Fortress Forever

Go Back   Fortress Forever > Off Topic > Tech

Reply
 
Thread Tools Display Modes
Old 07-14-2010, 03:37 AM   #1
Bridget
Banned
 
Bridget's Avatar
 
Join Date: Sep 2008
Class/Position: Soldier
Gametype: AVD
Affiliations: TALOS
Posts Rated Helpful 5 Times
Exclamation FPSBanana Infected Again

This isn't that surprising. I've been infected from browsing FPSB before. I even made a thread here. I figured the problem had been resolved, but apparently it hasn't.

Quote:
The site is currently infected with the 'Black Internet' trojan.

It's embedded in the site itself somehow, which means all you have to do is go there-- you don't have to download anything, and you'll be infected. All the following programs did not detect the trojan AVG, Ad-Aware and Windows Defender.

If you've been to FPSBanana in the last day or less, check your task manager. Look for iexplore.exe running-- or multiple instances of it if you are surfing with internet explorer, of course. You might also be hearing audio advertisements and/or multiple weird noises and mouseclicks.

Apparently this trojan infects the MBR, to fix the virus problem make all folders viewable in the control panel -> large icons -> folder options -> view -> show hidden files, folders and drives, then reboot in Safe Mode and go here:

C:\Users\YOURUSERNAME\Appdata\Local\Temp

and deleting these two files:

Loader.exe
Smss.exe

And until further notice I strongly suggest that you avoid going to the website.
Quote:
The new FPSBanana virus is a Rootkit virus known as "Black Internet". It is extremely dangerous to your system and security on your computer. A Rootkit virus buries itself into your Master Boot Record which forces the virus to load upon startup. You cannot disable the virus through safe-mode or "msconfig".
!NOTE!
VIRUS SCANNERS WILL NOT DETECT OR FIND THIS VIRUS! ONLY REAL-TIME VIRUS PROTECTION CAN DETECT AND STOP THIS VIRUS FROM BEING INSTALLED.

As of right now, the only working real-time detection and stopping of this virus is Kaspersky. Kaspersky will NOT remove the virus if you already have it.
The virus is obtained through a Java exploit from the advertisements on FPSBanana. Adblock will NOT stop you from getting this virus. Even if you have Ripe, you can still get this virus.

What does it do?
First, the virus buries itself into your Master Boot Record to keep you from detecting and removing the virus easily with any type of virus protection software. Afterwards, it loads up an application that will keep Internet Explorer open and showing you ads in the background or hidden voice ads. There are also reports of this being a Backdoor virus also which can transfer your sensitive information to the creators.

Symptoms
- Internet Explorer opens with ads randomly
- Windows keep minimizing
- Your computer sound will keep turning up and down randomly
- You will hear the clicks of pages being browsed in the background
- Visiting websites might not work

Do I have the Virus?
Even if you think you do not have the virus, you could still be infected!
There is an easy way to test if you have the virus. Follow these steps...

Step 1)
Press CTRL+ALT+DEL on your keyboard. Click "Open Task Manager".

Step 2)
On the Task Manger, click the "Processes" tabs.

Step 3)
Look through your processes for "loader.exe". If you have that file running, there will also be one or multiple instances of "iexplorer.exe". If so, You are infected!

Image

Removing the Virus
To remove this virus, you are REQUIRED to have a Windows disk corresponding to your version of Windows OR a recovery drive that came from factory. If you do not, you are pretty much screwed... There are other ways but they have a 10% chance of working.

So now, insert your Windows disk into your CD/DVD drive and restart your computer. When it says to "Press any key to continue..." do so. If you have a recovery drive, you will either have to press a key that is defined on the Bios screen or press F8 before Windows loads. Choose to recover your Windows installation.

After you choose the option to recover your Windows Installation, you can choose to use Command Prompt to do so. Once the Command Prompt opens, type the following...

Windows XP: fixmbr
Vista or 7: bootrec.exe /FixMbr

After the process completes, you can then close command prompt and Restart your computer. When the computer loads up again, the Virus has been disabled. You just need to delete the file.

You can either use CCleaner to delete all over your Windows Temporary Files or goto your temp folder in the following location...
Windows XP: C:\Documents and Settings\Application Data\temp
Vista or 7: C:\Users\[YOUR USERNAME]\AppData\Local\Temp

Find the file "loader.exe" and delete it.

You should be all set now and the infection should be gone. Double check by following the the steps to check for the virus above.
Bridget is offline   Reply With Quote


Old 07-14-2010, 04:04 AM   #2
Bridget
Banned
 
Bridget's Avatar
 
Join Date: Sep 2008
Class/Position: Soldier
Gametype: AVD
Affiliations: TALOS
Posts Rated Helpful 5 Times
Apparently, you can prevent this using Adblock. Put the following into your Adblock filters:

Quote:
*lau9.cn*
*o9Ji.cn*
(Adblock is a free Firefox plugin that removes advertisements. It's highly recommended.)
Bridget is offline   Reply With Quote


Old 07-14-2010, 04:54 AM   #3
Pixel
if(0>1){printf("broked");}
Beta Tester
 
Pixel's Avatar
 
Join Date: Mar 2007
Location: Amerika
Class/Position: O
Posts Rated Helpful 3 Times
Or Run NoScript

Quote:
The virus is obtained through a Java exploit from the advertisements

Last edited by Pixel; 07-14-2010 at 04:55 AM.
Pixel is offline   Reply With Quote


Old 07-14-2010, 06:14 AM   #4
Paft
Beta Tester
 
Paft's Avatar
 
Join Date: Mar 2007
Location: UK - http://forums.fortress-forever.com
Class/Position: [O] Med
Gametype: CTF/Skills
Posts Rated Helpful 67 Times
Visited just a couple of hours ago if that. Was linking someone on Steam forums.

I don't have loader.exe or iexplorer.exe running.

I use Addblock Plus (with fanboy's and that default list), Microsfoft Seurity Essentials and Peerblock...

Edit:
Quote:
Originally Posted by Pixel
The virus is obtained through a Java exploit from the advertisements
Guess that's why I'm OK then. Or not..

Last edited by Paft; 07-14-2010 at 06:25 AM.
Paft is offline   Reply With Quote


Old 07-14-2010, 12:52 PM   #5
moosh
WhenNailGrenWillOut?
Beta Tester
 
moosh's Avatar
 
Join Date: May 2009
Gametype: mp_prematch
Affiliations: [:)] - Frag Happy, babe|
Posts Rated Helpful 29 Times
FPSBanana is slow as fuck too. Sometimes I can barely get stuff to work. Thanks for informing me ,I have a few maps uploaded there.
__________________
[[ ff_hotfudge - bhop_theonlyone ]]
"As the the new year approaches I await for it like an case of explosive fecalomania otherwise know as diareha or the massive shits. I am gripping the sides of the toilet as my stomach produces the first hollow thud out of the anus of the year to come." DarkeN_HellspawN
moosh is offline   Reply With Quote


Old 07-14-2010, 02:43 PM   #6
EquilibriuM
G9-
D&A Member
 
EquilibriuM's Avatar
 
Join Date: Sep 2007
Location: Florida
Class/Position: D Solly,Engy
Gametype: ALL
Posts Rated Helpful 0 Times
Quote:
Originally Posted by Pixel View Post
Or Run NoScript
Thats what i been using for sometime now its great it blocks alot of bs scripting/advertising/etc.
__________________
EquilibriuM is offline   Reply With Quote


Old 07-14-2010, 06:13 PM   #7
Lost
Fear teh crowbar.
Retired FF Staff
 
Lost's Avatar
 
Join Date: Jan 2005
Location: Oklahoma
Gametype: CTF ftw, yeh
Posts Rated Helpful 6 Times
Send a message via Yahoo to Lost
Is No Script a Firefox plugin?
__________________
Do what you want cuz a pirate is free!

You are a pirate!
Lost is offline   Reply With Quote


Old 07-14-2010, 06:54 PM   #8
Gwarsbane
Slayer of humans
D&A Member
 
Gwarsbane's Avatar
 
Join Date: Sep 2007
Location: Mostly on earth though in some alt dimensions
Class/Position: I'm an Offensive Defensive person
Gametype: Fortress Forever
Affiliations: I'm a merc, only thing that talks is money
Posts Rated Helpful 3 Times
Yes

Having AdBlock Plus and No Script active is a good idea.

NoScript

Adblock Plus


In all the years since I first started using firefox with noscript and adblock I have not had one infection.

I still scan everything I download first before running it, and I still do scans on my system now and then but every scan has been clean.
Gwarsbane is offline   Reply With Quote


Old 07-15-2010, 12:39 AM   #9
Lost
Fear teh crowbar.
Retired FF Staff
 
Lost's Avatar
 
Join Date: Jan 2005
Location: Oklahoma
Gametype: CTF ftw, yeh
Posts Rated Helpful 6 Times
Send a message via Yahoo to Lost
I haven't had any infections since I started using Firefox to be honest. But I do like a good popup blocker, thanks!
__________________
Do what you want cuz a pirate is free!

You are a pirate!
Lost is offline   Reply With Quote


Old 07-15-2010, 01:19 AM   #10
GenghisTron
AKA LittleAndroidMan
D&A Member
Beta Tester
 
GenghisTron's Avatar
 
Join Date: Sep 2007
Location: Dystopia
Class/Position: Demo/Medic
Gametype: CTF
Affiliations: [TALOS] [SR]
Posts Rated Helpful 11 Times
Haven't had a single malicious file pop up in Malwarebytes in months. I have UAC and al the Windows safety precautions turned off. The trick is to only browse legit sites and torrent from trusted uploaders. I am however considering using AdBlock, cuz more and more websites are moving towards advertisements with audio/video that always autostart, and they piss me off.
__________________
GenghisTron is offline   Reply With Quote


Old 07-15-2010, 05:01 AM   #11
Etzell
D&A Member
 
Etzell's Avatar
 
Join Date: Mar 2007
Posts Rated Helpful 0 Times
Quote:
Originally Posted by GenghisTron View Post
Haven't had a single malicious file pop up in Malwarebytes in months. I have UAC and al the Windows safety precautions turned off. The trick is to only browse legit sites and torrent from trusted uploaders. I am however considering using AdBlock, cuz more and more websites are moving towards advertisements with audio/video that always autostart, and they piss me off.
But how will you know if you won?
Etzell is offline   Reply With Quote


Old 07-15-2010, 09:31 AM   #12
moosh
WhenNailGrenWillOut?
Beta Tester
 
moosh's Avatar
 
Join Date: May 2009
Gametype: mp_prematch
Affiliations: [:)] - Frag Happy, babe|
Posts Rated Helpful 29 Times
Quote:
Originally Posted by Etzell View Post
But how will you know if you won?
Intuition.
__________________
[[ ff_hotfudge - bhop_theonlyone ]]
"As the the new year approaches I await for it like an case of explosive fecalomania otherwise know as diareha or the massive shits. I am gripping the sides of the toilet as my stomach produces the first hollow thud out of the anus of the year to come." DarkeN_HellspawN
moosh is offline   Reply With Quote


Old 07-16-2010, 12:15 PM   #13
Innoc
Hitman 2 1 Actual
 
Innoc's Avatar
 
Join Date: Mar 2007
Location: "Oscar Mike"
Gametype: FPS or RTS (just say NO to MMO)
Affiliations: Your Mom
Posts Rated Helpful 8 Times
Send a message via ICQ to Innoc Send a message via AIM to Innoc Send a message via MSN to Innoc Send a message via Yahoo to Innoc
Guys, this is one area in which you might consider virtualization. Virtual box is free...run your Windows guest with a baseline snapshot. If your guest gets nailed....roll back to the snapshot. I use Firefox with a number of plugins...including noscript and adblockplus...I'm also not on sketchy sites. But if you are...virtualization is a surefire way to ensure your system stays safe.
__________________
Mooga on Obama: He can cut taxes. Actually do something useful. Punch Nancy Pelosi in the face. Just to name a few.

You eventually run out of other people's money to spend.
Innoc is offline   Reply With Quote


Old 07-16-2010, 08:43 PM   #14
moosh
WhenNailGrenWillOut?
Beta Tester
 
moosh's Avatar
 
Join Date: May 2009
Gametype: mp_prematch
Affiliations: [:)] - Frag Happy, babe|
Posts Rated Helpful 29 Times
Is it still infected? I need to visit the site.
__________________
[[ ff_hotfudge - bhop_theonlyone ]]
"As the the new year approaches I await for it like an case of explosive fecalomania otherwise know as diareha or the massive shits. I am gripping the sides of the toilet as my stomach produces the first hollow thud out of the anus of the year to come." DarkeN_HellspawN
moosh is offline   Reply With Quote


Old 07-17-2010, 12:14 AM   #15
Anshinritsumai
°_o
 
Anshinritsumai's Avatar
 
Join Date: Mar 2007
Location: 127.0.0.1
Class/Position: Medic & Engy
Gametype: AvD
Affiliations: DM, OC, -[CfH]-
Posts Rated Helpful 0 Times
Quote:
Originally Posted by moosh View Post
Is it still infected? I need to visit the site.
This, bscly. I was on there just a few days before all this started too.
__________________
Anshinritsumai is offline   Reply With Quote


Old 07-17-2010, 06:34 AM   #16
Bridget
Banned
 
Bridget's Avatar
 
Join Date: Sep 2008
Class/Position: Soldier
Gametype: AVD
Affiliations: TALOS
Posts Rated Helpful 5 Times
I don't know.
Bridget is offline   Reply With Quote


Old 07-17-2010, 08:03 PM   #17
Paft
Beta Tester
 
Paft's Avatar
 
Join Date: Mar 2007
Location: UK - http://forums.fortress-forever.com
Class/Position: [O] Med
Gametype: CTF/Skills
Posts Rated Helpful 67 Times
Do what Innoc said
Or
Try http://www.sandboxie.com/
Or
If your're feeling brave use noscript, addblock as suggested.

I visited without noscript and as far as I know I am not infected.
Paft is offline   Reply With Quote


Old 07-20-2010, 11:33 PM   #18
NeonLight
NeoNL
Wiki Team
Beta Tester
 
Join Date: Oct 2008
Location: Boston, Mass
Class/Position: Soldier, Medic
Gametype: AvD
Affiliations: +M|M+ -RS
Posts Rated Helpful 170 Times
Safe yet?
NeonLight is offline   Reply With Quote


Old 07-21-2010, 12:29 AM   #19
Bridget
Banned
 
Bridget's Avatar
 
Join Date: Sep 2008
Class/Position: Soldier
Gametype: AVD
Affiliations: TALOS
Posts Rated Helpful 5 Times
Just get adblock plus and noscript.
Bridget is offline   Reply With Quote


Old 07-23-2010, 06:19 PM   #20
D-Moone
 
D-Moone's Avatar
 
Join Date: Dec 2008
Location: Eindhoven
Class/Position: Engineer/Demoman (D) | scout (O)
Gametype: ctf/ fun
Affiliations: [OAf] / LSD|
Posts Rated Helpful 0 Times
there are 2 iexplore.exe in my processes tab but no loader.exe does this mean im infected?
D-Moone is offline   Reply With Quote


Reply

Tags
fpsbanana, hacked, infection, rootkit, virus


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 10:51 PM.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.