Virus?

Unkynd

Pre-Searing Cadet

Join Date: Apr 2009

I was surfing this site and got a virus notification from McAfee....

The virus name was some trojan called Vundo!grb.

Lord Of Blame

Wilds Pathfinder

Join Date: Aug 2008

USA

Marked Souls [MkS]

E/N

We use McAfee at work and I have Norton at home. So far I have not seen either report a virus or trojan.

This might be better in The Outer Circle forum.

Kanna Banrai

Frost Gate Guardian

Join Date: Nov 2005

Inman, South Carolina (-5 GMT)

Gameamp Guides

Mo/

I just visited this thread, and got an automatic download request for a pdf file. =/

Carboplatin

Jungle Guide

Join Date: Jul 2005

[PIG]

W/A

Same here, Symantec caught it for me.

Sir Baddock

Lion's Arch Merchant

Join Date: Jan 2007

Canada

Endemic Warfare

W/

While you're at it make sure it's not one of the several variations of Conficker that's been going around, you can test if you have conficker at http://www.confickerworkinggroup.org...feyechart.html

Chthon

Grotto Attendant

Join Date: Apr 2007

Hmmmm, nothing unusual for me. Don't tell Inde I said so, but maybe you should consider switching to Firefox as well as using something to block giraffes.

skinnydarn

Academy Page

Join Date: Jun 2006

uk

ttr fanstastic

E/

Nah nothing unusual for me either...

Fril Estelin

So Serious...

Join Date: Jan 2007

London

Nerfs Are [WHAK]

E/

Good news: this is a low-profile malware, nothing like a virus.

Bad news: you're probably using Internet Explorer?

Kill the giraffes...

Primus

Ascalonian Squire

Join Date: Feb 2006

Xen of Onslaught [XoO]

Sounds like it could be a hijacker as well. I do agree with the above, switch to Firefox as well.

Oh by the way, I use Avast and Firefox, and have had zero issues with this site.

persuadu

Frost Gate Guardian

Join Date: Nov 2007

DTH

R/

If you are having virus/spyware issues, download Malwarebytes (Google it). I have Spybot S&D and Symantec Antivirus. Malwarebytes found a ton of stuff that the other 2 didn't find. Oh, and it's FREE!

AsyaMordina

Ascalonian Squire

Join Date: Jul 2006

Beguine Guild [BGN]

While browsing the riverside Symantec came up with the warning for Bloodhound.Exploit.196. There was also a request to download an Active X control which was denied.

kzap

Site Contributor

Join Date: Dec 2004

R/Mo

I don't think this is the usual hacking; it could be an actual ad with a virus from our regular ad provider, if you could provide the whole virus report + a screenshot of the page with the ad that got the virus report.

KZaske

Jungle Guide

Join Date: Jun 2006

Boise Idaho

Druids Of Old (DOO)

R/Mo

Starting yesterday some forum links send me off to a site blocked by my AV software. The site I am redirected to is http://boqwez.info/rp/in.php. Has the guru server been hacked?

For kzap - Today, I was trying to access http://www.guildwarsguru.com/forum/s...php?t=10366819 when I got redirected. I am sure this is what the others were reporting. Attempting a second time I was able to access that thread with no problem.

Sun Fired Blank

Jungle Guide

Join Date: Apr 2007

If you get asked to download pdfs from zeoztz.info and other sites, you should report exactly which ad is displayed when you get prompted. And obviously reject any suspicious downloads.

TheRaven

Desert Nomad

Join Date: Sep 2006

Virginia

Spirit of Elisha

W/

I just tried to visit the Riverside forum and Norton blocked a trojan download called Bloodhound.Exploit.196.

I rarely visit guru anymore at all and stuff like this makes me want to delete all bookmarks to the site.

Edit: With Firefox, I re-visited Riverside. Again Norton caught the Bloodhound trojan and I was prompted to download a .pdf file, which I blocked. The 2 ads showing were "The Millionaire League" at the top of the page and a JCPenney ad embedded in the thread.

kzap

Site Contributor

Join Date: Dec 2004

R/Mo

Thanks for that ad info, I'm looking into it ASAP.

Shursh

Lion's Arch Merchant

Join Date: Jul 2008

KaVa

N/

I too have this Vundo!grb trojan... how do we get rid of it??

AsyaMordina

Ascalonian Squire

Join Date: Jul 2006

Beguine Guild [BGN]

Caught snapview.ocx. With all the other things going on, I have no idea if this is legit or not.

AsyaMordina

Ascalonian Squire

Join Date: Jul 2006

Beguine Guild [BGN]

And then on the very next click... Bloodhound

TheRaven

Desert Nomad

Join Date: Sep 2006

Virginia

Spirit of Elisha

W/

Today I was again prompted to open 7.pdf and Bloodhound.Exploit.196 was auto-downloaded when I opened the High End forum. Green.com was the ad at the top of the page.

What's going on with the site? It didn't used to be like this. For now, I'm warning all my guildmates to stay away from the site.

Kattar

EXCESSIVE FLUTTERCUSSING

Join Date: Mar 2007

SMS (lolgw2placeholder)

Me/

It's the ads, TheRaven. Blame Google.

szim

Desert Nomad

Join Date: Feb 2006

Poland

Mo/Me

Some days ago I got a keylogger called Ardamax from Guru's advertisement. My Norton saved me from that.

Sun Fired Blank

Jungle Guide

Join Date: Apr 2007

Snapview.ocx is a control that comes with Access. It used to silently download and install itself automatically in the background, being a Microsoft-signed control. At which point, vulnerabilities in snapview.ocx would be used to exploit a user's machine.

This mode should be outdated for these reasons:

1) the vulnerabilities are (in theory) fixed for any user with updates past mid-August 2008, or anyone who has XP SP3 or Vista
2) If your security settings for MIE are properly setup, you should be prompted to download the control
3) The average user has no use for it, so you don't have to download it when prompted.

Bloodhound.Exploit is a generic Symantec label for the file (or files) which downloads and opens a pdf via Adobe Reader. The pdf then loads a site which infects your computer; in this case, the malware in question is Vundo, a well-known and prolific trojan that, while not particularly dangerous, is extremely annoying, causes severe system degradation, and is hard to remove.

I've included some basic protection and removal instructions here. For downloading most of the files mentioned in this post, you may wish to use Tarun's Anti-Malware Toolkit. His company's wiki at Lunarsoft has a lot of good advice on more in-depth cleanup and security. If this post doesn't help you remove Vundo from your system, head over to the Technician's Corner.

The best way to protect yourself is:

Internet Explorer (if you must...): SpywareBlaster, Spybot: S&D (use immunization, disable TeaTimer)

Other useful protection:

Internet Explorer (if you must...): ZonedOut w/ IE-SpyAd

Make sure that you have the latest Windows and Java updates. Windows Defender is decent Real-Time Protection.

Get an Anti-Virus program. There are several free AVs that are okay:

Avira
Avast!
AVG

Also make sure your security is properly configured for:

1) FireFox: Tools -> Options -> Security:
- Warn me when sites try to install add-ons: Yes (in particular)
2) Internet Explorer (if you must...): Tools -> Internet Options -> Security -> Internet:
- ActiveX: Disable Everything. Use Trusted Sites for ActiveX functionality.

To remove Vundo:

CCleaner
Malwarebytes' Anti-Malware
SuperAntiSpyware

Download and update each program. Restart into Safe Mode (F8).

Run CCleaner with these settings:

Cleaner -> Windows -> select everything except for:
- System -> select everything except Memory Dumps and Windows Log Files
- Advanced -> only select "Old Prefetch Data"

Note: selecting the Autocomplete Form history deletes your saved passwords.

Cleaner -> Applications -> select everything

You will need to close FireFox in order to clean its temporary files.

Registry -> select nothing
Tools -> ignore this part

Click "Run Cleaner."

Run SuperAntiSpyware, specifically with these settings under Preferences -> Scanning Control:

- Close browsers before scanning
- Scan for tracking cookies
- Terminate memory threats before quarantining

Note: These settings are targeted specifically for the removal of Vundo, not for more general scans.

Run a complete scan on your primary hard drive.

Run Anti-Malware, with every box enabled under Settings, including "Terminate Internet Explorer..."

Run a full scan on your primary hard drive.

If Anti-Malware prompts you to reboot to finish cleanup, do not reboot into Safe Mode; this will cause the next phase of cleanup to fail. Restart normally.

Finally, run a complete scan with your anti-virus program (using updated definitions).
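The chain the thread describes is a forum page serving an ad, the ad sending the browser to a third-party site (the boqwez.info/rp/in.php and zeoztz.info addresses posters reported), and that site pushing a PDF download. A site operator or network admin can spot that pattern in their own proxy logs. The following is an added example written for this thread, not code from Guild Wars Guru or from any poster; the log format, the client addresses and every log line are constructed for the example, and only the two domain names and the forum host come from the thread.

```python
"""
Detection sketch for the ad -> redirect -> PDF-download chain described in this thread.

Assumed (constructed) proxy-log format, one request per line:
    <timestamp> <client_ip> <http_status> <method> <url> <referer>
The referer is "-" when absent. The domains in SUSPECT_DOMAINS are the ones
posters named in the thread; the sample log lines are constructed, not captured.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

SUSPECT_DOMAINS = {"boqwez.info", "zeoztz.info"}   # named by posters in the thread
FORUM_HOST = "www.guildwarsguru.com"              # site the ads were served on

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<referer>\S+)$"
)

# Constructed sample: client .5 follows the full chain, client .7 is redirected but
# the proxy blocks the request (403), client .9 fetches a PDF from an unrelated host.
SAMPLE_LOG = """\
2009-04-20T10:01:02 10.0.0.5 200 GET http://www.guildwarsguru.com/forum/forumdisplay.php?f=1 -
2009-04-20T10:01:03 10.0.0.5 302 GET http://boqwez.info/rp/in.php http://www.guildwarsguru.com/forum/forumdisplay.php?f=1
2009-04-20T10:01:04 10.0.0.5 200 GET http://boqwez.info/rp/7.pdf http://boqwez.info/rp/in.php
2009-04-20T10:02:00 10.0.0.9 200 GET http://www.guildwarsguru.com/forum/showthread.php?t=1 -
2009-04-20T10:02:01 10.0.0.9 200 GET http://www.example.com/guide.pdf http://www.guildwarsguru.com/forum/showthread.php?t=1
2009-04-20T10:03:00 10.0.0.7 403 GET http://zeoztz.info/rp/in.php http://www.guildwarsguru.com/forum/forumdisplay.php?f=8
"""


def parse_line(line):
    """Parse one log line into a dict, adding the request host and referer host."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None                     # unparseable line: skip rather than crash
    entry = m.groupdict()
    entry["host"] = urlparse(entry["url"]).netloc.lower()
    entry["ref_host"] = (
        urlparse(entry["referer"]).netloc.lower() if entry["referer"] != "-" else ""
    )
    return entry


def is_pdf_download(entry):
    """True when the requested path ends in .pdf (the lure the thread describes)."""
    return urlparse(entry["url"]).path.lower().endswith(".pdf")


def clients_redirected(lines):
    """Clients that were sent from a forum page to one of the suspect ad domains,
    whether or not the follow-up PDF fetch succeeded (it may have been blocked)."""
    clients = set()
    for line in lines:
        e = parse_line(line)
        if e and e["host"] in SUSPECT_DOMAINS and e["ref_host"] == FORUM_HOST:
            clients.add(e["client"])
    return clients


def find_malvertising_chains(lines):
    """Return (client, redirect_url, pdf_url) for each client that went
    forum page -> suspect domain -> PDF from that suspect domain.
    Assumes lines are in time order for each client."""
    per_client = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e:
            per_client[e["client"]].append(e)

    hits = []
    for client, entries in per_client.items():
        redirect = None
        for e in entries:
            if e["host"] in SUSPECT_DOMAINS and e["ref_host"] == FORUM_HOST:
                redirect = e                        # step 1: landed on the ad's site
            elif redirect and e["host"] in SUSPECT_DOMAINS and is_pdf_download(e):
                hits.append((client, redirect["url"], e["url"]))  # step 2: PDF lure
                redirect = None
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("redirected clients:", sorted(clients_redirected(lines)))
    for client, redirect_url, pdf_url in find_malvertising_chains(lines):
        print(f"{client}: {redirect_url} -> {pdf_url}")
```

The two functions answer different questions: `clients_redirected` tells you which machines saw the bad ad at all (useful for deciding who to warn, as kzap asks), while `find_malvertising_chains` narrows that to machines where the PDF was actually fetched and therefore need the cleanup steps above. A benign PDF fetched from an unrelated host after reading the forum is deliberately not flagged.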

Shursh

Lion's Arch Merchant

Join Date: Jul 2008

KaVa

N/

Wow, great information; that post should be stickied if it isn't already.

I'll try out all those things you mentioned and see if it clears up the problem.

Thanks!

kzap

Site Contributor

Join Date: Dec 2004

R/Mo

OK, aside from pictures I need the links; when you mouse over the banner, get the link please.

AsyaMordina

Ascalonian Squire

Join Date: Jul 2006

Beguine Guild [BGN]

The ads are flash based. Where would the link be, as they don't show up in the bottom status bar when moused over?

kzap

Site Contributor

Join Date: Dec 2004

R/Mo

You can click on it to see where the ad brings you; in those cases a screenshot also helps us. I've banned a couple of specific sites from advertising on us.

Lishy

Forge Runner

Join Date: Jan 2008

I've actually had Vundo once from somewhere and had to format. I'm guessing it was from GuildWarsGuru, judging from all the Vundo talk?
Either way, I really hope this matter is attended and we get more confirmation on GWG and viruses. While ads are important, none of them should be allowed to give out viruses.

Enchanted Warrior

Wilds Pathfinder

Join Date: Jul 2006

W/Mo

I'd make a public announcement, you're getting a fair amount of bad press.

http://www.google.com/search?q=guild...ient=firefox-a

I'm afraid as this is my work computer also, I cannot risk infection. I hope you get it fixed, but I've got to say goodbye for now.

Kattar

EXCESSIVE FLUTTERCUSSING

Join Date: Mar 2007

SMS (lolgw2placeholder)

Me/

Quote:
Originally Posted by AsyaMordina
Clicking through to a site whose ad has tried to implant a virus may not be the prudent thing to do. kzap isn't advising people click through. If you hover your cursor over it, it will give you the link in most cases. You really think a server admin would tell his user base to do something that dumb?

Why is it people always think we're trying to screw them over?

kzap

Site Contributor

Join Date: Dec 2004

R/Mo

We're not delaying making an announcement.
We're dealing with an issue in one of our ad providers in one of their ads, something that is affecting big sites like Yahoo also.
Now not everyone is getting this, a lot are, but what we are asking for is your cooperation in tracking down these ads with viruses.
And yes, I am asking you to click the ad if it's Flash based, as that's the only way we will get the URL, but only do so if your virus scanner stopped the virus, so you should be safe enough to check what the website is.
Advice about the infection? Get a good virus scanner and keep it up to date; you can never be too safe. Use a firewall too. Also stop using IE; use Firefox or anything else that's not as exploitable.

AsyaMordina

Ascalonian Squire

Join Date: Jul 2006

Beguine Guild [BGN]

Here's one with a URL. Bloodhound.

Inde

Site Contributor

Join Date: Dec 2004

Thank you Asya!!!

kzap

Site Contributor

Join Date: Dec 2004

R/Mo

OK, blocked that ad, though when I went into Tribal Fusion and checked the ad in IE I was not getting a virus report.

kzap

Site Contributor

Join Date: Dec 2004

R/Mo

OK, I've deactivated CPX Interactive; please let me know if anyone is getting any more viruses.