
Admin, please scan this sites file for virus

If you find any bugs with the SWGCreatures.com website (NOT SWG THE GAME!), be sure to let me know!
Tev
Posts: 3
Joined: Thu Mar 11, 2004 10:45 am
Location: MA, USA

Postby Tev » Sun Mar 14, 2004 9:01 am

Every time I come to this website my computer suddenly detects a virus on the frontpage, and I have to run a complete scan, it picks up a trojan every time. Is this a misinformed virus detector of a script you are running? Or could this site possibly have a script running that is affecting my machine?
Thanks for your time.
Juntao
Site Admin
Posts: 440
Joined: Sun Sep 28, 2003 8:17 pm
Location: Austin, TX

Postby Juntao » Mon Mar 15, 2004 4:42 pm

Hrm, well that's not very cool, is it =/

This is a hosted site and I do not have direct access to the machine where the site is located. I will contact my provider and see if there is anything they can do.

I am really not very knowledgeable about that sort of thing, but I'm really unaware of possible viruses from just visiting a web site.

My site does use cookies and some of the advertisements use javascript which could be tripping a very sensitive scanner I suppose.

Anyone out there more knowledgeable about this sort of thing? Can you give any more info? Screenshots or anything?
Juntao Ta'kor
Master Creature Handler
Ahazi Galaxy
Tev
Posts: 3
Joined: Thu Mar 11, 2004 10:45 am
Location: MA, USA

Postby Tev » Tue Mar 16, 2004 1:50 am

I have done the research. It is not a virus, but actually a type of trojan, two are being delivered to my computer every time I enter the homepage of www.swgcreatures.com. The first trojan is dropper.inor.S. This is a basic trojan delivery program, after this file is in the temporary internet files and I reopen my web browser it launches its own page and downloads the complete version. All a dropper is is a program that "drops" another program into the homepage. The full trojan is called Startpage.inor.S. What this does basically is every time the user gets this in their temp files it rewrites a few simple lines of code in the registry and changes the homepage of the user's computer. It then points the homepage to some advertisement website and creates a few pop-up ads to other places.

This trojan in and of itself is not harmful, it's just an unethical way to advertise, and is considered a type of virus due to the fact that it works like a virus to enter the machine. This is most likely coming from an ad or cookie that is set up on this page.
Caaz D'Fey
Posts: 10
Joined: Thu Feb 12, 2004 5:00 am

Postby Caaz D'Fey » Tue Mar 16, 2004 6:06 am

I would bet it comes from the Javascript behind that "Ads by Google" banner up top. My Norton AV catches it and says it stops the script, but I still get the payload delivered to my desktop and get my start page rewritten. If the culprit is indeed that banner, you might want to look into other ways of funding the site :?
Colonel Caaz "Deadeye" D'Fey
Master Gunfighter, Creature Wrangler, & Aspiring Jedi Novice
Juntao
Site Admin
Posts: 440
Joined: Sun Sep 28, 2003 8:17 pm
Location: Austin, TX

Postby Juntao » Tue Mar 16, 2004 9:21 am

Well, this is disturbing to say the least.

What Virus scanner are you using? I am going to try to track this down ASAP.

Thank you for your time and efforts!
Juntao Ta'kor

Master Creature Handler

Ahazi Galaxy
Caaz D'Fey
Posts: 10
Joined: Thu Feb 12, 2004 5:00 am

Postby Caaz D'Fey » Wed Mar 17, 2004 6:55 am

I'm using an old (2002) version of Norton Antivirus, which just identifies a "malicious script". Sounds like Tev is using something newer that's able to identify the specific Trojan.
Colonel Caaz "Deadeye" D'Fey

Master Gunfighter, Creature Wrangler, & Aspiring Jedi Novice
Tev
Posts: 3
Joined: Thu Mar 11, 2004 10:45 am
Location: MA, USA

Postby Tev » Sun Mar 21, 2004 11:26 am

I use AVG, it's a free virus scanner. I do not think it is the Google banner, cause I go to plenty of sites that Google advertises on in the same way. I think it is the banner at the top of the screen, the one that actually covers the site's banner up with its ad, tries to get you to go to earthlink, and others. Their privacy policy is pretty interesting, and not only does this rewrite your startpage, it also transfers information about the websites you visit back to them, they get this info so they know where to offer their advertisements to. I will continue to come here... I cannot keep away from this site any longer. However it is really annoying to have to scan and remove these files every time I visit here.
Lantyssa
Field Biologist
Posts: 385
Joined: Tue Nov 11, 2003 6:43 pm
Location: Alya'Starn, Corellia (Starsider)

Postby Lantyssa » Mon Mar 22, 2004 5:03 pm

I had lots of trouble with timing out on the ascension links myself, so I made it so my browser ignores their ads.

As I was never forwarded or had my homepage reset, I'm wondering if it isn't more going on, like the banner triggering another running program. Have you tried downloading ad-aware and running it?

A possible work-around (Juntao, feel free to edit this if it violates the terms of your hosting agreement):

1) Find the file called "hosts". On Win2k/XP it is located in the path "C:\windows\system32\drivers\etc\hosts".

2) At the bottom on a new line, add in the entry "127.0.0.1 premium.ascensionweb.com". You may need to do a similar thing with "www.ascensionweb.com", but I think it is the premium addy that is causing the problem.

3) Save the file. You may need to reboot or wait a significant amount of time before the hosts file is read again. (Reboot is easiest)

What this change does is direct your machine to itself instead of these sites, so it will act like a broken link. As the page doesn't rely on these to function, your browser simply skips the information and behaves properly.

You will not be able to access these sites by name address however, so if you actually plan on using them, this solution will not work for you. If you want to revert the changes, delete the line and reboot.

(As a side note, you can use this for ad-servers. A lot of garbage can be blocked this way. Or if you have kids, you can block other undesirable sites as well.)
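
The hosts-file workaround above as a script, added here as an example and not part of the original post: it backs the file up to hosts.bak before editing, appends only the entries that are missing, and leaves names that are already mapped alone. The function names are hypothetical, and the demo runs on a constructed hosts file in a temporary directory rather than the real one.

```python
import shutil
import tempfile
from pathlib import Path

# Hostnames named in the post above; 127.0.0.1 is the address it points them at.
BLOCKED = ["premium.ascensionweb.com", "www.ascensionweb.com"]
SINKHOLE = "127.0.0.1"

def mapped_hosts(text):
    """Return {hostname: address} for every active (non-comment) hosts entry."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) >= 2:
            for name in fields[1:]:              # one line may carry aliases
                table[name.lower()] = fields[0]
    return table

def block_hosts(hosts_path, names=BLOCKED, sinkhole=SINKHOLE):
    """Append sinkhole entries for names not yet mapped; return names added."""
    path = Path(hosts_path)
    text = path.read_text()
    existing = mapped_hosts(text)
    # Names that already have an entry are left alone, whatever they map to.
    missing = [n for n in names if n.lower() not in existing]
    if not missing:
        return []                                # idempotent: nothing to do
    shutil.copy2(path, path.with_name(path.name + ".bak"))  # backup first
    if text and not text.endswith("\n"):
        text += "\n"                             # entry must start a new line
    text += "".join(f"{sinkhole} {n}\n" for n in missing)
    path.write_text(text)
    return missing

def demo():
    """Run against a constructed hosts file in a temp dir, not the real one."""
    with tempfile.TemporaryDirectory() as d:
        hosts = Path(d) / "hosts"
        # Constructed sample content, deliberately without a final newline.
        hosts.write_text("# constructed sample\n127.0.0.1 localhost")
        first = block_hosts(hosts)
        second = block_hosts(hosts)              # second run changes nothing
        backup = (Path(d) / "hosts.bak").read_text()
        return first, second, hosts.read_text(), backup

if __name__ == "__main__":
    print(demo())
```

To revert, restore hosts.bak over hosts or delete the appended lines.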
Caaz D'Fey
Posts: 10
Joined: Thu Feb 12, 2004 5:00 am

Postby Caaz D'Fey » Tue Mar 23, 2004 6:21 am

Tev - you're right, I didn't look closely enough at the banners up top.

Lantyssa - that's great advice for folks who are comfortable going under the hood and editing system files. The only thing I would add is that folks should make a backup copy of a file ("hosts.bak" for example) before doing something like that.

FWIW, I just downloaded and installed ADA-ware (Ad-Aware) and highly recommend it. Very quick download, very slick software, and it works just as.. er.. advertised. www.adaware.com
Colonel Caaz "Deadeye" D'Fey

Master Gunfighter, Creature Wrangler, & Aspiring Jedi Novice
Juntao
Site Admin
Posts: 440
Joined: Sun Sep 28, 2003 8:17 pm
Location: Austin, TX

Postby Juntao » Tue Mar 23, 2004 9:35 am

So here's the problem I am having. I currently run Panda anti virus. I went ahead and downloaded a trial version of Norton and the full version of AVG. I never once got any kind of notification that anything was trying to load when I was visiting the site.

The only thing I can figure out is that there is something with javascript in that you already have something installed on your machine maybe? And something is triggering it to load up when you visit parts of the site?

I'm going to keep looking, but as of right now, I can't find anything, even using the virus scanners you guys mention.



Tev -
"Their privacy policy is pretty interesting, and not only does this rewrite your startpage, it also transfers information about the websites you visit back to them, they get this info so they know where to offer their advertisements to"

Where did you see this? Could you possibly point me in the right direction? I'm trying very hard to see if this is any kind of vulnerability on the site rather than something 3rd party.
Juntao Ta'kor

Master Creature Handler

Ahazi Galaxy
