Virus

Just caught some kind of nasty virus from here. Fortunately, I didn’t lose anything important (at least I don’t think so, we’ll see… you don’t know how good your backups are until you try to use them) but my windows box is going to need a format and a re-install.

I know we’ve had problems with ads, but I’m a charter member. I shouldn’t be seeing advertisements. This shouldn’t have come from an ad.

Unfortunately, I can’t give much info. I unplugged the computer as soon as I realized what was going on. I don’t remember what forum I was in. Could have been GQ, IMHO, or MPSIMS.

I didn’t quite catch the name of the virus. It’s the one that pops up the little icon in your tray that looks like a windows security warning and says your computer is infected with malware. When I rebooted, a MS software removal tool (or something like that) popped up and looked like it was deleting all of my files. Fortunately it started with A and the folders it got to before I pulled the plug weren’t important.

I think I’ll be surfing the dope exclusively from my linux box from now on. Between being a charter member and having what is supposed to be a decent anti-virus (avast) I thought I was reasonably safe here. Guess not.

Just curious about two things (as a member and computer user, not as a moderator):

What OS were you using?
Were you on the site using an administrator account on your computer, or with one that didn’t have administrative privileges?

My XP (8 yr old system) got the nasty a week or so ago. I stupidly was using an account I signed in with as admin. I knew better.

And how do you know that you caught it from here?

In this thread from a couple days ago, Fear Itself links to a site with good removal instructions. My daughter got it on her computer, and she forgot to mention that all her music, photo, video and documents had been turned invisible. Thanks to the other thread, we re-appeared them with ease.

This is a joke right?

Looks like a sincere question to me. A joke would start out something like, “A man with a duck on his head walks into a bar…”

My daughter didn’t catch it from here. Neither did her friend whose computer I’ve been assigned to disinfect.

engineer_comp_geek, were you up to date on the Avast program (Home, Pro) and data?

OS: Windows XP Pro
Antivirus - Avast, recently updated to latest version, fully up to date on virus definitions

I was running with admin privileges.

I was running Firefox, not the latest version since something about the latest version causes videos on certain humour sites to run too slow to be usable. The only web site open was the Straight Dope. I was either on GQ, IMHO, or MPSIMS. I had played a game on it before then, and hadn’t accessed any other web site for several hours prior to this.

Nothing else was running on the computer.

Two other nearly identical systems on the same network were not affected at all. A random attack from the outside would have found other systems first, due to the way my network around my house is laid out.

I don’t see how it could have come from anywhere but here.

Thanks for the removal instructions, but I just formatted the disk and started over. Nuke 'em from orbit, I always say. It’s the only way to be sure.

No. Why would it be? The one thing he didn’t mention in his OP was what gave him the idea that it came from here. It is very common for malware to not alert you to its presence right away.

And he’s right. He shouldn’t be seeing ads here. I don’t, even with Adblock Plus and NoScript disabled. So, if he did see an ad here, it could very well be from a preexisting infection.

I really can’t find a script provider on this page that has a history of malware reports. That said, I run with all but googleanalytics and cdnlayer disabled. The only one is rubicon, which should not be showing any ads to a Charter Member.

Just to clarify, no, I did not see an ad on the page I was viewing. I only mentioned that because a lot of the past problems have been related to ads.

ETA: Adblock Plus was also installed on Firefox.

Why would you do that? I did it because no one ever explained to me that you give the virus the ability to shut down all your folders, keep you from opening Task Manager, even keep you from running things in Safe Mode.

Never mind…

Eh, the last time I caught a virus was when Windows 2000 was the latest and greatest OS out there. I didn’t see any need to go through the pain of running windows as a limited user. I figured if it ain’t broke, don’t fix it.

Today it broke, so now I have to fix it. :P

It’s pretty much the norm for how people run XP. I recently upgraded to Windows 7, but during the many years I ran XP, I always ran it as Admin. It’s just easier.

SuRun makes the burden a whole lot less, but it’s still a bit of a hack, and not something I feel comfortable putting on anyone else’s computer. My parents run it on theirs, but I’m always around to show them when a program won’t work right.

Without SuRun, I would be running as an administrator. And, even with it, I have to allow some programs to run that way that I probably shouldn’t. Fortunately, I also run ProcessGuard, so I know when any executable I don’t recognize tries to use the computer.

In case you really don’t know, this board has a history of malware and virus-laced advertising that The Powers That Be swears is an Internet-wide thing but only seems to happen to the users of this board when they’re browsing the SDMB.

To wit:

http://boards.straightdope.com/sdmb/showthread.php?t=603972&highlight=virus

http://boards.straightdope.com/sdmb/showthread.php?t=603112&highlight=virus

http://boards.straightdope.com/sdmb/showthread.php?t=590786&highlight=virus

http://boards.straightdope.com/sdmb/showthread.php?t=587490&highlight=virus

http://boards.straightdope.com/sdmb/showthread.php?t=567939&highlight=virus

http://boards.straightdope.com/sdmb/showthread.php?t=586697&highlight=virus

http://boards.straightdope.com/sdmb/showthread.php?t=586851&highlight=virus

http://boards.straightdope.com/sdmb/showthread.php?t=585734&highlight=virus

http://boards.straightdope.com/sdmb/showthread.php?t=574252&highlight=virus

Help me out here. I understand that clicking an external link in a post could lead to a virus. What I don’t get is how a virus can lurk on the board itself. I browse here every day with exactly the same setup as the OP (i.e. member, no ads, XP, Admin, Avast), so this is rather worrying. Is it just dumb luck that I didn’t get hit? Could it have been an internal link to a particular thread that was infected? What are the mechanics of these things?

The mechanics of it are a bit complicated.

When you access a page at the straightdope, you are getting data from the straight dope server (which I’m sure you expected) but the web pages are set up to get data from other servers as well. This is mostly advertising related stuff. The straight dope web page calls a script on an advertising broker’s server. This script generally ends up redirecting the request to the server of an advertiser who has paid the broker for this service.

So basically, the straight dope server itself could be corrupted, in which case you’d expect more users to have problems (especially charter members). Or, the advertising broker’s server could be corrupted, in which case you’d still expect more problems with charter members. And finally, you could have the advertising sites themselves corrupted, which is historically where we’ve had a huge problem around here.

It’s also possible that a DNS server anywhere upstream from an affected user could have a DNS cache poisoning problem. In this case, it’s an ISP level problem and not related at all to the straight dope, advertising brokers, or the advertising sites themselves. What happens is that the straight dope has a link for some advertiser. However, when your computer tries to go to that advertiser, your ISP instead directs you to a malware site.

Even though most of the problems have been at the advertisers level, the straightdope has the ultimate responsibility for all of it, since they are the ones who contracted with the advertising brokers. Other web sites are capable of displaying advertisements without constantly serving up malware, and the powers that be here at the dope have been a little too reluctant (IMHO) to accept responsibility for the problem and instead have been pointing to the advertisers. The advertisers wouldn’t be here if the straightdope hadn’t contracted with the particular brokers that they use. The administrators of the straight dope message board have ultimate control of what does and does not go into their web pages. If the straight dope serves up malware, it doesn’t matter if the malware actually came from someone who is essentially the sub-contractor of a sub-contractor. It’s the straight dope administrator’s fault for using those sub-contractors.

I can’t say for certain that this wasn’t a DNS cache poisoning incident, but I think that is fairly unlikely, especially when the straight dope is known to have malware issues.

This particular incident is a bit disturbing to me simply because so far it seems like all of the malware has come from advertisers, and that should not have been a factor here. I hope this gets some serious attention from the admins here. I don’t think they’ve gotten to the bottom of all of the malware issues around here, and I certainly no longer trust this site. I am basically treating this as a known malware site from now on and will be taking appropriate precautions when surfing here.
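The post above describes the mechanism in words: the board’s page tells the browser to fetch from other servers (ad broker, then advertiser), and any of those can be the one serving malware. The script below is an added example, not code from the thread or from the board, that makes that mechanism concrete: given a saved copy of a page, it lists every external host the page loads resources from and separates the hosts that get to run code or render a document inside the page (script, iframe) from those that only serve an image or stylesheet. The HTML and all hostnames in it are constructed for the example, not a capture of the real board.

```python
"""List the third-party origins an HTML page pulls resources from.

Added example for the thread, not the board's code. The sample page and
every hostname in it are constructed; none are real captures."""

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page. The broker script tag and the advertiser iframe
# stand in for the page -> broker -> advertiser chain described in the post.
SAMPLE_PAGE = """
<html><head>
<script src="/clientscript/vbulletin.js"></script>
<script src="https://www.google-analytics.com/ga.js"></script>
<script src="http://ads.example-broker.net/tag.js?site=123"></script>
<link rel="stylesheet" href="//cdn.example-cdn.com/style.css">
</head><body>
<img src="images/logo.png">
<iframe src="http://creative.example-advertiser.org/ad.html"></iframe>
<a href="http://boards.straightdope.com/sdmb/showthread.php?t=1">thread</a>
</body></html>
"""

# Tag/attribute pairs that make the browser fetch (and for script/iframe/
# embed/object, execute or render) content automatically on page load.
# Plain <a href> is deliberately excluded: it does nothing until clicked,
# which is exactly the distinction the question in the thread draws.
_LOADING_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
    "embed": ("src",),
    "object": ("data",),
}

# Hosts in these tags run code in the page or render a document inside it.
_ACTIVE_TAGS = {"script", "iframe", "embed", "object"}


class _ResourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for every auto-loaded resource."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.resources: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for attr in _LOADING_ATTRS.get(tag, ()):
            value = dict(attrs).get(attr)
            if value:
                # urljoin resolves relative paths and scheme-relative "//host"
                self.resources.append((tag, urljoin(self.base_url, value)))


def third_party_origins(html: str, base_url: str) -> dict[str, list[str]]:
    """Map each host other than the page's own to the tags loading from it."""
    parser = _ResourceCollector(base_url)
    parser.feed(html)
    first_party = urlsplit(base_url).hostname
    origins: dict[str, list[str]] = {}
    for tag, url in parser.resources:
        host = urlsplit(url).hostname
        if host and host != first_party:
            origins.setdefault(host, []).append(tag)
    return origins


def active_content_hosts(origins: dict[str, list[str]]) -> set[str]:
    """Hosts that can execute code or render a frame in the page; for a
    malvertising question these are the ones that matter, as opposed to a
    host that only serves an image or a stylesheet."""
    return {h for h, tags in origins.items() if _ACTIVE_TAGS & set(tags)}


if __name__ == "__main__":
    found = third_party_origins(SAMPLE_PAGE, "http://boards.straightdope.com/sdmb/")
    for host, tags in sorted(found.items()):
        print(f"{host:35} {', '.join(tags)}")
    print("active content from:", sorted(active_content_hosts(found)))
```

Run against a page saved from the browser (view-source, saved to disk) with the board’s URL as `base_url`; any host that shows up under script or iframe is a server whose compromise would put code into the page regardless of whether you ever see an ad. Note that this only covers what is in the static HTML: a broker script that runs and then injects further tags is not visible until you capture the page after it has executed, and nothing here detects the DNS cache poisoning case the post mentions, where the hostname is legitimate but resolves to the wrong address.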

I would hope that means you’re no longer surfing the SDMB with Admin privileges enabled? Right?