Gday...

I experienced this twice earlier this arvo whenever I returned to 'main page' after viewing a sub -forum.

Not the same as you had Ian ... and it hasn't appeared since I have been back on.

Judging that the 'source/target' of the 'virus' was the "*gif" file,  I assume it was within one of the ads on the top of the forum.

[edit: had to stop the server converting the 'virus' path (of that *gif file) to an active website - which had the HTML/Framer virus still active ]

Cheers - John

-- Edited by rockylizard on Sunday 21st of February 2016 07:40:09 PM

Gday...

I PM'd Cindy (Webmaster) with advice of my encounter with that 'virus'.

Unfortunately I could not insert a photo/pic into a PM so I just had to explain it.

Perhaps you should PM Cindy and explain what you have been encountering.

Cheers - John

Gday...

Unfortunately, kandagal, if you click on, or enter it into a browser, that WWW site ending in 200x100.gif you will find the 'virus' is still active.

My Virus Scanner identified it again when I accidently clicked on that WWW site before.

I have PM'd Cindy and included the link to this thread so she can see the photos/pics of Ian's and mine.

Cheers - John

iana wrote:

---

Thankyou John, its a persistent little bugger, glad to know I am not the only one getting treatment.
P.S. I am getting really p---ssed off with w10, can feel an apple coming on.

---

 Joined the fruit company 6 months ago, best thing ever, no more bugs or virus now and even better no more windoz updates.

Hi All

I have been receiving notice from Nortons that it has blocked an attack for the past three days.

Sometimes it disappears after rebooting but eventually returns. Surely there must be a lot of members with this problem.

I have Microsoft 7.

 

Lets all keep our fingers crossed.

 

Dave

Stopped running Norton years ago - it slows down your system, not that great at the job, takes up a lot of memory and generates rubbish like this.

Many professional IT'ers don't use Norton for the same reasons.

I use Trend Micro - its fast, doesn't take up a heap of space and originally developed in Australia (although now USA based - but with an Aussie office and greeks still working there). It will auto up-date and check your drives without you being aware of it at all - if that's what you want and it doesn't slow you down as it works in the background. Has lots of other features in it as well that Norton doesn't have

Anyone remember the Peter Paul and Mary song "Where Have All the Flowers Gone"

Oh When will they ever learn

Oh When will they ever learn.

Forget Norton, Trend Micro, AVG and Avast. Load Linux Mint 17 and never have a virus again.

Oh When will they ever learn.

 

The Phantom

Bruce and Bev wrote:

---

Stopped running Norton years ago - it slows down your system, not that great at the job, takes up a lot of memory and generates rubbish like this.

Many professional IT'ers don't use Norton for the same reasons.

I use Trend Micro - its fast, doesn't take up a heap of space and originally developed in Australia (although now USA based - but with an Aussie office and greeks still working there). It will auto up-date and check your drives without you being aware of it at all - if that's what you want and it doesn't slow you down as it works in the background. Has lots of other features in it as well that Norton doesn't have

---

Same here Bruce, Norton is a resource hogging nightmare, have not used it for years.

Uninstalling it is also a drama, Unfortunately Norton products tend to install themselves deep down into the critical parts of your system and if the product becomes damaged in some way you have a big problem.

After using Norton, AVG, Trend Micro, Mcafee and Bit Defender over a long period of time, I now use the security software included in the cost of Windows 10,Windows Defender, unobtrusive and works like a charm.

As a bonus I don't have security software companies pestering me to renew every12 months.

I also use an Ad blocker and have not seen any sign of "Nuclear Exploit Kit Re-direct 4"

 

Hi all,
We have contacted our web developers to report this problem and hopefully sort it out.  They, and another company, have scanned our website and could not find any evidence of any virus or malware.  It seemed to have been fixed last week but we note that the message has come up again. We have now employed a specialist security company who say they will be able to fix this.  Please bear with us ... we're hoping all will be sorted out soon.

Webmaster wrote:

---

Hi all,
We have contacted our web developers to report this problem and hopefully sort it out.  They, and another company, have scanned our website and could not find any evidence of any virus or malware.  It seemed to have been fixed last week but we note that the message has come up again. We have now employed a specialist security company who say they will be able to fix this.  Please bear with us ... we're hoping all will be sorted out soon.

---

 Must be a nightmare trying to stay on top of these issues Cindy.

I don't get it.

I downloaded the "GIF" file to my HDD. It was in fact a HTML file in disguise.

I then uploaded this HTML file to VirusTotal where it was scanned by 52 AV software products.

These are the results:

www.virustotal.com/en/file/df0e8f049f064f614d17ae646963ac40fccd23079700c05eb99bcc71cf1d236c/analysis/1456096642/

TrendMicro and TrendMicro-HouseCall found "Mal_Hifrm-2" but all other AV software reported that the file was clean. Previously TrendMicro's online URL scanner reported that the URL was not infected.

If we examine the source for the page we are looking at now, we find that the GIF file's URL is located within a DIV block whose attribute is "display:none;". I'm not a HTML programmer, but presumably this means that the problematic content is not displayed. (In Firefox select View -> Page Source.)

When we examine the "GIF" file in a text editor, we see typical HTML header information followed by a data block disguised as hexadecimal ASCII. This data block is really a block of HTML code.

This is how it appears in its encoded form (only a small excerpt at the beginning is shown):

(function(){var retkknhb="";var fsyiyeee="77696e646f772e6f6e6c6f6164203d2066756e6374696f6e28297b66756e6374696f6e20783232627128612c622c63297b69662863297b7661722064203d206e6577204461746528293b642e7365744461746528642e6765744461746528

This is what the encoded part (7769...) looks like when it is decoded:

window.onload = function(){function x22bq(a,b,c){if(c){var d = new Date();d.setDate(d.getDate()+c);}if(a && b) document.cookie = a+'='+b+(c ? '; expires='+d.toUTCString() : '');else return false;}function x33bq(a)

If we look further into this encoded block we find the URL of an ad server:

http colon // js dot ogromnuezadnicu dot info / megaadvertize / ?blah-blah-blah

ISTM that this block of code is a devious, convoluted mechanism for evading ad blockers in one's browser. It appears that its function is to serve up an ad, whether we like it or not.

The server's domain name resolves to an IP address of 188.166.149.17 which is owned by Digital Ocean, Inc.

https://apps.db.ripe.net/search/query.html?form_type=simple&full_query_string=&searchtext=188.166.149.17&do_search=Search

Interestingly, in several Slavic languages "ogromnuezadnicu" translates as "enormous backside". Where else would ads come from?

After we get past the initial ad, the GIF/HTML file just serves up regular Grey Nomad content.

If you are one of the growing army of grey nomads discovering, or hoping to discover, the joys of the open road in this wonderful country, then this site is for you.

Thank you Cindy a job well done as we have come to expect. I believe you are under paid.

 

 

Dave 

Linux is simply not a practical solution for most users.

Top Ten Disadvantages of Linux

http://www.brighthub.com/computing/linux/articles/12838.aspx