If you get hit by malware on the SDMB

If you believe you have been victimized by malware while visiting the SDMB, please post a report to About This Message Board so we can investigate. For best results, malware reports should include the following:

  1. Tell us specifically what happened, not just “I got hit by malware.” For example: (a) my antivirus software notified me it had blocked an attack and gave me the following report (and then post the report); (b) I got a popup saying [whatever]; © my system locked up and the screen turned blue, etc. It’s especially helpful for us to know the name of the suspected item of malware.

  2. Time/date of occurrence, your geographic location, and browser/operating system you are using.

  3. Whether you were looking at an SDMB page or a column archive page. These are hosted on different servers and see different ads.

  4. If possible, provide a screen shot of the page you were on when the incident occurred. With WinXP this can be done with Alt-PrintScreen and with Win7 you can use the Snipping Tool. If you can’t do this, please describe any ads or popups that were visible.

If you get hit more than once, are at least moderately tech savvy, spend a lot of time on our site, and are willing to run bug tracker software in the background, we’d be grateful if you did so - this has proven to be an effective way to identify the source of rogue software. Let me know if interested.

Removed so that I can make a separate thread.

Each time, I was on this site. The last time, maybe a half hour ago, I was composing a new thread in Cafe Society and hit ‘enter’, then my IE session closed I got the ‘XP Security 2012’ fake ‘virus removal’ instructions. I have Symantic endpoint security and part of the business IE security. I also had MalwareBytes running. I was able to get IE back up but cannot get Malwarebytes to open now .

it put an executable (this one called epu.exe) in C:\Documents and Settings\user name\Local Settings\Application Data. I renamed the .exe then was able to end that task. I am still hosed.

XP exploits are really bad.

Running under an Admiistrative account, or as a user? If as a user, you can probably recover. Running as an Admin, you’re probably in big trouble.

My apologies. We are trying to get to the bottom of this. Will advise of any developments.

Try renaming the malwarebytes executable from mbam.exe to mbam.scr and double click on it. It might throw up an error dialogue, but it should still run and get you cleaned up.

I was surfing SD on Friday, 1/6/12, about 11 AM central time. Geographic location = central Minnesota. Browser = Internet Explorer 8, 64 bit edition. Operating system = Windows 7. I would have been in one of the forums at the time. I had Microsoft Security Essentials running, updated and actively monitoring the computer.

I started getting popups that tried to look like an antivirus program…Windows 7 Antivirus, something like that. Sorry I didn’t get the exact names. It was a bugger to remove. It disassociated file types with the program that runs them. Any attempt at running malware removal programs would actually erase the program I tried to run.

I finally managed to run ComboFix from a CD that got rid of it, after two runs. Then I was able to do a system restore. In hindsight, I think this has happend two other times in the last three months or so. Never quite so bad, but similiar circumstances.

Hope this helps.

Sorry to hear you had problems. Since you may have had this happen more than once, you’re a good candidate for running the Fiddler debugger in the background and capturing a log if this happens again. Would you be willing to do this? Logs are the one proven method we have of tracing malware. Let me know - you can reply by e-mail to edzotti at aol dot com. Thanks.

I was surfing a few pages in MPSIMS, and when I clicked to go to a ‘last post’ in a thread, I got a strange redirect. Come to find out it was a ‘Scour Redirect’ which also hijacked my google searches. Symantec Endpoint keeps blocking/quarantining a Bloodhound.Exploit.346 trojan (apparently).

I cannot guarantee I picked it up here, but it only first appeared when I went to go to a ‘last post’.

I run Symantec Endpoint antivirus, and Malwarebytes’ Anti-Malware, both of which I’m running with a barrage of other programs to isolate and kill this particularly sticky little bastard of a virus.

Tripler
I may need to nuke it from orbit.

I’m gonna post this in a new thread. . .

Tripler
Sorry for the double post. It’s early, no coffee at the time.:smiley:

res://ieframe.dll/acr_error.htm#worryprocessesdefender.info, http:// worryprocessesdefender.info /2395ccc009752c4a /1/

from the main forum page

gets a pop op windows dialog box spawned by the ie frame.

I use task manager to shut down all instances of IE so it doesnt get further, and I don’t click the box. This time IE threw an error that gave me the above frame url. I’ll add it to my hosts blacklist. But it IS spawning from SDMB.

I’ll pass this on. Sorry you had a problem.

Do you know what ad was displaying at the time this popped up?

That might help us track the culprit – if it’s a rogue ad, which is possible.

No, the pop up blocked me from scrolling up to the ad display. I assume that’s where it’s coming from as well.

Again, our apologies.

No worries, I know it isn’t really the board.

more info:

looks like the banner was “ads by pulse 360”

this time hijacked the page to vulnerabilitytaskstesting. info

and pops a windows dialog box “windows antivirus 2012 has found critical process activity on your PC and will perform fast scan of system files”

this time I X’d out the dialog box, figuring I can clean up any mess, and it landed on the .info page and started a ‘scan’

I was able to use the back button to view the banner ad at the top to gather this. Hope that helps.

Reported.

I just got the fake virus messages from the straight dope, about two minutes before this post. It was not an archive

It was a pop-up and it mimicked the look of Microsoft Security Essentials. I’m sorry I did not get a screen shot, but my ahbit is to close the window as soon as this happens lest I accidentally click on something that will really infect my machine.

I am running Vista SP2 and IE 9.

For my location, please PM.

Just got a re-direct to a porn site when reading the game room, on my ipad (pretty sure I hadn’t touched anything on the screen). It sounds like the same redirect that these guys are discussing on another forum (same dodgy site):

http://forums.digitalspy.co.uk/showthread.php?t=1722515&page=4

My ipad is as pure as the driven snow, in internet browsing terms. Something to do with the SD ads?

Reported to Ed and Jerry.