View Full Version : Virus?
Unkynd
Apr 09, 2009, 07:59 PM
I was surfing this site and got a virus notification from McAfee....
Virus name was some trojan called vundo!grb.
Lord Of Blame
Apr 09, 2009, 08:26 PM
We use McAfee at work and I have Norton at home. So far I have not seen either report a virus or trojan.
This might be better in The Outer Circle forum.
Kanna Banrai
Apr 09, 2009, 08:28 PM
I just visited this thread, and got an automatic download request for a pdf file. =/
Carboplatin
Apr 09, 2009, 08:38 PM
Same here, Symantec caught it for me.
Sir Baddock
Apr 09, 2009, 08:46 PM
While you're at it, make sure it's not one of the several variations of Conficker that have been going around; you can test if you have Conficker at http://www.confickerworkinggroup.org/infection_test/cfeyechart.html
Chthon
Apr 09, 2009, 09:22 PM
Hmmmm, nothing unusual for me. Don't tell Inde I said so, but maybe you should consider switching to Firefox and using something to block giraffes.
skinnydarn
Apr 10, 2009, 08:25 AM
Nah nothing unusual for me either...
Fril Estelin
Apr 10, 2009, 08:35 AM
Good news: this is a low-profile malware, nothing like a virus.
Bad news: you're probably using Internet Explorer?
Kill the giraffes...
Primus
Apr 10, 2009, 08:43 AM
Sounds like it could be a hijacker as well. I do agree with the above, switch to Firefox as well.
Oh by the way, I use Avast and Firefox, and have had zero issues with this site.
persuadu
Apr 10, 2009, 09:05 AM
If you are having virus/spyware issues, download Malwarebytes (google it). I have Spybot S&D and Symantec antivirus. Malwarebytes found a ton of stuff that the other 2 didn't find. Oh, and it's FREE!
AsyaMordina
Apr 10, 2009, 10:06 AM
While browsing the riverside Symantec came up with the warning for Bloodhound.Exploit.196. There was also a request to download an Active X control which was denied.
kzap
Apr 10, 2009, 10:52 AM
I don't think this is the usual hacking; it could be an actual ad with a virus from our regular ad provider. If you could, provide the whole virus report + a screenshot of the page with the ad that got the virus report.
KZaske
Apr 11, 2009, 08:18 PM
Starting yesterday some forum links send me off to a site blocked by my AV software. The site I am redirected to is http://boqwez.info/rp/in.php. Has the guru server been hacked?
For kzap - Today, I was trying to access http://www.guildwarsguru.com/forum/showthread.php?t=10366819 when I got redirected. I am sure this is what the others were reporting. Attempting a second time I was able to access that thread with no problem.
Shadowhaze
Apr 12, 2009, 12:14 AM
I just visited this thread, and got an automatic download request for a pdf file. =/
I got the same thing today.
Sun Fired Blank
Apr 12, 2009, 01:42 AM
If you get asked to download pdfs from zeoztz.info and other sites, you should report exactly which ad is displayed when you get prompted. And obviously reject any suspicious downloads.
TheRaven
Apr 13, 2009, 05:21 AM
I just tried to visit the Riverside forum and Norton blocked a trojan download called Bloodhound.Exploit.196.
I rarely visit guru anymore at all and stuff like this makes me want to delete all bookmarks to the site.
Edit: With Firefox, I re-visited Riverside. Again Norton caught the Bloodhound trojan and I was prompted to download a .pdf file, which I blocked. The 2 ads showing were "The Millionaire League" at the top of the page and a JCPenney ad embedded in the thread.
kzap
Apr 13, 2009, 11:01 PM
Thanks for that ad info, I'm looking into it ASAP.
Shursh
Apr 15, 2009, 08:22 AM
I too have this vundo!grb trojan... how do we get rid of it?
AsyaMordina
Apr 15, 2009, 09:44 AM
Caught snapview.ocx. With all the other things going on, I have no idea if this is legit or not. http://farm4.static.flickr.com/3617/3444152403_6bc557cf3f_o.jpg
AsyaMordina
Apr 15, 2009, 09:54 AM
And then on the very next click... Bloodhound
http://farm4.static.flickr.com/3382/3444994780_21f679a4c1_o.jpg
TheRaven
Apr 15, 2009, 04:41 PM
Today I was again prompted to open 7.pdf and Bloodhound.Exploit.196 was auto-downloaded when I opened the High End forum. Green.com was the ad at the top of the page.
What's going on with the site? It didn't used to be like this. For now, I'm warning all my guildmates to stay away from the site.
Katsumi
Apr 15, 2009, 07:12 PM
It's the ads, TheRaven. Blame Google.
szim
Apr 15, 2009, 07:27 PM
Some days ago I got a keylogger called Ardamax from Guru's advertisement. My Norton saved me from that.
Sun Fired Blank
Apr 15, 2009, 07:48 PM
Snapview.ocx is a control that comes with Access. It used to silently download and automatically install itself in the background, being a Microsoft-signed control. At which point, vulnerabilities in snapview.ocx would be used to exploit a user's machine.
This mode should be outdated for these reasons:
1) the vulnerabilities are (in theory) fixed for any user with updates past mid-August 2008, or anyone who has XP SP3 or Vista
2) If your security settings for MIE are properly setup, you should be prompted to download the control
3) The average user has no use for it, so you don't have to download it when prompted.
Bloodhound.Exploit is a generic Symantec label for the file (or files) which downloads and opens a pdf via Adobe Reader. The pdf then loads a site which infects your computer; in this case, the malware in question is Vundo, a well-known and prolific trojan that, while not particularly dangerous, is extremely annoying, causes severe system degradation, and is hard to remove.
I've included some basic protection and removal instructions here. For downloading most of the files mentioned in this post, you may wish to use Tarun's Anti-Malware Toolkit (http://guildwarsguru.com/forum/showthread.php?t=10302726). His company's wiki at Lunarsoft (http://wiki.lunarsoft.net/wiki/Main_Page) has a lot of good advice on more in-depth cleanup and security. If this post doesn't help you remove Vundo from your system, head over to the Technician's Corner (http://guildwarsguru.com/forum/forumdisplay.php?f=16).
The best way to protect yourself is:
Internet Explorer (if you must...): SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html), Spybot: S&D (http://www.safer-networking.org/en/download/index.html) (use immunization, disable TeaTimer)
Other useful protection:
Internet Explorer (if you must...): ZonedOut (http://www.funkytoad.com/index.php?option=com_content&view=article&id=15&Itemid=33) w/ IE-SpyAd (http://www.spywarewarrior.com/uiuc/resource.htm)
Make sure that you have the latest Windows and Java updates. Windows Defender (http://www.microsoft.com/windows/products/winfamily/defender/default.mspx) is decent Real-Time Protection.
Get an Anti-Virus program. There are several free AVs that are okay:
Avira (http://www.avira.com/en/download/index.html)
Avast! (http://www.avast.com/eng/download.html)
AVG (http://free.avg.com/download-avg-anti-virus-free-edition)
Also make sure your security is properly configured for:
1) FireFox: Tools -> Options -> Security:
- Warn me when sites try to install add-ons: Yes (in particular)
2) Internet Explorer (if you must...): Tools -> Internet Options -> Security -> Internet:
- ActiveX: Disable Everything. Use Trusted Sites for ActiveX functionality.
To remove Vundo:
CCleaner (http://www.ccleaner.com/)
Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php)
SuperAntiSpyware (http://www.superantispyware.com/)
Download and update each program. Restart into Safe Mode (F8).
Run CCleaner with these settings:
Cleaner -> Windows -> select everything except for:
- System -> select everything except Memory Dumps and Windows Log Files
- Advanced -> only select "Old Prefetch Data"
Note: selecting the Autocomplete Form history deletes your saved passwords.
Cleaner -> Applications -> select everything
You will need to close FireFox in order to clean its temporary files.
Registry -> select nothing
Tools -> ignore this part
Click "Run Cleaner."
Run SuperAntiSpyware, specifically with these settings under Preferences -> Scanning Control:
- Close browsers before scanning
- Scan for tracking cookies
- Terminate memory threats before quarantining
Note: These settings are targeted specifically for the removal of Vundo, not for more general scans.
Run a complete scan on your primary hard drive.
Run Anti-Malware, with every box enabled under Settings, including "Terminate Internet Explorer..."
Run a full scan on your primary hard drive.
If Anti-Malware prompts you to reboot to finish cleanup, do not reboot into Safe Mode; this will cause the next phase of cleanup to fail. Restart normally.
Finally, run a complete scan with your anti-virus program (using updated definitions).
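The posts above describe a PDF (7.pdf) that the page pushes at the browser and that opens in Adobe Reader, where it runs script on open. As an added example, not part of Sun Fired Blank's post nor of any tool it links, here is a small Python triage that a practitioner would run on such a file before opening it: it decodes the hex-escaped name objects droppers use to hide keys (so `/#4Aava#53cript` is seen as `/JavaScript`) and counts the keys that indicate active or auto-executing content. The list of keys and the "script on open" rule are my assumptions, and the sample PDF bytes are constructed for the example, not the file from the thread.

```python
import re
from typing import Dict

# Name-object keys whose presence marks active content. Presence is a
# triage signal, not proof of malice: PDF forms legitimately use /JavaScript.
# (Key list is an assumption for this example.)
SUSPICIOUS_KEYS = ("/JavaScript", "/JS", "/OpenAction", "/AA",
                   "/Launch", "/EmbeddedFile", "/RichMedia")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name ends at whitespace or a PDF delimiter, so "/JS" must not match "/JSx".
_NAME_END = rb"(?=[\s/\[\]<>(){}%]|$)"


def normalise_names(data: bytes) -> bytes:
    """Decode PDF name hex escapes, e.g. /#4Aava#53cript -> /JavaScript.
    Malicious PDFs commonly hex-escape keys to evade plain string scanners."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> Dict[str, int]:
    """Return a count of each suspicious key found in the (decoded) PDF bytes."""
    if not data.startswith(b"%PDF"):
        raise ValueError("not a PDF header")
    text = normalise_names(data)
    counts: Dict[str, int] = {}
    for key in SUSPICIOUS_KEYS:
        pattern = re.escape(key.encode()) + _NAME_END
        n = len(re.findall(pattern, text))
        if n:
            counts[key] = n
    return counts


def is_auto_executing(counts: Dict[str, int]) -> bool:
    """The pattern reported in the thread: a document that runs script as soon
    as it is opened (an open action or additional-actions dictionary plus JS)."""
    has_trigger = "/OpenAction" in counts or "/AA" in counts
    has_script = "/JavaScript" in counts or "/JS" in counts
    return has_trigger and has_script


# Constructed sample input: a minimal PDF whose catalog runs hex-escaped
# JavaScript on open. This is not the 7.pdf from the thread.
SAMPLE_MALICIOUS = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /#4Aava#53cript /JS (app.alert(1);) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed benign sample: same skeleton, no actions at all.
SAMPLE_BENIGN = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        found = triage_pdf(blob)
        print(label, found, "auto-exec:" , is_auto_executing(found))
```

Run it on a real download with `triage_pdf(open(path, "rb").read())`; a non-zero `/OpenAction` or `/AA` together with `/JS` is the signal to quarantine the file rather than open it. Keys inside compressed object streams are not visible to this byte-level scan, which is the main reason dedicated PDF tools exist.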
Shursh
Apr 16, 2009, 08:16 AM
Wow, great information; that post should be stickied if it isn't already.
I'll try out all those things you mentioned and see if it clears up the problem.
Thanks!
kzap
Apr 16, 2009, 12:42 PM
OK, aside from pictures I need the links; when you mouse over the banner, get the link please.
AsyaMordina
Apr 16, 2009, 01:18 PM
The ads are flash based. Where would the link be, as they don't show up in the bottom status bar when moused over?
kzap
Apr 16, 2009, 01:25 PM
You can click on it to see where the ad brings you; in those cases a screenshot also helps us. I've banned a couple of specific sites from advertising on us.
Kain Fz
Apr 16, 2009, 01:36 PM
I've actually had Vundo once from somewhere and had to format. I'm guessing it was from GuildWarsGuru, judging from all the Vundo talk?
Either way, I really hope this matter is attended and we get more confirmation on GWG and viruses. While ads are important, none of them should be allowed to give out viruses.
Enchanted Warrior
Apr 16, 2009, 02:07 PM
I'd make a public announcement, you're getting a fair amount of bad press.
http://www.google.com/search?q=guildwarsguru.com+viruses&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
I'm afraid as this is my work computer also, I cannot risk infection. I hope you get it fixed, but I've got to say goodbye for now.
Shana Something
Apr 17, 2009, 08:21 AM
i too have this vundo!grb trojan...how do we get rid of it??
I took the advice of a previous poster and found Malwarebytes FREE trial spyware removal program. It picked up several things, including the trojans and other baddie files mentioned in this thread. My McAfee did NOT. Malwarebytes deleted the offending culprits and my computer is a happy camper now. I'm considering paying for the full version... that's how happy "I" am now.
AsyaMordina
Apr 17, 2009, 09:33 AM
you can click on it to see where the ad brings you, in those cases a screenshot also helps us. i've banned a couple of specific sites from advertising on us.
Clicking through to a site whose ad has tried to implant a virus may not be the prudent thing to do.
Katsumi
Apr 17, 2009, 11:17 AM
Clicking through to a site whose ad has tried to implant a virus may not be the prudent thing to do.
kzap isn't advising people to click through. If you hover your cursor over it, it will give you the link in most cases. You really think a server admin would tell his user base to do something that dumb?
Why is it people always think we're trying to screw them over?
Sun Fired Blank
Apr 17, 2009, 02:52 PM
Why would they not consider it? We've selectively wiped out posts on software that is likely to prevent infection, we've delayed on making announcements for a problem that is confirmed both internally and externally, and we've provided almost zero help or advice on removing the infection. This comes only two months after being spidered by Google and listed as an attack site (http://www.guildwarsguru.com/forum/showthread.php?t=10349340). The only good thing is that kzap has (so far as I can tell) removed most of the problem ads from the rotation.
kzap
Apr 17, 2009, 03:03 PM
We're not delaying making an announcement.
We're dealing with an issue in one of our ad providers in one of their ads, something that is affecting big sites like Yahoo also.
Now, not everyone is getting this, a lot are, but what we are asking for is your cooperation in tracking down these ads with viruses.
And yes, I am asking you to click the ad if it's flash based, as that's the only way we will get the URL, but only do so if your virus scanner stopped the virus, so you should be safe enough to check what the website is.
Advice about the infection? Get a good virus scanner and keep it up to date; you can never be too safe. Use a firewall too. Also stop using IE; use Firefox or anything else that's not as exploitable.
AsyaMordina
Apr 29, 2009, 04:23 PM
Here's one with a URL. Bloodhound.
http://farm4.static.flickr.com/3331/3486427911_c3c2ddef9d_o.jpg
Inde
Apr 29, 2009, 05:13 PM
Thank you Asya!!!
kzap
Apr 29, 2009, 07:57 PM
OK, blocked that ad, though when I went into Tribal Fusion and checked the ad in IE I was not getting a virus report.
Borat X
Apr 30, 2009, 06:19 PM
I just visited this thread, and got an automatic download request for a pdf file. =/
This happened to me and I scanned a Win32.trojan.Agent
There is something going on for sure......
kzap
Apr 30, 2009, 07:56 PM
OK, I've deactivated CPX Interactive; please let me know if anyone is getting any more viruses.
Willow O Whisper
May 14, 2009, 04:31 AM
OK, Avast has been warning me all day about a virus/worm on Guru O_o
Any of you guys getting anything?
Pew Pew Peace
May 14, 2009, 04:41 AM
http://www.shrani.si/f/14/fy/1EjSPFRq/1/gwguru.png
Yep, that was today.
szim
May 14, 2009, 06:24 AM
Every time I try to load the gwguru site I get a message that some trojan wants to download onto my PC. Guru is infected again, please do something about it.
'2009-05-14 13:22 Firefox Blocked: Trojan-Downloader.JS.Iframe.akw'
Try to fix your main index.php and look for it in the SQL database.
quote:
"You need to speak to your site HOST as php or sql injection is something that they should be aware of and taking steps to prevent it. As far as PHP goes older versions of the software have vulnerabilities which are being exploited.
Change your site passwords to something a little stronger to see if that helps and seek help from your HOST provider, ensuring they have the latest versions of PHP/SQL, etc...
Obviously once exploited your site would become a soft target, so at the very least you need strong passwords and change the chmod permissions for pages so they aren't able to modified by other than the owner."
lewis91
May 14, 2009, 06:54 AM
Every time I try to load the gwguru site I get a message that some trojan wants to download onto my PC. Guru is infected again, please do something about it.
'2009-05-14 13:22 Firefox Blocked: Trojan-Downloader.JS.Iframe.akw'
Try to fix your main index.php and look for it in the SQL database.
quote:
"You need to speak to your site HOST as php or sql injection is something that they should be aware of and taking steps to prevent it. As far as PHP goes older versions of the software have vulnerabilities which are being exploited.
Change your site passwords to something a little stronger to see if that helps and seek help from your HOST provider, ensuring they have the latest versions of PHP/SQL, etc...
Obviously once exploited your site would become a soft target, so at the very least you need strong passwords and change the chmod permissions for pages so they aren't able to modified by other than the owner."
Same here, pages are loading very slowly, and Kaspersky is going crazy.
http://img24.imageshack.us/my.php?image=kasperskyo.jpg
There's a link to the screenshot (I didn't post it in this post because scripts are failing; instead of the actual page I'm seeing scripts: "vbphrase["enter_link_text"] = "Enter the text to be displayed for the link (optional):"; vbphrase["enter_list_type"] = "What type of list do you want? Enter '1' for a numbered list, enter 'a' for an alphabetical list, or leave blank for a list with bullet". That's just a short list of what I'm seeing right now.)
tasha_darke
May 14, 2009, 07:02 AM
Had this enter itself into the text field automatically when doing a quote reply to threads. You can see that a few people didn't notice it and posted it on the following thread: http://www.guildwarsguru.com/forum/showthread.php?t=10369450&page=43
Katsumi
May 14, 2009, 07:14 AM
I've noticed that in Riverside as well. Either something isn't parsing correctly in the jscript, the stylesheet has gone goofy, or there's something else more malicious at work here.
Please post what browsers you're using. I'm in Firefox and can post without the code being inserted.
Fallen SeraphiM
May 14, 2009, 07:24 AM
Getting Avast warnings about a virus the whole day... it's annoying. BTW, using Chrome as browser.
tasha_darke
May 14, 2009, 07:31 AM
I'm using Opera 9.64
Kumu Honua
May 14, 2009, 07:35 AM
This is probably what is breaking the wysiwyg editor as well (Wall of text above the text editing options).
http://www.google.com/safebrowsing/diagnostic?site=cgi35.plala.or.jp/bto/
Google seems to know something about it.
I'm also using FF3. I am getting no virus warnings though. Perhaps due to my NoScript/Adblock settings not allowing it to run.
MithranArkanere
May 14, 2009, 07:55 AM
FF3.0.10
Avast!
I hope this message gets posted.
lewis91
May 14, 2009, 08:00 AM
I've noticed that in Riverside as well. Either something isn't parsing correctly in the jscript, the stylesheet has gone goofy, or there's something else more malicious at work here.
Please post what browsers you're using. I'm in Firefox and can post without the code being inserted.
I'm in Firefox and I just spotted that my post a few ahead of this one has got that script, which I didn't notice, inserted into it.
Firefox 3.0.10
I did notice, however, that in this post there's no script inserting itself, and I'm not seeing random scripts all over the place as I did 20 minutes ago.
EDIT: Just noticed I got the same warning in Chrome.
IE also gets the same problem, and a big white header with:
"Parse error: syntax error, unexpected '<' in /home/guildwarsguru.com/public_html/global.php(231) : eval()'d code on line 12"
Šiljo
May 14, 2009, 08:00 AM
FF, Kaspersky going crazy here as well, had to block scripts.
Inde
May 14, 2009, 09:21 AM
Please let me know if you are still getting this.
Pew Pew Peace
May 14, 2009, 10:07 AM
please let me know if you are still getting this
Yep, still, and look up: this link appears in my posts.
zelgadissan
May 14, 2009, 10:10 AM
I'm in Firefox and can post without the code being inserted.
I'm in Firefox and do get the code inserted (see?). This box I'm typing in right now also doesn't work other than text; smiley buttons, bold, links, etc. do not work.
Edit: you caught me, Vista. So if there's a problem on Vista but not on Mac/Linux, I'm infected again! Hooray!
Katsumi
May 14, 2009, 10:28 AM
I'm in Firefox and do get the code inserted (see?)
I'd assume you're in Windows as well?
Cause I'm not.
Earth
May 14, 2009, 10:49 AM
I'm using FF and Windows and I have no problems.
Kumu Honua
May 14, 2009, 10:52 AM
Yeah, the script appears to still be there. NoScript is still forbidding plala.or.jp
It's all over the source...
manager
May 14, 2009, 10:55 AM
Here at the office I'm not having any problems, but back at home Firefox had the popup-blocked dialog/warning going off in a lot of threads.
Katsumi
May 14, 2009, 10:59 AM
It's all over the source...
Yep. We're having to manually delete it from every page. Good times.
Kumu Honua
May 14, 2009, 11:04 AM
Yep. We're having to manually delete it from every page. Good times.
Yeah, I was looking to see how pervasive it was. You guys have your hands full.
On a side note: It appears that the code only posts when you try to quote something with the quote button. Dunno if that helps at all.
Redvex
May 14, 2009, 11:14 AM
http://img29.picoodle.com/img/img29/2/5/14/redvex/f_Snap1m_4dd718b.jpg (http://www.picoodle.com/view.php?img=/2/5/14/redvex/f_Snap1m_4dd718b.jpg&srv=img29)
Falling Petal
May 14, 2009, 11:22 AM
Oh dear :( The reference to the file occurs over 700 times on the homepage alone. You might consider drastic action like disabling access to the site until this is resolved. Third World Internet Users (Windows+IE) are likely going to get eaten up by this in a lot of cases.
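The admins say the injected reference is "all over the source" and has to be deleted from every page by hand. As an added example, not code from the site, from vBulletin or from anyone in the thread, here is a Python script that does the counting and the stripping: it finds `<iframe>` and `<script>` tags whose `src` points at a host outside an allowlist of the site's own hosts, reports how many times each appears per page, and can emit the page with those tags removed. The allowlist, the tag attributes in the sample and the file extensions scanned are my assumptions; the sample page is constructed for the example (it uses the cgi35.plala.or.jp/bto/ reference quoted above, but the surrounding markup is invented). Since vBulletin builds pages from templates stored in the database, the same `summarise()` can be fed template rows pulled from the DB instead of files.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Hosts the site is allowed to load script/frames from (assumption for this example).
ALLOWED_HOSTS: Set[str] = {"guildwarsguru.com", "www.guildwarsguru.com"}

# An <iframe> or <script> tag carrying a src attribute, plus its closing tag if present.
_SRC_TAG = re.compile(
    r"<(iframe|script)\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)[^>]*>(?:\s*</\1\s*>)?",
    re.IGNORECASE | re.DOTALL,
)


def host_of(src: str) -> Optional[str]:
    """Host of an absolute or protocol-relative URL; None for same-origin relative paths."""
    s = src.strip()
    if s.startswith("//"):
        s = "http:" + s
    if not s.lower().startswith(("http://", "https://")):
        return None
    return urlparse(s).hostname


def is_external(src: str, allowed: Set[str] = ALLOWED_HOSTS) -> bool:
    host = host_of(src)
    return host is not None and host.lower() not in allowed


def external_injections(html: str, allowed: Set[str] = ALLOWED_HOSTS) -> List[str]:
    """Every external iframe/script src in the page, in document order."""
    return [m.group(2) for m in _SRC_TAG.finditer(html) if is_external(m.group(2), allowed)]


def summarise(pages: Dict[str, str], allowed: Set[str] = ALLOWED_HOSTS) -> Dict[str, Dict[str, int]]:
    """Per page, how many times each external src occurs (the 'over 700 times' figure)."""
    report: Dict[str, Dict[str, int]] = {}
    for name, html in pages.items():
        per_src: Dict[str, int] = {}
        for src in external_injections(html, allowed):
            per_src[src] = per_src.get(src, 0) + 1
        if per_src:
            report[name] = per_src
    return report


def strip_injections(html: str, allowed: Set[str] = ALLOWED_HOSTS) -> str:
    """Return the page with external iframe/script tags removed; same-origin tags are kept."""
    return _SRC_TAG.sub(lambda m: "" if is_external(m.group(2), allowed) else m.group(0), html)


def scan_tree(root: str, exts=(".php", ".html", ".htm", ".tpl")) -> Dict[str, Dict[str, int]]:
    """Walk a web root and summarise every page-like file (extension list is an assumption)."""
    base = Path(root)
    pages = {
        str(p.relative_to(base)): p.read_text(errors="replace")
        for p in base.rglob("*")
        if p.is_file() and p.suffix.lower() in exts
    }
    return summarise(pages)


# Constructed sample page: one legitimate relative script, one legitimate
# same-host script, and two copies of the injected hidden iframe.
SAMPLE_PAGE = """<html><head>
<script type="text/javascript" src="clientscript/vbulletin_global.js"></script>
<iframe src="http://cgi35.plala.or.jp/bto/" width="1" height="1" style="visibility:hidden"></iframe>
</head><body>
<div class="post">hello</div>
<iframe src="http://cgi35.plala.or.jp/bto/" width="1" height="1"></iframe>
<script src="http://www.guildwarsguru.com/forum/clientscript/x.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(summarise({"index.php": SAMPLE_PAGE}))
    print(strip_injections(SAMPLE_PAGE))
```

Run `scan_tree("/path/to/public_html")` for the per-file report and diff `strip_injections()` output against the original before writing anything back. Stripping only buys time: as Falling Petal notes below, unless the SQL injection hole is closed the tags come straight back, so the report is mainly useful for confirming the cleanup took and for spotting a re-infection.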
Rainywinter
May 14, 2009, 11:31 AM
I got Kaspersky Internet Security and Firefox, and I endlessly get this message:
detected: Trojan program Trojan-Downloader.JS.Iframe.akw
Kaspersky keeps blocking it which makes the site run extremely slow.
Inde
May 14, 2009, 11:32 AM
And now. Is anyone else getting instances of this?
Kumu Honua
May 14, 2009, 11:37 AM
It's still all over the source.
Falling Petal
May 14, 2009, 11:38 AM
This site is running quite an old version of vBulletin; here is an example of a SQL injection vulnerability in vBulletin:
http://securityreason.com/wlb_show/WLB-2008110035
This particular one would require admin access to the site to exploit, but doubtless there are others. It could also be a vulnerability in an add-on if this site uses any. If the original vulnerability is not patched a clean-up will be a waste of time because the bad guys will be right back in.
I would again recommend closing access to the site to protect novice users with poor internet security, until the site can be upgraded/fixed or whatever you plan to do :)
Snograt
May 14, 2009, 11:39 AM
Firefox is displaying the skinless version of the site (I'm assuming this is deliberate?) - so I thought I'd double check with the brand new, shiny IE8.
http://img10.imageshack.us/img10/958/remotewotsit.jpg
Is that benign?
Katsumi
May 14, 2009, 11:40 AM
Yeah, we know Snog, Inde did it. I was just about to post it to make sure no one's crapping their pants.
-Sonata-
May 14, 2009, 11:43 AM
Snog,
I can confirm, on my screen, that my view is skinless as well. I'd assume it's being done purposely. Looks almost like a "safe mode".
To add to personal info:
I'm running Vista 32-Bit and Avant Browser. I've received no issues from visits - clean so far. I do, however, see the script text in posts.
Inde
May 14, 2009, 01:02 PM
All right, this should be resolved now. Please send me a PM if you experience anything else.
We had someone do an SQL injection, if you are curious as to the cause. I really appreciate all the help you gave us to track this down. The problem has been fixed, we're fully upgraded and we'll monitor closely the rest of the day.
zelgadissan
May 14, 2009, 01:03 PM
Hooray, I can successfully quote without plala or jp junk in my quotes! Well done to Inde, Kat, and whoever else had to manually delete this crap.
PS Snoggy, delete some PM's already :p
makosi
May 14, 2009, 01:28 PM
Does anybody know what the virus is capable of doing to those with vulnerable systems?
Back then
May 14, 2009, 01:35 PM
do i need to scan my computer?
Inde
May 14, 2009, 01:49 PM
Well, one would always recommend doing regular scans of your computer for viruses, spyware, etc.
Looking at google you can see that this particular site has previously infected 240 domains. Lucky us.
zelgadissan
May 14, 2009, 01:58 PM
I scanned my computer (you can see above that one of my posts was affected) and found nothing.
That said, all the bad that it could possibly do would be to take up your resources for an hour, so you really should, just to be on the safe side.
Inde
May 14, 2009, 03:22 PM
All right, more updates... yes we're still working on seeing how this happened and more. There were a lot of files modified with holes in them, we cleared that out. We also put measures in place to prevent the commands that were run. Once again, thank you for all the PM's, emails, IRC messages and more. Funny enough this is the same sql injection that hit Symantec earlier this year, producers of Norton AntiVirus.
Inde
May 14, 2009, 03:45 PM
And I see I disabled gwbbcode in the process as well. I'll see about getting that back up and running today.
Leet Tankur
May 14, 2009, 09:39 PM
I'm using NOD32 and not getting any warnings.
honnaja
May 15, 2009, 02:13 AM
I haven't read all the thread, just the first few posts, but just wanted to say well done/thanks to the admin people :)
I was getting a virus warning too yesterday from Avast, something about 'html:script-inf'. I chose to 'abort connection' when it popped up, and consequently couldn't load this site. I emailed them, and already it seems to be fixed, so thanks again.
:D
Loralai_gw
Jul 10, 2009, 01:03 PM
Uh oh, looks like GWO is having problems now as well. I wouldn't recommend going to the site at incgamers as it's currently marked as a reported attack site and the virus is still there but it seems that Guru is not alone in these attacks. Really sucks that people do this.
Katsumi
Jul 10, 2009, 01:53 PM
GWO has had as many problems as we have. Some days you're the zombie, some days the zombies get you.
vBulletin® v3.8.2, Copyright ©2000-2009, Jelsoft Enterprises Ltd.