Is Trade Me spreading virus again? (updated: metservice)

Forums › Desktop computing › Is Trade Me spreading virus again? (updated: metservice)

1 | 2 | 3 | 4 | 5 | 6 | 7 | ... | 8

BDFL - Memuneh
79034 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#506419 14-Aug-2011 20:00

And you checked the hosts files (run notepad \windows\system32\drivers\etc\hosts) to see if there's anything left over from the infection?

My technology disclosure

Lenovo

Shop now for Lenovo laptops and other devices (affiliate link).

graciem

32 posts

Geek

Trusted

#506424 14-Aug-2011 20:05

freitasm: And you checked the hosts files (run notepad \windows\system32\drivers\etc\hosts) to see if there's anything left over from the infection?

no .txt files in there. There are: hosts, Imhosts.sam, networks, protocal, services.

now googling google URL hijacking. luckily i got this good laptop to use.

cisconz

cisconz
1337 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#506429 14-Aug-2011 20:09

graciem:
freitasm: And you checked the hosts files (run notepad \windows\system32\drivers\etc\hosts) to see if there's anything left over from the infection?

no .txt files in there. There are: hosts, Imhosts.sam, networks, protocal, services.
now googling google URL hijacking. luckily i got this good laptop to use.

Yes open the "hosts" file in notepad.

Hmmmm

graciem

32 posts

Geek

Trusted

#506433 14-Aug-2011 20:13

cisconz:
Yes open the "hosts" file in notepad.

oh i see. there's:
127.0.0.1 localhost

Ragnor

8196 posts

Uber Geek

Trusted

#506468 14-Aug-2011 21:19

graciem:
cisconz:
Yes open the "hosts" file in notepad.

oh i see. there's:
127.0.0.1 localhost

That's normal.

What OS, browser and browser version are on this laptop?

Most browsers have an option to startup with addons/extensions disabled., try that.

Shoes2468

784 posts

Ultimate Geek

#506476 14-Aug-2011 21:40

One of my family members also called me up about a virus they recently got, they swore all they were doing was surfing trademe and such, I didn't really believe them but this makes me wonder, they have an older windows xp machine. Interesting.

BarTender

3587 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#506495 14-Aug-2011 22:23

My wife somehow managed to get a variant of TDSS on her laptop. The only way we noticed was random sound kept only playing when we weren't doing anything. Symantec didn't pick it up, neither did AVG, it was only Mcafee did, but couldn't remove it. Windows Personal Firewall did nothing too. TDSSKiller from kaspersky was the only thing that cleaned it.

Doesn't surf anything weird basically tm/stuff/facebook etc. It could have been my daughter accidentally clicking on something, but she is only 6 so not exactly a dodgy site.

TDSS was one nasty piece of malware and I found it very had to remove. A bit of googling picked up these interesting site about it.

http://www.securelist.com/en/analysis/204792131/TDSS

http://support.kaspersky.com/viruses/solutions?qid=208280684

Nasty stuff....

My bet is it was delivered via an add.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#507564 16-Aug-2011 21:12

I've just picked this up this evening as well on one of my older machines running server 2003 with IE8 and up to date MS security essentials. It's definately come from a legit site, presumably from an ad.

29k

8 posts

Wannabe Geek

#507608 16-Aug-2011 22:15

I'm in the process of finally removing 'Personal Shield Pro' from my PC right now (Vista). I've been on things like Stuff, FB, Twitter and Metservice all day, so I've picked it up from a legit site somewhere. I did notice loading issues with Metservice tonight and then once it did load suddenly I had issues...but as I had other sites open too, no way of proving it.

wallross

42 posts

Geek

Trusted

#507731 17-Aug-2011 10:00

My work PC Antivirus alerted a virus yesterday afternoon whilst browsing the MetService site around 4pm yesterday. I would highly suspect it was Ad related as others have mentioned. McAfee stated it was some kind of Trojan (can't find the full details in the quarantine logs).

I have droped some of the guys there a line to get them to check it out from their end.

freitasm

BDFL - Memuneh
79034 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#507775 17-Aug-2011 10:47

It was the metservice website: http://twitter.com/#!/MetService/statuses/103597899644026880

My technology disclosure

graciem

32 posts

Geek

Trusted

#507782 17-Aug-2011 10:53

freitasm: It was the metservice website: http://twitter.com/#!/MetService/statuses/103597899644026880

legend! I hope they have a cure for me, my old laptop is still infected with the google url hijacking :(

Ragnor

8196 posts

Uber Geek

Trusted

#507790 17-Aug-2011 11:05

graciem:
freitasm: It was the metservice website: http://twitter.com/#!/MetService/statuses/103597899644026880

legend! I hope they have a cure for me, my old laptop is still infected with the google url hijacking :(

Have you tried closing all programs and running a scan with malwarebytes?

Also start your web browser in it's safe mode with addon's disabled if the hijack is being done by browser addon, or use a different browser (Firefox, Google Chrome) until you can fix IE (presuming you are using IE).

Ragnor

8196 posts

Uber Geek

Trusted

#507792 17-Aug-2011 11:08

freitasm: It was the metservice website: http://twitter.com/#!/MetService/statuses/103597899644026880

Anyone know the specifics of how the infection worked and what it infected, seems to be another IE only exploit on unpatched Windows XP and 2003...

cyril7

9050 posts

Uber Geek

ID Verified

Trusted

Subscriber

#507796 17-Aug-2011 11:11

Hi, we have no twitter access here at work, could someone kindly post the guts of the Metservice notice, I see they have plucked their syndicated ad roll.

Cyril

1 | 2 | 3 | 4 | 5 | 6 | 7 | ... | 8