Hooray Virus from guru's ads
stretchs
I would like to warn everyone that there are unfortunately viruses being transmitted from Guru's ads. Thankfully I have some antivirus that stopped them; there was indeed a trojan transmitted from one of them. I know Guru doesn't have direct control over them, as most of the time these ads are farmed out to outside companies, but everyone be aware that this is an issue. ie.exe was placed onto my computer, as well as a couple of other files that were quarantined.
Dralspire
Thank you for your report. Could you please provide further details, e.g. which page, which ad, which virus.
stretchs
I know it was from Guru, because I had only connected to that page today, and the popup happened then: BLAMO, virus found. At that point I shut down my net connection, went through and started a full system scan. I ended up getting 4 files quarantined for virus issues. I have my PC scan every morning at 2am as well as update defs.
If any of the staff would like to contact me more about the file names, I am more than welcome to assist.
PS hiding it here does no good for others to keep an eye out for it
stretchs
The actual ad locked up before it loaded. I have since cleaned out all my net history/cookie/temp files.
The files were id'd as
Trojan horse BackDoor.Generic9.AHXS - clbdriver.sys
Trojan horse Generic10.JEM - ie.exe
Win32/PolyCrypt - index[1]
El Presidente
Quote:
Originally Posted by stretchs
The actual ad locked up before it loaded. I have since cleaned out all my net history/cookie/temp files.
The files were id'd as
Trojan horse BackDoor.Generic9.AHXS - clbdriver.sys
Trojan horse Generic10.JEM - ie.exe
Win32/PolyCrypt - index[1]
Getting the same ones and not sure (yet) which ad it's from... but it's from this site as I'm on no other tonight.
Inde
Everyone, we need a url, or what the ad is... something. Anything. A screenshot. Looking into it ASAP but I haven't had the ad come up so I have no way of knowing which one exactly might be doing this.
madmax0877
Forbidden, this page (http://www.searchfeed.com/rd/Clk.jsp...87536&snid=143) is categorized as: Spyware. If you feel that access to this web site is necessary in the performance of you job duties please contact you IASO. Your IASO can request the DOIM unblock this site.
^^ Surfing at work on a government computer gave me this on a pop up window. (I know it says spyware, but I've never had a pop-up disabled before)
Hope it helps!
CE Devilman
Nasty one... got NOD32 to stop it downloading more spyware
and ComboFix to clean it out (+ Spyware Doctor)
http://www.bleepingcomputer.com/comb...o-use-combofix
It bypassed my Ad-Aware 2008.
Inde
We've notified the company that serves our ads of this. Thank you!
El Presidente
Inde (and all others)... if it helps, my anti-virus program blocked/healed the three I mentioned above; however, Win32/PolyCrypt is also showing on several sites (I googled it) as a "false positive" that wasn't anything to worry about. I haven't had any more probs since posting and have since switched my AVP, with none detected thus far.
Roguish Seraph
Quote:
Trojan horse Generic10.JEM - ie.exe
Win32/PolyCrypt - index[1]
Interesting that I finally found this now. I actually had a virus attack my computer the same day that the OP posted this thread. My computer is currently on lockdown, and I honestly can't do anything with my computer because of this virus.
Very nasty thing.
It was kind of too late for me, but glad that this was brought attention to.
Inde
Well, considering that I can't find information on any of the supposed viruses (looked through DBs and googled) and that Win32/PolyCrypt is a false positive, I really have to wonder if it even did anything. Spyware... probably. But I don't think any of these were actual viruses that infected anyone's computers to that degree, Roguish Seraph.
Queen Kitiara
I have found the ones that have actually caused problems for me are ones that you don't find in Google - as in, they are not a defined virus but rather a trojan that came with spyware (which I find just as bad and annoying as viruses, because they are still leeching and lagging my comp). It is those things that let the trojan slip in to become the backdoor to every random virus that can be detected and let them in... that's the annoying part - you can deal with the viruses, but the onslaught of them is a major pain in the butt.
melissa b
Yeah, it's a very bad malware trojan. Acquired from Guru popups or ads.
It's very bad and even operates in Safe Mode.
What it does...
Edits the registry to disable Task Manager
Edits the registry so the association for .exe is changed, so any program that ends in .exe activates the malicious program and you can't use any .exe program
Takes over the desktop with a link to a pretend fix
Takes over the taskbar with a balloon icon for a fake fix
Infects wininet.dll
Operates a DLL as an EXE
Exploits the System Volume Information folder to reinfect every hour or so
Exploits the language bar
Tracks all keystrokes
Searches the hard drive
Opens Internet Explorer repeatedly
Sends all information to criminals
VERY BAD BAD BAD BAD.............. BAD BAD BAD
The solution is complicated, but involves Safe Mode, manually editing the registry,
bringing certain files from a Windows directory on a non-infected PC to the infected one, ending tasks, and running spyware removal programs.
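The lockdown behaviour listed above (Task Manager disabled by policy key, the .exe association hijacked so every program launch runs the malware first, wininet.dll replaced) can be checked mechanically rather than by guessing. The PowerShell below is an added example, not from this thread or from any of the tools named in it; the -Repair switch and the report format are my assumptions, and the registry paths are the standard Windows locations for those settings.

```powershell
# Added triage script for the lockdown indicators described in the post above.
# Not from the thread; -Repair and the output format are assumptions.
# Run from an elevated PowerShell prompt (works in Safe Mode too). Get-FileHash needs PS 4+.
[CmdletBinding()]
param([switch]$Repair)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Policy values that rogue software sets to lock the user out of Task Manager / regedit.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $val = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($val -eq 1) {
            $findings.Add("$key\$name = 1 (locks the user out)")
            if ($Repair) { Remove-ItemProperty -Path $key -Name $name -Force }
        }
    }
}

# 2. The .exe launch command. A clean system has exactly: "%1" %*
#    Anything else (a dropper path, a DLL run through rundll32, ...) means every
#    program the user starts is proxied through the malware first.
$exeKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$cmd = (Get-ItemProperty -Path $exeKey -ErrorAction SilentlyContinue).'(default)'
if ($cmd -ne '"%1" %*') {
    $findings.Add(('exefile open command is [{0}] (expected "%1" %*)' -f $cmd))
    if ($Repair) { Set-ItemProperty -Path $exeKey -Name '(default)' -Value '"%1" %*' }
}

# 3. Per-user overrides of the same association. These keys normally do not exist,
#    so their mere presence is worth a look (heuristic, not proof of infection).
foreach ($userKey in 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile') {
    if (Test-Path $userKey) {
        $findings.Add("unexpected per-user association override: $userKey")
        if ($Repair) { Remove-Item -Path $userKey -Recurse -Force }
    }
}

# 4. wininet.dll integrity. On Windows 8 and later system DLLs are catalog-signed and
#    Get-AuthenticodeSignature reports Valid; on Windows 7 and older the same file shows
#    NotSigned, so there compare the SHA256 against a known-good copy or run sfc /scannow.
$dll  = Join-Path $env:SystemRoot 'System32\wininet.dll'
$sig  = Get-AuthenticodeSignature -FilePath $dll
$hash = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
if ($sig.Status -ne 'Valid') {
    $findings.Add("wininet.dll signature status: $($sig.Status) (SHA256 $hash)")
}

if ($findings.Count -eq 0) {
    Write-Output 'No lockdown indicators found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
    if (-not $Repair) { Write-Output 'Re-run elevated with -Repair to reset the registry values.' }
}
```

Two caveats a practitioner would add. First, resetting the values is pointless while the dropper is still running; the post above says it reinfects from System Volume Information on a timer, so kill the process (or boot to Safe Mode) and remove the dropper before repairing, then re-run the check. Second, "bring files from a clean PC" is what sfc /scannow does in a supported way, and once an unsigned system DLL and a rootkit are in play, the reformat that several posters ended up doing is the safer outcome anyway.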
Inde
And as you can tell, we dealt with it swiftly and there has been no incident of it happening again. And no, we don't even know if it actually infected anyone or what virus it may have been, since some of them are coming up as false positives. If you could provide more information, melissa, on which particular virus you believe may have done this, perhaps that would be more informative. But it definitely leads me to believe that the information you posted isn't really attributable to the above viruses, considering that other users above you have said a simple scan with their anti-virus removed this and it has not popped up again. I really don't believe the viruses listed are any more than spyware, and they certainly aren't doing what you detailed, as I have been speaking thoroughly with people who know their systems and what was on them before this happened.
melissa b
My System was more vulnerable since I had nothing in place to protect it....no anti-virus or windows updates or anything except a firewall.
OK, here are some names listed by AVG:
Trojan horse Generic 10.QTX
Trojan horse Downloader.Generic7.JLL
Trojan horse Generic 10.QGO
Trojan horse SHeur.BHLN
Adware Generic2.TQI
Trojan horse Generic 10.JEM
Virus Found Win32/Heur
Adware Generic2.STX
Virus Found Win32/PolyCrypt
Spybot Search and Destroy
Found a Smitfraud variant, but I don't have the log.
How I know it was caused by Guru popups:
I was navigating Guru when I changed pages; suddenly my Internet Explorer closed and my firewall went crazy with tons of new programs I don't have trying to access the internet. With each reset of my computer it just became more and more locked down.
At least it was an educational experience.
Snograt
Virus advice from somebody called Melissa?
Hmm...
Detis Zan
I'm Roguish's bf and I looked at her comp for over an hour, and everything melissa b explained is there. Given I'm not great at handling viruses (my comp is free of them), I had a pain of a time dealing with it. I don't think anybody has 'proof' of the virus/spyware/trojans, because those who have it are infected right away and CAN'T tell if they're locked down, and those with pop-up blockers and protected comps wouldn't even know the difference.
To note Roguish's comp is still down and locked up from internet, task manager, background desktop, and overall the IE pop ups (spamming a window per second) has made it really difficult to deal with.
Edit: Just did a System Restore about a week before the comp got lockdown and everything is up and running, now to use some programs to clean it up. (Do system restore in safe mode of course)
Malice Black
Just reformat. It's the only 100% way of getting rid of viruses.
Mr Greenjeans
Getting the same as the others above, as far as the popups go, and at first they were being blocked; gonna do virus scans after I post this. Not sure which ones were being blocked as I don't pay them too much mind, that is, they were blocked, I close them out without checking to see what they were, but I did notice this one that was having a hard time loading: cdn5.Tribalfusion.com, when I logged into Guru a few minutes ago. Hope this may be of some help.
Yes... my scans came back clean, and I have not had any ill effects on my comp, or in game. One ad that was being blocked every time was http://adserving.cpxinteractive.com. These start trying to load as soon as I log into Guru, and try to reload every time I move to a different section of your site here. I googled these, and from what I saw in some of the links given by Google they are bad and should be blocked. There are other links/ads that try to load or do load, but are too fast for me to catch and write down. I hope this may be of more help, and I'll try and see what else is loading and send you any info I can find. Also, I have Guru as my home page and am always logged into the site, and at first I did get the popups, but now I am not, but I am getting an error message when I try to actually log out of Guru. I've also noticed that some ads are now displaying gold-selling sites.
Inde
Greenjeans, I can't tell from the information you have listed whether you were affected. An ad having a hard time loading doesn't really point to anything, so let me know if something pops up, but this doesn't sound related.
CE Devilman
still got a clean pc...
Malice Black
No problems here thanks to being a l33t guru sign up now!
Free advertising for ya, boss
Cartoonhero
Yeah, just got rid of this on my comp, had to reformat. I had no virus problems until yesterday, when I visited Guru and got popups for the first time in a year (I've been out of the game for a bit); then all the things described in the earlier post happened to my computer. I wish I would have been more diligent in figuring out which popup it was... to prevent more people from having to reformat ><
Stuart444
Every time I go to a new page on Guru I get this
http://img225.imageshack.us/my.php?i...rusguruqw0.jpg
anyone else had something like this? A bit worried since it didn't show this earlier at all.
Traveller
Gonna bump this one. I've been getting a few "Threat detected" messages today from the GWG site (using AVG 8.0). It's apparently in Opera's cache and the threat name is "Virus found Exploit". I first thought it was something with Opera, but then again, this is the only site which gives the threat message, even after a new Opera version install.
Getting several of these messages now as I browse the site in Firefox & Opera.
Free Runner
Yeah, I keep getting "Threat Detected" with AVG 8.0. It happens every time I open something on Guru, be it threads or the main index page. A message also appears at the top telling me the site wants to run something.
Inde
Yes I know, me as well. Looking into it as we speak.
Inde
All right, it's been removed. Thank you for the screenshots and heads up.
Sable Wood
Looks like it's happening again. Every page I load, Avast warns me about the same trojan.
Malice Black
I just got hit with a trojan too, wasn't logged on so obviously one of the ads.
The address if it helps any - www.yilu777.com/down/index.htm
It was the flashing 999,999 visitor ad.
kzap
Removed again; we're being hacked by Chinese hackers. It's happening to us and a lot of MMO sites.
AsyaMordina
I'm glad to see that this was taken care of; however, it was too late for me. The virus actually ended up disabling Symantec Antivirus and installing a rootkit, which could not be removed by 3 different antivirus programs (according to the IT department). The solution was to reformat. I hope steps were taken to prevent this issue going forward, as Guru is of benefit to the community and I wouldn't want to see its image tarnished.
Age
Interesting. I guess this is where my 2 trojans came from, as the date matches the time. This is on my older machine, by the way, with Windows now broken; I lost most of my admin rights as well as my drives. Tarun was trying to help fix it. Windows needs to be rebuilt. My antivirus was set to run at 4am when my system is off. I now just let it run.
pop up ads are bad.
http://www.guildwarsguru.com/forum/s...php?t=10309805
BabyJ
This is the exact reason I am now going to have to reformat. UGH!
I've tried everything imaginable to get rid of it, but nothing has worked so far.
On the plus side, I will be taking measures to ensure I won't lose my comp to a reformat, and it's getting upgraded with Vista Ultimate. But at the moment it's shut down for repairs and I'm back on my old comp.
I'm sure there's only so much that can be done, but is there any way to keep these viruses from coming through the site? This is the 2nd time I've had to reformat because of spyware/a virus from this site.
kzap
Hi, we've done our best to prevent them, but there are lots of ways viruses can get onto your computer, and not only on our site. It's best to run an anti-virus program that works well.
BabyJ
I do run an anti-virus. I'm not a computer genius, but I do know enough.
Age
Turn off pop-up ads and let only Google ads display, like the ad on top of the board. Most comp techs say to avoid a pop-up ad site; even ISPs and web designers say to avoid them.
Unlucky Slayer
Kattar
No Age, they say don't CLICK on them or give them information, etc, etc, etc. Having them on the page isn't normally the problem.