1. #1

    Possible Malware through MMO's ads

    Earlier today (9:30ish CST) I got infected on my work computer with a fake antivirus (called itself Win 7 Antivirus 2011 but that's pretty irrelevant). I was browsing MMO-Champion and my university's private work pages in Firefox (without an ad blocker like I do at home) when I got a "notification" that my computer was "at risk." Considering I work at the university in the IT department cleaning students' machines of this exact issue, I know I wasn't actually at risk and that it was fake.

    The virus did what it does, eventually blocking me out of FF and IE and not allowing me to install Malwarebytes. Since that particular computer is normally just for testing I just DBANed it and reinstalled the image again, but I figured I should contact someone here to see if they could track it through their ads or do something to stop it from infecting other users' computers. I'd rather not have someone less computer-savvy get infected and think it's a legit program. Unfortunately, since I was at work all day and I couldn't remember my password I couldn't get this to you guys sooner; hopefully you can look into this (if that's even possible) before anyone else gets infected.
    Last edited by Narcuru; 2011-06-14 at 12:15 AM.

  2. #2
    I have had several fake "your computer is infected" pop-ups from this site on my older comp. I have also talked to several ppl that don't or won't use the site because of issues like this in the past. Not sure what does it, but odd things happen here from time to time on computers without good safety programs running.

  3. #3
    FOR ANYONE GETTING THIS VIRUS: my sister got one such virus on her PC, I fixed it by doing the following:

    1- when prompted for 'validation' of the 'antivirus', I searched a fake serial on the internets (and yes, I found some)
    2- entered the serial
    3- it unblocked all the important things like IE, Firefox and Regedit.exe
    4- deleted the virus' registry (with the help of an internet guide because I would obviously have been lost for hours)
    5- manually deleted the remains of the virus (random exe in my documents if memory serves)

  4. #4
    Usually it's bad javascript (i.e. outdated) that when a bad ad comes in it'll just auto download using some exploit. I can't honestly be sure if that particular computer's javascript was fully updated (as I mentioned, it's mainly used for testing. I'm a student working over the summer so I get the crap computer for when I'm wasting time :P), but since it happened to me and I know how to fix it I figured I'd send the info along in case it helps them find the culprit if possible. This particular variant is rather nasty as it locks down your browsers so you can search or go anywhere without running a scan and also even has Windows' alert center tell you it needs to be turned on so that it can protect you. All very official looking and easy to scare people who wouldn't know better.

    Quote Originally Posted by zlygork View Post
    FOR ANYONE GETTING THIS VIRUS: my sister got one such virus on her PC, I fixed it by doing the following:

    1- when prompted for 'validation' of the 'antivirus', I searched a fake serial on the internets (and yes, I found some)
    2- entered the serial
    3- it unblocked all the important things like IE, Firefox and Regedit.exe
    4- deleted the virus' registry (with the help of an internet guide because I would obviously have been lost for hours)
    5- manually deleted the remains of the virus (random exe in my documents if memory serves)
    If you're scared of messing with the registry (which can be a huge issue if you mess up), alternatively you can try starting in safe mode with networking, downloading Malwarebytes (or getting MBAM from a different computer and transferring it over), and trying to install it and run it then. Sometimes that will work, other times it won't, depending on the variant. If not then you either have to try the registry or wipe the drive and reinstall.
    Last edited by Narcuru; 2011-06-13 at 11:33 PM.

  5. #5
    Quote Originally Posted by Narcuru View Post
    Usually it's bad javascript (i.e. outdated) that when a bad ad comes in it'll just auto download using some exploit. I can't honestly be sure if that particular computer's javascript was fully updated (as I mentioned, it's mainly used for testing. I'm a student working over the summer so I get the crap computer for when I'm wasting time :P), but since it happened to me and I know how to fix it I figured I'd send the info along in case it helps them find the culprit if possible. This particular variant is rather nasty as it locks down your browsers so you can search or go anywhere without running a scan and also even has Windows' alert center tell you it needs to be turned on so that it can protect you. All very official looking and easy to scare people who wouldn't know better.
    A friend of mine got it even worse. It appears that if you let the virus run for a long period, it fucks up your whole registry. I wanted to do the methods I said above on his PC but it seems his computer didn't know how the f to run an exe program. Not being a real expert when it comes to registry and such, I really couldn't help in that case.

  6. #6
    Virus distribution through Flash/Java Ads are common...

    Many sites, including many of the most popular Warcraft-related websites (including Curse/Wowhead), have been victims of Flash/Java ads with embedded code. Bear in mind that these sites are not responsible for the content of the ads; they are victims as much as you.

    I strongly suggest you run Anti-Virus (updated regularly) and use a Web Browser with an effective Ad-Blocking Plug-In. Personally I have never been hacked nor infected with a Virus. I use AVG (Free Edition) for my Virus Scanner and I use Firefox with Adblock Plus/NoScript plug-ins for my Web Browser. (All freeware)
    Last edited by Iosif; 2011-06-13 at 11:35 PM.

  7. #7
    Quote Originally Posted by Iosif View Post
    Bear in mind that these sites are not responsible for the content of the ads; they are victims as much as you.

    I strongly suggest you run Anti-Virus (updated regularly) and use a Web Browser with an effective Ad-Blocking Plug-In. Personally I have never been hacked nor infected with a Virus. I use AVG (Free Edition) for my Virus Scanner and I use Firefox with Adblock Plus/NoScript plug-ins for my Web Browser. (All freeware)
    I'm well aware of the issues with flash and Java (hence why I run Adblock Plus on my home computer).

    I'm not sure what you mean by the them being responsible part though. I'm not blaming anyone (in reality I was laughing with a colleague of mine since we fix people's computers with this exact problem all the time, and it's kind of a useful thing to see what it does in practice so I can better help the other students). This thread is more about seeing if the MMO people can look and see if there was any particular part in the ads they are serving out that they could see that would have caused this. If it's impossible for them (since it comes via a third party) then it's impossible, not a big deal.

    Also AVG (which I use on my home computer) and the like generally do not find these fake antivirus programs (the uni has a deal with McAfee which even with the most updated dats at the time didn't find anything on that computer (not that McAfee is amazing by any stretch of the imagination though)). So far our standard operating procedure in the university is to boot off a bootable disk we have that then scans the computer with MBAM which pretty much always finds it and gets rid of it. When it doesn't we have to wipe the machine but only as a last resort.
    Last edited by Narcuru; 2011-06-13 at 11:44 PM.

  8. #8
    Deleted
    A few weeks back my laptop unfortunately got infected :/ had to go without WoW for a week XD
    Not sure if it is the same thing but it was a fake malware system that tried to get me to pay them :P
    Stopped all programs from running, lucky for me my friend had a Windows 7 copy he lent me to wipe my computer :P I'm not too tech savvy so I figured why not get rid of all my other crap too.

    I was thinking it was because of weak protection on my comp, if it is MMO-Champ I gotta say I'm worried =/

  9. #9
    Quote Originally Posted by Akarui View Post
    A few weeks back my laptop unfortunately got infected :/ had to go without WoW for a week XD
    Not sure if it is the same thing but it was a fake malware system that tried to get me to pay them :P
    Stopped all programs from running, lucky for me my friend had a Windows 7 copy he lent me to wipe my computer :P I'm not too tech savvy so I figured why not get rid of all my other crap too.

    I was thinking it was because of weak protection on my comp, if it is MMO-Champ I gotta say I'm worried =/
    Really it can be any website (or at least any website that has ads).

    Iosif does have good advice though. Get an antivirus program (AVG, Microsoft Security Essentials, Kaspersky all of them free and pretty good) and download Malwarebytes.

    Make sure you set the antivirus software to auto update and auto run scans (at home mine scans every night but that's probably overkill for the typical user). I don't remember if Malwarebytes can auto update (might have to pay for that feature), but make sure you update and scan regularly with it too. It can and will find things a normal antivirus program won't find (including trojans and key loggers).

    Use Adblock Plus in FF (or equivalents, I'm not sure if IE has one yet or not but I'm guessing no) which will not only block ads but also leave you considerably safer from these drive-by attacks (ones that involve not even having to click on anything to download the virus). NoScript can be useful as well but know that it can sometimes leave legit websites that rely on javascript unusable.

  10. #10
    Just to put in my two cents:
    I've been using Chrome for the past 9 months as my only means of travel to MMO-Champion, and my computer is set to automatically update stuff (Windows, Flash, Java, etc.) and running XP and Symantec antivirus. I've yet to encounter one warning from MMO-Champion in those 9 months. My other computer running Windows 7 has seen one or two warnings, but I've seen them on a few different sites (same warning) before I reformatted, so I wasn't terribly concerned that it was an MMO-Champion specific incident (for some of you it may be, who knows).

  11. #11
    Quote Originally Posted by zlygork View Post
    FOR ANYONE GETTING THIS VIRUS: my sister got one such virus on her PC, I fixed it by doing the following:

    1- when prompted for 'validation' of the 'antivirus', I searched a fake serial on the internets (and yes, I found some)
    2- entered the serial
    3- it unblocked all the important things like IE, Firefox and Regedit.exe
    4- deleted the virus' registry (with the help of an internet guide because I would obviously have been lost for hours)
    5- manually deleted the remains of the virus (random exe in my documents if memory serves)
    You can also just run Malwarebytes in "Safe Mode w/ Networking" and it will do the same thing (including the fixing of registry errors)...

    OT: Yeah, rarely an ad here will be a malicious one that takes advantage of a Flash or Java vulnerability. It is best to keep your Flash/Java updated and to download a decent antivirus (I recommend Microsoft Security Essentials or Malwarebytes Anti-Malware) and run it every now and then. Those fake antiviruses are pretty simple to get rid of.

    You can download an ad blocker (they're available on both Firefox and Chrome). For a long time, I was adamant about not getting one (because ads are a significant source of income for MMO-C), but I just couldn't take the FULL PAGE Rift ads anymore. They also have the additional benefit of (mostly) stopping those malicious ads from getting through.

    Edit: I just noticed that you say you use an ad blocker at home, disregard then. Tbh, I'm not sure what the purpose of this thread is now, to inform us? Most of us are aware of the issue, unfortunately, there's not much Bibi can do because he doesn't specifically choose what ads show up (to my knowledge).
    Last edited by noteworthynerd; 2011-06-14 at 03:15 PM.

  12. #12
    Deleted
    We're able to prevent certain ads from showing up in the ad rotation, but to do that, we need information as outlined here.

  13. #13
    Quote Originally Posted by Narcuru View Post
    Earlier today (9:30ish CST) I got infected on my work computer with a fake antivirus (called itself Win 7 Antivirus 2011 but that's pretty irrelevant). I was browsing MMO-Champion and my university's private work pages in Firefox (without an ad blocker like I do at home) when I got a "notification" that my computer was "at risk." Considering I work at the university in the IT department cleaning students' machines of this exact issue, I know I wasn't actually at risk and that it was fake.

    The virus did what it does, eventually blocking me out of FF and IE and not allowing me to install Malwarebytes. Since that particular computer is normally just for testing I just DBANed it and reinstalled the image again, but I figured I should contact someone here to see if they could track it through their ads or do something to stop it from infecting other users' computers. I'd rather not have someone less computer-savvy get infected and think it's a legit program. Unfortunately, since I was at work all day and I couldn't remember my password I couldn't get this to you guys sooner; hopefully you can look into this (if that's even possible) before anyone else gets infected.
    That is what happened to me yesterday, as well. It's not a virus - it's a Trojan. In my case, it was called UUO.exe. Within a moment it deleted Microsoft Security Essentials and Avast Anti-Virus and replaced the .exe extension in the registry to execute the application every time a program was run. This gave it the opportunity to prevent me from installing or using common repair utilities (like regedit).

    The easiest way to clear it is this:

    - Use the task manager to locate the running program. It will usually be a very oddly-named application you may not be familiar with. Right click and select Properties and you will see where it is located (my two were called rio.exe and uuo.exe)
    - Restart the computer in safe mode
    - Delete the offending file and any other instances you find
    - Go to Start > Run, and type "command"
    - Type regedit
    - Repair the .exe file association: http://support.microsoft.com/kb/555067

    Problem solved. Took me maybe 10 minutes.
    Last edited by Darsithis; 2011-06-14 at 03:58 PM.
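
The .exe association change described in the post above can be checked offline from a registry export. The following is an added example, not part of the original thread: it goes slightly beyond the post by checking both the per-user and machine-wide Classes roots. It assumes the standard Windows defaults (`.exe` maps to `exefile`, whose open command is `"%1" %*`); the `secfile` ProgID and the file path in the sample are constructed for illustration.

```python
import re

# Defaults on a clean Windows install; keys are relative to a Classes root.
EXPECTED = {".exe": "exefile", r"exefile\shell\open\command": '"%1" %*'}
ROOTS = (
    "hkey_classes_root\\",
    "hkey_local_machine\\software\\classes\\",
    "hkey_current_user\\software\\classes\\",  # per-user override, wins over HKLM
)

def parse_reg_defaults(text):
    """Map each key in `reg export` text to its (Default) value, if set."""
    defaults, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg strings escape backslash and quote with a backslash
            defaults[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return defaults

def find_hijacks(text):
    """Return findings where the .exe association differs from the default."""
    defaults = parse_reg_defaults(text)
    findings = []
    for key, value in defaults.items():
        root = next((r for r in ROOTS if key.startswith(r)), None)
        if root is None:
            continue
        sub = key[len(root):]
        expected = EXPECTED.get(sub)
        if expected is None or value.lower() == expected.lower():
            continue
        handler = None
        if sub == ".exe":  # follow the substituted ProgID to its launch command
            handler = defaults.get(root + value.lower() + r"\shell\open\command")
        findings.append({"key": key, "value": value, "handler": handler})
    return findings

# Constructed sample (not from a real machine); real exports are UTF-16 text
# and must be decoded before being passed in.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Users\\test\\AppData\\Local\\uuo.exe\" -a \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_EXPORT):
        print(f)
```

The `handler` field shows which program would be launched in place of every .exe, which is the file to remove before the association is repaired.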

  14. #14
    Quote Originally Posted by zlygork View Post
    FOR ANYONE GETTING THIS VIRUS: my sister got one such virus on her PC, I fixed it by doing the following:

    1- when prompted for 'validation' of the 'antivirus', I searched a fake serial on the internets (and yes, I found some)
    2- entered the serial
    3- it unblocked all the important things like IE, Firefox and Regedit.exe
    4- deleted the virus' registry (with the help of an internet guide because I would obviously have been lost for hours)
    5- manually deleted the remains of the virus (random exe in my documents if memory serves)
    You entered a fake serial into a fake antivirus to get rid of it? Hahahahaha.

  15. #15
    Quote Originally Posted by zlygork View Post
    A friend of mine got it even worse. It appears that if you let the virus run for a long period, it fucks up your whole registry. I wanted to do the methods I said above on his PC but it seems his computer didn't know how the f to run an exe program. Not being a real expert when it comes to registry and such, I really couldn't help in that case.
    My earlier post has the fix for that if he still needs help: http://support.microsoft.com/kb/555067

  16. #16
    I got that once, found the .exe in my processes, searched it up, deleted it, and everything went back to normal.
