A little while ago I was reading an article by Paula Sanders on the Renderosity front page. She has a link to her site at the end of the article so I clicked on it and immediately McAfee popped up and said a trojan virus was detected and couldn't be deleted or quarantined. I think I finally have it under control, but I would think twice before clicking on that link. Just thought ya'll might like to know.

I can't stand McAfee virus scanner. It gives so many false positives.

I went there without a problem, and my virus scanner has never failed me yet. I use eTrust Antivirus.

Message edited on: 12/20/2005 19:19

Attached Link: http://www.blackcode.com/trojanscanner/

You can get a free trojan scan there.

I've had false positives like that before...a similar thing happened to me but it didn't happen to anyone else, so it was obviously not a virus or I wouldn't be the only one with warnings...it's possible it's the same scenario here...maybe send a message to the mods to check this out, I'd hate to see people shy away from clicking on the link to her site if there's no reason to...

Thanks Rockets. I ran into something similar several months ago on something on Daz. I appreciate the heads up, those things can be nasty.

I was just there, it works fine.

Message edited on: 12/20/2005 19:21

Acadia, did you click on the link to her site?

If you encrypt your site's html some virus programs don't know what it is and automatically say it's a trojan virus. That gives visitors the false idea that you have a virus on your website and you are trying to give it to them. And since it calls it a "Trojan" people think you are trying get their private information....grrrrr

If she has rotating ad banners, I could have gotten one that had a virus attached which doesn't mean everybody would get that same one. I don't even know if she has ad banners. I wasn't able to stay on her site. I had to do control alt delete to even close the page out.

although trojans and viruses are different things, I tried acadia's blackcode link, and it gave me a 404 error.

Attached Link: http://www.windowsecurity.com/trojanscan/

> Quote - Acadia, did you click on the link to her site?

Yes, I did click the link at the bottom of the tutorial. It seems Blackcode is no longer online. Try this scanner.

Yep. Sadly for Paula it's a nasty. see screenshot for where it's come from. The trojan drops 32wu5eil.exe into your windows directory . Both are varinats of the W32 trojan. As I type it's literally creating a copys of itself and these files.... b6n4tcbc.exe ejrxylx8.exe loadnew.exe It will write startup entrys in the registry so once you kill it once it comes back. All typical behaviour of the W32 family. http://sandbox.norman.no/live_2.html?logfile=437547 shows a typical behaviour of this type of nasty. Before Paula gets a public flaming, it might not be her fault, looking at the page code before the browser crashed, theres nothing to indicate any form of active X dropper. So the infestaion is most likley on her hosts server and they need to fix that. Please remember it's easily removed with the right tools. It might take a few hours. Rosity can also take some preventive action by removing the link from Paulas article until it's been cured.

The link above that Acadia gave requires you to have IE running with ActivX enabled. That alone would turn me off right from the start. Am I being paranoid?

"Am I being paranoid?" At a glance, thats seems like a safe link. But it reported nothing on this machine and I can actually see the little b*ggers are replicating like rabbits and outward traffic is increasing, but I'm not using the net. I'm going to have to log off and fix this in safe mode. It's 2.48am here now will post a bug fix when I find one.

Are you sure it came from ther? Like I said, I went there through the link at the bottom of the tutorial and didn't have a problem. I looked in my history and don't have anything from "perpetualvisions", and I searched my computer for 32wu5eil.exe
and I don't have that either.

Also, I used Firefox/Mozilla, not sure if that was a factor or not.

Message edited on: 12/20/2005 20:55

Oh, for anyone concerned about the last trojan scan link I gave here, don't be. It was one that my ISP gave me to use and I have the link saved in a notepad file.

Acadia...I use Firefox as well and when I went to Paula's site, it froze Firefox bigtime and I had to reboot my puter to get out of it.

I find that if a site is full of java, Firefox doesn't do well. My computer was sluggish at the site, but it is at lots of sites, but nothing untoward happened. I was able to close my browser. I forgot to add that I'm behind a router too, so maybe that's why I didn't have problems? Don't know. But I would hate to see a site maligned needlessly.

Attached Link: http://www.mozilla.com/firefox/

"I forgot to add that I'm behind a router too, so maybe that's why I didn't have problems? " ----------- I forgot to mention that for me as well. :) At this point, Carol...I highly recommend that you switch to Firefox and get off of IE. http://www.mozilla.com/firefox/

Yep! Love Mozilla. During my last reformat I was going to just go with IE as my browser. I think I lasted 5 minutes. LOL I've become so used to the nifty little extensions such as tabbed browsing, that I couldn't install Firefox-Mozilla fast enough, hehe I find I still have to use IE for some sites, but I just right click and pick view in IE, so it's not much of a hassel. So it seems that Mozilla and a router might have saved us?

" So it seems that Mozilla and a router might have saved us?" ------------- I'm sure they did, Acadia...I'm sure they did. :) Altho, I'm also sure that Firefox, in and of itself, could have saved alot of worries.

...which is why, if you can afford it, it is a good idea to get a real cheap computer for the internet alone. For once, prefereably a brand one with a start up cdrom (I have a compaq with a celeron 500 and 128MBRam, 150Euro). Install a good anti virus that is updated daily, adaware and spybotSD. And install your applications on your "real" puter that is not connected to the Internet. In case you get cd's, sticks or floppy's (granddad, what's a floppy?) from someone else, enter them in the internet puter and get them scanned first. Serious problem? Enter the startup disk, reinstall and that's it.

Attached Link: http://www.knoppix.org/

If you can't afford a whole other computer, use a bootable "live" Linux CD, like Knoppix - I got mine on a magazine cover-mount, but you can download it free from the link. Unless you install the appropriate drivers, it can't understand NTFS, so my hard drive isn't touched. It's very useful for repair work since you can get a machine up and running no matter what state its OS is in. I used mine recently to browse for information when I thought I had a virus.

It looks like Renderosity took Paula's entire article down instead of just removing the link. Too bad...she had some good tips there, but guess some just couldn't resist tempting fate. Just for the record, I was not flaming Paula, but just trying to spare others the hassle of dealing with a virus. I know sites can become infected without the owner's knowledge.

Quote - I was not flaming Paula, but just trying to spare others the hassle of dealing with a virus.

I know :) Did you get your computer fixed?

Rockets - You did the right thing here. Well done. You stopped that site from infecting lots of other peoples machines. I IM'd Clint with the problem and SUGGESTED pulling that link to save everyone from any hassles. And yep sites can become infected without the owners knowledge, Most websites don't live on a single pc. They reside on 'rack mounts' (a loose term there). Think of a box the size of a VCR and that contains lots of sites, imagine a site in every folder on your pc. Some hosting (and not just the cheap ones) companys don't bother with any form of anti-virus protection. One site gets done all the machines on that mount can get done. Acadia - yes firefox/router most likley saved you. I'm sure Paula is fixing the problem now as well. Removal instructions for anyone that needs them below this post.

I don't know if my computer is still infected or not. I did a complete scan (which I do every night anyway) and it said it found 2 files so I deleted them, but don't know if this got rid of it or not. I know some of these things you don't even know you have until you reboot and that will trigger it. So now I'm scared to death of turning off my computer.

Btw mrsparky, I don't see any removal instructions. ???

This one was easy to kill. !! ONLY DO THIS IF YOU HAVE BEEN INFECTED !! !! BE VERY WHEN KILLING THINGS IN THIS WAY YOU CAN STOP YOUR PC OR PROGRAMMES FROM WORKING!!! !!--YOU DO THIS AT YOUR OWN RISK--!! Go into safe mode. Start -> Run - > type "msconfig". Check theres nothing out of place. If there is untick it. Ctrl-alt-delte ONCE. All versions of windows. See whats running, if something is out of place, stop it. Load explorer of file manager. Goto the windows directory. View by list then date. See the 5 or 6 .EXE files with todays date, very small ones 15-150k ? Delete them. BE CAREFULL WHAT YOU DELETE IN HERE. Exit explorer start -> run- type regedit. Press F3 and search using the following word: runonce Check the entrys are OK, if in doubt phone a friend and google the item using another machine. Some stuff for example: mdac_runonce.exe is safe. If it's unsafe delete that entry, (see sample screenshot), but NOT the folder it's in. If shows a file or folder thats obviously bad delete that, in this instance I had to delete a folder called msdownload.tmp from the window directory. Exit regedit, empty your browsers cache. aka temporary internet files in IE. Finally run your anti-virus scanner and any anti-trojan/spyware tools. PLEASE REMEMBER YOU DO THIS AT YOUR OWN RISK!! I won't take or accept any responsibility if you break your PC.

"Btw mrsparky, I don't see any removal instructions. ???" I can't type that fast yet :)

Ooops, jumped the gun...sorry.

"Ooops, jumped the gun...sorry." Don't worry - that'll teach me to type something before I post a message :) Just saw your other post as well. "I did a complete scan ...found 2 files so I deleted them". What anti-virus do you use ? Most like AVG or norton will solve the problem, so you should be OK. "but don't know if this got rid of it or not" empty your browsers cache and run a full system anti-virus scan. Not just a selected area scan. Run Spybot and Ad-aware as well. "I know some of these things you don't even know you have until you reboot and that will trigger it." Thats right. Some nastys will make a duplicate copy and write a command to the registry, so if you delete the original a copy remains and you go around and around in circles. Windows XP makes this worse, by using XP's group management security systems against you so you can't delete or stop the files. You won't have this problem but if you ever do... Force Delete http://www.pcworld.com/downloads/file_description/0,fid,25367,00.asp You can also use Who Lock Me [castlecops.com/check129018previous.html] to get the name of a troublesome file and post it here or an anti-virus forum to get some help with removal. "So now I'm scared to death of turning off my computer" From want you've posted, it's sounds like you'll be fine. Just watch out for any odd behaviour in the next few days. Things like more banners or popups, or redirected search engine results than usual. Pc techie is my 'day job' and removing these is a big part of it. It's never as bad as it seems, just keep backing things up as you go along and you'll be OK.

Just for the record this was the trojan that McAfee found: Exploit-ByteVerify...2 of them. Then this morning I was running Spy Sweeper and McAfee pops up another warning about Exploit-ANIfile trojan in my temporary internet stuff. I don't know if SpySweeper came across it and McAfee saw it as a threat or what, but deleted it as well as emptying all the temporary files in that folder. At the moment I'm running McAfee again. This takes a loooooooooong time because it's scanning 2 harddrives.

I received information about this from Renderosity. I can understand your concern.I use Norton Anti-Virus and manually update the definitions daily. I also run adaware and spybot. This weekend I did whole system scans for Norton and the other two programs. I have never had any problems on this machine or any of my other machines. After getting the e-mail from Renderosity, I downloaded windowsecurity.com/trojanscan and ran it on my computer. It came up clean. I also searched for the trojan you named and it was not there. I have sent an e-mail to the company that hosts my web site asking them to run a check. They have hosted all my websites for many years. I also called the computer store that makes my systems and the consensus is that if it is anywhere, it has to be on the hosting server which I doubt. I'll let everybody know when I hear from my hosting company. Paula

As I mentioned before Paula, I'm in no way flaming or blaming you. All I know is that when I clicked the link to your site, McAfee immediately popped up the warning and I had to do Control alt delete to get off the site. Do you possibly have rotating ads or ads of any kind on your website?

Paula, whatever it is seems to be coming only from your main page. I was able to view your other pages just fine doing a search for them via Google.

Fer my fellow IE haters; NetScape 8 has a IE emulation mode fer when ya "gotta" use IE (Windoze Update, fer example). It also has tabbed browsin' & lotsa other features us Mozilla fans have come to know & love.

Paula, Rockets is correct, and sadly your site is still infected today. Norton is NOT the most reliable scanner on the market, and just because your scanner says it's not there, it doesn't mean you are safe or any of us. Looking at todays nasty file, one featured is shown as loadnew.exe Which as I guessed last night is indicitive of the W32 series of nastys. This link gives additional removal information. http://www.kephyr.com/spywarescanner/library/coolwebsearch.loadnew/index.phtml Like Rockets says, no ones flaming you, and do I understand it's hard to accept that your server can catch a cold. But please trust us your site has a genuine problem. I did look again today to see where the problems lies, but the browser crashes when accessing and I'm not risking the other machines here. If you need some help please ask - I'm happy to assist, sure lot of other people will as well.

My business site has this at teh botom of each page: 'This site is developed to be W3C compliant. This allows this site to be viewed by the majority of browsers. Unfortunately Internet Explorer is not W3C compliant and you may experience a degraded viewing experience. Here at Optimum Health we like to use Firefox but there are many other W3C compliant browsers you could use.' As a basic measure, if you have to use IE, switch off all Active X elements you can. If a site relies on it - tough! My machine has AA software, AdAware, SpybotSD and 2 firewalls, including a hardware one in the router - IE still makes me vulnerable if I ever have to use it, so I choose not to.

If it is on her server then wouldn't every website they host have it?

I was just going to update everyone. I will first address Rachel's question. it turns out that my web sites are all on different servers. We did an IP address check. I spoke to the comapny and their Linux people don't come in until 4 Central time. Believe me, I am not thrilled. I cleaned out the IE temp files on a machine that was not in use today and went on my site. Norton caught the trojan. But it is not on any of my machines. I have gone over them with a fine tooth comb. Thus, it has to be on their server especially since Norton caught it before it downloaded anything. It is Downloader.trojan. I am not sure why the trojans were downloaded to various machines since non were downloaded to mine. I spoke to somebody who hosts sites about taking that page down, but if I do, he felt they could not check it. I am terribly upset, believe me. I am glad I was alerted. This must have just happened because I was on the site just the other day from a clean cache. I am doing all I can and will keep everybody updated. Paula

Thank you Paula for the update. 'Tis a shame this had to happen to such a lovely and giving lady.

Rachel: Yep. But only the websites on that particular machine, another machine in the same mount would be fine. So Paula's other sites are fine. Paula: "I am terribly upset, believe me" Don't be. These things happens and your dealing with it. Be proud your doing a Good Job of sorting it out. If their people don't come in until the afternoon and their servers are catching colds, I'd say it's time to move to a new host :) As for why some folks got caught and some didn't. Thats mostly a browser issue, IE users will get natched and some firefox users won't. Youe friend is correct about removing the page, they might not be able to check things if theres no index document. But the longer it's up, the more people get hit. Catch 22. Remove the index so the site wouldn't load from your URL. Then use Ardiva's idea and use Google to access the other pages.

I have removed the index page from my site since I do not want anyone else to be infected. I have not heard from the hosting company which boggles my mind especially since I just renewed my other website this week. I am now actively looking for a new hosting comany where there is a phone contact if necessary. I find it hard to believe that this is not a priority. I was told that the Linux people were coming in at 4:00 my time and that was through an open web contact. At 4:00, the open web contact was shut down and one had to leave an e-mail. I have left 5 e-mails and not heard from them. I am so sorry about this. Paula

It's not your fault Paula. It could happen to any of us with websites. That's why I'm really curious to know what the server says and does about it. Thanks for keeping us updated!

Paula - stop apologising :) Seriously you've done the best you can, you can't do any more. Be proud of what you've achived. Like Rachel says it could happen of any of us. And good luck with your hosting company. Al

Yes, keep us updated, Paula....we're all anxious to hear what your host said.

This has become a nightmare. What I suspected would happen did. They denied all responsibility and miraculously when I uploaded the index file again just to see what it would do with the knowledge that I might have to remove it, all was OK. If anyone tries it, clean out your temporary internet files first or you will bring up the old infected file. They claimed the problem was mine, but the same Norton that caught the problem when we accessed the site would have caught it on one of my machines. All the machines came out squeaky clean. I even searched all my registries. I used multiple tools all day to check. I am looking for a new host. If there are any more problems, please let me know, but don't go on it without cleaning your temp IE files. I'll contact renderosity tomorrow and have the article back, but I'll still leave out the site name for a while.

THE SKY IS FALLING... THE SKY IS FALLING! THE SKY IS FALLING! THE SKY IS FALLING! THE SKY IS FALLING!

Paula, thank you for being so responsible in resolving this issue and I'm really happy that you're putting the article back up. Great tips and I want to try it out! Merry Christmas! Carol

Paula..I just went onto your websites main page with my Firefox and it went well this time. No "freezup" like before. Many thanks for all you are trying to do to solve this problem. Ditch the host...I'm on Dreamhost.com and love them. I've been with them for many many years now and being an ex-web designer, I can vouch for them. My clients love them as well. (no pressure, just some other place I recommend -smile)