Topic: Antispyware Soft installed by e621

Posted under General

So I've been an attacker of some of these people that post the virus warnings, but speaking as someone who's dealing with it right now, I can tell you they're real.

Updated by Anonym

You could keep it all in one thread

Updated by anonymous

Jazz said:
You could keep it all in one thread

Figured I'd start one cleanly.

Updated by anonymous

Okay, kicked its ass. What one needs to do is to delete several registry entries, then delete the program itself.

-Registry Entries-
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\AvScan

And delete the .exe file "[random]tssd.exe" where random is a randomly created string.

Updated by anonymous
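The registry indicators listed in the post above can be checked without touching the live registry: export the user hive with `reg export HKCU hkcu.reg` on the affected machine and audit the file offline. The script below is an added example written for this thread, not the poster's procedure and not from any removal guide; it only reports, never deletes. The `.reg` text embedded in it is constructed for the demonstration (the Run value name `qwertyuiop` is a placeholder; the `lyhmbakrv\rexpfnmtssd.exe` path is the one reported later in this thread).

```python
"""Offline audit of a Windows registry export for the Antispyware Soft
indicators listed in this thread. Added example, not the poster's procedure.
Produce the input with:  reg export HKCU hkcu.reg   (reg.exe writes UTF-16,
so read the file with encoding="utf-16"). Nothing here modifies the registry."""
import re
from typing import Callable, Dict, List, Tuple

# (key path, value name, predicate that marks the value as suspicious)
INDICATORS: List[Tuple[str, str, Callable[[str], bool]]] = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings",
     "ProxyServer", lambda v: "127.0.0.1" in v),          # browser forced through a local proxy
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments",
     "SaveZoneInformation", lambda v: v == "1"),           # zone (mark-of-the-web) info not saved
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations",
     "LowRiskFileTypes", lambda v: ".exe" in v.lower()),   # .exe downgraded to a low-risk type
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download",
     "RunInvalidSignatures", lambda v: v == "1"),          # unsigned downloads allowed to run
]
PRESENCE_KEYS = [r"HKEY_CURRENT_USER\Software\AvScan"]     # the key existing at all is the indicator
RUN_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]
TSSD_EXE = re.compile(r"[a-z]+tssd\.exe", re.IGNORECASE)   # "[random]tssd.exe" from the post

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of the .reg format needed here: [key] headers followed by
    "name"="string" or "name"=dword:xxxxxxxx lines. Every value is returned as a str."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue                      # @= defaults, hex: blobs etc. are not needed here
        name, rhs = m.group(1), m.group(2)
        if rhs.startswith("dword:"):
            value = str(int(rhs[len("dword:"):], 16))
        elif len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
            value = rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")  # undo .reg escaping
        else:
            value = rhs
        keys[current][name] = value
    return keys


def _lookup(keys: Dict[str, Dict[str, str]], path: str) -> Dict[str, str]:
    """Registry paths are case-insensitive; match accordingly."""
    for k, values in keys.items():
        if k.lower() == path.lower():
            return values
    return {}


def audit(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, value) triples for every indicator that is present."""
    findings: List[Tuple[str, str, str]] = []
    for key, name, is_suspicious in INDICATORS:
        value = _lookup(keys, key).get(name)
        if value is not None and is_suspicious(value):
            findings.append((key, name, value))
    for key in PRESENCE_KEYS:
        if any(k.lower() == key.lower() for k in keys):
            findings.append((key, "", "<key present>"))
    for key in RUN_KEYS:
        for name, value in _lookup(keys, key).items():
            if TSSD_EXE.search(value):
                findings.append((key, name, value))
    return findings


# Constructed sample export in the shape reg.exe produces (not a real machine's hive).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"qwertyuiop"="C:\\Users\\user\\AppData\\Local\\lyhmbakrv\\rexpfnmtssd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:5555"
"ProxyOverride"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"=dword:00000001

[HKEY_CURRENT_USER\Software\AvScan]
'''

if __name__ == "__main__":
    for key, name, value in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{key}  {name!r} = {value!r}")
```

Each finding is a key path, value name and value; a clean hive yields an empty list. The proxy entry is the one worth checking first on any machine that shows the symptoms, since a loopback proxy on port 5555 is what lets the fake scanner intercept the browser.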

I just want to make a note to newbies here: Be very careful about deleting registry entries. If you delete the wrong thing then you will really regret it.

Updated by anonymous

Shatari said:
I just want to make a note to newbies here: Be very careful about deleting registry entries. If you delete the wrong thing then you will really regret it.

I think I know what I'm talking about, thanks.

Updated by anonymous

Kald

Former Staff

Xaniseth said:
I think I know what I'm talking about, thanks.

Apparently, not enough to tell us which browser you use, which OS you use, what circumstances this happened under, and what makes you think it's from e621.

Updated by anonymous

Xaniseth said:
I think I know what I'm talking about, thanks.

I was talking to any newbies who aren't aware how important registry entries are to their computer. If the common layman deletes one wrong file, they'll be taking it in to the shop to get it fixed.

Updated by anonymous

Kald said:
Apparently, not enough to tell us which browser you use, which OS you use, what circumstances this happened under, and what makes you think it's from e621.

Google Chrome, Windows Vista 32-Bit SP1, Toshiba Satellite L305D, normal browsing with SimCity 3000 Unlimited idling in the background. I believe it's from e621, because it's the only website I've visited today.

K, anything else you'd like to know?

Updated by anonymous

Yes, important things like, "what ad specifically do you think is doing this so we can investigate?"

or even "what specifically is it installing on your machine?"

....you know, the things that would actually allow us to look into this instead of it sounding like you're scaring people and/or talking out of your arse.

oh, and

"why did you have to make a new thread".

I blast through a few thousand banner ads a day just doing the moderation work, I still have yet to encounter this mythical ad on our rotation.

Updated by anonymous

mellis said:
Yes, important things like, "what ad specifically do you think is doing this so we can investigate?"

or even "what specifically is it installing on your machine?"

....you know, the things that would actually allow us to look into this instead of it sounding like you're scaring people and/or talking out of your arse.

oh, and

"why did you have to make a new thread".

I blast through a few thousand banner ads a day just doing the moderation work, I still have yet to encounter this mythical ad on our rotation.

I don't have a specific ad, because I'm not psychic. It ran itself as I browsed. It's installing, like I said, a scareware program called "Antispyware Soft". Take a gander at http://www.spywareremove.com/removeAntiSpywareSoft.html for info. AND I made a new thread to keep this one from the bullshitty responses.

Updated by anonymous

So, what you're saying is, you have no idea what ad is doing this or how, but you're sure it came from here and not because of anything else on your machine, but can't tell us what it is...and that people should delete a bunch of completely different registry entries than what it says to on that link you sent.

...and felt you needed to make a new thread to increase panic. Fantastic.

Updated by anonymous

mellis said:
So, what you're saying is, you have no idea what ad is doing this or how, but you're sure it came from here and not because of anything else on your machine, but can't tell us what it is...and that people should delete a bunch of completely different registry entries than what it says to on that link you sent.

...and felt you needed to make a new thread to increase panic. Fantastic.

No, I posted it because I wanted to add more information. But I get accused by a mod for causing 'panic'. Lolz.

Updated by anonymous

You didn't add any information. You created a thread freaking out about adware you supposedly got from us, and gave incorrect information as to how to remove it (based on your own link), instead of using one of the existing threads, but can't actually tell us where it came from or anything whatsoever that would actually help us find or remove it.

Updated by anonymous

mellis said:
You didn't add any information. You created a thread freaking out about adware you supposedly got from us, and gave incorrect information as to how to remove it (based on your own link), instead of using one of the existing threads, but can't actually tell us where it came from or anything whatsoever that would actually help us find or remove it.

Incorrect information? Aside from the fact that I did exactly as I said and the program is gone, and multiple websites I've gone to support this, I think I'm being accused of bullshit.

Updated by anonymous

You still can't tell us what you think is actually causing it. We have thousands of users viewing thousands of pages each day - you'd think this would be more widespread if something in our fairly tiny ad rotation was doing it, no? I want to believe you, I really do, because if there is malware I want to act as quickly as possible to deal with it. But you're not actually saying anything useful that would allow us to do anything about it.

I'm still trying to figure out what the fuck in the rotation would even cause it. Last I checked, our ads are all jpegs.

Updated by anonymous

mellis said:
You still can't tell us what you think is actually causing it. We have thousands of users viewing thousands of pages each day - you'd think this would be more widespread if something in our fairly tiny ad rotation was doing it, no? I want to believe you, I really do, because if there is malware I want to act as quickly as possible to deal with it. But you're not actually saying anything useful that would allow us to do anything about it.

I'm still trying to figure out what the fuck in the rotation would even cause it. Last I checked, our ads are all jpegs.

Look, I don't pretend to be psychic and know where all of these came from. I don't even to pretend to understand how the hell it would happen. I'm just trying to report what happened, okay? Be calm.

Updated by anonymous

This is an extremely serious matter, and you insist you got it from here, but yet can't tell us what ad it came from, what page caused it, what the circumstances at the time were, why you specifically think it came from here other than 'I was on here at the time the popup happened', and neither you nor I have any idea how this could even be possible under the current site setup.

And you make a new thread about it which was completely unnecessary, and just increases the level of freakout because now people are seeing multiple threads about this, so far, completely unsubstantiated and unable to be tracked, described, or detected thing.

I hope you can see why this is just a little frustrating at our end.

Updated by anonymous

mellis said:
This is an extremely serious matter, and you insist you got it from here, but yet can't tell us what ad it came from, what page caused it, what the circumstances at the time were, why you specifically think it came from here other than 'I was on here at the time the popup happened', and neither you nor I have any idea how this could even be possible under the current site setup.

And you make a new thread about it which was completely unnecessary, and just increases the level of freakout because now people are seeing multiple threads about this, so far, completely unsubstantiated and unable to be tracked, described, or detected thing.

I hope you can see why this is just a little frustrating at our end.

Look, I'm sorry for starting a new thread. Merge this one with the other if possible, or out and out delete it. I apologize, I'm used to other forums. I'll hold my tongue in the future.

Updated by anonymous

If you get any actual concrete information that lets us actually do something about this, please, PLEASE let us know. Like, what ad you believe is causing it. Or, even better, how it's apparently doing it through a jpg.

I don't want to come off as an asshole here, but seriously, if this IS happening, then it needs to be dealt with immediately and in order to do that we need actual, real information about the cause to do that. But so far, nobody can produce any information that would let us do that, instead, we get vague panic. What we currently have, really, is freakout threads causing confusion without actually helping track down this supposed virulent ad.

Updated by anonymous

mellis said:
If you get any actual concrete information that lets us actually do something about this, please, PLEASE let us know. Like, what ad you believe is causing it. Or, even better, how it's apparently doing it through a jpg.

I don't want to come off as an asshole here, but seriously, if this IS happening, then it needs to be dealt with immediately and in order to do that we need actual, real information about the cause to do that. But so far, nobody can produce any information that would let us do that, instead, we get vague panic. What we currently have, really, is freakout threads causing confusion without actually helping track down this supposed virulent ad.

Honestly, if I do find it and collaborate it, I'll help. I'm sorry for apparently helping the panic, I thought it'd be a good idea to add.

Updated by anonymous

mellis said:
why you specifically think it came from here other than 'I was on here at the time the popup happened

Well he stated that he had only visited a single website, e621, today.

The thing that confuses me is, like you said, everything is jpg. That's about as safe as you can get for ads.

A bit of speculation... Maybe one of the ads linked to a site with a virus, and he clicked it by accident? That's the only thing I can think of. That would explain why so few users have actually seen it, despite the small number of ads on the site. And how people could be getting infected when the ads are jpg only.

EDIT: The thing is, I haven't even seen any ads from any company that I wouldn't consider reasonably trustworthy. Sure it's porn companies, but all the ads seem to be for big name companies that wouldn't risk their reputation by pushing spyware/viruses on people.

Updated by anonymous

Marbles said:
Well he stated that he had only visited a single website, e621, today.

The thing that confuses me is, like you said, everything is jpg. That's about as safe as you can get for ads.

A bit of speculation... Maybe one of the ads linked to a site with a virus, and he clicked it by accident? That's the only thing I can think of. That would explain why so few users have actually seen it, despite the small number of ads on the site. And how people could be getting infected when the ads are jpg only.

EDIT: The thing is, I haven't even seen any ads from any company that I wouldn't consider reasonably trustworthy. Sure it's porn companies, but all the ads seem to be for big name companies that wouldn't risk their reputation by pushing spyware/viruses on people.

Normally my mouse hand is fairly steady, but it's possible I might have accidentally clicked on something.

Updated by anonymous

There's also a slim possibility that the ad in question is using iframe hijinx to slip it in. That's why it's important to actually figure out what ad, if any, is actually doing this, and under what circumstances.

I want to believe the reports, since I honestly don't think our users are being malicious or sending us on wild goose chases, but I can't replicate the event and I can't get any info to help track it besides 'I was on the site, and something happened'. I'm still trying to replicate this popup and looking into things, but until I get something more concrete, or manage to do it myself, I can't progress in either direction - removing the problem from the site, or identifying the problem as something else on their machine.

Updated by anonymous

mellis said:
There's also a slim possibility that the ad in question is using iframe hijinx to slip it in. That's why it's important to actually figure out what ad, if any, is actually doing this, and under what circumstances.

I want to believe the reports, since I honestly don't think our users are being malicious or sending us on wild goose chases, but I can't replicate the event and I can't get any info to help track it besides 'I was on the site, and something happened'. I'm still trying to replicate this popup and looking into things, but until I get something more concrete, or manage to do it myself, I can't progress in either direction - removing the problem from the site, or identifying the problem as something else on their machine.

I'm setting up a test computer (an old computer I've got sitting around) but I'm running very low on allotted bandwidth for today. I'll post if I find anything.

Updated by anonymous

Just chiming in. I have a friend checking the feed-through he set me up with. Checking all the temp files linked to e621 and individually checking each image for anything more than just the picture showing up. No idea if any of the ones that have loaded for me had any easter eggs tagging along, but so far today, nothing. He's checked a good 300 in the cache and temps. I only come to e621, Yahoo Mail, and Facebook to fart around. Other than that, no other websites in my History except for that anthro dildo website. Anytime that one pops up while browsing, I click because at least I trust it.

In short, I'm having all my "ad banner history" as we'll call it being checked through. If someone snuck an addendum onto a jpg and it's in the waiting, I'll let you guys know, though I'm sure adbrite is usually reliable about not being mal'd.

Updated by anonymous

So apparently it's spread via a Trojan, so looking for Trojans and not adware/malware might be advisable.

UPDATE: According to MBAM (Malwarebytes AntiMalware), this particular malware is generally spread by pretending to be a porn video or image, so the banner ads may not be the culprit after all.

Updated by anonymous

I figured I would chime in here and say I have not had any trouble with any malicious popups or spyware threats on my end, but I think I found something else...interesting. (Also, by the way, I scanned my computer yesterday w/ Avast, SpyBot, and MBAM, and I have no infections.)
I don't know if this information can be of any help/use or not, but here goes:

I am using MBAM as well, and I have the "Website Blocking" feature currently active. I am using FF 3.6.3 with the only tabs open being e621. I spammed the refresh button to change the banner ads, and one of the ads triggered the "Malicious IP Block" info balloon as soon as the ad appeared on the page. The IP address was 89.149.236.101. (Sorry, I forgot to screencap the ad.)

...and another time it triggered it, I managed to screencap the advertisement that triggered it (http://tinypic.com/view.php?pic=2d5006&s=5), but I forgot the IP address. Sorry! :-X

The text advertisements haven't triggered anything so far, so it must be just the image ones?
They could just be just false positives, or they could be legit viruses, I have no idea...

Updated by anonymous

WolfieWolfie1992 said:
...and another time it triggered it, I managed to screencap the advertisement that triggered it (http://tinypic.com/view.php?pic=2d5006&s=5), but I forgot the IP address. Sorry! :-X

I refreshed until I got that, and MBAM popped a block on it.

WolfieWolfie1992 said:
I am using MBAM as well, and I have the "Website Blocking" feature currently active. I am using FF 3.6.3 with the only tabs open being e621. I spammed the refresh button to change the banner ads, and one of the ads triggered the "Malicious IP Block" info balloon as soon as the ad appeared on the page. The IP address was 89.149.236.101. (Sorry, I forgot to screencap the ad.)

That IP traces to Hong Kong.

Updated by anonymous

Xaniseth said:
I refreshed until I got that, and MBAM popped a block on it.

That IP traces to Hong Kong.

Those wacky Chinese...

Updated by anonymous

deadjackal said:
Those wacky Chinese...

(As a note, I have no idea if this IP actually corresponds with the malware, but here it is. Google-fu.)

Whois info on the IP (from http://ip-lookup.net/index.php):

inetnum: 89.149.236.0 - 89.149.236.255
netname: GIBIBITS-LTD-966647
descr: Gibibits-Limited
country: HK
admin-c: KB1643-RIPE
tech-c: SR614-RIPE
status: ASSIGNED PA
mnt-by: NETDIRECT-MNT
mnt-lower: NETDIRECT-MNT
mnt-routes: NETDIRECT-MNT
source: RIPE # Filtered

person: Konstantin Begidzhanov
address: FLAT/RM 813 8/F Hollywood Plaza
address: 610 NATHAN RD, KL
address: Hong Kong
phone: +852 36931522
fax-no: +852 36931522
abuse-mailbox: [email protected]
nic-hdl: KB1643-RIPE
mnt-by: NETDIRECT-MNT
source: RIPE # Filtered

Updated by anonymous

Just something to add. There are ways to run HTML/javascript/exploit code with a text file disguised as a JPG file and adding a mime-type modifier to the header. I remember finding something like this a long time ago, not here of course.

Maybe one of the ad sources got infected or hacked and is therefore infecting e621 with proxy JPGs. This probably doesn't help much, but it's a possible clue.

I don't believe this post causes any sort of panic or drama, but just in case it does, my apologies.

Updated by anonymous
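The "text file disguised as a JPG" trick described above works only when the browser is allowed to sniff the body and re-interpret a supposed image as markup. Whoever operates the ad rotation can check creatives for exactly that mismatch. The code below is an added example for this thread, not code from the site or from its ad network; the sample responses in it are constructed, and the `X-Content-Type-Options: nosniff` header it looks for is the standard response header that tells browsers to trust the declared type instead of sniffing.

```python
"""Check that an ad creative really is the image its Content-Type claims.
Added example, not code from the site or its ad network; all sample
responses below are constructed."""
from typing import Dict, List, Optional

# Magic-byte prefixes of the formats an image-only ad rotation should serve.
IMAGE_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# Byte patterns that mean markup, script, a plugin object or a PDF arrived instead.
ACTIVE_CONTENT_MARKERS = (b"<html", b"<script", b"<iframe", b"<object", b"<embed", b"%pdf-")


def sniff_image_type(body: bytes) -> Optional[str]:
    """Identify the image format from its leading bytes, ignoring any declared type."""
    for mime, prefixes in IMAGE_MAGIC.items():
        if any(body.startswith(p) for p in prefixes):
            return mime
    return None


def check_creative(headers: Dict[str, str], body: bytes) -> Dict[str, object]:
    """Compare the declared Content-Type with what the bytes actually are.

    verdict: "ok"             declared image type matches the magic bytes
             "mismatch"       declared an image but the bytes are a different format
             "active-content" markup/script/PDF found where an image was expected
             "not-image"      response does not even claim to be an image
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    declared = hdr.get("content-type", "").split(";")[0].strip().lower()
    sniffed = sniff_image_type(body)
    head = body[:4096].lower()           # markers only matter near the start
    markers: List[str] = [m.decode() for m in ACTIVE_CONTENT_MARKERS if m in head]
    # nosniff tells browsers to honour Content-Type and never re-interpret an
    # "image" as HTML; its absence is what lets a disguised text file execute.
    nosniff = hdr.get("x-content-type-options", "").strip().lower() == "nosniff"

    if markers:
        verdict = "active-content"
    elif not declared.startswith("image/"):
        verdict = "not-image"
    elif sniffed == declared:
        verdict = "ok"
    else:
        verdict = "mismatch"
    return {"declared": declared, "sniffed": sniffed, "markers": markers,
            "nosniff": nosniff, "verdict": verdict}


# Constructed sample responses (not captured from any real ad server).
SAMPLES = {
    "real_jpeg": ({"Content-Type": "image/jpeg", "X-Content-Type-Options": "nosniff"},
                  b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32),
    "html_as_jpeg": ({"Content-Type": "image/jpeg"},
                     b"<html><body>not an image</body></html>"),
    "pdf_as_gif": ({"Content-Type": "image/gif"},
                   b"%PDF-1.4\n% constructed placeholder, no real objects\n"),
    "png_as_jpeg": ({"Content-Type": "image/jpeg"},
                    b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
}


def audit_samples() -> Dict[str, str]:
    """Run every sample through the check and return name -> verdict."""
    return {name: str(check_creative(h, b)["verdict"]) for name, (h, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:14s} {verdict}")
```

A "mismatch" (PNG bytes served as JPEG) is usually a sloppy upload and harmless; "active-content" is the case worth pulling from rotation and reporting to the network. Serving creatives with `nosniff` from an origin that carries no session cookies removes the trick regardless of what the bytes contain.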

No, that's fine. This has become the sort of 'official thread' for this, I guess. We're aware of the header thing, we're still looking into this, haven't found anything malicious yet, but continuing to look.

Updated by anonymous

I just got this, and I believe it came from e621. The only things I was on were e621 and cooliris (browsing e621) on firefox. I was going through all of the e621 pics sequentially and was at some dr comet pics. After I clicked onto the page for one of them (around 6813-6823 if it helps) one of those talk-bubble alerts popped up over the green windows anti-virus shield icon (in legit windows 7) in the bottom right tray next to the windows clock, and I clicked it thinking it was a virus update.

Well it turns out that shield icon was this program (which was obvious after the fact, since it was pixellated) and it opened a fake virus program. I tried opening task manager but the fake program blocked it saying "taskmgr.exe is infected, do you want to activate your antivirus software now?" It did this to everything I tried to open. So I restarted my computer and opened task manager (which opened this time) and rexpfnmtssd.exe was running, so I ended it.

I did a computer search, which found that program under appdata/local/lyhmbakrv as well as a pf file under windows/prefetch.

I'm not about to go deleting registry keys without knowing exactly what they are and why I need to delete them, and I would like to remove this the correct way. If anyone knows a good place to go for information or help, I'd appreciate it.

I unfortunately did not see what ad was displaying at the time, as I was opening several e621 tabs at once and was a little preoccupied with the malware.

Updated by anonymous

RlctntFr said:
I'm not about to go deleting registry keys without knowing exactly what they are and why I need to delete them, and I would like to remove this the correct way. If anyone knows a good place to go for information or help, I'd appreciate it.

Uhh, install an antivirus? Your message gives no info except that this malware generates random names for files

Preventive actions are underrated. I'd help if I could, but ads that I see don't vary much (baddragon, black label ads and some Czech guys who want to make my penis bigger)

Possible actions: when a person running an active antivirus (like MrMewMew) gets a warning about a virus, they should probably save the whole page, including iframe contents, and pastebin it somewhere to let admins investigate it.

Updated by anonymous

Ehh, this is a guide to remove antispyware soft, I suppose it has nothing to do with spyware/malware removal

Updated by anonymous

RlctntFr said:
I do have an antivirus. Avast didn't and still doesn't pick it up as a virus, even when I scan the file directly.

Here's some more information on the virus: http://www.bleepingcomputer.com/virus-removal/remove-antispyware-soft

I'm currently in the process of removing it using that guide. I'll post the results when I'm done.

Probably because it isn't a virus. Go get MalwareBytes Anti-Malware.

Updated by anonymous

Xaniseth said:
Probably because it isn't a virus. Go get MalwareBytes Anti-Malware.

That's what that site told me to do. It appears to have worked. Thanks.

Updated by anonymous

Malwarebytes just displayed an info balloon twice on a blocked IP: 212.95.55.20. The banner ad displayed was the ZENERX one...

Haven't had any issues with the text ads yet.
Just thought y'all would like to know...

Updated by anonymous

RlctntFr said:
I do have an antivirus. Avast didn't and still doesn't pick it up as a virus, even when I scan the file directly.

Here's some more information on the virus: http://www.bleepingcomputer.com/virus-removal/remove-antispyware-soft

I'm currently in the process of removing it using that guide. I'll post the results when I'm done.

haha that reminds me of what happened when browsing on my wii. just going to random sites then a "my documents" folder showed up. at first i was like what the hell? it starts "scanning" the folder and said it has 100+ viruses. and all this time I thought my wii has been running just fine >.>

Updated by anonymous

luvdaporn said:
haha that reminds me of what happened when browsing on my wii. just going to random sites then a "my documents" folder showed up. at first i was like what the hell? it starts "scanning" the folder and said it has 100+ viruses. and all this time I thought my wii has been running just fine >.>

I see... So the virus installs windows XP onto wiis?
Devious bastards..

Updated by anonymous

Aurali said:
I see... So the virus installs windows XP onto wiis?
Devious bastards..

haha

Updated by anonymous

Aurali said:
I see... So the virus installs windows XP onto wiis?
Devious bastards..

XD

Updated by anonymous

I didn't get a virus, but when this came up, plugins (for whatever reason) needed to be installed apparently. Dunno if this is useful, or if there is even a malware scare any longer, but here's the screenshot: http://img688.imageshack.us/img688/2661/proofzc.png

And yes, I have a CRT screen. Don't make fun of my native resolution pl0x. :'(

Updated by anonymous

Somewhere someone probably noted that the ad uses a malicious embedded PDF file

Updated by anonymous

Anonym said:
I didn't get a virus, but when this came up, plugins (for whatever reason) needed to be installed apparently. Dunno if this is useful, or if there is even a malware scare any longer, but here's the screenshot: http://img688.imageshack.us/img688/2661/proofzc.png

And yes, I have a CRT screen. Don't make fun of my native resolution pl0x. :'(

Do you have any firewall?

Also, CRTs pwn :D
I have a 22" CRT.

Updated by anonymous

Fox2K9 said:
Do you have any firewall?

Also, CRTs pwn :D
I have a 22" CRT.

I do. I'll stress that I'm not trying to scare anyone -- I didn't click the ad, nor did it magically impregnate my computer with malware. I just thought it could be relevant if one of the ads here is malicious in some way.

Maybe it's not. And yeah, I wouldn't give up my CRT for color accuracy. Not yet anyway.

Updated by anonymous
