Malware?

Comments

  • Rohn (Saint Peters, MO) Posts: 3,740, Member Uncommon
    Had the same thing happen to me today as well.  First time ever.

    Hell hath no fury like an MMORPG player scorned.

  • Meddle (Kamuela, HI) Posts: 696, Administrator Uncommon

    We are aware of the issue and are working diligently to track down the source and correct it.

    - MMORPG.COM Staff -

  • Meddle (Kamuela, HI) Posts: 696, Administrator Uncommon
    It looks to be completely random.  All of our servers look clean.  If anyone gets the redirect on a specific link every single time they visit it please post the link.  At this time we're looking at a malicious ad being served from one of our 3rd party ad servers.

    - MMORPG.COM Staff -

  • botrytis (In Flux, MI) Posts: 2,567, Member
    Originally posted by Barrikor

     


    Originally posted by botrytis
    Google ads use java and java script for the ads. Java is one big virus waiting to happen. There is no write once, run anywhere system. If you have older versions of JAVA, just uninstall them (keep java up to date) or do what I did, uninstall java and never look back.

     

     

    There is a lot of spoofing, etc that can be done in JAVA script so that is what is happening. I had this on other forums I belong to. Not the forums fault, it is Google that is not doing its job.


     


    Java and JavaScript are 100% unrelated to each other. It's only the names that are similar.


    Judging from your post, it's Java that you have a problem with, not Javascript.

    Actually, it was both. You see many ads (such as Google ads) do use javascript which can be used for nefarious reasons - like calling on a java program to download a payload - this happens when you get the redirection virus.

     

    So, it is both actually.

    "In 50 years, when I talk to my grandchildren about these days, I'll make sure to mention what an accomplished MMO player I was. They are going to be so proud ..."
    by Naqaj - 7/17/2013 MMORPG.com forum

  • cnutemp (Fairfax, VA) Posts: 229, Member Uncommon
    The iPumper file is distributed by a guy named Mart, here's his info - be sure to thank him for his virus! (info from Network Solutions lookup)
     

    Admin Name: Mart Vajda

    Admin Organization: 

    Admin Street: Hodoninska 15

    Admin City: Holic

    Admin State/Province: 

    Admin Postal Code: 90851

    Admin Country: Slovak Republic

    Admin Phone: +421.901234567

    Admin Fax: 

    Admin Email: *** Email address is removed for privacy ***

    Tech Name: Mart Vajda

    Tech Organization: 

    Tech Street: Hodoninska 15

    Tech City: Holic

    Tech State/Province: 

    Tech Postal Code: 90851

    Tech Country: Slovak Republic

    Tech Phone: +421.901234567

    Tech Fax: 

    Tech Email: *** Email address is removed for privacy ***

     

    His site redirects to www.anyfiledownloader.com - don't go there!  It's a company in Panama:

     

    Technical Contact

        Fundacion Private Whois

        Domain Administrator

        Email:*** Email address is removed for privacy ***

        Attn: anyfiledownloader.com

        Aptds. 0850-00056

        Zona 15 Panama

        Panama

        Tel: +507.65995877

     

    (you _could_ phone them but it's gonna be a long-distance call)

    The software was written by Escolade Solutions LTD.  Be sure to thank them too!

    You're welcome.  :-)
  • Ridelynn (Fresno, CA) Posts: 4,176, Member Uncommon

    It's something in one of the ads, but I can't tell which one yet.

    Some information:

    You will only infect your PC if you
    a) allow the download of the file api_Downloader.exe
    ~and~
    b) allow the file api_Downloader.exe to run

    That will infect your system. As far as I can tell right now, the malicious ad will attempt to auto-download the file, but I don't think it is able to run the file remotely - you would actually have to click on it to run it.

    I did come across this if anyone should need it:
    http://saviourforcomputer.blogspot.com/2013/03/how-to-remove-anyfiledownloadercom.html

    It's not great, but gives you some additional information if anyone should accidentally run the file.

  • Sunnyguy46 (Santa Rosa, CA) Posts: 89, Member Uncommon
    Originally posted by psychobgr
    I'm using Kaspersky Internet Security and it keeps blocking some malware on mmorpg.com I gather it's a dodgy advert or something has got onto the site. Kaspersky stops it straight away as it happens each time I open any page from mmorpg.com.

     

    Same..with almost every re-fresh.

  • Perramas (Tanelorn) Posts: 83, Member Uncommon
    Originally posted by Meddle
      At this time we're looking at a malicious ad being served from one of our 3rd party ad servers.

     

    And this is why I always use ad block plus and no script.

    FUncom putting the FU in fun since 1993.

  • Meddle (Kamuela, HI) Posts: 696, Administrator Uncommon
    Are the folks running adblock seeing this issue at all or not?

    - MMORPG.COM Staff -

  • cnutemp (Fairfax, VA) Posts: 229, Member Uncommon
    Running Google Chrome with adblock, haven't seen it yet. Keep in mind using default setup, haven't right click blocked any ad yet.
  • cnutemp (Fairfax, VA) Posts: 229, Member Uncommon
    Originally posted by Meddle
    Are the folks running adblock seeing this issue at all or not?

    You could always have your team brute force to find it.

     

    Firefox with noscript, start with nothing blocked, check scripts on the page and click stuff till you get redirected.

     

    Block one script, keep clicking links till you get redirected, if you don't get redirected after 5-10 mins you found the script, if it happens again block another.
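
The elimination procedure in the post above, modelled as an added example that is not part of the original thread: it shows why an intermittent redirect needs enough clean page loads per step before a script host is blamed. The hostnames, the every-fifth-load schedule and all function names are constructed for illustration.

```javascript
// Clean loads needed so that a culprit which is still unblocked, and which
// fires independently with probability p per load, is missed with
// probability at most alpha: (1 - p)^k <= alpha.
function cleanLoadsNeeded(p, alpha) {
  return Math.ceil(Math.log(alpha) / Math.log(1 - p));
}

// Constructed stand-in for a browser session: the bad creative is served
// on every `every`-th page load and redirects unless its host is blocked.
function makeLoader(culprit, every) {
  let n = 0;
  return (blocked) => {
    n += 1;
    return n % every === 0 && !blocked.has(culprit);
  };
}

// Block hosts one at a time (blocks accumulate). After each new block,
// load the page up to `loads` times. The first host whose blocking is
// followed by only clean loads is reported as the source.
function findCulprit(hosts, loadPage, loads) {
  const blocked = new Set();
  for (const host of hosts) {
    blocked.add(host);
    let redirected = false;
    for (let i = 0; i < loads && !redirected; i++) {
      redirected = loadPage(blocked);
    }
    if (!redirected) return host;
  }
  return null; // every host blocked and the redirect still occurred
}

// Constructed list of script hosts seen on a forum page.
const SAMPLE_HOSTS = [
  'cdn.forum.example',
  'stats.example',
  'ads.network.example',
  'widgets.example',
];

// Too few loads per step blames the first host blocked; enough loads
// reaches the ad host.
console.log(findCulprit(SAMPLE_HOSTS, makeLoader('ads.network.example', 5), 3));
console.log(findCulprit(SAMPLE_HOSTS, makeLoader('ads.network.example', 5),
                        cleanLoadsNeeded(0.2, 0.01)));
```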

  • Perramas (Tanelorn) Posts: 83, Member Uncommon
    I have had no problems with firefox while running adblock plus and noscript.

    FUncom putting the FU in fun since 1993.

  • FrankVLucas (Hornbaek) Posts: 31, Member Uncommon
    Haven't seen this. Running chrome with adblock+ without a problem.
  • piquet (Odense) Posts: 202, Member
    Originally posted by Meddle
    Are the folks running adblock seeing this issue at all or not?

    I can confirm that this does not happen with AdBlock turned on. I get it as soon as I turn it off again, so it's definitely caused by one of the ads.

  • Jacxolope (Jackson, MI) Posts: 924, Member

    -Also confirming.

    Adblock Plus on chrome is stopping the problem. Turning it off and.... It's back.

  • maplestone (Ottawa, ON) Posts: 3,099, Member
    Originally posted by Meddle
    It looks to be completely random.  All of our servers look clean.  If anyone gets the redirect on a specific link every single time they visit it please post the link.  At this time we're looking at a malicious ad being served from one of our 3rd party ad servers.

    I was consistently getting it when trying to check this thread earlier today if that helps.

  • Admin (Santa Fe, NM) Posts: 5,037, Administrator Common

    Hello all,

    Thank you for the reports.  We think we narrowed it down to the 200x200 ad on the left side of the forums that pretty much only ran through a network - meaning we don't have direct control of the ads.  We have removed the ad entirely.

     

    If you see this redirect anymore please let us know ASAP - feel free to email me directly at admin(at)mmorpg.com

    Thank you,

    - MMORPG.COM Staff -

  • Grunty (Texas) Posts: 7,058, Member Uncommon
    The automatic redirect to PCKeeper only happened to me once so far 2 days ago. I'm using an up-to-date Chrome version without any blocking applets.
  • Sunnyguy46 (Santa Rosa, CA) Posts: 89, Member Uncommon
    Please give the lovable staff a raise! /hug
  • Grunty (Texas) Posts: 7,058, Member Uncommon

    Since you turned those ads off this site is as fast as Speedy Gonzalez when downloading/updating.

     

     
