# Virus/Trojan Issue



## jeff (May 31, 2012)

Folks I am seeing some odd behavior from my AVG virus scanner when accessing the site. 

Is anyone who is NOT running AVG seeing any issues?

Thanks


----------



## Carl Fisher (May 31, 2012)

Security Essentials here and nothing reported so far.


----------



## Johnny westbrook (May 31, 2012)

I just had one pop up; my Avast stopped it.


----------



## jeff (May 31, 2012)

Any additional details you could provide me via PM would help.


----------



## randyrls (May 31, 2012)

Nothing shown on ZoneAlarm.


----------



## ALA (May 31, 2012)

Johnny westbrook said:


> I just had one pop up; my Avast stopped it.


 
Same here. Does it each time I open the site.


----------



## mredburn (May 31, 2012)

I have the malicious URL warning on IE and Firefox but not Google Chrome.


----------



## jeff (May 31, 2012)

I am seeing it on IE and FF too, but inconsistently. I have the host admins looking into it.

My apologies for any inconvenience.


----------



## keithbyrd (May 31, 2012)

Norton has no alerts


----------



## penmaker1967 (May 31, 2012)

I use Essentials and no problems on my end.


----------



## hewunch (May 31, 2012)

I get an alert too in Avast. The alert is about the following url http://defjowelt.org/?ae615302ca6c39dd71... I don't know if it will help you, but that is all I could get out of it.


----------



## Andrew_K99 (May 31, 2012)

I just got the following alert from my company's software.


----------



## Carl Fisher (May 31, 2012)

Interesting. I'm inside the Wells Fargo network and, for as locked down and loaded up with AV software as we are, I don't have any issues from here either. My post earlier was from home with no issues.

Using Chrome with Symantec Endpoint here and MS Security Essentials at home.


----------



## BRobbins629 (May 31, 2012)

Got an AVG Exploit Blackhole threat stopped with Firefox and IE at home. Kindle Fire got in. IE at work OK now.


----------



## PTsideshow (May 31, 2012)

Just checked avast and it shows nothing flagged or in the chest. Running Firefox.
:clown:


----------



## tbroye (May 31, 2012)

Nothing on mine with McAfee. Only problem I have is the little 18-month-old grandson pushing keys to make the computer make noise. That, and he thinks I have a touch screen on my laptop. Little worm.


----------



## Andrew_K99 (May 31, 2012)

My computer at work is infected with something.  It's behind firewalls and AV software.

It's been prompting for unknown updates and hard drive failure.  My desktop is also gone (it's actually all been hidden based on what I've found)

Microsoft Forefront has scanned and found two things, then was clear, then everything started again! 

Not sure if it came from here but whatever it is it's nasty!

FYI this has been sent from my iPhone.

AK


----------



## The Penguin (May 31, 2012)

I use Kaspersky and it blocked the site from home.

work computer - no problem, but I don't know what we use here.


----------



## RichB (May 31, 2012)

Got an AVG Exploit Black Hole. I loaded IAP through Google, typing in Penturners.org, and it was OK until I clicked on the IAP logo; then AVG Exploit Black Hole came up again. I am now on the IAP through Google.


----------



## gandsande (May 31, 2012)

I have the AVG warning of Blocked Site Due to Exploit Blackhole type 2170. I am only able to get in from my work system, which is behind many protections and very limited on what on the internet I am allowed to get to. Seems very strange.


----------



## underdog (May 31, 2012)

Malwarebytes blocked the website three times from doing something over here.



> 2012/05/31 09:39:54 -0400 JIM Jim Underwood IP-BLOCK 188.72.213.72 (Type: outgoing)


 
Something is up...


----------



## Akula (May 31, 2012)

XP Pro, Google Chrome with AdBlock and Avast allows access without problems or warnings.

Online URL scans by Comodo and AVG ThreatLabs will not run the site.


----------



## Finatic (May 31, 2012)

I got hit this morning while reading this thread. Had Cox tech support fix it for me; took 2 hours. I think I was using Google Chrome at the time.


----------



## Akula (May 31, 2012)

URLQuery: no problems detected.


----------



## penmaker1967 (May 31, 2012)

This may not help, but I have MS Essentials (not spelled right) and I have not had any trouble, but when I was using AVG I had all kinds of trouble, not just with IAP but with just about every site that I went on.


----------



## thewishman (May 31, 2012)

*Infection Details*

URL: http://ghijowelt.org/?91be29002741ceeaaa...
Process: C:\Program Files (x86)\Mozilla Firefox\f...
Infection: URL:Mal


----------



## InvisibleMan (May 31, 2012)

Got a popup that Norton caught something, but it was a quick popup and I didn't really see much other than that it stopped a malicious something or other.

Here it is from my history:

Web Attack: Malicious Toolkit Website 14
Risk High
Attacking Computer 37.59.198.61, 80
Attacker URL ghijowelt.org/?91be29002741ceea...

I'm running Firefox.


----------



## dexter0606 (May 31, 2012)

Not much help to you, but our company's Websense blocked the "malicious website".


----------



## jeff (May 31, 2012)

There should be no issues now.

We did in fact have 3 files which were compromised.

I think I have eradicated the problem.

*Please let me know if you have any issues.*
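Jeff's note that three site files were compromised, together with the URL:Mal and "Malicious Toolkit Website" detections members posted, describes the classic shape of a compromised web site: a hidden iframe or redirect script injected into legitimate pages. The following is an added example written for this thread, not code from the forum or its software. It assumes a site whose legitimate script and iframe sources all live on a small allow-list of hosts, and it reports any file that references a host off that list or carries a hidden iframe. The file contents are constructed; the host names in them are the ones members' scanners reported above, with placeholder query strings.

```python
"""Scan web-site files for injected references to hosts not on an allow-list.

Added example for the thread above; not the forum's own code. The sample
files and the allow-list are constructed for the demonstration.
"""
import re
from urllib.parse import urlparse

# Hosts this site legitimately loads resources from (assumed for the example).
ALLOWED_HOSTS = {"www.penturners.org", "penturners.org", "ajax.googleapis.com"}

# <script src=...>, <iframe src=...>, <object data=...>, <embed src=...>
TAG_RE = re.compile(
    r"<\s*(script|iframe|object|embed)\b[^>]*?\b(?:src|data)\s*=\s*['\"]?([^'\"\s>]+)",
    re.IGNORECASE,
)
# Zero-size or hidden iframes are the usual shape of an injected loader.
HIDDEN_IFRAME_RE = re.compile(
    r"<\s*iframe\b[^>]*(?:width\s*=\s*['\"]?0|height\s*=\s*['\"]?0"
    r"|visibility\s*:\s*hidden|display\s*:\s*none)",
    re.IGNORECASE,
)
# Script-driven redirects: document.location = "http://..." / window.location.href = "..."
LOCATION_RE = re.compile(
    r"(?:document|window)\.location(?:\.href)?\s*=\s*['\"](https?://[^'\"]+)",
    re.IGNORECASE,
)


def external_references(text, allowed_hosts=ALLOWED_HOSTS):
    """Return the hosts referenced by tags or redirects in text that are not allowed.

    Relative paths (no host) are ignored; protocol-relative //host/... is resolved.
    """
    hosts = []
    urls = [url for _tag, url in TAG_RE.findall(text)] + LOCATION_RE.findall(text)
    for url in urls:
        host = urlparse(url).hostname
        if host and host.lower() not in allowed_hosts:
            hosts.append(host.lower())
    return hosts


def scan_files(files, allowed_hosts=ALLOWED_HOSTS):
    """files maps path -> text. Returns (path, reason, detail) tuples for review."""
    findings = []
    for path, text in files.items():
        for host in external_references(text, allowed_hosts):
            findings.append((path, "external-reference", host))
        if HIDDEN_IFRAME_RE.search(text):
            findings.append((path, "hidden-iframe", ""))
    return findings


# Constructed sample site: one clean page, one page with an injected hidden
# iframe, and one script file with an injected redirect.
SAMPLE_FILES = {
    "index.php": """<html><head>
<script src="/js/site.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
</head><body>
<iframe src="http://ghijowelt.org/?PLACEHOLDER" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>""",
    "forum/showthread.php": """<html><script src="/js/site.js"></script><body>clean page</body></html>""",
    "js/site.js": """function init(){}\ndocument.location = 'http://defjowelt.org/?PLACEHOLDER';""",
}

if __name__ == "__main__":
    for path, reason, detail in scan_files(SAMPLE_FILES):
        print(f"{path}: {reason} {detail}".rstrip())
```

Run against a real document root by building the dictionary from the files on disk; anything reported is a lead for comparison against a known-good copy of the site, not proof of compromise by itself, since a legitimately added widget will also show up until its host is added to the allow-list.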


----------



## Andrew_K99 (May 31, 2012)

Do you know the names of the viruses/Trojans?

AK


----------



## jeff (May 31, 2012)

Andrew_K99 said:


> Do you know the names of the viruses/Trojans?
> 
> AK



No, I only have snippets of malicious code.


----------



## Holz Mechaniker (May 31, 2012)

Just curious, who of you were running Internet Explorer, Google Chrome or Mozilla Firefox?

I use Firefox and have NONE of the issues as described here.


----------



## Andrew_K99 (May 31, 2012)

My computer is infected with Win32/fakesysdef

I'm behind firewalls and am using Microsoft Forefront Security (administered by our IT department). I use Internet Explorer 9.

My computer is currently in the (remote) hands of IT to clean it up.

No idea if it originated here, but the timing of this thread would suggest that it did.

AK


----------



## jeff (May 31, 2012)

Andrew_K99 said:


> My computer is infected with Win32/fakesysdef
> 
> I'm behind fire walls and am using Microsoft Forefront Security (administered by our IT department).  I use Internet Explorer 9.
> 
> ...



Certainly that's possible, but I hope not. Hackers are a rotten bunch, aren't they?


----------



## Andrew_K99 (May 31, 2012)

jeff said:


> Certainly that's possible, but I hope not. Hackers are a rotten bunch, aren't they?


That's being WAY too polite Jeff!

I'm still surprised it got through on my work computer, our IT department shuts us off from everything and some.

It seems to be fixed now, it was embedded in 4 locations.

Hopefully it didn't originate here and no one else has had to go through this today.

AK


----------



## OKLAHOMAN (May 31, 2012)

Well, it seems that there is a thing going on against any forum about pens; The Fountain Pen Network has been down also.


----------



## underdog (May 31, 2012)

Using XP and IE8 here with all the latest updates, and NO toolbars.

No infection that I can see...


----------



## Zulu (May 31, 2012)

*Malware Warning*

The warning from AVG comes only when I go to “Home” (root) part of the site. It does not when going to other directories. It must be something in the root of the site that triggers the warning. BTW this comes only on Opera and not other browsers. All the browsers are the latest ones, with all the patches applied.


----------



## Xander (May 31, 2012)

Nothing showing on my AVG (not free edition)


----------



## Zulu (May 31, 2012)

*Browser's fault*

I've forgotten that this is a work machine and I do not have AVG at all on this. I have Trend Micro OfficeScan on this computer. Must be something to do with Opera...


----------



## PenPal (May 31, 2012)

Jeff,

Peter here in Australia. Last evening, our Thursday, from about 10 pm from memory until I quit about half an hour into Friday (today):

Using Avast Pro, Roboform click, Penturners: a warning message came up to prevent access only to Penturners: HTML/Afreimer.AHtml Script Virus.

Tried every now and then, same result; dialing Penturners, no prob getting in.

Seems OK, no flags etc., 9 am our Friday.

Kind regards, Peter.


----------



## Zulu (May 31, 2012)

Sorry to brag about this, but it bugs me.


On further investigation I found out that Opera uses an AVG server to check the visited sites and that is why it comes with AVG warning, on my computer at least. 

> …Disabling/Enabling Fraud and Malware Protection
>
> Disable or enable Opera's Fraud and Malware Protection from Settings > Preferences > Advanced > Security by checking or unchecking "Enable Fraud and Malware Protection".
>
> Note: Once disabled, the browser does not make any contact with the server used for Opera's Fraud and Malware Protection…

Taken from Guide to security and privacy in Opera: Fraud and Malware Protection.


----------



## Smitty37 (May 31, 2012)

*no problem*

No problems, and shown as a safe site when I do a search. I'm using Norton.


----------



## MikeG (May 31, 2012)

I got this report from Norton this morning:



Thanks,
Mike


----------



## jeff (Jun 1, 2012)

OK folks, after some analysis and head scratching, I've determined that the hacker compromised a member account to gain enough privileges to launch an attack.

If you have a weak password like your name or 123 or the like, please consider changing it to something stronger. A strong password has at least 8 characters, mixed case, numbers, and a special character. If you do change it, please write it down!

Weak member passwords put our community at risk from the dirty rotten hackers surfing the internet looking for easy targets.
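The policy in the post above (at least 8 characters, mixed case, numbers and a special character, and nothing as guessable as a name or "123") is easy to check mechanically before a password is accepted. Below is an added example, not code from the forum or its software; the list of trivial passwords and the check that the password does not contain the member's own user name are assumptions added for the example.

```python
"""Check a candidate password against the policy stated in the post above.

Added example for this thread; not the forum's own code. The TRIVIAL list and
the user-name check are assumptions for the demonstration.
"""
import string

# Short constructed list of values nobody should be using as a password.
TRIVIAL = {"123", "1234", "12345", "123456", "password", "qwerty", "letmein"}


def password_problems(password, username=None, min_length=8):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    lowered = password.lower()
    if lowered in TRIVIAL:
        problems.append("common trivial password")
    # Assumed extra rule: the member's own name must not appear in the password.
    if username and len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the user name")
    return problems


def is_strong(password, username=None):
    """True when the password meets every rule in password_problems."""
    return not password_problems(password, username)


if __name__ == "__main__":
    for candidate in ["123", "jeff", "Jeff2012!x", "Tr0ub4dor&3"]:
        print(candidate, "->", password_problems(candidate, username="jeff") or "OK")
```

The function returns the list of reasons rather than a bare yes/no so that a registration form can tell the member exactly which rule was missed.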


----------



## Knucklefish (Jun 1, 2012)

The Penguin said:


> I use Kaspersky and it blocked the site from home.
> 
> work computer - no problem, but I don't know what we use here.


 

Same here.
John


----------



## gimpy (Jun 1, 2012)

I got nailed. I lost the hard drives on two computers. Had a tech at the house and both hard drives are gone!!!!!! I lost everything. I had to go out and purchase a new computer last night... OUCH!!!!!! Right before vac time... I pick it up some time late next week...

Currently I'm using an old computer and will continue using it while on such sites as this... I hope everyone else had better luck than me... I was using Avast as my virus protection... Thanks for listening.


----------



## WWAtty (Jun 1, 2012)

jeff said:


> OK folks, after some analysis and head scratching, I've determined that the hacker compromised a member account to gain enough privileges to launch an attack.
> 
> If you have a weak password like your name or 123 or the like, please consider changing it to something stronger. A strong password has at least 8 characters, mixed case, numbers, and a special character. If you do change it, please write it down!
> 
> Weak member passwords put our community at risk from the dirty rotten hackers surfing the internet looking for easy targets.




Good idea.  I need to be better at changing passwords from time to time.


----------



## greenmtnguy (Jun 1, 2012)

Zone Alarm just warned me. Only comes up when I go to front page. Distributing malware it warns. Old warning?


----------



## PenPal (Jun 1, 2012)

Gimpy,

There are two versions of Avira, one free, the other pro. Which version were you using? My pro version absolutely prevented me from access during the recent problem. Most of the free programs are moderate in protection; comprehensive is the key with paid pro programs. Reason for the question is, if it was a pro program, that reputable company should be advised in depth of your situation together with proof of the source of your recent loss.

One thing I never stint on is timber quality, tools and computer protection with constant updates.

Have success in determining a solution for the future; felt your losses.

Kind regards Peter.


----------



## underdog (Jun 1, 2012)

Jeff,

I'm assuming you've contacted the member and rectified the situation?


----------



## ctubbs (Jun 2, 2012)

Thank you Jeff for all your work.  Password changed


----------



## gimpy (Jun 2, 2012)

It was the free version... My "new" one will definitely have something that I pay for... I'm leaving this up to the folks I'm buying the computer from... Just upsets me that I lost everything, very few backups... Lesson learned, and yes, I will be making my password stronger... Thank you all.


----------



## Leatherman1998 (Jun 2, 2012)

Jeff I want to thank you for working on this I have done a little computer programming and I know what this can be like for you as the admin.


----------



## Akula (Jun 2, 2012)

What could a member post to contain code?  I can see a link but someone would need to click on it to be directed to another site.  ppt pptx psd txt xls zip infected?


----------



## chriselle (Jun 5, 2012)

This is a weird coincidence.  My yahoo email got hacked and someone was sending out "something" in my name.  If some of you got an unexpected email from me...delete it please.  I changed all my passwords but it's hard to know if I'm safe to others being as I am on a Mac.


----------

