Joesax hacked (Was: Forumosa hacked?)

Hey joesax,

Did you solve the problem as my laptop is still doing what you described? In fact, I can’t get to the forumosa home page at all. I can on this desktop computer but only after clicking on through a google search.

[quote=“Fox”]Hey joesax,

Did you solve the problem as my laptop is still doing what you described? In fact, I can’t get to the forumosa home page at all. I can on this desktop computer but only after clicking on through a google search.[/quote]
Hi Fox, the problem hasn’t recurred. So it seems to be fixed, though I think the root cause may still be there.

The things that the Panda scan found and “disinfected” were:
Virus:Trj/ClassLoader.Z
Virus:Trj/ClassLoader.AA
They were both in Documents and Settings\Application Data[username]\Sun\Java\Deployment\cache\javapi\v1.0\jar\

There was also something called ByteVerify in the same place. Panda didn’t remove that, but I deleted it manually. Not sure whether that’s really a good idea but it seems to have got rid of the problem for now.

This is the link for the Panda scan:
pandasoftware.com/products/ActiveScan.htm
You have to run it through Internet Explorer, with ActiveX enabled (it probably is enabled by default on your computer anyway, but I usually have it turned off as it’s generally a liability for viruses). And you have to give them an email address, to which they will send quite a few advertising emails. However, I don’t think they give your email address to others. It’s just their own advertising you have to put up with, which is reasonable I guess as the scan is free of charge.

If you don’t fancy the sound of that, you could try the Trend Micro Housecall program (also free) which Belgian Pie linked to on the previous page. I couldn’t get it to work properly last night, but anyway they seem to be quite a reputable company so it’s worth a try. I’m going to try again soon as I’m not convinced that I’ve got rid of the root cause of the problem by running the free version only of Panda.

Warning! … Don’t visit naughty sites … :smiley: :wink:

I did the spybot scan and deleted all my spyware but nothing changed.

The problem seems to me to be definitely coming from Forumosa. Now my desktop has developed the same problem. It must have to do with a cookies problem from Forumosa itself. I just started using this computer and it developed the problem on the first connection. If I don’t use the cookies connect such as a redirect through google it connects fine. This pc also has a lot of security features so I don’t think it is spyware or a virus.

I would be very interested and surprised if this is true. Please keep me updated on your progress.

We have used phpBB software and hacked it since 2002. This would be the first time it has triggered this kind of malware. The only key code change we have made in over 6 months was the addition of Google Analytics last month. And even then, that would hardly be considered a major change in code.

That said, if there has been a server breach of some kind that we aren’t aware of, please bring it to our attention - in this thread or email us at admin @ forumosa.com

I thought that cookies couldn’t do anything to harm your pc

The redirect only happens with forumosa. Two people have experienced it and it seems to be a cookies problem. I get redirected to the same site as Joesax. my5677.com/youji/

There is nothing at that site. I have two computers at home, a desktop and a laptop. I connected this desktop computer to the net and could go to forumosa once only. After that it must have dropped a cookie into my cache that redirects to this site. I can get to forumosa through a google search but not a yahoo search.

It can’t be a cookie, cookies can’t redirect, right? It must be code written into something else, an ad or something … it must be something else … and nothing at the site? I’m almost sure there is a code on it that you can’t see …

I think you are right BP. It is some kind of spyware.

C:\WINDOWS\system32\shdoclc.dll/dnserror.htm#http://www.my5677.com/youji/

If it’s not a bug, and it’s not a virus, it must be aliens.

Maybe this link can help …

OK, I have a theory. Is it possible that misspelling forumosa.com might lead to a redirect, which ends up on that page? Anyone want to chance it?

I tried spelling it F-O-R-U-M-O-S-A on Saturday and it didn’t work. That was using Bikefarm’s computer. It was OK using the /taiwan extension and my bookmark on my usual computer does it this way.

No problems with ‘forumosa.com’ from this shared computer though.

[quote=“irishstu”]OK, I have a theory. Is it possible that misspelling forumosa.com might lead to a redirect, which ends up on that page? Anyone want to chance it?[/quote]
In my case at least it wasn’t due to misspelling. But the problem hasn’t recurred. I ran the Panda scan and the Trend Micro one, and one of those has fixed the problem.

We were hijacked. I ran panda and whatever the file is hijacked the panda site as well and I couldn’t get back on to it. I ran the hijackthis program that was suggested in the link provided by BP. I think I’ve located the problem but I’m not sure how to delete it. I think the problem probably came from a link on forumosa.

You mean a link in a forumosa discussion, don’t you? Not a “Forumosa link” or anything that we rotate, I hope :slight_smile:

[quote=“Fox”]We were hijacked. I ran panda and whatever the file is hijacked the panda site as well and I couldn’t get back on to it. I ran the hijackthis program that was suggested in the link provided by BP. I think I’ve located the problem but I’m not sure how to delete it. I think the problem probably came from a link on forumosa.[/quote]
I was having problems getting the Panda scan and the Trend Micro one to work, and I think that might have been due to the hijacking. But I got them to work eventually, and that seems to have cleared things up.

The Trend Micro one was more thorough than the Panda one and got rid of more stuff. You might want to try that.

Could it have been a link to shakira porn or some amazing videos?

[quote=“Big Fluffy Matthew”]Could it have been a link to shakira porn or some amazing videos?[/quote]
I don’t open that stuff.

Fox, why do you think the problem came from a link on Forumosa?