Ballyboy

which section to post please

11 posts in this topic

Hi. Since this is my first post, I don't want to post it in the wrong section.
My favourite forum seems to have been compromised. It now has hidden iframes on it. Sometimes it takes a minute to load. The Firefox console shows JavaScript redirecting to all sorts of ad sites, and known malware sites.
Now I have scanned my computer and it does not have any trojans or viruses downloaded. But I would like some advice.
Please let me know which section to post my question in.
Thanks


Hello Ballyboy. Welcome to SWI!

If you just want to post a question about the compromised forum, or info or a warning then this Open forum is an appropriate place to post.

If you would like us to check your PC, in case your scan missed something, then please read the Instructions and post the requested logs (MBAM, DDS, Security Check) in the Malware Removal section.


Thanks for the quick reply cnm.

Well I'm certain I don't have a trojan. I have scanned with everything from Malwarebytes to AVG.

The problem is this. A fellow member of our forum PM'd me, telling me the forum was compromised, and to be careful. He had scanned the website with Sucuri SiteCheck. That reported suspicious hidden iframes with JavaScript. It seems this JavaScript downloads lots of (hidden) adverts from a known malware site, and gives clicks to blogs, FB pages etc, and of course cookies.

So, it seems to have hacked the forum to make money from this, rather than from downloading trojans.

So, apart from the slowness in opening pages now, it does not seem to be doing any actual harm.

But it has occurred to me that the remote files could be changed from ads to trojans at any time. Is this possible with Java? Or would the site have to be hacked a second time to accomplish this? On doing a Google search, it seems some other forums have been infected also. http://forums.firemonkeys.com.au

I post in my forum daily, so really hate to avoid it completely now.

Edited by Ballyboy

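The symptom Ballyboy describes above (hidden iframes that pull ad and redirect scripts in from another domain) is something a site owner can check for in a saved copy of a page. The following is an added example, not code from this thread or from Sucuri SiteCheck: it lists every iframe that is sized to zero, hidden by CSS or pushed off-screen, and flags whether it points at a foreign host. The sample HTML and the hostnames in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a page."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def _is_zero(value):
    digits = re.sub(r"[^0-9.]", "", value)      # "0", "0px", "0%" all count as zero
    return digits != "" and float(digits) == 0

def hidden_reasons(attrs):
    """Return the tell-tale signs that an iframe is meant to be invisible."""
    reasons = []
    style = attrs.get("style", "").replace(" ", "").lower()
    if _is_zero(attrs.get("width", "x")) or _is_zero(attrs.get("height", "x")):
        reasons.append("zero size")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("css hidden")
    if re.search(r"(left|top):-\d{3,}", style):  # positioned far off-screen
        reasons.append("off-screen")
    return reasons

def find_hidden_iframes(html, site_host):
    """Return (src, reasons, is_external) for each hidden iframe in html."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = hidden_reasons(attrs)
        if reasons:
            src = attrs.get("src", "")
            host = urlparse(src).hostname or site_host   # relative src = own site
            findings.append((src, reasons, host != site_host))
    return findings

# Constructed sample page: one legitimate embed and two injected, hidden frames.
SAMPLE_PAGE = """<html><body><h1>Forum</h1>
<iframe src="https://forum.example/chat" width="400" height="300"></iframe>
<iframe src="http://ads.bad-example.test/in.php" width="0" height="0"></iframe>
<iframe src="http://ads.bad-example.test/x" style="position:absolute; left:-9999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons, external in find_hidden_iframes(SAMPLE_PAGE, "forum.example"):
        print("EXTERNAL" if external else "internal", "hidden iframe", src, reasons)
```

Running it against a page fetched with the browser's "save page" (rather than the server's files) catches the injected markup as the visitor actually receives it.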

This would most likely be happening at your server. You should enter a support ticket with your forum's server host.

What software runs your forum (Invision, MyBB, vBulletin, SMF, phpBB, or....)? It's important to install any security patches that are available. The admin of your forum would do that.

When you browse your infected forum, make sure you are well protected. Check for out-of-date software with the free FileHippo Update Checker.


The software for the forum is vBulletin. When I PM'd admin they said they were trying to get it sorted. It must not be too easy, because it has been like this for a few days now.

I have downloaded FileHippo, and will scan shortly.

And yes, I will make sure to scan with AVG after each session on the forum.

Thanks again


If admin is working on it already, about all you can do now is hope that they succeed.

AVG may not be very effective at cleaning up the adverts etc. that appear to be the main threat.

AdwCleaner is good at removing junk.

Please download AdwCleaner by Xplode onto your Desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
  • NOTE: If you get an error message, it means that nothing was found. Exit from AdwCleaner.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished and the PC has rebooted.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner


I thought that this iframe on the forum only secretly opened ads, so as to give clicks on the ads, but did not download them to my computer.

But I see a couple of suspicious toolbars on this scan. Also, I uninstalled BitTorrent months ago, but there is a reference to that also.

Here is the log:

# AdwCleaner v3.003 - Report created 09/09/2013 at 00:14:11
# Updated 07/09/2013 by Xplode
# Operating System : Windows Vista Home Premium Service Pack 2 (32 bits)
# Username : Tom -Tom-PC
# Running from : C:\Users\Tom\Downloads\adwcleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\Windows\system32\conduitEngine.tmp
Folder Found C:\Program Files\BitTorrentControl_v12
Folder Found C:\Program Files\Conduit
Folder Found C:\Program Files\MyPC Backup
Folder Found C:\Program Files\MyPC Backup
Folder Found C:\Users\Tom\AppData\Local\Conduit
Folder Found C:\Users\Tom\AppData\LocalLow\BitTorrentControl_v12
Folder Found C:\Users\Tom\AppData\LocalLow\Conduit
Folder Found C:\Users\Tom\AppData\LocalLow\PriceGong
Folder Found C:\Users\Tom\AppData\LocalLow\Toolbar4

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\BitTorrentControl_v12
Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Found : HKCU\Software\AppDataLow\Software\PriceGong
Key Found : HKCU\Software\AppDataLow\Software\SmartBar
Key Found : HKCU\Software\AppDataLow\Toolbar
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\IGearSettings
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{96BD48DD-741B-41AE-AC4A-AFF96BA00F7E}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\Software\BitTorrentControl_v12
Key Found : HKLM\SOFTWARE\Classes\AppID\{4CE516A7-F7AC-4628-B411-8F886DC5733E}
Key Found : HKLM\SOFTWARE\Classes\AppID\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Found : HKLM\SOFTWARE\Classes\AppID\TbCommonUtils.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\TbHelper.EXE
Key Found : HKLM\SOFTWARE\Classes\Applications\ilividsetup.exe
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3BDF4CE9-E81D-432B-A55E-9F0570CE811F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A9A56B8E-2DEB-4ED3-BC92-1FA450BCE1A5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE338F6D-5A7C-4D1D-86E3-C618532079B5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{C339D489-FABC-41DD-B39D-276101667C70}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D89031C2-10DA-4C90-9A62-FCED012BC46B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E20AC1DB-792A-41CC-BC36-70C2EFE618C2}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Found : HKLM\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}
Key Found : HKLM\SOFTWARE\Classes\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}
Key Found : HKLM\SOFTWARE\Classes\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}
Key Found : HKLM\SOFTWARE\Classes\Interface\{BF921DD3-732A-4A11-933B-A5EA49F2FD2C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D83B296A-2FA6-425B-8AE8-A1F33D99FBD6}
Key Found : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils
Key Found : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbRequest
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbRequest.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbTask
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbTask.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper
Key Found : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2786678
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3225826
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0186FA27-B052-4ABD-9178-A36536A09156}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6EA6916D-E210-4EAD-AEC5-30BA56D3E4DF}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E20AC1DB-792A-41CC-BC36-70C2EFE618C2}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitTorrentControl_v12 Toolbar
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}]

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16502

Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [start Page] - hxxp://www.bigseekpro.com/burn4free/{0FDAEA92-3C49-4065-9355-33047073106B}

-\\ Mozilla Firefox v23.0.1 (en-US)

[ File : C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\5p2g48t2.default\prefs.js ]

-\\ Google Chrome v29.0.1547.66

[ File : C:\Users\Tom\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [7439 octets] - [08/09/2013 23:51:09]
AdwCleaner[R1].txt - [7359 octets] - [09/09/2013 00:14:11]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [7419 octets] ##########

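A report like the one above is mostly a long Registry block, and what a helper actually wants from it is the count per section, the header fields and the browser settings it flags (here the hijacked IE start page). The script below is an added example, written for this thread and not part of AdwCleaner or the forum's own tooling; it parses the report layout shown above, and its sample input is a constructed, abbreviated excerpt of Ballyboy's log.

```python
import re

SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")          # ***** [ Registry ] *****
ENTRY_RE = re.compile(r"^(File|Folder|Key|Value|Setting) Found\s*:?\s*(.+)$")
BROWSER_RE = re.compile(r"^-\\+ (.+)$")                          # -\\ Internet Explorer v9...

def parse_adwcleaner_report(text):
    """Summarise an AdwCleaner report: header fields, findings per section
    and the browser settings it flags (a hijacked start page, for example)."""
    report = {"header": {}, "sections": {}, "browser_settings": []}
    section = browser = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("# ") and " : " in line:             # "# Option : Scan"
            key, value = line[2:].split(" : ", 1)
            report["header"][key.strip()] = value.strip()
        elif SECTION_RE.match(line):
            section = SECTION_RE.match(line).group(1)
            report["sections"].setdefault(section, [])
        elif BROWSER_RE.match(line):
            browser = BROWSER_RE.match(line).group(1)
        elif section and ENTRY_RE.match(line):
            kind, target = ENTRY_RE.match(line).groups()        # "Folder Found" has no colon
            report["sections"][section].append((kind, target))
            if kind == "Setting":                               # browser hijack entries
                report["browser_settings"].append((browser, target))
    return report

def finding_counts(report):
    """Findings per section, so a 70-line Registry block becomes one number."""
    return {name: len(items) for name, items in report["sections"].items()}

# Constructed excerpt of the report posted above (values taken from that log).
SAMPLE_REPORT = r"""# AdwCleaner v3.003 - Report created 09/09/2013 at 00:14:11
# Operating System : Windows Vista Home Premium Service Pack 2 (32 bits)
# Option : Scan
***** [ Services ] *****
***** [ Files / Folders ] *****
File Found : C:\Windows\system32\conduitEngine.tmp
Folder Found C:\Program Files\Conduit
Folder Found C:\Users\Tom\AppData\LocalLow\PriceGong
***** [ Registry ] *****
Key Found : HKCU\Software\Conduit
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}]
***** [ Browsers ] *****
-\\ Internet Explorer v9.0.8112.16502
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [start Page] - hxxp://www.bigseekpro.com/burn4free/{0FDAEA92-3C49-4065-9355-33047073106B}
"""
```

The "Setting Found" entries are the ones worth reading first, since a replaced start page or search scope explains the redirects a user sees even after the junk folders are gone.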

Good. All those can go.

If you didn't already do the Clean, run AdwCleaner again:

  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the cleaning has finished and the PC has rebooted.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner


Well, I cleaned all those. Scanned a few times today. Nothing showing up now in AdwCleaner.

I will stay off that forum until I get an email from admin that it has been sorted out.

Many thanks for all your help.
