
THERE IS A TROJAN VIRUS ON THE NEXUS


lololand

I tried refreshing the page for like 20 minutes and the only thing that happened ever was on this ad:

http://img835.imageshack.us/img835/6639/popupr.jpg

The long and thin banner up above, the 728x90 one. Tresseme or whatever has been seen over and over constantly, and other ads never did anything. My antivir never went off the fritz, but I hope this helps. Only from the woman's breast cancer thing did anything happen.

Be well, sleep well, fight well, live long.

~Ranokoa

PS: For 20 minutes I spent my time refreshing over and over, and spent 20 seconds waiting each time for it to load in case it was a late bloomer warning.


I'm poking around with another browser, not logged in and with HostsMan turned off so I actually see ads. Haven't heard a peep from Avast.

However, I did spot a Zwinky ad. Zwinky is known spyware.

Incidentally that IP address in Sugarbean's screenshot is owned by a hosting service in Luxembourg.

Edit: Got something. I noticed K-Meleon waiting on that IP address.

Here's the screengrab.

I reloaded again to get a log in privoxy of what servers I was talking to. This time no horizontal ad appeared.


Sep 23 20:30:55.359 Privoxy(00000abc) Request: tesnexus.com/downloads/today.php
Sep 23 20:30:55.781 Privoxy(00000528) Request: tesnexus.com/includes/css/style.css
Sep 23 20:30:56.093 Privoxy(00000e6c) Request: tesnexus.com/includes/js/script.js
Sep 23 20:30:56.390 Privoxy(00000a4c) Request: ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
Sep 23 20:30:56.531 Privoxy(00000e48) Request: tesnexus.com/includes/js/notifications.js
Sep 23 20:30:56.859 Privoxy(00000774) Request: tesnexus.com/images/global/title.gif
Sep 23 20:30:56.859 Privoxy(00000774) Request: tesnexus.com/images/global/title.gif
Sep 23 20:30:56.859 Privoxy(00000774) Request: tesnexus.com/images/global/title.gif
Sep 23 20:30:56.859 Privoxy(00000774) Request: tesnexus.com/images/global/title.gif
Sep 23 20:30:57.140 Privoxy(00000704) Request: tesnexus.com/includes/top.php
Sep 23 20:30:57.140 Privoxy(00000d24) Request: tesnexus.com/includes/central.php
Sep 23 20:30:57.140 Privoxy(00000e44) Request: www.google-analytics.com/ga.js
Sep 23 20:30:57.187 Privoxy(00000fc0) Request: tesnexus.com/images/misc/affiliatestore.gif
Sep 23 20:30:57.265 Privoxy(00000630) Request: tesnexus.com/images/misc/smallad1.gif
Sep 23 20:30:57.453 Privoxy(00000d98) Request: tesnexus.com/images/misc/twitter.gif
Sep 23 20:30:57.453 Privoxy(00000b00) Request: tesnexus.com/images/misc/smallad2.gif
Sep 23 20:30:57.484 Privoxy(00000df4) Request: central.blacktreegaming.com/www/delivery/ajs.php?zoneid=35&cb=73640054995&charset=UTF-8&loc=http%3A//tesnexus.com/includes/top.php&referer=http%3A//tesnexus.com/downloads/today.php
Sep 23 20:30:57.546 Privoxy(00000ec4) Request: central.blacktreegaming.com/www/delivery/ajs.php?zoneid=18&cb=57673283281&loc=http%3A//tesnexus.com/includes/central.php&referer=http%3A//tesnexus.com/downloads/today.php
Sep 23 20:30:57.765 Privoxy(00000088) Request: tesnexus.com/images/global/rss.jpg
Sep 23 20:30:57.781 Privoxy(00000b64) Request: tesnexus.com/images/icons/user_add.png
Sep 23 20:30:57.812 Privoxy(00000cc0) Request: tesnexus.com/images/icons/small/feed.png
Sep 23 20:30:57.906 Privoxy(000008c0) Request: ads.intergi.com/addyn/3.0/5205/1171680/0/225/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1285291857812
Sep 23 20:30:58.062 Privoxy(000003cc) Request: ads.intergi.com/addyn/3.0/5205/1171675/0/170/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=001;misc=1285291857921
Sep 23 20:30:58.078 Privoxy(00000308) Request: tesnexus.com/images/files/ob.png
Sep 23 20:30:58.093 Privoxy(00000e5c) Request: tesnexus.com/images/icons/small/page_white_text.png
Sep 23 20:30:58.109 Privoxy(00000bf8) Request: tesnexus.com/images/icons/small/photo.png
Sep 23 20:30:58.187 Privoxy(00000260) Request: central.blacktreegaming.com/www/delivery/ajs.php?zoneid=42&cb=43556486959&charset=UTF-8&loc=http%3A//tesnexus.com/includes/top.php&referer=http%3A//tesnexus.com/downloads/today.php
Sep 23 20:30:58.375 Privoxy(00000504) Request: central.blacktreegaming.com/www/delivery/ajs.php?zoneid=41&cb=67202341401&charset=UTF-8&loc=http%3A//tesnexus.com/includes/central.php&referer=http%3A//tesnexus.com/downloads/today.php
Sep 23 20:30:58.390 Privoxy(00000a60) Request: tesnexus.com/images/icons/small/download.gif
Sep 23 20:30:58.421 Privoxy(00000ac4) Request: tesnexus.com/images/icons/small/page_white_magnify.png
Sep 23 20:30:58.500 Privoxy(000007dc) Request: tesnexus.com/images/icons/small/layers.png
Sep 23 20:30:58.687 Privoxy(0000098c) Request: helios.gamerdna.com/addyn/3.0/5223/1398675/0/225/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1285291858515
Sep 23 20:30:58.703 Privoxy(00000d7c) Request: tesnexus.com/images/icons/small/tag_green.png
Sep 23 20:30:58.750 Privoxy(00000de0) Request: helios.gamerdna.com/addyn/3.0/5223/1398676/0/170/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1285291858703
Sep 23 20:30:58.828 Privoxy(00000e28) Request: tesnexus.com/images/icons/small/webcam.png
Sep 23 20:30:58.906 Privoxy(00000d9c) Request: t1.extreme-dm.com/i.gif
Sep 23 20:30:58.906 Privoxy(00000d18) Request: central.blacktreegaming.com/www/delivery/ajs.php?zoneid=55&cb=66552280838&charset=UTF-8&loc=http%3A//tesnexus.com/includes/top.php&referer=http%3A//tesnexus.com/downloads/today.php
Sep 23 20:30:59.000 Privoxy(0000018c) Request: 212.117.168.89/js/
Sep 23 20:30:59.140 Privoxy(00000e40) Request: view.atdmt.com/MSI/view/253197318/direct/01/291862354
Sep 23 20:30:59.218 Privoxy(00000ea4) Request: central.blacktreegaming.com/www/delivery/lg.php?bannerid=79&campaignid=50&zoneid=41&loc=1&referer=http%3A%2F%2Ftesnexus.com%2Fincludes%2Fcentral.php&cb=eef7283494
Sep 23 20:30:59.250 Privoxy(00000bd0) Request: central.blacktreegaming.com/www/delivery/lg.php?bannerid=25&campaignid=27&zoneid=18&loc=1&referer=http%3A%2F%2Ftesnexus.com%2Fincludes%2Fcentral.php&cb=9c929fa922
Sep 23 20:30:59.312 Privoxy(000008f8) Request: media.fastclick.net/w/get.media?sid=56486&m=1&tp=5&d=j&t=n
Sep 23 20:30:59.421 Privoxy(00000df0) Request: 212.117.168.89/js/
Sep 23 20:30:59.593 Privoxy(00000eec) Request: ec.atdmt.com/b/MIMSIDLBYDBY/Static_300X250.gif
Sep 23 20:30:59.609 Privoxy(00000dc4) Request: e2.extreme-dm.com/s11.g?login=tesnex&jv=y&j=y&srw=1600&srb=32&l=http%3A//tesnexus.com/downloads/file.php%3Fid%3D34788
Sep 23 20:30:59.609 Privoxy(00000320) Request: adserverec.adtechus.com/adperf/3.0/5205/1171680/0/225/AdId=629134;BnId=2;ct=1424232589;st=488;ku=0;ccid=1;scid=1048818;iid=0;zcid=1472;subnid=1;camnid=5205;camsubnid=1;bnnr=6463228;ctlen=1848;
Sep 23 20:30:59.781 Privoxy(00000b34) Request: central.blacktreegaming.com/www/delivery/lg.php?bannerid=74&campaignid=49&zoneid=55&loc=1&referer=http%3A%2F%2Ftesnexus.com%2Fincludes%2Ftop.php&cb=9a99fd2a9b
Sep 23 20:30:59.859 Privoxy(000009c0) Request: 212.117.168.89/js/
Sep 23 20:30:59.984 Privoxy(000001d4) Request: central.blacktreegaming.com/www/delivery/lg.php?bannerid=84&campaignid=51&zoneid=42&loc=1&referer=http%3A%2F%2Ftesnexus.com%2Fincludes%2Ftop.php&cb=3cb43c0aad
Sep 23 20:31:00.171 Privoxy(00000ac0) Request: central.blacktreegaming.com/www/delivery/lg.php?bannerid=56&campaignid=27&zoneid=35&loc=1&referer=http%3A%2F%2Ftesnexus.com%2Fincludes%2Ftop.php&cb=e06f428a9c
Sep 23 20:31:00.218 Privoxy(00000bfc) Request: www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=702781495&utmhn=tesnexus.com&utmcs=ISO-8859-1&utmsr=1600x900&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=10.1%20r82&utmdt=The%20Elder%20Scrolls%20Nexus%20-%20Oblivion%20mods%20and%20community&utmhid=1768739898&utmr=0&utmp=%2Fdownloads%2Ftoday.php&utmac=UA-3620483-1&utmcc=__utma%3D80858258.1116318079.1285290685.1285290685.1285290685.1%3B%2B__utmz%3D80858258.1285290685.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B
Sep 23 20:31:00.218 Privoxy(00000c18) Request: tesnexus.com/images/global/topbar.png
Sep 23 20:31:00.375 Privoxy(00000f94) Request: 212.117.168.89/js/
Sep 23 20:31:00.390 Privoxy(00000ff8) Request: tesnexus.com/images/global/tpbg.gif
Sep 23 20:31:00.562 Privoxy(00000de8) Request: tesnexus.com/images/global/menu_bg.gif
Sep 23 20:31:00.593 Privoxy(0000053c) Request: tesnexus.com/images/global/tabl.gif
Sep 23 20:31:00.765 Privoxy(00000204) Request: tesnexus.com/images/global/tabr.gif
Sep 23 20:31:00.796 Privoxy(0000083c) Request: tesnexus.com/images/global/rmenuhead.gif
Sep 23 20:31:00.875 Privoxy(00000c5c) Request: 212.117.168.89/js/
Sep 23 20:31:01.281 Privoxy(0000033c) Request: 212.117.168.89/js/

Hope this helps. :thumbsup:

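The analysis evilneko did by hand above (reload through a logging proxy, then look for hosts the page talks to that have no business being there) can be made repeatable. The following is an added Python example, not code from the thread, from Nexus or from Privoxy: it parses Privoxy "Request:" lines, lists the third-party hosts a page pulled in, flags any host that is a bare IP literal (the 212.117.168.89/js/ requests above are the kind of thing it catches), and pulls the zone, banner and campaign ids plus the embedding page out of the www/delivery/ajs.php and lg.php ad-server URLs, which is exactly what lets a site owner trace a bad creative back to the ad slot that served it. The sample log is eight lines copied from the log posted above; the first-party domain set and all function names are my own assumptions.

```python
"""Triage a Privoxy request log: which third-party hosts a page pulled in,
which of them are bare IP literals, and which ad-server slots were involved."""
import re
from collections import Counter
from ipaddress import ip_address
from urllib.parse import parse_qs, urlparse

# Constructed sample: eight lines copied from the Privoxy log posted in the thread.
PRIVOXY_LOG = """\
Sep 23 20:30:55.359 Privoxy(00000abc) Request: tesnexus.com/downloads/today.php
Sep 23 20:30:57.484 Privoxy(00000df4) Request: central.blacktreegaming.com/www/delivery/ajs.php?zoneid=35&cb=73640054995&charset=UTF-8&loc=http%3A//tesnexus.com/includes/top.php&referer=http%3A//tesnexus.com/downloads/today.php
Sep 23 20:30:57.906 Privoxy(000008c0) Request: ads.intergi.com/addyn/3.0/5205/1171680/0/225/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1285291857812
Sep 23 20:30:58.906 Privoxy(00000d9c) Request: t1.extreme-dm.com/i.gif
Sep 23 20:30:59.000 Privoxy(0000018c) Request: 212.117.168.89/js/
Sep 23 20:30:59.218 Privoxy(00000ea4) Request: central.blacktreegaming.com/www/delivery/lg.php?bannerid=79&campaignid=50&zoneid=41&loc=1&referer=http%3A%2F%2Ftesnexus.com%2Fincludes%2Fcentral.php&cb=eef7283494
Sep 23 20:30:59.421 Privoxy(00000df0) Request: 212.117.168.89/js/
Sep 23 20:31:01.281 Privoxy(0000033c) Request: 212.117.168.89/js/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"Privoxy\((?P<tid>[0-9a-f]+)\) Request: (?P<url>\S+)$"
)


def parse_privoxy(text):
    """Turn 'Request:' lines into dicts; anything else in the log is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        url = m.group("url")
        host, _, path = url.partition("/")   # Privoxy logs host/path with no scheme
        entries.append({"ts": m.group("ts"), "tid": m.group("tid"),
                        "host": host.lower(), "path": "/" + path, "url": url})
    return entries


def is_bare_ip(host):
    """True when the host part is an IP literal rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def requests_by_host(entries):
    return Counter(e["host"] for e in entries)


def third_party_hosts(entries, first_party):
    """Hosts outside the site's own domains (subdomains count as first party)."""
    def own(host):
        return any(host == d or host.endswith("." + d) for d in first_party)
    return sorted({e["host"] for e in entries if not own(e["host"])})


def bare_ip_hosts(entries):
    """Hosts contacted by raw IP; legitimate CDNs and ad networks use DNS names."""
    return sorted({e["host"] for e in entries if is_bare_ip(e["host"])})


def ad_placements(entries):
    """Extract zone/banner/campaign ids and the embedding page from OpenX-style
    ajs.php (ad fetch) and lg.php (impression log) URLs, so a bad creative can be
    traced back to the slot that served it."""
    placements = []
    for e in entries:
        parsed = urlparse("http://" + e["url"])
        name = parsed.path.rsplit("/", 1)[-1]
        if name not in ("ajs.php", "lg.php"):
            continue
        q = parse_qs(parsed.query)
        # 'loc' is the embedding page in ajs.php but a flag ('loc=1') in lg.php,
        # so accept only URL-shaped values and fall back to 'referer'.
        pages = [v for k in ("loc", "referer") for v in q.get(k, []) if v.startswith("http")]
        placements.append({
            "ts": e["ts"], "host": e["host"], "kind": name[:-4],
            "zoneid": q.get("zoneid", [None])[0],
            "bannerid": q.get("bannerid", [None])[0],
            "campaignid": q.get("campaignid", [None])[0],
            "page": pages[0] if pages else None,
        })
    return placements


def report(text, first_party):
    """Human-readable summary, the sort of thing worth pasting into a thread like this."""
    entries = parse_privoxy(text)
    counts = requests_by_host(entries)
    lines = ["Third-party hosts (request count):"]
    for host in third_party_hosts(entries, first_party):
        flag = "  <-- bare IP, check this one" if is_bare_ip(host) else ""
        lines.append(f"  {host} ({counts[host]}){flag}")
    lines.append("Ad-server placements:")
    for p in ad_placements(entries):
        lines.append(f"  {p['ts']} {p['kind']} zone={p['zoneid']} banner={p['bannerid']} "
                     f"campaign={p['campaignid']} page={p['page']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(PRIVOXY_LOG, {"tesnexus.com"}))
```

Run it against a full Privoxy log with the site's own domain(s) in the first-party set; the bare-IP flag and the zone ids from lg.php are the two facts the ad rotation owner needs to pull a slot.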

I just received a malicious file when I opened Nexus. It was an Olmarik (trojan horse) or something like that. The only screenshot I have contains French text, so I don't see the necessity to show it (most people on Nexus don't understand French). But this seems pretty strange....

Your log helped tremendously, evilneko. I was able to work out that it's the 728x90 banners and the exact advertising agency who have been compromised. I've taken this agency out of my rotation (hopefully!) and will email them when I wake up "tomorrow" (it's 3am here now).

If people can confirm for me that they are no longer receiving this threat as of now onwards that would be great.

Thanks neko.

For further information on this, here's an export of the kind of activity I've been seeing while accessing tesnexus tonight:

(By the way, the 3 IPs listed all have an Eastern European home.)

I downloaded a detection and removal tool for the "HTTPS Tidserv Request 2" trojan and ran it. It detected the trojan installed into two of my system files.

Please note the time: as of 10:40PM EST it was still active.


Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,Risk Name,Attacker URL,Category,Attacking Computer,Destination Address,Source Address,Traffic Description
9/23/2010 10:40 PM,High,An intrusion attempt was blocked.,Blocked,No Action Required,MSIE Microsoft Windows Help Center Remote Code Exec,http://www.tesnexus.com/,,,,,
9/23/2010 10:40 PM,High,An intrusion attempt was blocked.,Blocked,No Action Required,MSIE Java Deployment Toolkit Input Invalidation,http://www.tesnexus.com/,,,,,
9/23/2010 9:36 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,,,Intrusion Prevention,,,,
9/23/2010 9:36 PM,Info,Intrusion Prevention Engine version: 4.6.0.26 Definitions Set version: 20100923.001,Detected,No Action Required,,,Intrusion Prevention,,,,
9/23/2010 9:36 PM,Info,Intrusion Prevention is monitoring 1341 signatures. Driver version: 9.2.0.98,Detected,No Action Required,,,Intrusion Prevention,,,,
9/23/2010 9:31 PM,High,An intrusion attempt by 91.212.226.5 was blocked.,Blocked,No Action Required,HTTPS Tidserv Request 2,,,"91.212.226.5, 443","<My computer and IP> port, 1209)",91.212.226.5,"TCP, https"
9/23/2010 9:30 PM,High,An intrusion attempt by 212.117.177.13 was blocked.,Blocked,No Action Required,HTTP Tidserv Request,"clikcpixelabn.com/LVD4w9sP7E3Yp9c9dmVyPTMuOTYmYmlkPW5vbmFtZSZhaWQ9NDA4MDAmc2lkPTAmcmQ9MTI4NTI5MDIzMSZlbmc9d3d3Lmdvb2dsZS5jb20mcT1zcHlib3QlMjBzZWFyY2glMjBhbmQlMjBkZXN0cm95JTIwZG93bmxvYWQ=06k",,"212.117.177.13, 80","<My computer and IP> port, 1122)",212.117.177.13,"TCP, www-http"
9/23/2010 9:19 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,,,Intrusion Prevention,,,,
9/23/2010 9:19 PM,Info,Intrusion Prevention Engine version: 4.6.0.26 Definitions Set version: 20100923.001,Detected,No Action Required,,,Intrusion Prevention,,,,
9/23/2010 9:19 PM,Info,Intrusion Prevention is monitoring 1341 signatures. Driver version: 9.2.0.98,Detected,No Action Required,,,Intrusion Prevention,,,,
9/23/2010 9:03 PM,High,An intrusion attempt was blocked.,Blocked,No Action Required,MSIE Microsoft Windows Help Center Remote Code Exec,http://www.tesnexus.com/,,,,,
9/23/2010 9:03 PM,High,An intrusion attempt was blocked.,Blocked,No Action Required,MSIE Java Deployment Toolkit Input Invalidation,http://www.tesnexus.com/,,,,,
9/23/2010 7:56 PM,Info,Intrusion Prevention is monitoring 1341 signatures. Driver version: 9.2.0.98,Detected,No Action Required,,,Intrusion Prevention,,,,
9/23/2010 7:56 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,,,Intrusion Prevention,,,,
9/23/2010 7:56 PM,Info,Intrusion Prevention Engine version: 4.6.0.26 Definitions Set version: 20100923.001,Detected,No Action Required,,,Intrusion Prevention,,,,
9/23/2010 7:44 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,,,Intrusion Prevention,,,,
9/23/2010 7:44 PM,Info,Intrusion Prevention Engine version: 4.6.0.26 Definitions Set version: 20100922.001,Detected,No Action Required,,,Intrusion Prevention,,,,
9/23/2010 7:44 PM,Info,Intrusion Prevention is monitoring 1339 signatures. Driver version: 9.2.0.98,Detected,No Action Required,,,Intrusion Prevention,,,,
9/23/2010 7:35 PM,High,An intrusion attempt by 194.28.112.6 was blocked.,Blocked,No Action Required,HTTPS Tidserv Request 2,,,"194.28.112.6, 443","<My computer and IP> port, 2705)",194.28.112.6,"TCP, https"
9/23/2010 7:25 PM,High,An intrusion attempt by 91.212.226.5 was blocked.,Blocked,No Action Required,HTTPS Tidserv Request 2,,,"91.212.226.5, 443","<My computer and IP> port, 2347)",91.212.226.5,"TCP, https"
9/23/2010 7:15 PM,High,An intrusion attempt by 194.28.112.6 was blocked.,Blocked,No Action Required,HTTPS Tidserv Request 2,,,"194.28.112.6, 443","<My computer and IP> port, 2341)",194.28.112.6,"TCP, https"
9/23/2010 7:05 PM,High,An intrusion attempt by 91.212.226.5 was blocked.,Blocked,No Action Required,HTTPS Tidserv Request 2,,,"91.212.226.5, 443","<My computer and IP> port, 1608)",91.212.226.5,"TCP, https"
9/23/2010 6:54 PM,High,An intrusion attempt by 212.117.177.13 was blocked.,Blocked,No Action Required,HTTP Tidserv Request,"clikcpixelabn.com/tZf4AZ0x605JcRc1dmVyPTMuOTYmYmlkPW5vbmFtZSZhaWQ9NDA4MDAmc2lkPTAmcmQ9MTI4NTI4MDkwMyZlbmc9d3d3Lmdvb2dsZS5jb20mcT1zcHlib3Qrc2VhcmNoK2FuZCtkZXN0cm95K2Rvd25sb2Fk07g",,"212.117.177.13, 80","<My computer and IP> port, 1044)",212.117.177.13,"TCP, www-http"
9/23/2010 6:52 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,,,Intrusion Prevention,,,,
9/23/2010 6:52 PM,Info,Intrusion Prevention Engine version: 4.6.0.26 Definitions Set version: 20100922.001,Detected,No Action Required,,,Intrusion Prevention,,,,
9/23/2010 6:52 PM,Info,Intrusion Prevention is monitoring 1339 signatures. Driver version: 9.2.0.98,Detected,No Action Required,,,Intrusion Prevention,,,,
9/23/2010 6:41 PM,High,An intrusion attempt by 91.212.226.5 was blocked.,Blocked,No Action Required,HTTPS Tidserv Request 2,,,"91.212.226.5, 443","<My computer and IP> port, 3175)",91.212.226.5,"TCP, https"
9/23/2010 6:27 PM,High,An intrusion attempt was blocked.,Blocked,No Action Required,MSIE Java Deployment Toolkit Input Invalidation,http://www.tesnexus.com/downloads/file.php?id=20780,,,,,
9/23/2010 6:27 PM,High,An intrusion attempt was blocked.,Blocked,No Action Required,MSIE Microsoft Windows Help Center Remote Code Exec,http://www.tesnexus.com/downloads/file.php?id=20780,,,,,
9/23/2010 4:48 PM,High,An intrusion attempt by 69.50.221.196 was blocked.,Blocked,No Action Required,HTTP Eleonore Executable Download,www.hthexhe.co.cc/x44/load.php?spl=newp_&,,"69.50.221.196, 80","<My computer and IP> port3, 3840)",69.50.221.196,"TCP, www-http"
9/23/2010 4:48 PM,Info,Intrusion Prevention Signature Auto Block has blocked IP: 69.50.221.196 for a period of: 30 minutes,Detected,No Action Required,,,Intrusion Prevention,,,,
9/23/2010 4:48 PM,High,An intrusion attempt by 69.50.221.196 was blocked.,Blocked,No Action Required,HTTP Acrobat Suspicious Executable File Download,www.hthexhe.co.cc/x44/load.php?spl=newp_&,,"69.50.221.196, 80","<My computer and IP> port, 3840)",69.50.221.196,"TCP, www-http"
9/23/2010 4:48 PM,High,An intrusion attempt by 69.50.221.196 was blocked.,Blocked,No Action Required,HTTP Eleonore Executable Download,www.hthexhe.co.cc/x44/load.php?spl=java_gsb&h=,,"69.50.221.196, 80","<My computer and IP> port, 3836)",69.50.221.196,"TCP, www-http"
9/23/2010 4:48 PM,High,An intrusion attempt was blocked.,Blocked,No Action Required,MSIE Java Deployment Toolkit Input Invalidation,http://www.tesnexus.com/downloads/file.php?id=13962,,,,,
9/23/2010 4:48 PM,High,An intrusion attempt was blocked.,Blocked,No Action Required,MSIE Java Deployment Toolkit Input Invalidation,http://www.tesnexus.com/downloads/file.php?id=13962,,,,,
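An export like the one above is easier to act on once it is reduced to a few facts: which signatures fired, which remote addresses were involved and when, and which hosts the "Attacker URL" column names. The following is an added Python example, not code from the thread or from Norton: it reads the Intrusion Prevention CSV export (the quoted fields that contain commas, such as "91.212.226.5, 443", are why a real CSV parser is used rather than split on commas), keeps the High-risk rows, and summarises them. The sample is the header plus six rows copied from the export above; the function names and the date format string are my own assumptions.

```python
"""Triage a Norton Intrusion Prevention CSV export: count blocked signatures,
list the remote addresses involved with first/last seen times, and pull the
host names out of the 'Attacker URL' column."""
import csv
import io
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample: the header plus six rows copied from the export posted in the thread.
IPS_EXPORT = """\
Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,Risk Name,Attacker URL,Category,Attacking Computer,Destination Address,Source Address,Traffic Description
9/23/2010 10:40 PM,High,An intrusion attempt was blocked.,Blocked,No Action Required,MSIE Microsoft Windows Help Center Remote Code Exec,http://www.tesnexus.com/,,,,,
9/23/2010 9:36 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,,,Intrusion Prevention,,,,
9/23/2010 9:31 PM,High,An intrusion attempt by 91.212.226.5 was blocked.,Blocked,No Action Required,HTTPS Tidserv Request 2,,,"91.212.226.5, 443","<My computer and IP> port, 1209)",91.212.226.5,"TCP, https"
9/23/2010 7:35 PM,High,An intrusion attempt by 194.28.112.6 was blocked.,Blocked,No Action Required,HTTPS Tidserv Request 2,,,"194.28.112.6, 443","<My computer and IP> port, 2705)",194.28.112.6,"TCP, https"
9/23/2010 7:05 PM,High,An intrusion attempt by 91.212.226.5 was blocked.,Blocked,No Action Required,HTTPS Tidserv Request 2,,,"91.212.226.5, 443","<My computer and IP> port, 1608)",91.212.226.5,"TCP, https"
9/23/2010 4:48 PM,High,An intrusion attempt by 69.50.221.196 was blocked.,Blocked,No Action Required,HTTP Eleonore Executable Download,www.hthexhe.co.cc/x44/load.php?spl=newp_&,,"69.50.221.196, 80","<My computer and IP> port3, 3840)",69.50.221.196,"TCP, www-http"
"""

TIME_FMT = "%m/%d/%Y %I:%M %p"   # assumed to match the export's 'Date & Time' column


def parse_ips_export(text):
    """Skip the 'Category:' preamble, then read the CSV with a real parser so
    quoted fields containing commas survive; each row gets a parsed 'when'."""
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("Date & Time,"))
    rows = list(csv.DictReader(io.StringIO("\n".join(lines[start:]))))
    for r in rows:
        r["when"] = datetime.strptime(r["Date & Time"], TIME_FMT)
    return rows


def high_risk(rows):
    return [r for r in rows if r["Risk"] == "High"]


def signature_counts(rows):
    """How often each IPS signature fired at High risk."""
    return Counter(r["Risk Name"] for r in high_risk(rows))


def source_activity(rows):
    """Per remote address: hit count and first/last time seen (as strings)."""
    seen = {}
    for r in high_risk(rows):
        ip = r["Source Address"].strip()
        if not ip:
            continue   # browser-side (MSIE ...) signatures carry no remote address
        rec = seen.setdefault(ip, {"count": 0, "first": r["when"], "last": r["when"]})
        rec["count"] += 1
        rec["first"] = min(rec["first"], r["when"])
        rec["last"] = max(rec["last"], r["when"])
    return {ip: {"count": v["count"],
                 "first_seen": v["first"].strftime("%Y-%m-%d %H:%M"),
                 "last_seen": v["last"].strftime("%Y-%m-%d %H:%M")}
            for ip, v in seen.items()}


def attacker_url_hosts(rows):
    """Host names from 'Attacker URL'. For the MSIE signatures this column holds
    the page being viewed when the exploit was attempted (here the site itself),
    so the list mixes the compromised page with the exploit-kit host; review it
    before turning it into a blocklist."""
    hosts = set()
    for r in high_risk(rows):
        url = r["Attacker URL"].strip()
        if not url:
            continue
        if "://" not in url:
            url = "http://" + url   # export omits the scheme for some entries
        hosts.add(urlsplit(url).hostname)
    return sorted(hosts)


def report(text):
    rows = parse_ips_export(text)
    out = ["Signatures (High):"]
    out += [f"  {n}: {c}" for n, c in signature_counts(rows).most_common()]
    out.append("Remote addresses:")
    for ip, a in sorted(source_activity(rows).items()):
        out.append(f"  {ip}: {a['count']} hit(s), {a['first_seen']} .. {a['last_seen']}")
    out.append("Hosts in Attacker URL: " + ", ".join(attacker_url_hosts(rows)))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(IPS_EXPORT))
```

The first/last seen times per address are what tell you whether the Tidserv traffic is still recurring after the ad slot was pulled, which is the confirmation the admin asked for above.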
