ImageShack and Trojans?

[dalek]

So how many of you out there use ImageShack for your pictures?

Free image hosting is becoming more and more popular, the ordinary user on the internet finds it handy and useful, after all you only need to upload your image to the host and you can then post the link on a forum so that everyone can see the full image or a thumbnail of the image, this is great if you want to share some photos or post a screenshot of a computer problem that you may be having.

One of the favourite and easy to use hosts is ImageShack. Of course they have to make their money somehow or they wouldn't be able to provide a free hosting service, but seeing a few ads on the site that is serving the image is a small price to pay and something that I can cope with.

It's all getting a little more sinister than that now I'm afraid, a good friend and moderator at Computer Trouble reported that, after clicking on a thumbnail from ImageShack that had been posted at the forum, he got a pop up that he couldn't close and was subsequently infected with a couple of trojans. He wasn't the only one either, four other forum members reported problems too.

http://malwareremoval.com/plog/index.php?blogId=4

Found this blog on this problem, may not end there with ImageShack as I am sure Putfile and Photobucket are just as susceptible as well?......

[brokencrow]

Lawdy, I thought WinAntiVirus2006 and SpyFalcon were using gambling sites primarily. I've removed WinAV from a slew of computers lately. The whois puts them in Kiev. SpyFalcon is another rogue app using the same MO.

[morganlefay]

yeah...just had my bros laptop in for service...(my desk at home)

and it had spywarequake....piece of crap that was very hard to get rid of...

and various trojans

from his history...all from gambling sites.

MLF

[brokencrow]

Yeah, interestingly enough, these outfits are using a lot of the same rogue apps. WinAV is registered to a party in the Ukraine, SpyFalcon to a party in the Phillipines. Both apps are using the same binaries (updated of course):

SecurityToolbar.dll
atmclk.exe
dcomcfg.exe
uninst.exe
regperf.exe
appmagr.exe

Panda's scan pegged all of them as infected. It's ironic to see these binaries in May as SpyFalcon, then again in July as WinAV.

[morganlefay]

Spyware quake used these two that I recognize

dcomcfg.exe

atmclk.exe

Used Trend Micro house call to finally get rid of it...avast found it ..but couldnt do anything "Access denied"


Stupid thing would pop up everytime you reboot...."you are infected..blah blah blah click here to remove" which took you to a website...to buy a removal tool....

you couldnt get rid of the window either...without clicking on it...

Never did find where the piece of crap was hiding....on start up would recreate the files in system 32 directory....

MLF

[brokencrow]

I remove the stuff manually. First I let Panda's scan find the stuff, then I make a list and reboot into Safe Mode w/ Command Prompt. Then I use Ye Olde "del" command.

Panda will turn up some .tmp files as infected if I'm not mistaken. The last WinAV infection I worked had a rogue .tmp in C:\Windows\system32\1024 folder.

You might also run Ccleaner to clean out all the standard temp folders. Then after manually removing the offending files, use Ccleaner's Issues option to clean up the empty registry entries for those same files.

Does the trick for me. I can get rid of WinAV in a half-hour or less without waiting out a series of scans.

[morganlefay]

Yeah...had that 1024 folder too

Thanks for the tips...Brokencrow

will use those the next time.

as for image shack... and other sites along the same flavor.........I am pretty sure thats how my kids computer gets infected ...continually.

Limited accounts too


MLF

[brokencrow]

He-heh, I learned most of what I know about viruses and spyware working on my nephew's computers and my friends' teenage sons' machines. Told my sister once if my nephew was having sex anything like the way he uses a computer, he's in trouble.

[morganlefay]

So is it coming through with the images....?????

Or is the site doing this???

MLF

[brokencrow]

I'm not sure. My sense is it's often coming in bundled with other software, but that doesn't jibe with dalek's post.

I'd lay money it's an IE/ActiveX thing...