Author Topic: Information knowing what virus could have being the one....  (Read 3403 times)

0 Members and 1 Guest are viewing this topic.

Mrfus

  • Guest
Information knowing what virus could have being the one....
« on: April 02, 2012, 04:23:12 PM »
I couple of day ago my PC just go crazy, after I download a file from a link on the Orbiter site (the link was to a site who have HD textures for the software)... I dowload the file ans scan it, no problem was detected but after unziping the files and place it on the right folders Avast just go crazy with warnings of the PC trying to connect to a dangerous URL, seconds later the screen background just turn black, all the icons on my desktop dissapear one by one and a pop-up window warning my HDD have damage and that there was some I/O errors on the unit and again avast just go crazy stoping the attemps of the sistem to connect to the URL.... all happend so fast that I was unable to even see what the avast notification pop-up was showing.

My sistem crash and reeebot... when windows end up loading back on, all was crap, no icons, black background, clear taskbar, some files were missing (I'm guessing deleted) I try to run Avast but as soon as I try the HDD crap come out and generate many dialog windows (SMART HDD) and a error happend and avast was force close.

As I have a backup image of my HDD from 3/25/12 and really don't want to spend hours trying to clear the sistem, I made a total clear of the HDD and restore, I run a full scan on the sistem after the restore and nothing was detected!

Did some one have any idea  of what virus was this? I will really like to know so I can let the people on the Orbiter site that the linked site is malicious, and avoid to spread the virus (If Avast wasn't able to stop the damage on my sistem I will hate to see what will do on other sistems running weaker antivirus).

adotd

  • Guest
Re: Information knowing what virus could have being the one....
« Reply #1 on: April 02, 2012, 05:13:36 PM »
Hello Mrfus.

Welcome to the avast!WEBforum.

Can you upload the file you downloaded to:

https://www.virustotal.com/

if you dont have the file scan the url you got it from

and post the results bellow 8)

can you visit the following page:http://forum.avast.com/index.php?topic=53253.0

and post the logs for the scans as well

this helps our malware expert to help you quicker

Anthony  ;)
« Last Edit: April 02, 2012, 05:26:45 PM by adotd »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37331
  • Not a avast user
Re: Information knowing what virus could have being the one....
« Reply #2 on: April 02, 2012, 05:47:46 PM »
Seems You are infected with a Rogue called smart HDD


Remove smart HDD uninstall guide
http://www.bleepingcomputer.com/virus-removal/remove-smart-hdd


If this does not Work, Follow this guide and attach logs from malwarebytes / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0

Mrfus

  • Guest
Re: Information knowing what virus could have being the one....
« Reply #3 on: April 03, 2012, 04:41:00 AM »
Thanks... I'm going to scan the URL, the file was deleted when the sistem was restored, I learn on the hard way to keep backups... first I use to do it on DVD's but was too slow and hard to keep with "Please insert DVD 3 of 15..." now I use a external HDD that is connected only when the backup is done, no other files than the generated by the sistem are keep on the drive and it's stored with the Restore DVD on a fireproof safe box.

Avast has keep my sistem clean for 4 years now with only two incidents, this one and like a year ago with some nasty bug acting like it was an antivirus that has detected a infection on my computer, shut down the antivirus and the malware software that you are running and redirect the internet browser to a site asking money to remove the virus...

I scan the URL from I get the file and the direct link to the file (hxxp://downloadorbitersim.com/wp-content/plugins/download-monitor/download.php?id=59) the sistem report:

SHA256: 9976c4ca5e1d5e58fc81c506bd3afef4211f2f066e6db575d2967b8115674690
SHA1: 7cef3a90f6ab8deec206f6c0761644816d6ecef9
MD5: 9597650ca10a499be6bdd9e9307149d7
File size: 7.1 MB ( 7456071 bytes ) 
File name: download.php?id=59
File type: ZIP
Detection ratio: 0 / 42
Analysis date: 2012-04-03 02:13:26 UTC ( 5 minutes ago )

Looks like nothing is there... but I know that what ever get on my PC came from that file, that was the only window open on my browser at the time that was new to me, the other app open was the windows explorer from where I was moving the files from the zip to the destination folder, the software (orbiter 2010) was installed the day before and I run it like 8 or 9 times with no problems or sign of infection (I just scan the URL and nothing strange come back, but it was unable to scan the installation file because of size limit, 136mb file).

I want to reinstall the software but i'm not sure now if i want to take my chanses and get infected again...
« Last Edit: April 03, 2012, 03:20:01 PM by igor »

true indian

  • Guest
Re: Information knowing what virus could have being the one....
« Reply #4 on: April 03, 2012, 06:10:25 AM »
thankyou for the URL mrfus...file reported at virus@avast.com and uploaded from chest to virus lab ;)
« Last Edit: April 03, 2012, 07:00:51 AM by true indian »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Information knowing what virus could have being the one....
« Reply #5 on: April 03, 2012, 02:51:30 PM »
"File type: ZIP "
There is also a high possibility that the file(s) was not detected because it was encrypted in a zip when scanned.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 33807
  • malware fighter
Re: Information knowing what virus could have being the one....
« Reply #6 on: April 03, 2012, 03:35:26 PM »
Hi Mrfus,

What virus this could be, more likely than not a trojan of some sort!
Make that link non-click-through with hxtp or wXw. We do not want anyone accidentally to click a live link to probably suspicious or malicious code.
WOT does not like many of these torrent downloads.
Users should know these downloads are being frowned upon and more often than not come with attached malcode.
So refrain from using these kind of  download sites.
The domain IP is listed as a PHISHING SITE.
See Anubis analysis: htxp://anubis.iseclab.org/?action=result&task_id=1dc41f651ffe60f3485ceef07cdfeaa3f&format=html
The request is redirected to GET /files/oslandsat/Earth/OrbiterSimLandSAT061219_Earth_L8.zip
IP 184.168.167.1,  is blacklisted for having Trojan.JS.Downloader.BSR, Trojan-Dropper.Win32.Daws.alza, Trojan.Iframe.ADA, Trojan-Downloader.HTML.Agent.xn,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Mrfus

  • Guest
Re: Information knowing what virus could have being the one....
« Reply #7 on: April 04, 2012, 04:34:52 PM »
thank you...

I should have stop when I saw that some of the links are to torrent downloads... I think the Orbiter project is good and entretaining but I don't think that I wil take my chanses of getting infected again.