G35Driver Feedback & Suggestions NO Car Questions! For posting Feedback, Suggestions or Questions regarding G35Driver website ONLY.

Trojan

Old Jul 29, 2010 | 07:29 PM
  #31  
fatlip's Avatar
Registered User
iTrader: (1)
Joined: Mar 2010
Posts: 353
Likes: 4
I logged on 5 mins ago and my laptop antivirus picked it up too.
Old Jul 29, 2010 | 07:51 PM
  #32  
Day177017's Avatar
Registered User
iTrader: (8)
Joined: Aug 2005
Posts: 1,057
Likes: 3
From: Socal - SGV
Simply accessing the homepage started my Java. Next thing I knew Trend Micro picked up a bunch of Trojans in my Temp folder with the file names

jar_cacheXXXXXXXX.tmp (sunny\MyFiles.class)
jar_cacheXXXXXXXX.tmp (sunny\MyBuilds.class)

It was named TROJ_JAVA.BD and TROJ_JAVA.BE
Old Jul 29, 2010 | 08:34 PM
  #33  
blnewt's Avatar
Registered User
iTrader: (3)
Joined: Aug 2007
Posts: 1,699
Likes: 137
From: New Mexico
Just had Norton block an attack, but it seems to only occur when I go to the home page. The G35 07+ Sedan subforum: no attacks.
Old Jul 30, 2010 | 12:52 AM
  #34  
5150DS's Avatar
Registered User
iTrader: (1)
Joined: Aug 2005
Posts: 3,984
Likes: 162
From: So Cal
Getting a Trojan attack warning from Avast when accessing the first page. The Avast warning says, "JS: script ip-inf (trj)"
 

Last edited by 5150DS; Jul 30, 2010 at 10:58 AM.
Old Jul 30, 2010 | 09:24 AM
  #35  
darnelled's Avatar
Registered User
iTrader: (2)
Joined: Oct 2004
Posts: 3,439
Likes: 26
I get a pop up on the first page asking if I want to allow a program to open. I click cancel and no virus is on my PC yet (that I can detect). I can't print screen for some reason while there.

It says-

From Horyq.info
Program Microsoft help and Support
Address hcp://services/sender?query=&topic=hcp://system/systeminfo/systemofmain.htm%A%A%A%A%A%A%A%A%A%%A%A%A%A%A%A%A% A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A (goes on with more)
Old Jul 30, 2010 | 11:28 AM
  #36  
Massios's Avatar
Registered User
iTrader: (4)
Joined: Dec 2009
Posts: 436
Likes: 41
From: South Carolina
When on the main page, on Firefox, it asks to install a missing plugin.
That might be an issue; a simple image rotation does not need a plugin.
Old Jul 30, 2010 | 02:30 PM
  #37  
nyqueenz's Avatar
Registered User
iTrader: (10)
Joined: Feb 2007
Posts: 6,572
Likes: 63
From: NYC/MD
McAfee just kicked two, one today and one the other day.. don't know why I'm getting attacked?
Old Jul 30, 2010 | 03:19 PM
  #38  
ThePhoenix's Avatar
Registered User
Joined: Apr 2010
Posts: 1,152
Likes: 1
From: Seattle, WA
Here is a screenshot of what I am getting with the attack; also, with the Chrome element app I highlighted where the attack is originating from (red squares). There is a white line in the upper left, that's where the element is coming from.

Need to fix that home page. If you need anything else let me know.
 
Attached Thumbnails Trojan-attack.jpg  
Old Jul 30, 2010 | 07:53 PM
  #39  
Miller's Avatar
Registered User
Joined: Jun 2010
Posts: 12
Likes: 3
From: NWI
Viruses can be embedded in JPEGs as well as GIFs, or as shown in the above image even a "strand" of pixels. The home page image rotates, doesn't it? It's possible. Your computer automatically downloads the images that you see into a cache in your temp files - I'm not 100% but that could get the embedded virus to your system.
Old Jul 30, 2010 | 09:30 PM
  #40  
jonnylaw's Avatar
Thread Starter
Registered User
iTrader: (5)
Joined: Jun 2005
Posts: 1,498
Likes: 1
From: Meifumado
Originally Posted by Miller
Viruses can be embedded in JPEGs as well as GIFs, or as shown in the above image even a "strand" of pixels. The home page image rotates, doesn't it? It's possible. Your computer automatically downloads the images that you see into a cache in your temp files - I'm not 100% but that could get the embedded virus to your system.
+1

There can also be coding that directs toward a malicious URL that then proceeds to download trojans/malicious software. A virus check on the forums may come up clean, but that does not mean that there is not embedded coding that is directing to malicious URLs. Coding could be in pictures, video, comments, etc. All of this occurring with different persons on different antivirus programs would suggest imho that this is not a false positive--I'm not an expert--just an observer....
Old Jul 30, 2010 | 09:36 PM
  #41  
ThePhoenix's Avatar
Registered User
Joined: Apr 2010
Posts: 1,152
Likes: 1
From: Seattle, WA
There is an element on the front page trying to download a Java/ZIP attack, so that home page has been altered.
Old Jul 31, 2010 | 01:34 PM
  #42  
jonnylaw's Avatar
Thread Starter
Registered User
iTrader: (5)
Joined: Jun 2005
Posts: 1,498
Likes: 1
From: Meifumado
Yep, I see the same thing on the home page. This isn't a false positive imho.
Old Jul 31, 2010 | 08:39 PM
  #43  
RiversideS13's Avatar
Registered User
iTrader: (2)
Joined: Jun 2010
Posts: 229
Likes: 1
From: Riverside, Loma Linda, Hacienda hts
This is quite scary.
Old Jul 31, 2010 | 09:21 PM
  #44  
StratagemII's Avatar
Registered User
Joined: May 2006
Posts: 57
Likes: 3
From: Poughkeepsie NY
Same thing happened yesterday.
Old Aug 1, 2010 | 12:31 AM
  #45  
kvangil's Avatar
Registered User
Joined: Dec 2006
Posts: 1,281
Likes: 1
From: Aurora, IL
I got infected when the g35driver.com front page is loaded. Basically, using Firefox, I get a message that Firefox is unable to install an add-on or plug-in (can't remember exactly). Next thing that happens is that Windows Media Player will open. I close Firefox and close Media Player, and my PC gives me the blue screen of death. I reboot, and now I have a fake antivirus/alert installed on my PC. I used Malwarebytes' Anti-Malware to remove it. I was able to recreate this condition 3 times, all when going to g35driver.com's front page.

Admins, here is the log in case it will help you to narrow down the issue. In the meantime, I'm shortcutting straight to the forums and bypassing the front page..

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4356

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/31/2010 1117 PM
mbam-log-2010-07-31 (23-23-17).txt

Scan type: Quick scan
Objects scanned: 149593
Time elapsed: 5 minute(s), 46 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 0
Registry Values Infected: 5
Registry Data Items Infected: 13
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\wibcic.dll (Trojan.Hiloti) -> Delete on reboot.
C:\WINDOWS\system32\helpers32.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vdiwev (Trojan.Hiloti) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\idln2 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\registrymonitor1 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-soft-package.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-software-package.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\wibcic.dll (Trojan.Hiloti) -> Delete on reboot.
C:\Documents and Settings\Kong\Local Settings\Temp\4E5.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kong\Local Settings\Temp\4E6.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kong\Local Settings\Temp\7785258.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kong\Local Settings\Temporary Internet Files\Content.IE5\3STL3VB0\exe[1].exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Userinitxx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ES15.exe (Rogue.SecurityEsssentials) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\helpers32.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
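A defender's triage of a log in the format kvangil posted, as an added example that is not from the thread or from Malwarebytes: it pulls out the registry entries that explain how the infection survived a reboot (Run keys, the Winlogon Userinit hijack, trusted-zone domains, policy tampering) and ignores plain file drops. The sample log lines, the function names and the category labels are constructed for the example, in the shape of the entries quoted above.

```python
import re

# Constructed sample in the shape of the Malwarebytes' Anti-Malware log quoted above;
# not a real scan of any machine, just the entry formats that matter for triage.
SAMPLE_LOG = r"""Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vdiwev (Trojan.Hiloti) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-soft-package.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\wibcic.dll (Trojan.Hiloti) -> Delete on reboot.
"""

# One entry: "<path> (<detection name>) -> <action, optionally preceded by Bad/Good values>"
ENTRY = re.compile(r"^(?P<path>.+?) \((?P<name>[\w.]+)\) -> (?P<detail>.+)$")
BAD_GOOD = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")

# Registry locations that give the infection persistence or weaken the user's defences,
# matched case-insensitively against the logged path (first matching rule wins).
RULES = [
    ("userinit_hijack", r"\\winlogon\\userinit$"),                 # runs at every logon
    ("run_key", r"\\currentversion\\run\\"),                       # classic autorun
    ("trusted_zone", r"\\zonemap\\domains\\(?P<domain>[^\\]+)"),   # IE trusted-site injection
    ("policy_tamper", r"\\policies\\"),                            # e.g. DisableTaskMgr lockout
]

def classify(path):
    """Map a logged path to (category, domain-or-None); (None, None) for plain files."""
    for category, pattern in RULES:
        m = re.search(pattern, path, re.IGNORECASE)
        if m:
            return category, m.groupdict().get("domain")
    return None, None

def triage(log_text):
    """Return the persistence-relevant entries of an MBAM log as a list of dicts."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # section headers, blank lines, "(No malicious items detected)"
        category, domain = classify(m["path"])
        if category is None:
            continue  # dropped files and unloaded processes are cleanup, not persistence
        bg = BAD_GOOD.search(m["detail"])
        findings.append({"category": category, "path": m["path"], "detection": m["name"],
                         "bad_value": bg["bad"] if bg else None, "domain": domain})
    return findings
```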
All times are GMT -4. The time now is 09:59 AM.