C-Class (W203) 2001-2007, C160, C180, C200, C220, C230, C240, C270, C280, C300, C320, C230K, C350, Coupe

Free Body Kit Giveaway!

Old 04-29-2008, 12:01 PM
  #1  
Former Vendor of MBWorld
Thread Starter
 
Extreme Dimensions's Avatar
 
Join Date: Jan 2008
Location: Fullerton, CA
Posts: 957
Received 10 Likes on 10 Posts
Too Many To List
Free Body Kit Giveaway!

Hi everyone, I just wanted to remind you that for 2008 we will be giving away 1 free body kit every month until the end of the year. Please visit http://www.extremedimensions.com/freebodykit/ in order to sign up to be eligible for the drawing for a free bodykit. Also be sure to visit our website: http://www.extremedimensions.com for all of your aftermarket aerodynamic needs. Good luck!!!
Old 04-29-2008, 12:20 PM
  #2  
Super Moderator

 
MJ50's Avatar
 
Join Date: Jul 2003
Location: MBworld
Posts: 21,149
Received 779 Likes on 758 Posts
bone stock E55 AMG
site's working now....
Old 04-29-2008, 02:04 PM
  #3  
MBWorld Fanatic!
 
C230 Sport Coup's Avatar
 
Join Date: Jun 2002
Location: So. Oregon Coast
Posts: 6,912
Received 122 Likes on 112 Posts
C230 Sport Coup + 2006 W164 ML350 + 99 Ford Escort (What the heck, it gets 38 mpg!)
I just tried to go to this site.
When I go to the mercedes portion, it completely locked my system,
installed some backdoor software, apparently known as "Qbot" which caused
Norton Anti-Virus to tell me I had a virus,
Internet Explorer opened on its own, and wanted to access the internet (I use firefox, told it to get bent)
rebooting didn't get rid of it.
Ending process of IE (running in the background I might add, against my will)
just immediately opened another instance.

THIS SITE INSTALLED A VIRUS ON MY SYSTEM! I'm still trying to clean up the mess.
Old 04-29-2008, 02:15 PM
  #4  
Moderator Alumni
 
TruTaing's Avatar
 
Join Date: Apr 2006
Location: Seattle
Posts: 3,255
Likes: 0
Received 20 Likes on 7 Posts
w203 m112
Gotta use the noscript addon when surfing the web w/ firefox :x
Old 04-29-2008, 02:23 PM
  #5  
Super Moderator

 
MJ50's Avatar
 
Join Date: Jul 2003
Location: MBworld
Posts: 21,149
Received 779 Likes on 758 Posts
bone stock E55 AMG
my firefox froze on me too but didn't know it was a virus..
damn, gotta scan my computer now...
giveaway FTL...
Old 04-29-2008, 02:36 PM
  #6  
Member
 
karma23's Avatar
 
Join Date: Mar 2008
Posts: 108
Likes: 0
Received 0 Likes on 0 Posts
06 w219 & 00 w208
Same thing with mine. My work IT guy just came over and said that he's getting a report of a site trying to dump a virus on my machine.
Old 04-29-2008, 02:42 PM
  #7  
Super Moderator

 
MJ50's Avatar
 
Join Date: Jul 2003
Location: MBworld
Posts: 21,149
Received 779 Likes on 758 Posts
bone stock E55 AMG
and this thread is posted everywhere in this forum....
Old 04-29-2008, 02:52 PM
  #8  
MBWorld Fanatic!
 
C230 Sport Coup's Avatar
 
Join Date: Jun 2002
Location: So. Oregon Coast
Posts: 6,912
Received 122 Likes on 112 Posts
C230 Sport Coup + 2006 W164 ML350 + 99 Ford Escort (What the heck, it gets 38 mpg!)
Originally Posted by TruTaing
Gotta use the noscript addon when surfing the web w/ firefox :x
Can you elaborate please?
Where do we get this addon?
Old 04-29-2008, 02:58 PM
  #9  
MBWorld Fanatic!
 
C230 Sport Coup's Avatar
 
Join Date: Jun 2002
Location: So. Oregon Coast
Posts: 6,912
Received 122 Likes on 112 Posts
C230 Sport Coup + 2006 W164 ML350 + 99 Ford Escort (What the heck, it gets 38 mpg!)
ROOTKIT

This site says it's a rootkit, which is VERY BAD!
http://www.wilderssecurity.com/showthread.php?t=156461
http://www.fileresearchcenter.com/Q/Q1.32585-9799.html
That being said, I think I got it before it could do too much damage.
I saw a process I didn't recognize (sorry, I didn't jot the name)
once I killed that I was able to stop IE.

I used a program called "ATF Cleaner" to clean out all my temp files.
Plus, I cleared my Firefox cache.
I deleted the folder and files mentioned in the link above, and
then ran ATF Cleaner again. (It's a small utility for clearing temp files, just search on it)
I went to c:\windows\prefetch
and deleted everything from today (sort by date)
and usually you can delete all this, but I just renamed the folder and then created a new empty one to be sure. There was a reference to the
offending file.
I scanned my system for qbot and deleted everything it found (you must enable hidden folders) And emptied my recycle bin.

Since I didn't allow access to the internet with Zonealarm via IE, I think I was lucky.
God knows what this thing wanted to download to my system!
(or upload elsewhere)

Someone please contact the Mods and get this thing taken down, till the
site owner can get things properly sorted!

This really pisses me off!

Last edited by C230 Sport Coup; 04-29-2008 at 05:50 PM.
Old 04-29-2008, 03:23 PM
  #10  
Moderator Alumni
 
TruTaing's Avatar
 
Join Date: Apr 2006
Location: Seattle
Posts: 3,255
Likes: 0
Received 20 Likes on 7 Posts
w203 m112
Google "housecall" and use its features to remotely clean your computer. It is pretty dang good imo.

http://housecall.trendmicro.com/

You can just google "firefox noscript addon" too. It'll prevent little (java)scripts from running and thus preventing many potentially harmful things from finding their way onto your computer. You can also directly choose what scripts to run and which ones NOT to run.

http://noscript.net/

GL

To admins/OP: Maybe these links should be temporarily disabled....

Last edited by TruTaing; 04-29-2008 at 03:26 PM.
Old 04-29-2008, 03:50 PM
  #11  
Senior Member
 
JLD2k3's Avatar
 
Join Date: May 2006
Location: VA
Posts: 268
Likes: 0
Received 1 Like on 1 Post
2002 C320
ED has a banner ad at the top of this page, but it's a virus planting spyware site...what's the deal? Moderator?
Old 04-29-2008, 03:56 PM
  #12  
MBWorld Fanatic!
 
C230 Sport Coup's Avatar
 
Join Date: Jun 2002
Location: So. Oregon Coast
Posts: 6,912
Received 122 Likes on 112 Posts
C230 Sport Coup + 2006 W164 ML350 + 99 Ford Escort (What the heck, it gets 38 mpg!)
Geez, I was going to try to warn people in other forums, but he's got this link posted in a zillion places.
I could spend all day trying to warn people.

I called them directly to let them know their site has been compromised.

Last edited by C230 Sport Coup; 04-29-2008 at 04:10 PM.
Old 04-29-2008, 04:42 PM
  #13  
MBworld Guru
 
FrankW's Avatar
 
Join Date: Apr 2002
Location: Diamond Bar, CA
Posts: 22,007
Likes: 0
Received 6 Likes on 6 Posts
white and whiter
i just went to their site, but it's fine for me.
Old 04-29-2008, 04:55 PM
  #14  
MBWorld Fanatic!
 
C230 Sport Coup's Avatar
 
Join Date: Jun 2002
Location: So. Oregon Coast
Posts: 6,912
Received 122 Likes on 112 Posts
C230 Sport Coup + 2006 W164 ML350 + 99 Ford Escort (What the heck, it gets 38 mpg!)
Define "fine."
Fine as you aren't noticing anything unusual?
But still no way for you to know if it installed.
That's the point of a rootkit. Invisible to you,
while it sends your personal data off to some former Eastern Bloc country.

Once installed according to the stuff I read it hides itself completely.
I got lucky before it could completely install.
It did actually create the files they mention.
Since the only thing I'd used recently in IE was the
epc site, it did actually contain my username and login.
Since I blocked IE via Zonealarm firewall, it couldn't complete what it wanted to do. (Which likely is compile all your data, credit cards, logins etc and send off to whoever is on the receiving end)

I would recommend scanning your system with a rootkit scanner.
The IP address on the site seems to have changed, as I pinged it initially, it came up as one address, now it's showing as another, so perhaps they're on top of it.
In any case, I've blocked them in my hosts file so I can't accidentally go there.

Last edited by C230 Sport Coup; 04-29-2008 at 04:59 PM.
Old 04-29-2008, 05:03 PM
  #15  
MBworld Guru
 
FrankW's Avatar
 
Join Date: Apr 2002
Location: Diamond Bar, CA
Posts: 22,007
Likes: 0
Received 6 Likes on 6 Posts
white and whiter
i always have 3 AVP running. I would know if something's wrong with it.

if you have norton, I would suggest making the change. Kaspersky is much better.
Old 04-29-2008, 05:37 PM
  #16  
MBWorld Fanatic!
 
C230 Sport Coup's Avatar
 
Join Date: Jun 2002
Location: So. Oregon Coast
Posts: 6,912
Received 122 Likes on 112 Posts
C230 Sport Coup + 2006 W164 ML350 + 99 Ford Escort (What the heck, it gets 38 mpg!)
Hey that Noscript thing works really well.
Turns out the issue isn't on the exact pages he lists.
But if you dig deeper as I did, to look at W203 parts, that's where I got hit. adserv.cn is trying to load a script.

That's when the trouble started for me. .cn is the domain suffix for China. I think they got hacked and someone put in some scripts to download to this site in China which is associated with malware. http://malwaredomains.com/ So, not every page has the redirects to the download of this rootkit. Just checked and all if not most of the W203 parts pages are infected.

Nice stuff they have though, now that I can safely check it out. AMG bumpers and such for $299 ! But alas nothing for the coupe.

Last edited by C230 Sport Coup; 04-29-2008 at 05:43 PM.
Old 04-29-2008, 05:52 PM
  #17  
MBWorld Fanatic!
 
C230 Sport Coup's Avatar
 
Join Date: Jun 2002
Location: So. Oregon Coast
Posts: 6,912
Received 122 Likes on 112 Posts
C230 Sport Coup + 2006 W164 ML350 + 99 Ford Escort (What the heck, it gets 38 mpg!)
Originally Posted by FrankW
i always have 3 AVP running. I would know if something's wrong with it.

if you have norton, I would suggest making the change. Kaspersky is much better.
I dare you to go to the W203 section and see if it catches it.
Well, no don't. But the noscript add on blocks it.
Just curious if Kaspersky sees it.
Old 04-29-2008, 06:45 PM
  #18  
MBWorld Fanatic!
 
Mu9enx's Avatar
 
Join Date: Aug 2007
Location: Sacramento/San Gabriel/Riverside
Posts: 3,560
Likes: 0
Received 2 Likes on 2 Posts
01' C32o
i've been on that site plenty of times, but it seems fine also. i also logged in with 2 different computers, and i know i'm protected. seems fine to me

but thanks for the heads up though, i'mma have to hella scan it now
Old 04-29-2008, 07:12 PM
  #19  
Super Member
 
UK-C200's Avatar
 
Join Date: Nov 2007
Location: London, GB
Posts: 529
Likes: 0
Received 0 Likes on 0 Posts
RHD C200 Sport Coupe, RHD SLK-55, LHD SLK-350
Originally Posted by Mu9enx
i've been on that site plenty of times, but it seems fine also. i also logged in with 2 different computers, and i know i'm protected. seems fine to me

but thanks for the heads up though, i'mma have to hella scan it now
Highly recommend Spybot Search and Destroy - available here http://www.safer-networking.org/en/index.html
Old 04-29-2008, 07:42 PM
  #20  
MBWorld Fanatic!
 
C230 Sport Coup's Avatar
 
Join Date: Jun 2002
Location: So. Oregon Coast
Posts: 6,912
Received 122 Likes on 112 Posts
C230 Sport Coup + 2006 W164 ML350 + 99 Ford Escort (What the heck, it gets 38 mpg!)
Originally Posted by UK-C200
Highly recommend Spybot Search and Destroy - available here http://www.safer-networking.org/en/index.html
Yes, good program.
But it didn't catch it.

Anyone who's already infected needs a rootkit scanner.
Old 04-30-2008, 11:26 AM
  #21  
Former Vendor of MBWorld
Thread Starter
 
Extreme Dimensions's Avatar
 
Join Date: Jan 2008
Location: Fullerton, CA
Posts: 957
Received 10 Likes on 10 Posts
Too Many To List
I want to apologize for everything that has happened with our site yesterday. Luckily C230 Sport Coup gave me a call and alerted me as to what was going on with our site. My management has told me that someone has hacked our site, but everything should be fine now. If anyone finds anything else wrong at all, please let me know right away so that I can have it properly fixed. Thanks!
Old 04-30-2008, 12:11 PM
  #22  
MBWorld Fanatic!
 
C230 Sport Coup's Avatar
 
Join Date: Jun 2002
Location: So. Oregon Coast
Posts: 6,912
Received 122 Likes on 112 Posts
C230 Sport Coup + 2006 W164 ML350 + 99 Ford Escort (What the heck, it gets 38 mpg!)
I updated S&D today, and noticed it had 3 rootkit updates that loaded.
Well, too bad I wasn't up to date. I went from 1.5 to 1.52.
Rootkits are like the new thing to the security industry, but they've actually been around a long time. (Back Orifice for instance)
Also, immunized my system, which may very well block the connection to the offending server that was running the toxic scripts. But I added them to my hosts file so either way I can't be connected.

Well it was a learning experience for me, which I can likely apply in my job to the real world.
Just hate when it happens to me!

Thomas, just went to your site, and I do see at least in the W203 section, it is no longer trying to run scripts from the offending server (which I won't list here, as someone may inadvertently click on it).
Hopefully they got all the scripting removed from all the pages it was affecting, and your people took the time to check every page.

BTW, nice stuff. Too bad there's nothing for the coupe!

Last edited by C230 Sport Coup; 04-30-2008 at 12:18 PM.
Old 04-30-2008, 01:12 PM
  #23  
Moderator Alumni
 
TruTaing's Avatar
 
Join Date: Apr 2006
Location: Seattle
Posts: 3,255
Likes: 0
Received 20 Likes on 7 Posts
w203 m112
Originally Posted by UK-C200
Highly recommend Spybot Search and Destroy - available here http://www.safer-networking.org/en/index.html
Spybot is best for its smaller application called "tea timer." It monitors registry changes and you can choose to allow them or not, but for whatever reason the last versions of spybot came w/ tea timer defaulted to being off and not even being installed.

Originally Posted by C230 Sport Coup
But it didn't catch it.
Sport Coup: if you had tea timer on, you would have probably been able to tell if the program was installing itself and not give it permission to make changes to your registry and to fully install itself.

edit: I'd also be a bit wary of DLing/installing programs that are supposed to get rid of malicious programs too... Often it's just a ploy to get you to install more malicious software.

Last edited by TruTaing; 04-30-2008 at 01:17 PM.
Old 04-30-2008, 01:48 PM
  #24  
MBWorld Fanatic!
 
C230 Sport Coup's Avatar
 
Join Date: Jun 2002
Location: So. Oregon Coast
Posts: 6,912
Received 122 Likes on 112 Posts
C230 Sport Coup + 2006 W164 ML350 + 99 Ford Escort (What the heck, it gets 38 mpg!)
Yes, actually it was Tea Timer that tipped me off.
It was asking if some Usrpromt thing could be changed.
Turned out, it was NAV trying to tell me I had a virus.
I disallowed it, yanked my network card, and then went into the
SD to see what I'd disallowed.
It showed that NAV was trying to alert me to files in a folder
called c:\doc_settings\all users\ _qbothome

A quick search on the name of the directory was what alerted me I'd been hosed.
I run Zone Alarm free, and it also popped up and IE wanted access to the internet. But I wasn't using IE. (I have it set to ASK for IE, just in situations like this) I use Firefox, and for good reason.
Saved my butt yesterday.

I noticed a process running I didn't recognize (since I pretty much know what's supposed to be running on my system), it was one related to one of the files in the _qbothome. (Which I determined using process explorer)

I killed that, then was able to delete the _qbothome folder.
I did a search on anything with Qbot in it, and found some stuff in the prefetch folder, and deleted that too.
Once that process was shut down, I was able to kill IE, which previously would not end, or would just restart instantly.

One of the links mentioned some registry keys, but I wasn't affected since it never fully installed, since I didn't allow it access to the internet.
Still, I'm amazed the way it deftly downloaded the files and folder to my system and ran the program all in about 5 seconds.
According to what I read,
If it had installed it would have made itself invisible, and attached itself to the windows UI (part of making itself invisible), and you'd have to use a windows CD to boot to a command prompt to delete the files.
NASTY STUFF!!!!! I wonder how many people now have a backdoor into their system transmitting credit cards, SS #'s, and whatever else off to some internet crook because of this.

Originally Posted by TruTaing
Spybot is best for its smaller application called "tea timer." It monitors registry changes and you can choose to allow them or not, but for whatever reason the last versions of spybot came w/ tea timer defaulted to being off and not even being installed.

I took the advice and installed the noscript which then allowed me to see which script was the offending site.

I then did a search to find a reasonably up to date list of known malicious sites in the form of a hosts file.

I added all those sites to my hosts file, + the one that had the bad script
adserv dot cn.

I updated Spybot, which also added a large list of blacklisted sites via the
internet security settings, but the hosts file is the sure way to block, as I'm not sure if in using Firefox if it looks at the Internet security settings.

I'll go back and make sure tea timer is turned on!

And yes, often so called "programs that are supposed to get rid of malicious programs " can often be spyware.

Best to do a search before downloading, and read the EULA and privacy agreements well on something new and unknown.
When it says something about you agreeing to allow info to be sent back for the purposes of providing ad content, or "custom" content, just say no!

Sport Coup: if you had tea timer on, you would have probably been able to tell if the program was installing itself and not give it permission to make changes to your registry and to fully install itself.

edit: I'd also be a bit wary of DLing/installing programs that are supposed to get rid of malicious programs too... Often it's just a ploy to get you to install more malicious software.

Last edited by C230 Sport Coup; 04-30-2008 at 01:57 PM.
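
Added example (not written by any poster in this thread): a small audit that lists the off-site hosts a saved page pulls scripts or iframes from and checks each against a hosts-format blocklist, the two steps described in posts #16 and #24. The function names, the sample page and every hostname except adserv.cn are constructed for illustration; it also shows that a hosts entry matches one exact name only, so a subdomain of a listed host is not covered.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample data; only adserv.cn comes from the thread.
SAMPLE_HOSTS = """# constructed blocklist in hosts-file format
127.0.0.1 localhost
127.0.0.1 adserv.cn        # host named in the thread
0.0.0.0   tracker.example  # constructed entry
"""
SAMPLE_PAGE = """<html><body>
<script src="/js/menu.js"></script>
<script src="http://shop.example/js/site.js"></script>
<script src="http://adserv.cn/a.js"></script>
<iframe src="//cdn.tracker.example/frame.html"></iframe>
</body></html>"""

def parse_hosts(text):
    """Return the hostnames that a hosts-format blocklist points at a sink address."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2 and fields[0] in ("127.0.0.1", "0.0.0.0"):
            blocked.update(name.lower() for name in fields[1:])
    blocked.discard("localhost")
    return blocked

class _SrcCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def audit_page(html, page_host, blocked):
    """Map each off-site script/iframe host to 'blocked' or 'unlisted'."""
    collector = _SrcCollector()
    collector.feed(html)
    findings = {}
    for src in collector.sources:
        host = (urlparse(src).hostname or "").lower()
        if not host or host == page_host:
            continue                              # relative or same-site resource
        # Hosts files match exact names only, so no suffix matching here.
        findings[host] = "blocked" if host in blocked else "unlisted"
    return findings

if __name__ == "__main__":
    print(audit_page(SAMPLE_PAGE, "shop.example", parse_hosts(SAMPLE_HOSTS)))
```

An "unlisted" result is not a verdict that the host is safe; it only means the blocklist would not stop the browser from contacting it.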
