# Forum acting strange, or it's me.



## Deanofid (Oct 7, 2010)

Today, when I first opened the forum home page, AVG popped up immediately with a warning, then
popped up again with a notice of "Threat avoided". Since then, every page of the forum that I click
on loads and goes to the bottom of the page. I can scroll up to the subject I want just fine, but the 
next thing I click on goes to the bottom of _that_ page, and so on. Even when starting this subject, it
loaded the bottom of the page, and I had to scroll up to the dialog box.

Something is fishy. This started about 1:45pm PST. This doesn't happen with any of the other 
websites I usually visit.
Anyone know what is going on?

Forgot to mention, I'm on Firefox. It does the same thing on Google Chrome, but not on IE.

Dean


----------



## arnoldb (Oct 7, 2010)

I get the same result as Dean, with Firefox on Linux.
I don't have any anti-virus software running on my home Linux box, but same symptoms... - threads jump to the bottom, and I had to scroll up to type this reply.

I don't get the same problem on other sites....

Did any of the sysadmins upgrade software? (I don't *yet* believe in viruses on Linux.)

Regards, Arnold


----------



## max corrigan (Oct 7, 2010)

I also have the same problem with Win7 and Firefox: click on a posting and it goes straight to the bottom of the page. Even clicking reply to your posting went to the bottom of the page, so Dean, you're not alone.
Max..........


----------



## cidrontmg (Oct 7, 2010)

I confirm the same behaviour, using Chrome in WinXP. Other sites behave as usual.


----------



## kcmillin (Oct 7, 2010)

Me too, quite annoying.

Kel


----------



## mklotz (Oct 7, 2010)

Same here. Firefox 3.6.10 running on XP Professional


----------



## student123 (Oct 7, 2010)

Ditto.


----------



## Twmaster (Oct 7, 2010)

Wheeeeee! Hack-A-rama....

I'll also report that I am seeing the same rush to the bottom of the page.

Camino on Mac.


----------



## Deanofid (Oct 7, 2010)

Well, I hate that this has happened, but I'm glad it's not just my machine.

Just before it jumps to the bottom on the page, I get a similar thing to Student345. Down just above the
task bar, where addresses show up for a split second before the page loads, one of the things is 
"Lokern.cz.co". I can't catch all of it, as it flashes on and off too quickly.

Dean


----------



## GOOFY063 (Oct 7, 2010)

The same for me with Firefox, and I just updated to BitDefender 2011, but it's not showing anything going on. Oops, my bad, still scanning and shows 1 threat so far, no, 2; still has 28 mins left.


----------



## deere_x475guy (Oct 7, 2010)

Got the same Avast warning here. But no problems with jumping to the bottom of the screen. I am on Windows7 64bit and IE8.


----------



## gjn (Oct 7, 2010)

Deanofid said:

> Down just above the
> task bar, where addresses show up for a split second before the page loads, one of the things is
> "Lokern.cz.co". I can't catch all of it, as it flashes on and off too quickly.
> 
> Dean



A Wireshark trace shows that to be an HTTP Temporary Redirect call to http://lokern.cz.cc/tf/anrvr.php. Connecting to the actual domain in a browser returns an "account suspended" page; the full URL refers back to Google. It's unclear why this URL should be needed.

I'm getting the behaviour on FF on XP but not on IE6 on XP.
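
A defender's check for the symptom gjn describes, as an added example that is not part of the original thread: it scans captured HTTP response heads for redirects whose `Location` leaves the site's own domain. The hosts, the sample capture and the function names are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample: (request URL, raw response head) pairs as they might be
# copied out of a packet capture. Hosts are placeholders, not from the thread.
CAPTURE = [
    ("http://forum.example/index.php",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    ("http://forum.example/login.php",
     "HTTP/1.1 302 Found\r\nLocation: /index.php\r\n\r\n"),
    ("http://forum.example/js/menu.js",
     "HTTP/1.1 307 Temporary Redirect\r\n"
     "location: http://offsite.example/x/y.php\r\n\r\n"),
    ("http://forum.example/out.php",
     "HTTP/1.1 302 Found\r\nLocation: //cdn.forum.example/a.png\r\n\r\n"),
]

def parse_head(raw):
    """Return (status_code, headers) with header names lower-cased."""
    lines = raw.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def same_site(host, site):
    """True for the site itself or any of its subdomains."""
    return host == site or host.endswith("." + site)

def offsite_redirects(capture, site):
    """List (url, status, target) for redirects that leave `site`."""
    findings = []
    for url, raw in capture:
        status, headers = parse_head(raw)
        if status not in REDIRECT_CODES or "location" not in headers:
            continue
        # Resolve relative and scheme-relative Location values first.
        target = urljoin(url, headers["location"])
        host = (urlsplit(target).hostname or "").lower()
        if not same_site(host, site):
            findings.append((url, status, target))
    return findings
```

Run against a capture of the site's own pages, any finding is a resource that the server is sending visitors elsewhere for and is the place to start looking for the injected content.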


----------



## ksouers (Oct 7, 2010)

As you've all surmised already, we've been hacked (again).

I found some of it this morning and removed it, but the site was acting fine. Now I just got home to find this behaviour. I'm working on it.

Dean, thanks for catching that file name. That will help find the little so-and-so.


----------



## deere_x475guy (Oct 7, 2010)

Kevin, just wanted to say thanks!!!...without guys like you and the rest putting in the extra effort we wouldn't have this fine forum..!!!


----------



## zeeprogrammer (Oct 7, 2010)

No issues this morning. But now it jumps to the bottom.
When I first logged on I got an Avast - Trojan Horse warning.
Vista, PC

Thanks Kevin.


----------



## Twmaster (Oct 7, 2010)

Did the cracker get in via a hole in the OS, database or forum software?


----------



## Twmaster (Oct 7, 2010)

Also, any of you running Windows should update your anti-virus software and run a thorough scan against your computer.

Especially if you did not see any warnings from your anti-virus software. (You ARE running A-V software right??)


----------



## Cedge (Oct 8, 2010)

Running AV and Spyware scans but nothing popping up here. Behind physical and software firewalls and nothing jingled.... so far. Firewall log does show one attempted access at 7:00 pm which was about when I went active on the site, but it does not appear to be our boy's work. Not all that uncommon here since I got notified of blocked probing actions fairly regularly.

Steve


----------



## Twmaster (Oct 8, 2010)

Steve, not everyone has good protection like you. Considering the poor security track record of some software vendors it's a simple thing to be proactive and run scans.


----------



## Blogwitch (Oct 8, 2010)

My AVG picked it up yesterday evening. 

Mine is doing the same as everyone else's, jumping to the bottom of the page.

Is anyone working on it, as it seems just like complaints at this time?


Bogs


----------



## Deanofid (Oct 8, 2010)

Kevin was on it earlier, John. I would imagine he's had to hit the sack by now.

Dean


----------



## Blogwitch (Oct 8, 2010)

I keep forgetting about the time differences Dean.


John


----------



## Deanofid (Oct 8, 2010)

Checking my other computer before going to bed, just to see if I could get the warning
to come up again and tell more stuff. 
AVG blocked it instantly, but left a small window up that said this:

Lokern.cz.cc/tf/anrvr.php
Exploit JavaScript Obfuscation (type 1410)
Process name: C:\Program Files\Mozilla Firefox\forefox.exe
Process ID: 440

That's all that was on the window, and AVG said it was blocked completely.
Don't know if this helps, but there it is.

Dean


----------



## Lakc (Oct 8, 2010)

Twmaster said:

> Especially if you did not see any warnings from your anti-virus software. (You ARE running A-V software right??)



Some of us still get by without any AV software.

You're looking for a file in your user/localsettings/temp/ in a directory labeled "plugin(something)"

The affected file is plugin-kqay.pdf and it's listed as trojan_pidief.smzb

It's relatively new, so there isn't too much out there on it so far.


----------



## ozzie46 (Oct 8, 2010)

Lakc said:

> Some of us still get by without any av software.



Just my 2 cents but that seems like going to Antarctica in the middle of winter with nothing but knee pants on.

Admittedly I'm no computer guy but I don't see how you can be sure you don't get a virus without A-V software. Your computer can be turned into a zombie without your knowledge, spewing out spam and other horrible stuff, without security software.

A well known Techie here in the States, Kim Komando (she has a national radio show on techie stuff), says that some viruses are so sophisticated the only way to get rid of them is to reformat the hard drive.

Anyway, that's my take on it. I've been known to be wrong a time or two before.



  Ron


----------



## kustomkb (Oct 8, 2010)

Seems okay now,

Thanks Kevin and everyone else for keeping 'er ship shape.


----------



## deere_x475guy (Oct 8, 2010)

Yep, same here and I am at work.


----------



## Deanofid (Oct 8, 2010)

Thanks Kevin and any other folks who worked on this problem. Your time and help here is invaluable! 
All is ship shape, once again.


----------



## radfordc (Oct 8, 2010)

ozzie46 said:

> Just my 2 cents but that seems like going to Antarctica in the middle of winter with nothing but knee pants on.



More like going to a bordello without "protection".


----------



## lazyman (Oct 8, 2010)

Hi
Just to throw mine in the ring as well, I thought it was because I'd visited "icanhazcheesburger" as well as "hmem". It happened on my desktop and my laptop; 2nd was today at work.
Anywho, I've done a screen cap of the message that Norton has in recent history.

LM


----------



## ozzie46 (Oct 8, 2010)

Yes, Thanks so much for your hard work and dedication. :bow: :bow:

 Pardon my bad manners. Give me a *club* *club* *club*. I should have thanked the folks for their hard work in my previous post. 

 Ron


----------



## ChooChooMike (Oct 8, 2010)

> You're looking for a file in your user/localsettings/temp/ in a directory labeled "plugin(something)"
> 
> The affected file is plugin-kqay.pdf and it's listed as trojan_pidief.smzb
> 
> It's relatively new, so there isn't too much out there on it so far.



Found that on my work puter. Dunno how it got there. Inadvertently visited (via a Google link) a site yesterday that immediately popped up a box that said something about your puter needs scanning, OK ? NOOOOOOO, hung the browser trying to close the dialog, but possibly not quick enough. Deleted that file and no harm appears to be done (yet). Symantec Corporate Antivirus is doing a scan now.

Reminds me to update my A/V at home, got the CD, but have to de-install ZoneAlarm 1st as it conflicts with that, then load Norton A/V upgrade, then re-install ZoneAlarm. Sheeeeesh, better get to it !

Mike


----------



## ksouers (Oct 8, 2010)

Well, he seems to have grown tired of playing with me. There has been no activity from him for about an hour or so. It was fun watching him squirm around trying to get around me. Automation is a wonderful thing.

Let's just hope he stays gone. Now I gotta find the hole he crawled in from...


----------



## max corrigan (Oct 8, 2010)

Well, all seems OK at the moment, did not fly to the bottom of the page, so thanks to you guys that sorted this out. It seems strange (to me at least) that there are these little minded morons that sit in front of a computer racking their tiny brains out to come up with this sort of c...p to mess up someone else's life because their own life must be so pathetic..... unbelievable!

regards and thanks again Max......


----------

