Greenguy's Board


Old 2007-12-05, 10:52 AM   #1
NY Jester
ICQ:147*079*406
 
Join Date: Oct 2007
Location: Rock*ME*Hardplace
Posts: 2,996
Where have all the good guys gone

Well, I woke up today and thought I'd get a head start on submitting, as some TGPs fill up quickly and you have to put off submitting until the next day. Well, I get halfway through my process and BAM! Something killed my PC. I get a shutdown notice, am asked to save the file I had open (my submit list), and the PC restarts.

After reloading I get:
An ATL.dll error when loading some programs.
My System Restore is disabled - error message: "System Restore cannot protect your computer. Please restart your computer and run System Restore again."
My Security Center is disabled - cannot open the SC to change admin values, add/remove users, etc.
User Accounts are disabled - cannot access them to change settings, etc.
Control Panel: some options are inaccessible... some just will not open.

Internet Explorer:
Home page changed to "blank"
History deleted
Cookies deleted
When I click on Internet Options, I get an error saying there are restrictions on this account, please contact administrator.
And my searches from IE all show up with a routed results page, the IP being 85.255.120.28/. All results get filtered through that portal, although the actual search results are accurate and show the correct URLs on the search results page (which for me is Google).

Here is the URL, once clicked, for the results on "basket weaving":
Code:
http://realsearch.cc/feed/search.php?tpl=adsense&q=basket%20weaving
along with a drop down bar which keeps advertising porn, and clicks through to:

Code:
http://www.pornattitude.com/index.php?id=48113&t=D&cs=rouge&w=0&omp=CB:UP&idf=&tracker=_cdbar_allen&langue=en
These results only occur in IE. FF runs fine, shows the results page and clicks through to the corresponding website URLs.

I have updated virus always on, I ran a virus scan and the results are clean.

My initial reaction was WTF!
I have narrowed it down to either the gallery confirmation page of one TGP or the webmaster submit page of another - and I'm leaning towards the submit page because the shutdown didn't occur until that page had been fully loaded. I think it's pretty horseshit when another adult webmaster needs to have this type of guerrilla tactic on a webmaster-accessible page (or any page that's accessible, for that matter). Is it wrong to assume that this attack came from one of those two sites, as they were the only things I had open at the time and up until then my PC had run fine? I didn't want to out any site just yet until I hear back with an opinion, but the sites are known TGPs and not just fly-by-night outfits.

Anyone have any advice on how to get rid of this little doozy?
Thanks in advance.

J-
Old 2007-12-05, 11:03 AM   #2
LD
wtfwjd?
Join Date: May 2007
Posts: 2,103
Man, that sucks. I've had good results with Spybot and Ewido run in safe mode. I use AVG too, which seems to offer good protection from this crap.
Old 2007-12-05, 11:09 AM   #3
Bobc01
Banned
 
Join Date: Apr 2007
Location: Hell
Posts: 817
No surprise that IP resolves to "Location: Ukraine (high) [City: Kharkiv, Kharkivs'Ka Oblast']"

Edit: Try a search on "Comclean spyware" see if anything rings any bells.

Last edited by Bobc01; 2007-12-05 at 11:14 AM..
Old 2007-12-05, 11:14 AM   #4
NY Jester
ICQ:147*079*406
Join Date: Oct 2007
Location: Rock*ME*Hardplace
Posts: 2,996
Any advice as to how to get rid of it? Like I said, it has "hijacked" the control center pretty much, for obvious reasons. Also, I've come to see that when I manually type a web URL in, I get a "security prompt":

The web site you are on is trying to access a site in your Trusted Site Zone - ktu "dot" sv2 "dot" biz. So it seems it's written itself to my trusted zone as well.
Last edited by NY Jester; 2007-12-05 at 11:16 AM..
Old 2007-12-05, 11:22 AM   #5
Jim
Banned
Join Date: Aug 2003
Location: Mohawk, New York
Posts: 19,477
Believe it or not, I just cleaned my daughter's PC with the same problem and more. She had popups coming from nowhere. And she was protected with PC-cillin. All I did was a full scan and it all went away... thankfully. Her boyfriend borrowed the PC and has no idea where it came from.
Old 2007-12-05, 11:22 AM   #6
plateman
What can I do - I was born this way LOL
Join Date: Oct 2003
Location: ohio
Posts: 3,086
Try to boot to safe mode, run your cocktail of cleaners, and see if that fixes it.
Old 2007-12-05, 11:33 AM   #7
NY Jester
ICQ:147*079*406
Join Date: Oct 2007
Location: Rock*ME*Hardplace
Posts: 2,996
Well, I did a search for the 85.255.** and found it's a trojan made possible by a QuickTime vulnerability. It's unpatched, and I'm not saying that the site owners knew of the problem, as it may have attacked their server, but WTF?!
Old 2007-12-05, 11:47 AM   #8
Tekster
Formerly known as TekAngel
Join Date: Feb 2007
Location: Valley of the Sun
Posts: 1,951
Hey that sucks man. I am no help here as most of my work is done on Apple but I did read somewhere that Quick Time is vulnerable to some kind of a virus. I think they had a patch but I am not sure.

Good luck and hope you get it fixed soon and without too much grief.
Old 2007-12-05, 11:58 AM   #9
NY Jester
ICQ:147*079*406
Join Date: Oct 2007
Location: Rock*ME*Hardplace
Posts: 2,996
Tek - the article I read on it said it's vulnerable to Leopard in some instances as well. As of 12/3 there is not a patch.

I run without ActiveX turned on, Java has to be accepted, no pop-ups, etc. Just sucks that this kind of JUNK is out there. I'm running a deep scan through the Symantec site to see what that finds.
Old 2007-12-05, 12:07 PM   #10
Cleo
Subversive filth of the hedonistic decadent West
Join Date: Mar 2003
Location: Southeast Florida
Posts: 27,936
Quote:
Originally Posted by NY Jester View Post
Tek - the article I read on it said it's vulnerable to Leopard in some instances as well. As of 12/3 there is not a patch.
So far there has only been proof of concept vulnerabilities for Mac X, that Apple has been quick to patch, but there are still zero actual viruses.
Old 2007-12-05, 01:07 PM   #11
NY Jester
ICQ:147*079*406
Join Date: Oct 2007
Location: Rock*ME*Hardplace
Posts: 2,996
I'm running a deep scan online from Symantec - it's detected a couple of things. Waiting for it to complete so I can see what they are and what steps need to be taken to remove them. I'll keep everyone posted.
Old 2007-12-05, 01:10 PM   #12
NY Jester
ICQ:147*079*406
Join Date: Oct 2007
Location: Rock*ME*Hardplace
Posts: 2,996
Cleo you may want to read this article. Just going by what was said here.

I don't know much about Mac, if anything; I do know they are less vulnerable to viruses.
Old 2007-12-05, 04:26 PM   #13
bluebrit
Along for the ride and loving it.
 
Join Date: Aug 2005
Location: Canada
Posts: 1,873
What you could try, depending on what the virus has done, is to run sfc /scannow (assuming you use WinXP; it may work for other MS systems). Here's a link, http://www.updatexp.com/scannow-sfc.html, that will explain what it can do, but you will need your XP disc if errors are found. On top of virus checkers and spyware removal software, it's always a good thing to run if you're having problems. You may find, though, once it's completed, that you also have to download some updates from MS, as it may step your files back to the CD versions that are known to be safe.
Good luck with sorting your PC.
Old 2007-12-05, 06:06 PM   #14
NY Jester
ICQ:147*079*406
Join Date: Oct 2007
Location: Rock*ME*Hardplace
Posts: 2,996
Still working on things. It's weird: it only affected my IE, but I can still go through with FF and delete TIF, and it uses my search and displays the results without the forced "ads".

I'm going through all the motions, cleaners, etc. Thanks for the heads up, Blue. I'll check that out as well.

J-
Old 2007-12-06, 12:12 AM   #15
tickler
If there is nobody out there, that's a lot of real estate going to waste!
Join Date: Dec 2003
Posts: 2,177
I had a bit of a weird thing happen last week. Not sure if it was something leftover after killing a virus, or something the tech did the last time he worked on the machine.

I went to check something on my desktop properties, and found out that I was blocked. I was also blocked from running anything control panel related.

A quick search on google for the "error popup message" led me to a regedit procedure to give me back access to the control panel.
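An added example, not part of any post in this thread: a Python script that scans a regedit export for the lockouts and Internet Explorer changes described in posts #1, #4 and #15 (blocked Control Panel and Internet Options, disabled System Restore, a Trusted zone entry, values pointing at the quoted IP). The registry value names are standard Windows policy values; the sample export and the domain ads.example.test are constructed for illustration.

```python
import re

# (key suffix, value name) -> meaning of a non-zero DWORD; compared lower-case
LOCKOUTS = {
    (r"\currentversion\policies\explorer", "nocontrolpanel"): "Control Panel blocked",
    (r"\internet explorer\restrictions", "nobrowseroptions"): "Internet Options blocked",
    (r"\windows nt\systemrestore", "disablesr"): "System Restore disabled by policy",
}
ZONEMAP = "\\internet settings\\zonemap\\domains\\"
SEARCH_IP = "85.255.120.28"  # address quoted in post #1 of this thread
# Constructed sample export (not data from the affected machine).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000001
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://85.255.120.28/"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test\ads]
"*"=dword:00000002
'''

def parse_reg(text):
    """Yield (key, name, data) from regedit export text; DWORDs become ints."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = re.match(r'"([^"]*)"=(.*)$', line)
        if key and m:
            raw = m.group(2)
            if raw.lower().startswith("dword:"):
                yield key, m.group(1), int(raw[6:], 16)
            elif raw.startswith('"'):  # REG_SZ; hex and default (@) values are skipped
                yield key, m.group(1), raw.strip('"')

def audit(text):
    """Return (finding, registry key) pairs for the symptoms in this thread."""
    found = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        for (suffix, value), meaning in LOCKOUTS.items():
            if k.endswith(suffix) and n == value and isinstance(data, int) and data:
                found.append((meaning, key))
        if ZONEMAP in k and data == 2:  # zone 2 = Trusted sites
            parts = key[k.index(ZONEMAP) + len(ZONEMAP):].split("\\")
            found.append(("Trusted zone entry: " + ".".join(reversed(parts)), key))
        if isinstance(data, str) and SEARCH_IP in data:
            found.append((name + " points at " + SEARCH_IP, key))
    return found

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Regedit 5.00 exports are written as UTF-16, so decode the file before passing its text to audit().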
Old 2007-12-06, 12:28 AM   #16
dexcool
If something goes wrong at the plant, blame the guy who can't speak English
 
 
Join Date: Nov 2005
Location: Kansas City
Posts: 34
Sounds like an about:blank hijack. I have used HijackThis to get rid of them before, but it is very hard to keep it from coming back. Go to this page for more info:
http://www.pchell.com/support/aboutblank.shtml
Old 2007-12-06, 07:23 AM   #17
NY Jester
ICQ:147*079*406
Join Date: Oct 2007
Location: Rock*ME*Hardplace
Posts: 2,996
Thanks Dex and Tickler, I think I've narrowed it down to that as well. I'm working on it. I appreciate the help and advice from everyone.

J-
Old 2007-12-06, 05:41 PM   #18
hashbury
My name is hashbury not assburry
Join Date: Oct 2007
Location: Tampa
Posts: 1,125
I also caught this exact same thing about 8 months back. I tried everything: all kinds of spyware removers, ESET, Norton, AVG, even some lesser-known virus removers, but it always came back a few days to a week later. Finally I just got pissed and reinstalled XP. That took care of the problem, but I would like to know how this goes for you.
Old 2007-12-07, 10:11 AM   #19
CD Smith
The one and only at your service
Join Date: Aug 2003
Location: Winnipeg, MB, Canada
Posts: 669
I had something sort of similar hit my pc a couple of years back. Among lots of other things it would pop up forced ads whenever I would hit certain web pages. And I know they were forced because some of those web pages were MINE... and I know I had no popups running.

Anyway, I was running norton utilities on that pc and it had something called "GoBack" installed. That is ultimately what saved my bacon. After about a week of fighting this annoying bug and trying every manner of anti spyware and adware removal program out there I tried running GoBack... and took my pc back to a restore point before it got infected (about 8 days), reinitialized and POOF.... no more malicious install.

Of course I lost any work/emails etc that took place that week but it was a small price to pay for getting rid of that bug.

My only other option remaining was of course to wipe the harddrive and reinstall Windows.


If I were you I'd be looking at my system restore function in windows, or if you're running Norton then maybe you remembered to enable GoBack and you can restore your system to a time before it got infected.

Either way, best of luck.
Old 2007-12-07, 12:32 PM   #20
bluebrit
Along for the ride and loving it.
 
Join Date: Aug 2005
Location: Canada
Posts: 1,873
Just a thought, but when you finally sort this out, remember to turn off your System Restore and then turn it on again. Turning it off will wipe all your restore points, but if the virus has been stored, the restores are no good to you anyway. Turning it back on merely covers your ass for the future, and you can make a clean install point knowing it's safe.
Old 2007-12-07, 01:06 PM   #21
lassiter
I'm normally not a praying man, but if you're up there, please save me Superman!
Join Date: Aug 2003
Location: Austin, TX
Posts: 473
I keep getting popups urging me to patch QT, but now Apple will only allow me to update it in a combo package with iTunes, and when I accidentally ran the iTunes/QT installation combo, iTunes totally crippled every single video viewer (Winamp, MediaPlayer, RealPlayer, etc.) I had until I uninstalled the sucker. I have a WinXP machine, and no desire to actually run iTunes.

Previous patches have allowed the option of whether or not to install iTunes along with QT, but not anymore.
Old 2007-12-07, 01:34 PM   #22
CD Smith
The one and only at your service
Join Date: Aug 2003
Location: Winnipeg, MB, Canada
Posts: 669
Quote:
Originally Posted by bluebrit View Post
Just a thought, but when you finally sort this out, remember to turn off your System Restore and then turn it on again. Turning it off will wipe all your restore points, but if the virus has been stored, the restores are no good to you anyway. Turning it back on merely covers your ass for the future, and you can make a clean install point knowing it's safe.
Great point.
Old 2007-12-07, 03:31 PM   #23
spookyx
Kodak Ghosts Run Amok
Join Date: Apr 2003
Location: Hobbs End
Posts: 1,718
I am not going to suggest buying a Mac because that's just crazy talk.

There is one easy answer though if you are hand submitting. Load Linux in a dual boot setup... use Linux to submit. It runs Firefox very well, and even IE with a little work if you really need it.

Old 2007-12-07, 04:08 PM   #24
NY Jester
ICQ:147*079*406
Join Date: Oct 2007
Location: Rock*ME*Hardplace
Posts: 2,996
Hey guys, thanks for all the tips and heads-up. I'm actually working with the Major Geeks guys and they are really helping with everything, so I don't have to do a fresh install. I hate that. My one good thing is that I keep all my work, graphics, affiliate banners, free sites, galleries, etc., anything to do with the work end of my day, on an external HD, so it's not affected by anything and I won't lose any of it regardless of what happens. I've gone through 4 processes already, and it cured half my ills - the redirected homepage, the forced search results and those things. Now I'm working on removing the creepy crawlies! Using a tool called Dr Web, and it's finding plenty that was thrown at my machine during that attack, so I'm hoping that will cure it. As for the restore, yes, that's a good point, Blue, as to not save the restore points with the virus in it. I'll keep everyone posted.

Spooky, that sounds like a good idea, only I have 0 clue about Linux =( I'd be afraid to f*ck it all up.

Quote:
There is one easy answer though if you are hand submitting.
On a side note, anyone have any solutions to not hand submitting?
Last edited by NY Jester; 2007-12-07 at 04:20 PM..
Old 2007-12-07, 05:00 PM   #25
Bobc01
Banned
 
Join Date: Apr 2007
Location: Hell
Posts: 817
I got a kind of phishing junk mail today which seems to be related to this. It linked to an IP, so on a search I blocked the IPs in my firewall, which might help stop the files from downloading again...

http://thisistech.org/2007/12/04/qui...ill-unpatched/