XTR3M368 Posted October 25, 2010
Kudos added to baihbalm for having a level head enough to take notes and post your fix. I got a different, but similar one that was even nastier than what was described about this one on the site you provided. There must be a similar exploit that these are using. I was rushing to stay ahead of this...sorry for not taking notes. I was a little hacked off... :P
Arknines Posted October 26, 2010
I had a hit a few months ago, I just adblock+noscript+host blocked anything related to blacktree and the raw IP address of some domain linking through it that was actually serving it.
MadMike710 Posted October 26, 2010
So it's still not safe to use TESNexus? Damn...
KDStudios Posted October 26, 2010
MadMike. It's about as safe to visit as any other site. The malware came from the adverts... NOT the nexus. Read the rest of this man.
LHammonds Posted October 26, 2010
Screenshots people....SCREENSHOTS. If Dark0ne sees a screenshot of the ad with the problem, it can be removed in minutes...until then, I'm not sure what can be done since Dark0ne will see completely different ads than me because of demographic targeting. It is still entirely possible the "drive-by-infection" occurred on another site/tab and didn't reveal itself until later.
The Google malware scanner does a pretty good job at finding problems even if the ads are demographic-based but they are not showing any infection coming from ads on any Nexus site...but still, we need S*C*R*E*E*N*S*H*O*T*S for maximum effectiveness.
Press the Print Screen button to capture your view in memory and open any image editor (Windows comes with MS Paint which can be found in Start --> All Programs --> Accessories), paste it (CTRL+V) and save the image for later upload to this site, Photobucket or Imageshack.
One more time.... NEED SCREENSHOTS
XTR3M368 Posted October 26, 2010
I feel for the staff and owner. It is not their fault and those attacks must be very frustrating. KD is right, it is not the site that is dangerous, it is the ads....some of the ads (at least one for sure) are VERY dangerous though. Check through the past comments for fixes and hope you don't get the virus I did....I seriously considered reformatting a couple of times.
*sorry LHammonds....I know I should have done some screenies...I was just running my bum off trying to stay ahead of it. (added after I saw his post)
*edit* I just realized that I couldn't have done screenies...the virus disabled all programs from opening...which would have included paint. :(
Edited October 26, 2010 by XTR3M368
MadMike710 Posted October 27, 2010
> MadMike. It's about as safe to visit as any other site. The malware came from the adverts... NOT the nexus. Read the rest of this man.
Well forgive me if I didn't want to read through 30 pages... I said what I said based on post #312 by LHammonds. I thought that you just had to BE on the website (not clicking any ads) to get an infection.
LHammonds Posted October 27, 2010
> I said what I said based on post #312 by LHammonds. I thought that you just had to BE on the website (not clicking any ads) to get an infection.
"the website" mentioned in my post you referenced is NOT any of the Nexus sites. It was to drive home the point that you can get infected without clicking on anything AND you can get infected even if you use Firefox (some people incorrectly think that Firefox is immune) and I wanted to also point out that a fully patched Windows XP (and probably Vista and Win7) by itself is also not enough to thwart drive-by attacks from infected sites / ads.
No, the Nexus sites were not "infected", however an ad being funneled through the ad system was infected on a remote site which was cleaned quite quickly despite being temporarily "banned" by Google and Firefox for 3 or so days after the incident.
Anyone "cruzing" the Internet needs to be aware and correctly use the tools available to them for protection against such nasty critters. Anti-virus, Firewall, anti-spyware, white/black lists, anti-malware tools, browser add-ons like NoScript and WOT, etc. This is especially true for Windows users since they are the largest audience on the net and thus the largest target for scumbag malware programmers. A Mac guy here at work loves to chime in after we remove or prevent a threat on our network and say "Mac users are unaffected." The Mac OS might be pretty tight for the moment but malware makes its way in through the weak links which are currently add-ons and services such as Adobe Reader, Flash, XML readers, etc.
Regardless of your trust-level of any site, a good web user should always have an elevated suspicion that something "could" be wrong because nothing is 100% immune from attacks. I grew up with the saying "wish for peace but be ready for war" which means YOU take an active part in your own defense.
As far as "infected" ads, this does occur from time to time but is extremely rare. You also have to be aware that sometimes the malware does not reveal itself immediately. It might get onto your system and wait for a random amount of time before deploying its payload in order to keep the original source from being easily detected and shut down. If you visit sites of poor quality (crack/keygen sites, porn sites, anything with illegal activity, etc.), do not be surprised if you catch an infection there and don't realize it until much later.
Summary: Nexus sites are NOT infected. The ads are NOT infected. It doesn't appear that we have a wide-spread problem at this moment. Any ad that is reported to Dark0ne as being irritating (loud sounds, malware, etc.) is quickly removed from the ad rotation. Of course, this relies on the COMMUNITY to identify the offending ads (e.g. SCREENSHOTS or verbal description) which makes it extremely simple for Dark0ne to identify and remove.
LHammonds
zenobite Posted October 27, 2010
Well that was a total bastard of a virus to remove, as it disabled any programs from updating and I had to rename my anti-spyware for them to run (it wouldn't let me run mbam.exe etc). Anyway it infected the ipsec.sys file, Kaspersky TDSSKiller sorted it out, so if anyone's still having problems try downloading it. I think I got infected due to playing around with my security settings as I was having problems with downloading.
MadMike710 Posted October 28, 2010
Thanks for clearing that up LHammonds. Kudos to you (if I haven't already). Sorry for my misunderstanding. Also I thought Malwarebytes was Anti-Malware, not Anti-Spyware. But then again I don't know the difference. ^_^