Free Body Kit Giveaway!
#1
Former Vendor of MBWorld
Thread Starter
Free Body Kit Giveaway!
Hi everyone, I just wanted to remind you that for 2008 we will be giving away 1 free body kit every month until the end of the year. Please visit http://www.extremedimensions.com/freebodykit/ in order to sign up to be eligible for the drawing for a free bodykit. Also be sure to visit our website: http://www.extremedimensions.com for all of your aftermarket aerodynamic needs. Good luck!!!
#3
MBWorld Fanatic!
I just tried to go to this site.
When I go to the mercedes portion, it completely locked my system,
installed some backdoor software, apparently known as "Qbot" which caused
Norton Anti-Virus to tell me I had a virus,
Internet Explorer opened on its own, and wanted to access the internet (I use firefox, told it to get bent)
rebooting didn't get rid of it.
Ending process of IE (running in the background I might add, against my will)
just immediately opened another instance.
THIS SITE INSTALLED A VIRUS ON MY SYSTEM! I'm still trying to clean up the mess.
#8
MBWorld Fanatic!
#9
MBWorld Fanatic!
ROOTKIT
This site says it's a rootkit, which is VERY BAD!
http://www.wilderssecurity.com/showthread.php?t=156461
http://www.fileresearchcenter.com/Q/Q1.32585-9799.html
That being said, I think I got it before it could do too much damage.
I saw a process I didn't recognize (sorry, I didn't jot the name)
once I killed that I was able to stop IE.
I used a program called "ATF Cleaner" to clean out all my temp files.
Plus, I cleared my Firefox cache.
I deleted the folder and files mentioned in the link above, and
then ran ATF Cleaner again. (It's a small utility for clearing temp files, just search on it)
I went to c:\windows\prefetch
and deleted everything from today (sort by date)
and usually you can delete all this, but I just renamed the folder and then created a new empty one to be sure. There was a reference to the
offending file.
I scanned my system for qbot and deleted everything it found (you must enable hidden folders) And emptied my recycle bin.
Since I didn't allow access to the internet with Zonealarm via IE, I think I was lucky.
God knows what this thing wanted to download to my system!
(or upload elsewhere)
Someone please contact the Mods and get this thing taken down, till the
site owner can get things properly sorted!
This really pisses me off!
Last edited by C230 Sport Coup; 04-29-2008 at 05:50 PM.
#10
Moderator Alumni
Google "housecall" and use its features to remotely clean your computer. It is pretty dang good imo.
http://housecall.trendmicro.com/
You can just google "firefox noscript addon" too. Itll prevent little (java)scripts from running and thus preventing many potential harmful things from finding their way onto your computer. You can also directly choose what scripts to run and which ones NOT to run.
http://noscript.net/
GL
To admins/OP: Maybe these links should be temporarily disabled....
Last edited by TruTaing; 04-29-2008 at 03:26 PM.
#12
MBWorld Fanatic!
Geez, I was going to try to warn people in other forums, but he's got this link posted in a zillion places.
I could spend all day trying to warn people.
I called them directly to let them know their site has been compromised.
Last edited by C230 Sport Coup; 04-29-2008 at 04:10 PM.
#14
MBWorld Fanatic!
Define "fine".
Fine as you aren't noticing anything unusual?
But still no way for you to know if it installed.
That's the point of a rootkit. Invisible to you,
while it sends your personal data off to some former Eastern Bloc country.
Once installed according to the stuff I read it hides itself completely.
I got lucky before it could completely install.
It did actually create the files they mention.
Since the only thing I'd used recently in IE was the
epc site, it did actually contain my username and login.
Since I blocked IE via Zonealarm firewall, it couldn't complete what it wanted to do. (Which likely is compile all your data, credit cards, logins etc and send off to whoever is on the receiving end)
I would recommend scanning your system with a rootkit scanner.
The IP address on the site seems to have changed, as I pinged it initially, it came up as one address, now it's showing as another, so perhaps they're on top of it.
In any case, I've blocked them in my hosts file so I can't accidentally go there.
Last edited by C230 Sport Coup; 04-29-2008 at 04:59 PM.
#16
MBWorld Fanatic!
Hey that Noscript thing works really well.
Turns out the issue isn't on the exact pages he lists.
But if you dig deeper as I did, to look at W203 parts, that's where I got hit. adserv.cn is trying to load a script.
That's when the trouble started for me. .cn is the domain suffix for China. I think they got hacked and someone put in some scripts to download to this site in china which is associated with Malware. http://malwaredomains.com/ So, not every page has the redirects to the download of this rootkit. Just checked and all, if not most, of the W203 parts pages are infected.
Nice stuff they have though, now that I can safely check it out. AMG bumpers and such for $299 ! But alas nothing for the coupe.
Last edited by C230 Sport Coup; 04-29-2008 at 05:43 PM.
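The post above describes finding the injected script only on some pages (the W203 parts section), which is the situation a site owner faces when checking every page after a compromise. The following is an added example, not code from the thread or from the vendor: it parses page HTML, lists script and iframe sources served from other hosts, and flags those on a blocked domain, matching subdomains as well. The blocklist, the vendor hostname `www.example-vendor.test` and the sample pages are constructed here.

```python
"""Find script/iframe includes from blocked domains in a set of HTML pages.

Added example (not from the thread). Blocklist, page host and pages are
constructed; a real check would load a current domain blocklist and crawl
the site's own pages.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed blocklist; adserv.cn is the domain named in the thread.
BLOCKED_DOMAINS = {"adserv.cn"}


class _SrcCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def host_of(src, page_host):
    """Host a src attribute points at; relative URLs belong to the page host."""
    if src.startswith("//"):          # protocol-relative: //host/path
        src = "http:" + src
    host = urlsplit(src).hostname     # None for relative paths like /js/site.js
    return (host or page_host).lower()


def is_blocked(host):
    """True when host equals a blocked domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def third_party_sources(html, page_host):
    """(host, src) pairs for script/iframe sources not served by page_host."""
    parser = _SrcCollector()
    parser.feed(html)
    return [(h, s) for s in parser.sources
            if (h := host_of(s, page_host)) != page_host.lower()]


def scan_pages(pages):
    """pages: {url: html}. Returns {url: [offending src values]} for hits only."""
    hits = {}
    for url, html in pages.items():
        page_host = urlsplit(url).hostname.lower()
        bad = [s for h, s in third_party_sources(html, page_host) if is_blocked(h)]
        if bad:
            hits[url] = bad
    return hits


# Constructed sample pages: one clean, one carrying an injected include.
SAMPLE_PAGES = {
    "http://www.example-vendor.test/w203/bumpers.html":
        '<html><body><h1>W203 parts</h1><script src="/js/site.js"></script>'
        '<script src="//ad.adserv.cn/loader.js"></script></body></html>',
    "http://www.example-vendor.test/index.html":
        '<html><body><script src="/js/site.js"></script></body></html>',
}

if __name__ == "__main__":
    for url, srcs in scan_pages(SAMPLE_PAGES).items():
        print(url, "->", srcs)
```

Running it reports only the W203 page, with the protocol-relative `//ad.adserv.cn/loader.js` include; a page that only loads its own `/js/site.js` produces no hit.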
#17
MBWorld Fanatic!
Well, no don't. But the noscript add on blocks it.
Just curious if Kaspersky sees it.
#18
MBWorld Fanatic!
i've been on that site plenty of times, but it seems fine also. i also logged in with 2 different computers, and i know i'm protected. seems fine to me
but thanks for the heads up though, i'mma have to hella scan it now
#19
Super Member
#20
MBWorld Fanatic!
Highly recommend Spybot Search and Destroy - available here http://www.safer-networking.org/en/index.html
But it didn't catch it.
Anyone who's already infected needs a rootkit scanner.
#21
Former Vendor of MBWorld
Thread Starter
I want to apologize for everything that has happened with our site yesterday. Luckily C230 Sport Coup gave me a call and alerted me as to what was going on with our site. My management has told me that someone has hacked our site, but everything should be fine now. If anyone finds anything else wrong at all, please let me know right away so that I can have it properly fixed. Thanks!
#22
MBWorld Fanatic!
I updated S&D today, and noticed it had 3 rootkit updates that loaded.
Well, too bad I wasn't up to date. I went from 1.5 to 1.52.
Rootkits are like the new thing to the security industry, but they've actually been around a long time. (back orifice for instance)
Also, immunized my system, which may very well block the connection to the offending server that was running the toxic scripts. But I added them to my hosts file so either way I can't be connected.
Well it was a learning experience for me, which I can likely apply in my job to the real world.
Just hate when it happens to me!
Thomas, just went to your site, and I do see at least in the W203 section, it is no longer trying to run scripts from the offending server (which I won't list here, as someone may inadvertently click on it).
Hopefully they got all the scripting removed from all the pages it was affecting, and your people took the time to check every page.
BTW, nice stuff. Too bad there's nothing for the coupe!
Last edited by C230 Sport Coup; 04-30-2008 at 12:18 PM.
#23
Moderator Alumni
Highly recommend Spybot Search and Destroy - available here http://www.safer-networking.org/en/index.html
Sport Coup: if you had tea timer on, you would have probably been able to tell if the program was installing itself and not give it permission to make changes to your registry and to fully install itself.
edit: I'd also be a bit wary of DLing/installing programs that are supposed to get rid of malicious programs too... Often it's just a ploy to get you to install more malicious software.
Last edited by TruTaing; 04-30-2008 at 01:17 PM.
#24
MBWorld Fanatic!
Yes, actually it was Tea Timer that tipped me off.
It was asking if some Usrpromt thing could be changed.
Turned out, it was NAV trying to tell me I had a virus.
I disallowed it, yanked my network card, and then went into the
SD to see what I'd disallowed.
It showed that NAV was trying to alert me to files in a folder
called c:\doc_settings\all users\ _qbothome
A quick search on the name of the directory was what alerted me I'd been hosed.
I run Zone Alarm free, and it also popped up and IE wanted access to the internet. But I wasn't using IE. (I have it set to ASK for IE, just in situations like this) I use Firefox, and for good reason.
Saved my butt yesterday.
I noticed a process running I didn't recognize (since I pretty much know what's supposed to be running on my system), it was one related to one of the files in the _qbothome. (Which I determined using process explorer)
I killed that, then was able to delete the _qbothome folder.
I did a search on anything with Qbot in it, and found some stuff in the prefetch folder, and deleted that too.
Once that process was shut down, I was able to kill IE, which previously would not end, or would just restart instantly.
One of the links mentioned some registry keys, but I wasn't affected since it never fully installed, since I didn't allow it access to the internet.
Still, I'm amazed the way it deftly downloaded the files and folder to my system and ran the program all in about 5 seconds.
According to what I read, if it had installed it would have made itself invisible, and attached itself to the windows UI (part of making itself invisible), and you'd have to use a windows CD to boot to a command prompt to delete the files.
NASTY STUFF!!!!! I wonder how many people now have a backdoor into their system transmitting credit cards, SS #'s, and whatever else off to some internet crook because of this.
Spybot is best for its smaller application called "tea timer." It monitors registry changes and you can choose to allow them or not, but for whatever reason the last versions of spybot came w/ tea timer defaulted to being off and not even being installed.
I took the advice and installed the noscript which then allowed me to see which script was the offending site.
I then did a search to find a reasonably up to date list of known malicious sites in the form of a hosts file.
I added all those sites to my hosts file, + the one that had the bad script
adserv dot cn.
I updated Spybot, which also added a large list of blacklisted sites via the
internet security settings, but the hosts file is the sure way to block, as I'm not sure if in using Firefox if it looks at the Internet security settings.
I'll go back and make sure tea timer is turned on!
And yes, often so called "programs that are supposed to get rid of malicious programs" can often be spyware.
Best to do a search before downloading, and read the EULA and privacy agreements well on something new and unknown.
When it says something about you agreeing to allow info to be sent back for the purposes of providing ad content, or "custom" content, just say no!
Sport Coup: if you had tea timer on, you would have probably been able to tell if the program was installing itself and not give it permission to make changes to your registry and to fully install itself.
edit: I'd also be a bit wary of DLing/installing programs that are supposed to get rid of malicious programs too... Often it's just a ploy to get you to install more malicious software.
Last edited by C230 Sport Coup; 04-30-2008 at 01:57 PM.
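The post above merges a downloaded hosts-format blocklist into the local hosts file and adds the offending domain by hand, noting that the hosts file blocks for every browser, unlike the IE security zones. The following is an added example, not the poster's procedure or any tool's code: it parses hosts-file text, appends blocklist entries once each without touching localhost, and checks whether a name is sunk. The hosts contents and the blocklist are constructed strings; a real run would read the system hosts file and a current list.

```python
"""Merge a hosts-format malware blocklist into a hosts file, then verify.

Added example (not from the thread). All inputs are constructed strings;
a real run would read the system hosts file and a downloaded blocklist.
"""
SINKHOLE = "0.0.0.0"                      # non-routable; 127.0.0.1 also common
SINK_ADDRS = {"0.0.0.0", "127.0.0.1"}


def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:            # one address may list several names
            yield parts[0], name.lower()


def blocked_names(text):
    """Hostnames the hosts text maps to a sinkhole address (localhost excluded)."""
    return {n for a, n in parse_hosts(text)
            if a in SINK_ADDRS and n != "localhost"}


def merge_blocklist(hosts_text, blocklist_text, extra=()):
    """Return hosts text with blocklist names (and extras) appended once each.

    Names already present in hosts_text are left as they are, so an existing
    mapping is never silently changed; localhost is never added.
    """
    have = {n for _, n in parse_hosts(hosts_text)}
    wanted = [n for _, n in parse_hosts(blocklist_text)] + [e.lower() for e in extra]
    lines = hosts_text.rstrip("\n").splitlines()
    lines.append("# --- merged malware blocklist ---")
    seen = set()
    for name in wanted:
        if name in have or name in seen or name == "localhost":
            continue
        seen.add(name)
        lines.append(f"{SINKHOLE} {name}")
    return "\n".join(lines) + "\n"


def is_sunk(hosts_text, name):
    """True only for an exact name: hosts files do not match subdomains."""
    return name.lower() in blocked_names(hosts_text)


# Constructed inputs; adserv.cn is the domain named in the thread.
EXISTING_HOSTS = "# constructed hosts file\n127.0.0.1       localhost\n::1 localhost\n"
BLOCKLIST = ("# constructed blocklist\n127.0.0.1 localhost\n"
             "0.0.0.0 malware.example\n0.0.0.0 adserv.cn\n"
             "0.0.0.0 tracker.example  # trailing comment\n")

if __name__ == "__main__":
    merged = merge_blocklist(EXISTING_HOSTS, BLOCKLIST, extra=("adserv.cn",))
    print(merged)
    print("adserv.cn sunk:", is_sunk(merged, "adserv.cn"))
    print("ad.adserv.cn sunk:", is_sunk(merged, "ad.adserv.cn"))
```

The second check shows the caveat: a hosts entry for `adserv.cn` does not cover `ad.adserv.cn`, so a script loaded from a subdomain still gets through unless that name is listed too.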