Author Topic: http://aqz.itrodip.info  (Read 10633 times)


ma1028

  • Guest
http://aqz.itrodip.info
« on: October 13, 2009, 03:30:59 AM »
I don't really know what this is....or whether it's a virus....But when I'm using Firefox....occasionally Firefox will get a pop-up saying it's trying to download "PDF.PDF" from aqz.itrodip.info. It's done this probably 3 or 4 times in the last 3 weeks.
I have no idea what this is. I ran a volume scan a few weeks ago and found nothing.
Has anyone run into this? Is it spyware? A virus?
I'm going to run one again and see what it finds.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: http://aqz.itrodip.info
« Reply #1 on: October 13, 2009, 06:24:57 AM »
Are you using Linux or Mac?
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

ma1028

Re: http://aqz.itrodip.info
« Reply #2 on: October 13, 2009, 08:38:13 AM »
Quote
Are you using Linux or Mac?

Macintosh.
Oh. And a recent scan found nothing. Just a lot of error 13's and stuff. Nothing major.
I actually did a search for that url on BING...and it came up with a result.
http://www.bing.com/search?q=http%3A%2F%2Faqz.itrodip.info&go=&form=QBLH&qs=n
You can look at that if you wish. It's not a direct link to the url...just to the search results.
« Last Edit: October 13, 2009, 08:47:03 AM by ma1028 »

Offline FreewheelinFrank

Re: http://aqz.itrodip.info
« Reply #3 on: October 13, 2009, 02:53:12 PM »
Have you tried allowing Firefox to download (not open) the file and sending it to VirusTotal?

http://www.virustotal.com/

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: http://aqz.itrodip.info
« Reply #4 on: October 13, 2009, 07:58:07 PM »
Hi ma1028.

The last time suspicious content was found on the mentioned site was on 2009-10-12.
Malicious software includes 1 scripting exploit.

This site was hosted on 1 network(s) including AS30099 (SB).

Did the mentioned site host malcode? Yes, the software has been infecting 1 domain, c.q. jamirlima.blogspot.com/

and look here at the Norton Safe Web report for this site: itrodip.info

Survey
• Computer threats: 1
• Identity threats: 0
• Annoyance factors: 0
Total number of threats on mentioned site: 1

Location of site: U.S.A.

Found threats:

Threat found: 1
Name of threat: Trojan.Pidief.F
Location: hXtp://aqz.itrodip.info/mqwove/xd/pdf.pdf

Manual removal instructions if one were to be infected by the trojan:
Manual Removal of Trojan.Pidief.F

Kill Spyware Processes
chkzero.exe
Get rid of Files and Folder
%System%\chkzero.exe
%Temp%\filepages.sys
%Temp%\temp.sys
%Temp%\temp.txt
C:\Documents and Settings\All Users\Application Data\SVCH0ST.dll
C:\Documents and Settings\All Users\Application Data\svchost.exe

Delete following folders
— No traces available —
Delete Registry Values
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"RUN_XY_Zer0" = "a.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Marks Info\"Mark" = "kkk"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Marks Info\"SystemTime" = "2009-5-21-20"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUN_XY_Zer0
HKEY_CURRENT_USER\Software\Microsoft\Windows\Marks Info
HKEY_LOCAL_MACHINE\SYSTEM\123
HKEY_LOCAL_MACHINE\SYSTEM\123\SSDT
HKEY_LOCAL_MACHINE\SYSTEM\123\SSDT\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\123\SSDT\Start
HKEY_LOCAL_MACHINE\SYSTEM\123\SSDT\Type
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_REWQREW
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSDT
go to * 6.

1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. Update the virus definitions.
3. Reboot computer in SafeMode [how to]
4. Find and stop the service
- Click Start > Run.
- Type services.msc, and then click OK.
- Locate and select the following services that was detected.
Service name: rewqrew
Service name: DETrueTime

- Click Action > Properties.
- Click Stop.
- Change Startup Type to Manual.
- Click OK and close the Services window.

5. Run a full system scan and clean/delete all infected file(s)

*
6. Delete/Modify any values added to the registry. [how to edit registry]

Navigate to and delete the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"RUN_XY_Zer0" = "a.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Marks Info\"Mark" = "kkk"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Marks Info\"SystemTime" = "2009-5-21-20"

Navigate to and delete the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUN_XY_Zer0
HKEY_CURRENT_USER\Software\Microsoft\Windows\Marks Info
HKEY_LOCAL_MACHINE\SYSTEM\123
HKEY_LOCAL_MACHINE\SYSTEM\123\SSDT
HKEY_LOCAL_MACHINE\SYSTEM\123\SSDT\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\123\SSDT\Start
HKEY_LOCAL_MACHINE\SYSTEM\123\SSDT\Type
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_REWQREW
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSDT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DETrueTime
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rewqrew

7. Exit the registry editor and restart the computer.
8. To make sure the threat is completely eliminated from your computer, carry out a full scan of your computer using antivirus and antispyware software. Another way to delete the virus, using various antivirus programs without having to install them, is an online virus scanner.

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
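A read-only PowerShell audit of the Trojan.Pidief.F artifacts listed in the removal instructions above, added here as an example rather than taken from the thread or from Norton's write-up; it reports findings without killing or deleting anything. It assumes PowerShell on Windows, with %System% mapped to System32, %Temp% to the current user's temp folder and the All Users\Application Data folder resolved via CommonApplicationData (an assumption; run elevated so HKLM is readable).

```powershell
# Added example (not from the thread): read-only check for the Trojan.Pidief.F
# artifacts polonus listed. Nothing is stopped or removed; review findings first.
$sys32   = Join-Path $env:SystemRoot 'System32'                   # %System% (assumed)
$tmp     = $env:TEMP                                              # %Temp%   (assumed: user temp)
$allData = [Environment]::GetFolderPath('CommonApplicationData')  # All Users\Application Data

$files = @(
    (Join-Path $sys32   'chkzero.exe'),
    (Join-Path $tmp     'filepages.sys'),
    (Join-Path $tmp     'temp.sys'),
    (Join-Path $tmp     'temp.txt'),
    (Join-Path $allData 'SVCH0ST.dll'),   # note the zero in SVCH0ST
    (Join-Path $allData 'svchost.exe')    # real svchost.exe lives in System32, not here
)
$regKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RUN_XY_Zer0',
    'HKCU:\Software\Microsoft\Windows\Marks Info',
    'HKLM:\SYSTEM\123',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_REWQREW',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSDT',
    'HKLM:\SYSTEM\CurrentControlSet\Services\DETrueTime',
    'HKLM:\SYSTEM\CurrentControlSet\Services\rewqrew'
)
# Registry values from the write-up: key path plus value name
$regValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'; Name = 'RUN_XY_Zer0' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\Marks Info';     Name = 'Mark' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\Marks Info';     Name = 'SystemTime' }
)

$findings = @()
foreach ($p in (Get-Process -Name 'chkzero' -ErrorAction SilentlyContinue)) {
    $findings += "process  : chkzero.exe (PID $($p.Id))"
}
foreach ($s in (Get-Service -Name 'rewqrew','DETrueTime' -ErrorAction SilentlyContinue)) {
    $findings += "service  : $($s.Name) [$($s.Status)]"
}
foreach ($f in $files)   { if (Test-Path -LiteralPath $f) { $findings += "file     : $f" } }
foreach ($k in $regKeys) { if (Test-Path -LiteralPath $k) { $findings += "reg key  : $k" } }
foreach ($v in $regValues) {
    $item = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($item) { $findings += "reg value: $($v.Key)\$($v.Name) = $($item.($v.Name))" }
}

if ($findings.Count -eq 0) { 'No Trojan.Pidief.F artifacts found.' }
else { 'Artifacts found (review before any removal):'; $findings }
```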

ma1028

Re: http://aqz.itrodip.info
« Reply #5 on: October 14, 2009, 08:42:50 AM »
Quote
Have you tried allowing Firefox to download (not open) the file and sending it to VirusTotal?

http://www.virustotal.com/
Well...when the popup happens...it never automatically downloads...it just tries to open it.
But no I have not tried that. Would it be safe to?

Oh...and polonus...I do not own a Windows-based machine....so everything you told me there wouldn't really help me.
I think, anyway. Not to mention I do not have Norton.
Thanks though.
« Last Edit: October 14, 2009, 08:51:20 AM by ma1028 »

Offline FreewheelinFrank

Re: http://aqz.itrodip.info
« Reply #6 on: October 14, 2009, 10:35:34 AM »
Quote
Have you tried allowing Firefox to download (not open) the file and sending it to VirusTotal?

http://www.virustotal.com/
Well...when the popup happens...it never automatically downloads...it just tries to open it.
But no I have not tried that. Would it be safe to?

Oh...and polonus...I do not own a Windows-based machine....so everything you told me there wouldn't really help me.
I think, anyway. Not to mention I do not have Norton.
Thanks though.

Just saving it would be safe, as Polonus' post points out, it's probably Windows malware anyway.

EDIT: Actually, reading Polonus' post, it's clear the link is (or was, it seems to be dead) malicious, so there's no point downloading the file, but you do need to investigate what keeps trying to download the file.

Have you tried looking through your Firefox extensions and plug-ins to see if there is a malicious extension installed?

There's a page linked to in this article which will display them all, although it won't tell you if they are malicious; you'll have to Google any you don't recognise.

http://blogs.zdnet.com/security/?p=4537&tag=col1;post-4537
« Last Edit: October 14, 2009, 10:42:44 AM by FreewheelinFrank »

ma1028

Re: http://aqz.itrodip.info
« Reply #7 on: October 14, 2009, 10:44:01 AM »
I'm not seeing anything in my plugins or extensions.
There's a DivX plug-in....Flip4Mac.....iPhoto......Java Embedding....QuickTime....and Shockwave.
Oh...and a default Gecko plugin. Not really sure what that is...but I'm assuming it's safe.
The only extension I have is NoScript. Which I turn on and off periodically.

ma1028

Re: http://aqz.itrodip.info
« Reply #8 on: October 14, 2009, 11:21:12 AM »
Quote
EDIT: Actually, reading Polonus' post, it's clear the link is (or was, it seems to be dead) malicious, so there's no point downloading the file, but you do need to investigate what keeps trying to download the file.

What's a good way to go around this? What should I look for?

Offline FreewheelinFrank

Re: http://aqz.itrodip.info
« Reply #9 on: October 14, 2009, 11:27:12 AM »
Check out your Firefox extensions and plug-ins; that's really all I can think of.

ma1028

Re: http://aqz.itrodip.info
« Reply #10 on: October 14, 2009, 11:30:46 AM »
Quote
Check out your Firefox extensions and plug-ins; that's really all I can think of.

aight.
Well....everything appears to be a-ok on that front. The only thing that I don't recognize is "default plugin 2.0 Gecko default plugin".
But I'm assuming that's just something normal in Firefox.

Offline FreewheelinFrank

Re: http://aqz.itrodip.info
« Reply #11 on: October 16, 2009, 11:47:52 AM »
The issue seems to apply to Windows, Mac and Linux.

http://answers.yahoo.com/question/index?qid=20091012084401AAy95zQ

Still looking into this one: maybe an answer will come up eventually.

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: http://aqz.itrodip.info
« Reply #12 on: October 20, 2009, 01:20:13 PM »
Quote
Have you tried allowing Firefox to download (not open) the file and sending it to VirusTotal?

http://www.virustotal.com/
Well...when the popup happens...it never automatically downloads...it just tries to open it.
But no I have not tried that. Would it be safe to?

Oh...and polonus...I do not own a Windows-based machine....so everything you told me there wouldn't really help me.
I think, anyway. Not to mention I do not have Norton.
Thanks though.

Hello,
try to save it (it won't harm your computer if you don't open it), and upload it to virustotal.com. It might be some kind of PDF exploit.

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

ma1028

Re: http://aqz.itrodip.info
« Reply #13 on: October 22, 2009, 03:47:34 AM »
Thanks for all the help, everyone.
I have yet to get the popup again. We'll just have to wait and see.