
Gathering Data for Website Intrusion Detections


Munsch

What software are you running when it happens?  

39 members have voted

  1. Operating System?

    • Windows XP 32bit: 9
    • Windows XP 64bit: 11
    • Vista 32bit: 7
    • Vista 64bit: 5
    • Mac: 0
    • Linux/Unix (or similar flavor): 0
    • Windows 7 32bit: 2
    • Windows 7 64bit: 5

  2. Internet Explorer?

    • Firefox: 9
    • Microsoft IE 32bit: 16
    • Microsoft IE 64bit: 19
    • Safari: 0
    • Chrome: 2

  3. Anti-Virus?

    • Symantec/Norton: 10
    • Microsoft Security Essentials: 1
    • AVG: 10
    • Avast: 10
    • McAfee: 4
    • Kaspersky: 2
    • Panda: 0
    • PC Tools: 1
    • Sophos: 1
    • Trend Micro: 0
    • BitDefender: 1
    • F-Secure: 1
    • ESET Nod32: 2



Please make sure you only vote on the poll if you had the problem.

I am aware many people have more than one computer, so you will be able to choose more than one selection up above. Also, if you can, copy the error message given into this post. Please include the detail report given by your Anti-Virus of this message, or as much as you are technically capable of. Anything else could be deleted to help keep this post clean and less confusing. If you see something not above in the poll, post it and wait for it to be updated to vote. I will update it ASAP and then delete your post as indication of being updated. Once you see it deleted you may vote in the correct place and give your report details.

Link to comment

The banners are hosted by Google, so it's possible that Google is allowing an intrusion. I highly doubt it, but it's a possibility.

Everyone can try this:

Scan for malicious iframes: http://www.novirusthanks.org/services/scan-websites-for-iframes/

Scan for parasites: http://unmaskparasites.com/security-report/

Scan with Norton: http://safeweb.norton.com/report/show?url=http%3A%2F%2Fdinarvets.com&x=0&y=0

Scan with AVG: http://www.avg.com.au/resources/web-page-scanner/

As you will see, scanning with all of these top notch services reports DinarVets.com as being 100% clean.

Link to comment

Here are the log details from Avast:

7/8/2010 2:27:06 PM SYSTEM 1428 Sign of "HTML:Downloader-F [Trj]" has been found in "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\213ZY6A5\exemple[1].htm" file.

7/10/2010 1:24:36 PM SYSTEM 1428 Sign of "HTML:Downloader-F [Trj]" has been found in "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\P09ONV9R\exemple[1].htm" file.

Something else I noticed. When I opened the website and after getting this notice I see down in the left-hand corner the "Done, but with errors on this page." notification. When I open that the details say this:

Webpage error details

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

Timestamp: Sat, 10 Jul 2010 18:25:36 UTC

Message: Object expected

Line: 1

Char: 1

Code: 0

URI: http://74.81.73.126:81/exemple.com/

----------------------------------------------------------------------------------------------------------------

Separate report on a different machine and time:

Log details:

Filename: exemple[1].htm Bloodhound.Exploit.337

exemple[2].htm Bloodhound.Exploit.337

After it prompted the warning and kicked me out it popped up the Command Prompt and Windows Help. I closed both of them immediately and checked Task Manager for Bloodhound.Exploit.337 or anything else out of the normal, which it did not have.

Link to comment

Please make sure you only vote on the poll if you had the problem.

I am aware many people have more than one computer, so you will be able to choose more than one selection up above. Also, if you can, copy the error message given into this post. Please include the detail report given by your Anti-Virus of this message, or as much as you are technically capable of. Anything else could be deleted to help keep this post clean and less confusing. If you see something not above in the poll, post it and wait for it to be updated to vote. I will update it ASAP and then delete your post as indication of being updated. Once you see it deleted you may vote in the correct place and give your report details.

My message says: malicious URL Blocked. Have you all tested pages for viral problems and malware problems? This is what my son claims may be the problem; sometimes malicious people leave a bug. I haven't been able to log in since Monday with this. I have done everything, including refreshing the configuration on my own system. Nothing works. But yours is not the only site doing this. I went to vistaprint to order cards and I couldn't even get in there. Perhaps there is an ad with some configuration problem or some glitch. All I can tell you is what my very loud warnings say. Also, with my security program phishing sites are blocked.

We even put my computer through viral and malware tests to check to see if it had been compromised. It is clear and clean, therefore it is obvious something on your site is in conflict with our computer systems. Please advise us by email, as I cannot access with all the bells going off with warning, warning, warning, malicious software blocked. I do wish to ask: is this site collecting info on visitors or phishing? If so, that could cause a lot of this.

Thank you. Please, Administrator send out emails to advise when this is repaired or a solution is found until then I cannot access DV and listen to all my bells whistles go off screaming warning, warning. Please, keep us informed.

My browser is Explorer 8.

Thank you.

Link to comment

Hi Munsch. Thanks for your interest in helping to resolve the issues as best you can - so far, I've seen more posted from you than anyone in trying to get to the bottom of it, though I know there are probably several behind the scenes working on it.

I didn't take the poll b/c I have IE8 128-bit, least that's what my "about" page says - and that's not an option listed on the poll. Also, I have XP Pro 32-bit & I run PCTools - Spyware Dr. (which is Antivirus Software). This is the same company I believe Adam either uses or recommended - I'm going from memory here on that though - based on the initial thread that started the red flags. I also run Spybot as an added security. I have not been on much today at all, but yesterday I was hit again immediately upon accessing the site. I wrote everything down I could - including an IP address it looks like. The block was for HeurEngine Malicious Exploit - my "access was blocked due to the detection of potentially malicious exploits". I have also in the past, before I started recording them, received the Trojan notices as well.

Mine started about the same time I believe Denbo (again - unsure as I'm going from memory here) struck up the 1st post. It had been happening to me out of nowhere for a couple days prior to that posting. At that time, I had been logged in for days, so it did not necessarily happen upon log-in like some. It would happen either upon 1st accessing the site, or upon hitting one of the tabs. I'd had no issues before & I've been visiting the site as a member since June, as a visitor since April. I've had no software or operating system changes on my system since my visits to DV, or even well before. Nor in my settings to those softwares.

Again, I didn't worry about it excessively b/c my software does an admirable job of catching it, but it is still a concern. I'd actually hoped this was all cleared up until I got hit yesterday. I'd gone for several straight days with no issue. But then yesterday, it did happen, so... Anyway, hope this is helpful - if I get any more messages, I will pass them along - thanks again :) .

Link to comment

You're still blaming the wrong thing (stop with the operator error excuse already bro). It's coming from this site. It did not appear today so far and it may be gone. One of them was mal/jafuzzo-A.

I am not blaming the operator??? I am blaming maybe the operating system Microsoft though. :P

Hi Munsch. Thanks for your interest in helping to resolve the issues as best you can - so far, I've seen more posted from you than anyone in trying to get to the bottom of it, though I know there are probably several behind the scenes working on it.

I didn't take the poll b/c I have IE8 128-bit, least that's what my "about" page says - and that's not an option listed on the poll. Also, I have XP Pro 32-bit & I run PCTools - Spyware Dr. (which is Antivirus Software).

Thanks ... And the 128 bit is a little different from up above. That is the cipher strength. What you have is IE 32 bit due to having XP 32 bit. (Example of IE 64 bit .... I have Vista Ultimate 64 bit Operating System ... It comes with normal IE (seen as 32 bit edition) and IE 64 bit edition too.)

Link to comment

Thanks ... And the 128 bit is a little different from up above. That is the cipher strength. What you have is IE 32 bit due to having XP 32 bit. (Example of IE 64 bit .... I have Vista Ultimate 64 bit Operating System ... It comes with normal IE (seen as 32 bit edition) and IE 64 bit edition too.)

I don't know if this matters, but this is not the IE that came w/ the system. I downloaded (upgraded) to IE8 w/ Yahoo toolbar right after I got this computer. Been running it ever since. You could be right, I do consider myself a little more knowledgeable than the average person about computers, but am certainly not an expert. What I reported to you was in the "About" section of the "Help" tab within the IE I'm running. Didn't know if this upgrade early on made a difference in the info or not, so fyi :) .

Link to comment

I don't know if this matters, but this is not the IE that came w/ the system. I downloaded (upgraded) to IE8 w/ Yahoo toolbar right after I got this computer. Been running it ever since. You could be right, I do consider myself a little more knowledgeable than the average person about computers, but am certainly not an expert. What I reported to you was in the "About" section of the "Help" tab within the IE I'm running. Didn't know if this upgrade early on made a difference in the info or not, so fyi :) .

No it makes no difference. On this machine I run IE 8 and it is 256-bit cipher strength. You are still running a 32 bit program (IE) on a 32 bit OS (XP) ... this is different than the cipher strength. Cipher strength is the encryption it uses to send data over the net while 32 bit and 64 bit is the way it is programmed to build the software or hardware. If you need any more help please feel free to PM me.

Link to comment

Please make sure you only vote on the poll if you had the problem.

I am aware many people have more than one computer, so you will be able to choose more than one selection up above. Also, if you can, copy the error message given into this post. Please include the detail report given by your Anti-Virus of this message, or as much as you are technically capable of. Anything else could be deleted to help keep this post clean and less confusing. If you see something not above in the poll, post it and wait for it to be updated to vote. I will update it ASAP and then delete your post as indication of being updated. Once you see it deleted you may vote in the correct place and give your report details.

Munsch....thank you....I have been having the problem since last Thursday or Friday....had a few times that my antivirus popped up with a malicious/trojan etc.etc...on Saturday/Sunday? I was not able to get into the system at all...I would come into site and as soon as I clicked on a tab I was immediately kicked off the internet...this is the only site I am having a problem with...I am using my husband's computer to convey this info to you....he is rarely on the site and does not seem to have a problem...appears as though something happened the end of last week and have had a problem since then...my husband has not been on in a few weeks, perhaps this is why his computer has not been affected....Thank you for your help...Linda

p.s. I will try to get further info on just what my notice says next time I go on...

Link to comment

The only way we can get to the bottom of this is to get a lot of feedback from the members who are having the problems.

I don't see ANY errors, and I've tried several ways from several computers to find what everyone is talking about - I can't find it.

I've had the host scan the server 4 times - no viruses.

I've run multiple third party tests - DinarVets comes up clean on all of them.

How about this - can someone please take some screenshots or video of the trojan or virus warnings you are getting?

http://www.wikihow.com/Take-a-Screenshot-in-Microsoft-Windows

Thanks.

I take this very seriously and I'm doing everything I can to get this issue solved once and for all.

Link to comment

I've attached a screen shot. As I've indicated before, I only get these warnings on this site. The viruses/malware attempt to shut down my Desktop Firewall as well. Thankfully WebRoot quarantines these and I'm able to delete the files. Thanks for your efforts in trying to determine the problem. It seems to also start loading Java....not sure if that will help.

post-14524-127922889792_thumb.png

Link to comment

I heard about a Koobface virus coming from Facebook - if you're getting this virus notice, please confirm or deny that you have a Facebook account.

Don't have a Facebook account...not sure why would that only give me warnings when I visit this site?

Link to comment

Hey guys.....YEA!!!! I too was getting that stupid virus deal every time I logged onto DV and nowhere else. I cleared all history/caches and re-started my computer and I no longer get that virus message. Worth a try. Only takes a few minutes and the worst thing that could happen would be that it doesn't work like it did for me:0

Link to comment

7/15/2010 4:02:40 PM Detected: Trojan.JS.Agent.bmh Internet Explorer http://74.81.73.126:81/exemple.com/

Adam, my Kaspersky virus protector grabbed this as a hit that I took on here today!! I am not a computer person but this is what my protector logged!! Hope it helps!

Same location I got and the file name was exemple. What is this 74.81.73.126 address anyway??? This could be where the issue is coming from? I was able to trace it back to some company called GNAX which seems to be a data storage center. ARIN: WHOIS Database Search Results - http://ws.arin.net/whois/?queryinput=74.81.73.126

Link to comment
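The cross-checking the posts above do by hand (the same file name and the same 74.81.73.126:81 address turning up under different products) can be done mechanically. This is an added example, not part of the thread: it pulls host and resource-name indicators out of report lines quoted from the posts and lists which reports share each one. The reporter labels and the name-matching heuristic are assumptions made here.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

SITE = "dinarvets.com"  # the site members were browsing when the alerts fired

# Report lines copied from posts in this thread; the short labels are added here.
REPORTS = [
    ("avast-log", r'7/8/2010 2:27:06 PM SYSTEM 1428 Sign of "HTML:Downloader-F [Trj]" '
                  r'has been found in "C:\Documents and Settings\Administrator'
                  r'\Local Settings\Temporary Internet Files\Content.IE5\213ZY6A5'
                  r'\exemple[1].htm" file.'),
    ("ie8-error", "URI: http://74.81.73.126:81/exemple.com/"),
    ("second-machine", "Filename: exemple[1].htm Bloodhound.Exploit.337"),
    ("kaspersky", "7/15/2010 4:02:40 PM Detected: Trojan.JS.Agent.bmh "
                  "Internet Explorer http://74.81.73.126:81/exemple.com/"),
    ("avast-block", "site blocked malicious malware : "
                    "www.dinarvets.com/forum/(gzip) script-inf file detected."),
]

URL_RE = re.compile(r"(?:https?://)?[\w.-]+\.[\w-]+(?::\d+)?/\S*")  # with or without scheme
CACHE_RE = re.compile(r"([\w.-]+)\[\d+\]\.html?")  # IE cache copy, e.g. name[1].htm


def indicators(line):
    """Return the host and resource-name indicators found in one report line."""
    found = set()
    for tok in URL_RE.findall(line):
        parts = urlsplit(tok if "://" in tok else "//" + tok)
        port = f":{parts.port}" if parts.port else ""
        found.add(f"host:{parts.hostname}{port}")
        segs = [s for s in parts.path.split("/") if s]
        stem = re.match(r"[\w-]+", segs[-1]) if segs else None
        if stem:  # heuristic (assumption): last path segment minus its extension
            found.add("name:" + stem.group())
    for stem in CACHE_RE.findall(line):
        found.add("name:" + stem)
    return found


def correlate(reports):
    """Map each indicator to the sorted list of reports that contain it."""
    seen = defaultdict(set)
    for reporter, line in reports:
        for ind in indicators(line):
            seen[ind].add(reporter)
    return {ind: sorted(who) for ind, who in seen.items()}


def off_site_hosts(reports, site=SITE):
    """Hosts named in the reports that are neither the site nor a subdomain of it."""
    hosts = {i[5:] for i in correlate(reports) if i.startswith("host:")}
    return sorted(h for h in hosts if not ("." + h.split(":")[0]).endswith("." + site))


if __name__ == "__main__":
    for ind, who in sorted(correlate(REPORTS).items()):
        print(ind, "<-", ", ".join(who))
    print("off-site:", off_site_hosts(REPORTS))
```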

The only way we can get to the bottom of this is to get a lot of feedback from the members who are having the problems.

I don't see ANY errors, and I've tried several ways from several computers to find what everyone is talking about - I can't find it.

I've had the host scan the server 4 times - no viruses.

I've run multiple third party tests - DinarVets comes up clean on all of them.

How about this - can someone please take some screenshots or video of the trojan or virus warnings you are getting?

http://www.wikihow.com/Take-a-Screenshot-in-Microsoft-Windows

Thanks.

I take this very seriously and I'm doing everything I can to get this issue solved once and for all.

I as well have checked and scanned numerous times, as this issue makes me nervous, so far ...nothing, zero, bupkis, and know what? I'm glad.

pp

Link to comment

Same location I got and the file name was exemple. What is this 74.81.73.126 address anyway??? This could be where the issue is coming from? I was able to trace it back to some company called GNAX which seems to be a data storage center. ARIN: WHOIS Database Search Results - http://ws.arin.net/whois/?queryinput=74.81.73.126

74.81.73.126 my guess is that it is their IP address but............ I could be wrong! lol Like I said this is not a strong point for me but I can lift heavy objects!!! :o:D:lol::lol:

Link to comment

The notice ONLY comes up on the Computer running Avast for security. I have tried all the suggestions: clearing cache even tried to exclude DV from the scan. Results still the same: I just now read how to get screenshot (tried but failed last night) after coffee ( lol ) I will try this again.

The error is always the same site blocked malicious malware : www.dinarvets.com/forum/(gzip) script-inf file detected.

Must be a pain for your techs. Thanks for all that you do.

Be back later.

Eagle Eye

Link to comment

The notice ONLY comes up on the Computer running Avast for security. I have tried all the suggestions: clearing cache even tried to exclude DV from the scan. Results still the same: I just now read how to get screenshot (tried but failed last night) after coffee ( lol ) I will try this again.

The error is always the same site blocked malicious malware : www.dinarvets.com/forum/(gzip) script-inf file detected.

Must be a pain for your techs. Thanks for all that you do.

Be back later.

Eagle Eye

OK, this is the warning I get every time no matter what I try. The only way around it so far is turning off Avast. If it cannot be fixed and it is, as it seems to be, an Avast issue, let me know and I will get some other anti-virus SW...Thanks again

Link to comment

I too have been getting strange errors from this site....bloodhound.exe...which norton has blocked on several of the threads I have tried to open. I've never had any problems until this week. I hope Admin can find the source of this problem..because it does make you a little uneasy to even log-in and open any threads for fear of getting some type of bad virus.

Link to comment

Apparently the issue is fixed, since nobody is complaining anymore.

:lol:

Glad everyone is ok now! Sorry for the annoyance. Apparently there was a glitch or a bug in one of the Microsoft updates that conflicted with Java and threw a false warning at everyone who has Norton or the other AV that was giving the warning. As a precaution, I'd recommend everyone scan and clean their system. If you don't have a good AV, you can download a free malware remover called "Malwarebytes" by going to this site: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

Link to comment

This topic is now closed to further replies.