Virus alert?

yclo

I'm using McAfee VShield and a few times when I reload the "Today's Active Topics" I get a downloaded virus warning?

Virus name:
JS/IEStart.gen.c

Someone???
 
yclo,

Please contact a moderator, ASAP. Right now, I'm on my "Day-trading" drive. This drive doesn't contain an anti-viral program, as I don't store any data here, so I can't confirm any virus activity [my general purpose drive has a super-charged version of Norton's]. I figured that I would keep this drive "Simple & Stupid" and if I had a problem, I would simply blow this drive away and reload the few programs that I have here. Maybe someone else can verify this activity? Anyone?

Dan
 
I just posted in the ARC Flashlight Forum, under Peter's thread about Shipping and noticed that the post ended up - not by me but by "Brite One" member #2577. I went to the profile and it allowed me to be able to update his profile...something isn't right. I sent e-mail using the "Contact Us" option at the bottom of the page.

I've since rebooted my system and logged on again and changed my password. Just ran a virus check last night - all's good. The last thing I downloaded was that "USMC answering machine" comedy link in one of the forums here (probably one of those "war" Forums in the Cafe?)...My system still checks good...

Would like to find out fast!
 
The virus alert may be a false positive. The only active content on "Today's Active Topics" that I can see is a script that gets the cookie, tests for "logged in" status, and outputs "Hello username".

Here's the code:
```javascript
<!--
// Read the session cookie and split it into its two "&"-separated fields.
var session_cookie = getCookie('session2452483.1452');
if (session_cookie == null) {
    var session_dt = "0";
    var session_j = "0";
} else {
    var session_array = session_cookie.split("&");
    var session_dt = session_array[0];
    var session_j = session_array[1];
}

// Return the value of the named cookie from document.cookie, or null.
function getCookie(name) {
    var cname = name + "=";
    var dc = document.cookie;
    var begin, end;

    if (dc.length > 0) {
        begin = dc.indexOf(cname);
        if (begin != -1) {
            begin += cname.length;
            end = dc.indexOf(";", begin);
            if (end == -1) {
                end = dc.length;
            } // end if
            return (dc.substring(begin, end));
        } // end if
    } // end if
    return null;
}

//-->
```

AND:

```javascript
<!--
var user_cookie = getCookie('ubber2452483.1452');
if ('' == user_cookie || null == user_cookie) {
    document.writeln('You are not logged in.',
        ' <a href="http://www.candlepowerforums.com/cgi-bin/ultimatebb.cgi?ubb=login">Login</a>' +
        ' or <a href="http://www.candlepowerforums.com/cgi-bin/ultimatebb.cgi?ubb=agree">register</a>');
} else {
    // Cookie fields are "&"-separated; the third one is the display name.
    var user_array = user_cookie.split("&");
    user_array[2] = unescape(user_array[2]);
    document.writeln('Hello, ', user_array[2]);
    document.writeln('[ <a title="Click here to log out." ' +
        'href="http://www.candlepowerforums.com/cgi-bin/ultimatebb.cgi?ubb=logoff">',
        'log out</a> ]');
}
//-->
```
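
Added example, not part of the original post and not the forum's code: a stricter take on the same greeting logic, matching the cookie by exact name rather than by substring and HTML-escaping the display name before it is placed in markup. `parseCookies`, `safeDecode`, `escapeHtml` and `greetingHtml` are hypothetical names, the sample cookie strings are constructed, and `decodeURIComponent` stands in for the posted script's `unescape`.

```javascript
// Added example, not the forum's code. Cookie name and the "&"-separated
// layout (display name in the third field) are taken from the posted script.
const USER_COOKIE = 'ubber2452483.1452';

// Split a document.cookie-style string into exact name -> value pairs, so a
// cookie called "xubber2452483.1452" can never be mistaken for ours.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (!jar.has(name)) jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// Percent-decode without throwing on malformed sequences.
function safeDecode(value) {
  try {
    return decodeURIComponent(value);
  } catch (e) {
    return value;
  }
}

// Neutralise the characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the greeting as a string that is safe to insert into the page.
function greetingHtml(cookieString) {
  const raw = parseCookies(cookieString).get(USER_COOKIE);
  const fields = raw ? raw.split('&') : [];
  if (fields.length < 3 || fields[2] === '') return 'You are not logged in.';
  return 'Hello, ' + escapeHtml(safeDecode(fields[2]));
}

// Constructed sample cookie strings (not captured from the site).
const samples = [
  'ubber2452483.1452=42&abc&yclo',
  'xubber2452483.1452=1&2&spoof; theme=dark',
  'ubber2452483.1452=42&abc&%3Cb%3EDan%3C%2Fb%3E',
];
for (const s of samples) console.log(greetingHtml(s));
```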
 
Yclo, I've attempted to duplicate the situation, but can't get the infection nor the warning from my virus, trojan, nor browser guard software. Of course, like you, I can only observe it from the user's end.

Has your start page been reset, or is it just a warning from your virus software? If it's only a warning but no symptoms, it could be that something is close enough to McAfee's signature files to trigger a false warning. If the JS/IEStart.gen.c script is resetting your start page it should become obvious. Of course different browsers, and different versions and builds and patches could react differently. I'm sure if there is indeed a script trojan it will be noticed.
 
yclo,

Back again on my other drive and I'm not picking up anything. You might want to update your viral definitions and run a complete scan. Also empty your "Temporary Internet" folder, including offline content. Don't reboot your machine [if you can avoid it], as this sometimes will drive a Trojan deeper. If you are running Win9x/Me, you might want to set your folder options to "Show all files" and then scan the "Temporary Internet" folder with the "Find files" function, as these little beasties can hide there even after you cleared the files. You can also use the "Find files" function to scan your C drive for everything that has been created or modified in the last 24 hours. I hope for your sake that this is only a false alert.

Dan
 
I haven't seen it since that first post anymore, but for the few times it did pop up, I just clicked delete on my McAfee window and it went away.

I checked my startup homepage and it hasn't been changed.

Upgrading virus definitions now....

Weird, sorry for the scare.
 
It seems to me that JS/IEstart.gen is simply a "browser hijack" trojan that changes the user's home page and adds favorites. It is also known as "JS Seeker" by other AV companies. There are many variations as shown here. More information is here and here. It is considered "low threat" because no other data is changed other than IE/Netscape's settings.

Google "JS Seeker" for lots more info.

I hope that this helps
 
hmmm...i just opened up the internet, and the homepage which was previously set to about.blank was set to something about netscape....
 
Did you just update Netscape? Are you using Netscape 7.0??
nice browser eh? I thought Netscape would NEVER make a decent browser but...
 
actually, no, i didn't update...

is it nice now? i remember it used to be crap, but if you like it, maybe i will check it out. (beats using microsoft stuff at least)
 
But but but, I get scared!

I've been hit before by the chernobyl virus, lucky mine was a laptop so there was no physical damage. Few of my friends had to have parts replaced in their desktops, is the trouble worth it? It is to me.

-YC
 
I'm unable to duplicate this as well. There's nothing I can do if I can't see the problem and/or don't have the problem.
 
this probably won't help any, but i went to google and typed in the name of the accused, i got this
 
There are other interesting ones out there right now, too. Thing is, some of them can be picked up elsewhere, but won't actually show up doing strange things until somewhat later - then you don't know for sure where you, uh, "stepped in it."

Here's a nice example:

Wired News: Xupiter

The more things like this I see, the happier I am that my 'puters are a
-= MICROSOFT FREE ZONE =-

 
Here's a screenshot with the window that popped up just a few minutes ago, right when I clicked to the "Today's Active Topics" link. (CPF daily on my shortcut bar)

-YC
 
