.do.kiwi.nz
3132 posts

Uber Geek

Subscriber

  Reply # 508171 17-Aug-2011 18:48

kiwitrc:
cws82us: Maybe it's the govt using it to spy on us. Like they're trying to do.


Bit cold for tin hats, ain't it?


* Does the virus have a back door?
* Was the back door put in the OS by someone's government for someone's government?
* Is the virus there to highlight the government back door to make the OS provider close the door?
* Is the virus an attempt to get into your computer, or an attempt to draw attention to the open door and make sure you actually do something to close it?
* Is the <Insert Government of choice> spying on me or are they attempting to prevent <Insert another government of choice> from spying on me?

A good friend always tells me the 13th floor has the "antivirus developers" and the 14th floor of the same building has the "virus developers" and it's nothing but a scam to make us spend money on software...

* Or are the hackers being a bit busy because they have too much time on their hands, so infecting a bunch of their customers will give them something else to do for a week or so...

* Or are the sales in <Insert International Cable provider of your choice> down and needing more network traffic to justify <Insert next big upgrade/project of your choice>

* Or .....  pffft...  you're only paranoid if they're not watching you....


Personally security always scares the crap out of me...  is mine good enough?  If it is good enough and no one can look in, then do they start to wonder what I'm hiding in here?  So should I have the doors and windows open so people can see I'm not hiding anything I shouldn't be...  but then does that mean someone could put something here that I shouldn't have... and am I compromising my customers and putting myself at risk of breaching privacy rules for not making enough effort to secure data?  Should I use PGP on my email, for example, but then do others have the perception they can communicate things to me they wouldn't if I just have plain text email?  Do I want those messages?

We could play the tin foil hat game all day...  do we sleep better for it?













don@i.am.a.can.do.kiwi.nz
3132 posts

Uber Geek

Subscriber

  Reply # 508182 17-Aug-2011 19:18

ps - on reading my last post to my wife, she tells me I've got it all wrong...

...it's not governments at all, it's drug companies who make paranoia medicine.







BDFL
43710 posts

Uber Geek

Administrator
Trusted
Geekzone
Subscriber

  Reply # 508360 18-Aug-2011 09:10

Back on topic folks... I want to write instructions on removing this infection. Does anyone have a software recommendation that actually worked?





13 posts

Geek


  Reply # 508362 18-Aug-2011 09:24

Malwarebytes Free, installed and updated in Safe Mode with Networking on Windows XP SP3. Run a Full Scan and delete the found items (in my case there was only 1 found, and removing it did the trick).

Consider though that the site may have served up different malware variants to different people (perhaps based on user agent string or JS version?), or that some people will also have other infections in addition to this one that malwarebytes might find and be unable to fix.

wjw

150 posts

Master Geek


  Reply # 508364 18-Aug-2011 09:29

freitasm: Back on topic folks... I want to write instructions on removing this infection. Does anyone have a software recommendation that actually worked?



I used this:

MalwareBytes Anti-malware

As linked from here:

wjw: From another website I'm on: 

http://deletemalware.blogspot.com/2011/07/how-to-remove-personal-shield-pro.html 

Two people so far have said this removal process works
 

BDFL
43710 posts

Uber Geek

Administrator
Trusted
Geekzone
Subscriber

  Reply # 508379 18-Aug-2011 10:05

Folks, on request of MetService I have created this blog post: http://www.geekzone.co.nz/freitasm/7776

Could you please check that the information is correct or closer to what we know, and if there's anything else we can add or change please send me a PM so I can update it?

I guess there will be quite a few readers on that so it would be good to get it as easy as possible for people to follow.

Thanks!




BDFL
43710 posts

Uber Geek

Administrator
Trusted
Geekzone
Subscriber

  Reply # 508397 18-Aug-2011 10:24

Just saw the comments on NBR. People complaining about online ads, etc.
  • This was a drive-by download. No need to click ads
  • The problem was probably a SQL Injection in their ad serving database. This means it could affect ANY database-driven website. They've gone through the ad server because they used a known vulnerability, and as MetService admitted, a new version has been deployed, fixing it. But still, it's not about the ads themselves (unlike the Trade Me case a few months back).
  • It seems the problem was not the browser. The problem was with a Java exploit being used. For example I am using Internet Explorer and visited the MetService many times this week but did not have problems because I don't have Java installed on my computer.
 



