RMS is Infected

Started by Mewi, Apr 01, 2010, 05:03 AM


Mewi

Okay, lately every time I visit this website, I have become infected with a Rogue Antivirus, and it only happens on this website. It used an exploit through an outdated Adobe Reader.

I found this out after keeping it in the back of my mind that my main PC became infected only when I visited RMS pages; this is probably due to an infected advertisement provider that RMS runs.

I know for a fact that where I am getting this seems to be from RateMyServer.net, because now it happened on my Netbook while browsing only one website... RMS. In the past I have received weird fake antivirus popups from RMS, so without a doubt this Rogue Antivirus is coming from here.

Also I know it is exploiting my Adobe Reader (which is now uninstalled) because it was the first thing to load just before I became infected.

What is a Rogue Antivirus? "Antivirus XP Pro", "Antivirus 2009", etc. It pretends to be an antivirus in order to trick you into purchasing it.

Operating System: Windows XP Professional 32 bit
Adobe Reader: 9.1.0

Relics

mmm notified yC..

does it happen on the main page btw?

Mewi

Quote from: Relics on Apr 01, 2010, 05:33 AM
mmm notified yC..

does it happen on the main page btw?


It seemed to have happened only when I was browsing items/monsters. My best guess is that RMS has been using an infected advertiser/has been infected themselves for a couple of years now.

Edit: I am now downloading Adobe Acrobat Reader 9.1.0 on my secondary system. I will intentionally try to infect my computer while browsing RMS with 9.1.0 installed; this computer is never used and has a clean install.

yC

We are not using shared hosting, so the chance of the files being infected is low.

I can only think that it could be some advertisement, but when I browse on the site I see the Dell ad from Google most of the time, so I can't tell. We don't serve popups or viruses, obviously.

The one time I got a fake anti-virus "worm" infection on my computer lately was when I visited a site of a certain server OR when I installed an RO client of a certain server. I can't tell which it was because I did those around the same time and got infected.




Pandora

I got it once too while using Explorer (because I was lazy and didn't want to open Firefox, which I had closed with a ton of tabs). Pretty sure it came from the flash advertisement at the top of a search item page. I'm sure RMS doesn't intend for this, it's the ads.

heRO is a great friendly, pre-renewal, unique and fun server with a great community, give it a try!
Click here to find out more about heRO!

yC

If you still have the problem, please try to get the URL of the ads on the page so I can look into them or contact the network about it.


LemonCrosswalk

RMS has a fever, and the only cure is more cow bell.



Or using an adblocker. May I recommend Adblock Plus for Firefox. If you want to really be safe from Flash while browsing you can use Flashblock. It blocks Flash automatically, but if you want to play it, all you have to do is click on the box. It's sort of like using a condom, better safe than sorry.

Relics

Quote from: LemonCrosswalk on Apr 02, 2010, 03:35 PM
RMS has a fever, and the only cure is more cow bell.



Or using an adblocker. May I recommend Adblock Plus for Firefox. If you want to really be safe from Flash while browsing you can use Flashblock. It blocks Flash automatically, but if you want to play it, all you have to do is click on the box. It's sort of like using a condom, better safe than sorry.

I second this motion, adblock is godly, and almost a necessity nowadays.

Revenant

Adblock Plus
Adblock Plus: Element Hiding Helper
Flashblock
NoScript

No website will be allowed to even take a fart without express permission from you in advance.

For the love of god, people, stop posting topics about recruiting staff on this forum, or indeed any forum. If you really feel the need to publicize the fact you're incapable of running your own server, and as such must rely on someone you know nothing about as a crutch, be prepared to deal with the consequences, as people who go deliberately looking for GM positions are most likely as dumb as the inept server owner in question, if not more so.

People offering paid services may or may not be screwing you over, depending on the product. Web designers? There are quite a good few out there; many take time to do their work, and charge quite a bit as a result. Just be sure you're not getting someone else's website, rebranded for quick cash. If you hire someone to do things such as install customs for you, give up running a server. You're wasting time and letting someone take advantage of your stupidity.

LemonCrosswalk

Quote from: Relics on Apr 02, 2010, 06:32 PM
Quote from: LemonCrosswalk on Apr 02, 2010, 03:35 PM
RMS has a fever, and the only cure is more cow bell.



Or using an adblocker. May I recommend Adblock Plus for Firefox. If you want to really be safe from Flash while browsing you can use Flashblock. It blocks Flash automatically, but if you want to play it, all you have to do is click on the box. It's sort of like using a condom, better safe than sorry.

I second this motion, adblock is godly, and almost a necessity nowadays.
You know he's right because his name is purple.

Kiyoshiro

Agh -_- my computer just got flooded by a crapload of fake antivirus software crap which ended up making IE useless to use now.
RMS IS infected...o_o
I think I might've gotten rid of it though. I'm not sure.

Mewi

So I monster searched for "Orc" on my secondary (my secondary's IE8 crashed). It took me a few refreshes, then suddenly my hard drive was on full work, something about "crackle" on the link; it was a reloading ad on the lower left side of the website.

Quote from: Kiyoshiro on Apr 03, 2010, 03:46 AM
Agh -_- my computer just got flooded by a crapload of fake antivirus software crap which ended up making IE useless to use now.
RMS IS infected...o_o
I think I might've gotten rid of it though. I'm not sure.

If you need any help, I have removed enough of these to fix it, for Windows XP anyway. Somewhat for Vista.

Mushu

This is no lie. I've been infected with the same virus and so have 3 of my other friends. My school even blocks this website for being a known virus host LOL.

yC

Then your school could possibly have all the info I need to track it down. Mind sharing? Actually I'd think school computers are set up so that users are not able to install anything, keeping the computer clean for every user.

Mewi, or those that claimed they see/get IT, can I know your country? PM me if you need to. I am not finding or seeing anything bad yet ... but I rarely use IE.

Mewi

Quote from: yC on Apr 05, 2010, 01:53 AM
Then your school could possibly have all the info I need to track it down. Mind sharing? Actually I'd think school computers are set up so that users are not able to install anything, keeping the computer clean for every user.

Mewi, or those that claimed they see/get IT, can I know your country? PM me if you need to. I am not finding or seeing anything bad yet ... but I rarely use IE.

The browsers involved were IE8 and Firefox 2.0, with Java Runtime 6 Update 13 and Adobe Reader 9.1.0.

Location: United States, Vermont
Operating System: Windows XP Professional

Kiyoshiro

I just got IE8 to work again lol XD (but MSN is being an idiot now); got it fixed.
I'm in the U.S., specifically Colorado.

Nerim

I'm also getting this BS malware. It only happens while searching through the item database.

yC

I have checked a few times with US proxies in the last few days, and Riotblade browsing from the US doesn't get anything. Still on the issue.

Spyware just loves Americans :-X

It's best that I get all this info if anyone runs into it again:

URL of the ad as shown on the RMS page? (Right click to 'View Page Info', go to the Media tab and get the list of URLs there if you are using Firefox.)
What is the size of the ad (square, horizontal rectangle, vertical rectangle, small rectangle)?
What country are you browsing from? (Mostly US, now that we know.)

Pandora

I didn't get the other info back when it happened, but I live in Canada. I recall the banner to be rectangular and around the top of the page.

Nerim

Don't remember seeing a specific banner, but the site that tried to inject the stuff came from an IP address starting with 88.something, if that helps at all.

Mushu

I have the directory the virus sits in:

LocalSettings\temp\WYye.exe

Comodo identifies the virus as:

TrojWare.Win32.Trojan.Agent@105222719

Caught it earlier today as I was surfing RMS. The only 3 things I had up were Vent, RO and Firefox, with RMS as my only tab.

Watchy

I don't experience this kind of problem :-X

Majinken Souga

I just got a virus warning from my antivirus while reading a thread. It was something with google.analytics.something in the web address, and it was while loading an ad. Fortunately, Avast! intercepted it. It was a trojan horse. I'll see if I can find it again and take a screenshot.

EDIT: Found it, thank god for program logs.

4/24/2010 11:34:45 PM   SYSTEM   1688   Sign of "JS:Prontexi-AP [Trj]" has been found in "google(dot)analytics(dot)com(dot)sbpbjxiqsfix(dot)info/kav/KAV4(dot)html" file.

That's what Avast! says.
The only way to save Modern TV: burn it in a pile, then burn the ashes, then compress and burn those ashes, then sprinkle it with holy water, then send the result into a black hole and never see it again.
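The Avast! entry above is the one concrete indicator in this thread, and its hostname is the instructive part: the leading labels read like Google Analytics, but the registrable domain is sbpbjxiqsfix.info. The following is an added example (not code from the thread or from RMS) that parses that log line, re-fangs the "(dot)" notation, and classifies the host against a hypothetical allow-list; the log line is copied from the post above, and the allow-list and brand tokens are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Copy of the defanged Avast! log line quoted in the post above.
AVAST_LOG = (
    '4/24/2010 11:34:45 PM   SYSTEM   1688   Sign of "JS:Prontexi-AP [Trj]" '
    'has been found in "google(dot)analytics(dot)com(dot)sbpbjxiqsfix(dot)info'
    '/kav/KAV4(dot)html" file.'
)

# Matches the "Sign of ... has been found in ... file." shape of that entry.
LINE_RE = re.compile(r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<loc>[^"]+)" file\.')

# Hypothetical allow-list: registrable domains a site operator expects ad/analytics
# traffic to come from. Anything else that *looks* like these brands is suspect.
TRUSTED_DOMAINS = {"google-analytics.com", "google.com"}
BRAND_TOKENS = ("google", "analytics")


def refang(text):
    """Turn the log's '(dot)' notation back into real dots."""
    return text.replace("(dot)", ".")


def parse_avast_line(line):
    """Return signature name, host and path from one Avast! log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    loc = refang(m.group("loc"))
    if "://" not in loc:          # the log omits the scheme; add one so urlsplit works
        loc = "http://" + loc
    parts = urlsplit(loc)
    return {"signature": m.group("sig"), "host": parts.hostname, "path": parts.path}


def registrable_domain(host):
    """Naive registrable domain: last two labels (fine for .com/.info, not co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def assess(host):
    """Classify a host as trusted, a brand lookalike, or simply unknown."""
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    if any(tok in host.lower() for tok in BRAND_TOKENS):
        return "lookalike"        # brand words in the subdomain, untrusted owner
    return "unknown"


if __name__ == "__main__":
    hit = parse_avast_line(AVAST_LOG)
    print(hit["signature"], hit["host"], assess(hit["host"]))
```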

yC

Quote from: Mushu on Apr 24, 2010, 08:40 PM
I have the directory the virus sits in:

LocalSettings\temp\WYye.exe

Comodo identifies the virus as:

TrojWare.Win32.Trojan.Agent@105222719

Caught it earlier today as I was surfing RMS. Only 3 things I had up was vent, RO and Firefox and RMS as my only tab.

That I wouldn't be worried about. An exe "virus" in the temp folder was usually downloaded some time ago and won't activate until some day/week/hour later, or until you restart your computer. It could come from websites or from installations. If you didn't remove its registry entry it will recreate itself after you remove it. You need some kind of real-time protection if you are getting those.

Quote from: Majinken Souga on Apr 25, 2010, 02:45 AM
I just got a virus warning from my antivirus while reading a thread. It was something with google.analytics.something in the web address, and it was while loading an ad. Fortunately, Avast! intercepted it. It was a trojan horse. I'll see if I can find it again and take a screen shot.

Which thread was it?


A few days ago I turned off some networks that I suspect are causing the problem; still observing the effect.

Majinken Souga

Read above and thank god for Avast!, yC.

Relics

To those who think they've gotten infected:

Run Hijackthis
http://go.trendmicro.com/free-tools/hijackthis/HiJackThis.exe

Run the .exe, click Scan in the lower left, wait for it to finish, then click Save Log (should be in the same place as Scan).
Save the log somewhere, and it should open. Copy those contents here.

yC

Reading this, http://blog.avast.com/2010/02/18/ads-poisoning-%E2%80%93-jsprontexi/

Hmm, if more than 50% of the internet ad servers are knowingly or unknowingly serving malware, I don't think we can even escape -.-

Just have to make sure the computer has real-time anti-virus & anti-spyware installed before going online. I'll keep looking to see what else can be done ...

LemonCrosswalk

Solution: Take off ads 8D

aerogaming

This virus thingy pops out only for Internet, but in Firefox you won't get any.


https://aerogaming.org
AeRO Gaming Artificial Entertainment

Habuka

Everyone that got a virus should riot the ads and get some justice.
I Is Warned