Mine Exploration Forum

Author URGENT WARNING
JohnnearCfon

Joined: 22/12/2005
Location: Sir Caernarfon
Posted: 14/10/2009 22:20:58
It would seem that Pennmorfa.com (at least the slate quarry home page) has got a virus. Can someone who knows Dave Sallery please let him know?
IP: 89.242.172.102
ICLOK

Joined: 19/02/2008
Location: Ripley, Derbyshire up North.
Posted: 14/10/2009 23:41:18
He's on his hols but I have a mobile so will give him a go!

--

'Sir, I am unaware of any such activity or operation - nor would I be disposed to discuss such an operation if it did in fact exist, sir.'
IP: 78.145.174.51
JohnnearCfon

Joined: 22/12/2005
Location: Sir Caernarfon
Posted: 14/10/2009 23:57:38
Thanks, I am still trying to remove the virus. So much for my anti-virus software! It has stopped a few in the past though.
IP: 89.242.172.102
ICLOK

Joined: 19/02/2008
Location: Ripley, Derbyshire up North.
Posted: 15/10/2009 00:27:06
Ditto, I got stung just before you!!!

--

'Sir, I am unaware of any such activity or operation - nor would I be disposed to discuss such an operation if it did in fact exist, sir.'
IP: 78.145.174.51
ICLOK

Joined: 19/02/2008
Location: Ripley, Derbyshire up North.
Posted: 15/10/2009 03:42:19
It took 5 hours and 20 quid but I believe it's now cleaned out...

PLEASE NOBODY GO ON THIS SITE FOR NOW... THE VIRUS IS A TROJAN THAT LAUNCHES VIRUSPRO 2010 WHICH SENDS FAKE MESSAGES OUT RE YOUR PC HEALTH... THIS IS AN EXPENSIVE BITCH TO GET RID OF... AND JUMPS TO YOUR PC INSTANTLY... IT SEEMS TO DO IT BY WAY OF A PDF!

--

'Sir, I am unaware of any such activity or operation - nor would I be disposed to discuss such an operation if it did in fact exist, sir.'
IP: 78.145.199.5 Edited: 15/10/2009 04:07:38 by ICLOK
JohnnearCfon

Joined: 22/12/2005
Location: Sir Caernarfon
Posted: 15/10/2009 08:05:45
I have got rid of it (I think/hope).

It did it just as I went onto the home page. I didn't launch any sub pages.

My AVG couldn't get rid of it, nor could Search & Destroy. I tried following the instructions on a website how to do it. Eventually I found a programme called STOPzilla which is free (although it did want me to pay to upgrade). The free version seems to have done it.
IP: 78.150.149.80
royfellows

Joined: 13/06/2007
Location: Great Wyrley near Walsall
Posted: 15/10/2009 08:51:01
If you can identify the virus file you can access the HD on your machine from a bootable CD such as "NTFS File Reader for DOS", which is freeware, and then delete it.
You then need to clean up the Windows registry.

More difficult are those viruses that rename a program file such as "MSAccess.exe" to some random name of their own choosing, and then rename themselves "MSAccess.exe". So every time you start Microsoft Access you are running the virus.

You can't get a virus without running something, or putting it another way, nothing can get into your machine if you are firewalled. Hardware firewalls are better than software ones such as you get with Windows.
If your service provider has supplied you with a bog DSL modem, dump it and get a firewall router such as the very inexpensive Netgear DG834 or wireless DG834G.

Your machine is identified on the Internet by its external IP address. This is usually dynamic, in other words the provider's server assigns one to you when you switch on your router. It stays current as long as your router is switched on. If you switch it off, pause and then switch back on you will get a new one. Try this if you think someone or something out there 'has your number'.

You can't get a virus simply by visiting a website, you have to ‘do’ something. Unless of course your machine is wide open, not firewalled, then you can get a virus straight out of the blue from rogue machines that are set up to try random IP addresses. The old Windows 2000 was terrible for this as it came out of the box.

What did you download to get the virus?

EDIT
A further thought.
I am wondering if the website you visited was the one you thought it was.
I mean, someone could have hacked the DNS and diverted visitors to a phoney website set up by the hacker to infect everyone.
Internet is a jungle without rules. Tread carefully.


--

''the stopes soared beyond the range of our caplamps' - David Bick...... How times change
IP: 89.240.116.54 Edited: 15/10/2009 08:55:43 by royfellows
grahami

Joined: 29/01/2007
Location: Telford, Shropshire
Posted: 15/10/2009 09:53:06
Here at college we use F-secure Client Security as our primary anti-virus (as well as having our Firewalls etc.) - we have used it for a long time now and it has not failed us yet. Many students (and staff!) manage to bring in infected USB drives, CDs etc. so we need something that works. You can download a trial of it from the web, though you have to pay for its continued use, like most software of this type. It's very effective and I use it on my home PC as well. In these days it's essential and not worth skimping on.

Usual disclaimer, I suppose.

Grahami

--

The map is the territory - especially in chain scale.
IP: 212.219.117.106
royfellows

Joined: 13/06/2007
Location: Great Wyrley near Walsall
Posted: 15/10/2009 10:12:29
John
Just out of interest, when you visited the site, did you type in the URL, let google take you there, or select it from your favourites?

I have just had a phone call from a client which leads me to suspect something has been going on.
I suspect that some people have been induced into doing something that has overwritten their favourites with links to spoof or phishing websites. Something like this, I believe would not normally show up a virus on a virus scan or be blocked by an anti virus program if you tried to run it.

You haven't had an email from UPS "unable to deliver to recipient address" have you?
Or a government warning or something, with an attachment for you to open?


--

''the stopes soared beyond the range of our caplamps' - David Bick...... How times change
IP: 89.240.116.54
ICLOK

Joined: 19/02/2008
Location: Ripley, Derbyshire up North.
Posted: 15/10/2009 10:26:05
I googled penmorfa, I opened it up and on the access screen when it opened a PDF jumped up called Packer.258 (may have been 253). My Norton package picked it up but by all accounts what I read was by then it's too late and the virus disguised as a pdf uploads a downloader to your PC. I tried a free removal tool as per John which seemed to work but it did not get rid of the toolbar pop and the virus kept re-loading itself up so I bought Spyhunter which did it... the clever bit is it hides itself on boot and comes back....

I have a net gear router do I need to switch it off then?

Regs ICLOK

--

'Sir, I am unaware of any such activity or operation - nor would I be disposed to discuss such an operation if it did in fact exist, sir.'
IP: 89.242.61.251
royfellows

Joined: 13/06/2007
Location: Great Wyrley near Walsall
Posted: 15/10/2009 10:43:02
ICLOK wrote:

I googled penmorfa, I opened it up and on the access screen when it opened a PDF jumped up called Packer.258 (may have been 253). My Norton package picked it up but by all accounts what I read was by then it's too late and the virus disguised as a pdf uploads a downloader to your PC. I tried a free removal tool as per John which seemed to work but it did not get rid of the toolbar pop and the virus kept re-loading itself up so I bought Spyhunter which did it... the clever bit is it hides itself on boot and comes back....

I have a net gear router do I need to switch it off then?

Regs ICLOK


It sounds to me as though the site itself has been hacked or the machine it's on has been infected or the DNS hacked. Take your pick.
I wonder if it's dropping a file into your startup folder, if so the ordinary anti virus should find it. The rest is new to me, I would have to see an infected machine.

If you momentarily switch off your router, then back on, your provider's server will assign a new external IP address to you.

I have to add that some people have static IP addresses for video streaming etc, however for the majority of ordinary uses it's dynamic.

Thanks for the information Mr ICLOK, I will think about this. I have to go out and do shopping as off to Nenthead early tomorrow.

EDIT
I have just searched Sophos for packer and found nothing.


--

''the stopes soared beyond the range of our caplamps' - David Bick...... How times change
IP: 89.240.116.54 Edited: 15/10/2009 10:47:50 by royfellows
grahami

Joined: 29/01/2007
Location: Telford, Shropshire
Posted: 15/10/2009 11:10:40
Had a brief look through our virus info contacts etc., too many possibilities to identify it at this stage - which trojan is reported? I don't think anyone has mentioned the variety??

Cheers

Grahami

--

The map is the territory - especially in chain scale.
IP: 212.219.117.106
royfellows

Joined: 13/06/2007
Location: Great Wyrley near Walsall
Posted: 15/10/2009 11:11:39
and more
I have just put an old machine on line and visited the site by manually typing in the URL.
YES, you are absolutely correct, my machine was infected by just visiting the site. This frankly is new to me.
It is spyware, which explains why some AV programs won't identify it.
I have also identified the files, but need more time to play with it.
I have to go and get this shopping done.

--

''the stopes soared beyond the range of our caplamps' - David Bick...... How times change
IP: 89.240.116.54
ICLOK

Joined: 19/02/2008
Location: Ripley, Derbyshire up North.
Posted: 15/10/2009 11:56:42
packer.253/8 is the carrier and I found it on net explained somewhere.

No signs of its return.

Regs ICLOK

Can't get hold of Penmorfa!!!

--

'Sir, I am unaware of any such activity or operation - nor would I be disposed to discuss such an operation if it did in fact exist, sir.'
IP: 78.150.84.95
JohnnearCfon

Joined: 22/12/2005
Location: Sir Caernarfon
Posted: 15/10/2009 12:17:50
Sorry, I am very thick when it comes to this sort of thing!

I just went to my favourites list and clicked on that link. I didn't do anything (I didn't get chance to!). The page more or less loaded, I was starting to look at the index on that page to see if anything had been updated recently. Then Wham! I suddenly started seeing all my open windows start closing, then the machine shut down and started rebooting. After that I kept getting loads of pop ups from this VirusPro 2010 that said my machine was infected with this that and the other.

My first response was to run search and destroy, this identified some problems but could not fix all. I then ran a full scan with AVG, my normal antivirus software. This again reported some problems and fixed some.

Oh, it had installed itself on my start list, complete with an uninstall option which didn't work. I then went to control panel/add remove programs, although it was listed, that wouldn't remove it!

I then did a search on net and found loads of references to that virus. One of which told me how to do it. I tried following that but it kept self reinstalling. One page had a link to a "free tool" that would remove it. That turned out to be a link to a free version of Stopzilla which I installed, that seems to have done the job. Although on rebooting just now Stopzilla has told me it is still there and I should buy the registered version, I haven't but just deleted Stopzilla.

The only slight problem I am left with is that Windows Security Centre is now set to monitor VP 2010 rather than AVG. I will probably have to uninstall and reinstall AVG, but I have checked that and AVG is running and fully up to date.
IP: 78.144.28.118
AndyC

Joined: 24/10/2007
Posted: 15/10/2009 12:43:26
If your current checkers are not picking it up, you can try Malwarebytes:

[web link]

Nice little program - and sorted a virus I had a few weeks ago when S&D and AVG failed to.

--

The nurses are stealing my underwear
IP: 62.171.194.7
royfellows

Joined: 13/06/2007
Location: Great Wyrley near Walsall
Posted: 15/10/2009 12:53:28
John, you haven't done anything silly, I can confirm that the machine I used was infected by just visiting the site.
I don't know how long this threat has been out, it's possible that some anti virus suites don't have its profile yet and that this could be included in a near future update.

My old machine is running the old Windows 2K (NT V5), I shall wipe the HDD and put XP (NT V5.1) and deliberately get it again, if the website has not been fixed, when I get back from Nenthead.

It may be possible to get rid of the problem by running System Restore, I don't know at this time.

This would have been my first port of call on an XP/Vista machine if the AVG failed.

I did a 'system restore' of my own making by simply kicking the machine into Safe Mode, the virus/spyware does not run in safe mode, then using the search function to find all files created today which I promptly and successfully deleted.

The spyware or whatever is not particularly clever, it's just dropping files into places where they will run automatically with Windows.



--

''the stopes soared beyond the range of our caplamps' - David Bick...... How times change
IP: 89.240.116.54 Edited: 15/10/2009 12:54:12 by royfellows
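
The check described in the post above (looking for recently created files in the places that run automatically with Windows), as an added PowerShell example that is not part of the thread. It is read-only, goes beyond the post by also listing the Run/RunOnce registry keys, and the 24-hour window is an assumption:

```powershell
# Added example (not from the thread): read-only triage of Windows autostart
# locations for items created within a look-back window.
$Hours  = 24                           # assumed window; the post says "created today"
$cutoff = (Get-Date).AddHours(-$Hours)

# 1. Files sitting in the per-user and all-users Startup folders.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$startupFiles = foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Source  = 'StartupFolder'
                Name    = $_.Name
                Target  = $_.FullName
                Created = $_.CreationTime
                Recent  = $_.CreationTime -ge $cutoff
            }
        }
}

# 2. Commands registered under the Run / RunOnce registry keys.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$runEntries = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        # Pull the executable path out of the command line: quoted path first,
        # otherwise everything up to the first ".exe".
        $path = $null
        if     ($command -match '^\s*"([^"]+)"')    { $path = $Matches[1] }
        elseif ($command -match '^\s*(.+?\.exe)\b') { $path = $Matches[1] }
        $file = $null
        if ($path) { $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue }
        [pscustomobject]@{
            Source  = $key
            Name    = $name
            Target  = $command
            Created = if ($file) { $file.CreationTime } else { $null }
            Recent  = [bool]($file -and $file.CreationTime -ge $cutoff)
        }
    }
}

# Recent items first; nothing is deleted or changed.
@($startupFiles) + @($runEntries) |
    Sort-Object -Property Recent, Created -Descending |
    Format-Table -AutoSize -Wrap
```

Creation times can be altered by malware, so an entry that is not flagged as recent is not thereby shown to be clean.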
AR

Joined: 07/11/2007
Location: Knot far from Knotlow in the middle of the Peak District
Posted: 15/10/2009 13:03:54
I tried googling packer 253 to see if I could get some more info, the most likely site turned out to be a dodgy hacker's links shop, not only that there was an "inappropriate for the office" picture on one side screen - good job no-one sits behind me at work....

p.s. the supposedly smart content filters we have at work which object to things like clip art library sites failed to pick this up.

--

I sold my soul to Satan, but he brought it back and demanded a refund....
IP: 194.159.145.70
Spark

Joined: 03/05/2006

Posted: 15/10/2009 13:42:36
It probably got installed by a script run from the web page. This seems to be a favourite way of virus writers installing their !"£$ on people's computers since it is the local system downloading and installing it. The only way to guarantee prevention of that method of "drive by infection" is to stop your browser running client-side scripting, which breaks 99.999% of all "modern" web sites.

Did anyone who was infected submit a sample to any of the anti-virus companies? If so, they will soon have protection available.

Spark
IP: 80.177.221.183
JohnnearCfon

Joined: 22/12/2005
Location: Sir Caernarfon
Posted: 15/10/2009 13:57:40
I forgot to say, I already use a Netgear DG834 router.

I am currently scanning the system with the program AndyC recommended, thanks Andy.

I did try system restore at one point last night but, having shut down and rebooted, it just said nothing has changed on your system, so system restore hadn't reverted to the earlier date.
IP: 78.144.28.118
© 2005 to 2015 AditNow.co.uk