Virus from guru ads/attack site

Belicosos Finos

Ascalonian Squire

Join Date: Apr 2006

UK

Heros of the Rose [HotR]

W/

Have just had some popups from antivirus software (Sophos in this case) with some virus warnings as I've been reading through Guru.

Virus identified is Mal/Iframe-G and the ad (or at least the site generating it) is
www.fun6677.com/ js / index.htm (without spaces)

Yang Whirlwind

~ Retired ~

Join Date: Nov 2005

Copenhagen, Denmark (GMT +1)

E/

Thank you for bringing this to our attention.
I have forwarded your information and the link containing the virus should be removed shortly.

Raven Wing

Jungle Guide

Join Date: Nov 2005

The Imperial Guards of Istan [TIGI]

N/

I'll just mention I had the same.

Raven Wing

Jungle Guide

Join Date: Nov 2005

The Imperial Guards of Istan [TIGI]

N/

and another:
http://adserver.mmoguru.com/defaulta...eaderboard.php
In this case it's avast! discovering it.

Fates

Wilds Pathfinder

Join Date: Jul 2005

Kanuckistan

Mirror of Reason [SNOW]

R/

Warning: Visiting this site may harm your computer!
The website at www.guildwarsguru.com contains elements from the site www.fun6677.com, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
For detailed information about the problems with these elements, visit the Google Safe Browsing diagnostic page for www.fun6677.com.

Painbringer

Furnace Stoker

Join Date: Jun 2006

Minnesota

Black Widows of Death

W/Mo

1 Before locked

Report to site feedback or moderator 1st before causing mass panic.

There is also a snapview.ock that keeps trying to load. BTW

P.S. clean your browsing history

Misa

Krytan Explorer

Join Date: Jul 2005

Right next to the armor crafter.

Mo/

same here
avast blocked the same thing from guru (http://www.fun6677.com/)

stretchs

Jungle Guide

Join Date: Sep 2007

Untimely Demise [Err了] - SOHK

This is unfortunately a common occurrence here. Be sure to have script stopping/blocking on your browser, which can/will help, but as anyone knows, anywhere you go on the net could lead to bad places.

Jensy

Site Contributor

Join Date: Apr 2007

Phoenix, Arizona

Blinkie Ponie Armie [bpa]

N/Mo

Yeah, I have FF with noscript and I'm not getting any warnings O_o

Feathermoore Rep

Krytan Explorer

Join Date: Nov 2006

PM me for JACT Invite

Feathermoore Clan

R/Mo

That's a message generated by Google Chrome. I actually just received the same message. It automatically checks the websites against its own database of reported malware/spyware/harmful websites and automatically lets you know when your browser directs to one, stops you, and asks if you wish to proceed.

I just accepted the warning and went on browsing. With the ads it's really no surprise that it registers as malware.

Neez

Lion's Arch Merchant

Join Date: Dec 2008

Portugal

Sweet Valley High [Girl]

W/

Malware is found by Avira every time I open a thread, whichever it is.


Quote:
13-01-2009 22:14 Malware found
Virus or unwanted program 'HTML/Dldr.Iframe.JI [virus]'
detected in file 'C:\Documents and Settings\n"\Local Settings\Temporary Internet Files\Content.IE5\35SGBZRM\index[1].htm.

Inde

Site Contributor

Join Date: Dec 2004

Thanks everyone. Resolved.

KZaske

Jungle Guide

Join Date: Jun 2006

Boise Idaho

Druids Of Old (DOO)

R/Mo

I have a warning from Avira concerning malware and redirects from not one but two different web sites along with two pop-unders are from yieldmanager.com (cpxinteractive.com) and quizrocket.com. The site seems to reset itself about once every two minutes.

Neez

Lion's Arch Merchant

Join Date: Dec 2008

Portugal

Sweet Valley High [Girl]

W/

Looks like it has been solved.

KZaske

Jungle Guide

Join Date: Jun 2006

Boise Idaho

Druids Of Old (DOO)

R/Mo

Everything seems to be fine now. Thanks Inde for getting this taken care of so quickly.

cosyfiep

are we there yet?

Join Date: Dec 2005

in a land far far away

guild? I am supposed to have a guild?

Rt/

I just got a very strange warning from AVG (yea I have it paid for for the next 2 years not going to change now)....I have attached a screen shot of the warning...it's really late so my brain is not computing what it means other than I should just go to bed now----(and maybe I should not use Chrome).

bsoltan

Site Contributor

Join Date: Dec 2005

UK

[SoF]

I'm getting this today:



Whenever I visit any page on Guru.

Edit: Yep same one cosyfiep. Chrome + Nod32.

Lord of kryta

Academy Page

Join Date: Mar 2006

Australia

So I Herd U Liek Hallskipz [ORLY]

W/Mo

I'm getting it as well, using ESET.

baltazar knight

Frost Gate Guardian

Join Date: Oct 2007

Belgium

The Myth of Phoenix [Myth]

W/



ESET NOD32 and Avira Premium found it, so probably no false positive.
It tries to access your computer without your permission. Everyone without antivirus will have troubles.

Description as it isn't clear:

Contains recognition pattern of the ''HTML/Dldr.Lframe.JL'' HTML script virus.

Metatail

Frost Gate Guardian

Join Date: Jul 2006

That's a cool pic you got there sir.

Malice Black

Site Legend

Join Date: Oct 2005

It's a running issue. It's due to Google ads and not Inde trying to haxxor your computer. PM the details to Inde/kzap and they'll get it removed.

dan_dv

Krytan Explorer

Join Date: Aug 2007

When I browse to Guildwarsguru with IE, I get two warnings from Norton Internet Security about infected file being removed.

code1101

Frost Gate Guardian

Join Date: Jan 2007

I just got it on my free AVG antivirus ... it's true guys.

A yellow bar appears on the top of the windows asking to run a RealPlayer ActiveX ... when I clicked it a virus tried to enter my PC

thig

Academy Page

Join Date: Oct 2005

S??by, Denmark

A Few Good Men

Mo/

Well there's a simple solution to it all...don't use an insecure browser like Internet Explorer. Switch to Firefox and install the NoScript plugin.

papryk

Jungle Guide

Join Date: Feb 2006

Nancy

The Autonomy[?????????]

Quote:
Originally Posted by code1101
I just got it on my free AVG antivirus ... it's true guys.

A yellow bar appears on the top of the windows asking to run a RealPlayer ActiveX ... when I clicked it a virus tried to enter my PC

same here...it's true

CE Devilman

Wilds Pathfinder

Join Date: Jul 2006

hell

Do U Trust Anet

N/Mo



just on guru webpage..

thral

Lion's Arch Merchant

Join Date: May 2007

W/

Avast keeps blocking something for me so yeah...

Schmerdro

Krytan Explorer

Join Date: Apr 2006

Canada

N/

I use Firefox with the NoScript extension and I never got any kind of warning from my AVG anti-virus.

Lesson: Don't use shitty web-browsers.

ag3ntblak

Academy Page

Join Date: Nov 2005

Team Flash

E/

http://i8.photobucket.com/albums/a8/...gurutrojan.jpg

http://s8.photobucket.com/albums/a8/...consistent.jpg

Almost every thread I go to in Guru is downloading this trojan into my computer. Is this why this forum is always so laggy?

baltazar knight

Frost Gate Guardian

Join Date: Oct 2007

Belgium

The Myth of Phoenix [Myth]

W/

http://www.guildwarsguru.com/forum/s...=1#post4485326

h**p://www.safe6699.com/js/index.htm

Avira detected it.
I'm using Firefox.

IattackU

Frost Gate Guardian

Join Date: May 2007

NJ, America

The Eternal Night Vanguard [TEN]

E/Mo

Quote:
Originally Posted by Schmerdro
I use Firefox with the NoScript extension and I never got any kind of warning from my AVG anti-virus.

Lesson: Don't use shitty web-browsers.

Same here except I use Avast and not AVG.

Haven't gotten a message at all and I actually just installed NoScript after I read this.

just call me jimmy

Frost Gate Guardian

Join Date: Dec 2005

just call me jimmy

W/Mo

Call me crazy but shouldn't the Moderators of Guru be informing their members of Trojans on their website? Regardless of who is at fault, the fact is people are at risk by just loading your website. I would say you have an obligation to inform people, of any risk loading Guru, what you are doing to fix it, and what your community should do if they receive these Trojan messages.

To the people that said "I use Firefox so no worries" I am sorry to say this, but you all have the IQ of a pea. Please uninstall the internet immediately, as you are a risk to it not blowing up.

Here is what my AVG picked up.

Trojan Horse Downloader Generic c .ACM - count29.51yes.com

hope you get it fixed

Inde

Site Contributor

Join Date: Dec 2004

We're aware everyone and taking care of it (and to Jimmy, sometimes we sleep. It's a bad habit I know. So when it takes us an hour or two to know of an issue it's just because my IV of caffeine hadn't started yet to wake me up). Thank you for the updates.

The Rift

Lion's Arch Merchant

Join Date: Sep 2005

Netherlands

N/

I get the same message from my AVG as most people here do.
My question is though: should we ignore it or rather leave Guru off for the moment till it is fixed by you?

just call me jimmy

Frost Gate Guardian

Join Date: Dec 2005

just call me jimmy

W/Mo



http://www.youtube.com/watch?v=yo3uxqwTxk0

Hopefully makes you laugh Inde, while having what will probably be an annoying day!!!

Necro Quink

Lion's Arch Merchant

Join Date: Aug 2007

Belgium

Trinity Of The Ascended [ToA]

N/

Well, I have been on Guru the whole day (using IE7) and didn't have any problem.

bsoltan

Site Contributor

Join Date: Dec 2005

UK

[SoF]

FYI: Getting this now as soon as I visit the forums

seut

Wilds Pathfinder

Join Date: Jun 2005

Europa

firefox / google

Dmitri3

Wilds Pathfinder

Join Date: Jul 2005

Canada, almost got to see a polar bear... :P

http://safebrowsing.clients.google.c...rum/usercp.php

Quote:
Site is listed as suspicious - visiting this web site may harm your computer.

Quote:
Of the 25 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-02-08, and the last time suspicious content was found on this site was on 2009-02-08.

Malicious software includes 1 scripting exploit(s). Successful infection resulted in an average of 12 new processes on the target machine.

Malicious software is hosted on 1 domain(s), including safe6699.com/.

This site was hosted on 1 network(s) including AS33070 (RMH).

EDIT: Had to disable safe browsing just to post this. I'd expect a drop in traffic from people who use Firefox or Google Chrome if this isn't fixed soon.
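
Added example, not part of the original thread or of any poster's message: a defender-side check that lists the embedded elements of a saved page whose host is one of the domains the reports above name (fun6677.com, safe6699.com, count29.51yes.com), and notes whether the element is hidden. The sample HTML, the other hostnames in it and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in this thread's antivirus and Safe Browsing reports.
FLAGGED = {"fun6677.com", "safe6699.com", "count29.51yes.com"}
EMBED_TAGS = {"iframe", "frame", "script", "embed", "object"}

def host_of(url):
    """Lowercased hostname of an absolute or protocol-relative URL ('' if none)."""
    url = "http:" + url if url.startswith("//") else url
    return (urlparse(url).hostname or "").rstrip(".")

def is_flagged(host):
    """True for a flagged domain or any subdomain of it, not for lookalikes."""
    return any(host == d or host.endswith("." + d) for d in FLAGGED)

class EmbedAuditor(HTMLParser):
    """Records (tag, host, hidden) for each embed served from a flagged host."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in EMBED_TAGS:
            return
        a = {k: (v or "") for k, v in attrs}
        host = host_of((a.get("src") or a.get("data") or "").strip())
        if not is_flagged(host):
            return
        style = a.get("style", "").replace(" ", "").lower()
        hidden = "0" in (a.get("width"), a.get("height")) or "display:none" in style
        self.findings.append((tag, host, hidden))

def audit(html):
    """Return the list of flagged embeds found in an HTML string."""
    auditor = EmbedAuditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample page (not captured from the site discussed in the thread).
SAMPLE = """<html><body>
<script src="http://ads.example.net/show.js"></script>
<iframe src="http://www.fun6677.com/js/index.htm" width="0" height="0"></iframe>
<iframe src="//video.example.org/player" width="640" height="360"></iframe>
<script src="HTTP://Count29.51yes.com/c.js"></script>
<iframe src="http://notfun6677.com/" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Matching is on the exact domain or a dot-separated subdomain, so the lookalike host in the sample is not reported even though its name ends in a flagged string.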