RMS is Infected

Started by Mewi, Apr 01, 2010, 05:03 AM


yC

Then your school could possibly have all the info I need to track it down.  Mind to share?  Actually I'd think school computers are set up so that users are not able to install anything, keeping the computer clean for every user.

Mewi or those that claimed they see/get IT, can I know your country?  PM me if you need to.  I am not finding or seeing anything bad yet ... but I rarely use IE.

Mewi

Quote from: yC on Apr 05, 2010, 01:53 AM
Then your school could possibly have all the info I need to track it down.  Mind to share?  Actually I'd think school computers are set up so that users are not able to install anything, keeping the computer clean for every user.

Mewi or those that claimed they see/get IT, can I know your country?  PM me if you need to.  I am not finding or seeing anything bad yet ... but I rarely use IE.

The browsers involved were IE8 and Firefox 2.0, with Java Runtime 6 Update 13 and Adobe Reader 9.1.0.

Location:  United States Vermont
Operating System:  Windows XP Professional

Kiyoshiro

I just got IE8 to work again lol XD (but MSN is being an idiot now). Got it fixed.
I'm in the U.S. specifically, Colorado.

Nerim

I'm also getting this bs malware. It only happens while searching through the item database.

yC

I have checked a few times with US proxies in the last few days and Riotblade browsing from the US doesn't get anything.  Still on the issue.

Spyware just loves Americans  :-X

It's best that I get all this info if anyone runs into it again:

URL of the ad as shown on the RMS page? (Right click, choose 'View Page Info', go to the Media tab and get the list of URLs there if you are using Firefox.)
What is the size of the ad (square, horizontal rectangle, vertical rectangle, small rectangle)?
What country are you browsing from? (Mostly US, now that we know.)

Pandora

I didn't get the other info back when it happened, but I live in Canada. I recall the banner to be rectangle and around the top of the page.
heRO is a great friendly, pre-renewal, unique and fun server with a great community, give it a try!

Nerim

Don't remember seeing a specific banner, but the site that tried to inject the stuff came from an IP address starting with 88.something. If that helps at all.

Mushu

I have the directory the virus sits in:

LocalSettings\temp\WYye.exe

Comodo identifies the virus as:

TrojWare.Win32.Trojan.Agent@105222719

Caught it earlier today as I was surfing RMS. The only 3 things I had up were Vent, RO and Firefox, with RMS as my only tab.

Watchy

I don't experience this kind of problem  :-X

Majinken Souga

I just got a virus warning from my antivirus while reading a thread. It was something with google.analytics.something in the web address, and it was while loading an ad. Fortunately, Avast! intercepted it. It was a trojan horse. I'll see if I can find it again and take a screen shot.

EDIT- Found it, thank god for program logs.

4/24/2010 11:34:45 PM   SYSTEM   1688   Sign of "JS:Prontexi-AP [Trj]" has been found in "google(dot)analytics(dot)com(dot)sbpbjxiqsfix(dot)info/kav/KAV4(dot)html" file.

That's what Avast! says.
The only way to save Modern TV: burn it in a pile, then burn the ashes, then compress and burn those ashes, then sprinkle it with holy water, then send the result into a black hole and never see it again.
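Two posts above ask for the same kind of evidence: yC wants the list of ad URLs from Firefox's Page Info media tab, and Majinken Souga pasted an Avast log line whose host name is built to look like Google Analytics but is actually a subdomain of an unrelated .info domain. The following script is an added example, not code from the thread or from any of the tools named in it. It parses the quoted Avast line (defanged with "(dot)", as posted), and triages a constructed list of media URLs by separating third-party hosts from the first-party site and flagging hosts that carry a well-known brand name, or a TLD-looking label, in their subdomain part. The first-party name "rms.example", the ad hosts, the BRANDS watch list and the tiny suffix list are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: the Avast log line quoted in this thread (defanged with
# "(dot)" exactly as the poster wrote it) plus a made-up list of media URLs of the
# kind Firefox's "Page Info -> Media" tab lists. "rms.example" and the ad hosts are
# placeholders, not real infrastructure.
AVAST_LINE = ('4/24/2010 11:34:45 PM   SYSTEM   1688   Sign of "JS:Prontexi-AP [Trj]" '
              'has been found in "google(dot)analytics(dot)com(dot)sbpbjxiqsfix(dot)info'
              '/kav/KAV4(dot)html" file.')
PAGE_MEDIA = [
    "http://rms.example/images/logo.png",
    "http://static.rms.example/css/bg.gif",
    "http://www.google-analytics.com/ga.js",
    "http://google.analytics.com.sbpbjxiqsfix.info/kav/KAV4.html",
    "http://ad-network.example/banner/728x90.swf",
]
FIRST_PARTY = "rms.example"

# Assumption: a small watch list of brand names that rogue ad hosts like to stuff
# into their subdomains, and the registrable domains those brands really use.
BRANDS = {"google", "microsoft", "adobe", "avast", "kaspersky"}
BRAND_DOMAINS = {"google.com", "google-analytics.com", "googlesyndication.com"}
# Assumption: a tiny stand-in for the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

AVAST_RE = re.compile(r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<where>[^"]+)" file')


def refang(text):
    """Undo the (dot) / [.] / hxxp defanging people use when pasting URLs."""
    text = re.sub(r"\((?:dot)\)|\[(?:dot|\.)\]", ".", text, flags=re.I)
    return re.sub(r"^hxxp", "http", text, flags=re.I)


def host_of(url):
    """Hostname of a URL, tolerating defanged input and a missing scheme."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(host):
    """The part of the host that someone actually registered (e.g. evil.info)."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_reasons(host):
    """Reasons a host looks like it is impersonating a trusted name (empty if none).

    The pattern in the Avast line is a trusted name, plus a TLD-looking 'com',
    placed in the subdomain part of an unrelated registrable domain."""
    reg = registrable_domain(host)
    if reg in BRAND_DOMAINS:
        return []  # the host genuinely belongs to the brand
    reg_labels = reg.split(".")
    all_labels = host.split(".")
    prefix = all_labels[: len(all_labels) - len(reg_labels)]
    reasons = []
    for label in prefix:
        if label in BRANDS:
            reasons.append(f"brand '{label}' used as a subdomain of {reg}")
        if label in {"com", "net", "org"}:
            reasons.append(f"TLD-like label '{label}' inside the hostname")
    return reasons


def triage_urls(urls, first_party):
    """Third-party hosts among the page's media URLs, each with its lookalike reasons."""
    seen, out = set(), []
    for u in urls:
        h = host_of(u)
        if not h or registrable_domain(h) == first_party or h in seen:
            continue
        seen.add(h)
        out.append((h, lookalike_reasons(h)))
    return out


def parse_avast_line(line):
    """Pull the signature name and the (refanged) host out of an Avast log line."""
    m = AVAST_RE.search(line)
    if not m:
        return None
    host = host_of(m.group("where"))
    return {"signature": m.group("sig"), "host": host,
            "registrable": registrable_domain(host), "reasons": lookalike_reasons(host)}


if __name__ == "__main__":
    print(parse_avast_line(AVAST_LINE))
    for host, reasons in triage_urls(PAGE_MEDIA, FIRST_PARTY):
        print(host, "->", reasons or "no lookalike indicators")
```

The registrable-domain check is the important step: a reader who only sees "google.analytics.com" at the start of the host name is exactly who the fake host is aimed at, while the script reads the name from the right and reports that the real owner is sbpbjxiqsfix.info. For anything beyond a forum triage, replace the TWO_LABEL_SUFFIXES stand-in with the real Public Suffix List.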

yC

Quote from: Mushu on Apr 24, 2010, 08:40 PM
I have the directory the virus sits in:

LocalSettings\temp\WYye.exe

Comodo identifies the virus as:

TrojWare.Win32.Trojan.Agent@105222719

Caught it earlier today as I was surfing RMS. The only 3 things I had up were Vent, RO and Firefox, with RMS as my only tab.

That I wouldn't be worried about.  An exe "virus" in the temp folder usually was downloaded some time ago and won't activate until some day/week/hour later, or until you restart your computer.  It could come from websites or from installations.  If you don't remove its registry entry, it will recreate itself after you remove it.  You need some kind of real-time protection if you are getting those.

Quote from: Majinken Souga on Apr 25, 2010, 02:45 AM
I just got a virus warning from my antivirus while reading a thread. It was something with google.analytics.something in the web address, and it was while loading an ad. Fortunately, Avast! intercepted it. It was a trojan horse. I'll see if I can find it again and take a screen shot.

Which thread was it?

A few days ago I turned off some networks that I suspect are causing the problem; still observing the effect.

Majinken Souga

Read above and thank god for Avast!, yC.

Relics

To those who think they've gotten infected:

Run HijackThis
http://go.trendmicro.com/free-tools/hijackthis/HiJackThis.exe

Run the .exe, click Scan in the lower left, wait for it to finish, then click Save Log (should be in the same place as Scan).
Save the log somewhere, and it should open. Copy those contents here.

yC

Reading this, http://blog.avast.com/2010/02/18/ads-poisoning-%E2%80%93-jsprontexi/

Hmm, if more than 50% of the internet ad servers are knowingly or unknowingly serving malware, I don't think we can even escape -.-

Just have to make sure the computer has real-time anti-virus & anti-spyware installed before going online.  I'll keep looking to see what else can be done ...

LemonCrosswalk

Solution: Take off ads 8D