Trojan Horse Infection from This Board - Active X Control



Togakure
06-17-2007, 00:54
While browsing the Org this afternoon, I was presented with a standard Windows message box, asking me if I wanted to load an Active X control. The only available button was OK. I instead chose to close the window using the X in the upper right corner.

This closed my browser (Explorer; I really don't want to hear all the blah about what browsers to use in this thread please ...), and I immediately got an AVG warning that it had detected a Trojan Horse. I quarantined it, and then snapped this screenshot so I could post it here.

https://img.photobucket.com/albums/v139/47Ronin/trojanpic.jpg

No other applications were open. When I came back to post this warning, it happened again. I thought it would be prudent for me to alert those who run this board as well as the other patrons here. Heads up.

***

EDIT: I should clarify my title here: It seems the virus originated from this site, but there are many possibilities. I do know that I was browsing here only, hadn't been bouncing around to other sites in a while, no other apps were running, and it happened twice.

caravel
06-17-2007, 01:15
Clear all cookies, temporary files (cache) and history from your web browser.

Download and install these programs:

AVG Anti Spyware Free: http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free

Spybot S&D: http://www.safer-networking.org/en/download/index.html

And run full scans, fixing problems when finished. Note the problems you found and fixed, then post them here.

Next go here:

http://www.spywareinfo.com/~merijn/programs.php#hijackthis

Download Hijackthis, rename to "Hijackthismasamune.exe", move to a folder called c:\Hijackthismasamune\ and run it. Do a scan and save a logfile, post the contents of the logfile here inside code tags:


I'll check it out tomorrow. I'd stay off the net till then to be safe.

:bow:

p.s. you should also try using a different browser such as Firefox or Opera for better security.

Togakure
06-17-2007, 01:23
I should have posted my (totally free) security suite: Sygate Firewall, AVG Antivirus, Spybot S&D, and Spyware Blaster--all are active at all times when I'm computing. I also use StartupMonitor, which catches a surprising number of things trying to write to my startup folder, or other areas where programs launch at start up.

I didn't know AVG had a free anti-spyware product. I'll check that out, thanks.

This is the first time since I've had this computer that I've had any problems. I tend to be pretty diligent about PC security.

Hmm ... sounds like a lot to do. I will try to fit in all of this without cutting in too much to my very precious time off this weekend. I don't seem to be having any problems now. I realize the information may help you troubleshoot. Right now, my dinner is almost ready.

Togakure
06-17-2007, 01:48
Just completed a full Spybot scan--no problems found.

Also, I was hit by the same Active X control notification three times while trying to come back here to post this result. Each time, when I closed the dialog box, AVG caught the virus and allowed me to quarantine it. It did close Explorer, forcing me to try again. Obviously, I finally got through. It does seem to be associated with me coming here. It hasn't been happening anywhere else. FYI.

Togakure
06-17-2007, 02:32
OK, Antivirus scan complete. No threats detected. A total of five identical copies of the trojan shown in my previous picture quarantined in my virus vault.

Husar
06-17-2007, 03:51
So that's why Opera doesn't support Active-X.~D

TosaInu
06-17-2007, 09:21
Thank you Masamune,

I'll see if I can find more about this.

naut
06-17-2007, 11:53
Good thing I use Firefox.

Caius
06-19-2007, 23:54
Since this is a thread about strange things, I keep having a pop-up blocked here. It appears every X mins.

May I know why?

barocca
06-20-2007, 00:22
we don't control the ads here, (if we did there would not be ANY)

we have seen a few unusual things happening ourselves,

we are asking our hosts to investigate (our hosts control the ads)

in the meantime keep blocking the popups

Caius
06-20-2007, 02:22
I do understand.


If you want to give any special info about those ads, contact me

Togakure
06-20-2007, 03:06
An update:

By staff request, I've been using the dial-up skin for a few days. I've not encountered that nasty little "Run Active-X Control" dialog box.

I analyzed the results of my HijackThis log, and there was no indication of the Trojan. AVG seems to have effectively quarantined the five instances of the Generic4.YWK trojan I picked up that night.

I am now going to return to my normal skin. If I have any more problems that relate to this, I'll post again.

TosaInu
06-20-2007, 16:59
Thank you Masamune.

Caius
06-21-2007, 02:25
I do understand.


If you want to give any special info about those ads, contact me
Nothing to worry about, it's some kind of pop up (which goes to the Guild main page) when I click the image in the RTW skin.

Caius
06-21-2007, 03:00
Nothing to worry about, it's some kind of pop up (which goes to the Guild main page) when I click the image in the RTW skin.
Never mind Tosa, it's my Internet Explorer

Togakure
06-30-2007, 17:45
Sad to say, this has happened again. Exactly the same as before, the same trojan, the same "Run Active X Control" dialog with an OK button. This is the first time it's happened since I last posted that it'd happened. I have been browsing here at the Org after work pretty much every day for at least a few minutes.

I am using "The Guild" skin. I was reading the MTW/VI vs MTW2 thread in the Tournament Field subforum, and viewed Guyfawkes5's profile. When I exited his profile to return to the thread, I was presented with the troublesome dialog box. AVG caught the trojan (Generic4.YWK) and of course I quarantined it again. Now I have six copies in my vault, all from here.

Of course, I am not trying to point any fingers at Guyfawkes5. I'm just describing exactly what happened so that it might provide clues to those who investigate such things.

I will now repeat what I did and see what happens.

EDIT: Repeating the process did not reproduce the problem. I'll report any subsequent incidents. Oh: like before, after I close the dialog box it did close my browser and return me to my Desktop. No other ill effects that I've noticed.

EDIT2: Lol, as soon as I typed and saved the above edit, I get audio from god-knows-where, saying I've been selected to win a free iPod. Gah ... soon the internet will be more annoying than it's worth. I don't know if this silly message is related to the trojan or not. No visual effect accompanied the audio. My PC seems fine. Going to run a full barrage of tests now {sigh}.

Caius
07-01-2007, 01:11
Do you have the requested plug-in installed?

Togakure
07-01-2007, 06:00
Plug in?

I am under the influence of serious Patron ... amazing, that I can type. I will forgo further embarrassment. Good night, ladies, and gentlemen.

Oh ... that damned trojan hit me first thing when I logged in, again. Fortunately, I have a lot of practice, so the fact that I am severely drunk doesn't matter--I have quarantined it. I should not be typingl but sleeping ...gnite, all . Gha ....

TosaInu
07-01-2007, 11:11
Hello Masamune,

This is nasty, good thing that you could quarantine the trojan. Not good that it bugs you, closes your browser and 'hijacks' it with a popup.

The host was sent an e-mail when you reported this previously, asking whether he could check the banners. There's no reply from that. Another e-mail is sent.

Hopefully, there will be a reply and fix soon.

Strike For The South
07-01-2007, 13:48
I'm getting the same thing Tosa

TosaInu
07-01-2007, 14:38
Did you manage to stop it Strike For The South?

Strike For The South
07-01-2007, 14:50
Did you manage to stop it Strike For The South?

Yup it's fixin to die a slow painful death

TosaInu
07-01-2007, 14:55
Yup it's fixin to die a slow painful death

You mean every byte of it? Ones and zeros alike?

Strike For The South
07-01-2007, 14:56
You mean every byte of it? Ones and zeros alike?
All I know is my program quarantined it and I'm bout to press delete.

TosaInu
07-01-2007, 15:00
All I know is my program quarantined it and I'm bout to press delete.

That's great.

Does anyone happen to have a screenshot or a description of the banner that was displayed at the time the trojan acted up?

Togakure
07-01-2007, 15:25
I will take one the next time it happens. AVG pops up a warning dialog box and gives options as to what you want to do with it.

TosaInu
07-01-2007, 15:40
Thank you Masamune,

The forumbanner.

Sigurd
07-09-2007, 13:38
Just reporting that there are some ActiveX/popups trying to execute on my computer here at work through the browser when moving around on this site.
I have blockers up and am only notified that something got blocked.

Apparently the problems mentioned in this thread are at large.

Husar
07-09-2007, 17:06
Just wondering, maybe there is a connection, but like I said, Opera doesn't support ActiveX, but for quite some time I noticed that the browser often takes a long time to load the last picture of a page here, it will rocket up to say, 89 of 90 pictures and will then stay there for a while which can last from 1 second to forever, averaging at (wild guess) about a minute. I notice this because it won't jump to the new posts before the page has finished loading, however clicking on the appropriate button will do the jump instantly.

It's not a big deal but I thought it might be related since ads are pictures etc.

TosaInu
07-09-2007, 17:07
Hello Sigurd Fafnesbane,

Do you know what was blocked?

pevergreen
07-10-2007, 07:20
AAGGHHH

It has come to me, no matter what page i go to it comes!
https://img518.imageshack.us/img518/3231/aawe1.png

Sigurd
07-10-2007, 09:09
Hello Sigurd Fafnesbane,

Do you know what was blocked?

Sorry no...
I opened this site for temporarily allowing popups, but have since not received a single popup.
I have Symantec Firewall (2006) and Symantec antivirus (2006) but they never scream wolf.

I am wondering about the popups that never show now that I have allowed them to appear though.

Husar
07-10-2007, 11:29
I also get a blocked popup message but now I don't dare open it.:sweatdrop:
Never paid any attention to it before but I think it's been there for a while.
*dances around in circles singing*
My Opera, my fortress...dum di da

Maybe giving this info to some antivirus software company would help, they should be able to find out about it and upgrade their software accordingly if it's not done yet.

Togakure
07-10-2007, 16:40
Just an update: I haven't had this problem over the last week. My configuration hasn't changed. TosaInu, I will keep an eye out for any banner or advertisement that has loaded just prior to the Active X pop up dialog box, should it happen again.

I've also downloaded Firefox and will be making a transition to it as time allows. Of course, I'll report any incidents that occur using it as well.

Csargo
07-10-2007, 18:42
AdBlocker Plus Masamune...

Omanes Alexandrapolites
07-10-2007, 19:10
Not sure if this is relevant, but received a warning that a pop-up was blocked earlier today using Internet Explorer 7 (at work of course - I avoid IE like the plague when I can). Peculiarly, it was a problem which I have never seen before. At the time the advertisement displayed was for a program on the Discovery Channel although, sadly, I cannot remember what the program was. I'm not too sure if this is connected or not.

Tran
07-10-2007, 20:14
It appeared on my Firefox too just recently! Strangely, it happened once I exit this thread...anyway I managed to capture that "suspicious website" and here's the link:

http://ad.n2434.doubleclick.net

Csargo
07-10-2007, 20:40
https://addons.mozilla.org/en-US/firefox/addon/1865

AdBlock Plus for Firefox

pevergreen
07-11-2007, 01:18
yes, i tried FireFox as well but it came up with the same install thing. went to a few different pages (gameroom, watchtower) but it went away...

At school now, this place doesn't have pop-up blockers....trojan for school?

Sigurd
07-19-2007, 12:38
I finally caught a popup coming here today.
If it is a result of a bot script or what have you, I don't know. This is for Tosa to find out.

https://i6.photobucket.com/albums/y230/asleka/popup.jpg

Caius
07-19-2007, 20:21
I finally caught a popup coming here today.
If it is a result of a bot script or what have you, I don't know. This is for Tosa to find out.

https://i6.photobucket.com/albums/y230/asleka/popup.jpg
I see an ad which is related to that. Its downside. In the forumbanner.

TosaInu
07-20-2007, 15:02
Hello Sigurd Fafnesbane,

That is not a foul one afaik.

Bijo
07-23-2007, 23:48
On another computer that uses an old Internet Explorer I usually after some time see a "popup of some kind" bearing the title 'monitor'. It is no window at all really, it is just some... "minimized window" that sits there in the lower bar (where the applications reside). It is at least suspicious.