TV-VCR

Here we go again

Posted:

My computer is, not attacking itself, but attacking sending a request to adw95.com....

[Image: crapra3.th.jpg]

Digging into it, adw95.com is affiliated with banner82.com and google.info (Ring a bell? If not, remember when ST got hacked?). I don't like this one bit. I actually bet it's trying to send some kind of info Durr it is, it's trying to download some kind of malware. What the hell is going on here? This is a new install of Vista too. I did a full system scan on the drive not too long ago and it came back clean.

Edit edit: I read around some more (here). Quote, "...Today, drive-by downloads (malware being installed on a user's systems without you having to do anything) from mainstream sites are increasing on a daily basis. Many of the sites that have been affected by sql injection attacks, hosting malicious toolkits such as NeoSploit, or injected i-frames that lead to malicious sites, may trigger this alert..." I looked through my history and the alert came up immediately at the time I loaded a simtropolis page (specifically https://www.simtropolis.com/forum/messageview.cfm?catid=36&threadid=82349&STARTPAGE=4&FTVAR_FORUMVIEWTMP=Linearlastunread). And I know ST was hacked a few months ago from that big injection attack (again, those sites banner82.com and google.info come to mind). And I also remember that on my older install of vista, those alerts only came up when I was browsing ST. This raises some concerns.

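As an added illustration (not part of the original post and not Simtropolis's own code), here is one way a site operator could check stored page or post HTML for the injected script and i-frame references that the quoted advisory describes. The allowlist, the sample markup and its paths are constructed for the example; the flagged domains are the ones named in the post above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the operator expects pages to load from (assumed for this example).
ALLOWED_HOSTS = {"simtropolis.com", "www.simtropolis.com"}
# Domains named in the post above.
REPORTED_DOMAINS = ("adw95.com", "banner82.com", "google.info")

def is_hidden(attrs):
    """True for the zero-size or invisible styling typical of injected frames."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)

class ExternalLoadFinder(HTMLParser):
    """Collects <script> and <iframe> elements whose src points off-site."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = allowed_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        attrs = dict(attrs)
        host = (urlparse(attrs.get("src") or "").hostname or "").lower()
        if not host or host in self.allowed:
            return  # inline script or same-site resource
        reported = any(host == d or host.endswith("." + d) for d in REPORTED_DOMAINS)
        self.findings.append({"tag": tag, "host": host, "reported": reported,
                              "hidden": tag == "iframe" and is_hidden(attrs)})

def scan(html, allowed_hosts=ALLOWED_HOSTS):
    finder = ExternalLoadFinder(allowed_hosts)
    finder.feed(html)
    return finder.findings

# Constructed sample: a stored forum post body after a hypothetical injection.
SAMPLE = """<p>Nice skyline!</p>
<script src="http://www.adw95.com/b.js"></script>
<iframe src="http://cdn.example.net/x.html" width="0" height="0"></iframe>
<script src="https://www.simtropolis.com/js/forum.js"></script>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any finding with `reported` set matches a domain from this thread; other off-site hosts are listed for manual review against what the site is supposed to load.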
Posted:

They dumped some turds on simtropolis after the attack?

and now those turds are spawning baby turds onto our computers?

  • Original Poster
  • Posted:

    > Originally posted by: coolotter88
    > They dumped some turds on simtropolis after the attack?
    >
    > and now those turds are spawning baby turds onto our computers?

    I don't know. I did do an online scan with ESET and it didn't find anything. Doubt that I'm infected...

    Is anyone else getting this kind of stuff?

    Posted:

    Never trust an online scan.

    And no, I haven't had this problem. Partially because I use Firefox and run the "NoScript" add-on. All the scripting from the SQL injection wouldn't even run in my browser no matter how desperately it tried.

    EDIT: From the looks of the security log there, your computer is already a carrier.  The deal though is that this thing is a remote trojan downloader.  Those things won't show up on a virus scan until after you're already infected.

    Posted:

    > And no, I haven't had this problem. Partially because I use Firefox and run the "NoScript" add-on. All the scripting from the SQL injection wouldn't even run in my browser no matter how desperately it tried.

    Same.....firefox is rather glorious isn't it

  • Original Poster
  • Posted:

    > Originally posted by: Voar Tok
    > Never trust an online scan.
    >
    > And no, I haven't had this problem. Partially because I use Firefox and run the "NoScript" add-on. All the scripting from the SQL injection wouldn't even run in my browser no matter how desperately it tried.
    >
    > EDIT: From the looks of the security log there, your computer is already a carrier. The deal though is that this thing is a remote trojan downloader. Those things won't show up on a virus scan until after you're already infected.

    I'm using firefox too, although without no script. I found it annoying.

    And I'm infected? This is the second install I've had this happen on. I haven't downloaded anything shady, I've had the latest virus definitions, I've been using firefox, I've been using common sense... I don't see how I could be infected/part of a botnet/etc. etc. Don't mean to sound ignorant or anything.

    Posted:

    > Originally posted by: TV-VCR
    > > Originally posted by: Voar Tok
    > > Never trust an online scan.
    > >
    > > And no, I haven't had this problem. Partially because I use Firefox and run the "NoScript" add-on. All the scripting from the SQL injection wouldn't even run in my browser no matter how desperately it tried.
    > >
    > > EDIT: From the looks of the security log there, your computer is already a carrier. The deal though is that this thing is a remote trojan downloader. Those things won't show up on a virus scan until after you're already infected.
    >
    > I'm using firefox too, although without no script. I found it annoying.
    >
    > And I'm infected? This is the second install I've had this happen on. I haven't downloaded anything shady, I've had the latest virus definitions, I've been using firefox, I've been using common sense... I don't see how I could be infected/part of a botnet/etc. etc. Don't mean to sound ignorant or anything.

    Without NoScript, Firefox is just as vulnerable.

    And all the common sense, virus definitions, and honest downloading in the world won't protect someone from a remote trojan downloader.  Virus definitions won't find it until after it has already downloaded the remote file.  Until it does, it doesn't look like anything malicious.

  • Original Poster
  • Posted:

    > Originally posted by: Voar Tok
    > > Originally posted by: TV-VCR
    > > > Originally posted by: Voar Tok
    > > > Never trust an online scan.
    > > >
    > > > And no, I haven't had this problem. Partially because I use Firefox and run the "NoScript" add-on. All the scripting from the SQL injection wouldn't even run in my browser no matter how desperately it tried.
    > > >
    > > > EDIT: From the looks of the security log there, your computer is already a carrier. The deal though is that this thing is a remote trojan downloader. Those things won't show up on a virus scan until after you're already infected.
    > >
    > > I'm using firefox too, although without no script. I found it annoying.
    > >
    > > And I'm infected? This is the second install I've had this happen on. I haven't downloaded anything shady, I've had the latest virus definitions, I've been using firefox, I've been using common sense... I don't see how I could be infected/part of a botnet/etc. etc. Don't mean to sound ignorant or anything.
    >
    > Without NoScript, Firefox is just as vulnerable.
    >
    > And all the common sense, virus definitions, and honest downloading in the world won't protect someone from a remote trojan downloader. Virus definitions won't find it until after it has already downloaded the remote file. Until it does, it doesn't look like anything malicious.

    Well how do I get rid of it?

    EDIT: Voar Tok: http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=4843&jump=true#M4843

    Posted:

    I have McAfee Total Protection installed on my computer. I also have the default Windows Defender enabled. So, I think I have a good defense against malware.

    I don't know how you get rid of it. Unless you have anti-virus software on your computer, I haven't got a clue.

    I also have that annoying User Account Control disabled (that thing tries to usurp control of your computer!).

    It is eerie how it's connected to the same sites that were connected to the ST Outage.

    Disturbing.

  • Original Poster
  • Posted:

    Patricius, disabling UAC isn't the brightest idea in the world.

    Duke: I don't use NoScript because it's very annoying. I have to keep telling it to allow scripts for sites I go to, it messes up page loads for many sites, if I go to a site I was directed to, say to get something, it would mess everything up, and then again I couldn't just go around setting it to allow scripts from sites like ST which may not be 100% safe even though they have no intention of being dangerous. I ended up just disabling it.

    EDIT: Someone on the NIS forums wrote this:

    > Thanks for the post, as Jody mentioned, this is definitely a drive-by download being blocked by NIS. You have been protected by NIS when you visited a certain website. The domain you included (please do NOT visit or go to that domain) is one that is directly involved with SQL injection/drive-by download attacks. Also, I would recommend NOT visiting the site where you received the alert from either until they get it cleaned up.
    >
    > It looks like we still have the issue with the attack direction being switched and will be providing an update via LiveUpdate. You are being protected from the attack, NOT the other way around. Sorry this is causing confusion.
    >
    > Edit - I want to add that this explanation is for the "HTTP Malicious Toolkit Download Request" attack. We do have protection in the product where we are looking for malware, spyware, or misleading applications making outbound calls and is our post-infection protection. We prevent this from occurring and in this case your computer WOULD be the 'attacker'.

    Man, I'm confused.

    Posted:

    I haven't seen anything on my computer or my wife's.


    Always remember that you are unique. Just like everyone else.

    Posted:

    > Originally posted by: TV-VCR
    > > Originally posted by: Voar Tok
    > > > Originally posted by: TV-VCR
    > > > > Originally posted by: Voar Tok
    > > > > Never trust an online scan.
    > > > >
    > > > > And no, I haven't had this problem. Partially because I use Firefox and run the "NoScript" add-on. All the scripting from the SQL injection wouldn't even run in my browser no matter how desperately it tried.
    > > > >
    > > > > EDIT: From the looks of the security log there, your computer is already a carrier. The deal though is that this thing is a remote trojan downloader. Those things won't show up on a virus scan until after you're already infected.
    > > >
    > > > I'm using firefox too, although without no script. I found it annoying.
    > > >
    > > > And I'm infected? This is the second install I've had this happen on. I haven't downloaded anything shady, I've had the latest virus definitions, I've been using firefox, I've been using common sense... I don't see how I could be infected/part of a botnet/etc. etc. Don't mean to sound ignorant or anything.
    > >
    > > Without NoScript, Firefox is just as vulnerable.
    > >
    > > And all the common sense, virus definitions, and honest downloading in the world won't protect someone from a remote trojan downloader. Virus definitions won't find it until after it has already downloaded the remote file. Until it does, it doesn't look like anything malicious.
    >
    > Well how do I get rid of it?
    >
    > EDIT: Voar Tok: http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=4843&jump=true#M4843

    How do you erase a remote trojan downloader? It depends. If you're infected, you run a virus scan and get rid of it. If you're just a carrier and the thing is phoning home but not getting a response, then you don't get rid of it. Only good way to get rid of the thing is to wipe out Vista and reformat the drive. Either that or you can hope that Norton figures out a way to find it in an anti-virus sweep. To better explain what happened to you, I'll reiterate what jgibney said to your post on the Norton website. Your computer was hit with a small, seemingly innocuous piece of code. That piece of code won't show up in a virus scan because it isn't malicious in and of itself. It then phones home to get the rest of the program and run it.

    Now, someone posted something about this happening to them earlier - they were browsing Simtrop when they got a message like that one.  I'll tell you what I told them - the file is blocked, the threat isn't materializing - don't worry about it.  If people had any idea how often their computers came under these kinds of attacks, they'd never use the internet again.

    Then again, from the sounds of this Norton employee, the file isn't actually on your computer, assuming that they're right about the warning message being worded horribly.

    I would also like to point something else out here.  I know you say that you don't like NoScript, but ask yourself this - which is more important - the security of your computer or having to reload a page a couple of times because the javascripting didn't work at first?  Not running NoScript because you have to enable scripting on a web site by web site basis is about the same as saying you aren't going to run a firewall because the programs all have to be given permission to access the net initially.

    > Originally posted by: Patricius Maximus
    >
    > I have McAfee Total Protection installed on my computer. I also have the default Windows Defender enabled. So, I think I have a good defense against malware.

    Hate to break this to you, but the McAfee internet protection is the worst of the mainstream ones to have. The computer security rating it generates is completely bogus and not that terribly long ago, its program even got flagged by another prominent internet security system as being spyware due to the insane amount of pop-ups it'll run unless you bought all your security through them. They'll actually spam you if you only have one part of the security package and not the whole thing.

    > It is eerie how it's connected to the same sites that were connected to the ST Outage.
    >
    > Disturbing.

    Not really.  Specific kinds of attacks have a tendency to come from specific sites and sites affiliated with it.

    Posted:

    > > Originally posted by: Patricius Maximus
    > >
    > > I have McAfee Total Protection installed on my computer. I also have the default Windows Defender enabled. So, I think I have a good defense against malware.
    >
    > Hate to break this to you, but the McAfee internet protection is the worst of the mainstream ones to have. The computer security rating it generates is completely bogus and not that terribly long ago, its program even got flagged by another prominent internet security system as being spyware due to the insane amount of pop-ups it'll run unless you bought all your security through them. They'll actually spam you if you only have one part of the security package and not the whole thing.

    +1 When McAfee is working it's not doing much, and if something goes wrong with it, it is a PITA to remove.

    I use Spybot, and Avast along with W.D. and Spyware Blaster. I also try other programs that are free just to try them out. Truth be told though, there's no way to prevent attack fully; the best ways are keeping everything updated, visiting and downloading from sites you have "come" to trust, and all of the obvious other advice. It also helps to understand the type of virus/spam protection you have and the settings of them and your pc.


    Always remember that you are unique. Just like everyone else.
