Thread 107078 in Press F1: IS2010.exe/IS15.exe (started 2010-02-03 07:37:00 by linw (53))
Post 854937, 2010-02-04 15:14:00, Chikara (5139):

> Yep, that is certainly what it was/is. I think this comp was attacked via a script in an mp3 file that loaded a trojan loader. The rest (including a password copier) got loaded from there.
>
> Malwarebytes and MSE found and deleted several baddies but there is still something else lurking.

Not trying to hijack this thread or anything, but I'm curious about how an mp3 file can run a script... (not being sarcastic, I genuinely don't understand how this works)...
Do you mean it's a fake double-extension file, e.g. filename.mp3.exe?? If so, I could understand it doing dodgy things.

But if the file extension was indeed just .mp3, wouldn't it just try and load through the default media player and not play if it's not a valid music file? How does it actually run a script??
Post 854938, 2010-02-04 19:38:00, fred_fish (15241):

That would be a good question for the WMP devs.... :xmouth:
Post 854939, 2010-02-04 19:53:00, Speedy Gonzales (78):

If he means something like this (www.informationweek.com) then it's not an MP3 at all. It's fake.
Post 854940, 2010-02-04 20:15:00, linw (53):

See here: www.dslreports.com/forum/r20444683-Rogue-MP3-Trojan-streaks-across-P2P-networks

Seems like WMP can execute a script file in an mp3.

In the case I have at the moment, indeed, IE did get run around the right timeframe but my friend only uses FF so it was likely IE was called by rogue software.

Anyway, this system is still loading gambling sites. I am now looking at add-ons/plugins but it is tedious as the nasties don't appear reliably.
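The exchange above turns on one point: a file is not an MP3 because its name ends in .mp3, and a player (or Explorer) decides what to do with it from its content or its true last extension, not from the label the user sees. The following check is an added example, not code from the thread or from any tool named in it. It sniffs the first bytes of a file for the signatures of MPEG audio, the ASF/WMA container and a Windows PE executable, and flags two distinct things a defender would want to know: a double extension such as filename.mp3.exe (a naming trick) and a content/extension mismatch such as an ASF container or an executable saved as .mp3 (a content trick). The sample byte strings and file names are constructed for the demonstration; the magic numbers themselves are the documented ones for those formats.

```python
import re

# Documented magic numbers for the formats this check recognises.
ASF_HEADER_GUID = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")  # ASF/WMA/WMV header object GUID
PE_MAGIC = b"MZ"    # DOS stub that begins every Windows PE executable
ID3_MAGIC = b"ID3"  # MP3 carrying an ID3v2 tag


def classify(data: bytes) -> str:
    """Return a coarse content type ('mp3', 'asf', 'pe' or 'unknown') from the first bytes."""
    if data.startswith(ID3_MAGIC):
        return "mp3"
    # Raw MPEG audio: an 11-bit frame sync, i.e. the first two bytes masked with 0xFFE0 are all ones.
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    if data.startswith(ASF_HEADER_GUID):
        return "asf"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


# A media-looking extension followed by one that Windows will execute (hypothetical list, extend as needed).
DOUBLE_EXT = re.compile(r"\.(mp3|wma|avi|jpg)\.(exe|scr|com|pif|bat|cmd)$", re.IGNORECASE)

# What content we expect behind a given real (last) extension.
EXPECTED_CONTENT = {"mp3": "mp3", "wma": "asf", "exe": "pe"}


def check_file(name: str, data: bytes) -> dict:
    """Compare a file's name with its content and report the two separate warning signs."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    content = classify(data)
    expected = EXPECTED_CONTENT.get(ext)
    return {
        "name": name,
        "extension": ext,
        "content": content,
        "double_extension": bool(DOUBLE_EXT.search(name)),
        # Only judge a mismatch for extensions we know how to verify.
        "mismatch": expected is not None and content != expected,
    }


def scan_samples() -> list:
    """Run check_file over constructed samples (not real malware) that illustrate each case."""
    samples = {
        "genuine.mp3": ID3_MAGIC + b"\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00",  # tagged MP3
        "raw.mp3": b"\xff\xfb\x90\x00" + b"\x00" * 16,                                  # untagged MPEG audio
        "fake.mp3": ASF_HEADER_GUID + b"\x00" * 16,                                     # ASF container named .mp3
        "song.mp3.exe": PE_MAGIC + b"\x90\x00" + b"\x00" * 60,                          # executable with a double extension
    }
    return [check_file(name, data) for name, data in samples.items()]


def flagged(results: list) -> list:
    """Names that show either warning sign, sorted for stable output."""
    return sorted(r["name"] for r in results if r["mismatch"] or r["double_extension"])


if __name__ == "__main__":
    for r in scan_samples():
        print(f"{r['name']:14} ext={r['extension']:4} content={r['content']:8} "
              f"double_ext={r['double_extension']} mismatch={r['mismatch']}")
    print("flagged:", flagged(scan_samples()))
```

Note that the two signals are deliberately kept apart: song.mp3.exe has a PE body behind a real .exe extension, so its content is consistent and only the double extension is reported, whereas fake.mp3 has a perfectly honest name and is caught only because its bytes are an ASF header. Sniffing only the first few bytes is a triage heuristic, not proof of malice; a quarantine decision still needs a scanner or a hash lookup.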
Post 854941, 2010-02-05 02:08:00, linw (53):

Combofix didn't even fix it in spite of deleting about 20 files (numerically named exes from system32 directory).

Guess it is a hopeless case if all the scanners I have run can't find the rogues. Damn, I really didn't want to reinstall everything!
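The "numerically named exes" linw mentions are a cheap triage signal worth checking by hand: legitimate Windows system files have descriptive names, so a System32 full of files like 1234567.exe stands out. The script below is an added example, not part of the thread or of Combofix. It lists (and only lists, never deletes) executables whose base name is made of digits alone; the directory walked and the extension list are assumptions for the illustration, and the sample file names in the test are constructed. Treat hits as leads for a scanner or a hash lookup, since an odd name alone is not proof of infection.

```python
import os
import re
import sys

# Base name consisting only of digits, followed by an executable extension (assumed list).
NUMERIC_EXE = re.compile(r"^\d+\.(exe|dll|sys)$", re.IGNORECASE)


def flag_numeric_names(filenames) -> list:
    """Return, sorted, the bare file names that match the numeric-name pattern."""
    return sorted(name for name in filenames if NUMERIC_EXE.match(name))


def scan_directory(root: str) -> list:
    """Walk a tree and return full paths of matching files; read-only, nothing is changed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in flag_numeric_names(files):
            hits.append(os.path.join(dirpath, name))
    return hits


if __name__ == "__main__":
    # Default target: %SystemRoot%\System32, the directory named in the post; override on the command line.
    default_root = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    target = sys.argv[1] if len(sys.argv) > 1 else default_root
    for path in scan_directory(target):
        print(path)
```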
Post 854942, 2010-02-05 02:10:00, Speedy Gonzales (78):

Get TeamViewer if you want, then boot into safe mode / networking. And I'll check it out. Send the ID and pw to me in a PM.
Post 854943, 2010-02-07 11:30:00, linw (53):

Thanks, Speedy, for the help on Friday night - much appreciated.

I am pretty sure I now know what is wrong with the infected machine. The malware scanners got rid of pretty much all the nasties but couldn't see the TDSS rootkit installed. This rootkit uses a Google redirect scheme to fire up advertising sites.

Kaspersky has a TDSSKiller.exe to detect and remove this bad boy. It did detect files and registry entries and hopefully removed it.

So a warning to keep an eye out for this one.

Will test it for a while but am not sure the setup can be trusted anymore.

The 'fix' is here as well as a severe warning!

www.bleepingcomputer.com/forums/index.php?showtopic=289566&hl=google+redirect