hl2.net giving me virus warnings

What these guys are saying is entirely possible and it probably utilizes the fairly new jpeg vulnerability, where code can be put into images now to do just about anything a hacker wanted with your pc, assuming its not patched. It would be specific to the image so some people may get it and some may not as they are different on each page view.

If you aren't familiar with this, here is the MS bulletin:

MS04-028

If you're still not satisfied, let me know and I can show you the proof-of-concept exploit code that makes it all work =p.
 
Chris_D, Munro and other mods...

Indeed, there is something suspect going on with the site. I've been getting Trojans for the past several days from HL2.net. One was placed in my root directory, c:\, and was called "bla.exe". I had another one in a directory called "ADDINS" off the Windows directory called "kbimg.exe".

I confirmed they were coming from the HL2.net by deleting them, then simply opening up IE to your site, specifically the Forums, and poof.. there they were again. IE would crash, and the malicious files would appear.

I've just upgraded my machine to Service Pack 2 to see if it would help in the matter, and I haven't run into another one yet. So fingers crossed.

You might want to check into your advertisers images. There is a flaw in IE where malicious code can hide in JPG images... so that could be a possibility.

I've been coming to the HL2.net since HL2 was announced last year.. and love the site. But unfortunately, I'm not sure I can trust it anymore.
 
Um, yeah i just got this as well.....there might be something to this?
 
blahblahblah said:
Eh-ahem. The only people who are reporting problems are IE users. Not firefox users. I use firefox and have 0 problems.
Click to expand...

See, that's what I was saying.
Edit: Although I haven't noticed anything,like some other IE users. I'm using IE and have got SP2. Maybe there's not proper protection in SP1(or maybe they haven't gotten the latest security patches).
 
This being my first post and all I hate to stir the kettle but there is definatly sumthin wrong with this site. I started comming here to read the reviews and stuff b4 the game came out. Now that I got the game I like to keep up with whats going on. After reading the(without looking back) I believe it was the lead editors post saying that someone has to prove it! Well thats BS! Theres somthing wrong here causing my sbc yahoo browser to crash whenever I come here for 5 minutes or longer (typing fast!) It needs fixed dont give us a bunch of prove this and that. Theres a problem! Deal with it! Im sure all these people including my self have better things to do than complain about this problem that IS REALLY THERE! Why would all these people make this up! Please give this some kind of attention as it only makes you look bad which is a shame after all you just put out a kick ass game but u cant fix the forum? Come on! :O


PS Heres your proof from this bla exe this site just put on my pc!
Today, November 20, 2004, 4:32:22 AM thats the time it was modified while I was making my post!!!!!! Fix this crap!!!
 
I just got it too. I was browsing this site, then IE started going crazy and freezing up, then quit. And zonealarm says:

bla.exe is trying to access the internet.

Allow | Deny
Click to expand...

I checked before, and it has only just appeared, and this is the only site I have been browsing except for a few others, which I doubt the other people who got that message were on. And, it is there, straight in the C drive.

Edit - here's the time modified 20/11/2004 09:52 - and that's when I was browsing this site.

Edit 2 - I just tried to delete the file, but it said it was in use, so i did Ctrl Alt Del, and saw that it was running in the background :(
 
Guys i think your most likely got something else on your system...

This is what is might be happening.
You have an activeX, 3rd party program or some other Program that has spyware in it ect running on your pc. When you vist Hl2.net the program picks up something, mabey the ads, mabey keywords, mabey something else. it then download files or other code that infects your system.

Of course the virus scaner doesn't pick it up as its most likely spyware not a virus that causes the backdoor.
 
I just thought I'd also say that I'm using Firefox & SP2 and I haven't had any problems.
 
I've never had a problem with this site and anyone who does shouldn't be using the internet.

Windowx Xp Sp1 (Havn't reinstalled Sp2 after my format yet)
Mozilla Firefox
AVG professional
 
Maybe it's just a certain ad, which only some people come across.

I deleted the file and browsed the forums a bit, but it didn't come up again.
 
TwwIX said:
they just dont give a shit that's the problem
Click to expand...
You don't seem to understand:

We can't do anything about the problem because we have not seen the problem yet. Yes, there is a possibility that some of the ads are causing issues but we can't do anything at all about it until we see it happening ourselves so we can see when it's happening.
 
If you are having problems send your virus scanner logs to a Admin or post it here. Else there is nothing they can do
 
I would just like to say that in the year and some odd months Ive been here, Ive had absolutely no problems with this site.

Keep up the good work. :D
 
Hope this helps

I'm going to try and post what I've noticed.

Yesterday, when logging in to the site, an add with a white background, and I believe orange text that said "Jobs" and a Caucasian male on the left was the top banner.

An hourglass came next to the arrow icon and started flickering on and off like crazy, so I know some activity was going on. After a few seconds, IE locked up and died. The hourglass stopped going crazy after IE died.

Any time I came to this site and that ad was up, the same thing would happen.
 
Alright, Virtumundo, a malware program, seems to be installing itself from this site. Ad-aware picks it up every time after I visit this site. It makes 2 new registry keys which cause unsolicited pop-ups to an anti-virus program that I've never heard of.

I'm going to do more testing and let you know what I find. I have Zone Alarm, IE, and Firefox, going to get an AV program and scan.
 
I keep having a ad come up asking if it can install "counter.cab" with no certificate... i keep saying no but it comes up all the time only on this site
 
http://securityresponse.symantec.com/avcenter/venc/data/adware.virtumonde.html

That's a better description.

The adware installed avhard.exe, curl.exe, kbun.exe, keyhard.exe, mctapi.exe, minst.exe, siilru.dat, urliis.exe, and vqaap.exe (or vgaap.exe) on my computer. Norton AntiVirus 2005 found all of these.

Not sure if bla.exe happens to be something this adware will install or not.

Symantec's description says that the adware has to piggyback on something else to get installed, so it may not be directly from the site. Like I said, I'm not sure on any of this coming from halflife2.net directly.

The date was created was November 19, 2004 1:46:48 AM Central Time on urliis.exe.

Anyone know of any Macromedia Flash vulnerabilities that could cause this? I sincerely don't remember installing anything, but my computer is in the living room where my roomies can use it. That's why I can't be sure on anything so it would help if some other people could confirm/deny this. AIM: o 0 Falcon 0 o (without the spaces)
 
You are using IE. IE has a lot of security flaws that allows automatic downloading without your approval (for example, ActiveX can permit automatic downloading).

Try downloading firefox. It is a much safer (and better) browser than IE.

Munro, can we have some action against this? It is looking like people are starting to have some evidence against these ads on this site. I thought these were google ads. If so, you should let google know.
 
blahblahblah, I do use Firefox and IE both.

I was viewing the site in IE to see what people were talking about.

Firefox is MUCH better imo, but I have to use both. I design web sites and I have to view them in both to make sure they get displayed correctly in most browsers.
 
I haven't been able to get the ad that was causing the problems to come up again after multiple refreshes. Maybe it was just passing through. If you have to use IE, keep your Windows updated. =P
 
Ever since the ads have stayed more or less the same (far less variety anyhow), I haven't had any more issues. But I do think it's something related to this site as I'm very careful about viruses and spyware. This was the only site setting off alarms. And I'm glad (it appears) the ads were limited to control this. (Could be I'm wrong and it was just luck, but I do think it's been better.)

For those saying get firefox, while I'm sure it's a great browser, that's not really the point IMO. Not everybody on here is going to convert to firefox (I simply prefer using MSN Explorer most of the time since it has features I happen to like and use often), and there's some sort of security issue a lot of people are experiencing somehow related to this site that doesn't happen other places. Whatever browser you use, I don't think it's out of line feeling that problem should be adressed.

Thanks.
 
We still can't do anything. We need to know which ads are causing this. Nate, it appears you're the only one with that kinda malware so far...

Thanks for being so thorough though, but try and catch the relevant ad next time.
 
Chris_D,

I've also encountered the Virtumundo malware while visiting HL2.net. Though I don't know which specific ads might be causing it, I'll keep my eye out.

I posted a couple of days ago experiencing Trojans appearing on my machine after visiting the site. But since upgrading to SP2, I haven't seen anymore. Of course, I'm using IE. It's been mentioned that this wouldn't be an issue if users used Firefox, but this is not the point. A user should expect no malware to be received from websites regardless of browser... especially websites as respected and trusted as HL2.net.

I'll let you and the community know if I can trace the Virtumundo instances down to specific ads.

Thanks.
 
well im not getting any viruses but i have been getting this box that says, error: this document contains no data. Im not sure what this has to do with anything, but i only get it on this site and ive only recently got it. Doesnt seem to be a big deal, but thought id share. :D

BTW im using firefox 1.0
 
I just updated to SP2 tonight.

I had been reluctant to update to SP2 after admins installed it at work and a few programs stopped working. However, I had every other Windows Update installed.

After installing SP2 I cannot get the Virtumondo registry key malware to come back, although several icky tracking cookies still come from the ads.

Looks like the vulnerability was fixed in SP2 and SP2 only. From here on out, anyone who wants to figure out which ads are doing this will have to be pre-SP2 users. Oh, and if any of you have urliis.exe in your running processes, you may want to get ahold of me. It's pretty nasty to remove even when your anti-virus says it's taken care of it. =)
 
ManHacks said:
well im not getting any viruses but i have been getting this box that says, error: this document contains no data. Im not sure what this has to do with anything, but i only get it on this site and ive only recently got it. Doesnt seem to be a big deal, but thought id share. :D

BTW im using firefox 1.0
Click to expand...

This document contains no data is caused by all your bandwidth being chewed up by other apps and thus Firefox eventually gives up trying to grab the site content.
 
i use firefox and its pop up blocker, so i dont get any ads/downloads. i recommend getting the newest version of firefox in order to prevent virus downloads
 
Chris_D said:
We still can't do anything. We need to know which ads are causing this. Nate, it appears you're the only one with that kinda malware so far...

Thanks for being so thorough though, but try and catch the relevant ad next time.
Click to expand...
Which ads? As far as i know there's only 2, atleast they're never changing away from those 2.

Obviously you won't take the word for the users, and doubt scanning logs will be worth shit. Why don't you just take a trial run on a couple of xp installations(one without any sp's and one with sp1 and one with sp2). Install some anti-virus and firewalls go to the forums and check what the anti-virus/firewall says.

Surely a couple of hours can't be too much to ask when this is a more and more popular matter on your site.

And you others get upgraded to SP2 now, the only reason software doesn't work is because it's outdated or you haven't gotten a patch for it. But that's the same as going from Dos/Win98 to 2k.
 
I'm on SP1, and I haven't experienced any problems. Running Kerio firewall.

And there are lots of ads on a rotation.
 
tweak around with internet settings, if you have a firewall, and if you have other virus programs, try using those as well.
or, just install Ad-Muncher.
it gets fid of ads, so if an ad is setting up the protocal, then it should just block the function of the ad. if that doesnt work, i have no idea what would.
(the Ad-Muncher site is simply www.admuncher.com)
(admucher has its problems, like its 30day trial period. when that comes up, just minimize it, or if the newer version is out, uninstall it and install the newer one)

ive been here a while, and ive never experienced something like that. it could be something else, like a virus built into your comp that activates after entering this site. it could be various things. it all depends on what does what in your comp.
 
You're missing the point. I've never said I don't believe you - I've said that for us to do anything we need to know which two ads are causing it so we can notify the people that are serving those specific ads.

Munro has tried several times to replicate different situations where this might be occuring including two versions of Windows, different service packs, different firewalls, different AV and different browsers. He's turning up nothing.

The ads are getting pulled until further notice. I would greatly appreciate any virus scanner or firewall logs as it may actually help us to get to the problem. We've been asking for more info for days but no one seems that bothered about actually providing it. There is also a thread stickied in this forum that includes my e-mail address and other information that'd be nice to help us solve the problem.

It's been up for nearly a day, but no one's replied yet. If you want us to solve this situation, please help us to do so because we've done all that we can now.
 
So you're saying that you took a brand-new installation, with NO AV / firewall, and browsed HL2.net using the latest version of IE?
 
I haven't personally.

The ads are gone now anyway. ANY FURTHER INFORMATION may be required to insure that when the ads are back up they won't be including the ones that are giving people problems.
 
You must log in or register to reply here.

Similar threads

Acepilotf14
steam group bad link
Replies
3
Views
408
Xtremecherry95YT
Xtremecherry95YT
Terminator
Long time...
Replies
12
Views
844
Xtremecherry95YT
Xtremecherry95YT
Krynn72
You guys, what the **** is up.
Replies
11
Views
2K
Tollbooth Willie
Tollbooth Willie
Tollbooth Willie
HL2.NET HORROR SLAP
Replies
7
Views
2K
Tollbooth Willie
Tollbooth Willie
ktimekiller
The "other" ValveTime website...
Replies
2
Views
650
Shem
Shem
Back
Top