"Antivirus" virus. |
|
Feb 7 2011, 05:15
|
lovehcomics
Group: Members
Posts: 1,354
Joined: 28-August 09

|
Geez, make that Trinity Rescue Kit boot CD right now - heck, everyone add it to their bit torrent queues! A guy had this issue then I rebooted, ran the scan overnight and the next morning his computer was ready to go. No more annoying malware!
QUOTE(Bracken @ Feb 5 2011, 13:43)  They certainly are worthless in Russia, but our ISPs are the ones letting the traffic through.
Yeah, no easy solution. Take them away, people lose money. Keep them, users get irate.
Trust me Bracken, you don't want each packet of data inspected by some censor. ;)
QUOTE(BloodJig @ Feb 5 2011, 22:37)  I would like to add that I too, enjoy this site frequently, but recently I have had to deal with Antivirus.NET infecting my computer. I don't know of any particular area, but I have a few more details.
Firstly, it is a very annoying program and will basically tell you to fuck off if you try to open ANYTHING. However, I discovered that adjusting your startup programs found with Run >msconfig, the virus does not load and will not bother you. With that in mind, I just had the virus pop-up again 5 minutes ago, and I immediately disabled it again.
Well there is another bug that has the same effect. If you can boot to a copy of Ubuntu on CD, you can rename C:\Windows\Prefetch to fix a bug where more and more applications quit working. I think it didn't let me just do that with Windows loaded, sadly. It was a few months ago. Note that Windows 7/Vista may have that under another name?
This post has been edited by lovehcomics: Feb 7 2011, 05:23
|
|
|
|
 |
|
Feb 12 2011, 06:02
|
chiakisan
Group: Gold Star Club
Posts: 1,590
Joined: 12-February 11

|
This virus is still prevalent on the site. It actually bypasses my Norton Antivirus and still downloads onto my system. I'm not exactly sure what ad is doing it, but it's definitely a big problem.
|
|
|
Feb 12 2011, 08:32
|
MisterMonster
Newcomer
 Group: Recruits
Posts: 15
Joined: 23-April 10

|
It's when you click on one of the picture thumbnails to enlarge, I believe.
|
|
|
Feb 12 2011, 12:21
|
Tenboro

|
I already asked for this several times, but I need the EXACT page and the EXACT time you see it. We have several different advertisers, each of which has hundreds or thousands of campaigns running at any given time.
|
|
|
|
 |
|
Feb 13 2011, 22:47
|
lovehcomics
Group: Members
Posts: 1,354
Joined: 28-August 09

|
Also, it wouldn't hurt to archive it into a passworded file such as with .ZIP or .RAR. I would be happy to try to figure out where it's coming from. Sadly, both that and the screenshot request are too complex for many users. If they know their way around a computer that well, then they likely already solved the problem themselves. :/
Pen and paper if they can't figure out how to do screenshots? Usually the text and/or URL is a big clue as to who the jerks are. Most if not all advertisers have an "offer ID" or such in the URL. Knowing the domain (www.xxxxxxxx.com) and those numbers would make Tenboro's job a heck of a lot easier. Heck, even just the text in the ad.
|
|
|
|
 |
|
Feb 13 2011, 22:58
|
Tenboro

|
Simply knowing which page on the site you get it on would help tracking down which ad zone it is. But no speculation please, if you add junk reports it'll be even harder to figure out.
- Does it ever/never appear on the front page?
- Does it ever/never appear on the gallery pages?
- Does it ever/never appear on the image pages?
Which country you're browsing from might be useful, in case it's set to only target certain regions.
If you can capture the "selection source" HTML of the ad zones when it appears, that's even better. (In Firefox, you just right-click the ad banners, then do This Frame -> View Frame Source.)
|
|
|
|
 |
|
Feb 14 2011, 04:53
|
lovehcomics
Group: Members
Posts: 1,354
Joined: 28-August 09

|
QUOTE(Tenboro @ Feb 13 2011, 15:58)  Simply knowing which page on the site you get it on would help tracking down which ad zone it is. But no speculation please, if you add junk reports it'll be even harder to figure out.
- Does it ever/never appear on the front page?
- Does it ever/never appear on the gallery pages?
- Does it ever/never appear on the image pages?
Which country you're browsing from might be useful, in case it's set to only target certain regions.
If you can capture the "selection source" HTML of the ad zones when it appears, that's even better. (In Firefox, you just right-click the ad banners, then do This Frame -> View Frame Source.)
Yeah the code is probably even better than just the URL/text/time. Get straight to the source! ;)
BTW: Looking up the terms "Megakey" and "LSP" on Google pretty much proves that it uses a filter that works on all browsers. "msadm.dll" comes up for the entire first page of results. But I imagine we've all figured that out by now... heh
|
|
|
|
 |
|
Feb 14 2011, 06:02
|
l337xiong
Lurker
Group: Recruits
Posts: 3
Joined: 16-April 07

|
https://e-hentai.org/ that is the link straight to page 1 of the galleries. This is also the link I have saved on my favorites bar. Clicking this link brings me to the galleries page, and then my browser says (along these lines) Firefox needs additional plugins to run this page. 5 seconds later, Firefox crashes and closes. 5 seconds later, AVG comes up with a malware named 4jhsx9j4ke3.exe or something (the name is always random but is always located in the same place: c:\users\name\appdata\local\temp\randomname\randomname.exe). AVG seemingly "gets rid of it" but I immediately run Malwarebytes' Anti-Malware and it gets rid of it for me along with the same name file from another folder and a registration key.
|
|
|
Feb 14 2011, 18:20
|
Tenboro

|
Also important: were you logged on or not when you saw it? (If you're logged on you get two ad zones, otherwise three.)
|
|
|
Feb 14 2011, 23:58
|
Zidane788
Lurker
Group: Recruits
Posts: 4
Joined: 6-October 07

|
I get it, and I am logged in. I don't really want to go to the page to get the URL, cause I am sick of fighting with the virus; I have had to beat it back 4 times now. I can tell you how to get to a page with it. On the gallery front page search "Debu Plus" and click on the image gallery that loads. Once that page opens..."install additional plugins.... CRASH...Antivirus.net."
|
|
|
|
 |
|
Feb 15 2011, 00:15
|
Zidane788
Lurker
Group: Recruits
Posts: 4
Joined: 6-October 07

|
Side note, a quick and dirty way to get rid of the "Antivirus.net." Go to the "control panel", select "all control panel items", then "notification area icons". From here you can see the file name of the little bastard that jacked your computer. Open up "my computer" and search the file name. Once found, drag the program to the desktop. Log off your computer and then as soon as you log back in quickly grab the file and drag it to the recycling bin and empty it. Now it is gone.
|
|
|
|
 |
|
Feb 16 2011, 07:42
|
l337xiong
Lurker
Group: Recruits
Posts: 3
Joined: 16-April 07

|
QUOTE(Tenboro @ Feb 14 2011, 11:20)  Also important: were you logged on or not when you saw it? (If you're logged on you get two ad zones, otherwise three.)
yeh, I was logged in. Just to note, I'm set to always be logged in. Also as for dealing with it: I find that as soon as the antivirus.net program shows up (it came up with different names a few times too, but with the same interface) if u immediately open task manager and close the process, it won't try to close task manager on you. But if you stop the "scan" that it starts, it will continually close all the new processes you try to start until you restart your computer. I know how to fight it now, but I just can't seem to get rid of it for good.
|
|
|
|
 |
|
Feb 16 2011, 17:30
|
Tenboro

|
I've dealt with quite a few infections like it, usually it's not harder than booting Windows into safe mode and removing the startup keys from the registry. Or if you're not comfortable doing that, by using Autoruns (technet.microsoft.com), also from Safe Mode, to examine what gets launched.
Still trying to track this down, but there aren't many reports and they are not consistent. Buuut, everyone who has reported it so far has been from the US, except for one guy who I suspect got it elsewhere, so I've tried disabling the ad zone I suspect the most for all US visitors. Let me know if you still get it or not.
|
|
|
|
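A read-only way to review the startup keys mentioned in the post above, as an added example that is not part of the original thread: it lists the Run/RunOnce values and marks any whose executable sits under a Temp directory, the location reported earlier in this thread. The function names are hypothetical, PowerShell 3.0 or later is assumed, and the key list covers only the common Run locations (Autoruns checks many more).

```powershell
# Added example (not from the thread): list Run/RunOnce autostart values and
# flag those launching from a Temp directory. Nothing is modified or deleted.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-CommandPath([string]$Command) {
    # Extract the executable from a Run value: a quoted path, otherwise the
    # shortest prefix ending in a known extension, otherwise the first token.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^(.+?\.(exe|com|scr|bat|cmd|dll))(\s|,|$)') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Test-TempPath([string]$Path) {
    # True for anything under a ...\Temp\ folder, for example
    # C:\Users\<name>\AppData\Local\Temp\<random>\<random>.exe
    return $Path -match '\\Temp\\'
}

function Get-AutostartEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }   # key absent on this system
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            $exe = Get-CommandPath $command
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Executable = $exe
                InTemp     = Test-TempPath $exe
            }
        }
    }
}

# Entries launching from Temp are listed first for review.
Get-AutostartEntry | Sort-Object InTemp -Descending | Format-Table -AutoSize -Wrap
```

An entry marked InTemp is a candidate for closer inspection, not proof of infection; some installers legitimately place a RunOnce value pointing into Temp.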
 |
|
Feb 17 2011, 23:02
|
strippinheat
Lurker
Group: Recruits
Posts: 3
Joined: 15-September 08

|
I've been getting that Java loading virus lately as well.
I'm in the US, logged in, and it's on the gallery front page g.e-hentai.org every time.
If I see it again, I'll try to grab a screenshot of what ads are loading. I browse with task manager up so when I see Java start loading I quickly end the process. When I do that, IE gives the "blocked from downloading" notice as well.
|
|
|
Feb 18 2011, 07:23
|
Zidane788
Lurker
Group: Recruits
Posts: 4
Joined: 6-October 07

|
|
|
|
Feb 18 2011, 08:25
|
LastLuck
Newcomer
 Group: Members
Posts: 49
Joined: 17-July 09

|
I think I got this too... I was browsing around and there was a java popup thingy. Now there is "AntiVira Av demo" scanning and I never even install this shit.
|
|
|
Feb 18 2011, 13:34
|
Tenboro

|
So it's not that one. I tried switching out another zone, let me know if you still get it now.
|
|
|
|
 |
|
Feb 18 2011, 19:12
|
lovehcomics
Group: Members
Posts: 1,354
Joined: 28-August 09

|
This attachment has the advertisement's java cache ("java cache\38\"), a text file with exact URLs/times and notes, Java console error log, and an archive of the entire page. All the images, .JS files, and so on. Apparently this one only affects you if you still have 20 or earlier left installed? Yes, even if you install the latest version, it keeps the old one for compatibility. Go to Add/Remove Programs and remove the older versions!
The .JAR file is of course the source of the exploit, assuming I got the right advertisement. Top one was blank so... :huh:
I'm in the USA but the time zone should point that out. Oh, and I meant the Mountain timezone. I used to live in CST. ;) It's 10:14AM here so compare to my post time.
This post has been edited by lovehcomics: Feb 18 2011, 19:14
|
|
|
|
 |
|
Feb 18 2011, 20:37
|
Tenboro

|
QUOTE(lovehcomics @ Feb 18 2011, 18:12)  This attachment has the advertisement's java cache ("java cache\38\"), a text file with exact URLs/times and notes, Java console error log, and an archive of the entire page. All the images, .JS files, and so on. Apparently this one only affects you if you still have 20 or earlier left installed? Yes, even if you install the latest version, it keeps the old one for compatibility. Go to Add/Remove Programs and remove the older versions!
Excellent, that's exactly what I needed. This should be sufficient to get to the bottom of this - at least providing there isn't more than one offending ad, and even then it should help to track down any others. Thanks. :)
Edit: I got word from the advertiser that the campaign has been suspended, and that it should stop showing up within thirty minutes or so. I hope that's the end of it, but let me know if you encounter anything else.
QUOTE I have disabled the campaign, as listed in adshow.htm (#1265) I'm impressed with whoever the user is that finally tracked this down; keep their information handy. It appears that this campaign *was* one that was included in your campaigns that I looked at, but given the source I immediately dismissed it since I didn't believe it to be malicious. Appears the client's advertiser is the one at fault. You should see this campaign removed in the next 30 mins.
|
|
|
|
 |
|
Feb 19 2011, 01:01
|
lovehcomics
Group: Members
Posts: 1,354
Joined: 28-August 09

|
You're welcome. What's funny is that I saw this while hunting for it the day before but on another site... and only copied the Java console log. Looking at it was useless since it didn't mention the URL for the class file so we couldn't get at the host site (likely same people). Useless to extreme for us! >:)
Now I'm kind of sad because I have to hunt harder for any others, but happy because I helped stop it for others. LOL
This post has been edited by lovehcomics: Feb 19 2011, 01:02
|
|
|