edriver opened this issue on Aug 26, 2000 · 43 posts
edriver posted Sat, 26 August 2000 at 9:25 PM
This will be my final posting here or at renderotica. I have narrowed down the carrier of the virus I have to keep removing from my system registry and it is coming from renderosity and renderotica. I have removed all of the stuff I have generously made available for free and am tired of having to disinfect my system every time I visit either of these sites. Good luck to anyone who hasn't checked their registry for the STARTIE NOTEPAD QAZWSX.HSQ code in the run key.
wyrwulf posted Sat, 26 August 2000 at 9:43 PM
Sorry to see you go. I just opened REGEDIT, copied "STARTIE NOTEPAD QAZWSX.HSQ" from your post, pasted into "Find" and came up with nothing. What virus is it, and what does it do?
Kennef posted Sat, 26 August 2000 at 9:53 PM
so basically you are saying that visiting the site is giving you the virus? that's a hefty accusation... perhaps you might tell us how the virus is transmitted, through java applets, or VBS scripting? and if so, wouldn't the correct answer be to update the security fixes to your browser, so that you don't have to be doing any of that clean up? oh, by the way... i just scanned my system with both regedit and with the latest norton DAT, and there's no trace of that virus on my machine? anyway... keep us informed... kenn
pendarian posted Sat, 26 August 2000 at 10:53 PM
I would also be very interested in what it does and how exactly you narrowed the search down to those sites....as was already stated that is a very hefty accusation and if that is in fact where you are picking it up from then we all need to know. I'm sorry that you are having these problems and am sorry to see you go also. I also did the search in my regedit and came up with nothing.
Jack D. Kammerer posted Sat, 26 August 2000 at 11:13 PM
First of all, there is NO VIRUS inputted into your system from Renderotica. NOR is there any infection... Checking MY registry on THREE SYSTEMS and there is NOTHING there from Renderotica OR Renderosity... so I don't know what it is that you are seeing and this is the FIRST you have mentioned it to anyone... That and I also run Black Ice, which would DEFINITELY alert me to any such "virus"... The ONLY thing that Renderotica or Renderosity places on your system is a COOKIE... it doesn't re-write your registry system... Personally, I think you are frustrated at the fact that things are not moving FAST enough for YOU. I am sorry about. Guess what?? THEY AREN'T FOR ME EITHER, Oh well... Nothing I can do about it!! Here I am sitting here, trying to run a FREE site and have over 30,000 people telling me how THEY think the program should work and each one different. Sorry I can't please you, I wish you the best and I am doing the best that I can do, if that isn't good enough... go someplace else where you are happy!! Jack
Jack D. Kammerer posted Sat, 26 August 2000 at 11:15 PM
Oh and some people asked me what Black Ice was on the other site, so I will post it here as well... Copied Black Ice Defender is the BEST program that I have had the pleasure of using in protecting myself against Computer viruses and Hackers. It runs on all my systems and lets me know who is trying to hack into my computers... it even gives me their IP Address so that you can track them down and confront them... evil grin ...a nice program. To learn more about it, here is the link for you :o) http://www.digitalriver.com/dr/v2/ec_MAIN.Entry10?SP=10023&PN=1&xid=26412&V1=253470 Jack
Dave posted Sat, 26 August 2000 at 11:18 PM
Jeez, Jack take a chill pill. :)
wyrwulf posted Sat, 26 August 2000 at 11:22 PM
Thanks for the info, Jack. I can understand the frustration of the situation. I have been in the same state lately.
ookami posted Sat, 26 August 2000 at 11:56 PM
Even being the anti-authoritarian that I am... I have to agree with Jack. I run two very rigorous virus scanners on both my system here at home and my one at work. I have not seen any infection whatsoever. I'm so careful, that even when the LOVELETTER virus struck work, I was one of the few people who WASN'T infected. I would look elsewhere for the infection. Especially since no one else can confirm that there is a virus here.
TheWolfWithin posted Sun, 27 August 2000 at 12:13 AM
i searched my registry for the alleged virus......i found the STARTIE NOTEPAD QAZWSX.HSQ file alright......under HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU......is this the cookie that Jack was talking about, or is it actually harmful like that other dude was saying????? i haven't noticed any difference in my computer's performance lately, and i download at least one item a day from Renderosity........so what's up???????
Darth_Logice posted Sun, 27 August 2000 at 12:14 AM
See, Jack, now THIS is paranoia ;) -Darth_Logice
JeffH posted Sun, 27 August 2000 at 12:25 AM
..and does it have more to do with MS Explorer users? -JH.
wyrwulf posted Sun, 27 August 2000 at 12:36 AM
I just followed TheWolfWithin's path in Regedit, and that is where the MostRecentlyUsed (MRU) search parameters for the "Find" utility are kept. If you use "Windows/Find", and look for "STARTIE NOTEPAD QAZWSX.HSQ", it will show up in HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU. So, every time you delete the key in Regedit, and then look for it again with "Find", it will come back again, and again, and again, and again... "Paranoia strikes deep. Into your life it will creep. It starts when you're always afraid. Step out of line, the man come and take you away"
JeffH posted Sun, 27 August 2000 at 12:40 AM
LOL, that's funny.
Famine posted Sun, 27 August 2000 at 12:49 AM
Ok, this is straight from McAfee. The virus name is W32. What happens is that someone gets into your system 3 ways: hacking it, cookies, or e-mail. It replaces your notepad.exe with its own version. Then Notepad runs in the background sending information to some place else. McAfee just came out with the definition so Jack if you haven't updated as of late you might do so. Maybe the redo cookies. Just a suggestion. No software that you get is foolproof. Someone always finds a way. I got the virus from here when I was using explorer. It didn't happen on netscape. The IP goes through 2 proxies that I found so far. I haven't been able to trace from there because #2 is a private proxy and you have to contact them and then you're lucky if they keep logs, which isn't required.
JeffH posted Sun, 27 August 2000 at 12:57 AM
Another good reason not to use MS Explorer. -JH.
wyrwulf posted Sun, 27 August 2000 at 1:09 AM
Sorry, Famine, but a cookie won't do it. A cookie is just a text file. It doesn't matter if it is run by MS Exploder or Netscrape Anihilator. If you got the "virus", you didn't get it here.
casamerica posted Sun, 27 August 2000 at 1:23 AM
Actually, the "virus" is W32/QAZ and is more correctly defined as a worm than a virus. Also, it cannot, I repeat, cannot be installed via "cookies." It is installed and then listens on TCP port 7597 for activation from someone scanning for unprotected systems with this installed -- much like those trolling for BackOrifice. A sure sign of whether you have it is to look at your notepad.exe file. It should be 52k in size. If it says it is 120,320 in size then you've been infected. You will also notice a new program called note.com. Also, if you use Black Ice, ZoneAlarm, Conseal or any of the other personal firewalls out there and have them configured correctly you will block just this type of invasion. If you don't use a personal firewall then you are just asking for something like this to happen. A day does not go by where I do not see at least 3 or 4 attempts to "talk" to my system. The bottom line, though, is if you have it you did not get it from here or Renderotica. Take care and Godspeed.
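Added example, not code from any poster in this thread: a Python triage check that separates the Find-dialog MRU hit wyrwulf describes from a real Run-key entry, and combines it with the file-size, note.com and port indicators casamerica lists. The REGEDIT4 export samples, the HKEY_LOCAL_MACHINE location of the Run key and the name/data split of the value are constructed assumptions.

```python
import re

# Values quoted in the thread above.
MARKER = "QAZWSX.HSQ"            # string from the first post
INFECTED_NOTEPAD_SIZE = 120320   # size reported for the replaced notepad.exe
QAZ_PORT = 7597                  # TCP port the worm is said to listen on

# Constructed REGEDIT4 exports (not taken from any real machine). The hive of
# the Run key and the name/data split of the value are assumptions.
SEARCHED_ONLY = r'''REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU]
"a"="STARTIE NOTEPAD QAZWSX.HSQ"
"MRUList"="a"
'''
RUN_KEY_HIT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"startIE"="notepad qazwsx.hsq"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Parse REGEDIT4 export text into {key_path: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys

def classify_registry_hits(keys):
    """Split marker hits into autostart entries and Find-dialog search history."""
    autostart, history = [], []
    for path, values in keys.items():
        for name, data in values.items():
            if MARKER.lower() not in f"{name} {data}".lower():
                continue
            if path.upper().endswith(r"\CURRENTVERSION\RUN"):
                autostart.append((path, name))
            elif path.upper().endswith(r"\DOC FIND SPEC MRU"):
                history.append((path, name))
    return autostart, history

def triage(reg_text, file_sizes, listening_ports):
    """file_sizes: {lowercase file name: bytes}; listening_ports: set of TCP ports."""
    autostart, history = classify_registry_hits(parse_reg_export(reg_text))
    indicators = []
    if autostart:
        indicators.append("marker in Run key")
    if file_sizes.get("notepad.exe") == INFECTED_NOTEPAD_SIZE:
        indicators.append("notepad.exe is 120,320 bytes")
    if "note.com" in file_sizes:
        indicators.append("note.com present")
    if QAZ_PORT in listening_ports:
        indicators.append("TCP 7597 listening")
    if indicators:
        return "investigate", indicators
    if history:
        return "search-history artifact only", indicators
    return "clean", indicators
```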
casamerica posted Sun, 27 August 2000 at 1:30 AM
One last word. As I stated, it cannot be installed via a cookie. However, it can be installed via an email attachment or by someone hacking into your system. If you're on DSL, cable, etc. you are at a greater risk since you are "on" 24 hours. However, even those using dialup can get attacked. There is no excuse not to be using both anti-virus programs AND firewalls. And this particular worm, W32/QAZ, will only get you if you let it through an improperly protected system. If I may paraphrase an old poem,"May YOUR FIREWALL protect you from harm in all the dark places you must SURF."
Jack D. Kammerer posted Sun, 27 August 2000 at 1:33 AM
I just did a whole search on all of my systems and checked the Registry folders you mentioned and I don't have it. I even ran the "Find" option on my systems, looking for "STARTIE NOTEPAD QAZWSX.HSQ" and came up with NADA... So my next question would be, what version of Explorer are you using? I know that their new version 5 update is supposed to fix a "leak" in your system that some hackers had managed to locate and exploit... perhaps that might be something for you to look into. However, since I don't get this file and don't have it on any of my systems... I am confident enough to say that it isn't the software that is causing this trouble... Now, I can't say that it isn't likely that you might not have downloaded this file while downloading something from the FreeStuff section (since I don't get time to download much from there), and if that is the case, it would be likely that someone put a file up in the FreeStuff section that could be "infected" or from something like GeoCities or some such which can be accessed through the FreeStuff section... of which neither of them do I have any control over and hopefully you have a Download Virus Scanner running when you do. All I know is it isn't the software or forum sections that are causing this. Jack
ghostboat posted Sun, 27 August 2000 at 1:38 AM
I probably come to this site 30 times a week and constantly D/l stuff from here and I do not have it. All I have is McAfee as a protection program, so Jack as far as I'm concerned "There just ain't no probbies comin from here" keep up the good work Jack!!
Stormrage posted Sun, 27 August 2000 at 2:24 AM
I use ZoneAlarm and in fact AVN online did a study about firewalls and found ZoneAlarm is one of the best. For a free program it gives you the same amount of protection as many of the for sale protections. Storm go to http://grc.com/default.htm and run Shields up! and Port Probe to see how safe your computer is from internet hacking. With ZoneAlarm I always run in stealth mode
Quikp51 posted Sun, 27 August 2000 at 4:16 AM
Well I know that Netscape users version 4.74 and earlier all have a backdoor glitch which allows people to execute whatever they want on your computer. Netscape is looking into it, they say just disable your javascript in the meantime. Also I must concur with the rest that I too have no viruses. Make sure there's no BackOrifice on your system or you'll get virus warnings all the time and altered files. Sorry to hear this happening to you, though this thread is moot since you're not coming back.
Artist3D posted Sun, 27 August 2000 at 7:45 AM
ZoneAlarm in Stealth Mode Is THE BEST! I bought another program that was supposed to be the best but it has leaks! So much for my $50 bucks! ZoneAlarm is the BEST. The Price?.........FREE! Jack, I want you to know, I Trust You 100%....Artist3D :) I was here even before I had my Firewall and I NEVER had any trouble, nor do I now. Thanks Jack for the sights and your time man. (Renderosity and Renderotica!)
Jarek posted Sun, 27 August 2000 at 8:19 AM
Black Ice is a Trojan...and it's sending info about you and your system to Black Ice site...Use Zone Alarm... Just my 2 cents ;) And Netscape is not so secure too...it's sending every d-load to Netscape/AOL site..read it here: http://grc.com/downloaders.htm
Daramski posted Sun, 27 August 2000 at 10:49 AM
Hello everyone, I have just read through this thread, and am quite surprised. I have been visiting for a while, at least six months, in that time, I have downloaded loads and loads from the free section, most probably a gig or two : ) Bryce and Poser. I have McAfee Virus, use ZoneAlarm, and am also configured to run in stealth. So far, I have had no problem whatsoever. Not one virus, nothing. Maybe it is yourself at error!!! Maybe you are being hacked from somewhere else, which I think is most probably the case. If you have worms, maybe you should go to the chemist, ha, ha, ha. Or check out McAfee Virus scanner. Maybe check out ZoneAlarm, it's free! If you want to go into stealth Mode, do a google search for Steve Gibson, he will tell you how. I agree with Jack. Must be a job running this place and if you don't visit it is your hard luck, where else are you going to get so much quality Stuff for free???
Darth_Logice posted Sun, 27 August 2000 at 11:42 AM
he doesn't seem to have the honor to reply, so it sounds like he's accusation boy. Hit and run. Slanderer. If that's not his intention, then he's pretty thick. -Darth_Logice
Maz posted Sun, 27 August 2000 at 12:59 PM
Judging by his original post he hasn't been back to read the replies so don't criticise him too much for not responding. That aside, I feel he should have asked first rather than shooting first. Also, I'm just pleased to find that my notepad.exe is just 52kB in size.
Famine posted Sun, 27 August 2000 at 2:26 PM
I'm not trying to be an ass or anything like that. That is the story I got from McAfee. I did get it here from using IE 4.0. It was not a problem and I plan on keeping coming back. I normally use netscape and I don't have any problems with it. I also use McAfee anti virus which picks it up quickly. I'm not an expert and I just posted what they told me. Good day all
Stormrage posted Sun, 27 August 2000 at 3:18 PM
Famine.. What did mcafee tell you it was precisely? Storm
lmacken posted Sun, 27 August 2000 at 6:02 PM
Everybody wants Artificial Intelligence, but nobody wants a virus. When Love Letter hit, I laughed. 'I wuv you' in the subject line = straight to the trash. Social Engineering at its finest.
Vethril posted Sun, 27 August 2000 at 7:44 PM
Hmm...I've scanned my system, checked my notepad.exe file. It's still at 52k in size. I have downloaded "every" item ever put on this site, and have uploaded images, hung out in chat, uploaded files, etc. Never a problem. Being a technoclutz, I don't understand much how these things work, but I schedule regular scans, store my files on CD's, not my HD, and format my system quite often. That's about all I can do. Jack, remember, any venture worth doing holds risk. Your disclaimer when one goes to download is quite clear. You use this site at your own risk. And it is well worth it. If my computer crashes because of something, well, ya pays ya money...ya takes ya chances. grin People must weigh what they get in return for that risk from here, and it's well worth it. Where else can one find such wonders and marvels for their art? Nowhere, that's where. laughs So, don't lose any sleep over this. What we have enjoyed here is so unique, the sharing of our talents, (umm..well, mine are not too outstanding, so I'll stand back on that one.=P ) and the knowledge that perhaps just one person finds something you've put here and smiled all the way to his Poser Interface. That makes it all worthwhile. =P Take care, stay safe, and enjoy the day. =) Ciao! Vethril
Legume posted Sun, 27 August 2000 at 7:49 PM
I wouldn't take edriver's word very seriously. Recently, when someone said they were going to post Poser 4 to the Poser newsgroup, he pulled this same melodramatic "I'm leaving" message there, saying that I wasn't doing my job as a moderator by stopping this guy from posting it. If he'd done an instant of research before posting, he'd have known that the newsgroup doesn't HAVE a moderator, and that there isn't SQUAT anyone could do but report the pirate to his ISP. This is another case of him jumping to conclusions without bothering to check facts first. The difference is, this time he's "punishing" us for it by removing the "stuff he has generously made available for free". I don't mean to sound like I'm coming out blasting the guy, but before you go placing blame on folks, especially concerning something as serious as a virus, you should make sure you have your facts straight. When/if you DO decide to grace us again, edriver, I believe an apology is in order.
cooler posted Sun, 27 August 2000 at 8:18 PM
In light of this & several other threads which have come & gone in the past few months (& most not quickly enough IMHO :-) I'd like to propose that the admins open a new dual purpose forum. We can either call it "The Chicken Little Memorial The-Sky-Is-Falling Forum" or the "Priscilla Drama Queen of the Desert Exit-Stage-Right Forum" That way we'll all know where to go look for this silliness instead of having to scour each & every forum just to get our daily dose of melancholia/paranoia.
DbS posted Sun, 27 August 2000 at 8:26 PM
Here's one of the places that a "Mark Thread Read" option would come in really handy, especially since edriver has been true to his/her word and not responded. :) ~Dave
Legume posted Sun, 27 August 2000 at 9:34 PM
I think we need BOTH of those forums here!
Famine posted Sun, 27 August 2000 at 11:13 PM
storm, Just what I wrote. I found why I was getting the virus from here. It was fixed. I forgot to disable a proxy that set you up when you use it with the virus. My proxy admin found it and fixed it. The one I went through was merlin.edu.com. I did some testing to solve my problem so hopefully that was it. I'm sure it was. I don't use a proxy on netscape, that's why I didn't get it. Hadn't had a prob since they fixed their proxy. I was just inquiring about it to McAfee, because someone wanted to know what it was on an earlier post. Just as a note, I like it here. I'm sure Jack runs a good site, and questions are answered quickly. There is only one person here I don't like. I'm not going to say any names. This is not the place for it. Thanks Famine
Wizzard posted Mon, 28 August 2000 at 12:29 AM
Sounds suspiciously like what was discussed in Jack's Musings at the sister site... hrmmmmm......
Darth_Logice posted Mon, 28 August 2000 at 2:04 AM
I would like a Renderosity Virus that makes my computer Renderiffic, if you have one, please send it to me or hide it in javascript. TIA. -Darth_Logice, snacking on his cookie
Stormrage posted Mon, 28 August 2000 at 2:30 AM
Keoto under the security area of zone alarm I usually keep my settings at med for local and high for internet. I also enable mailsafe.. Then go to that url I posted above and check your computer with Shields up. http://grc.com/default.htm You should be running in stealth mode. S Storm
Artist3D posted Mon, 28 August 2000 at 5:19 AM
ZoneAlarm and Shields Up are GREAT. The guy that runs Shields deserves a medal. As does Jack, and everyone else here and Renderotica for working for FREE and doing a GREAT job.
Dr Zik posted Mon, 28 August 2000 at 8:36 AM
Hi Fol--- (Dr Zik enters the room, takes a quick look around and beats a hasty retreat back to the door)
Hubert posted Mon, 28 August 2000 at 9:43 AM
Hi, so far, I never caught any virus here at Renderosity, either by file-download, html-code, Java, etc.! And I couldn't find that specific QAZWSX-entry in my MRU-section (btw: I am using IE5 at the moment). I frankly admit, that I once also fell for a similar gotcha-hit in that MRU-section, when I was searching my Registry for some stuff repeatedly. :-) Although, one always should consider viruses as a possibility! There never will be a general protection, but there are good precautions, even using common sense does help. Below is some fun about NEW M-Viruses (I received this little piece of fun yesterday and just translated it for you), which even Jack's powerful engine might not recognize correctly!! Hope it can cheer you up, Jack! ;-) Hubert A guy with paranoia only assumes that everybody is trying to get at him. I, for sure, know!! ************** Hello, this is a manual virus! Its developer neither had the skills nor time to program a real one. Please, just select 50 addresses from your own mail-address-book and then forward this virus! Afterwards, delete some arbitrary files in your System-folder. In case it is Friday the 13th, then format your harddrive! Thanks for your assistance! ===================================== SYSTEM HALTED! HIT ANY USER TO CONTINUE =====================================
"All that we see or fear, is but a Sphere inside a Sphere." (E. A. Pryce -- Tuesday afternoon, 1845)