# Norton Blocked Virus message



## Fasttr

I use Norton 360 as virus protection both at home and at work, and over the past few days, and it has happened at home and at work, when I log into the Tug/Marriott Forum, I get a Norton message that pops up saying it blocked a malicious virus.  It doesn't happen all the time, but it has been fairly frequent over the past few days.

Anybody else having this issue?  Just wondering if TUG has a virus issue they need to deal with.

ps... I also posted this in the Marriott forum.


----------



## TUGBrian

can you forward me the details of the message?

also, what os and browser are you using?


----------



## Fasttr

TUGBrian said:


> can you forward me the details of the message?
> 
> also, what os and browser are you using?



Using Windows 7 and IE 11 at home.  Also Windows 7 at work, but will have to wait until tomorrow to let you know what IE version of a browser at work.  

The Norton notice said it was "Malicious Website Accessed 2" virus.

ETA:  I am using IE 9 at work.


----------



## JPD

I have win7 also, and IE11. No problems on my end with Norton 360. Please keep us updated.


----------



## Fasttr

TUGBrian said:


> can you forward me the details of the message?



More info Brian....Norton says the attacking computer is 69.64.46.68 if that helps any.


----------



## TUGBrian

any and all info is useful to tracking down what may be causing this.


----------



## DaveNV

Brian, I can't provide any extra information because I've already deleted everything, but yesterday afternoon when I clicked onto the Private Messages page, I was hit with spyware and a virus. I haven't had one in several years, but this one happened the instant I landed on that page. Not sure if that's any help.

Dave


----------



## TUGBrian

were you on a windows7 machine also?

hopefully your antivirus caught it?


----------



## mjkkb2

*virus/malware*

I believe I also got something from TUG.  It happened yesterday at my work computer. I had to have the IT person clean it up.  Today I got the same thing - very nasty malware that writes to the Windows registry, disables all antivirus commands and installs a bunch of junk.
I had to go again and get it removed.  Now I am still uncertain if it came from TUG.  There was one other website I have visited both yesterday and today, however while searching in Google I haven't gotten any hits about virus issues like I got with tug.  For those interested, search your c drive for two files:
*r3a3n3a3*   and   *As2014*.

If you find those on your machine - you got infected.  Take appropriate precautions to fix your computer.  This thing rewrites the system registry so deleting them isn't enough.  it will run again if you restart the computer.  

good luck fixing it.  for now I am banned from accessing tug at work


----------



## csxjohn

I contracted a virus yesterday.  When I signed into tug window started popping up with some phony clean up site.  It turned out to be a scareware virus that somehow my avast missed.  Our research showed that this virus usually comes from clicking on an online video.

We got it cleaned up and did some avast updates but am not sure if it came from TUG or not.  Today avast blocked what they termed a dangerous virus as soon as I signed on to TUG.  I don't have any other details at this time.

I'm on a PC and think I'm using IE7.

Yesterday I checked TUG from another computer without signing in to see if there were any new threads about a virus.  There were none so I suspected that it came from somewhere else.  Today I saw this thread.

I am banned from accessing TUG on the wife's computer until we find out for sure what's happening.  She's the one that has to figure out what's wrong and how to fix it.


----------



## TUGBrian

Doug and I have been digging into this for the past few days and are coming up blank.

we are also working with our host to identify and cure the issue, but without any of us being able to trigger it...its like looking for a needle in a haystack.

I can suggest the following for those needing help to protect or clean their computers:

I personally use all of these.

1. malwarebytes antimalware:

http://downloads.malwarebytes.org/mbam-download.php


2. spybot search and destroy

http://download.cnet.com/Spybot-Search-Destroy/3000-8022_4-10122137.html

3. trendmicro online virus scanner

http://housecall.trendmicro.com/

4. Kaspersky has been a suggested virus scanner from our host...they appear to have a free online scanner and removal tool here

http://www.kaspersky.com/virus-scanner


----------



## Fasttr

TUGBrian said:


> Doug and I have been digging into this for the past few days and are coming up blank.
> 
> we are also working with our host to identify and cure the issue, but without any of us being able to trigger it...its like looking for a needle in a haystack.



Thanks Brian.  So far at work today, I have signed on a few times throughout the day and no Norton flags....so fingers crossed!!!!


----------



## csxjohn

Here is what Avast says it blocked earlier today when I logged on to TUG.

URL: http://jkljsegl.myftp.org/j3vb6n6gdo2q3zlpqzy5syhmji...

Infection: URL:Mal 

I don't know what it all means but hope it helps.


----------



## kalima

*virus*

yes I got a virus a few days ago when on the TUG site! Something popped up and I clicked 'later' instead of closing it out..I had to get our IT guy at work to get rid of it..it was one of those viruses that tells you you have a virus and you need to run a scan BUT if you do that it will get right in your system ...luckily as soon as I realized what had happened I shut my system right down.


----------



## DaveNV

TUGBrian said:


> were you on a windows7 machine also?
> 
> hopefully your antivirus caught it?




It is a Windows XP SP3 machine at my work.  It was one of those homepage redirect viruses, that disables everything, so you can't use normal processes to fix it.  I was able to get around it by doing a System Restore back to a date a week ago. Once it was clear enough to use the machine, I used the malwarebytes.org software to scan things.  It found ten viruses and spyware, and killed them all.  System is fine now.

Dave


----------



## TUGBrian

I am working to try to disable all redirects (willing or not) to that myftp.org site listed in the reports ive gotten.

while it wont get rid of the problem it will hopefully at least prevent anyone from downloading anything.


----------



## Passepartout

I just ran a full AVG scan and a Malwarebytes scan. Both came up clean. Win7/FF27Beta

Jim


----------



## Miss Marty

*Another Trojan quarantined by Eset*

1/16/2014 Went to Tug a few minutes ago and Eset found another
trojan threat and quarantined it.  Using Windows XP home and IE 

1/15/2014 5:07:22 PM HTTP filter file http:// www. tugbbs .com/class/help/defaults.php JS/Kryptik.AH trojan connection terminated - quarantined Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.

1/13/2014 11:29:36 AM HTTP filter file http:// www. tugbbs .com/forums JS/Kryptik.AH trojan connection terminated - quarantined  Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.


----------



## Fasttr

Norton just stopped another one the second I hit TUG at home this evening.  Using Windows 7 and IE 11.  

Here is the info....

Norton IPS Alert Name:  Malicious Website Accessed 2

Attacking Computer:  cbclyr.myftp.biz 69.64.46.68, 80 which is the same source address as yesterday.


----------



## TUGBrian

that is the first error that showed the file on the server...something to look at!


----------



## caneil

Same thing happened to me yesterday and just now with Norton blocking an attack. I think I will just wait a few days and see how it goes.


----------



## TUGBrian

I went ahead and hired a company that specializes in this sort of detection and cleaning...they said they can fix all this within 8 hours.

will keep you updated.


----------



## TUGBrian

anyone still getting the message by chance?


----------



## Sandy VDH

I too had the message a few days ago, but nothing since then.


----------



## richardm

Just got the warning when I visited. 

Alert classified it as Web Attack: Malicious Website Accessed
Attacking computer: 69.64.46.68
Attacker URL: knbryjjd.myftp.org


----------



## MuranoJo

Fasttr said:


> Using Windows 7 and IE 11 at home.  Also Windows 7 at work, but will have to wait until tomorrow to let you know what IE version of a browser at work.
> 
> The Norton notice said it was *"Malicious Website Accessed 2"* virus.
> 
> ETA:  I am using IE 9 at work.



Same message I've gotten several times, just within the past 2 days or so.



mjkkb2 said:


> I believe I also got something from TUG.  It happened yesterday at my work computer. I had to have the IT person clean it up.  Today I got the same thing - very nasty malware that writes to the Windows registry, disables all antivirus commands and installs a bunch of junk.
> I had to go again and get it removed.  Now I am still uncertain if it came from TUG.  There was one other website I have visited both yesterday and today, however while searching in Google I haven't gotten any hits about virus issues like I got with tug.  *For those interested, search your c drive for two files:
> r3a3n3a3   and   As2014.*
> If you find those on your machine - you got infected.  Take appropriate precautions to fix your computer.  This thing rewrites the system registry so deleting them isn't enough.  it will run again if you restart the computer.
> 
> good luck fixing it.  for now I am banned from accessing tug at work



I searched my c drive for both of the two files you listed and nothing was found.

I'm wondering if perhaps it might be a link in a post all of us might have accessed.  But who knows.

Edited to add:  Brian, I did get the message early evening today.  Not sure if I was signed into TUG yet, though, so I'm sorry, not a lot of help.


----------



## lalahe

Got infected with a variant of Win32/Kryptik.BSZZ Trojan from this site.  I highly recommend running the ESET online scanner as it will find and remove it. It is free and you can find it with a Google search.


----------



## TUGBrian

well, so far that company seems to have done next to nothing in terms of fixing the site...what a joke.


----------



## lalahe

Brian have you tried running ESET online scanner on your server?


----------



## TUGBrian

doesnt quite work that way for things like this unfortunately.


----------



## Passepartout

lalahe said:


> Got infected with a variant of Win32/Kryptik.BSZZ Trojan from this site.  *I highly recommend running the ESET online scanner as it will find and remove it*. It is free and you can find it with a Google search.



Are we sure this isn't one of those 'free scan, and if (when) we find a bug, you have to pay $XXX for us to get rid of it' or sign up for periodic scans at $?? per month?

I hate those!

Jim


----------



## TUGBrian

have been contacted by said company and after an apology for the delay, they are now working on the issue.

we shall see.


----------



## TUGBrian

well that was fast, just got a note back saying they detected the "bad stuff" and cleaned it.

can anyone who was regularly getting the av message let me know if its truly gone?


----------



## csxjohn

Passepartout said:


> Are we sure this isn't one of those 'free scan, and if (when) we find a bug, you have to pay $XXX for us to get rid of it' or sign up for periodic scans at $?? per month?
> 
> I hate those!
> 
> Jim



This is what mine looked like but what the wife found by reading was that if you click to buy the "better" version it just got you deeper into it without even trying to get your money, just to scare you.  Crazy!  Again, I can't say it came from here on TUG.  

I know that today I have not gotten any virus alerts from avast.


----------



## TUGBrian

well, up until about 10 minutes ago...i dont believe anything had changed or been done on the server at all.

but the list of stuff they "found and cleaned" seems legit.


----------



## Rent_Share

Passepartout said:


> Are we sure this isn't one of those 'free scan, and if (when) we find a bug, you have to pay $XXX for us to get rid of it' or sign up for periodic scans at $?? per month?
> 
> I hate those!
> 
> Jim



My search is unclear, if it was them, or somebody posing as them, sending "extortion" emails


----------



## DaveNV

TUGBrian said:


> well, so far that company seems to have done next to nothing in terms of fixing the site...what a joke.





Maybe you can pay them to help you get rid of your timeshare. :hysterical:

(Sorry, couldn't resist.)

Dave


----------



## pedro47

When I log into TUG using Internet Explorer I am receiving a message that I must update JAVA.
Options: Update; Block & Cancel.

I am backing out of Internet Explorer and logging in to TUG using Google Chrome. No problems & no messages.

What up ?


----------



## TUGBrian

no idea, the TUGbbs forums do not use java.


----------



## queenofthehive

Lately when I log on my machine, it asks me if I would like to update Java but I always decline. When trying to access Tug2, I did get the message from Norton saying that they blocked an attack from Malicious Website Accessed 2. I will close out and try using Chrome instead.


----------



## Fasttr

Just had another Norton block .... here are the details....

Using Windows 7, IE 9

IPS Alert Name: Malicious Website Accessed 2
Attacking Computer: nvayxpco.serveftp.com (69.64.46.68, 80)

It's still out there.....


----------



## TUGBrian

please make sure you clear your cache and cookies before logging back in.


----------



## queenofthehive

I closed out Internet Explorer and used Google Chrome to access Tug2 and no messages..


----------



## TUGBrian

yes, we confirmed earlier this was only an IE issue.


----------



## TUGBrian

certainly appears they didnt get it all thats for sure....wow this is just terrible.


----------



## Fasttr

TUGBrian said:


> please make sure you clear your cache and cookies before logging back in.



First thing I did when I got home was to delete cookies, clear cache, history, etc, closed out of IE, fired it back up, went to TUG and up pops the Norton Virus Block flag again.


----------



## TUGBrian

well, they are claiming that the server is indeed clean, but your AV is just reporting the intrusion from cache or some other history (I dont buy this, but it appears they are going to insist that I prove otherwise).

if you dont mind, can you reboot your machine and come back in after clearing cache/history etc and tell me if it pops up again.

Thank you for helping troubleshoot this.


----------



## TUGBrian

also please anyone else keep reporting any antivirus warnings here with as much detail as you can provide.


----------



## Fasttr

TUGBrian said:


> well, they are claiming that the server is indeed clean, but your AV is just reporting the intrusion from cache or some other history (I dont buy this, but it appears they are going to insist that I prove otherwise).
> 
> if you dont mind, can you reboot your machine and come back in after clearing cache/history etc and tell me if it pops up again.
> 
> Thank you for helping troubleshoot this.



Did that...and up popped the flag again.  I am usually permanently signed in to TUG using the keep me signed in button, and after blanking out cache, etc, I had to resign in, and the moment I hit the bbs after signing in, up popped the flag.  

I have a hard time believing its a cache/history issue anyhow, as the attacker URL changes each time.  This time it was ysguhildm.myftp.biz/....  At home, it seems to always be XXX.myftp.biz where the XXX=an apparent random string of letters, but changing each time.  At work, it seems to be XXX.serveftp.com and I have seen one other post where it was XXX.myftp.org.  It seems like it is variable enough to be pesky to find and inoculate.


----------
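
Added example, not part of any post in this thread: the reports above describe alerts whose hostname changes on every visit while the address stays 69.64.46.68. The sketch below groups proxy-log entries by destination address and flags any address reached under several names in the dynamic-DNS zones named in the thread; the log format, timestamps, client addresses and the `homecam` row are assumptions constructed for the illustration.

```python
from collections import defaultdict

# Dynamic-DNS zones named in the alerts reported in this thread.
DDNS_ZONES = ("myftp.org", "myftp.biz", "serveftp.com")

# Constructed sample. Assumed line format: time client host dest_ip port.
# The three rotating hostnames and 69.64.46.68 are the pairs quoted in the
# thread; every other value here is made up.
SAMPLE_LOG = """\
2014-01-16T19:02:11 10.0.0.21 www.tugbbs.com 192.0.2.10 80
2014-01-16T19:02:12 10.0.0.21 cbclyr.myftp.biz 69.64.46.68 80
2014-01-17T08:15:40 10.0.0.34 knbryjjd.myftp.org 69.64.46.68 80
2014-01-17T09:30:05 10.0.0.57 homecam.myftp.org 198.51.100.7 80
2014-01-20T12:44:19 10.0.0.21 nvayxpco.serveftp.com 69.64.46.68 80
malformed line that the parser skips
"""


def parse_line(line):
    """Return (client, host, dest_ip) or None for a line in the assumed format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _time, client, host, dest_ip, _port = parts
    return client, host.lower().rstrip("."), dest_ip


def in_ddns_zone(host):
    """True when host is a subdomain of one of the listed dynamic-DNS zones."""
    return any(host.endswith("." + zone) for zone in DDNS_ZONES)


def find_rotating_hosts(log_text, min_names=2):
    """Map each destination IP to the dynamic-DNS names seen pointing at it,
    keeping only IPs reached under at least min_names distinct names."""
    names_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and in_ddns_zone(rec[1]):
            names_by_ip[rec[2]].add(rec[1])
    return {ip: sorted(n) for ip, n in names_by_ip.items() if len(n) >= min_names}


def affected_clients(log_text, flagged_ips):
    """Clients that connected to any flagged destination IP."""
    recs = (parse_line(line) for line in log_text.splitlines())
    return sorted({r[0] for r in recs if r and r[2] in flagged_ips})


if __name__ == "__main__":
    flagged = find_rotating_hosts(SAMPLE_LOG)
    for ip, names in flagged.items():
        print(ip, "reached as", ", ".join(names))
    print("clients to check:", ", ".join(affected_clients(SAMPLE_LOG, flagged)))
```

Grouping by address rather than by name is what keeps the check useful when the hostname label is regenerated on every request; a single long-lived dynamic-DNS name, like the constructed `homecam` row, is not flagged.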



## DaveNV

Fasttr said:


> Did that...and up popped the flag again.  I am usually permanently signed in to TUG using the keep me signed in button, and after blanking out cache, etc, I had to resign in, and the moment I hit the bbs after signing in, up popped the flag.



Try doing what I did - a System Restore to sometime before the popups started happening. For me, it was a week or so back. When it booted up clear, I did a malwarebytes full scan, and cleaned things out.  It found traces in my user profile folders. The popups were gone after that.

Dave


----------



## TUGBrian

any old users other than Fasttr getting the warnings or notifications?


----------



## csxjohn

I did not get any warnings from my avast today or yesterday.


----------



## Makai Guy

Fasttr said:


> I have a hard time believing its a cache/history issue anyhow, as the attacker URL changes each time.  This time it was ysguhildm.myftp.biz/....  At home, it seems to always be XXX.myftp.biz where the XXX=an apparent random string of letters, but changing each time.  At work, it seems to be XXX.serveftp.com and I have seen one other post where it was XXX.myftp.org.  It seems like it is variable enough to be pesky to find and inoculate.



The actual malware comes from a remote site.  If something in your cache sends you out to some server, and THAT server links you to a varying URL, then I can see how the cache could be involved.  I'm not saying that's what is happening, only that it is one possibility.


----------



## Fasttr

BMWguynw said:


> Try doing what I did - a System Restore to sometime before the popups started happening. For me, it was a week or so back. When it booted up clear, I did a malwarebytes full scan, and cleaned things out.  It found traces in my user profile folders. The popups were gone after that.
> 
> Dave



My computer is not infected...my anti-virus software keeps doing its job.  My Norton 360 keeps blocking the attack each time, and what I keep reporting are the Norton anti-virus system flags notifying me that they stopped the attack.  If my anti-virus was not doing its job, then I would get the pop ups that you are referring to.  I keep reporting the flags in an attempt to help Brian know they are still there.  

That said, so far this morning.....I have received no flags....so fingers crossed!!


----------



## TUGBrian

well thats certainly a good sign!


----------



## lalahe

I chanced it and brought this back up on my computer (I have been accessing TUG through my tapatalk on my phone after being infected) and so far so good.  No notifications or anything while on the site.


----------



## Fasttr

lalahe said:


> I chanced it and brought this back up on my computer (I have been accessing TUG through my tapatalk on my phone after being infected) and so far so good.  No notifications or anything while on the site.



Been clear for me all day as well.


----------



## pranas

Works fine for me also.


----------



## pedro47

No problem now. I am using Google Chrome.


----------



## jules54

*computer virus*

This happened to my computer also. Three days in a row last week. Once it started right in the middle of reading some resort reviews on TUG, same messages others saw. What a mess, it just went deeper and deeper. Finally hubby came home from work and had to call his IT guys to tell him what to do. I told him what happened, but I did not want to blame tug. Could someone infect the website just to be malicious?


----------

