Weird Code Trying To Install To My Computer!

Yesterday while I was browsing ATS, something weird happened. Internet Explorer gave me a warning message about snapview.ocx then a pdf file tried to open. Then my firewall warned me that e.exe needed permission to get on the net. I pulled my ethernet cable and proceded to remove all the trojans from my computer.

This happened again today when I came back to ATS. Has ATS been compromised by malicious code? Has anyone else noticed this?

After looking into it, e.exe is a trojan (benpao) and while I was able to detect it and remove it, I wondered how many people have been affected by this on ATS. There is a known vulnerability with snapview.ocx which can remotely run malicious code on your machine.

Since I am hoping that ATS is on the up and up, I am assuming that ATS has been compromised in some manner. I know that the Paris Hilton website, among others, had been hacked, malicious code had been installed and had been infecting visitors until the code was discovered and removed. It was not the fault of the site owners but the hackers.

I figured this would be the forum to find out if anyone else had seen this.

If this happens again, I will get some screenshots to put on this thread.

To the mods or ATS IT contact, I did get a log file of the stuff that was removed. Let me know if you would like a copy.





Thread title modified to reflect that the code or issue is not coming from ATS servers.

[edit on 8-3-2009 by SkepticOverlord]

reply to post by xman_in_blackx


maybe you can take screen shots when you get these?
give us a visual picture

First my suggestion to you is stop using IE and switch to firefox with the Noscript add-on.

Secondly, chances are, it was an ad that contained the code. It happens, I doubt ATS had anything to do with it.

.02

Originally posted by xman_in_blackx
Since I am hoping that ATS is on the up and up, I am assuming that ATS has been compromised in some manner.

No.

A third-party professional server security firm installed scanning software, and regularly monitors the twice-daily scans... I've just checked the results of today's scan, and none of our servers are reporting any "compromise" of any sort. In the 21 months we've been performing the daily scans, nothing has ever come up.

To the mods or ATS IT contact, I did get a log file of the stuff that was removed. Let me know if you would like a copy.

Please send it to me via U2U.

In nearly all the previously reported cases of similar problems, the actual source of the issue has been pre-existing malware on the user's computer.

Originally posted by xman_in_blackx


If this happens again, I will get some screenshots to put on this thread.

Why not take evidence the first time?

Sorry short post but I smell a rat

Only my opinion not a personal attack.

Upon further research, one of our ad "partners" was using content from what appears to be a potentially compromised web server. The firm is question was using the YieldManager ad server, and using content from another domain which was a Windows server that is showing extraneous material in HTTP headers. I'm not sure if this is the source, but it's certainly not appropriate.

That particular ad provider has been negated from delivery on ATS until the situation is fixed. It doesn't look like purposeful malware from an advertiser, simply an advertiser using a compromised server for their content.

Um...I clicked on this thread twice, and both times while I was reading it 10 windows just opened up of...ads..and porn things..

Originally posted by kuhl

Originally posted by xman_in_blackx


If this happens again, I will get some screenshots to put on this thread.

Why not take evidence the first time?

Sorry short post but I smell a rat

Only my opinion not a personal attack.

Kuhl,

Your "opinion" sure sounds like a personal attack.

I find it interesting that rather than asking for more information, you would rather smell a rat. Having been in the IT field for 12 plus years, I find your attitude odd for someone who should be getting to the bottom of the issue. Before making accusations, I would want a lot more data. I am not a troublemaker. I admit that I should have looked further into where the appropriate place to post this was, but that doesn't make me a rat.

SkepticOverlord,
I can assure you that I keep my machine free of bugs and I have the latest Antivirus defs.

After my computer flipped out when I was on ATS for the second time, I figured I should let someone know and I did just that. I thought about getting a screenshot only after I stopped it from downloading. It was then too late.

Also, you should be advised that when you try to stop it, the computer is doing something CPU intensive to where a CTRL-ALT-DEL takes about 1 minute to take affect.

As soon as I hit reply on this I will U2U you my MalwareBytes logfile of what was removed. If there is indeed a new exploit, it might be helpful.

If you need more info, just let me know.

reply to post by SkepticOverlord



Skeptic,

Thanks for taking the time to look into it and for taking me seriously. I appreciate that

reply to post by enjoies05


Sounds like a variant of the ever constant Vundo

The only thing good about that piece of malware is there are a number of solutions available for it.

Originally posted by enjoies05
10 windows just opened up

We have no code that launches pop-up windows. It's not from us.

reply to post by InSpiteOf



Vundo is what malwarebytes called it in the removal. Others called it benpao. I don't know if it is a variant or not.

Ive had this happen before also, it turned out to be just as SO claimed; from an ad that was hosted from an compromised server. As earlier posted it sounds like the Vundu trojan,

! recommendation, when cleaning your pc of trojans and other malware, turn off windows system restore untill everything is cleaned, after verifying that everything is good, then turn system restore back on; this will prevent reinstallation of unwanted malisciious code that was stored in a restore file.

I've seen the disinfectant log, and it is the Trojan.Vundo.H malware, which is typically used to display lots of pop-ups ads, and fool you into buying bogus malware removal tools which are actually malware themselves.

According to several sources, the most common method of infection is through email and compromised browser plug-in installers. The trojan can be installed through a couple IE browser exploits, and the most common method for that is through Java (we don't use any Java on ATS).

It's unlikely that the compromised asset server I discovered would have installed something like this... it needs more than HTTP headers to deliver its payload, it needs an executable file.

reply to post by xman_in_blackx


Vundo is a pain more than anything else. My Room mates computer gets hit with it easily once a month and he comes to me for removal. But thats what happens when you browse too many, ehem, "questionable" websites.

Skeptics right, from my experience, its dropped right in from a Java exploit, or an IE exploit.

Malwarebites is a wicked piece of freeware, but usually to nail Vundo, i use Combofix or Smitfraudfix.

More out of habbit than anything else, as from my experience, malwarebites usually nails vundo and its variants.

Just make sure those system restore points are cleaned too


Edit to add: A general item of importance when dealing with this, or any malware. You'd be suprised at how many people dont lock down their Administrative accounts with a good password. I cant tell you how annoying it is to try and remove Vundo without Admin privileges...

[edit on 8-3-2009 by InSpiteOf]

reply to post by xman_in_blackx


You might have the new facebook virus.

Start worrying when you detect the MoD trying to get into your computer ;-)

It probably would be wise to run a virus scan to catch any possible trojan's etc that could harm your computer.

im having a similar problem with internet explorer. fwlink.exe from microsoft.com

weird. I switched over to firefox.

I too have had something try to install when I visit ATS (about 5 times) , but my pop up blocker stops it. Haven't really paid any attention to it, something like "so and so needs to install something or another, will you allow it?" or something like that.

I think it's java?

Okay, I just got it again:

"An add on for this website failed to run. Check the security settings in Internet options for potential conflicts."

Oh course, this probably has nothing to do with your situation. But that's what I get, and I really haven't paid it much attention.