which section to post please


10 replies to this topic

#1 Ballyboy (Full Member, 5 posts)

Posted 07 September 2013 - 08:13 AM

Hi. Since this is my first post, I don't want to post it in the wrong section.
My favourite forum seems to have been compromised. It now has hidden iframes on it. Sometimes it takes a minute to load. The Firefox console shows JavaScript redirecting to all sorts of ad sites, and known malware sites.
Now I have scanned my computer and it does not have any trojans or viruses downloaded. But would like some advice.
Please let me know which section to post my question.
Thanks



#2 cnm (Administrator, Mother Lion of SWI, 25,317 posts)

Posted 07 September 2013 - 10:21 AM

Hello Ballyboy.  Welcome to SWI!
 
If you just want to post a question about the compromised forum, or info or a warning then this Open forum is an appropriate place to post.
 
If you would like us to check your PC, in case your scan missed something, then please read the Instructions and post the requested logs (MBAM, DDS, Security Check) in the Malware Removal section. 


Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE

#3 Ballyboy (Full Member, 5 posts)

Posted 08 September 2013 - 08:46 AM

Thanks for the quick reply cnm.

Well I'm certain I don't have a trojan. I have scanned with everything from Malwarebytes to AVG.

The problem is this. A fellow member of our forum PM'd me, telling me the forum was compromised, and to be careful. He had scanned the website with Sucuri SiteCheck. That reported suspicious hidden iframes with JavaScript. It seems this JavaScript downloads lots of (hidden) adverts from a known malware site, and gives clicks to blogs, FB pages etc., and of course cookies.

So, it seems to have hacked the forum to make money from this, rather than from downloading trojans.

So, apart from the slowness in opening pages now, it does not seem to be doing any actual harm.

But it has occurred to me that the remote files could be changed from ads to trojans at any time. Is this possible with Java? Or would the site have to be hacked a second time to accomplish this? On doing a Google, it seems some other forums have been infected also. http://forums.firemonkeys.com.au

I post in my forum daily, so really hate to avoid it completely now.


Edited by Ballyboy, 08 September 2013 - 08:46 AM.
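A defender-side check for the hidden iframes Ballyboy describes, as an added example that is not part of the thread: it walks a page's HTML with the Python standard library and reports iframes that are styled hidden (or sit inside a hidden ancestor) or are sized to zero, noting when their source is off-site. The sample page and the site host name `myforum.test` are constructed.

```python
"""Flag hidden or zero-size <iframe> elements (added example, not from the thread)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample page: one ordinary embed plus two injected, concealed iframes.
SAMPLE_HTML = """<html><body><h1>Forum index</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://ads.example-bad.test/load.php" width="0" height="0"></iframe>
<div style="visibility:hidden"><iframe src="http://cdn.example-bad.test/x.html"></iframe></div>
</body></html>"""

def _tiny(v):  # width/height attribute that renders at most 1px, e.g. "0" or "1px"
    return bool(re.match(r"^\s*0*[01]\s*(px)?\s*$", v or ""))

class IframeAuditor(HTMLParser):
    """Tracks hidden ancestors so an iframe inside a hidden <div> is caught too."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host  # assumed host of the forum being audited
        self.hidden_depth = 0       # open elements styled display:none / visibility:hidden
        self._stack = []            # (tag, counted_in_hidden_depth)
        self.findings = []          # (src, [reasons])

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        self._stack.append((tag, hidden))
        self.hidden_depth += hidden
        if tag != "iframe":
            return
        reasons = []
        if self.hidden_depth:
            reasons.append("hidden-style")
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero-size")
        if reasons:  # concealed iframe: record it and note whether src is off-site
            src = a.get("src") or ""
            host = urlparse(src).hostname or ""
            if host and host != self.site_host and not host.endswith("." + self.site_host):
                reasons.append("off-site:" + host)
            self.findings.append((src, reasons))

    def handle_endtag(self, tag):
        while self._stack:  # unwind to the matching open tag (tolerates void tags)
            t, hidden = self._stack.pop()
            self.hidden_depth -= hidden
            if t == tag:
                break
```

Feed a page with `IframeAuditor("myforum.test").feed(html)` and read `.findings`; the visible YouTube embed is not reported, the two concealed ones are.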


#4 cnm (Administrator, Mother Lion of SWI, 25,317 posts)

Posted 08 September 2013 - 10:59 AM

This would most likely be happening at your server.  You should enter a support ticket with your forum's server host.  

 

What software runs your forum (Invision, MyBB, vBulletin, SMF, phpBB, or....)?  It's important to install any security patches that are available.  The admin of your forum would do that.

 

When you browse your infected forum, make sure you are well protected.  Check for out of date software with the free FileHippo Update Checker



#5 Ballyboy (Full Member, 5 posts)

Posted 08 September 2013 - 02:50 PM

The software for the forum is vBulletin. When I PM'd admin they said they were trying to get it sorted. It must not be too easy, because it has been like this for a few days now.

I have downloaded the filehippo, and will scan shortly.

And yes, I will make sure to scan with AVG after each session on the forum.

Thanks again



#6 cnm (Administrator, Mother Lion of SWI, 25,317 posts)

Posted 08 September 2013 - 03:27 PM

If admin is working on it already, about all you can do now is hope that they succeed.

 

AVG may not be very effective at cleaning up the adverts etc. that appear to be the main threat.

AdwCleaner is good at removing junk.

 

Please download AdwCleaner by Xplode onto your Desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
  • NOTE: If you get an error message, it means that nothing was found.  Exit from AdwCleaner.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished and the PC has rebooted.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner


#7 Ballyboy (Full Member, 5 posts)

Posted 08 September 2013 - 06:25 PM

I thought that this iframe on the forum only secretly opened pages, so as to give clicks on the ads, but did not download them to my computer.

But I see a couple of suspicious toolbars on this scan. Also, I uninstalled BitTorrent months ago, but there is a reference to that also.

Here is the log:

 

# AdwCleaner v3.003 - Report created 09/09/2013 at 00:14:11
# Updated 07/09/2013 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : Tom -Tom-PC
# Running from : C:\Users\Tom\Downloads\adwcleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\Windows\system32\conduitEngine.tmp
Folder Found C:\Program Files\BitTorrentControl_v12
Folder Found C:\Program Files\Conduit
Folder Found C:\Program Files\MyPC Backup
Folder Found C:\Program Files\MyPC Backup
Folder Found C:\Users\Tom\AppData\Local\Conduit
Folder Found C:\Users\Tom\AppData\LocalLow\BitTorrentControl_v12
Folder Found C:\Users\Tom\AppData\LocalLow\Conduit
Folder Found C:\Users\Tom\AppData\LocalLow\PriceGong
Folder Found C:\Users\Tom\AppData\LocalLow\Toolbar4

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\BitTorrentControl_v12
Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Found : HKCU\Software\AppDataLow\Software\PriceGong
Key Found : HKCU\Software\AppDataLow\Software\SmartBar
Key Found : HKCU\Software\AppDataLow\Toolbar
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\IGearSettings
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{96BD48DD-741B-41AE-AC4A-AFF96BA00F7E}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\Software\BitTorrentControl_v12
Key Found : HKLM\SOFTWARE\Classes\AppID\{4CE516A7-F7AC-4628-B411-8F886DC5733E}
Key Found : HKLM\SOFTWARE\Classes\AppID\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Found : HKLM\SOFTWARE\Classes\AppID\TbCommonUtils.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\TbHelper.EXE
Key Found : HKLM\SOFTWARE\Classes\Applications\ilividsetup.exe
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3BDF4CE9-E81D-432B-A55E-9F0570CE811F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A9A56B8E-2DEB-4ED3-BC92-1FA450BCE1A5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE338F6D-5A7C-4D1D-86E3-C618532079B5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{C339D489-FABC-41DD-B39D-276101667C70}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D89031C2-10DA-4C90-9A62-FCED012BC46B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E20AC1DB-792A-41CC-BC36-70C2EFE618C2}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Found : HKLM\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}
Key Found : HKLM\SOFTWARE\Classes\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}
Key Found : HKLM\SOFTWARE\Classes\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}
Key Found : HKLM\SOFTWARE\Classes\Interface\{BF921DD3-732A-4A11-933B-A5EA49F2FD2C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D83B296A-2FA6-425B-8AE8-A1F33D99FBD6}
Key Found : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils
Key Found : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbRequest
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbRequest.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbTask
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbTask.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper
Key Found : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2786678
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3225826
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0186FA27-B052-4ABD-9178-A36536A09156}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6EA6916D-E210-4EAD-AEC5-30BA56D3E4DF}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E20AC1DB-792A-41CC-BC36-70C2EFE618C2}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitTorrentControl_v12 Toolbar
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}]

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16502

Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page] - hxxp://www.bigseekpro.com/burn4free/{0FDAEA92-3C49-4065-9355-33047073106B}

-\\ Mozilla Firefox v23.0.1 (en-US)

[ File : C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\5p2g48t2.default\prefs.js ]

-\\ Google Chrome v29.0.1547.66

[ File : C:\Users\Tom\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [7439 octets] - [08/09/2013 23:51:09]
AdwCleaner[R1].txt - [7359 octets] - [09/09/2013 00:14:11]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [7419 octets] ##########
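As an added example (not part of the thread), a small parser for the AdwCleaner v3 report format shown above: it groups findings by section and counts hits per adware family so a long log can be triaged at a glance, and checks whether the report is from a scan-only run. The excerpt is constructed from lines of the posted log.

```python
"""Summarise an AdwCleaner v3 report of the kind posted above (added example, not
from the thread). The excerpt below is constructed from lines of the posted log."""
import re
from collections import Counter, defaultdict

SAMPLE_REPORT = r"""# AdwCleaner v3.003 - Report created 09/09/2013 at 00:14:11
# Option : Scan

***** [ Files / Folders ] *****

File Found : C:\Windows\system32\conduitEngine.tmp
Folder Found C:\Program Files\Conduit
Folder Found C:\Users\Tom\AppData\LocalLow\PriceGong

***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\BitTorrentControl_v12
Key Found : HKLM\SOFTWARE\Classes\Conduit.Engine
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}]

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16502
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page] - hxxp://www.bigseekpro.com/burn4free/{0FDAEA92-3C49-4065-9355-33047073106B}
"""

SECTION = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
# "Folder Found" lines in the posted log carry no colon, so the colon is optional.
FINDING = re.compile(r"^(File|Folder|Key|Value|Setting) Found\s*:?\s*(.+)$")
# Adware families named in the posted log; matched case-insensitively on the target.
FAMILIES = ("Conduit", "BitTorrentControl", "PriceGong", "Toolbar", "SmartBar")

def parse_report(text):
    """Return ({section: [(kind, target), ...]}, Counter of family hits)."""
    section, by_section, families = None, defaultdict(list), Counter()
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            by_section[section]  # create the key even when the section is empty
            continue
        m = FINDING.match(line)
        if m and section is not None:
            kind, target = m.groups()
            by_section[section].append((kind, target))
            families.update(f for f in FAMILIES if f.lower() in target.lower())
    return dict(by_section), families

def scan_only(text):  # True when the header reads "Option : Scan", i.e. nothing cleaned yet
    return re.search(r"^# Option : Scan$", text, re.M) is not None
```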



#8 cnm (Administrator, Mother Lion of SWI, 25,317 posts)

Posted 08 September 2013 - 06:30 PM

Good.  All those can go.

If you didn't already do the Clean, run AdwCleaner again:

  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the cleaning has finished and the PC has rebooted.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner


#9 Ballyboy (Full Member, 5 posts)

Posted 09 September 2013 - 03:12 PM

Well cleaned all those. Scanned a few times today. Nothing showing up now in adwcleaner.

I will stay off that forum until I get an email from admin that it has been sorted out.

Many thanks for all your help.



#10 cnm (Administrator, Mother Lion of SWI, 25,317 posts)

Posted 09 September 2013 - 03:13 PM

You're welcome.



#11 cnm (Administrator, Mother Lion of SWI, 25,317 posts)

Posted 15 September 2013 - 02:17 PM

Let me know.





