Daily newsletter has link to virus infected site
-
All I can tell you is as the page was loading I got a popup asking if I wanted to allow Java to run. Without clicking anything I immediatly went to kill IE and I saw the maliciuos code pop up in my Process Explorer with the common name lsass.exe, but in a diferent directory from Microsofts version. Probably what happened is one of the advertisements on the page was infected, but the same adds don't pop up every time. I've seen this before on other web sites (cough - Yahoo - cough). I'm doing an offline scan of my drive now just to make sure I cleaned it out ok.
-
Sorry, but I'm not having any problems with that site.
cheers, Chris Maunder The Code Project | Co-founder Microsoft C++ MVP
It has to be a problem with one of the advertisments that get's randomly put on the page. I wish I did a better job at capturing the offending ad before I killed it. Love the news letter, it's absolutly the best read in my inbox everyday!
modified on Monday, August 30, 2010 10:01 AM
-
The link in the daily news letter: 7 Interface Design Techniques to Simplify and De-clutter Your Interfaces For your interfaces, which are cluttered. installed a virus on my computer located in: C:\documents and settings\\application data\systemproc called lsass.exe. It's size is 78 KB. It also set itself to start in the registry under: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run I just started looking into it and I'm not sure if it's anywhere else. I just went to the web page and didn't click on anything but it got in.
lsass is a Windows service process launcher IIRC. Try verify the file to see if it indeed comes from Microsoft. If so, you just made an idiot of yourself ;P
xacc.ide
IronScheme - 1.0 RC 1 - out now!
((λ (x) `(,x ',x)) '(λ (x) `(,x ',x))) The Scheme Programming Language – Fourth Edition -
lsass is a Windows service process launcher IIRC. Try verify the file to see if it indeed comes from Microsoft. If so, you just made an idiot of yourself ;P
xacc.ide
IronScheme - 1.0 RC 1 - out now!
((λ (x) `(,x ',x)) '(λ (x) `(,x ',x))) The Scheme Programming Language – Fourth Edition -
It has to be a problem with one of the advertisments that get's randomly put on the page. I wish I did a better job at capturing the offending ad before I killed it. Love the news letter, it's absolutly the best read in my inbox everyday!
modified on Monday, August 30, 2010 10:01 AM
code_junkie wrote:
It has to be a problem with one of the advertisments that get's randomly put on the page.
That is possible. I didn't get a virus/trojan alert either but the page did freeze up for a few seconds prior to loading completely (on IE8).
Regards, Nish
Blog: blog.voidnish.com
-
harold aptroot wrote:
It wouldn't be in that folder if it were "real"
True, will be in SYSTEM32 or equivalent. Also, only 22KB in size on Windows 7 here.
xacc.ide
IronScheme - 1.0 RC 1 - out now!
((λ (x) `(,x ',x)) '(λ (x) `(,x ',x))) The Scheme Programming Language – Fourth Edition -
lsass is a Windows service process launcher IIRC. Try verify the file to see if it indeed comes from Microsoft. If so, you just made an idiot of yourself ;P
xacc.ide
IronScheme - 1.0 RC 1 - out now!
((λ (x) `(,x ',x)) '(λ (x) `(,x ',x))) The Scheme Programming Language – Fourth EditionAs stated in the OP: "installed a virus on my computer located in: C:\documents and settings\(User Dir)\application data\systemproc" Not my system32 directory. I've been programming for 30 years now, I know a virus when I see one :omg:
-
As stated in the OP: "installed a virus on my computer located in: C:\documents and settings\(User Dir)\application data\systemproc" Not my system32 directory. I've been programming for 30 years now, I know a virus when I see one :omg:
code_junkie wrote:
I've been programming for 30 years now, I know a virus when I see one
While I do believe you, I just had to make sure ;P So, I expect you to do what I do, clean the virus up without a stinking anti-virus :)
xacc.ide
IronScheme - 1.0 RC 1 - out now!
((λ (x) `(,x ',x)) '(λ (x) `(,x ',x))) The Scheme Programming Language – Fourth Edition -
code_junkie wrote:
I've been programming for 30 years now, I know a virus when I see one
While I do believe you, I just had to make sure ;P So, I expect you to do what I do, clean the virus up without a stinking anti-virus :)
xacc.ide
IronScheme - 1.0 RC 1 - out now!
((λ (x) `(,x ',x)) '(λ (x) `(,x ',x))) The Scheme Programming Language – Fourth EditionLOL, It's my fault. I don't run anti-virus, never have never will. This is the first virus to get to my computer in quiet some time. It's a pain to clean them by hand but I enjoy finding out how the hackers are operating these days.
-
LOL, It's my fault. I don't run anti-virus, never have never will. This is the first virus to get to my computer in quiet some time. It's a pain to clean them by hand but I enjoy finding out how the hackers are operating these days.
code_junkie wrote:
LOL, It's my fault. I don't run anti-virus, never have never will. This is the first virus to get to my computer in quiet some time. It's a pain to clean them by hand but I enjoy finding out how the hackers are operating these days.
Sounds just like me, I already like you! :)
xacc.ide
IronScheme - 1.0 RC 1 - out now!
((λ (x) `(,x ',x)) '(λ (x) `(,x ',x))) The Scheme Programming Language – Fourth Edition -
As stated in the OP: "installed a virus on my computer located in: C:\documents and settings\(User Dir)\application data\systemproc" Not my system32 directory. I've been programming for 30 years now, I know a virus when I see one :omg:
code_junkie wrote:
I know a virus when I see one
and yet you insist on using IE? :)
Luc Pattyn [Forum Guidelines] [Why QA sucks] [My Articles] Nil Volentibus Arduum
Please use <PRE> tags for code snippets, they preserve indentation, and improve readability.
-
Ankurm/ wrote:
After seeing your post, I tried it too.
If he told you traffic was dangerous would you go play in the road?
-
The link in the daily news letter: 7 Interface Design Techniques to Simplify and De-clutter Your Interfaces For your interfaces, which are cluttered. installed a virus on my computer located in: C:\documents and settings\\application data\systemproc called lsass.exe. It's size is 78 KB. It also set itself to start in the registry under: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run I just started looking into it and I'm not sure if it's anywhere else. I just went to the web page and didn't click on anything but it got in.
How do you know the virus came from that site and didn't just decided to manifest when you visited that site (i.e., you got it somewhere else and it just looks like it came from there)?
-
code_junkie wrote:
I've been programming for 30 years now, I know a virus when I see one
While I do believe you, I just had to make sure ;P So, I expect you to do what I do, clean the virus up without a stinking anti-virus :)
xacc.ide
IronScheme - 1.0 RC 1 - out now!
((λ (x) `(,x ',x)) '(λ (x) `(,x ',x))) The Scheme Programming Language – Fourth Editionleppie wrote:
So, I expect you to do what I do, clean the virus up without a stinking anti-virus
On the rare occasion that I have got a virus, I have often just reinstalled the OS... I just don't take the risk that Anti-virus didn't totally clear the virus up!
"People demand freedom of speech to make up for the freedom of thought which they avoid."
-
code_junkie wrote:
LOL, It's my fault. I don't run anti-virus, never have never will. This is the first virus to get to my computer in quiet some time. It's a pain to clean them by hand but I enjoy finding out how the hackers are operating these days.
Sounds just like me, I already like you! :)
xacc.ide
IronScheme - 1.0 RC 1 - out now!
((λ (x) `(,x ',x)) '(λ (x) `(,x ',x))) The Scheme Programming Language – Fourth EditionNow, go and get a room, you two.
-
The link in the daily news letter: 7 Interface Design Techniques to Simplify and De-clutter Your Interfaces For your interfaces, which are cluttered. installed a virus on my computer located in: C:\documents and settings\\application data\systemproc called lsass.exe. It's size is 78 KB. It also set itself to start in the registry under: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run I just started looking into it and I'm not sure if it's anywhere else. I just went to the web page and didn't click on anything but it got in.
-
code_junkie wrote:
I know a virus when I see one
and yet you insist on using IE? :)
Luc Pattyn [Forum Guidelines] [Why QA sucks] [My Articles] Nil Volentibus Arduum
Please use <PRE> tags for code snippets, they preserve indentation, and improve readability.
LOL, I use IE because I refuse to write code for every new browser that comes out. Heck, keeping up with Microsoft is a full time job in itself. Then add in Firefox, Safari and Chrome, there just isn't enough time in the day X| .
-
How do you know the virus came from that site and didn't just decided to manifest when you visited that site (i.e., you got it somewhere else and it just looks like it came from there)?
Actually I think it came from an infected Advertisment server...
-
The link in the daily news letter: 7 Interface Design Techniques to Simplify and De-clutter Your Interfaces For your interfaces, which are cluttered. installed a virus on my computer located in: C:\documents and settings\\application data\systemproc called lsass.exe. It's size is 78 KB. It also set itself to start in the registry under: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run I just started looking into it and I'm not sure if it's anywhere else. I just went to the web page and didn't click on anything but it got in.
The last time I got a virus I wrote a little explanation about it here. That is, I described what I did to squash it. It acted quite a bit like what you are describing. It also started a guard thread to continually restart it and replace its registry entries. I stopped it by starting up in safe mode and deleting all traces of it. Then I copied a zero-byte file to where it made its directory and set attributes to be read-only, hidden, system. That thing won't be back and I know it has tried. It was one of the only MSN-IM virii I have ever heard of. You might want to copy a file to C:\documents and settings\(user)\application data\ named systemproc and setting to have attributes of RHS just to make sure it has a harder time coming back. I did.
-
The last time I got a virus I wrote a little explanation about it here. That is, I described what I did to squash it. It acted quite a bit like what you are describing. It also started a guard thread to continually restart it and replace its registry entries. I stopped it by starting up in safe mode and deleting all traces of it. Then I copied a zero-byte file to where it made its directory and set attributes to be read-only, hidden, system. That thing won't be back and I know it has tried. It was one of the only MSN-IM virii I have ever heard of. You might want to copy a file to C:\documents and settings\(user)\application data\ named systemproc and setting to have attributes of RHS just to make sure it has a harder time coming back. I did.
That's a really great idea! Thanks! :-D