eset please check out 3dgpu.com forums.

3dgpu.com forums tried but failed to infect me with a variant of win32/exploit.wmf trojan and a html/exploit.ieslice trojan.
it is on the web page section for:

Monday - October 9th, 2006
i went to click the link: You can read more in our forums here.

i am unable to contact Adam at the bottom of the section.

 

must not try link... must not try link...

 

I don't think it was intentional. AFAIK 3DGPU is not a rogue site....

 

Yeah, they've been compromised. There's an iframe that loads hxxp://link removed which contains various exploits, the malware executable/infection starter is located at hxxp://link removed.

 

I checked out the forum page and it tried to download "www.trwyol.com" file, this is only detected by 3 AV's as 'suspicious'.

 

hi all

i did try to go to that forum and my nod32 went mad and warned me too

imon says infected 16 cleaned 6 and sent two files to the lab for analysis

does that mean nod32 caught all the infections it tried to give me

http://img291.imageshack.us/img291/9899/desktopfq6.jpg

The file 'link removed' has been sent to Eset's labs for analysis.

The file 'Matrix.class' has been sent to Eset's labs for analysis.

 

Weird, it didn't do the same thing to me. That name 'www.trwyol.com' looks like a typical gromozon symptom. Be very careful with this site, gromozon is unbelievably bad news...

 

I'm using firefox, didnt receive any warnings from NOD32 at all, I've got it zipped up and will send it to all AV vendors.

 

Yeah, the iframe just loads an empty page with Firefox. I tested it with wget and custom user agent...

 

Antivir blocked everything as expected

 

What version are you using, Classic or Premium? I guess there would not be a difference in the detection.

Thanks,
Jerry

 

I use Classic...yep...they both use the exact same scanning engine and definition database.

 

Yeah...same happens with opera.

 

All malware links were removed. Please do not post direct links to malware/infected files in your post.


tD

 

site seems down now. the formu section I mean.

 

Update on the file "www.trwyol.com", it sits harmlessly on the desktop till activated, then once executed, it adds a BHO (emog.dll) on hijackthis, then when you open internet explorer it tries to download all manner of crap including 4 different files BOClean stopped, a trojan downloader and a new variant of Spysherrif adware. Also, it blocks access to this site, castlecops, gladiator and tech-guy sites on both firefox and IE.

 

"I don't think it was intentional. AFAIK 3DGPU is not a rogue site...."

it was not intentional, that is why i asked eset to do the actual checking of the site's trojan link. they have isolated computers to check such a site without infecting an important work computer or lan. this is the first time i went unknowingly to an infected forum. nod32 stopped the trojans and IE crashed.

 

You were right, I tried everything to sort it even deleted hosts file etc but I still couldnt access security sites or run superantispyware, I temporarily changed the name of SAS.exe, ran it and it detected Gromozon rootkit in Windows directory, removed and all is fixed.
This rootkit was completely missed by Blacklight, Sophos anti-rootkit and sysinternals rootkitrevealer, additionally it blocks you from accessing prevx website to download removal tool.

 

Hello, attila posted over at 3dgpu.com and left a comment linking here. While it seems as though the consensus/understanding here is that we at 3dgpu.com were hacked by an outside source, as the owner of 3dgpu, I wanted to confirm and assure everyone that we had less than zero to do with this.

Unless of course you count having our IPB forum software down by one revision level (2.1.6 instead of the current 2.1.7).

We acted quickly once it became apparent that we had been hacked and fixed the problem.

My appologies to anyone affected by the hack.

 

Attila, besides chasing you around the 'net and making it clear that this isn't a problem anymore despite the fashion in which you are presenting it, you made the statement that you were unable to contact Adam, why would you try to contact Adam instead of me (BULL @ 3dgpu).

From my perspective, it seems as though you are taking a bit to much joy in posting this on different forums implying (intentional or otherwise) that our forums are still infected.

This hack was devestating to our members/readership and traffic, please try not to make a point of over emphasizing it, especially after the fact without letting it be known that it has been corrected.