FPSBanana- What the hell is going on?

arch5

Block these websites to prevent FPSB viruses: lau9.cn AND o9Ji.cn <----DO NOT GO THERE, IT'S A VIRUS!
More Info: http://www.gamespot.com/pages/forums/show_msgs.php?topic_id=26890398
More Info 2: http://www.facepunch.com/showthread.php?t=743732
WARNING: If, when this page loads, an installer comes up, close it immediately, and if it doesn't close, immediately shut off the PWS on your computer.


REMOVAL INSTRUCTIONS!!!!!

How to remove:

Use Task Manager to terminate the Trojan process.
Delete the original Trojan file (its location will depend on how it initially penetrated the victim machine).
Delete the files created by the Trojan:

%System32%\KB896425.log
c:\nxldr.dat

Delete the following system registry keys:

[HKLM\System\CurrentControlSet\Services\NetWorkLogon]

Update your antivirus databases and perform a full scan of the computer.

How the virus installs itself onto your computer:

Once launched, the Trojan creates a DLL file in the C:\ root directory:
c:\nxldr.dat

It then launches this file and calls the "start" function.

When launching, the DLL file copies its executable file to the Windows system directory:
%System32%\KB896425.log

The Trojan creates a service called NetWork Logon in order to ensure that it is automatically run each time Windows is restarted:
[HKLM\System\CurrentControlSet\Services\NetWorkLogon]

When launching, the DLL file gets a list of processes. It then loads itself into the address space of a process chosen at random from the list, as well as into the processes listed below:
EXPLORER.EXE
IEXPLORE.EXE

In those processes the DLL installs a hook for the send function of WS2_32.dll, which it uses to track the user's HTTP requests. For POST requests where the URL contains the following string:
/vk/unblock_deal.php

the Trojan gets the values of the following parameters:
account=
pin=

If the URL contains the string /dologin.php, the Trojan gets the values of the parameters listed below:
loginname=
&password=

For processes called WOW.EXE the Trojan gets the values entered in dialogue boxes, and will also take screenshots of some dialogue boxes.

The Trojan sends the harvested information to the remote malicious user's site.

The Trojan will also delete all links containing the string "the9.com" from the browser cache.

[Attached screenshots: fpsbv1.jpg, fpsbv2.jpg]
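The removal steps and the installation details quoted in the post above, turned into a host check. This is an added example, not the poster's or any antivirus vendor's code. It looks only for the file paths, service name and process names the post quotes; two things are my own additions and are marked as assumptions in the comments: the SysWOW64 copy of the .log path (where a 32-bit dropper's write to %System32% lands on 64-bit Windows because of file system redirection) and the check of which processes currently have one of those files loaded as a module, which is how you test the injection claim on a live machine. Save it as a .ps1, run it from an elevated PowerShell prompt once to report, and again with -Remove to apply the steps in the order the post gives them. The post does not say where the original dropper lives, so the script cannot delete that file; it leaves it to the full scan.

```powershell
# Added example, not the forum poster's or an AV vendor's code. Checks a Windows host
# for the indicators quoted in the thread and, with -Remove, applies the listed steps.
# Run from an elevated PowerShell prompt. Without -Remove it only reports.
param([switch]$Remove)

$Files = @(
    (Join-Path $env:SystemRoot 'System32\KB896425.log'),  # %System32%\KB896425.log
    (Join-Path $env:SystemRoot 'SysWOW64\KB896425.log'),  # assumption: where a 32-bit dropper's
                                                           # %System32% write lands on 64-bit Windows
    'C:\nxldr.dat'
)
$ServiceName = 'NetWorkLogon'
$ServiceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
# Processes the thread says the DLL is loaded into, plus WOW.EXE where it reads dialog boxes.
$Targets = 'explorer', 'iexplore', 'wow'

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files.
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) { $Findings.Add("file present: $f") }
}

# 2. Persistence: the service key, and a live service of that name.
if (Test-Path -LiteralPath $ServiceKey) {
    $img = (Get-ItemProperty -LiteralPath $ServiceKey).ImagePath
    $Findings.Add("service key present: $ServiceKey (ImagePath: $img)")
}
$Svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($Svc) { $Findings.Add("service '$ServiceName' is $($Svc.Status)") }

# 3. Injection (assumption: my way of testing the claim): one of the dropped files loaded
#    as a module in a target process. Reading .Modules needs admin rights and fails across
#    32/64-bit boundaries, hence the try/catch.
$Infected = @()
foreach ($p in Get-Process -Name $Targets -ErrorAction SilentlyContinue) {
    try   { $hits = @($p.Modules | Where-Object { $Files -contains $_.FileName }) }
    catch { $hits = @() }
    if ($hits.Count -gt 0) {
        $Infected += $p
        $Findings.Add("$($p.ProcessName) (PID $($p.Id)) has loaded $($hits[0].FileName)")
    }
}

if ($Findings.Count -eq 0) { Write-Output 'None of the listed indicators found.'; return }
$Findings | ForEach-Object { Write-Output "[+] $_" }
if (-not $Remove) { Write-Output 'Re-run with -Remove to apply the removal steps.'; return }

# Removal, in the order the thread gives it.
# a) Stop what is running so the files are not locked: the service and the host processes.
if ($Svc) { Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue }
$Infected | Stop-Process -Force -ErrorAction SilentlyContinue
if ($Infected.ProcessName -contains 'explorer') { Start-Process explorer.exe }   # restore the shell

# b) The original dropper's path is not given in the thread; it has to be found by hand
#    or by the full AV scan in step d.

# c) Delete the dropped files and the service key (sc.exe delete NetWorkLogon is the
#    supported alternative to removing the key directly).
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Force }
}
if (Test-Path -LiteralPath $ServiceKey) { Remove-Item -LiteralPath $ServiceKey -Recurse -Force }

# d) Verify, then update AV signatures and run a full scan as the thread says.
$Left = @($Files + $ServiceKey | Where-Object { Test-Path -LiteralPath $_ })
if ($Left.Count) { Write-Warning "Still present (reboot and re-run): $($Left -join ', ')" }
else { Write-Output 'Listed indicators removed; update antivirus databases and run a full scan.' }
```

The module check is the part worth keeping even after cleanup: a .log or .dat file showing up in explorer.exe's module list is abnormal on its own, regardless of the name, so the same loop with a filter on non-DLL extensions makes a reasonable generic triage step.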
 
It's from your own post. One of your big red edits.

Ok, I removed it.

............is the problem solved?

EDIT: Wait, do you mean that website was the virus or my post was a virus? lol
 
I don't get it. So you received a virus warning while visiting fpsbanana.com? Also, please don't link to suspected bad websites.
 
I don't get it. So you received a virus warning while visiting fpsbanana.com? Also, please don't link to suspected bad websites.

Yea, I get that warning.

Sorry about the link, I unchecked the "Parse links in post" box but it still made it clickable.
 
Well it could be one of many things. There could have been a naughty advertisement, a Cross-site scripting attack, or maybe even FPSBanana's servers are infected. In any case, this could happen with any website you visit.

I currently use Adblock Plus and NoScript (enabling the "allow top-level sites by default" option along with the new bookmark syncing feature make it easier). Websites with unobtrusive, unannoying ads and websites I trust get whitelisted. NoScript has successfully protected me against random lols and bad things on the Internet before. I also suggest that Windows users always use antivirus software that has a real-time or live scanner.
 
I hope to God you don't have Hl.2net whitelisted, Spark.
If not, god help you.
 
Ok, apparently FPSB is under attack by stupidass foreign websites. Users on FPSB have been reporting unknown scripts linking to Chinese sites automatically getting into their "Projects".

Moderator: This may sound stupid, but one person on the forum said that they got high-risk viruses from FPSB. I suggest we temporarily sticky this topic and rename it to something like "FPSB Virus Protection" or something like that.

Moderator 2: Remove the links on this post that I made, and put a warning up not to go to the site. http://www.halflife2.net/forums/showthread.php?p=2953859#post2953859
 