Warning: EntropiaForum - Marked as unsafe

Discussion in 'About EntropiaPlanets' started by NotAdmin, Mar 20, 2010.

  1. NotAdmin

    NotAdmin Administrator

    No, not trying to discredit EF in any way, but when visiting the site earlier, I got warnings from MS the site has been marked as unsafe. I was dumb enough to click through, and now found my puter to be acting weird.

    Apparently, I'm not the only one either. There's a few threads up on EF.

    Symptoms on my end: Win7 using IE8. In the folder C:\Users\<username>\AppData\Local\Temp\Low I found a few .exes running, some of which had also been started (as visible in the task manager).

    IE completely is fucked up under 32 bit mode. I am using 64 bit mode now, and will not click through after the warning this time.

    Just a heads up.
     
  2. Yeah got it on my xp pc. It installed a bunch of crap...

    removed it with malwarebytes, and trend online scanner...

    also lost connectivity after i "cleaned" it...found a proxy running...

    deleted it and seems to be back to normal..

    just what I found on my end.

    My win7 machine catches it and allows me to block it. Definitely IE though, don't get it on Firefox. And only on EF.

    [IMG]

    [IMG]
     
  3. NotAdmin

    NotAdmin Administrator

    I found some files named afk.exe or similarly named running as well as in the folder above. There's also a dll in there.
     
  4. Predden

    Predden -= SHS =-

    It's trying to install some java addon.... don't trust java :/
     
  5. NotAdmin

    NotAdmin Administrator

    I got rid of it by killing the rundll32.exe process in my task manager, and then cleaning out the above mentioned folder. I wiped the exes and dll, and a .pak file that had the same timestamp as those files.

    My AVG did not pick it up for some reason. :(
     
  6. Ya Avast didn't catch it either.

    Here's my log from malwarebytes....there are some reg keys too...

    Malwarebytes' Anti-Malware 1.44
    Database version: 3865
    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    3/20/2010 11:33:49 AM
    mbam-log-2010-03-20 (11-33-49).txt

    Scan type: Quick Scan
    Objects scanned: 113224
    Time elapsed: 6 minute(s), 20 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    C:\Documents and Settings\Steve\Local Settings\Application Data\vaqbwc\qlousftav.exe (Trojan.FakeAlert) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\udkkukxx (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\udkkukxx (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Steve\Local Settings\Application Data\vaqbwc\qlousftav.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Steve\Local Settings\Temp\waXB.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\02TWZCBZ\n002106201r0409Re90de064Xd13e86dcY9a9ae8b1Z0100f080316P000000070[1] (Trojan.FakeAlert) -> Quarantined and deleted successfully.
     
  7. RAZER

    RAZER Custom title ... uh ...

    here you go:

    [IMG]

    No problems with Firefox

    I have Sophos running, but just don't wanna take the risk, maybe I'll try with a virtual machine.

    [edit]
    when going to EF with a virtual Windows XP the virtual machine went haywire so something is definitely wrong there, BE CAREFUL !!!!
    [/edit]
     
  8. Wed

    Wed The one and only...

    I get the same on windows 7 and IE :handjob:

    :jump:
     
  9. RAZER

    RAZER Custom title ... uh ...

    before I went to EF:

    [IMG]

    after I went to EF:
    [IMG]

    notice Nhf.exe and Nzamya.exe

    some info on Nhf.exe:
    http://www.prevx.com/filenames/2247802099186956637-X1/NHF.EXE.html

    can't find anything on Nzamua.exe

    Got this message as well:
    [IMG]

    They both keep my processor busy as well

    offtopic:
    nice to have a virtual machine so you can test these things out a bit :)

    ---------- Post added at 19:39 ---------- Previous post was at 19:33 ----------

    tried it again and now got Nhd.exe and Nzamya.exe

    [IMG]

    I think 711 should take the site offline asap
     
  10. NotAdmin

    NotAdmin Administrator

    Aye, that's why I put the thread up here, to ensure people are aware something's not right. It might make the difference between updating virus definitions or something nasty happening.

    I remember an incident at work with the Slammer worm, where one colleague apparently discovered he had it, patched, and continued working.

    A few hours later, it hit the rest of the company, basically shutting it down. If the guy had alerted helpdesk, we all would have been patched, and hundreds of thousands of dollars would have been saved.
     
  11. Stave

    Stave Guest

    Yes, reports of people getting intrusions and viruses on there, last I read was someone got a key logger on the latest Firefox, and now I've read that I don't think I'll be going anywhere near it any time soon...
     
  12. RAZER

    RAZER Custom title ... uh ...

    Installed Sophos anti virus on the virtual machine and got this from it:

    [IMG]

    and a crashing IE6
     
  13. Psst, IE6 may not be used anymore, even Microsoft said so

    Recap. Is Internet Explorer affected only, or also Firefox? Second, has somebody tried a Linux system?
     
  14. RAZER

    RAZER Custom title ... uh ...

    yeah I know, but it is only on a virtual machine, using Firefox in real life and so far no problems with that.
     
  15. btw running iptraf on linux and no outgoing unknown connections so linux is clear for now ... hell linux is always clear of malware ..
     
  16. After I cleaned it, IE8 was crashing and showed blank no connection page.

    I found a proxy server turned on under:
    Internet options, connection, LAN settings.....deleted it and working fine since...

    just fyi. :)
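One defender-side check for the three artefacts the posters describe (an .exe running from a per-user temp/AppData folder, a Run-key entry that relaunches it, and the LAN proxy that post 16 found switched on), written here as an added PowerShell example that is not code from this thread; the registry paths and value names are the standard Windows ones, the folder pattern is an assumption built from the paths quoted above, and the script only reports, it deletes nothing:

```powershell
# Added example, not from the thread. Read-only checks for the persistence
# artefacts described in posts 1, 5, 6 and 16.
# Folder pattern is an assumption derived from the paths quoted in the thread:
# Local Settings\Application Data (XP), AppData\Local\Temp\Low (Win7), Local Settings\Temp.
$SuspiciousPath = '(?i)\\(Local Settings|AppData\\Local|Temp)\\'

function Get-SuspiciousRunEntries {
    # Both Run keys the Malwarebytes log in post 6 reported entries under
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PowerShell's own metadata properties
            if ("$($prop.Value)" -match $SuspiciousPath) {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value }
            }
        }
    }
}

function Get-SuspiciousProcesses {
    # .Path is $null for processes we are not allowed to open, so those never match
    Get-Process | Where-Object { $_.Path -match $SuspiciousPath } |
        Select-Object Id, ProcessName, Path
}

function Get-WinInetProxy {
    # The setting behind Internet Options > Connections > LAN settings
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $s = Get-ItemProperty -Path $inet
    [pscustomobject]@{
        Enabled = ($s.ProxyEnable -eq 1)
        Server  = $s.ProxyServer
    }
}

Get-SuspiciousRunEntries
Get-SuspiciousProcesses
$proxy = Get-WinInetProxy
if ($proxy.Enabled) { "Proxy is ENABLED: $($proxy.Server)" } else { 'Proxy disabled' }
```

Run it from an elevated prompt so the HKLM Run key and other users' processes are readable; a hit is a lead to investigate, not proof of infection on its own.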
     
  17. RAZER

    RAZER Custom title ... uh ...

    This is what 711 writes on EF.

    Looks like all is well again on EF
     
  18. Using latest Firefox and sitting behind NOD32, found nothing irregular.
    I think it has become a cliche to tell people to move on to Firefox, but really,
    this is one thing you really SHOULD do. Heads up. <:
     
  19. narfi

    narfi Lost

    Yep... I'm pretty sure IE is from the devil :( though I did close the ef tab on my firefox browser for the day, I don't mind being cautious. narfi
     