Question Something's triggering a virus threat

Discussion in 'Site Support & News' started by cboath, Dec 10, 2011.

  1. cboath

    cboath Master Member

    Trophy Points:
    3,276
    I've gone to the three sections now - replica props, OT, and Movie and each time the page loads I'm getting a virus warning on 910.8207.exe being a possible trojan. Not happening on any other site, just here.

    My guess is it's a false positive, but thought you should know either way.

    FWIW, I'm running an updated AVG 2012.
     
  2. Mr_Creepy

    Mr_Creepy Sr Member RPF PREMIUM MEMBER

    Trophy Points:
    1,341
    Been noticing that tonight as well (Norton) :unsure
     
  3. Wolfie

    Wolfie Sr Member

    Trophy Points:
    1,046
    I got hammered with a windows update virus last time this happened :(
     
  4. Wes R

    Wes R Legendary Member

    Trophy Points:
    6,750
    My Norton isn't going off, which I guess is a good sign. I wonder if it's one of the ads on the site.
     
  5. Art Andrews

    Art Andrews Community Owner Community Staff

    Trophy Points:
    5,550
    Looking into it, but not seeing it so far.
     
  6. tictoc

    tictoc Well-Known Member

    Trophy Points:
    746
    Happened this morning too... I was trying to open a pic in the prop section.
     
  7. cboath

    cboath Master Member

    Trophy Points:
    3,276
    I just came in for the first time this morning and got 4, seriously, as the first screen even loaded.

    One was a {something}.com/img.php, something else ARF.exe
     
  8. LeoFirebrand

    LeoFirebrand Active Member

    Trophy Points:
    331
    I got the windows vista virus alert 2012 virus last night trying to view an image. Virus blocker cleaned it but it still broke .exe associations so I had to modify registry too. Was quite the pain. If it helps it was in the junkyard. Think I was looking at mecha01's portal turret pics. Not sure if the virus can attach that way.
     
  9. cboath

    cboath Master Member

    Trophy Points:
    3,276
    Exact same thing happened to me just after posting my last post in this thread.

    Running Spybot said that it found Fraud.InternetSecurity2011. Files listed were ARF.exe and two very long asdfad435tdsafasd90asd type files. In program data and appdata\local and appdata\local\microsoft\windows\templates. (Those asdasdf things aren't the actual file names, just showing that they were 20+ characters long and random alphanumeric names with no extensions).

    Extremely uncool.

    I know it's not the staff's fault, but someone needs a butt kicking for letting this stuff through. My guess is an adserver.
     
  10. cboath

    cboath Master Member

    Trophy Points:
    3,276
    As soon as I posted the above, I went to the OT and got yet another one.

    Changed browsers and now running with adblock and have gone to 5 different RPF sections and checked out threads. Haven't seen an ad and haven't gotten any virus warnings.
     
  11. jango5204

    jango5204 Active Member

    Trophy Points:
    361
    I got hit with the windows antivirus scans yesterday on the Toughbook in my cruiser. Had to turn it to I.T.
     
  12. Art Andrews

    Art Andrews Community Owner Community Staff

    Trophy Points:
    5,550
    Do you know the junkyard page you were looking at when you saw this?
     
  13. Art Andrews

    Art Andrews Community Owner Community Staff

    Trophy Points:
    5,550
    Can you give us a link to what you were looking at?
     
  14. Art Andrews

    Art Andrews Community Owner Community Staff

    Trophy Points:
    5,550
    Was this while surfing the RPF?
     
  15. jango5204

    jango5204 Active Member

    Trophy Points:
    361

    Yes. You know, traffic isn't too heavy on Saturday mornings, so I was looking around on RPF in between speeders. Don't remember what thread it was.
     
  16. LeoFirebrand

    LeoFirebrand Active Member

    Trophy Points:
    331
  17. cboath

    cboath Master Member

    Trophy Points:
    3,276
    Just happened to me, yet again, simply by going to the OT. I forgot and used the wrong browser and got hit immediately. Killed it, switched and seems OK with adblock on.
     
  18. cboath

    cboath Master Member

    Trophy Points:
    3,276
    Here's the log I have from AVG. Odd thing is it flagged 3-5 things when I first encountered it, but only logged 1 it seems. Hope they help. Times are central time, too.

    The three AVG has listed in its history since yesterday are:

    Virus found Win32/Cryptor
    "c:\Users\<username>\AppData\Local\Temp\335.8026.exe"
    12/12/2011, 5:13:18 PM
    file C:\Program Files (x86)\Java\jre6\bin\java.exe


    Trojan horse Generic_r.JU
    c:\Windows\System32\consrv.dll
    12/11/2011, 11:14:04 AM
    file C:\Windows\System32\csrss.exe

    Trojan horse Generic_r.JU
    c:\Windows\System32\consrv.dll
    12/11/2011, 11:05:47 AM
    file C:\Windows\System32\csrss.exe
     
  19. pennausamike

    pennausamike Sr Member

    Trophy Points:
    1,046
    I got a virus while on the RPF a couple of days ago.
    Had my Kaspersky off at the time.
    Turned it back on to an infection:
    HEUR:Trojan.Win32.Generic
    which I cannot quarantine because it embedded in the operating system:
    c:\WINDOWS\system32\drivers\i8042prt.sys

    It happened again today, but I was on our newer computer and the Kaspersky caught it.
    I'm not sure where I was when I got the hit,
    because I closed the window when it happened.

    This trojan opens another window; the other one was a pretend virus protection program.
    Sorry if that isn't a helpful description,
    my computer powers are rather minimal.

    Mike
     
  20. Art Andrews

    Art Andrews Community Owner Community Staff

    Trophy Points:
    5,550
    We are trying our best to track this down but haven't been able to replicate it.
     
  21. Mr_Creepy

    Mr_Creepy Sr Member RPF PREMIUM MEMBER

    Trophy Points:
    1,341
    I haven't had anything more pop up since I posted :confused
     
  22. tictoc

    tictoc Well-Known Member

    Trophy Points:
    746
    I am not sure if this is the same one but this virus attack happened when I was looking at the DL-19 blueprints by Wizard of Flight in a resurrected thread in the prop section.

    Norton listed these in the attack(s):
    ursair.com
    malicious toolkit website 9

    mckeld.com
     
  23. The Death Curse

    The Death Curse Well-Known Member

    Trophy Points:
    510
    Not even 10 minutes ago, our other computer was infected with a trojan while I was performing an RPF Search through various sub-forums and checking out random topics. The trojan infection was instantaneous, closing my Mozilla browser and replacing it with a fake virus scan program. Every time I attempted to access Mozilla, the fake scanning program blocked all windows from opening...

    For weeks prior to this, I have been getting Avast pop-ups on this computer while trying to browse any random page on the RPF. I just deny the program from opening and continue about my business. To my knowledge, I have not yet been infected on this PC.

    This is reeeeeeeeally bad, though. I hope you guys can get it fixed quickly.

    Thanks for your time,

    Ryan
     
  24. cboath

    cboath Master Member

    Trophy Points:
    3,276
    I'd seen it a couple times in the past over the last 3ish months. Happened maybe 2 or 3 times, but they were isolated and figure false positive or something. I always closed and returned and nothing ever happened. This last instance though has been about 5 straight days.

    My solution so far has worked: use Firefox and Adblock. With adblock running I haven't seen a warning at all.

    Members see fewer ads, right? I think it's worth noting that no one in this thread who's been affected seems to be a paying member. I'm not implying anything mind you, just my belief that it's related to the ad system somehow.
     
  25. brivette007

    brivette007 Active Member

    Trophy Points:
    341
    Two days in a row now, I got hit with a Trojan from this site. Took me over an hour both times to get it cleaned off.
    Like what The Death Curse said, what happened was my antivirus (Avast) popped up that a threat has been blocked. Then a few minutes later my browser and any open window closed, and a screen that looks just like the Windows Action Center opened up. But it wasn't real--right away it launched a fake antivirus program called Win7 Security 2012, and blocked me from doing anything on the computer. You can't open the start menu or browsers---unless you pay for the 'full version' of the 'antivirus'.
    ....A pathetic scam for money!

    Anyway, I googled the name of the fake antivirus from my phone, and found removal instructions on bleepingcomputer. Just kinda sucked that I had it happen two days in a row.
     
  26. HellsPlumber

    HellsPlumber New Member

    Trophy Points:
    2
    If it helps, after reading through this it seems the viruses are coming from whoever provides the ads to RPF via their img.php file (the file which loads the ads from their server to the forum).

    Best plan of action would be dependent on who provides the ads:

    If the site accepts ads from different content suppliers:
    Block ad providers one by one to find out which one is sending the virus out.

    If the ads are provided by one website/supplier then:
    Temporarily disable ads on the site while the ad provider is informed that they are distributing malicious software and wait for them to fix it.


    Hope this gets sorted soon, a little worrying considering how often I'm here :p
     
  27. Wes R

    Wes R Legendary Member

    Trophy Points:
    6,750
    Sounds like adblockers are the best protection against wherever these are coming from.
     
  28. Clutch

    Clutch Master Member

    Trophy Points:
    3,336
    Or become a paying member.
     
  29. cboath

    cboath Master Member

    Trophy Points:
    3,276
    I figured that would have garnered a comment from above when I mentioned it (paying members not having an issue apparently) before. Even though I know it's not intentional at all.

    Seems clear it's ad related and not the site's fault. However, I find it hard to believe we're the only ones using this ad service that's affected and that no one else seems to be complaining - and by that I mean other sites.
     
  30. Montagar

    Montagar Legendary Member Community Staff

    Trophy Points:
    5,325
    It has to be totally random because we have been hammering away, trying to get something to trigger what some of you are experiencing, and it's just not happening. The links that have been posted do not generate any suspicious behavior, so it could be a combination of things. If it is, it's going to be almost impossible to track down unless we just happen to hit on that exact combination. Believe me when I say that we are extremely frustrated with this, and are continuing our attempts to track this down.
     
  31. cboath

    cboath Master Member

    Trophy Points:
    3,276
    Thanks for the feedback.

    If it helps, I get it running Win7, 64bit Ultimate, IE9, all updates current with an updated AVG 2012.

    Been completely free of it using FF and adblock.

    Are you trying to get it as non-paying members? I'm assuming that staff get full paid privileges (and rightfully so). No one with pay status has reportedly seen anything.

    Perhaps an announcement should be put in the OT or something? I saw it a couple times over the past couple months and didn't post about it til last weekend. At the time I was 80% sure the flags I got were from here but couldn't prove it and didn't want to say so until I was sure. Perhaps alerting the masses more directly can stir up more reports?
     
  32. Mr_Creepy

    Mr_Creepy Sr Member RPF PREMIUM MEMBER

    Trophy Points:
    1,341
    I hadn't had anything pop up recently until this afternoon, and then it was a double hit! I can't remember what thread seemed to trigger it, maybe the OT "funny pics" thread... :unsure
     
  33. IEDBOUNTYHUNTER

    IEDBOUNTYHUNTER Sr Member

    Trophy Points:
    1,355
    I'm still getting hit at work. Was just viewing a thread.

    Al
     
  34. Funky

    Funky Master Member RPF PREMIUM MEMBER

    Trophy Points:
    3,840
    Yup. It took out both my laptops and now I can't access the internet on either one. I'm posting this from my phone. Can anybody help me fix this? Both my computers are pretty worthless right now!
     
  35. Wes R

    Wes R Legendary Member

    Trophy Points:
    6,750
    It's not just us, DeviantArt is spreading trojans like all get out and they're getting past antivirus programs and adblocks.
     
  36. Art Andrews

    Art Andrews Community Owner Community Staff

    Trophy Points:
    5,550
    Yup, we are trying to work with Google on this, but it certainly isn't an issue that is limited to us. It is a general issue spread throughout the internet. Please make sure your AV program is up to date, but even that isn't protecting everyone!
     
  37. Art Andrews

    Art Andrews Community Owner Community Staff

    Trophy Points:
    5,550
    One thing that would help is if you see a virus threat pop up, don't leave the page, but snap a screen cap of the ad at the top and bottom of the page. This might help Google nail this down more quickly.
     
  38. Wes R

    Wes R Legendary Member

    Trophy Points:
    6,750
    My friend just dropped AVG as it didn't stop anything and these viruses seem to love Firefox. I'm running maintenance on all our comps again tomorrow to be safe but so far Norton's doing a good job.
     
  39. Mr_Creepy

    Mr_Creepy Sr Member RPF PREMIUM MEMBER

    Trophy Points:
    1,341
    I just spent the last hour sorting out a winupd.exe file; all the info I could find was older, but I eventually ran Malwarebytes and it cleaned up (as far as I can tell :unsure).
     
  40. Roland

    Roland Master Member RPF PREMIUM MEMBER

    Trophy Points:
    2,516
    Running antivirus software in the background while surfing is always a good idea. But why do you guys surf the internet without being in a sandbox with your browser? If you don't know what it is, look here: http://en.wikipedia.org/wiki/Sandbox_(computer_security).

    Install such a program and you will always sleep well in the future. It's safer than any antivirus program. A possible virus always infects your current sandbox and never your real system. You just have to delete the sandbox and start a new one and your system is clean again. Sure, downloading files is a bit awkward in a sandbox, because after a download you have to copy manually any downloaded file from the sandbox folder into your real folder. You have to do it outside the sandbox with your Windows Explorer and you have to do it before you delete the current sandbox next time. But it's worth it, believe me!

    I'm running the program "Sandboxie".
     
  41. brivette007

    brivette007 Active Member

    Trophy Points:
    341
    When yours got hit, did it bring up a fake antivirus called 'win7 security' or something like that? That's what happened to me. I followed these instructions from my phone:
    Remove Win 7 Antispyware 2012 and Vista Antivirus 2012 name changing rogue (Uninstall Guide)

    After you do this, I recommend keeping Malwarebytes installed, as every time I visit the forum (and some other forums), those ads try to infect my computer again. Malwarebytes seems like it is keeping everything at bay.
     
  42. Funky

    Funky Master Member RPF PREMIUM MEMBER

    Trophy Points:
    3,840
    Okay, that fix worked! So when is it safe to normally climb back on the RPF?
     
  43. cboath

    cboath Master Member

    Trophy Points:
    3,276
    Use an ad-blocker. I've not seen anything since switching to FF and using adblock.
     
  44. Mr_Creepy

    Mr_Creepy Sr Member RPF PREMIUM MEMBER

    Trophy Points:
    1,341
    Oh goody; last night and tonight I'm getting new messages... info bar pops up saying that IE has "modified the page to prevent cross-scripting". :confused

    Only getting it here, and just occasionally. I usually have several tabs open at once, and once I get that message in a tab, it comes up every time I go to another page with that tab. Other tabs are normal :rolleyes
     
  45. Gary Weaver II

    Gary Weaver II Sr Member RPF PREMIUM MEMBER

    Trophy Points:
    2,000
    Our home PC just got nailed with this goofy thing while I was surfing the RPF. Malwarebytes and a system restore, here I come.

    Gary
     
  46. Wes R

    Wes R Legendary Member

    Trophy Points:
    6,750
    Is there a way to shut the ads down until google gets this fixed?
     
  47. jcoffman99

    jcoffman99 Sr Member RPF PREMIUM MEMBER

    Trophy Points:
    2,466
    Anybody else getting hit with viruses from the ads?

    I keep getting Norton messages about viruses from the various ads that pop up from the top of the forum. It will let me know it blocked it and then the ad box at the top of the forum stays blank. My home pc is blocking them, but I got hit at work the other day with a Google hijack and it took me two days to fix it. Can we please ditch them? Thanks,
    John
     
  48. StevenRogers84

    StevenRogers84 Sr Member

    Trophy Points:
    1,830
    Re: Anybody else getting hit with viruses from the ads?

    Jedified, there is a two-page thread about this very issue. :)


    Odd...was this thread combined with the other one?
     
    Last edited: Dec 26, 2011
  49. Gary Weaver II

    Gary Weaver II Sr Member RPF PREMIUM MEMBER

    Trophy Points:
    2,000
    I'm just going to surf the rpf from my iPad now. This is the second or third time I've had this happen on the rpf since they started with revenue ads. Visiting this site shouldn't have to be a crap shoot.
     
  50. jcoffman99

    jcoffman99 Sr Member RPF PREMIUM MEMBER

    Trophy Points:
    2,466
    Re: Anybody else getting hit with viruses from the ads?

    Can I use my eight week old as an excuse? Just this once? :). Thanks.
     
