dupa

Author Topic: Virus alert.  (Read 18981 times)

freddy888

  • Hero Member
  • *****
  • Posts: 1693
    • View Profile
    • AiDreams
Virus alert.
« on: January 23, 2008, 06:10:36 pm »
Just wanted to warn people that I picked up at least 2 viruses here today.  One of them was JS/Psyme.NR, not sure what that does.  Also I keep getting the file ~tmp1174.exe which is another virus related file.  I repeated my surfing and narrowed it down to the Zabaware site.  I believe the viruses downloaded themselves when I I went to the forum page here, or possibly when I clicked on 'Active Topics'.  Hard to tell, but they were definatetly from here as I was watching my documents and settings folder as I navigated.  Soon as I came here I got the viruses again.

One or both might be trojans.  Symptoms are that at least one of them hijacks Internet Explorer and tries to make changes to the shell.  I keep getting redirected to dodgy pages and unrelated search pages or results.  This makes surfing a pain as the browser just takes you anywhere it feels like.

I can't seem to shift them as they reappear after a reboot.  AVG doesn't even spot the #tmp1174.exe so it can do nothing about it.
These virus's are a real pain so watch out.

Perhaps this has something to do with the forum code being switched off ?
« Last Edit: January 23, 2008, 06:15:21 pm by freddy888 »

markofkane

  • Hero Member
  • *****
  • Posts: 5275
  • Crazy Man
    • View Profile
    • http://www.soundspectrum.com
Virus alert.
« Reply #1 on: January 23, 2008, 06:24:58 pm »
Possibly. I use Firefox with NoScript, and so far had no warnings of any kind here.

Maybe this is why forum code is off. But html isn't.

I hope Robert won't have to disable posting pics, just disable certain tags, like .exe, .js,  etc, like other forums can.

But if he has to, I will understand for security reasons.

It may be coming from google-analytics.com, which I block.[?][?][?][?][?][?]

My theory is why they reappear after reboot, is there is a new program starting up with your computer. If you can identify the program, and stop it from starting up, that may solve it.

But best bet is to run an online scan with Trend Micro.

And download and scan with a program called "Hijack this" and post it on a tech forum for those that are good at analyzing it. Just some ideas.
« Last Edit: January 23, 2008, 06:36:18 pm by markofkane »
Mark: I'll think about it
Laura: Don't think about it too long or I'll throw you out on your ***king a**.
"Political correctness is censorship"

Bill819

  • Hero Member
  • *****
  • Posts: 1483
    • View Profile
Virus alert.
« Reply #2 on: January 23, 2008, 07:51:41 pm »
Hi Freddy
I just bought and installed the latest anti virus software last week and I get no warnings of any kind for this site. I did not try to download in pictures though so maybe there might be something attached to one of them.
Bill
 

tedathome

  • Hero Member
  • *****
  • Posts: 2775
    • View Profile
Virus alert.
« Reply #3 on: January 23, 2008, 10:45:19 pm »
My Norton Symantec blocks this. It happens every time I try to log on.
It says it is trying to install an update to Adobe flash or shockwave player. I don't remember which. It wants you to enable an active x control so if you get that far, x it out.
 Be safe friends and do what it takes to protect yourself and your computer.
ted

onthecuttingedge2005

  • Guest
Virus alert.
« Reply #4 on: January 23, 2008, 10:49:00 pm »
Hi Freddy.

here is some info about that file:

http://www.prevx.com/filenames/X9262996960045788-X1/~TMP1174.EXE.html

hope it helps.
Jerry[8D]

dgher1

  • Jr. Member
  • **
  • Posts: 77
    • View Profile
Virus alert.
« Reply #5 on: January 24, 2008, 03:04:25 am »
when i chick on forum at zabaware home page when it give a warning i click yes itgo to the all forum . but if i click back on the down arrow get http:/ www.yourxxxblog.blog/js_go_f1.php. if this help you guys. i been a great fan. i didn't put the second / in so it did'nt get on this message.may can delet
 

freddy888

  • Hero Member
  • *****
  • Posts: 1693
    • View Profile
    • AiDreams
Virus alert.
« Reply #6 on: January 24, 2008, 10:37:23 am »
Thanks for the help guys, it's much appreciated [:)]

Just so you know I managed to remove ~tmp1174.exe but when I came back here just now I got it again, so the virus is still active here.  I noticed it downloaded as I entered the forum and it froze my pc for a bit.  I managed to stop it altering Internet Explorer this time though as I have installed SpyBot Search and Destroy.  I'm not so sure now if they do reappear after reboot, but I'll give 'Hijack This' a go too, thanks Mark.  

IE still isn't working properly though, so I may just reinstall everything and update my virus software.

dgher1, yes I think I got that too, it looks familiar.  Mostly it seems to be hijacking search engine results like yahoo and then redirecting to some dodgy looking search pages when you click on the results.  This renders the main search engines useless.

TedAtHome, yes I have had that Active X request too, I denied it though too, which I think was wise.

Seems to me that some idiot has dropped a few viruses here.  Pain in the Royal A** !
« Last Edit: January 24, 2008, 10:53:37 am by freddy888 »

freddy888

  • Hero Member
  • *****
  • Posts: 1693
    • View Profile
    • AiDreams
Virus alert.
« Reply #7 on: January 24, 2008, 10:40:07 am »
quote:
Originally posted by onthecuttingedge2005

Hi Freddy.

here is some info about that file:

http://www.prevx.com/filenames/X9262996960045788-X1/~TMP1174.EXE.html

hope it helps.
Jerry[8D]



Certainly does Jerry - I can't do any web searchs at the moment so I would never of found it.  Looks like a pretty new Virus too...and nasty.

I didn't like this bit :

"The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents."
« Last Edit: January 24, 2008, 11:22:05 am by freddy888 »

onthecuttingedge2005

  • Guest
Virus alert.
« Reply #8 on: January 24, 2008, 11:32:01 am »
Hi Freddy.

Some viruses and trojans are persistant and will cripple the ability to delete them, they can also cripple anti-virus installations to prevent a person from installing anything that would compromise the virus or trojan.

if you know what folder the applications are running in you could use a little vbs code I wrote and paste the code into a text file and save it as DeleteFiles.vbs and place it in your startup folder so every time you reboot the vbs file will look for those apps and delete them as your computer starts.

I have used this trick on some computers that were infected which gave me time to install anti-virus software to get rid of the rest of the application in memory.

Set FileSys = CreateObject("Scripting.FileSystemObject")

'Write the file or application name with extension to be deleted here between the quotes
'with the exact root directory
DelFile1 = "C:\Downloads\Some_Unwanted_File1.exe"
DelFile2 = "C:\Downloads\Some_Unwanted_File2.exe"
DelFile3 = "C:\Downloads\Some_Unwanted_File3.exe"


anArray = array(DelFile1,DelFile2,DelFile3)
For Each arrayElement In anArray
If FileSys.FileExists(arrayElement) = True Then FileSys.DeleteFile arrayElement
Next


the above code when activated doesn't ask for permission to delete a file on windows 2000 or below but winXP or Windows vista may prevent it from running so you might have to give the vbs file permission to run.

becareful not to delete any important system files.

I hope it helps.
Jerry[8D]
« Last Edit: January 24, 2008, 04:00:45 pm by onthecuttingedge2005 »

freddy888

  • Hero Member
  • *****
  • Posts: 1693
    • View Profile
    • AiDreams
Virus alert.
« Reply #9 on: January 24, 2008, 11:35:25 am »
Thanks Jerry, I will bear that in mind, but past experience of removing viruses has left me thinking it is easier and quicker to just reinstall windows and update my virus s/w.  There's not much I want to keep on this machine at the moment so it's probably my best option.  But I will take note of your code, it's certainly a cunning way to deal with it.
« Last Edit: January 24, 2008, 11:37:15 am by freddy888 »

Medeksza

  • Administrator
  • Hero Member
  • *****
  • Posts: 1476
    • View Profile
    • http://www.zabaware.com
Virus alert.
« Reply #10 on: January 24, 2008, 01:27:55 pm »
I've made sure the virus checker on the Zabaware server is up to date and ran a full system scan. I can't seem to find anything. Can you give me exact URL's where you are getting the virus alert? If there is something wrong it should be visible in the HTML page source itself.
Robert Medeksza

Medeksza

  • Administrator
  • Hero Member
  • *****
  • Posts: 1476
    • View Profile
    • http://www.zabaware.com
Virus alert.
« Reply #11 on: January 24, 2008, 01:31:13 pm »
Hmmm, I haven't found a virus yet, but the forum config has definetely been tampered with to turn off forum code and allow HTML. I put the settings back in place.
Robert Medeksza

onthecuttingedge2005

  • Guest
Virus alert.
« Reply #12 on: January 24, 2008, 04:08:51 pm »
quote:
Originally posted by Medeksza

Hmmm, I haven't found a virus yet, but the forum config has definetely been tampered with to turn off forum code and allow HTML. I put the settings back in place.



Hi Rob.

It could of been a hacker, it might be safe to change the servers password to a password that is much stronger, upper, lower case with numbers and at least 12 characters or more long.

a password of 12 or more in length even for a brute force program would take a very long time to crack.

it would take a brute force program about a month to crack, so it might be even safer to change the password every couple of weeks or so.

Jerry[8D]

jackgephart

  • Hero Member
  • *****
  • Posts: 1696
    • View Profile
Virus alert.
« Reply #13 on: January 24, 2008, 05:26:20 pm »
I've got the Norton Internet Security 2008 and even if some cookie or anything gives a little hickup it let's me know, I saw nothing from this site. That should make you feel good Rob. If anything gets blocked or spoken of about this site from my Norton system, I will tell you imediately. I love this site and hope you keep it on for a long long time.
 

markofkane

  • Hero Member
  • *****
  • Posts: 5275
  • Crazy Man
    • View Profile
    • http://www.soundspectrum.com
Virus alert.
« Reply #14 on: January 24, 2008, 06:07:45 pm »
I hope everything we be alright from now on.[:D][:D][:D]
Mark: I'll think about it
Laura: Don't think about it too long or I'll throw you out on your ***king a**.
"Political correctness is censorship"