The forum of the forums
Welcome to the Official Support Forum of Forumotion!

To take full advantage of everything offered by our forum, please log in if you are already a member, or join our community if you've not yet.



Create a free forum like this one.

Trojan:JS/Redirector.E

View previous topic View next topic Go down

In progress Trojan:JS/Redirector.E

Post by peter59 on January 17th 2012, 10:36 pm

Edit kirk.
This has been passed on to the Godfather and a request has also put in for a tech to look into. For the safety of others i have removed the link to your forum.
Please do not post the link to your forum until this problem is resolved. I have sent your forum link to the Godfather in the request message as well.
Thank you



Can anyone advise?

I posted this early Jan the image below is what members were getting. We thought we had solved the problem. but its reappered. Its goe's away if smart filter is turned off, but a lot of members don't like turning smart filter off. It only happen to those using EI.


I have been intouch with microsoft ( No Easy Task( and received this today they are saying. "Thank you for contacting Safety Filter Support. The site in question, currently appears to be hosting the Malware threat Trojan:JS/Redirector.E.
For more information concerning this threat:"

Trojan:JS/Redirector.E (?)

Encyclopedia entry
Updated: Apr 17, 2011 | Published: Mar 20, 2008

Aliases
Win32/Spy.Bancos.U (ESET) Trojan-Spy.Win32.Bancos.ha (Kaspersky)
PWS-Banker.gen.h (McAfee)

Alert Level (?)
Severe
Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.117.2303.0
Released: Jan 05, 2012 Detection initially created:
Definition: 1.45.287.0
Released: Oct 07, 2008


They also sent this "The following is an example of a file download that has this Malware threat:
www.1879zuluwar.com/users/2911/13/13/79/smiles/573335.gif"

peter59
Forumember

Male Posts : 106
Reputation : 0
Language : English
Location : Kent

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by SLGray on January 17th 2012, 10:51 pm

@peter59 wrote:They also sent this "The following is an example of a file download that has this Malware threat:
www.1879zuluwar.com/users/2911/13/13/79/smiles/573335.gif"

I believe that is a link to a smiley. Have you tried to delete that smiley?

SLGray
Administrator
Administrator

Male Posts : 36663
Reputation : 2444
Language : English
Location : United States

http://ztwds.forumotion.com/

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by peter59 on January 17th 2012, 11:02 pm

I have deleted about 8. that had simular codes to the example. I have only 6 smilies left and the codes are nothing like the example.

peter59
Forumember

Male Posts : 106
Reputation : 0
Language : English
Location : Kent

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by Guest on January 17th 2012, 11:40 pm

Your "harmless" smiley contains the following code:

Code:
<IFRAME SRC="http://www.ciudad.com.ar/ar/popunder/p_submit.asp?site=personales.ciudad.com.ar" width=1 height=1></IFRAME>
<SCRIPT LANGUAGE="JavaScript"><!--
for (var i=1; i<15; i++){setTimeout('self.focus();',i*30);}
--></SCRIPT>
That code can be inserted into the DOM on forumotion boards since they use phpBB2 server scripts. Whether the code works or not, I do not know...I'm certainly not going to attempt to use the smiley on a board of mine!

If I were you, I would never, EVER again use a smiley from where you obtained it. And for the benefit of people here, it would be great if you let us know where you found that smiley.

Guest
Guest


Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by peter59 on January 17th 2012, 11:44 pm

Dion. You say "Your "harmless" smiley contains the following code:" Sorry which smiley are you talking about.


peter59
Forumember

Male Posts : 106
Reputation : 0
Language : English
Location : Kent

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by peter59 on January 17th 2012, 11:52 pm

The only smilies i have left contain code like this.
http://illiweb.com/fa/i/smiles/icon_smile.gif?t=1326840650

peter59
Forumember

Male Posts : 106
Reputation : 0
Language : English
Location : Kent

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by kirk on January 17th 2012, 11:53 pm

I will not even go there, you all know what happened to me last time i went there and tried to help for this problem.

If i was you i would change your forum version to another forum version, then go back to the one you have now, and re-do all your forums appearances and stuff. Delete any custom.
templates and turn off the html for starts.

You obliviously have some bad corrupt coding something on your site that is infected with this.

It could be that the members their self are already have this virus and are not aware of it?

But it's fake message and not even from microsoft.

http://answers.microsoft.com/en-us/ie/forum/ie8-windows_other/ie8-blocked-message-this-website-has-been-reported/f4534ece-019a-47e1-91e0-a5a1c2bac702

http://www.2-viruses.com/remove-fake-warning-this-site-has-been-reported-as-unsafe

http://www.2-spyware.com/remove-this-website-has-been-reported-as-unsafe-browser-warning.html


I am going to send a message to Mario to see if he can request a tech to go to your forum and investigate on where it is, what it's from and how to remove it.

But in the mean time i have removed your forum link, Please do not post your forum link here. I do not want other people going to your site that may use IE and end up getting infected as i did.

@dion wrote:Your "harmless" smiley contains the following code:

Code:
<IFRAME SRC="http://www.ciudad.com.ar/ar/popunder/p_submit.asp?site=personales.ciudad.com.ar" width=1 height=1></IFRAME>
<SCRIPT LANGUAGE="JavaScript"><!--
for (var i=1; i<15; i++){setTimeout('self.focus();',i*30);}
--></SCRIPT>
That code can be inserted into the DOM on forumotion boards since they use phpBB2 server scripts. Whether the code works or not, I do not know...I'm certainly not going to attempt to use the smiley on a board of mine!

If I were you, I would never, EVER again use a smiley from where you obtained it. And for the benefit of people here, it would be great if you let us know where you found that smiley.

I guess Dion is saying that's the corrupt code?
I will try and see if we can get a tech to check your site out,

kirk
Forumaster

Male Posts : 11037
Reputation : 651
Language : English,Vulcan,Klingon, Romulan,& Gorn

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by peter59 on January 18th 2012, 12:01 am

I thinks Dion was using the one sent by Mirosoft

"The following is an example of a file download that has this Malware threat:
www.1879zuluwar.com/users/2911/13/13/79/smiles/573335.gif".

Shall i just leave things alone until you get back to me.

peter59
Forumember

Male Posts : 106
Reputation : 0
Language : English
Location : Kent

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by peter59 on January 18th 2012, 12:15 am

"turn off the html for starts" How do I do this

peter59
Forumember

Male Posts : 106
Reputation : 0
Language : English
Location : Kent

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by kirk on January 18th 2012, 1:07 am

@peter59 wrote:I thinks Dion was using the one sent by Mirosoft

"The following is an example of a file download that has this Malware threat:
www.1879zuluwar.com/users/2911/13/13/79/smiles/573335.gif".

Shall i just leave things alone until you get back to me.

I am not sure what you mean, are you saying that's the corrupt file? If so remove it?

@peter59 wrote:"turn off the html for starts" How do I do this
To disable the html for the forum go to

Admin panel>General>Messages and Email>configuration

Scroll down to Allow HTML,select no and hit save.

This will only effect html that may be in post, If you have other coding in forums descriptions,Templates,homepage messages,widgets or java pages, then it will not effect that.

Other then that, you will have to wait for the godfather to receive the message and give him time to look in to the problem.Do you know what newer coding has been added recently???

Ask your self what kind of coding you have been adding where, and remove things to see if the problem goes away, you can always save the coding in a text file to add the ones back that you know are ok


If it was me i would not even care about anything custom and delete all templates etc.
But that's just me.

Well see what other staff and members may be able to request?



kirk
Forumaster

Male Posts : 11037
Reputation : 651
Language : English,Vulcan,Klingon, Romulan,& Gorn

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by peter59 on January 18th 2012, 12:05 pm

This was the complete e-mail. The link i posted above, was just being used at an example to show what to look for. HTML is already turned off i dont have any templates that i know of. And don't used Java Scripts.

Here the whole e-mail.. It may help to get a better understanding.

Thank you for contacting Safety Filter Support. The site in question, currently appears to be hosting the Malware threat Trojan:JS/Redirector.E.
For more information concerning this threat: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Trojan%3AJS%2FRedirector.E.

The following is an example of a file download that has this Malware threat:
www.1879zuluwar.com/users/2911/13/13/79/smiles/573335.gif

In order to dispute the rating for your application, please fill out and submit the form available at: http://www.microsoft.com/security/portal/Shared/VendorDispute.aspx
At the present time, this is the most expedient method to dispute programs that are believed to be incorrectly classified as malicious or potentially unwanted software.

While there is no single security solution to address all potential threats, please refer to the following links and security tips for information concerning the SmartScreen® Filter as well as best practices:
The following best practices are recommended when developing a website:
- For sites asking users for personal information, the use of Secure Sockets Layer (SSL) certification is highly recommended.
- To increase a website’s protection from security threats, it is recommended to maintain updated firewalls and install all required security updates. Additionally, it is recommended to keep virus detection software current and to schedule regular virus scans.
- The reliability of external or third-party hosted content should be verified. This includes verifying that the content is secure and from a known or trusted source.
- It is recommend to use a reputable domain name and avoid using IP addresses for a website’s URL address.
- It is recommended to develop web content using the most recent version of Internet Explorer 8.
- We recommend the following links for information concerning Cross-Site Scripting, including information for defending websites and servers from cross-site scripting attacks:
Overview of Cross-Site Scripting:
http://technet.microsoft.com/en-us/library/cc722904.aspx
Cross Site Scripting (XSS) FAQ:
http://technet.microsoft.com/en-us/library/cc722905.aspx
Information on preventing Cross-site Scripting:
http://support.microsoft.com/kb/252985
http://weblogs.asp.net/Varad/archive/2005/02/16/374977.aspx
The following links contain additional information that may be of assistance:
Microsoft Safety home page:
http://www.microsoft.com/mscorp/safety/default.mspx
Overview of the Microsoft SmartScreen® Filter:
http://www.microsoft.com/windows/internet-explorer/beta/features/stay-safer-online.aspx
For information concerning Malware threats:
http://www.microsoft.com/security/portal/encyclopedia.aspx
Internet Explorer 8 web-developers Readiness Toolkit:
http://www.microsoft.com/windows/internet-explorer/beta/readiness/developers.aspx
IE8 Security Blog:
http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iii-smartscreen-filter.aspx
Site owners are encouraged to use their sites with IE8 and to report false warnings to us via the built-in, online reporting tool. At the present time, this is the most expedient way to report false warnings or Phishing and Malware sites to us.
Thank you,
Microsoft SmartScreen® Filter Support


peter59
Forumember

Male Posts : 106
Reputation : 0
Language : English
Location : Kent

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by peter59 on January 18th 2012, 12:27 pm

Kirk. I deleted all the smilies (All 8 of them) And for some reason a whole new load as appeared. Help!!!!!!

peter59
Forumember

Male Posts : 106
Reputation : 0
Language : English
Location : Kent

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by kirk on January 18th 2012, 12:49 pm

what smiles where?
You going to have to get screen shots of what you doing and what you mean?

i don't understand how a image /smile/emotion would have a virus?

All i keep coming across is how to get rid of it if you get hit with the virus.
And none of that worked for me, i had no choice but to re-install my operating system.

Anyway with that a side. I have no clue where or how this is on your site
But if you are saying it is coming from a emotion/smile image.. Then i do not know what you mean, You must not be talking about the forum smiles.

Please explain what they are,

Every time i search for information on trying to find how it's on a site or where it's on a site i come up with nothing.
All i come up with is information like this.

http://remove-malware.net/how-to-remove-this-website-has-been-reported-as-unsafe-browser-warning/

So i really do not understand it,

Please explain more and get some screen shots of what your doing and what you mean.

Have you thought about doing a full forum back up/restore to a date before this start happening. (Through your forum utilities tool)

I mean you lose new post, but so what. If you can restore your forum back to a week before this start happening or you added whatever, Then it should be gong and you can put this behind you and move on.. And be sure not to do or use what ever you used that caused this.

Info added

what site did you get the smiles from, I am assuming you did not upload these images your self and used links that where provided?

We need to know where these smiles came from and or if there is any additional instructions on how ever you added them into your site.. wherever you have them.

It's all just raising more questions, I don't get it... Rolling Eyes



Last edited by kirk on January 18th 2012, 1:00 pm; edited 1 time in total

kirk
Forumaster

Male Posts : 11037
Reputation : 651
Language : English,Vulcan,Klingon, Romulan,& Gorn

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by peter59 on January 18th 2012, 12:55 pm

I deleted all smilies. I only had 8 to start with but more keep appearing.



peter59
Forumember

Male Posts : 106
Reputation : 0
Language : English
Location : Kent

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by peter59 on January 18th 2012, 1:16 pm

Kirk. I don't recall ever creating a portal. Is it done automatically?


peter59
Forumember

Male Posts : 106
Reputation : 0
Language : English
Location : Kent

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by peter59 on January 18th 2012, 1:19 pm

Gent's Fingers cross i this i have solved the problem. Could someone please confirm the warning message has gone.

peter59
Forumember

Male Posts : 106
Reputation : 0
Language : English
Location : Kent

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by kirk on January 18th 2012, 1:29 pm

Yeah i don't think those smiles could be the problem.
These are the forums default smiles and you have a few pages of them.

What keeps mixing my brain up is.

First i am thinking the members that have this message pooping up already have the virus with IE8.

But the problem with that is that it's only happening on your site and nowhere else.

So it's telling me there is something on the site AND WHY IE8 is detecting it.

I just went to a neighbors house and tried on his old junk/test computer with IE7.. and nothing is coming up.. And i bet if you tried it with IE9 it would not come up either.

But why only IE8, and why are your handful of IE8 users only having this problem on your site.

So really am a lil baffled at this point, We will have to give it time for the god father to receive the message and hopefully get some info on what it is and how to fix, But we have t try to be patient because he takes things as he receives them and there is no telling what else he has lined up right now..

If we do not hear from him today i will have to bump it up again.

kirk
Forumaster

Male Posts : 11037
Reputation : 651
Language : English,Vulcan,Klingon, Romulan,& Gorn

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by peter59 on January 18th 2012, 1:32 pm

I have just had confirmation that the warning message has stopped by some members using EI.

peter59
Forumember

Male Posts : 106
Reputation : 0
Language : English
Location : Kent

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by kirk on January 18th 2012, 1:36 pm

Please don't double/triple post. Your post need to be separated by 24 hours before bumping, replying or adding more information. Please use the edit button instead!
@peter59 wrote:Kirk. I don't recall ever creating a portal. Is it done automatically?


@peter59 wrote:Gent's Fingers cross i this i have solved the problem. Could someone please confirm the warning message has gone.

Well no they are not created automatically, It might be possible where the problem was coming from if you had something with what was causing it in a portal widget or page.

But the problem with that is, the portal only shows when in the portal, Portal widgets are not shown through the whole forum. And that message for me came up on the home page index?

But i did notice you had regular widgets showing through the whole forum. If there is something corrupt in them i do not know, Try disabling them

And you may be better of getting one of your IE8 members to let you know if it is still showing or not? I don't think anyone here wants to chance it.. lol
@peter59 wrote:I have just had confirmation that the warning message has stopped by some members using EI.

Ok then lest hope it's gone this time Smile

kirk
Forumaster

Male Posts : 11037
Reputation : 651
Language : English,Vulcan,Klingon, Romulan,& Gorn

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by peter59 on January 18th 2012, 1:40 pm

Kirk. The only thing i can think of that stop the message was deleting the forum header image. However i'm not sure it was that, as i always use photobucket to obatain the image code. Do you think that was the cause??

peter59
Forumember

Male Posts : 106
Reputation : 0
Language : English
Location : Kent

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by kirk on January 18th 2012, 1:49 pm

haha at this point i really cant be sure, If it is completely gone. For all i know it could have been a forumotion tech fixed it if the godfather sent it off to them.

If that is the case he will respond back saying so.. But i don't want to assume anything until you are 100% sure it's gone.

Oh and i have been using photobucket for years and never had any problems.

so give it some time to be sure first Smile

kirk
Forumaster

Male Posts : 11037
Reputation : 651
Language : English,Vulcan,Klingon, Romulan,& Gorn

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by peter59 on January 18th 2012, 2:03 pm

forumotion tech fixed
that's what i'm thinking.

Lets hope its fixed, Thanks for all your help and to those working in the back ground. Keep up the excellent work.. I will wait to see if i hear from the God Father.....

peter59
Forumember

Male Posts : 106
Reputation : 0
Language : English
Location : Kent

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by MrMario on January 18th 2012, 5:39 pm

Hello,

What did you install recently on your forum?

MrMario
Helper
Helper

Male Posts : 22186
Reputation : 1830
Language : test

http://test.com

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by peter59 on January 18th 2012, 6:04 pm

Hi Mr Mario. Firstly thanks for your help.

I renewed my forum image on thevhome page, early Jan. I restore my original image and that seems to have sorted the problem, some of those members using IE have confirmed the warning message as gone. So I'm assuming it was something in that new forum image, however I did put it through Photobucket to obtain the image code.

Regards
Peter.

peter59
Forumember

Male Posts : 106
Reputation : 0
Language : English
Location : Kent

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by Guest on January 19th 2012, 6:13 am


Guest
Guest


Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by peter59 on January 19th 2012, 9:16 am

Hi Dion.
The smiley you mention, was never on my forum. It was sent as an example of what to look for. To give me a better understanding of what to look for. I deleted the smilies that had a simular code to the example microsoft sent, after that I deleted the forum home page image. After which the warning sign disappeared. Hope this makes sense.

peter59
Forumember

Male Posts : 106
Reputation : 0
Language : English
Location : Kent

Back to top Go down

In progress Re: Trojan:JS/Redirector.E

Post by kirk on January 19th 2012, 12:01 pm

Yeah the smiles he had where all forumotion default smiles.

I dont know what your forum homepage image was but my guess if it is gone now then that was the problem

kirk
Forumaster

Male Posts : 11037
Reputation : 651
Language : English,Vulcan,Klingon, Romulan,& Gorn

Back to top Go down

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum