# Strange happenings



## csxjohn (Sep 5, 2012)

Something strange is happening.

When I click on "quick links" on the blue bar I do not get my usual options.  Instead the bar changes.

"New posts" and "search" switch places, "quick links" disappears and "mark forums read" takes its place.  Also "open buddy list" appears then the normal "log out" is last in line.

Also the spell check is unclickable now.

What do you think is wrong with my computer to make this happen?


----------



## Passepartout (Sep 6, 2012)

Doing similar stuff here too. I'm of the opinion that it is TUGs servers, not our 'puters that are bugged. Hope Doug and the other volunteers can get the thing straightened out. I still can't use any of the format options in Firefox. Seemed to work OK using Chrome, but AVG still notifies of badnasties lurking about.

Jim


----------



## easyrider (Sep 6, 2012)

Things are working fine for me.  

Bill


----------



## Beaglemom3 (Sep 6, 2012)

I had difficulties in sending PMs last night. They would not appear in my "sent" folder after having been sent. Strange brew.


----------



## TUGBrian (Sep 6, 2012)

over the past few days we have been making changes to files and running lots of scans to figure out both the "redirect" error, and the trojan/virus warning some are receiving (thread in the lounge)...so if we were doing those things at the times you experienced the issues...it would explain that.

these items above (other than the slowness during off peak hours which can be contributed to backups, or us running malware scans) should not be a recurring thing.

best thing you can do with odd things in the toolbar etc, is to delete temp internet files, remove your cookies for TUGBBS.COM and reload the site to see if it corrects the issue!


----------



## csxjohn (Sep 6, 2012)

*Still won't work*



TUGBrian said:


> best thing you can do with odd things in the toolbar etc, is to delete temp internet files, remove your cookies for TUGBBS.COM and reload the site to see if it corrects the issue!



In my case none of this corrected the problem.  I went to my wife's computer and I'm having the same issues there so I'll wait and see what happens.

I know that "quick links" is what I use the most and of course without the spell check working, I'm in big trouble.  I also just discovered that I can't insert smiles. I was going to use the one smashing the computer with a hammer here.


----------



## b2bailey (Sep 6, 2012)

*Just received this Virus message while on TUG --*

Exploit Phoenix Exploit Kit Type 769


----------



## b2bailey (Sep 6, 2012)

*I keep getting the following message from my AVG...*

File Name - www.tugbbs.com/forums/clientscript/v bulletin global.jbZ v=364

(This isn't a cut and paste so it may have some typos.)
B.


----------



## TUGBrian (Sep 6, 2012)

yes, is an existing thread in the lounge around the virus/trojan item....i think we may have identified something just recently...i'll keep everyone updated.


----------



## TUGBrian (Sep 6, 2012)

this issue may indeed be related to the most recent java update thats also being discussed in the virus thread in the lounge.

can those of you having these strange problems check your java versions on your local computers to see if they were updated within the past few days?  (ie before the problems started?)


----------



## rschallig (Sep 6, 2012)

TUGBrian said:


> this issue may indeed be related to the most recent java update thats also being discussed in the virus thread in the lounge.
> 
> can those of you having these strange problems check your java versions on your local computers to see if they were updated within the past few days?  (ie before the problems started?)



TUGBrian - I received the same notification of the threat block by AVG. This threat notification shows up constantly. I did not update the recent java version update invitation.
Bob


----------



## Passepartout (Sep 6, 2012)

After I did a System Restore back 48 hours, all the weird alerts and inabilities to use formatting or Quick Links hijinks stopped and TUG went back to operating correctly. All I can see that happened in the interim was the Java update. Ymmv. Good Luck with it, but a System Restore is a good place to start.

Jim


----------



## csxjohn (Sep 6, 2012)

TUGBrian said:


> can those of you having these strange problems check your java versions on your local computers to see if they were updated within the past few days?  (ie before the problems started?)



My computer says I have Java 6 update 5.  My wife's has Java 6 update 32.  I think the newest version is Java 7.  I can't tell the last time mine was updated but appears to be an older version.

I'm off to Tropic Shores Resort in Daytona Beach Shores in the morning so I'll be checking in here in a few days.


----------



## pittle (Sep 7, 2012)

We have gotten Warnings off and on for the past 2 days.

I use Avast and got the following Trojan Horse warnings yesterday when I logged in.  Just a few minutes ago, I logged in and got

URL:	http://yeare.pro/nwuvgyzxwwipadc/
Process:	C:\Program Files\Internet Explorer\iexpl...
Infection:	URL:Mal


I logged in using Firefox and got the same thing.

URL:	http://yeare.pro/nwuvgyzxwwipadc/
Process:	C:\Program Files (x86)\Mozilla Firefox\f...
Infection:	URL:Mal


----------



## TUGBrian (Sep 7, 2012)

can i get some more information on those messages from your antivirus software?


----------



## davidvel (Sep 8, 2012)

Brian, 

I also have been receiving alerts from Microsoft Security essentials, that various java-based trojans, etc have infiltrated my computer (one as I type now.) I suspected it was from this site but didn't want to post as I was unsure. Seeing this thread it is confirmed. 

The particular trojan executable on my system is: 036DFF8E696693A2C8C08545F875F020.exe

Has something infiltrated vbulletin? 

This is what MSE found as I typed this:

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.
DETAILS

Rogue:Win32/Winwebsec

Encyclopedia entry
 Updated: Aug 23, 2012  |  Published: Aug 17, 2010 

Aliases

System Security (other) Security Shield (other) 
SecurityShieldFraud (Symantec) 
SystemSecurity2009 (other) 
Total Security (other) 
Troj/FakeVir-LB (Sophos) 
Trojan:Win32/Winwebsec (other) 
TrojanDropper:Win32/Winwebsec (other) 
W32/AntiVirus2008.AYO (Norman) 
Win32/Adware.SystemSecurity (ESET) 
Win32/Adware.WinWebSecurity (ESET) 
Winweb Security (other) 
Essential Cleaner (other) 
Personal Shield Pro (other) 
Security Shield 2012 (other) 
Security Sphere 2012 (other) 
Smart Protection 2012 (other) 
Security Shield 2012 (other) 
Smart Fortress 2012 (other) 
Advanced PC Shield 2012 (other) 
Win 8 Security System (other) 
Adware/AntiSpywarePro2009 (Panda) 
Adware/UltimateCleaner (Panda) 
Adware/Xpantivirus2008 (Panda) 
AntiSpyware Pro 2009 (other) 
AntiVirus2008 (Symantec) 
FakeAlert-AntiSpywarePro (McAfee) 
FakeAlert-WinwebSecurity.gen (McAfee) 
Live Security Platinum (other) 
Mal/FakeAV-AK (Sophos) 
MS Removal Tool (other) 
Security Tool (other) 
SecurityRisk.Downldr (Symantec) 

Alert Level
 Severe


----------



## dioxide45 (Sep 8, 2012)

I had something very similar. 036DFF85030E158B02ABE9FA2F3B707C folder was created in my Program Data folder. It had an executable Trojan in it. The Trojan did execute and attempted to get me to "scan" my system for a virus.



davidvel said:


> Brian,
> 
> I also have been receiving alerts from Microsoft Security essentials, that various java-based trojans, etc have infiltrated my computer (one as I type now.) I suspected it was from this site but didn't want to post as I was unsure. Seeing this thread it is confirmed.
> 
> ...


----------



## timeos2 (Sep 8, 2012)

Those are the classic signs of a local infestation by the infamous SmitFraud that has been around in many variants since 2006 or even earlier. It is contacted from any number of locations, changes settings within the OS that can be virtually impossible to undo without a total system reload. Far too many antivirus / anti malwares still allow it to activate itself despite its long standing nature. It is extremely convincing in getting the end user to override whatever protections they may have in place by answering a question that seems all too legitimate and play on the real product names or close facsimiles as you see on that list.

Usually the actual software does not come from the host such as tugbbs but rather redirect, allowed by a compromised client, to a rogue third party site.

The idea that Java or Javascript by themselves are the cause is incorrect. That is clear as we have many running various versions as well as different browsers & protections some of which are seeing the problem and others aren't. IF you are getting the messages then more than likely it is your computer that, totally unknown to you, has been compromised at some point. Now that breach is being exploited by malware and although your security product(s) may report it they cannot remove it in normal operation (by design of the malware).

You can run the cleaners all you want - they may say your computer is OK but in fact it is not. Take it to a pro that may be able to clean it completely OR tell you it must be reloaded. While the tug site may be a potential gateway the ultimate issue is a local one IMO.


----------



## Passepartout (Sep 8, 2012)

timeos2 said:


> You can run the cleaners all you want - they may say your computer is OK but in fact it is not. Take it to a pro that may be able to clean it completely OR tell you it must be reloaded. While the tug site may be a potential gateway the ultimate issue is a local one IMO.



This is not the outcome I was anxious to hear. 

Jim


----------



## Passepartout (Sep 8, 2012)

For what it's worth (likely nothing), I searched my machine for .exe files created over the last 4 days. The search came up empty of anything suspicious. Obviously it showed the new installs of the suggested Antimalwarebytes and a new AVG, but nothing with all the numbers in the file name as shown above by davidvel or Dioxide45.

Jim


----------
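
The search described in the post above (recently created `.exe` files, plus the all-hex names davidvel and dioxide45 reported) can be scripted. This is an added example, not part of any post in this thread; `find_suspects` and `HEX32_NAME` are hypothetical names, and treating "32 hex characters" as the pattern is an assumption generalised from the two names quoted here.

```python
import os
import re
import sys
import time

# Assumption: generalised from the two names quoted in this thread, both of
# which are 32 hexadecimal characters (one with an .exe extension).
HEX32_NAME = re.compile(r"^[0-9a-f]{32}(\.exe)?$", re.IGNORECASE)


def find_suspects(root, max_age_days=4, now=None):
    """Walk `root` and return a sorted list of (path, reason) tuples."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            if HEX32_NAME.match(name):
                hits.append((os.path.join(dirpath, name), "hex-named folder"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if HEX32_NAME.match(name):
                hits.append((path, "hex-named file"))
            elif name.lower().endswith(".exe"):
                try:
                    # Modification time is used as a portable stand-in for
                    # creation time, which not every filesystem records.
                    recent = os.stat(path).st_mtime >= cutoff
                except OSError:
                    continue  # unreadable or vanished file: skip it
                if recent:
                    hits.append((path, "recent .exe"))
    return sorted(hits)


if __name__ == "__main__":
    # Default to the Program Data folder mentioned in the thread (Windows).
    start = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("ProgramData", ".")
    for path, reason in find_suspects(start):
        print(f"{reason:18} {path}")
```

A hit is only a lead for further checking: legitimate installers also drop recent `.exe` files, and an empty result does not show a machine is clean.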



## Jaybee (Sep 8, 2012)

I've been having the same problem for the past 3 days. I got my son-in-law involved, and he's thinking maybe it's an issue between Firefox & AVG. ?? At least I can get in through Chrome.  Don't like weird stuff.   I missed my TUG fix.  




Passepartout said:


> Doing similar stuff here too. I'm of the opinion that it is TUGs servers, not our 'puters that are bugged. Hope Doug and the other volunteers can get the thing straightened out. I still can't use any of the format options in Firefox. Seemed to work OK using Chrome, but AVG still notifies of badnasties lurking about.
> 
> Jim


----------



## b2bailey (Sep 8, 2012)

*I am still receiving "threat was blocked" message from AVG.*

I'm a Firefox user but tried entering using Internet Explorer this time. I still get the 'threat was blocked' message. Glad to know AVG is working for me. But it would be nice if it stopped. TUG is the only site that shows this problem.


----------



## TUGBrian (Sep 8, 2012)

I dont think its a "javascript" issue either...i do however think its triggered on the number of machines getting the av warnings by one of the items in vbulletin that uses javascript.

or in laymans terms, this issue exists somewhere in the vbulletin code that contains the javascript tools (the menubar at the top, smileys, etc) and thus is manifesting itself on different computers in different ways.

at least now that we have confirmed from more than one person that was getting the error that disabling javascript within IE/FIREFOX gets the antivirus message to cease...now we just need to figure out where on the server side the issue exists.


----------



## kalua (Sep 8, 2012)

*virus*

a couple of months ago i was reading a post from someone here on tug, i thought the post was weird since i had never seen a post listing for sale everything from beans to bullets, immediately there after my computer started telling me there was a virus, it started freezing up, operating very slow, i never brought the subject up until now for reasons no one would have believed it, so i stayed off the site for awhile after i had to completely reload my computer nothing i did would get rid of it. don't know how this helps just thought i'd tell it, or maybe someone can possibly find that posting and check it out, i tried afterwards to find it but couldn't.


----------



## csxjohn (Sep 9, 2012)

*OK today*

We checked into Tropic Shores this afternoon and I am still up enjoying the ocean waves from up here on the eleventh floor.

We brought my wife's computer and the issues we had are no longer existent.

I get the proper drop downs when I click on quick links, the spell check is working and  the smiles work.

I doubt this was a problem with our computer since it happened on both of them and we did nothing between the time we left home and now, and it is now working fine.

I never did get the warnings others have reported and I did not take my computer to an "expert" or do anything to it.

Thank you to whoever was able to fix the problem.


----------



## LisaRex (Sep 9, 2012)

The bulletin board is acting normal, but there is an odd header up top:

[comment line removed so as not to tip our hand to the bad guys]


----------



## Rent_Share (Sep 9, 2012)

Which is why I sent it to Doug in a PM


----------



## LisaRex (Sep 16, 2012)

LisaRex said:


> The bulletin board is acting normal, but there is an odd header up top:
> 
> [comment line removed so as not to tip our hand to the bad guys]



Oops.  Sorry.  Didn't realize it was not to be shared!


----------

