Virus alert?

yclo

Flashaholic*
Joined
Oct 8, 2001
Messages
2,267
Location
Melbourne, Australia
I'm using McAfee VShield and a few times when I reload the "Today's Active Topics" I get a downloaded virus warning?

Virus name:
JS/IEStart.gen.c

Someone???
 

NightStorm

Flashlight Enthusiast
Joined
Jun 16, 2002
Messages
1,090
Location
Between a rock & a hard place.
yclo,

Please contact a moderator, ASAP. Right now, I'm on my "Day-trading" drive. This drive doesn't contain an anti-viral program, as I don't store any data here, so I can't confirm any virus activity [my general purpose drive has a super-charged version of Norton's]. I figured that I would keep this drive "Simple & Stupid" and if I had a problem, I would simply blow this drive away and reload the few programs that I have here. Maybe someone else can verify this activity? Anyone?

Dan
 

Sigman

* The Arctic Moderator *
Joined
Sep 25, 2002
Messages
10,124
Location
"The 49th State"
I just posted in the ARC Flashlight Forum, under Peter's thread about Shipping and noticed that the post ended up - not by me but by "Brite One" member #2577. I went to the profile and it allowed me to be able to update his profile...something isn't right. I sent e-mail using the "Contact Us" option at the bottom of the page.

I've since rebooted my system and logged on again and changed my password. Just ran a virus check last night - all's good. The last thing I downloaded was that "USMC answering machine" comedy link in one of the forums here (probably one of those "war" Forums in the Cafe?)...My system still checks good...

Would like to find out fast!
 

rdwilson

Newly Enlightened
Joined
Dec 4, 2002
Messages
54
Location
Texas
The virus alert may be a false positive. The only active content on "Today's Active Topics" that I can see is a script that gets the cookie, tests for "logged in" status, and outputs "Hello username".

Here's the code:
code:
```javascript
<!--
// Read the session cookie; it holds two "&"-separated fields.
var session_cookie = getCookie('session2452483.1452');
if (session_cookie == null) {
  var session_dt = "0";
  var session_j = "0";
} else {
  var session_array = session_cookie.split("&");
  var session_dt = session_array[0];
  var session_j = session_array[1];
}

// Return the value of the named cookie, or null if it is not set.
function getCookie(name) {
  var cname = name + "=";
  var dc = document.cookie;
  var begin, end;

  if (dc.length > 0) {
    begin = dc.indexOf(cname);
    if (begin != -1) {
      begin += cname.length;
      end = dc.indexOf(";", begin);
      if (end == -1) {
        end = dc.length;
      } // end if
      return (dc.substring(begin, end));
    } // end if
  } // end if
  return null;
}
//-->
```
AND:
code:
```javascript
<!--
// Greet a logged-in user by the name stored in the third cookie field.
var user_cookie = getCookie('ubber2452483.1452');
if ('' == user_cookie || null == user_cookie) {
  document.writeln('You are not logged in.',
    ' <a href="http://www.candlepowerforums.com/cgi-bin/ultimatebb.cgi?ubb=login">Login</a>',
    ' or <a href="http://www.candlepowerforums.com/cgi-bin/ultimatebb.cgi?ubb=agree">register</a>');
} else {
  var user_array = user_cookie.split("&");
  user_array[2] = unescape(user_array[2]);
  document.writeln('Hello, ', user_array[2]);
  document.writeln('[ <a title="Click here to log out." ' +
    'href="http://www.candlepowerforums.com/cgi-bin/ultimatebb.cgi?ubb=logoff">',
    'log out</a> ]');
}
//-->
```
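The script quoted in the post above passes the username field of the cookie to `document.writeln` after `unescape()` without HTML-escaping it, and finds the cookie with a substring search. The following is an added example, not the forum's code and not part of the post: the same lookup with an exact cookie-name match and an HTML-escaped greeting. The cookie name and the "&"-separated layout come from the quoted script; `greetingHtml`, `escapeHtml`, the use of `decodeURIComponent` in place of `unescape`, and the sample cookie strings are assumptions.

```javascript
// Added example: pure functions, so they also run outside a browser.
const USER_COOKIE = 'ubber2452483.1452'; // cookie name from the quoted script

// Exact-name lookup. Splitting on ';' avoids the indexOf("name=") pitfall,
// where a cookie called "xname" would also match.
function getCookie(cookieHeader, name) {
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim();
  }
  return null;
}

// Encode the characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Build the greeting from a document.cookie-style string.
// Anything unexpected is treated as "not logged in".
function greetingHtml(cookieHeader) {
  const notLoggedIn = 'You are not logged in.';
  const raw = getCookie(cookieHeader, USER_COOKIE);
  if (!raw) return notLoggedIn;
  const fields = raw.split('&');
  if (fields.length < 3) return notLoggedIn;
  let name;
  try {
    name = decodeURIComponent(fields[2]); // assumption: replaces unescape()
  } catch (e) {
    return notLoggedIn; // malformed percent-encoding
  }
  return 'Hello, ' + escapeHtml(name);
}

// Constructed sample cookie strings (not captured from the forum).
console.log(greetingHtml('ubber2452483.1452=1&x&Dan%20W'));
console.log(greetingHtml('a=b; ubber2452483.1452=1&x&%3Cb%3EBob'));
console.log(greetingHtml('xubber2452483.1452=1&x&Eve'));
```

In a browser the returned string would be assigned to an element's content in place of the `document.writeln` call; setting `textContent` with the decoded name avoids the need for escaping altogether.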
 

Empath

Flashaholic
Joined
Nov 11, 2001
Messages
8,508
Location
Oregon
Yclo, I've attempted to duplicate the situation, but can't get the infection nor the warning from my virus, trojan, nor browser guard software. Of course, like you, I can only observe it from the user's end.

Has your start page been reset, or is it just a warning from your virus software? If it's only a warning but no symptoms, it could be that something is close enough to McAfee's signature files to trigger a false warning. If the JS/IEStart.gen.c script is resetting your start page it should become obvious. Of course different browsers, and different versions and builds and patches could react differently. I'm sure if there is indeed a script trojan it will be noticed.
 

NightStorm

Flashlight Enthusiast
Joined
Jun 16, 2002
Messages
1,090
Location
Between a rock & a hard place.
yclo,

Back again on my other drive and I'm not picking up anything. You might want to update your viral definitions and run a complete scan. Also empty your "Temporary Internet" folder, including offline content. Don't reboot your machine [if you can avoid it], as this sometimes will drive a Trojan deeper. If you are running Win9x/Me, you might want to set your folder options to "Show all files" and then scan the "Temporary Internet" folder with the "Find files" function, as these little beasties can hide there even after you cleared the files. You can also use the "Find files" function to scan your C drive for everything that has been created or modified in the last 24 hours. I hope for your sake that this is only a false alert.

Dan
 

yclo

Flashaholic*
Joined
Oct 8, 2001
Messages
2,267
Location
Melbourne, Australia
I haven't seen it since that first post anymore, but for the few times it did pop up, I just clicked delete on my McAfee window and it went away.

I checked my startup homepage and it hasn't been changed.

Upgrading virus definitions now....

Weird, sorry for the scare.
 

rdwilson

Newly Enlightened
Joined
Dec 4, 2002
Messages
54
Location
Texas
It seems to me that JS/IEstart.gen is simply a "browser hijack" trojan that changes the user's home page and adds favorites. It is also known as "JS Seeker" by other AV companies. There are many variations as shown here. More information is here and here. It is considered "low threat" because no other data is changed other than IE/Netscape's settings.

Google "JS Seeker" for lots more info.

I hope that this helps
 

Rothrandir

Flashaholic
Joined
Aug 17, 2002
Messages
7,795
Location
US
hmmm...i just opened up the internet, and the homepage which was previously set to about.blank was set to something about netscape....
 

Saaby

Flashaholic
Joined
Jun 17, 2002
Messages
7,447
Location
Utah
Did you just update Netscape? Are you using Netscape 7.0??
nice browser eh? I thought Netscape would NEVER make a decent browser but...
 

Rothrandir

Flashaholic
Joined
Aug 17, 2002
Messages
7,795
Location
US
actually, no, i didn't update...

is it nice now? i remember it used to be crap, but if you like it, maybe i will check it out. (beats using microsoft stuff at least)
 

yclo

Flashaholic*
Joined
Oct 8, 2001
Messages
2,267
Location
Melbourne, Australia
But but but, I get scared!

I've been hit before by the chernobyl virus, lucky mine was a laptop so there was no physical damage. Few of my friends had to have parts replaced in their desktops, is the trouble worth it? It is to me.

-YC
 

Greta

Flashaholic
Joined
Apr 8, 2002
Messages
15,999
Location
Arizona
I'm unable to duplicate this as well. There's nothing I can do if I can't see the problem and/or don't have the problem.
 

Rothrandir

Flashaholic
Joined
Aug 17, 2002
Messages
7,795
Location
US
this probably won't help any, but i went to google and typed in the name of the accused, i got this
 

Tomas

Banned
Joined
Jun 19, 2002
Messages
2,128
Location
Seattle, WA area
There are other interesting ones out there right now, too. Thing is, some of them can be picked up elsewhere, but won't actually show up doing strange things until somewhat later - then you don't know for sure where you, uh, "stepped in it."

Here's a nice example:

Wired News: Xupiter

The more things like this I see, the happier I am that my 'puters are a
-= MICROSOFT FREE ZONE =-

 

yclo

Flashaholic*
Joined
Oct 8, 2001
Messages
2,267
Location
Melbourne, Australia
Here's a screenshot with the window that popped up just a few minutes ago, right when I clicked to the "Today's Active Topics" link. (CPF daily on my shortcut bar)

-YC
 