lenneth
11-09-2008, 05:52 AM
I picked up a bunch of crap from what I can only assume was a brief visit (using Opera) to the FFS main site and/or GH.
Don't recall the name of the trojan atm but it was associated with a file called "orz.exe". orz.exe would reinitialize in my processes when I visited the forums this morning, and I don't know if that had something to do with the weirdness we experienced this morning or not. Every time I visited the forums, something would boot up the orz.exe until I ended the process. It wouldn't return until I checked the forums.
Anyway, got that cleaned up via TrendMicro's Housecall (it had little info on the trojan itself, just some crap about being a backdoor program + other stuff ~_~ ). ALSO, I'm pretty sure it was putting an entry in my Services (control panel > administrative tools > services) called "Security 2@)#@#%*" or something (literally a bunch of random characters that definitely didn't belong there). I disabled it (it masks itself as "stopped" even though when you check properties it is listed as "started") and it is no longer there so I think Housecall cleared that up.
After that, I came across something called "LoveFly.dll" and "smart.dll" (in Windows/system32) which are keyloggers to steal WoW account passwords only, apparently. Those were easy enough to remove, but I can only assume they came from FFS as well, since it's the only gaming site I go to regularly and it'd make sense that a file that specific would target gaming sites.
ANYWAY. I know at least the Trojan was from FFS and the orz.exe file reinitializing is a concern because it came up on the forums. I don't make a habit of visiting GH or the main site so I can avoid those, but if there's something on the forums that would sorta suck. It suggests something in the code of the forums is working with the trojan. Unless something with the code errors this morning was to explain.
I couldn't get a hold of you on IRC so I figured I'd post it here. Also just to notify anyone else who may have been at the site to check for those things (orz.exe, weird entry in Services, smart.dll/LoveFly.dll). The .dll files I think I picked up on Oct 25, according to the "Date Modified" dealy.
Update: Still have the weird entry in my Services. "Security Control" is what it's called and its description is full of random/weird characters. Associated with the file "zordisa.dll" which is a trojan/backdoor. Not sure if this is from FFS but I really wouldn't doubt it given the other crap I've picked up ;\ Back to fixing this, I guess.