1 reply to this topic

[Swerve]

The actual virus I was infected with isn't what I'm concerned about. Both times I was infected while viewing a webpage. For the record, the first time it was Security Tool (Vundo.H). The second time I didn't even check, I just killed it, but it was some variation that said my PC was infected by millions of malware programs. The website I was infected from was The Pirate Bay. I know what you're thinking, "OMG, you were downloading pirated software and/or porn!! No wonder you got infected!". I don't do either. Let me explain.

I use Pirate Bay to download TV programs when my wife misses one of her "must watch" shows (90210 in both cases). No, I don't have Tivo. Also, I've been working with computers for almost 20 years. Its not my main profession, but I repair PCs on the side. My specialty is malware removal, but I also do a bit of forensics and programming. I prefer to remove malware manually using a boot CD because I don't trust anti-virus and malware removal software. I've removed far too many viruses from PCs that had these installed. Sorry to ramble, but I don't want you to think I'm some newbie that got infected from a file sharing website. I'm well versed in how malware infects PCs and how to remove it.

I was hit last Wednesday and today. In both cases I was infected while viewing the torrent description page (I hadn't clicked the torrent download link). My PC bogged down and I got an hourglass cursor. I immediately checked task manager and new processes were popping up everywhere, so I know this is when the infection happened. I believe its coming from an ad banner on the site. The first time this happened I powered off my PC immediately and used my boot disc to remove the malware. As soon as I restarted (virus free) I checked Windows Update and found no critical updates. About two days later I saw an update notification for 5 critical updates, four for XP "allowing a remote hacker to take control of your PC" and one for IE 8 that would "allow your computer to be infected by viewing a specially crafted webpage". Aha! So I installed these updates and restarted thinking the problem was solved. Not so.

Apparently there are a few more vulnerabilities to be discovered. While removing the malware this time I searched my web cache for all files that were created at the time of infection. I archived these files to a folder. If anyone is interested in analyzing to find the infection method I'll gladly zip and upload them.

[jedi]

I wouldn't mind taking a look, can you upload them for me Here.Thanks.