I would like to warn all that there are unfortunately viruses being transmitted from guru's ads. Thankfully I have some antivirus to have stopped them, there was indeed a trojan transmitted from one of them. I know guru doesn't have direct control over them as most of the time these ads are farmed out to outside companies, everyone be aware that this is an issue. ie.exe was placed onto my computer as well as a couple other files that were quarantined.
Hooray Virus from guru's ads
I know it was from guru, because I had only connected to that page today, and the popup happened then, BLAMO virus found. At that point, I shut down my net connection, went through and started a full system scan. I ended up getting 4 files quarantined for virus issues. I have my pc scan every morning at 2am as well as update defs.
If any of the staff would like to contact me more about the file names, I am more than welcome to assist.
PS hiding it here does no good for others to keep an eye out for it
Quote:
Originally Posted by stretchs
The actual ad locked up before it loaded. I have since cleaned out all my net history/cookie/temp files.
The files were id'd as
Trojan horse BackDoor.Generic9.AHXS - clbdriver.sys
Trojan horse Generic10.JEM - ie.exe
Win32/PolyCrypt - index[1]

Getting the same ones and not sure (yet) which ad it's from...but it's from this site as I'm on no other tonight.
Forbidden, this page (http://www.searchfeed.com/rd/Clk.jsp...87536&snid=143) is categorized as: Spyware. If you feel that access to this web site is necessary in the performance of you job duties please contact you IASO. Your IASO can request the DOIM unblock this site.
^^ Surfing at work on a government computer gave me this on a pop up window. (I know it says spyware, but I've never had a pop-up disabled before)
Hope it helps!
Inde (and all others)...if it helps, my anti-virus program blocked/healed the three I mentioned above; however, the Win32/PolyCrypt is also showing on several sites (I googled it) that it's a "false positive" and wasn't anything to worry about. I didn't have any more probs since posting and have since switched my AVP with none detected thus far.
Quote:
Trojan horse BackDoor.Generic9.AHXS - clbdriver.sys
Trojan horse Generic10.JEM - ie.exe
Win32/PolyCrypt - index[1]

Interesting that I finally found this now. I actually had a virus attack my computer the same day that the OP posted this thread. My computer is currently on lock down, and I honestly can't do anything with my computer because of this virus.
Very nasty thing.
It was kind of too late for me, but glad that this was brought attention to.
Well, considering that I can't find information on any of the supposed viruses (looked through db's and googled) and that Win32/PolyCrypt is a false positive I really have to wonder if it even did anything. Spyware... probably. But I don't think any of these were actual viruses that infected anyone's computers to that degree Roguish Seraph.
I have found the ones that have actually caused problems for me are ones that u don't find in google - as in- they are not a defined virus but rather a trojan that was with spyware (which i find them getting just as bad and annoying as viruses because they are still leeching and lagging my comp) it is those things that let the trojan slip in to become the backdoor to every random virus that can be detected and let them in...that's the annoying part - you can deal with the viruses but the onslaught of them is a major pain in the butt.
Yeah it's very bad malware trojan. Acquired from Guru Popups or Ads.
It's very bad and even operates in safe mode.
What it does...
Edits Registry to disable task manager
Edits Registry so the association for .exe is changed so any program that ends in exe activates the malicious program and can't use any exe program
Takes over Desktop with link to pretend fix
Takes over Taskbar with balloon icon for fake fix
Infects the wininet.dll
operates dll as exe
exploits system volume information folder to reinfect every hour or so
exploits language bar
tracks all key strokes
searches hard drive
opens internet explorer repeatedly
sends all information to criminals
VERY BAD BAD BAD BAD..............BAD BAD BAD
Solution is complicated but involves safemode manually editing registry
bringing certain files from a windows directory on a non infected pc to the infected one end tasks and running spyware removal programs
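As an added example (not part of the post above, and not code from anyone in this thread): a read-only PowerShell check for the first two changes in that list, Task Manager disabled through the registry and a changed .exe association. The post does not name the keys involved; the paths below are the standard Windows locations for those settings and are an assumption about this case.

```powershell
# Added example: read-only check of the two registry settings the post describes.
# Key paths are the standard Windows locations, not values taken from the thread.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()

# 1. Task Manager disabled by policy (per-user and machine-wide).
foreach ($hive in 'HKCU:', 'HKLM:') {
    $path = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if ((Get-RegValue $path 'DisableTaskMgr') -eq 1) {
        $findings += "DisableTaskMgr=1 under $path"
    }
}

# 2. .exe association: merged view (HKCR) and per-user override (HKCU\Software\Classes).
#    Stock values: .exe maps to 'exefile', and exefile's open command is "%1" %*
$expected = @{
    '.exe'                       = 'exefile'
    'exefile\shell\open\command' = '"%1" %*'
}
foreach ($root in 'Registry::HKEY_CLASSES_ROOT', 'HKCU:\Software\Classes') {
    foreach ($sub in $expected.Keys) {
        $value = Get-RegValue "$root\$sub" '(default)'
        # A missing per-user key is normal; only a present, different value is flagged.
        if ($null -ne $value -and $value -ne $expected[$sub]) {
            $findings += "$root\$sub default is '$value', expected '$($expected[$sub])'"
        }
    }
}

if ($findings.Count -eq 0) {
    'No Task Manager policy or .exe association changes found.'
} else {
    $findings
}
```

The script only reads values and changes nothing; a finding under `HKCU:\Software\Classes` means a per-user override is shadowing the machine-wide association.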
And as you can tell we dealt with it swiftly and there has been no incident of it happening again. And no, we don't even know if it actually infected anyone or what virus it may have been since some of them are coming up as false positives. If you could provide more information melissa on which particular virus you believe may have done this perhaps that would be more informative. But it definitely leads me to believe that the information you posted isn't really attributed to the above viruses considering that other users above you have said a simple scan with their anti-virus removed this and it has not popped up again. I really don't believe the viruses listed are any more than spyware and certainly aren't doing what you detailed as I have been speaking thoroughly with people who know their systems and what was on it before this happened.
My System was more vulnerable since I had nothing in place to protect it....no anti-virus or windows updates or anything except a firewall.
Ok here is some names listed by AVG
Trojan horse Generic 10.QTX
Trojan horse Downloader.Generic7.JLL
Trojan horse Generic 10.QGO
Trojan horse SHeur.BHLN
Adware Generic2.TQI
Trojan horse Generic 10.JEM
Virus Found Win32/Heur
Adware Generic2.STX
Virus Found Win32/PolyCrypt
Spybot Search and Destroy
Found a Smitfraud Variant but don't have the log
How I know it was caused by Guru popups.
I was navigating Guru when I changed pages suddenly my internet explorer closed and my firewall went crazy with tons of new programs I don't have were trying to access the internet. With each reset of my computer it just became more and more locked down.
At least it was an educational experience.
I'm Roguish's bf and I looked at her comp for over an hour and everything Melissa b explained is there. Given I'm not great handling viruses (my comp is free of them) I had a pain in an ass time dealing with it. I don't think anybody has 'proof' to the virus, spyware, trojans because those who have it they're infected right away and CAN'T tell if they're locked down or those with pop-up blockers and protected comps wouldn't even know the difference.
To note Roguish's comp is still down and locked up from internet, task manager, background desktop, and overall the IE pop ups (spamming a window per second) has made it really difficult to deal with.
Edit: Just did a System Restore about a week before the comp got lockdown and everything is up and running, now to use some programs to clean it up. (Do system restore in safe mode of course)
Getting the same as the others above, as far as the popups go and at first were being blocked, gonna do virus scans after I post this.. Not sure what ones were being blocked as I don't pay them too much mind, that is, they were blocked, I close them out without checking to see what they were, but I did notice this one that was having a hard time loading.. cdn5.Tribalfusion.com when I logged into guru a few minutes ago. Hope this may be of some help.
Yes.. my scans came back clean.. and I have not had any ill effects on my comp, or in game. One ad that was being blocked every time was http://adserving.cpxinteractive.com.. these start trying to load as soon as I log into guru, and try to reload every time I move to a different section of your site here. I googled these and from what I saw in some of the links given by google they are bad and should be blocked.. there are other links/ads that try to load or do load, but are too fast for me to catch and write down. I hope this may be of more help, and I'll try and see what else is loading and send you any info I can find. Also, I have guru as my home page and am always logged into the site, and at first, I did get the popups, but now I am not, but I am getting an error message when I try to actually log out of guru, I've also noticed that some ads are now displaying gold selling sites.
