Tastyvapor.us malware?


Ralph T

Ultra Member
ECF Veteran
Dec 3, 2009
Albuquerque, NM
Confirmed. Trojan.JS.redirector.cq (Kaspersky). Happens on ALL pages. It's in the HTML. Third line from the bottom of each page: <script src="hp://lost????rana.com/js.php"></script> (mangled purposely)

Geoff, your web provider has been hacked.

The problem is that the bad guys are writing new "bugs" faster than the good guys can keep up. Add to that the problem of hapless home users with un-patched systems and there's a lot of money in it.
 
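The injection described above (one external <script src> element appended near the end of every page) is easy to find and strip mechanically once you know which hosts your site legitimately loads scripts from. The following is an added example, not code from this thread or from the hosting provider: it assumes an allowlist of the site's own hosts (ALLOWED_HOSTS) and uses a constructed sample page with a placeholder hostile host, since the real domain is deliberately mangled in the post above.

```python
"""Find and strip injected <script src="..."> tags whose host is not on an
allowlist.  Added example for this thread, not the forum's or the host's code.

Assumptions (not from the original post):
  * ALLOWED_HOSTS lists every host the site legitimately loads scripts from.
  * The injection is a complete <script src="..."></script> element, as the
    first post describes; inline scripts are out of scope here.
"""
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Hosts this site legitimately serves scripts from (assumption for the example).
ALLOWED_HOSTS = {"tastyvapor.us", "www.tastyvapor.us"}


class ScriptSrcFinder(HTMLParser):
    """Collects (line, column, src) for every <script> tag carrying a src."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                line, col = self.getpos()          # position of the '<'
                self.found.append((line, col, value))


def is_foreign(src, allowed=ALLOWED_HOSTS):
    """True if src would load from a host that is not on the allowlist.

    Relative URLs (no host) are same-origin and therefore allowed; absolute
    and scheme-relative ("//host/x") URLs are judged by hostname only.
    """
    host = urlparse(src.strip()).hostname
    if host is None:
        return False
    return host.lower() not in allowed


def find_injected_scripts(html, allowed=ALLOWED_HOSTS):
    """Return [(line, col, src)] for script tags pointing at foreign hosts."""
    finder = ScriptSrcFinder()
    finder.feed(html)
    return [(ln, col, src) for (ln, col, src) in finder.found
            if is_foreign(src, allowed)]


# Matches a whole <script ... src=... ...></script> element on the raw text so
# that removal leaves the rest of the file byte-for-byte unchanged.
_SCRIPT_ELEMENT = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*(["\']?)([^"\'\s>]+)\1[^>]*>\s*</script\s*>',
    re.IGNORECASE,
)


def strip_injected_scripts(html, allowed=ALLOWED_HOSTS):
    """Return a copy of html with foreign-host <script src> elements removed."""
    def repl(match):
        return "" if is_foreign(match.group(2), allowed) else match.group(0)
    return _SCRIPT_ELEMENT.sub(repl, html)


def scan_webroot(root, allowed=ALLOWED_HOSTS):
    """Yield (path, line, src) for every foreign script under a web root."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".html", ".htm", ".php"}:
            text = path.read_text(errors="replace")
            for line, _col, src in find_injected_scripts(text, allowed):
                yield (str(path), line, src)


# Constructed sample page: two legitimate scripts plus one injected element on
# the third line from the bottom, as in the thread.  "redirector.invalid" is a
# placeholder, not the real domain.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/js/cart.js"></script>
<script src="http://www.tastyvapor.us/js/menu.js"></script>
</head><body>
<p>Welcome.</p>
<script src="http://redirector.invalid/js.php"></script>
</body>
</html>
"""

if __name__ == "__main__":
    for line, col, src in find_injected_scripts(SAMPLE_PAGE):
        print(f"line {line}, col {col}: foreign script {src}")
    print(strip_injected_scripts(SAMPLE_PAGE))
```

Run it against a copy of the site, not the live document root: keep the originals for the provider's investigation, diff the cleaned copies before uploading, and treat a clean scan as necessary but not sufficient, since a compromised hosting account can be re-injected as long as the attacker still has access.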

Ralph T

Ultra Member
ECF Veteran
Dec 3, 2009
Albuquerque, NM
Happened to me too... I've cleaned too much of this crap off other folks' systems lately... didn't click on crap to close the page, just hit the off button and held it for a hard reboot. I've got SuperAntispyware running a complete scan right now, hasn't found anything more than tracking cookies so far.

I have a VM of XP that is fully patched and snapshotted. I am going to see if I can "get" this bug and then figure out how to clean it off for others.

- Update one -
OK. It's definitely "scareware". I let it run the fake scan and I downloaded the file but did not execute it yet. Rebooted and am running SAS (SuperAntiSpyware) portable on it now. I want to see if it implanted itself prior to running the download. The goal of these criminals is to dupe someone into spending money on "fake" antivirus software. They get $60 or so bucks off your credit card and then when they have collected 10000 CC numbers they sell that info to other criminals...

- Update 2 -
Well SAS didn't find a thing including not identifying the download. I downloaded, updated and ran a quick scan with MalwareBytes Antimalware and it identified the download as a generic trojan downloader (it itself will download bad crap when run). Now I am going to run it to see what kind of crap I get... packupdate_build107_2045.exe is the filename of the download that the bad site served up to me.

- Update 3 -
Running packupdate_build107_2045.exe starts "My Security Engine Setup", which then opens My Security Engine, a very cute and convincing piece of software that runs a fake scan which purports to find tons of malware. When you click Remove Now it takes you to an activation page where they will steal between $49.95 and $89.95 of your money. OK. So worst case scenario is that you have this on your machine. Now let me see if there is any easy way to get it off.... This could take me a while...

- update 4 -
So I ran MalwareBytes Antimalware on the system and it found 768 instances of crap. Files, registry entries, etc. Did not find the bug in memory. When I attempted a remove all, it blue screened on me. This means that if anyone got to the point where they saw My Security Engine Setup then they are probably going to need some professional help cleaning it off... and I don't mean me. I hate this part of my job and it keeps me pretty darn busy. I was hoping for an easy fix here... Still looking...

Going to try the Kaspersky Rescue CD, which is a free download. Downloading it now...

- update 5 -
Well, after the blue screen, VMware rolled the Virtual Machine (VM) back to its uninfected state. And of course the web site is down for fixing so I can't get it reinfected. :( I think if anyone got the full infection where you have My Security Engine in your face nagging you, the best chance of a successful DIY cleanup is going to be an offline tool (bootable CD) from one of the AV vendors. These are known as rescue CDs. Kaspersky makes one and it's a free download. Hopefully no one got to this very painful state of affairs.
 

Winslow

Senior Member
ECF Veteran
Aug 4, 2009
Los Angeles
Happened to me too... I've cleaned too much of this crap off other folks' systems lately... didn't click on crap to close the page, just hit the off button and held it for a hard reboot. I've got SuperAntispyware running a complete scan right now, hasn't found anything more than tracking cookies so far.

Unless you're running IE, hard-rebooting your PC will probably cause more damage than visiting a malware site.

If it happens, just ctrl+alt+del force close your browser, and run a spy/malware/virus scan.
 

edensin

Senior Member
ECF Veteran
Verified Member
Apr 26, 2010
Colleyville, TX
Did anyone get to the point where they have My Security Engine Setup running and nagging them to buy or activate it?

No thank goodness, I just kept hitting the little x on the top corner to close whatever window popped up. But I gotta say I really appreciate you going through the whole thing and explaining what you have found. You have reassured me I didn't download something when I was afraid I might have.
Kudos!
:)
 

Ralph T

Ultra Member
ECF Veteran
Dec 3, 2009
Albuquerque, NM
No thank goodness, I just kept hitting the little x on the top corner to close whatever window popped up. But I gotta say I really appreciate you going through the whole thing and explaining what you have found. You have reassured me I didn't download something when I was afraid I might have.
Kudos!
:)

Glad to hear it. Alt-F4 also works well for rapidly closing windows.
 

Ralph T

Ultra Member
ECF Veteran
Dec 3, 2009
Albuquerque, NM
Unless you're running IE, hard-rebooting your PC will probably cause more damage than visiting a malware site.

If it happens, just ctrl+alt+del force close your browser, and run a spy/malware/virus scan.

Yes, if Windows is hard-booted or loses power, then it may run much slower after that. Windows has marked the NTFS filesystem as being "dirty" and accesses things in a slower manner. The fix for that is running chkdsk. On XP, you right-click on My Computer, click Open, right-click on the C drive, select Properties, select the Tools tab, select Check Now, check the top checkbox, click OK, click Yes to the question about scheduling it for the next reboot, then reboot the computer. When it does the disk check, at the end of stage three, if you pay very close attention you may see the phrase "Windows made corrections to the file system"... Then you will know there was a problem that got fixed. It flies off the screen pretty darn fast though.

Anyway, taking off my IT hat and putting the vaping hat back on.
 

Mr. Tasty Vapor

Unregistered Supplier
ECF Veteran
To our concerned patrons:

Update from GoDaddy: Fewer than 200 accounts hacked this morning, as they were able to contain it before it spread. In their own words:
Compromised Website Update 5/20/10 - An attack impacting less than 200 accounts happened this morning.

Go Daddy is working with other top hosting providers and security experts to gather information to stop the criminals initiating these exploits.

We have contacted the malware site registrar to remove the offending domain from the Internet, in order to block the attack.

As part of our investigation, Go Daddy has launched a fact-finding tool to collect information about your experience. If you suspect your site was impacted, please fill out our security submission form, located here - http://www.godaddy.com/securityissue.

Thank you, Todd Redfoot, Chief Information Security Officer
 

Gizmo362

Senior Member
ECF Veteran
Oct 21, 2009
North Coast
Hint: boot to Safe Mode with Networking, search on Yahoo for "combofix", download from bleepingcomputer.com only! http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Run in Safe Mode. Disregard the prompt for the boot-to-DOS setup. If it asks to reboot, then go back to Safe Mode with Networking and finish.

Download Malwarebytes from Filehippo.com while in Safe Mode and install it, then run a Malwarebytes scan while in Safe Mode. Reboot. Run Malwarebytes in regular mode. If anything shows up in regular mode then call your favorite computer geek. You have been hosed! Tell your geek what you did and he can continue from there.

Trust me I do this for a living.

Added: ComboFix only works on 32-bit computers. Malwarebytes will run on both 32-bit and 64-bit.
 