login

Author Topic: virus alert  (Read 10461 times)

Offline Chris H.

  • Regulars
  • Jr. Member
  • **
  • Posts: 86
    • View Profile
    • Email
virus alert
« on: April 22, 2008, 12:02:48 PM »
Hi,
For a couple of weeks now I get ( both at work and at home) a virus alert (trojan horse found and removed) everytime I visit the board.....
Chris H. (only 9 weeks to go..........)

Offline Chas

  • Regulars
  • Sr. Member
  • ****
  • Posts: 268
    • View Profile
    • http://
    • Email
virus alert
« Reply #1 on: April 22, 2008, 03:22:34 PM »
Chris,

Do you have any other info on the Trojan?  (eg: W32-gobbledegook-BD)

Which AV tool is reporting it?

On the basis that I'm paranoid and haven't had any (recent) problems, nor has anybody else reported a problem, I'd suspect you are getting a "false positive".
Chas



Stupidity is its own reward.

Offline George

  • Regulars
  • Hero Member
  • *****
  • Posts: 1375
    • View Profile
    • Email
virus alert
« Reply #2 on: April 23, 2008, 08:18:25 AM »
This problem came up some time ago and there is a message stream about it somewhere on this board. I think Paul knows about it so don't panic.  

george g...

Offline Chris H.

  • Regulars
  • Jr. Member
  • **
  • Posts: 86
    • View Profile
    • Email
virus alert
« Reply #3 on: April 23, 2008, 11:28:06 AM »
Chas,
This is what it says under name:
prf329.tmpPRF329.TMP
Chris H.

Offline Chris H.

  • Regulars
  • Jr. Member
  • **
  • Posts: 86
    • View Profile
    • Email
virus alert
« Reply #4 on: April 23, 2008, 11:32:19 AM »
Chas,
sorry, you asked what AV tool detected it
uhh, dunnoh......
other information:
under detected:
Exploit-ByteVerify
and also:
VBS/Psyme
hope this helps

Offline Chas

  • Regulars
  • Sr. Member
  • ****
  • Posts: 268
    • View Profile
    • http://
    • Email
virus alert
« Reply #5 on: April 23, 2008, 01:55:14 PM »
George - the past problem was with some "naughty" scripts that had been hacked onto the Invision servers.

Chris H - after a quick bit of digging, the "Exploit-ByteVerify" is an old trojan/exploit which Microsoft fixed several years ago see this Microsoft Security Bulletin.

I will assume you have a legal version of Windows and have been very good and got all the monthly patches and fixes from the Windows Update (from the "Start" button or Internet Explorer <Tools> dropdown).

"VBS/Psyme" is another oldie that should already be blocked.

If you have Mcafee (as I suspect), it has a track-record of getting false-positives for several scumware items.

Just for a quick-fix, try clearing ALL your temporary / Internet files (Internet Explorer <Tools> <Internet Options> on the "General" tab, centre block) - the PRF329.TMP file causing the warning is probably sat in the cache and wakes up whenever you come here.

Chas



Stupidity is its own reward.

Offline Chris H.

  • Regulars
  • Jr. Member
  • **
  • Posts: 86
    • View Profile
    • Email
virus alert
« Reply #6 on: April 23, 2008, 08:38:00 PM »
Chas,
Okidoki, thanks a lot:)

Offline Noopsy

  • Sponsors
  • Sr. Member
  • ****
  • Posts: 497
    • View Profile
    • Email
virus alert
« Reply #7 on: April 29, 2008, 10:29:57 PM »
Over the last few weeks when on this site I 've been bombarded with viruses and other problems.  A particularly troublesome one was W32/Small.EA.  I've managed to get on top of it all now (but I can't get rid of a relic in the form of a message which keeps popping up every time I switch the computer on which says: "Error loading i.Security.cpl.  The specified module could not be found.").  Today, in addition to the usual virus stream, I've lost web functionality, and have had to switch the computer off completely in order to be able to move on to another part of the forum.  It seems that this website has somehow become a conduit for various nasties.  Has anyone else experienced any problems of this nature (apart from Chris H.)?

Noopsy  

       

Ελευθερία ή θάνατος

Offline Chris H.

  • Regulars
  • Jr. Member
  • **
  • Posts: 86
    • View Profile
    • Email
virus alert
« Reply #8 on: April 30, 2008, 09:50:24 AM »
Quote from: Noopsy 500
Over the last few weeks when on this site I 've been bombarded with viruses and other problems.  A particularly troublesome one was W32/Small.EA.  I've managed to get on top of it all now (but I can't get rid of a relic in the form of a message which keeps popping up every time I switch the computer on which says: "Error loading i.Security.cpl.  The specified module could not be found.").  Today, in addition to the usual virus stream, I've lost web functionality, and have had to switch the computer off completely in order to be able to move on to another part of the forum.  It seems that this website has somehow become a conduit for various nasties.  Has anyone else experienced any problems of this nature (apart from Chris H.)?

Noopsy

Yep, me too, every now and again lately my explorer gets stuck when I am at this site. I have to close down explorer and start it up again to be able to go on.
Chris H.
(I'd love to get stuck in Plak though)

Offline Robin Young

  • Newbie
  • *
  • Posts: 28
    • View Profile
    • http://
    • Email
virus alert
« Reply #9 on: April 30, 2008, 11:02:38 AM »
Quote from: Chris H.
Quote from: Noopsy 500
Over the last few weeks when on this site I 've been bombarded with viruses and other problems.  A particularly troublesome one was W32/Small.EA.  I've managed to get on top of it all now (but I can't get rid of a relic in the form of a message which keeps popping up every time I switch the computer on which says: "Error loading i.Security.cpl.  The specified module could not be found.").  Today, in addition to the usual virus stream, I've lost web functionality, and have had to switch the computer off completely in order to be able to move on to another part of the forum.  It seems that this website has somehow become a conduit for various nasties.  Has anyone else experienced any problems of this nature (apart from Chris H.)?

Noopsy

Yep, me too, every now and again lately my explorer gets stuck when I am at this site. I have to close down explorer and start it up again to be able to go on.
Chris H.
(I'd love to get stuck in Plak though)
For some time now I have been getting an alert from my Zone Alarm spy site module stating that access has been blocked to "bot.gribokk.com/setup.php?aff_id=6080". I wonder what this is about. This only occurs when visiting this forum.
Robin Young
« Last Edit: April 30, 2008, 01:53:14 PM by Robin Young »

Offline Ploppy

  • Administrator
  • Hero Member
  • *****
  • Posts: 720
    • View Profile
    • Hounslow Weather
    • Email
virus alert
« Reply #10 on: April 30, 2008, 09:20:32 PM »
I've taken a look and there were some suspicious files that appeared on the 6th of April.

I have now deleted these. Can you let me know how you get on now.

I'll be sure to keep a closer eye out now :-(

Apologies for any trouble caused.

Cheers,

Paul

Offline Chas

  • Regulars
  • Sr. Member
  • ****
  • Posts: 268
    • View Profile
    • http://
    • Email
virus alert
« Reply #11 on: May 01, 2008, 05:52:14 PM »
Noopsy, Chris H, Robin Young,

In view of the low number of reports (and the fact I've had no problems), I reckon you may have something nasty stuck behind the scenes on your PCs ..... Try This Link for help with identifying what's there (that shouldn't be) AND how to get rid of it.

Start off by reading "Viruses/Spyware/Malware, preliminary removal instructions." - you'll soon work out if you need more help.  The "boss", Howard Hopkins, is very helpful and understanding ..... he's also very busy, so don't expect immediate replies (but you may well get them).

I can be smug now but it was a different story a few years back

Good luck with your clean ups
Chas



Stupidity is its own reward.

Offline Robin Young

  • Newbie
  • *
  • Posts: 28
    • View Profile
    • http://
    • Email
virus alert
« Reply #12 on: May 02, 2008, 02:29:08 PM »
Quote from: Ploppy
I've taken a look and there were some suspicious files that appeared on the 6th of April.

I have now deleted these. Can you let me know how you get on now.

I'll be sure to keep a closer eye out now :-(

Apologies for any trouble caused.

Cheers,

Paul
I am no longer getting the Zone Alarm spy site alerts.
Robin Young

Offline Chris H.

  • Regulars
  • Jr. Member
  • **
  • Posts: 86
    • View Profile
    • Email
virus alert
« Reply #13 on: May 02, 2008, 06:39:52 PM »
Ok for the home pc but I have the same problem at work and they have hundreds of computers running and all very well protected so.....?
Chris H.

Offline Ploppy

  • Administrator
  • Hero Member
  • *****
  • Posts: 720
    • View Profile
    • Hounslow Weather
    • Email
virus alert
« Reply #14 on: May 03, 2008, 01:50:28 PM »
Robin - Glad it seems to have been resolved now.

Noopsy - How is it for you now?

Chris - So you are ok at home but your work PC still has a problem? Did your anti-virus find and attempt to fix anything at work?

Has anyone else had aproblem?

I haven't on a number of PCs I have used though of course it will be dependent on which parts of the site you visited in relation to those suspicious files I removed.


From a security standpoint I ensure that all FTP account are secure and protected by a strong password. (FTP accounts are used to upload files to the web server. The web server then sends/executes these files when you visit the website)

I will also now do daily checks on new files that appear on the site. As this site is fairly static, i.e it is not constantlay updated like the BBC News website, then it should be fairly easy to spot nasties.

New files should only appear on the webserver if someone uploads something, i.e a picture, or if I make any changes.

All posts and topics are not held as discrete files at the Operating System level but in a database.

Please feel free to PM or e-mail me if you need any assitance.

Regards,

Paul