Windows pop-up screen (3 Viewers)

[Jack Splat]

Guys, I got the pop-up screen yesterday with IE 6.0 (no patches). After reading this thread last night and much soul-searching, I decided to take my 50 lashes and tell the corporate security guys what happened . They ran a pretty serious virus check on my PC and found something called TROJAN HORSE - BACKDOOR, or something to that effect.The file they ended up putting in the virus vault was named YRNIMCI.EXE and located at C:\WINNT\SYSTEM32. I don't know enough to say go check and see if you have that file, or just go out and run some good anti-virus software, but my guess is that if you got the pop-up you now have that virus. Again, I don't know enough to even say whether it was a serious virus or just something to collect information about your internet usage.Take this as a "just letting you know what I know" message.Jack.

 

[3C's]

If you guys are running IE, click on Tools and then Windows Update. There are quite a few critical updates that have come out in the last few weeks, especially if you're running NT, 2000 or XP (serious issues). Definately go to MS and get the updates if you're running NT, 2K, or XP.

 

[FightingWombat]

Guys, I got the pop-up screen yesterday with IE 6.0 (no patches). After reading this thread last night and much soul-searching, I decided to take my 50 lashes and tell the corporate security guys what happened . They ran a pretty serious virus check on my PC and found something called TROJAN HORSE - BACKDOOR, or something to that effect.The file they ended up putting in the virus vault was named YRNIMCI.EXE and located at C:\WINNT\SYSTEM32. I don't know enough to say go check and see if you have that file, or just go out and run some good anti-virus software, but my guess is that if you got the pop-up you now have that virus. Again, I don't know enough to even say whether it was a serious virus or just something to collect information about your internet usage.Take this as a "just letting you know what I know" message.Jack.

EVERYONE WHO HAS SEEN THE POPUP SHOULD RUN AN AV SCAN! Do it sooner rather than later. You can do an online scan at Trend-Micro. I am willing to help anyone that gets hit with this crap get rid of it. I'm sure others (GregR, Jojooboo, Z Machine et. al) would also be will to lend their expertise. Trojans are very serious. It allows some jerk to have total control over your PC.

 

[Stumpknockers]

I'm running windows XP and I got the file download screen for a couple days. I couldn't make any sense out of it so I re-booted and I haven't had it happen since. Can't figure out why that might have fixed it but its not happening anymore so I'm happy.

 

[The Z Machine]

I'm running windows XP and I got the file download screen for a couple days. I couldn't make any sense out of it so I re-booted and I haven't had it happen since. Can't figure out why that might have fixed it but its not happening anymore so I'm happy.

You should still get your computer scanned for viruses just to be safe. Even if the pop-up is not happening anymore does not mean a "hacker" has not put a program on your computer. Typically what happens is this "hacker" will put a Trojan-horse program on your computer in order for it to be activated at a different time. Once the "hacker" has enough trojans installed he activates then all simulatneously in order to perform a Distributed Denial of Service Attack (DDOS). These attacks wreak havok on computer systems and leave portions of the internet unusable due to information overload.In order to maintain a smoothly flowing internet, all of us computer users must take precautions in order to prevent these sorts of attacks. Checking to make sure your computer is not infected is the best thing to do in this situation. If you need any more help, feel free to PM me or Wombat with any problems.

 

[jojooboo]

For those of you that don't have an antivirus application, now is the time to get one. I used to think I didn't need one either but it's very cheap peace of mind now that these things are getting even harder to detect and/or prevent. I use Norton Antivirus but I noticed that Pest Patrol (as linked earlier) claims to detect and disinfect this particular trojan. That may be an option for some of you.

Otherwise, I know there is a free virus scan available at http://housecall.antivirus.com/housecall/s.../start_corp.asp. I have no idea, though, if it will detect and disinfect this trojan that some (a lot of?) people may have been infected with. If someone uses it or another product that does work, please post that information here for others.

 

[Twilight]

I never saw it, but, once again, this seems like a targeted attack on the FBG's. Either a (former) board member is brassed off about a banning or some form of smackdown, or a rival finally realized the FBG's are the best out there and want to bring them down a peg or 2.Regardless, once again, I hope their box is fully updated, both the Server software and all the apps running. This sounds like a little more sophisticated attack than the Yahoo groups hacking, as I can't see this being just a script kiddie attack.Once again, GL guys.

 

[T.J.]

Anybody still getting the popup even after they have downloaded the patch! When i click on 'help' and then 'about IE' it still says that i am running version 6.0.2600.0000C0 and the updated versions says '0'!I went to microsoft and "thought" i downloaded it, even after i downloaded shut the computer down and still got the popup (only on the main screen of footballguys)! Then went the other route to 'Tools' and 'Windows Update' and downloaded it that way, shut the computer down and still getting the popup!So finally did a 'Scan for viruses' (I use Norton SystemWorks 2002) and after 25 minutes or so it tells me after scanning about 42,000 files that I have NO infected files!Can you computer guys help me out, am I doing something wrong??? I would love to get this problem solved?

 

[The Z Machine]

I'm going to do some experimenting on an XP box at my work. I never use IE on it, so I doubt I got the trojan. I'm installing the updates for IE now. We'll see if I ever get the pop-ups.The msot interesting thing to me is how the extra peice of HTML got inserted at the end of the footballguys.com homepage. That's the scary part for them I bet. Running a website is a 24-7 business.

 

[jojooboo]

Anybody still getting the popup even after they have downloaded the patch! When i click on 'help' and then 'about IE' it still says that i am running version 6.0.2600.0000C0 and the updated versions says '0'!I went to microsoft and "thought" i downloaded it, even after i downloaded shut the computer down and still got the popup (only on the main screen of footballguys)! Then went the other route to 'Tools' and 'Windows Update' and downloaded it that way, shut the computer down and still getting the popup!So finally did a 'Scan for viruses' (I use Norton SystemWorks 2002) and after 25 minutes or so it tells me after scanning about 42,000 files that I have NO infected files!Can you computer guys help me out, am I doing something wrong??? I would love to get this problem solved?

It would seem that you somehow haven't updated the browser if that is what you are seeing. Mine says Version: "6.0.2800.1106.xpsp2.030422-1633" and for update versions it says "SP1; Q818529; q330994"I think the key of all this is the "SP1" since the links others have posted indicate that patched versions with the service pack won't download the trojan.My only advice is to try the Windows Update thing again and make sure you choose "Open" instead of "Save to Disk" if you are prompted. I'm not even sure it asks that but I'm just thinking that maybe you are just downloading the files and not actually executing (installing) them.

 

[Dickie Dunn]

I ran McAfee VirusScan and it found the trojan "CoreFlood" in a Temporary Internet Files folder in a file called "README[1].TXT%00PROG.EXE"It wasn't there last week when I scanned after the e-mail problem, and this is the same file name that came up on the pop-up window.I use XP and had 6.0 without patch before running Windows Update earlier today.

 

[The Z Machine]

It would seem that you somehow haven't updated the browser if that is what you are seeing. Mine says Version: "6.0.2800.1106.xpsp2.030422-1633" and for update versions it says "SP1; Q818529; q330994"I think the key of all this is the "SP1" since the links others have posted indicate that patched versions with the service pack won't download the trojan.My only advice is to try the Windows Update thing again and make sure you choose "Open" instead of "Save to Disk" if you are prompted. I'm not even sure it asks that but I'm just thinking that maybe you are just downloading the files and not actually executing (installing) them.

I beleive that SP1 is in reference to Windows XP Service Pack 1 and not a patch for the actual browser. Perhaps it's a Windows XP thing that also needs to be patched. You should install all the critical updates for XP as well as IE.

 

[3C's]

First..can't say I'd blame this on anything other than a "scan" by a malicious person/persons. Could be a result of (EDIT: and should be considered as such...meaning someone with admin privileges to the website could have been infected by the email virus last week) the infected emails from last week. Don't know the answer yet, but some IE injection seems to be the thing here. EVERYONE USING IE...GET the patches/updates. There's some serious MS flaws that have come out in the last few weeks.

 

[Greg R]

It would seem that you somehow haven't updated the browser if that is what you are seeing. Mine says Version: "6.0.2800.1106.xpsp2.030422-1633" and for update versions it says "SP1; Q818529; q330994"I think the key of all this is the "SP1" since the links others have posted indicate that patched versions with the service pack won't download the trojan.My only advice is to try the Windows Update thing again and make sure you choose "Open" instead of "Save to Disk" if you are prompted. I'm not even sure it asks that but I'm just thinking that maybe you are just downloading the files and not actually executing (installing) them.

I beleive that SP1 is in reference to Windows XP Service Pack 1 and not a patch for the actual browser. Perhaps it's a Windows XP thing that also needs to be patched. You should install all the critical updates for XP as well as IE.

I'm pretty sure it's referring to the IE service pack and not to the OS. I was on standard win2k and loaded IE's SP1 and that's what I had when I made my previous post. I've since loaded win2k's SP4, and my IE is still at SP1.I agree with jojooboo that the first thing I'd check is to see if it was just downloaded, or if it was actually installed. If he is installing it, could he have two copies of IE and he's launching the one that isn't updated? I wouldn't imagine that would be possible with the registry stuff, but I'm more of a unix user.

 

[GECKO]

Downloading updates now, thanks for the trend XP owner

 

[3C's]

If he is installing it, could he have two copies of IE and he's launching the one that isn't updated? I wouldn't imagine that would be possible with the registry stuff, but I'm more of a unix user.

Not likely...IE get's layered into the OS and won't install 2 separate versions. (remember all the lawsuit stuff about how they couldn't remove it? ) I'd go through the windows update site....it's kind of fool-proof.

 

[3C's]

I'm more of a unix user.

I'm sitting here at home thinking....Smart man that GregR! I pretend to be a Solaris SA during the day, but at night I come home to fight off the evils of the MS world.

 

[Greg R]

Sorry for the double, but didn't want to mix topics. Here's a summary of the pertinent info on the CoreFlood Virus from Symantec.Consists of a .exe file which is it's loader, and a .dll which contains the primary code. Uses arbitrary file names, so don't necessarily expect yours to match what other infected users are seeing.The virus adds "<file name> %system%\<file name.ext>" to the HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run registry entry so that it is launched every time you boot windows. It connects to IRC and joins a predefined chat channel. It listens there for commands to execute on your system. So the hacker can enter commands there and your computer will carry them out.Unfortunately, they don't have a special cleaning tool for this virus that you can just download. Your Norton anti-virus or Symantec anti-virus (and probably most others) can clean it, but for anyone who doesn't have virus protection software, you should probably go get some.I suppose one thing you could try to see if you're possibly infected is to check that registry key and look for an entry of the form it adds. In win2k, open a command prompt window and type "regedit". It should bring up the registry editor. Just look in here, don't delete anything if you don't know what you're doing.Click on HKEY_LOCAL_MACHINE to expand it. Then click on SOFTWARE. Then click on Microsoft. Then click on Windows. Then click on CurrentVersion. Then click on Run. Look to see if there is an entry there that doesn't sound like it belongs. Like if you see stuff from Quick Time, Real, etc, those are probably ok. README[1].TXT%00PROG.EXE might not be.

 

[The Z Machine]

I'm pretty sure it's referring to the IE service pack and not to the OS. I was on standard win2k and loaded IE's SP1 and that's what I had when I made my previous post. I've since loaded win2k's SP4, and my IE is still at SP1.I agree with jojooboo that the first thing I'd check is to see if it was just downloaded, or if it was actually installed. If he is installing it, could he have two copies of IE and he's launching the one that isn't updated? I wouldn't imagine that would be possible with the registry stuff, but I'm more of a unix user.

Yeah I use linux here at home, so I have no way of verifying the IE stuff unless I log into the computer at work. Even there I use Mozilla on XP. I updated the IE on my box at work and there was no option for SP1. Maybe it was already installed. I use Mozilla on XP at work anyway. I would install linux but I need to run MS Project and the VBD app doesn't want to play nice with OpenOffice yet no matter how much I futz with the scripts. Plus the draft dominator doesn't work either.I also think it's impossible to install two versions of IE.

 

[The Z Machine]

I'm sitting here at home thinking....Smart man that GregR! I pretend to be a Solaris SA during the day, but at night I come home to fight off the evils of the MS world.

Huh... I'm the opposite. Work on XP at work and use linux and run a few servers (so I'm the sys admin here) from home.

 

[Greg R]

Huh... I'm the opposite. Work on XP at work and use linux and run a few servers (so I'm the sys admin here) from home.

You know, it's pretty funny, I used to be fairly decent in windows back in the windows 3 days. Then I get to college and it's all unix so I forget my windows stuff, and go to work in the oil patch and it's all unix here. Now that Intel's chips are nearly as performant as unix work stations, gotta go relearn windows again. Argh! At least there's still linux.

 

[3C's]

Huh... I'm the opposite. Work on XP at work and use linux and run a few servers (so I'm the sys admin here) from home.

For "ease" of use for my kids (and me) I've stuck with MS products up to now. Don't want to digress from the thread too much, but I didn't "grow up" with Linux. I run different workstations at home, but my primary box runs XP because all the admin doc's I have to do need to be done in "Orafice"...it's a MS world ou there (tried some others but it didn't work out well).

 

[3C's]

You know, it's pretty funny, I used to be fairly decent in windows back in the windows 3 days. Then I get to college and it's all unix so I forget my windows stuff, and go to work in the oil patch and it's all unix here. Now that Intel's chips are nearly as performant as unix work stations, gotta go relearn windows again. Argh! At least there's still linux.

It seems kind of interesting to me...there was so much "noise" out there about the email incident last week, but not much about this. This to me seems like it might be of more concern to some...I know I was.

 

[ahmngrn30]

I too am getting the pop-up. I did the virus scan... had 2 trojan horse ones and 600 + ones that I could just delete/clean. One of the Trojans was deletetable, but there is still one virus left called:TROJ KBMAN.A (on file C: Windows/System/fanstats/keys32.dll--i have no idea what this file is)I tried deleting the file it was on, the virus it self and just about nething else I could think of but this message kept coming up:"unable to clean (or delete) file C:Windows/System/fanstats/keys32.dll because it is currently in use".I have no knowledge of viruses or really computers in general so ne help on what to do about this is appreciated.

 

[Greg R]

I too am getting the pop-up. I did the virus scan... had 2 trojan horse ones and 600 + ones that I could just delete/clean. One of the Trojans was deletetable, but there is still one virus left called:TROJ KBMAN.A (on file C: Windows/System/fanstats/keys32.dll--i have no idea what this file is)I tried deleting the file it was on, the virus it self and just about nething else I could think of but this message kept coming up:"unable to clean (or delete) file C:Windows/System/fanstats/keys32.dll because it is currently in use".I have no knowledge of viruses or really computers in general so ne help on what to do about this is appreciated.

What anti-virus software are you using? Couldn't find the name at symantec, they may call it by some other name.

 

[Greg R]

Don't mean to turn this into a cpu security thread, but while people are actively looking into how safe your computer is, you might want to go to symantec and run their security checks. They have an online virus check, and also a security check that checks things that hackers and trojan horses try to exploit to get control of your machine.

 

[FightingWombat]

I too am getting the pop-up. I did the virus scan... had 2 trojan horse ones and 600 + ones that I could just delete/clean. One of the Trojans was deletetable, but there is still one virus left called:TROJ KBMAN.A (on file C: Windows/System/fanstats/keys32.dll--i have no idea what this file is)I tried deleting the file it was on, the virus it self and just about nething else I could think of but this message kept coming up:"unable to clean (or delete) file C:Windows/System/fanstats/keys32.dll because it is currently in use".I have no knowledge of viruses or really computers in general so ne help on what to do about this is appreciated.

ahmngrn30, To remove the trojan, you will need to boot into safe mode. On most PCs, you will have to hold down the F8 key when booting the PC. A menu will appear. Select #3, Safe Mode. Safe mode loads only the minimal drivers you PC needs to function, but not the trojan/virus. Once in safe mode, run the virus scan. Your AV software should have no problem getting rid of it.

 

[FightingWombat]

Don't mean to turn this into a cpu security thread, but while people are actively looking into how safe your computer is, you might want to go to symantec and run their security checks. They have an online virus check, and also a security check that checks things that hackers and trojan horses try to exploit to get control of your machine.

Good point Greg. Another good site for checking out your firewall is PCFlank.com. They have a varriety of firewall test, including one that looks for open ports that are commonly used by trojans.

 

[whitesnake]

WEll crap.....I have the virus now.....Norton went off and found 11 of them...I ran VirusScan night before last and I was clean....Last night I ran it again and had 11 of the bastards.......Norton can't fix, delete, or quarantine them!..Now what?.....any ideas?A little too late for the updates and patches.....I though Norton would keep stuff out. I have kept it updated....

 

[3C's]

Good point Greg. Another good site for checking out your firewall is PCFlank.com. They have a varriety of firewall test, including one that looks for open ports that are commonly used by trojans.

That's a very good site...I had forgotten about them. Though probably easy tools to use, Sysinternals has some very powerful tools that will tell you what's going on in your system...like what dll's are being used by which program.

 

[3C's]

WEll crap.....I have the virus now.....Norton went off and found 11 of them...I ran VirusScan night before last and I was clean....Last night I ran it again and had 11 of the bastards.......Norton can't fix, delete, or quarantine them!..Now what?.....any ideas?A little too late for the updates and patches.....I though Norton would keep stuff out. I have kept it updated....

You'll probably need to boot in safe mode too. And then try to run a virus scan. If you get cleaned up, get the updates. Also, AV's don't always catch everything because there are some things they're unaware of. And some stuff it does catch isn't actually a virus.

 

[3C's]

I too am getting the pop-up. I did the virus scan... had 2 trojan horse ones and 600 + ones that I could just delete/clean. One of the Trojans was deletetable, but there is still one virus left called:TROJ KBMAN.A (on file C: Windows/System/fanstats/keys32.dll--i have no idea what this file is)I tried deleting the file it was on, the virus it self and just about nething else I could think of but this message kept coming up:"unable to clean (or delete) file C:Windows/System/fanstats/keys32.dll because it is currently in use".I have no knowledge of viruses or really computers in general so ne help on what to do about this is appreciated.

Is there also a file called OREC32.EXE? This looks like a keystroke logger. Booting into safe mode and deleting it should work.

 

[FightingWombat]

WEll crap.....I have the virus now.....Norton went off and found 11 of them...I ran VirusScan night before last and I was clean....Last night I ran it again and had 11 of the bastards.......Norton can't fix, delete, or quarantine them!..Now what?.....any ideas?A little too late for the updates and patches.....I though Norton would keep stuff out. I have kept it updated....

Whitesnake, To remove the trojan/virus, you will need to boot into safe mode. On most PCs, you will have to hold down the F8 key when booting the PC. A menu will appear. Select #3, Safe Mode. Safe mode loads only the minimal drivers you PC needs to function, but not the trojan/virus. Once in safe mode, run the virus scan. Your AV software should have no problem getting rid of it. Once the initial trojan was loaded, it created a backdoor. The hacker could then load what ever he/she wanted. I your case, it looks like 10 more trojans/virii were added. That's why NAV missed it.

 

[FightingWombat]

I too am getting the pop-up. I did the virus scan... had 2 trojan horse ones and 600 + ones that I could just delete/clean. One of the Trojans was deletetable, but there is still one virus left called:TROJ KBMAN.A (on file C: Windows/System/fanstats/keys32.dll--i have no idea what this file is)I tried deleting the file it was on, the virus it self and just about nething else I could think of but this message kept coming up:"unable to clean (or delete) file C:Windows/System/fanstats/keys32.dll because it is currently in use".I have no knowledge of viruses or really computers in general so ne help on what to do about this is appreciated.

Is there also a file called OREC32.EXE? This looks like a keystroke logger. Booting into safe mode and deleting it should work.

keys32.dll is most likely a key stroke logger. They are very bad as they are used to steal passwords.

 

[tangfoot]

keys32.dll is most likely a key stroke logger. They are very bad as they are used to steal passwords.

To be fair, I use a keystroke logger on my pc just for CYA. If I crash while writing a paper, I want to be able to recover it.Hitting save all the time doesn't always get the most recent paragraphs.On the flip side, keyloggers can also be used to get credit card numbers, etc...IF used maliciously.

 

[JaxBill]

Is the main page down now? I tried going there and it took a longer than normal time to load, so I got out of it.

 

[Memphis Foundry]

For those of you who don't have an antivirus installed locally on your machine, Grisoft has a free version of their antivirus product for individual home users. I've been using it at home for a couple of years and it is a quality product. A locally installed antivirus has some advantages over the web-based ones as they can do "real-time" scans and stop infected files from being written to the hard drive.

Here's the AVG freeware version info:

AVG Free Version

I would encourage everyone who accesses this site with IE 6 to do a full virus scan as soon as possible. There are already way too many trojan-infected "zombie" machines under hacker control on the internet; keeping your machine virus-free, reasonably up to date on patches, and out of the control of hackers is the ultimate "good neighbor" policy on the internet.

 

[Dickie Dunn]

Looks like I got out of it relatively unscathed. Ran McAfee initially to find the virus last night, then clicked on the CoreFlood info and found out about running it in Safe Mode (as well as clicking off System Restore, so that if you ever have a serious crash, you won't go back to a point in which the virus still was in the system).Ran McAfee again in Safe Mode and found nothing else. Whew!

 

[jojooboo]

It seems kind of interesting to me...there was so much "noise" out there about the email incident last week, but not much about this. This to me seems like it might be of more concern to some...I know I was.

I have a feeling that most people didn't even notice that the window popped up and something was downloaded to their machine. All reports seem to indicate it happened pretty quickly and if you weren't really paying attention you wouldn't notice. Also, since this was on the FBG homepage, it's likely that many/most of the visitors do not actively participate in these forums and once they realize they are infected will not have any idea where it came from.I agree, though, that it's unfortunate that more noise isn't being made about this to get people to notice so they can clean their machines.

 

[Mystery Achiever]

I just ran Norton which found 7 infected files (coreflood) but it couldn't delete two: C\WINDOWS\SYSTEM\HEDFWMC.DLL and .EXE. Any ideas on getting rid of these two?

 

[FightingWombat]

I just ran Norton which found 7 infected files (coreflood) but it couldn't delete two: C\WINDOWS\SYSTEM\HEDFWMC.DLL and .EXE. Any ideas on getting rid of these two?

Reboot your PC. While rebooting, hold down the F8 key. A menu will appear. Select 'Safe Mode' (usually selection #3). Once in safe mode, do a virus scan. NAV should be able to get rid of them.

 

[Mystery Achiever]

Reboot your PC. While rebooting, hold down the F8 key. A menu will appear. Select 'Safe Mode' (usually selection #3). Once in safe mode, do a virus scan. NAV should be able to get rid of them.

Thx, Wombat! I now have all seven in quarantine. Now, to get rid of them. Can I just go to quarantine console and delete them safely? Sorry if these questions are elementary - this is fortunately my first virus. Really appreciate the help

 

[FightingWombat]

Thx, Wombat! I now have all seven in quarantine. Now, to get rid of them. Can I just go to quarantine console and delete them safely? Sorry if these questions are elementary - this is fortunately my first virus. Really appreciate the help

No problem! Glad you got those damn thing under control. Once they are quaranteened, have NAV delete them.

 

[3C's]

I like to make sure everything is working (able to boot up) before actually deleting the files, but they're infected anyway so they won't do you much good.

 

[Mystery Achiever]

quarantine is empty!!!!!!!!!!!!(3 c's; i did reboot first, since i was runing in safe mod to do the scan). you guys are the best!

 

[3C's]

Cool! 1 less zombie PC!

 

[BassNBrew]

FBG.com, you've been punk'd once again.- Blackeyedhacker.comI would be ironic.

 

[Drugrunner's Alias]

For those of you who are getting it and have not downloaded the patch..... Do it now!I just did it and I am no longer getting that pop-up screen.Thanks for the link GregR.Hopefully FBGs will still figure this one out and let us all know.

You're welcome... and I should have said, if you don't know what version you are on, click on the Help Menu, then "About Internet Explorer".If you're on IE 6 it should say at the top version 6.0 with some other numbers after it.2 or 3 lines below that it should say:

Update Versions:; SP1;

If you have that, then you have Service Pack 1 installed already.

Thank you very much for this post GregR. I don't understand computers, but I have total peice of mind now. Seems I have that patch already.

 

[pirate]

My home computer has PC-cillin, but not Norton is PC-cillin sufficient anti-virus protection. Thanks for your help

 

[FightingWombat]

My home computer has PC-cillin, but not Norton is PC-cillin sufficient anti-virus protection. Thanks for your help

It should be sufficient.