May 09, 2009


Earlier today, I was looking for a review of the show Shuffle!, and decided to visit to see what they had to say about it.  I hadn't been there since they were purchased by, but I didn't think anything about it.

So, I followed a google link to their main page.

Five or six antivirus alerts later, all hell was breaking loose in my computer.  Multiple trojans, backdoor thingies, Vundo deposits, and something that prevented me from visiting any of the anti-virus program manufacturers and Microsoft but allegedly wasn't the Conficker worm.  This was at 2pm.

It's now 9:03pm, and I think I've gotten all of it.  Five or six runs of Malwarebytes' Anti-Malware, three of my antivirus program, two of my spyware program, and repeated banging of my head against a wall, everything seems to be back to normal.  Maybe.  Perhaps.

I'm still not sure, to be honest.

But do NOT go to animeondvd.

Posted by: Wonderduck at 08:08 PM | Comments (11)


1 Seems like there are two possibilities. First, an unscrupulous advertiser. Two, someone broke into Mania's server. I wonder which it was.

But I'm not going there to find out.

Posted by: Steven Den Beste at May 09, 2009 09:17 PM (+rSRq)

2 Honestly, these days, I don't go there anyway.

Posted by: Avatar at May 09, 2009 10:01 PM (vGfoR)

3 It's now 1:11am on Sunday, and now I think I've gotten everything.  Again.  After I put up this post, I wound up finding a few other things.  This is NOT the way I had planned to spend Saturday.

Posted by: Wonderduck at May 10, 2009 12:08 AM (rvJXE)

4 Oh, bugger.

My three indispensable malware utils: McAfee Rootkit Detective 1.1, Malwarebytes, and Process Explorer. If I can't get rid of it with a combination of those three, it's time to nuke the site from orbit.

The trick is that ProcExp can be used to suspend all of the offending processes first, before killing them, neatly getting around the "buddy system" effect. Once the processes are gone, I break out MBAM. If it doesn't catch everything, I break out the Detective, zot any suspicious-looking files it finds, reboot, then let MBAM have another crack (at which point it finds the formerly-rootkitted files).

Posted by: GreyDuck at May 10, 2009 07:16 AM (o5Lvb)
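
The suspend-first, kill-second trick GreyDuck describes, as an added example that is not from the original post or from GreyDuck (who did it by hand in Process Explorer). It does the same thing from PowerShell: freeze every suspect process with NtSuspendProcess, and only then terminate them, so neither half of a "buddy" pair is awake to respawn the other. Assumptions: it runs as Administrator, and the PIDs in $suspects are placeholders you replace with the ones you actually flagged.

```powershell
# Added example, not from the original page. Suspend a set of processes
# before terminating any of them (the Process Explorer "suspend, then kill"
# technique against mutually-restarting malware).
# Assumes: elevated PowerShell; $suspects holds PIDs you already identified.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("ntdll.dll")]
public static extern int NtSuspendProcess(IntPtr hProcess);
'@

$PROCESS_SUSPEND_RESUME = 0x0800   # access right needed for NtSuspendProcess

# Placeholder PIDs: replace with the processes you flagged in Process Explorer.
$suspects = @(1234, 5678)

# Remember the image names so we can check for respawns afterwards.
$names = Get-Process -Id $suspects -ErrorAction SilentlyContinue |
         Select-Object -ExpandProperty ProcessName -Unique

# Pass 1: freeze every suspect. A suspended process cannot notice that its
# partner has died, so it cannot restart it.
$handles = @{}
foreach ($procId in $suspects) {
    $h = [Win32.Native]::OpenProcess($PROCESS_SUSPEND_RESUME, $false, [uint32]$procId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        Write-Warning ("Could not open PID {0} (Win32 error {1})" -f $procId, $err)
        continue
    }
    $status = [Win32.Native]::NtSuspendProcess($h)   # NTSTATUS, 0 == success
    if ($status -ne 0) {
        Write-Warning ("NtSuspendProcess failed for PID {0} (NTSTATUS 0x{1:X8})" -f $procId, $status)
    } else {
        Write-Host "Suspended PID $procId"
    }
    $handles[$procId] = $h
}

# Pass 2: only now terminate them. TerminateProcess works on suspended processes.
foreach ($procId in $suspects) {
    Stop-Process -Id $procId -Force -ErrorAction SilentlyContinue
    if ($handles.ContainsKey($procId)) { [void][Win32.Native]::CloseHandle($handles[$procId]) }
}

# Pass 3: anything still running under those image names respawned from
# somewhere you have not found yet (a service, a scheduled task, a rootkit).
$left = Get-Process -Name $names -ErrorAction SilentlyContinue
if ($left) { $left | Format-Table Id, ProcessName, Path } else { Write-Host "No respawns seen." }
```

If pass 3 shows the same names coming back, the restarter is not one of the suspended processes, which is exactly the point at which GreyDuck's comment moves on to the rootkit detector.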

5 In comments on my site you said you still couldn't access the web with IE. Look to see if it's set up to use a proxy.

Posted by: Steven Den Beste at May 10, 2009 09:38 PM (+rSRq)


6 That's what it was, all right.  Thank you, Steven!  Again, not that I use IE at all, but it's nice to have it working, just in case.

Posted by: Wonderduck at May 10, 2009 10:00 PM (UdB9M)

7 Some malware does that, so that all your browsing is under their control, passing through their server. They can replace sites with others, and they get to watch everything you send to those sites (e.g. your login to your bank).

Posted by: Steven Den Beste at May 10, 2009 10:30 PM (+rSRq)

8 Yeah, I know... which doesn't fill me with warm fuzzies.

To be clear, by the way, I set it up so that it ISN'T running through a proxy, and it worked again.  I made the same change to Firefox, and it's running nice and smooth, too.

Posted by: Wonderduck at May 10, 2009 10:39 PM (rvJXE)
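
The check Steven suggests in comment 5 and the fix Wonderduck applied in comment 8, as an added example that is not from the original post or comments. IE reads its proxy configuration from the WinINet keys under HKCU, and Firefox does the same when it is set to use the system proxy, so this is where a malware-installed proxy usually sits. Assumptions: it runs as the affected user (no elevation needed, since the values are per-user); the Clear-WinInetProxy function is this example's own name, and you should only call it once you are sure the proxy is not one you or your network put there.

```powershell
# Added example, not from the original page. Show the WinINet proxy settings
# that IE honours, and optionally reset them to the "No proxy" state.
# Assumes: run as the affected user; the key below is the standard per-user
# WinINet location.

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$s   = Get-ItemProperty -Path $key

$findings = @()
if ($s.ProxyEnable -eq 1) {
    $findings += "ProxyEnable=1, ProxyServer='$($s.ProxyServer)' (all traffic relayed through that host)"
}
if ($s.ProxyOverride) {
    $findings += "ProxyOverride='$($s.ProxyOverride)' (hosts that bypass the proxy)"
}
if ($s.AutoConfigURL) {
    # A PAC script is worse than a fixed proxy: a script fetched from that URL
    # decides, per request, where your traffic goes.
    $findings += "AutoConfigURL='$($s.AutoConfigURL)' (proxy auto-config script)"
}

if ($findings.Count -eq 0) {
    Write-Host "No proxy or PAC script configured; IE is in the 'No proxy' state."
} else {
    Write-Host "Proxy settings found:"
    $findings | ForEach-Object { Write-Host "  $_" }
}

# Hypothetical helper name for this example. Resets the same values the
# Internet Options dialog changes when you untick the proxy boxes.
function Clear-WinInetProxy {
    Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
    foreach ($name in 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    }
    Write-Host "Proxy cleared; restart IE so WinINet re-reads the settings."
}

# Clear-WinInetProxy   # uncomment once you have confirmed the proxy is not yours
```

Two caveats worth keeping in mind. A proxy pointed at 127.0.0.1 is still a finding: it means a local process on the box is doing the relaying. And clearing the registry values only undoes the setting; it does nothing about whatever put them there, which is the point Anthony makes further down the thread.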

9 Just ran a HijackThis, and there's nothing on there that I didn't expect... yay me!

Posted by: Wonderduck at May 10, 2009 11:09 PM (rvJXE)


10 "No proxy" is usually the right answer.

Posted by: Steven Den Beste at May 10, 2009 11:48 PM (+rSRq)

11 Of course the real problem is, once you're infected like this, it's generally impossible to be 100% sure that there isn't something still lurking in your system.  So could you ever again trust this PC for anything even remotely private (online shopping or banking, reading personal email, etc)?  I think that nuking it from orbit is the only way.

Posted by: Anthony DiSante at May 11, 2009 09:17 AM (xJ4r5)
