Solved

Is The Webmaster's Ultimate Reseller Package 2010 a scam that contains virus?

Posted on 2010-09-15
Last Modified: 2014-03-11
Yesterday, I purchased The Webmaster's Ultimate Reseller Package 2010 from this site:

http://www.webresell.net/?hop=idickson

I first found this "Reseller Package" as a link on this site:

http://www.quackit.com/ (which seems like a non-scam site).

It seemed to be no scam, as I also searched on google, using "scam" and the title of the download, and searched on the author's name, but no warnings at all.

I paid for the package with credit card by secure payment and started downloading everything yesterday. The first zip-files were no problem, no virus warning from my Eset Smart Security.

But then, when 99 % of ebooks.zip had been downloaded, the CPU ran up to 100 % constantly, I received the message that "The connection with the server was reset" and Eset Smart Security quarantined the file, labelling it as containing "several threats".

The same thing happened with the file scripts.zip; it has even been staying at 99 % with the CPU at 100 % for ten minutes now, and ... finally a "download complete" message (Eset Smart Security didn't quarantine this one, but the CPU was at 100 % constantly for 7-10 minutes!).

I am not 100 % sure about Eset's warning though, because when I earlier installed some software (Brilliant Database), it said it contained a virus (but it was a false alarm).

I sent an e-mail yesterday to [somename]@yahoo.com (this e-mail appeared on the Thank-you-page), but still no response.
Question by:hermesalpha

Author Comment

by:hermesalpha
ID: 33688819
The zip files have been downloaded to my external HDD. Are my laptop and my external HDD safe as long as I don't open any of the zip files? Should I use Media Viper and completely wipe them away, all the zip files? And stand the loss of this The Webmaster's Ultimate Reseller Package 2010?

Assisted Solution

by:rockiroads
ID: 33688868
I looked for reviews on this site and couldn't find anything really.

to be honest the first place doesn't look right. rather than having an extremely long page one would think they would have multiple pages instead of trying to give out all their info on one page. even the blurb looks like those infomercials.

since you paid by credit card you could maybe talk to them. credit card companies will reimburse you since you failed to get your goods. You could say you tried and were unable to get the goods.

you could have false positives though reported by eset.

wait for a response, doesn't sound too promising but hopefully you get one and prove me wrong.

I checked whois but didn't get much out of that http://www.whois.net/whois/webresell.net

In the meantime, run a full scan as well as a malware scan (if u don't have s/w then use malware bytes)


Author Comment

by:hermesalpha
ID: 33688955
My feeling was that it was scam from the look of the web site, but after searching everywhere (on the product title, the seller, the company) I didn't find any warnings. Also, Quackit seemed to be a non-scam site, and the link was placed on that site. But now, I begin to suspect that Quackit perhaps is not outright scam but perhaps not reliable when it comes to placing the link on its site in the first place.

I had CPU running up to 100 % for a third zip file, but this time it happened in the middle of the download, not when 99 % had been downloaded like with the first two files. And this file was also completely downloaded (not put in quarantine by Eset). But now, I have CPU running high quite often, even when not downloading.

Author Comment

by:hermesalpha
ID: 33689176
Malwarebytes found 249 infiltrations and I removed them all. But most of them were related to Sogou (a Chinese IME for writing Chinese), none of what I could see was related to the downloaded zip-files.

Now, Eset Smart Security is searching and has found 6 infiltrations, but there are no red-marked infiltrations when I browse through the search results (earlier the found infiltrations have always been red-marked, now none is red-marked even though Eset says it has found 6 infiltrations).

Can I choose to search my external HDD with Malwarebytes? Or can I only search internal drive with Malwarebytes?

Author Comment

by:hermesalpha
ID: 33689193
Ok, now I found this one red-marked in Eset:

autorun.cdd, zip, password-protected file.

It's located in C:\Documents and Settings\Myname\Local Settings\Temp\RarSFX0\autorun.cdd

Author Comment

by:hermesalpha
ID: 33689212
More search results from Eset:

Win32/PSW.Agent.NISPYNT tr
WIN32/PSW.LdPinch.KNRLSYV trojan

Author Comment

by:hermesalpha
ID: 33689215
My CPU has been constantly at 100 % for a long time (2 hours).

Author Comment

by:hermesalpha
ID: 33689250
I have to avoid a reinstall at any cost, it would be a catastrophe! I think this trojan registers my keystrokes and steals passwords, right? When I type now, the cursor is moving slowly, slower than normal.

What should I do? Use ComboFix? I just have to get rid of this trojan immediately!

Author Comment

by:hermesalpha
ID: 33689268
The first zip file I downloaded to my external HDD should be no problem because Eset detected and quarantined it. But the other two files were not detected: scripts.zip, and I think Stock Photos.zip was also infected because the CPU ran at 100 % for a long time in the middle of downloading.


Author Comment

by:hermesalpha
ID: 33689279
I suppose one thing I shouldn't do now is to log in to any site using my username and password.

Author Comment

by:hermesalpha
ID: 33689988
CPU is constantly on 100 %, what is happening! Cursor is slow. Is the trojan searching all my files for passwords and login details now? Should I turn off the computer?

Assisted Solution

by:Johndo58
ID: 33690474
Just had a look at the site mentioned and to be honest would not touch it with a very large pole.  The first link I tried on the site

www.SeanBluestone.com

Immediately came up with a Malware alert.

Author Comment

by:hermesalpha
ID: 33690782
SuperAntiSpyware (free edition) found 18 (!!!) of this (so far...):

Trojan.Agent/Gen-Nullo[Short]

Author Comment

by:hermesalpha
ID: 33690844
The damage is already done, so the most urgent is to find everything that has been infected.
I'm really getting anxious about this: searching on google, I found several other similar cases and they all seem to have no option other than to reinstall. I have important translation jobs I must get done tomorrow and the next few days.

Do you think there is any, small chance I can find all infections and avoid a reinstall? For instance, first eliminate all infections found by SuperAntiSpyware, then use Combofix?

My cursor is so slow when I type, so probably Mr. Paul J. Meyer sits somewhere and reads my keystrokes. Is there any risk that the trojan has already found login information that is stored on my laptop? So far, I have not logged in to any site with my user-ids and passwords.

Second thing, IF all infections are found, is it possible to use the downloaded zip-files if I search them through several times with all possible AV-tools and Spyware tools?
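The question of whether the downloaded archives can ever be trusted is one a responder can partly answer without opening them: a ZIP's central directory already reveals password-protected entries (a scanner cannot look inside those, which is exactly the "password-protected file" ESET flagged), executables hidden in a bundle sold as ebooks, autorun files, entry paths that escape the extraction folder, and decompression-bomb ratios. The following script is an added example written for this thread, not code from ESET, Malwarebytes or the seller; the extension list and the ratio threshold are assumptions, the sample archive it builds is constructed, and the entry name autorun.cdd mirrors the one quoted above only as a label.

```python
"""Triage a downloaded ZIP archive without extracting anything from it."""
import hashlib
import os
import tempfile
import zipfile

# Entry types worth a second look inside a bundle sold as "ebooks" or "scripts".
# Constructed list for this example; it is nobody's official detection logic.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                   ".js", ".jse", ".wsf", ".hta", ".dll", ".cpl", ".msi"}
MAX_COMPRESSION_RATIO = 100   # assumed threshold for "suspiciously compressible"
ENCRYPTED_FLAG = 0x1          # ZIP general-purpose flag bit 0 = encrypted entry


def sha256_of_file(path):
    """Hash the archive exactly as downloaded, so it can be reported or looked up later."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_entry(info):
    """Return the reasons a single ZipInfo deserves attention (empty list if none)."""
    reasons = []
    name = info.filename
    base = os.path.basename(name).lower()
    ext = os.path.splitext(base)[1]
    parts = name.replace("\\", "/").split("/")
    if info.flag_bits & ENCRYPTED_FLAG:
        reasons.append("password-protected entry: a scanner cannot look inside it")
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable content in a data bundle")
    if base == "autorun.inf":
        reasons.append("autorun file: would launch something if copied to removable media")
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":") or ".." in parts:
        reasons.append("path escapes the extraction directory (zip-slip)")
    if info.compress_size and info.file_size / info.compress_size > MAX_COMPRESSION_RATIO:
        reasons.append("extreme compression ratio: possible decompression bomb")
    return reasons


def triage_zip(path):
    """Walk the central directory only; never extract. Returns (sha256, findings)."""
    findings = []
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            for reason in classify_entry(info):
                findings.append((info.filename, reason))
    return sha256_of_file(path), findings


def build_sample_zip(path):
    """Constructed sample mimicking a reseller bundle; it is not the real download."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ebooks/guide.txt", "Chapter 1: nothing unusual here.\n")
        zf.writestr("ebooks/reader.exe", b"MZ" + b"\x00" * 64)       # executable in a data bundle
        zf.writestr("autorun.inf", "[autorun]\n")                      # autorun file
        zf.writestr("../../Windows/notes.txt", "lands outside the target folder")  # zip-slip
        zf.writestr("bonus/padding.bin", b"\x00" * 200_000)           # bomb-like ratio


def demo():
    """Build the sample, triage it, and return the findings for inspection or testing."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "ebooks.zip")
        build_sample_zip(sample)
        digest, findings = triage_zip(sample)
    # Python's zipfile cannot write encrypted entries, so the password-protected
    # case is simulated with a hand-built ZipInfo carrying the encryption flag.
    locked = zipfile.ZipInfo("autorun.cdd")
    locked.flag_bits |= ENCRYPTED_FLAG
    findings += [(locked.filename, r) for r in classify_entry(locked)]
    return digest, findings


if __name__ == "__main__":
    digest, findings = demo()
    print("sha256:", digest)
    for name, reason in findings:
        print(f"  {name}: {reason}")
```

Run it on a real download as `triage_zip("ebooks.zip")` from a machine that is not the infected one. A clean listing does not prove the archive is safe (a PDF or script entry can still carry a payload), but any finding is a reason to stop before extraction, and the SHA-256 gives the seller and the AV vendor something concrete to compare against.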

Author Comment

by:hermesalpha
ID: 33690850
Both my cursor and the whole system are very very slow now.

Author Comment

by:hermesalpha
ID: 33690862
Should I stop the scanning now that SuperAntiSpyware is doing and remove the 18 Trojans? And then resume scanning with SuperAntiSpyware?

Accepted Solution

by:rockiroads
ID: 33691849
I went to bed soon after I posted so missed all your posts.

try to get hold of the following tools

hijackthis - http://www.hijackthis.de/downloads/HJTInstall.exe - scan, fix anything, perhaps post log here for people to see
combofix - http://www.bleepingcomputer.com/combofix/how-to-use-combofix
tdsskiller - http://support.kaspersky.com/viruses/solutions?qid=208280684
rootalyzer - http://forums.spybot.info/showthread.php?t=24185

see if you can run these

also try malwarebytes and antivirus in safe mode

do not connect any external disks to it. if u already did with the hard disk then leave alone for the time being. fix your pc laptop first

see if u can disconnect laptop from internet before running scans

Regarding the zip files u downloaded, hard to say if they are the actual cause but it does sound like when visiting that site and allowing a download it might have done other things or that zip file might be dodgy.

Assisted Solution

by:aleghart
ID: 33694983
Sounds like this project should have been a no-go from the start, but like you said, the damage is already done.

In any crisis, you need to get back to the basics first. If it were a car/boat/ship, you need to get CONTROL. Then you need to ISOLATE the problem. You need to ACCOUNT for important assets. Then you can start emergency REPAIRS that are primary to getting your job done. GET THE JOB DONE. Then you can start SALVAGE of less important assets.

CONTROL: Disconnect the computer from the internet.

ISOLATE: Get a replacement hard drive or computer.

ACCOUNT: Backup important data (twice).  Gather necessary installation discs/downloads.

REPAIR: install from scratch.  Should take 2-4 hours tops to get you back in business.

GET THE JOB DONE: For you, make the deadline.  In a vehicle, navigate to safety.

SALVAGE: After you get emergency work done, start installing updates/patches, secondary software, restoring data files, forensic analysis of the infection, recovering money from the scam, etc.

That's just off the cuff.  Others might have different opinions, but a crisis is a crisis, even if it's "just" a computer.  For some people, that's their means to putting food on the table.

Author Comment

by:hermesalpha
ID: 33698611
I actually received a reply from [Some Name] (the email that was on the Thank You page), and he said he will have a look at it as the material "should not have contained any virus". Anyway, I sent a reply and am waiting for his second reply to see what explanation I get.

Expert Comment

by:rockiroads
ID: 33698669
That's good news indeed that you got a reply. Fingers crossed that this was not at fault, but you still have some issues to resolve. How is that going?

Author Comment

by:hermesalpha
ID: 33698961
Still no second reply, but only an hour has passed since I sent my second e-mail.

If this [Some Name] is sincere and somebody else has placed the virus at that site, still what could he do to resolve this? Essentially, with the seller there are two issues: Can I even use the purchased software securely, how can I trust that if they tell me they've removed the Trojans and then use it? And two, the seller can hardly help me with the current infection already present on my system, can they?

Assisted Solution

by:aleghart
ID: 33701850
>the seller can hardly help me with the current infection already present on my system, can they?

No. You need to take care of your system first. Worry about refunds and replacements last. They are low priority.

The only relevance it would have is if the author/supplier knows exactly what the infection is, and has magic software that will fix everything 100%.  That never happens...unless it's a deliberate payload used for holding your files hostage to force payment.  In this case, looks like you have a broad spectrum of malware, not a targeted attack.

Author Comment

by:hermesalpha
ID: 33706690
I just received a reply from Webresell.net and [Some Name]:

Hello hermesalpha,

I've done Microsoft Forefront scans of those files and found absolutely nothing.

I also checked out seanbluestone.com and found nothing. I don't have Eset. Maybe you can send me the scan logs?

Could it be possible that your malware is coming from another source? Did you download anything else recently?

[Some Name]
Webresell.net

This is my reply that I just returned to him:

Hi [Some Name],

I think there has to be one of two things that must have happened:

1. The files were infected (which might not be the case now that you tell me the results of your scans)
2. Something happened during the download at the download location

I am absolutely sure it came from no other location; I was working on a translation at the same time as I downloaded all the zip files from the Thank you page. The first zip files went fine, no problems.

Then, with ebooks.zip, after 99 % had been downloaded the CPU ran up to 100 % constantly and after a while Eset Smart Security told me ebooks.zip contained several threats (which perhaps were being transferred to my computer when I accepted the download and maybe are not in the zip files themselves).

Exactly the same thing with scripts.zip as with ebooks.zip.

Stock Photos.zip: Was completely downloaded without Eset stopping it, but the CPU ran up to 100 % in the middle of the download, and it took a very long time at 99 % before it actually was completed. I still don't have scripts.zip and ebooks.zip, impossible for me to download. I wonder if you could e-mail these to me, using VPN? Or upload them on a server I have access to? Or use the service www.sendthisfile.com?

Regarding this infection I have now (now, my CPU is going up and down every 20 seconds and the cursor has started to be slow again, so probably there is a keylogger in my computer), what should I do? I am 100 % certain my computer was infected when I downloaded from the Thank you page. Can you give me some ideas about what possibly could have happened?

Regards,

hermesalpha

In the event that [Some Name] and the people behind Webresell.net are not the ones that have caused this infection, who else could it have been? I was working on a translation job at the same time as I downloaded the many zip files from the Thank you page. Is it possible that the people at the hotel here in China are the ones who have something to do with this? Many people here don't like Westerners (I live in the old area of Guangzhou) and I've experienced many peculiarities with my internet connection; when I can't connect for some reason I phone the reception and within 5-10 minutes (or immediately) I can connect again. The local police here wanted to have better control of which web sites the hotel guests visited, so each hotel guest now has a login userid and password (this was not the case earlier when I lived here). For example, what do they do after I've called the reception and told them I can't connect?

aleghart, after reading the reply from [Some Name], do you think it's more probable that the current infection is not a targeted attack but a broad spectrum of malware? Would this be "less evil" damage to my system than a targeted attack?

Should I send the log files to him, from my Combofix and Hijackthis scans?

Author Comment

by:hermesalpha
ID: 33706710
If I send the scan logs to [Some Name], is there any risk with doing this?

I mean, if he would be the person behind the infection and already has a degree of control over my computer via the planted virus, would I give him more control if I send him the Combofix and Hijackthis scan logs?

Author Comment

by:hermesalpha
ID: 33706729
Is this problem related to the infection?:

I logged in to My account at SDL Trados (https://oos.sdl.com/asp/products/ssl/account/default.asp).
That worked fine.

I then chose "Submit your technical query" because I needed support with my CAT-tool. Whereupon I received this error message (I have never received this error message before and I have always been able to submit my technical queries without problems):

"Caught exception: Access denied!".

Assisted Solution

by:rockiroads
ID: 33706751
Sending the logs shouldn't do any harm. You can always look at them to see there's no personal stuff in there (highly unlikely)
the fact that he is responding doesn't sound dodgy. if it was dodgy I doubt very much they would have replied.

you might have caught something inadvertently or something lying hidden just came about. it's hard to tell.

Regarding your last post, that message does seem weird. Any decent web site would capture errors.

Does eset have a virtual keyboard (or use ms)? You can use that to type things so a keylogger shouldn't pick up on those things.

Is your PC clean yet?

Author Comment

by:hermesalpha
ID: 33707041
To confuse the keylogger, I open Notepad and type letters and numbers randomly, then copy and paste one or two letters and numbers at a time into my login fields. Will this deceive the keylogger?

No, every 20 seconds the CPU runs to 100 %, then pauses for 20 seconds, runs to 100 % again (it has done this since morning, 7 hours, but I have to wait for replies on my postings this morning about what to do; I also have to finish a translation job before Monday so I will try a system restore after I've scanned in safe mode).

The cursor was fine when I started the computer this morning, then for about an hour it was very slow again, after that the cursor is fine, it's quick, only the CPU running to 100 % every 20 seconds, quite irritating because I hear the sound of it all the time.

Assisted Solution

by:rockiroads
ID: 33707104
have u tried working in safe mode? did u run malwarebytes/eset in safe mode?
and the other tools like hitman pro/combofix/tddskiller

Author Comment

by:hermesalpha
ID: 33707366
I ran these six tools yesterday (not in safe mode though, because I don't know how to switch off Eset Smart Security in safe mode: ComboFix keeps telling me Eset is turned on when in safe mode even when I have turned it off!).

When I am in safe mode, can I use msconfig and choose Services/Disable all? Is there any risk with doing this?

Haven't tried Hitman Pro yet, should I use that also?

Can I use them in any order? For example, first Combofix, then Malwarebytes then Superantispyware?

Assisted Solution

by:rockiroads
ID: 33707910
order doesn't matter
read up on hitman pro first http://www.surfright.nl/en/hitmanpro

do you need to disable eset? if so then this is how u can temp disable it (in case you didn't try this route) http://kb.eset.com/esetkb/index?page=content&id=SOLN548

in terms of services, that's a no-no. instead you can run hijack this http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html and examine the log produced, can upload here as well if u want

Author Comment

by:hermesalpha
ID: 33710466
Unfortunately I didn't read your last posting until too late: I turned off services in safe mode and didn't succeed in turning off Eset Smart Security while ComboFix was scanning. So I had to reinstall everything; I am still downloading and installing all updates (takes ages..., each reboot Windows Update finds new updates).

To avoid this ever happening again (I will need to work 24 hours now to get the translations handed in before the deadline tomorrow, Monday), I will install as much as I can and then use Acronis True Image Home 2011 (their latest version, will purchase it when I've finished the installations).

To your knowledge, is the best idea to save the image to D:? What about if I ever would get the same kind of infection? Is there any risk that it can spread onto D: and the image, making it useless? Or if the internal HDD would get damaged?

Also, can I make a first image quite soon and later I make a new image that will replace the first one on D:? I tried that a long time ago with Symantec's Ghost, but each image was saved separately so for each new image I made it didn't replace the old one but just added this new alongside the old one. Which, of course, took a lot of unnecessary space.

Author Comment

by:hermesalpha
ID: 33710590
Can the virus have survived? The CPU still goes up and down every 20 seconds like before! I used White Canyon's WipeDrive and chose the most secure alternative: wipe with confirmation three times.

Is it really possible the virus still is there?

Author Comment

by:hermesalpha
ID: 33711122
And I can't access this website: http://www.proz.com/

Author Comment

by:hermesalpha
ID: 33711204
The cursor and the laptop are very quick, but I really wonder when the CPU follows exactly the same pattern as when I had the virus before the reinstallation this morning: running up to 100 % every 20 seconds.

Author Comment

by:hermesalpha
ID: 33711673
Ok, I think it's time to leave China!:

Just reinstalled the whole operative system, then installed new software again. Installed the Chinese IM software QQ (the international version that is in English). And now I got the explanation why the laptop immediately was behaving a bit strange: a Trojan.Dropper in C:\Program Files\Tencent\QQIntl\Bin\Selfupdate.exe (the QQ installation!).

Expert Comment

by:rockiroads
ID: 33712033
Could be a false positive. But after reinstall (did u do a format before reinstall?) it could be a real problem.

Author Comment

by:hermesalpha
ID: 33714180
I have all of this seller's products: www.whitecanyon.com

I used their WipeDrive to completely remove anything on my internal HDD. I used the most secure alternative: 3 overwrites with 3 confirmations. And then reinstalled everything on the wiped HDD.

No, it's not false alarm, something is very wrong. I will list all small issues I have now below, please have a look and see if you can see any pattern that definitely will be related to the same virus I had before:

1. A strange "do-re-mi"-sound, not very often but it plays through my laptop's speakers. This is exactly the same sound as I had before I wiped the HDD and reinstalled!
2. CPU runs up to 100 % every 20 seconds, just like before the reinstallation (not yet today though, but yesterday even after the reinstallation, although without any decrease in performance: both changing windows and the cursor movements were very quick all the time).
3. I can not access www.proz.com (a site for translators that I really need access to). I received the message that "The server closed the connection". The same regardless of which browser I use.
4. I can't use Skype, can't login. Also regardless of which browser I use. I need Skype to communicate with my British customer.
5. I don't know if I dare to use the Chinese IM QQ anymore (I recall now that on an earlier occasion, it found a Trojan also in the download). This is one means of communication with a third potential Chinese customer, but I'm not sure I will dare to use it if I risk virus infections.

Actually, one thing I consider is that the second CD-ROM I use from HP, perhaps I install the wrong stuff from it. There are three sections with a lot of checkboxes on when I use that CD-ROM (immediately after I've installed Windows XP), a lot of drivers.

I've just ridden out the first storm (managed to get the finished translation to the customer, but an hour late), but now this week I really don't know how to manage because the laptop and the internet connection are as unpredictable as they possibly can be. I only have two steady customers (one Chinese and one British) and they are the backbone of my business now; without them I can't expand my business and the business would revert to nothing, so they have to be able to trust that I can use the internet and return jobs in time.
I'm really fighting to survive, but the odds have turned really really bad...

In the long run, I will purchase a new laptop with Intel Core 2 Duo processor and larger RAM (some of the problem is probably related to the slow processor I have). But for now, I need to find a solution and to find all viruses.

I was planning of making a backup image once I've reinstalled but now it seems like I already have virus! So, I can't continue reinstalling all the time, I get nowhere!

I e-mailed my logs from Hijackthis and Combofix to [Some Name] yesterday, still no reply.

Author Comment

by:hermesalpha
ID: 33714330
A sixth issue:

6. It takes ages to install Google Chrome (it says on the download page it should take a few seconds; it has taken at least 5 minutes now!). The internet connection is slow here in China and perhaps the hotel's firewall and other settings for this network make it even slower. I have a login so I don't know how and what the hotel management and police filter among the web sites I can go to. But it is really strange that I couldn't access www.proz.com today (that has never happened before), which is a website for translators.

Assisted Solution

by:rockiroads
ID: 33717369
have u tried using any proxies? I guess google and china don't see eye to eye much. Just try using alternative browsers like IE or firefox, whatever it takes to get your job done.

Author Comment

by:hermesalpha
ID: 33721992
rockiroads,

What do you mean with "did u do a format before reinstall"?

I never did any system restore, nor did I format anything, only used WipeDrive to wipe three times and confirm three times, the hard disk should have been like a desert after that, nothing left on it. After that, I just installed the Windows XP Pro.

Expert Comment

by:rockiroads
ID: 33722030
format meaning just a clean install, which is what you did with wipedrive. just wondering if that s/w was clean then there couldn't be any other virus/spyware that crept in, so thinking it might have been a false positive but you're still having issues.

Author Closing Comment

by:hermesalpha
ID: 33865917
I tried everything that was suggested but made a mistake so I had to reinstall everything. After the reinstall I still have problems with high CPU (but performance is not affected). So I suspect there must be an issue either with the local (filtered) network here at the hotel in China, or an issue with drivers or hardware on my laptop.

Expert Comment

by:Johndo58
ID: 33866118
There may very well be an issue with the Chinese servers, both in the hotel and also at ISP level. If memory serves me right, there are some rather interesting issues emanating from the direction of China and to be honest with you nothing would really surprise me about China.

You may like to take a look at this :

http://news.bbc.co.uk/2/hi/8455712.stm

http://www.redherring.com/home/26359

Wishing you all the best

Expert Comment

by:rockiroads
ID: 33868328
like the article from the beeb. funny how google like to spy on people themselves lol and they have the cheek to complain about china. still can't be surprised this stuff happens in china, being a communist state they don't like critics!

do you still get high cpu usage in safemode?

maybe have a look at a utility like filemon to see whats going on http://en.wikipedia.org/wiki/FileMon
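The thread ends without anyone pinning down the "100 % every 20 seconds" pattern, and the filemon suggestion is the right instinct: sample what is running at each burst and see which process keeps showing up. The script below is an added example for this thread, not code from any of the tools mentioned. It assumes per-process CPU samples were already collected by some periodic sampler and exported as `time,process,cpu` CSV (that format is an assumption); the log it analyses is constructed, the process names in it are invented, and the spike threshold is assumed. Given such a log it returns the spike timestamps, the median spacing between them (the period), and the process that topped each spike.

```python
"""Find the period of recurring CPU spikes and which process keeps causing them."""
import csv
import io
import statistics
from collections import Counter, defaultdict

SPIKE_THRESHOLD = 90.0   # assumed: total CPU% in one sample that counts as a spike


def make_sample_log():
    """Constructed sampler output: three invented processes sampled every 5 s for a minute."""
    lines = ["time,process,cpu"]
    for t in range(0, 65, 5):
        burst = 95 if t % 20 == 0 else 1          # one process fires every 20 s
        lines += [f"{t},browser.exe,3", f"{t},editor.exe,4", f"{t},svc_sample.exe,{burst}"]
    return "\n".join(lines) + "\n"


def parse_samples(text):
    """Parse 'time,process,cpu' CSV into {time: {process: cpu_percent}}."""
    by_time = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(text)):
        by_time[float(row["time"])][row["process"]] = float(row["cpu"])
    return dict(by_time)


def find_spikes(by_time, threshold=SPIKE_THRESHOLD):
    """Timestamps whose summed CPU across processes reaches the threshold."""
    return sorted(t for t, procs in by_time.items() if sum(procs.values()) >= threshold)


def spike_period(spike_times):
    """Median gap between consecutive spikes; None when fewer than two spikes exist."""
    if len(spike_times) < 2:
        return None
    gaps = [later - earlier for earlier, later in zip(spike_times, spike_times[1:])]
    return statistics.median(gaps)


def rank_culprits(by_time, spike_times):
    """Count, per process, how often it was the top consumer during a spike."""
    counts = Counter()
    for t in spike_times:
        top_process = max(by_time[t].items(), key=lambda item: item[1])[0]
        counts[top_process] += 1
    return counts


def analyse(text):
    """Full pipeline: parse, locate spikes, estimate their period, attribute them."""
    by_time = parse_samples(text)
    spikes = find_spikes(by_time)
    return {
        "spikes": spikes,
        "period": spike_period(spikes),
        "culprits": rank_culprits(by_time, spikes),
    }


if __name__ == "__main__":
    result = analyse(make_sample_log())
    print("spikes at:", result["spikes"])
    print("period (s):", result["period"])
    for process, hits in result["culprits"].most_common():
        print(f"  {process}: top consumer in {hits} of {len(result['spikes'])} spikes")
```

A steady period with a single recurring top consumer points at one scheduled component (a driver helper, an updater, a scanner's own periodic job) rather than at general slowness, and that name is what to feed into the next step, whether that is a file-activity trace or an AV submission. If the sampler's interval is longer than the burst, spikes will be missed; sample at least several times per suspected period.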