# Virus?



## Buzz (Jan 26, 2008)

Hi,
On a number of occasions, when logging on to the forum, I have had a message appear at the top of the screen saying:

"this website wants to run the following add-on's: 'Remote Data Services data Control' from Microsoft Corporation. If you trust this website and the add-on and want to allow it to run, click here...."

The forum then locks itself out for about 60sec.

I haven't clicked to run it.

If you google the name of the add-on, it appears to be a keylogger virus that installs itself on the forum server.

Has anyone else seen this?

Regards
Buzz


----------



## Noxx (Jan 26, 2008)

Try cleaning up your cookies.


----------



## Buzz (Jan 26, 2008)

I'll give it a go, must be my end if no one else is seeing the message.
Cheers Noxx
Buzz


----------



## aflacglobal (Jan 26, 2008)

Nope. Haven't seen that one.


----------



## allanwcoty (Jan 26, 2008)

I've had the same message but tend to ignore such things until I understand them; I try never to open something I don't understand. Seemed to show up on mine when the advertising for Firefox showed up. Allan


----------



## skyline27 (Jan 26, 2008)

I am getting a Firefox message on the top of the screen. I scroll down the page and it jumps back to the top. What's the deal?


----------



## loco (Jan 26, 2008)

no issues here


----------



## Noxx (Jan 26, 2008)

Well the ad is from me but I didn't implement any virus... It's maybe in the code...

Steve, do you have any idea how to «scan» the code of my overall_header page to see if there is any malicious code?

Thanks


----------
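
Added example, not part of the original thread or the forum's own code: one way to audit a template such as overall_header for content it should not be loading, assuming Python 3 and that the forum's own domain is the only host the template should fetch from. The sample template, the host `injected.example` and the names `audit_template` and `TemplateAuditor` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only hosts this template is expected to load content from.
ALLOWED_HOSTS = {"goldrefiningforum.com", "www.goldrefiningforum.com"}
# Tag -> attribute that makes the browser fetch remote content on page load.
FETCH_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OBFUSCATION = re.compile(r"\bunescape\s*\(|\beval\s*\(|String\.fromCharCode", re.I)

# Constructed sample: a phpBB-style header with two unexpected additions.
SAMPLE_TEMPLATE = """<head>
<script src="{T_TEMPLATE_PATH}/forum_fn.js"></script>
<script src="http://www.goldrefiningforum.com/js/menu.js"></script>
</head><body><!-- IF S_USER_LOGGED_IN -->Welcome<!-- ENDIF -->
<iframe src="http://injected.example/x.html" width="0" height="0"></iframe>
<script>document.write(unescape("%3Cb%3E"));</script>
</body>"""

class TemplateAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.in_script = [], False   # findings: (line, kind, detail)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.in_script = tag == "script"
        url = a.get(FETCH_ATTRS.get(tag, "")) or ""
        host = (urlparse(url).hostname or "").lower()   # also covers //host/path
        if not host or host in ALLOWED_HOSTS:
            return                                      # relative or expected host
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or bool(HIDDEN_STYLE.search(a.get("style") or "")))
        kind = "hidden-external" if hidden else "external"
        self.findings.append((self.getpos()[0], kind, f"{tag} -> {host}"))

    def handle_endtag(self, tag):
        self.in_script = False

    def handle_data(self, data):
        # Inline script bodies: flag decode-and-write patterns for manual review.
        m = OBFUSCATION.search(data) if self.in_script else None
        if m:
            self.findings.append((self.getpos()[0], "inline-obfuscation", m.group(0)))

def audit_template(text):
    auditor = TemplateAuditor()
    auditor.feed(text)
    auditor.close()
    return auditor.findings
```

A finding is a prompt to read that line of the template, not proof of compromise; comparing the file against a clean copy of the same phpBB release is the stronger check.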



## lazersteve (Jan 27, 2008)

The Firefox banner is all I've seen that's new. It's so big it's kind of obnoxious in my opinion.

I'm not getting any kind of threat alerts when I login to the forum.

Are you guys starting from 

http://goldrefiningforum.com 

or 

http://goldrefiningforum.com/phpBB3

The second link should skip the entry welcome page that in the past has set off my virus alerts (but not the last time I checked it).

If you guys have more details (screen shots, exact message screen, etc.) that would be helpful.

Steve


----------



## P_CARROLL (Jan 27, 2008)

Same thing happened to me. RAM goes to 100% usage, which is 2 gig, and the computer locks up. Pain in the butt. Seems to come from didgitsandletters.com according to the info at the bottom of the page while it is attempting to load. Already notified Noxx about it; hope he can fix it.


----------



## Buzz (Jan 27, 2008)

Hi Steve,

My shortcut to the forum uses the:

http://goldrefiningforum.com/phpBB2 

Link.

Strange thing is, I'm only getting the message if I log on after being away for a few days.
It doesn't show up if I'm here each day.

Very odd!

Regards
Buzz


----------



## lazersteve (Jan 27, 2008)

All, 

I accidentally clicked on the Firefox banner at the top of the Forum and BAM!!! the virus showed up. 

Noxx, you may want to check the banner you posted or its associated download source.

Can anyone else verify the FF banner produces a "virus found" alert and redirects you to Google's Toolbar page (expected)?

Steve


----------



## Gotrek (Jan 28, 2008)

My McAfee vshield also flags a virus or bad code when clicking on the Firefox banner

1/25/2008	10:18:13 AM	Script execution blocked sbrowser.exe	Script executed by sbrowser.exe	VBS/Psyme (Trojan)

sbrowser being the web browser I'm using.


----------



## Noxx (Jan 28, 2008)

I'll look into the code... But it's strange because the code was given by google...


----------



## Gotrek (Jan 28, 2008)

The code may be fine and so may the link but the formulation of the code probably mimics the code of a known virus.


----------



## Gotrek (Jan 28, 2008)

I just got it again 3 times in a row just loading the forum. Two different code exploits.

1/28/2008	4:12:55 PM	Script execution blocked USER	sbrowser.exe	Script executed by sbrowser.exe	Exploit-MS06-014 (Trojan)
1/28/2008	4:12:55 PM	Script execution blocked USER sbrowser.exe	Script executed by sbrowser.exe	JS/Exploit-BO.gen (Trojan)


I think I remember reading about a bad piece of code in phpBB generating false positives in some antiviruses.


----------



## Anonymous (Jan 28, 2008)

I have also gotten the message about wanting to run an add-on. Also,
have had probs with my computer crashing lately when I access the forum, but not every time. I just thought it was my oldish computer.

Jim


----------



## P_CARROLL (Jan 28, 2008)

Here is a screen shot of what happens when I get it; it sucks up almost all of my 2 gigs of RAM. It's only on the main page and index page, not in any of the individual topics sections.


----------



## aflacglobal (Jan 28, 2008)

UPDATE. 

Aflac !!!!!!

I've been hit. Mayday Mayday. The duck's going down. Mayday Mayday. I've been hit.

Got me somehow. :? 
I get a redirect to digitsndletter.com. I chased that dam virus around my system for 8 hours trying to get it out.

Thank god for reformatting. :wink: 

I'm all for killing the fox fire add on thingy. :evil:


----------



## Absolutsecurity (Jan 28, 2008)

I hit the Firefox banner and downloaded Firefox - I hope I didn't get a bug other than THE GOLD BUG!!!!!!!!!! LOL!

Gonna do a full sys scan anyway!

Glynn


----------



## AKDan (Jan 29, 2008)

It is a trojan called Downloader that everyone is seeing. It is a file that embeds in your local computer, and then goes out to mapped sites and downloads others to install with itself.

It locked up my machine a few minutes ago and my virus software removed 8 copies from my machine. The reason it locked up is that as one copy was being removed, another was being put on. Kind of a cycle of full CPU activity.

I had to shut the machine down and reboot to let it catch up and finally get rid of all instances.


----------



## aflacglobal (Jan 29, 2008)

If it binded and melted on install chances are it may have your AV disabled and you will never know it. Try going to this site and running an online scan. Once it loads a list of the known viruses it will tell you if you have one even before it scans to find the virus. It will tell you update has failed.

Then if it runs a scan it still will not find it but it is still there.

http://www.bitdefender.com/scan8/ie.html

They also have uninstallers for everything from a-z http://www.bitdefender.com/site/Downloads/browseFreeRemovalTool/


----------



## Platdigger (Jan 29, 2008)

So, what say Noxx? Would you remove the Firefox thingy if we say "pretty please"?
Randy


----------



## lazersteve (Jan 29, 2008)

I vote to burn the blasted thing!!!

It froze my system while McAfee Enterprise cleaned the trojan and stopped the script.

The banner appears with a delay after the main Forum page loads, by the time I click on a forum link the banner appears where I was clicking and I click the banner instead, really annoying!!!


Steve


----------



## Shaul (Jan 29, 2008)

You've got my vote. I already have Firefox so I don't go near it. Besides, it's readily available elsewhere for whoever wants it and furthermore, everyone's already seen the blasted thing... How could you not? No matter what I click on, the ad comes up first. It also does weird things to my screen.

If we want/need advertising, then let's create an advertising section and confine it there.

Just my thoughts.

Shaul


----------



## Absolutsecurity (Jan 29, 2008)

My puter's gone mad, CPU is maxed out and HD is clicking away - can't seem to clean it up either! F&^%!!!!!!!!!!!!

G


----------



## Absolutsecurity (Jan 29, 2008)

How much gold is in a late model AMD?????????

That's where this is going to end up! IN ACID!

LOL!

G


----------



## Noxx (Jan 29, 2008)

Alright then... 8) 

I'll remove the code tonight when I come back from school.


----------



## Irons (Jan 29, 2008)

My iBook is purring away just fine.

I walked away from Microsoft several years ago.


----------



## Gotrek (Jan 29, 2008)

Yeah, the virus warning comes when the site

digitsndletters.com fetches the following /check/n14046.html (probably random numbering)

I don't think it's from the Firefox ad since that ad had already loaded on my system.


----------



## skyline27 (Jan 29, 2008)

Can you get this virus without clicking on the ad? I never clicked on it. Both of my computers are going mental.

Why is this ad still here?!?!


----------



## Gotrek (Jan 29, 2008)

skyline27 said:


> Can you get this virus without clicking on the ad? I never clicked on it. Both of my computers are going mental.
> 
> Why is this ad still here?!?!



I'm still not sure it's the ad, and the answer is yes. When the forum loads, randomly a connection is made to digitsndletters.co. That's where it's coming from.

Mind you, looking at the source I see the script used is from explorerdestoryer.com; we block those guys at work because they use adsense and all sorts of crap comes through adsense.


----------



## Buzz (Jan 29, 2008)

If you google round the net about this problem, it all seems to point to the server that hosts the forum. It appears that the server itself has become infected.

Maybe someone ought to give those guys a shout?

Buzz


----------



## jimdoc (Jan 29, 2008)

I agree, because I was getting trojan horse downloader
warnings before the firefox banner. The address line said
itnotjoke.com when it was locking up my computer. Now
I am getting the same thing everybody else seems to be
getting.
Jim


----------



## aflacglobal (Jan 29, 2008)

Here's what the ad at the top of the page says >>>

We see you're using Internet Explorer. This website is optimised for Firefox.  ( Really )

· Firefox blocks pop-up windows. ( well if it did I would not be seeing that blasted banner ad on top then )
· It stops viruses and spyware. ( Nope, they missed that one too )
· It is user friendly. ( Strike three, you're out )
· Features like tabbed browsing make reading webpages easier. ( Well, 1 out of 4 ain't bad I guess )


----------



## Noxx (Jan 29, 2008)

I removed the ad. Is it OK now?

I hope the server isn't infected but I think it's the case...


----------



## aflacglobal (Jan 29, 2008)

Ad freeeeeeeeeeeeeeeeeeeeeeee.

:wink: :wink: :wink:


----------



## Noxx (Jan 29, 2008)

OK fine... 

And now, what about the virus problem?


----------



## AKDan (Jan 29, 2008)

Still seeing indications that there is an issue. Something tries to throw a window, and change the focus to the new window when logging on.


----------



## Buzz (Jan 30, 2008)

Hi Noxx,

I got it again this morning (UK Time).
That was after the ad had gone.

Buzz


----------



## Noxx (Jan 30, 2008)

Alright, I'll contact MaiaHost to ask them how to remove the virus.


----------



## markqf1 (Jan 31, 2008)

It seems to lock my machine up the first time I log on each day.
I never have clicked on the banner.


----------



## lazersteve (Jan 31, 2008)

All,

Try going to 

http://www.goldrefiningforum.com/phpBB3/index.php

instead of

http://www.goldrefiningforum.com/phpBB3

I've found that the virus won't show up if you bypass the base URL.

You'll need to replace any existing shortcuts/favorites to the second link with a new shortcut to the first link.

Let me know what happens.

Steve


----------



## ChucknC (Jan 31, 2008)

It got me today. I'll try the other url and see what happens.


----------



## jimdoc (Jan 31, 2008)

Steve,
I changed my favorite link like you suggested,
and it still locked up. It still says google syndicate
when opening, I think that may be the problem?
I also got the digits thing still also. 
Jim


----------



## Shaul (Jan 31, 2008)

If I try to log in through 'Internet Explorer' (IE) everything locks up, which is really aggravating especially if I have a couple other windows open at the same time. I need to X out of everything together.

What works for me is getting in through email. I clicked 'watch topic' for a couple of active threads, so that at any one time I'll receive one or more 'reply notification notices'. Clicking on the link within the email takes me directly to the login window and then into the forum.


Shaul


----------



## markqf1 (Jan 31, 2008)

It only does it the first time you try to log on everyday.


----------



## Ian_B (Jan 31, 2008)

Does the same thing for me.

The first time I came here yesterday and today it locked my computer up using all of my memory. Then pressing Ctrl-Alt-Delete makes a window with the forum's name and (Not Responding). Then if I don't end the task (close the page with the forum on it), an error page comes up and asks me if I want to send a report or not, with the option of restarting Internet Explorer.

Mind you, I am using a POS computer running Windows 98 that should be in the acid bath lol

Yesterday it happened on the domain's index page goldrefingingforum.com 

and today on the phpbb2 extension.

Definitely time to use your technical support clause.


----------



## AKDan (Feb 1, 2008)

Discovered: June 8, 2001
Updated: February 13, 2007 11:50:11 AM
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP



Downloader connects to the Internet and downloads other Trojan horses or components.

Note: Virus definitions dated June 1, 2006 or earlier may detect this threat as Download.Trojan. 
Protection
Initial Rapid Release version June 11, 2001 
Latest Rapid Release version January 18, 2008 revision 040 
Initial Daily Certified version June 11, 2001 revision 007 
Latest Daily Certified version January 31, 2008 revision 023 
Initial Weekly Certified release date June 13, 2001 

Threat Assessment

Wild
Wild Level: Low 
Number of Infections: 0 - 49 
Number of Sites: 0 - 2 
Geographical Distribution: Low 
Threat Containment: Easy 
Removal: Easy 

Damage
Damage Level: Low 

Distribution
Distribution Level: Low 

Writeup By: Gor Nazaryan


----------



## Noxx (Feb 1, 2008)

Yes, I've contacted Maiahost.
They are currently trying to find a way to remove the trojan horse.


----------



## aflacglobal (Feb 1, 2008)

Dam @%%##%#%^&&*&^

Had to reformat again. Well, it's time for kitty to play this game too.

I am going to set my laptop up again and this time with no A.V. / No firewall / No service packs. I'm going to throw the dam thing a fish.

Here kitty kitty, here kitty kitty. 

I'm going to zip a file and call it something good. Like maybe credit card numbers or bank info, something like that. Something that might draw attention.

Inside the file will be a copy of a file that will kill the hard drive and erase the BIOS. See how the sucker likes that one. Once you run it, it's too late. :shock: 

I found a key logger in mine so everyone might want to change passwords to be safe till we figure out where this thing is coming from or who ????

Oh, and by the way i won't be using my Aflac account to surf the forum with, so if you are watching, well good luck.

I'm going to go thru here picking up viruses like a flea on a duck.

Bring it on.


----------



## Noxx (Feb 1, 2008)

Hello guys,
The bad code is supposed to be removed.
Anyone experience any more problems?


----------



## Buzz (Feb 1, 2008)

Hi Noxx,

Haven't seen it for 24Hrs now
So far, so good

Buzz


----------



## jimdoc (Feb 1, 2008)

Noxx,
Looks good so far.
Thanks for fixing the problem,
it was really getting bad.
Jim


----------



## aflacglobal (Feb 1, 2008)

Just my luck. I get a chance to play and they take it away.


----------



## markqf1 (Feb 2, 2008)

It seems to be back to normal.
Thanks!


----------



## aflacglobal (Feb 2, 2008)

Yes ! Normal again.


----------



## Noxx (Feb 2, 2008)

That's great 8)


----------

