Last night, it seems CAG, along with several other sites running PHPBB forum software (including SpeedTv.com), were compromised. So far, it does not appear to be serious and seems like only a redirect link was inserted into the forum pages. No information was lost.

Of course this is little consolation to those who installed the malware plugin (http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=260546). I thought I made the necessary updates to prevent this from happening, but apparently my changes never took. My apologies.

Thanks to everyone who emailed me about the problem and I hope you can get your PCs back to normal quickly. Thanks to Defender for helping to get the site back up quickly.

Here are Defender's plugin removal steps:

We have a serious problem. We were hacked. If you have downloaded the file PLUGIN_INSTALL.EXE that was a fake patch to your computer you must delete it asap. DO NOT INSTALL. If you have please follow the instructions below to remove it. I make no claims that this will help you or that you won't screw your computer up. This is what I did and it worked for me. Print or copy this immediately!!!!! Read all instructions BEFORE attempting. Make sure you understand them,

1. Remove your computer from the web. You should just unplug the network cable.

2. If you have system restore on...you must shut if off immediately.

3. Shut down your computer. You can ctr-alt-del and go to USERS. From there you can choose to logoff..then shutdown.

4. Reboot your computer and hold the F8 key. This will bring up a boot menu option from windows.

5. Choose SAFE MODE.

6. Search your computer for a file named sp2patch.exe

7. Go into c:/windows/system32/ and delete the folder (remember the folder name please) that sp2patch.exe was inside.

8. Go to the start button and click RUN.

9. Run REGEDIT

NOTE: Please be very careful here.
10. Do a search in regedit for the key,value, and date for CSRSS.EXE (note:this is a clone of a real windows component) Delete anything found with that key where the directory is from the folder in step 7.

11. Do a search for sp2patch.exe in regedit as well. DELETE any entries found.

12. Reboot into normal windows mode.

13. If you reboot and do not get any errors then you may have been successful. If you ctr-alt-del you can see the system processes. If you see only 1 csrss.exe then you have it.

14. Shut down, attach your network cable again and reboot.

-Defender
Good Luck!

Good to see the site back. Great job on that guys.

hooray

Atleast them pornos you made arent all over the net.

And people wonder why I'm on a Mac and browse with Safari.

I browse with Firefox, and it owns... but lets not jack CheapyD's thread :p

Glad for the responsive reaction.

First off, Great job guys. Secondly, what other sites were down that were running php? And lastly, any clue or suspicion as to who did it other than those eaxposed.com people?

Nobody with common sense installed the plugin... you could tell it was fishy right away.

Atleast them pornos you made arent all over the net.

Umm then you didn't see this! CheapyD pr0n (http://gaymen.com/)

Yeah, good job on getting the site back up so quickly. I thought I was actually going to have to do some work today! :shock:

Well, at least I have 2 laptops cause I lost one last night to the blue screen of death. Fatal system Error :cry:
Great to see the site back up

There is no way I'm clicking that link.

Nobody with common sense installed the plugin... you could tell it was fishy right away.

By the way, where was this plug in? Was it introduced on the site last night?

great job getting the site back up

:twoguns: Damn hackers!

FUCKING IDIOTS HACKING TEH SITE!

Glad the site is back Cheapster.

Thanks for getting the site back up so soon

It's nice to see you got everything working again.

Damn sucks for those that downloaded it. Thankfully I saw it for what it was and didn't.

And people wonder why I'm on a Mac and browse with Safari.

* High-Five's PittsburghAfterDark *

Like a moron, I clicked the link (but never installed it). Even if I had, it wouldn't have worked on a Mac.

The whole thing sucks, though. I hope no one was really affected.

Good work on getting the site back up so quickly...I was scared their would be nothing for me to read while at work

Good job, on getting this site back up, it's awesome the site is back up so fast! Exellent work guys

Yay! Reprieve from work all day.

I downloaded it on a Lab pc I have at home, knowing it was a virus or trojan of some sorts. I guess I was just curious to see what would happen and since it was my test pc,, I had nothing to lose. When it installed, it started playing some Michael Jackson song and was running something from the command prompt. After installing, my system wouldnt shutdown, but I didnt notice anyything else wrong. After I had my fun, I just re-imaged the machine and I'm back up and running..

I tried it just to see what it'd do, but MS Antispyware was up to the task. Didn't even get through.

Great job getting the site back up.

i hate hackers

Its good to see the site backup, goddamn hackers

My CAG withdrawal is finally over!

Nobody with common sense installed the plugin... you could tell it was fishy right away.

Shoulda told that to my friend. :( He was over late last night, and I had went to the bathroom. I came back, and he said he had downloaded something. Then, my PC wouldn't shut down...I was pissed. :evil: I hope I got rid of all of it...

I saw the plugin last night and I didnt download it. I was frankly suspicious.

I know Cheapy D would have mentioned something days before doing something like having a plugin.

I am sooooo glad I followed my instincts!

Wow, good thing I did not download it.

I figure it was too much hassle and it was late, so I just ignored it. :D Whew...

Apparently Firefox never picked it up because I never saw any downloads. Plus it doesn't hurt to have Norton as backup. :)

Glad you were able to get everything back up and running so quickly.

I download it last night. It wouldn't let me shutdown, I did a system restore and it fix it. It show it has only one csrss.exe running in system process. I even did a search for a sp2patch.exe, it was located at windows/preface not system32/ I just delete it anyway and also did a regedit and delete the whole folder.

Anyone know what the plugin does to your computer besides making it not shutdown correctly?... besides the michael jackson music?

Anyone know what the plugin does to your computer besides making it not shutdown correctly?... besides the michael jackson music?

I never got any music with mine...

I browse with Firefox, and it owns... but lets not jack CheapyD's thread :p

Glad for the responsive reaction.

Actually, I use an alternative browser, Opera to browse CAG at home. Since I switched to DSL, I thought it would be a good idea to not use Explorer so much since all the hackers attack Explorer.

Anyone know what the plugin does to your computer besides making it not shutdown correctly?... besides the michael jackson music?

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=260546


Oh yeah...and updates reminder :arrow: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563 ](*,)

Its good that CAG is back up so quickly. School would be really boring if I couldn't go to CAG.

my Laptop was infected since I was curious last night :(. Anyway I am using win 2k and looks like the plugin doesn't really work for win 2k but it does causing I couldnot reboot my laptop.

I have removed it manually by deleting the sub directory under system32 which contain csrss.exe and all registry which has that directory and the csrss.exe under need it.

Looks like it works as usual now.

So I don't get it- it seems as if it was just a punk-ass stunt more than anything, and it was easily removed... I wonder what the whole point of the attack is. I mean, at least terrorists announce why they did what they did.

WTG on getting the site up so quick! WoOt!

Umm the software was malware.

It was either a keylogger or it was simply just sending your files to another place.

If you had the fake patch running and logged into your paypal/ebay or any account for that matter...GO CHANGE YOUR PASSWORDS ASAP.

I downloaded it, but deleted it. I im'd Scorch and were we looking for a mod to IM. Luckily we got in contact with punq. It was pretty cool tryin to figure out what the hell was going on. Thanks CheapyD!

After playing halo 2, i came back to the PC to refresh CAG, "forums hacked" was everywhere. Thanks to CheapyD and the CAG crew, i'm glad everything is back up and running. Hope Moxio didn't get the plug-in, him listening to music could have serious effects.

I downloaded it so I could scan it and see if it was bad or not... but like an idiot, i slipped while right-clicking and clicked open instead of scan. It came up and asked for the number of ports or w.e, and I closed it right away. Could that have done anything to my system? Im at school right now so I cant do anything about it... yet.

like an idiot i dl'ed it. i ran AVG scan, but it didn't detect anything. i'm gonna edit the registry tonight. the only thing i could find wrong was that it wouldn't let me shut the pc down.

it's shut down now, but i left the machine on last night in standby mode. oh well, i hope my nekkid pics don't end up next to Fred Durst's(sp?).

I downloaded it. I tried to run/open it, but it didn't do anything. I shut my comp down, and it wouldn't. So I manually turned it off. Rebooted my comp, and everything seems to be fine. There's only one csrss.exe running in the Processes tab...

After reading Defender's warning, I immediately deleted the plugin_install.exe. I'm just wondering, am I infected? Since it didn't want to shut down for me the first time...but everything seems to be A-OK right now.

http://www.bbc.co.uk/cult/24/your24/images/favourite_character.jpg

He's on the case.

I'm glad everything is back to normal...

everything is back to normal...

...or is it?

The redirect looked funny, so the first thing I did when I came across the redirect page was a Google search - which confirmed this thing was no good.

I got a trojan last year that was a bitch to remove, so I'm always suspicious about these things now.

Well fuck. I may have messed something up when deleting this. My "Security Center" in XP gives me this message:

The Security Center is currently unavailable because the "Security Center" has not started or was stopped. Please close this window, restart the computer (or start the "Security Center" service), and then open the Security Center again.

Well, son of a bitch. What the hell do I do now? I restarted my PC, but that same message is there. By the way, this is found by going to:

Start > Control Panel > Security Center

Does anybody (hopefully Defender) know what I need to do?

I make no claims that this will help you or that you won't screw your computer up.

uh oh

How do you remove it from the registry? I keep getting an error when I reboot my computer. I found the file and deleted it but I thinks there's more on my computer.

i hate hackers

The correct term is script kiddie. phpbb exploits are WIDELY known about and have been for a very long time now. (phpbb is not secure, at all)

and "scripts" exist for the purpose of sploiting it. which is what happened.

these script kiddies posess very limited actual knowledge, and therefor "hacker" is giving them way too much credit as the script was readily available for download created by someone else.

I had clicked my CAG link on Fav. Places and then got up to take a dump. When I came back there was this curious white screen with plain text saying "Because of trafficking issues we have installed this patch." (or something similar) I didn't remember what link I had clicked before I left, but I figured it was suspicious.

Came back to CAG a few minutes later and saw all the "CAG FORUMS HAVE BEEN HACKED DO NOT LOG IN/ENTER" .. so I took a screenshot of it. :)

I have always wondered what kind of people sit around and make viruses and malware. It seems so pointless to me. Don't you have anything better to do with your time? Or do they get some kind of power trip off of it?

Well shaq-fu. I may have messed something up when deleting this. My "Security Center" in XP gives me this message:

The Security Center is currently unavailable because the "Security Center" has not started or was stopped. Please close this window, restart the computer (or start the "Security Center" service), and then open the Security Center again.

Well, son of a bitch. What the hell do I do now? I restarted my PC, but that same message is there. By the way, this is found by going to:

Start > Control Panel > Security Center

Does anybody (hopefully Defender) know what I need to do?

Wow, I'm kinda glad i went to sleep at 8:30pm last night. But i'm glad the site is back up.

I have a snowday today! YAY!

And people wonder why I'm on a Mac and browse with Safari.

The plugin would have shown up no matter what OS/browser you were using.. I would use a Mac, but only if I had a second machine...

Well shaq-fu. I may have messed something up when deleting this. My "Security Center" in XP gives me this message:

The Security Center is currently unavailable because the "Security Center" has not started or was stopped. Please close this window, restart the computer (or start the "Security Center" service), and then open the Security Center again.

Well, son of a bitch. What the hell do I do now? I restarted my PC, but that same message is there. By the way, this is found by going to:

Start > Control Panel > Security Center

Does anybody (hopefully Defender) know what I need to do?

don't have a clue. i'm afraid you may have deleted the non clone version of the file.

NOTE: Please be very careful here.
10. Do a search in regedit for the key,value, and date for CSRSS.EXE (note:this is a clone of a real windows component) Delete anything found with that key where the directory is from the folder in step 7.

Well shaq-fu. I may have messed something up when deleting this. My "Security Center" in XP gives me this message:

The Security Center is currently unavailable because the "Security Center" has not started or was stopped. Please close this window, restart the computer (or start the "Security Center" service), and then open the Security Center again.

Well, son of a bitch. What the hell do I do now? I restarted my PC, but that same message is there. By the way, this is found by going to:

Start > Control Panel > Security Center

Does anybody (hopefully Defender) know what I need to do?

don't have a clue. i'm afraid you may have deleted the non clone version of the file.

NOTE: Please be very careful here.
10. Do a search in regedit for the key,value, and date for CSRSS.EXE (note:this is a clone of a real windows component) Delete anything found with that key where the directory is from the folder in step 7.

That's what I was thinking, but everything else seems to be running correctly. :? Anyone??

Glad CAG is back. We had a long discusdion in the chat room last night when this

See? I always knew there was benefit to browsing the web on a PowerBook. :-P

Allright, so I'm a moron. I downloaded this crap and scanned it with virusscan which came up fine, so i ran it. I followed the instructions, but i still get errors looking for files when the computer boots up. Now I followed all the instructions except for one thing. When doing the registry scan for the crss, a whole bunch of things popped up, and i only deleted the one that was really obvious, as I didn't want to delete other ones that might screw stuff up (most were listings for perfectly good files: firefox, bejeweled, etc... do i delete all of these?

I d/l it like a dumbass and went to set it up, and it brought up the black box in run. I hit enter then it asked some thing and I just closed it out and deleted it in the recycle bin. I then did a system restore and did a search for sp2patch.exe, It didn't find anything and in the process it only shows one crs. So am I ok or not? I'm really worried right now and I hope everything is ok.

You sound ok.

Boy, like a dumba$$ I downloaded it and opened it. Noticed it didn't do anything, so I checked task manager to see if something was running. And there behold csrss.exe was running under my user name, so I knew something was up. Went back to CAG and all the threads read "CAG Hacked... " Couldn't turn my comp off initially, but eventually turned it off. Woke up and read how to get rid of the fake patch and everything is fine now. Major thanks to defender for putting together the step by step removal tips.

OK, Defender,
I posted wrong a minute ago. It was in step 11: "11. Do a search for sp2patch.exe in regedit as well. DELETE any entries found."
I get a big list of stuff.... Do I delete ALL of these entries? some look ok... or are they affected or something?

Reason being that I'm still getting errors looking for files when Windows boots up normally.

Any suggestions would be greatly appreciated

And people wonder why I'm on a Mac and browse with Safari.

The plugin would have shown up no matter what OS/browser you were using.. I would use a Mac, but only if I had a second machine...

I'm using FireFox on RHEL4, and the plug-in never showed up.

I'm very lucky I didn't visit the site last night. I'm usually a downloading freak, it's good I missed this one.

I noticed that it started showing the messege right after 1am EST, I decided not to download, i googled the file, but couldn't find anything. So, I then gave up on my posts for the night and decided that I would wait till the morning to find out if it was legit.

I didn't download the installer from the CAG hacked page. It seemed so "iffy" to me that this wouldn't have been announced earlier. However, I was curious and googled the link and ended up at the hacker's page (something about being angry at phpbb and wanting to bring them down, which the script doesn't even do). I must have clicked on something as a file did get transferred via my Opera browser. Despite the fact that I never opened it, I did get two csrss.exe files in Task Manager and found a new folder ("JqxHnbrh") in my System32 folder. I did an F8 reboot and deleted the files from the cmd line. Never had trouble restarting and nothing seemed adversely affected.

Something to think about if it ever happens again, Defender's tips looked very similar (font and background) to the hacker's page, and I was suspicious that it was just further mischief. I have Windows 2000, not XP, so I couldn't follow his advice anyway, but I was leery of deleting the Service Pack and deleting system files merely because it was signed "Defender." It wasn't until the main page was restored that I had confidence that it was real.

Any idea on what I should do? I think I got it all off, but I posted my problem above. Should I just use the manufacturer's Windows XP disc and reinstall Windows all over again?

Well, it also seems something may be wrong with my cookies. Each time I close IE, when I get back here to CAG, I have to manually log in each time, even though I check the box to stay logged in. :?

Just because you don't have the ps2patch file doesn't mean you are okay.

Also look for these files in X:\win\system32 and delete them via safe mode: Ipconf.tsp & Ipconfig.exe

Also an easier way to clean your registry after deleting the crss.exe file is to get a registry cleaner like aceutilites or reg organizer. Once the file is deleted they will detect the bad registry entries and delete them for you so you don't have to worry about deleting something that you shouldn't.

Also flush all your browser cache to be on the safe side, and check your plugins to make sure that something isn't in there.

Damn, I'm really pissed after seeing all the CAGers that got infected by this crap. There's gotta be at least 10 for every 1 that posts about it on this thread, too. :cry:

Hopefully the :censored: hacker discovers that karma is a bitch.

Also look for these files in X:\win\system32 and delete them via safe mode: Ipconf.tsp & Ipconfig.exe

Also an easier way to clean your registry after deleting the crss.exe file is to get a registry cleaner like aceutilites or reg organizer. Once the file is deleted they will detect the bad registry entries and delete them for you so you don't have to worry about deleting something that you shouldn't.

Also flush all your browser cache to be on the safe side, and check your plugins to make sure that something isn't in there.

Does my having the "Ipconf" files mean I have to go through the whole procedure listed on the first page of this thread?

Also look for these files in X:\win\system32 and delete them via safe mode: Ipconf.tsp & Ipconfig.exe

Also an easier way to clean your registry after deleting the crss.exe file is to get a registry cleaner like aceutilites or reg organizer. Once the file is deleted they will detect the bad registry entries and delete them for you so you don't have to worry about deleting something that you shouldn't.

Also flush all your browser cache to be on the safe side, and check your plugins to make sure that something isn't in there.

Does my having the "Ipconf" files mean I have to go through the whole procedure listed on the first page of this thread?

You don't have to repeat everything. Just go into safe mode and delete those files. And pray that you had a firewall to stop it from sending your info all over the net.

Also make sure to delete the file you downloaded. You might forget and one day click on it again to see what it is.

Once again, I'd like to apologize to the CAG community for this pain in the ass hassle.

I really thought I was prepared for this and had made the proper corrections last weekend. Little did I know that the changes I made never saved.

:oops:

You don't have to repeat everything. Just go into safe mode and delete those files. And pray that you had a firewall to stop it from sending your info all over the net.

I'll start the praying now, thanks! Only firewall i have is the Windows one, so God knows right, heh....

Don't worry bout it Cheapy, ain't a thang but a chicken wing.

I'm pretty sure ipconfig.exe is part of Windows. I don't think if you have that it means you were infected. (Are you absolutely sure on that Scrubking? And do you have a site with info, etc?) ipconfig.exe is mentioned on MS's site as part of Windows 2000:

http://support.microsoft.com/kb/223413/EN-US/

quick action, awesomeness! thanks cheapy and defender :)

And people wonder why I'm on a Mac and browse with Safari.

I'm pretty sure ipconfig.exe is part of Windows. I don't think if you have that it means you were infected. (Are you absolutely sure on that Scrubking? And do you have a site with info, etc?) ipconfig.exe is mentioned on MS's site as part of Windows 2000:

http://support.microsoft.com/kb/223413/EN-US/

Well that was the only stuff that started acting up. I had no sp2patch file whatsoever. Anyway I haven't had a problem so if they are real win files then they must not be that important so you can just reinstall em or whatever. I would reinstall fresh versions anyway just to be on the safe side.

What link is everyone talking about?
Where was this link posted to begin with?

No harm to my computer as I didn't download and install the plug-in. It really seemed fishy to me from the beginning.

IIRC, it started . . .

Due to the high volume of traffic we've been RECIEVING...

*cough*spellcheck*cough :roll:

Glad you were able to get the forums up and running again, Cheapy! :applause:

Also look for these files in X:\win\system32 and delete them via safe mode: Ipconf.tsp & Ipconfig.exe

Also an easier way to clean your registry after deleting the crss.exe file is to get a registry cleaner like aceutilites or reg organizer. Once the file is deleted they will detect the bad registry entries and delete them for you so you don't have to worry about deleting something that you shouldn't.

Also flush all your browser cache to be on the safe side, and check your plugins to make sure that something isn't in there.

Does my having the "Ipconf" files mean I have to go through the whole procedure listed on the first page of this thread?

You don't have to repeat everything. Just go into safe mode and delete those files. And pray that you had a firewall to stop it from sending your info all over the net.

Also make sure to delete the file you downloaded. You might forget and one day click on it again to see what it is.

When I searched for these, I had four returned when I searched for Ipconf.tsp and 3 returned searches when I searched for Ipconfig.exe I am not sure if any of these should be deleted. How do you tell which are good, and which aren't?

Also, would it solve all of my problems just to reinstall Windows completely? I really don't have much of anything I really need on here right now...

Also look for these files in X:\win\system32 and delete them via safe mode: Ipconf.tsp & Ipconfig.exe

Also an easier way to clean your registry after deleting the crss.exe file is to get a registry cleaner like aceutilites or reg organizer. Once the file is deleted they will detect the bad registry entries and delete them for you so you don't have to worry about deleting something that you shouldn't.

Also flush all your browser cache to be on the safe side, and check your plugins to make sure that something isn't in there.

Does my having the "Ipconf" files mean I have to go through the whole procedure listed on the first page of this thread?

You don't have to repeat everything. Just go into safe mode and delete those files. And pray that you had a firewall to stop it from sending your info all over the net.

Also make sure to delete the file you downloaded. You might forget and one day click on it again to see what it is.

When I searched for these, I had four returned when I searched for Ipconf.tsp and 3 returned searches when I searched for Ipconfig.exe I am not sure if any of these should be deleted. How do you tell which are good, and which aren't?

Also, would it solve all of my problems just to reinstall Windows completely? I really don't have much of anything I really need on here right now...

That's what I'm saying - it probably installed its own version of those files, but I'm not a hacker so I don't know.

I would say to check the date on those files - I would suspect the most recently used or accessed ones are the bad ones.

I believe that if you delete them you can do a repair install that will reinstall those files again without formatting and installing from scratch.

Also look for these files in X:\win\system32 and delete them via safe mode: Ipconf.tsp & Ipconfig.exe

Also an easier way to clean your registry after deleting the crss.exe file is to get a registry cleaner like aceutilites or reg organizer. Once the file is deleted they will detect the bad registry entries and delete them for you so you don't have to worry about deleting something that you shouldn't.

Also flush all your browser cache to be on the safe side, and check your plugins to make sure that something isn't in there.

Does my having the "Ipconf" files mean I have to go through the whole procedure listed on the first page of this thread?

You don't have to repeat everything. Just go into safe mode and delete those files. And pray that you had a firewall to stop it from sending your info all over the net.

Also make sure to delete the file you downloaded. You might forget and one day click on it again to see what it is.

When I searched for these, I had four returned when I searched for Ipconf.tsp and 3 returned searches when I searched for Ipconfig.exe I am not sure if any of these should be deleted. How do you tell which are good, and which aren't?

Also, would it solve all of my problems just to reinstall Windows completely? I really don't have much of anything I really need on here right now...

That's what I'm saying - it probably installed its own version of those files, but I'm not a hacker so I don't know.

I would say to check the date on those files - I would suspect the most recently used or accessed ones are the bad ones.

I believe that if you delete them you can do a repair install that will reinstall those files again without formatting and installing from scratch.

Well, I looked at their dates, and they were all from a while ago (like August 2004) so I don't think any of them are bad.

anyone getting the "ping of death attack"? cause i am......208.53.160.48 keeps pinging my computer...sigh

Well I only had one copy of each of those files, so I just did a system restore to the morning before I saw the plugin. The thing is, I didn't run it (Windows stopped me before that, and I decided not to run it), but I noticed I was getting pop ups and had Ad stuff in my "Processes" tab of Task Manager. Spybot picked up a lot of stuff, but then said it couldn't remove a lot of it. Adaware didn't pick up the same stuff I think, but I removed what it did pick up anyway.

So now, after my system restore, I will re-install McAfee (i took it off cause it was slowing my comp down so much) and go from there.

I was going to do a System Restore, but the only restore point it has available was for today at noon...WTF?!

Whew, glad that I didnt download it. Nice to see you guys got everything back in order.

I was going to do a System Restore, but the only restore point it has available was for today at noon...WTF?!

I got an alert when I chose to turn off system restore (following Defender's steps to clear out the plug-in) that said if I chose to turn it off that it would reset and clear all restore points that currently existed on my computer. So I'm figuring if you turned off system retsore then turned it back on, the only restore point you're gonna have is the time at which system restore was turned back on... which for you would be about noon today I'm assuming? :oops:

I was going to do a System Restore, but the only restore point it has available was for today at noon...WTF?!

I got an alert when I chose to turn off system restore (following Defender's steps to clear out the plug-in) that said if I chose to turn it off that it would reset and clear all restore points that currently existed on my computer. So I'm figuring if you turned off system retsore then turned it back on, the only restore point you're gonna have is the time at which system restore was turned back on... which for you would be about noon today I'm assuming? :oops:

Shit. I don't remember getting that warning, but thanks for telling me. Now, can anybody answer these:

If I reinstall Windows XP with the CD that came with my PC, will it get rid of my problems? Will my Secruity Center come back?

I downloaded it by accident yesterday. You know sometimes you just click the mouse for no apparent reason, well I clicked it right as the screen switched over to the hacked screen and clicked it right on the plug in link :? .

Alright, I did pretty much exactly as Defender and others have said. I think I'm set now and have cleaned it all out but I just want to make sure. All I have left now is one csrss.exe in my system folder and only one running in taskmanager. The date it says that it was created was on 8/25/2003 and then the date it says that it was modified was on 8/29/2002. It sounds kind of fishy buy I think I did basically everything Cheapy, Defender, and others have said to do. Is this the alright csrss.exe file?

I believe the correct file should be in the system32 folder as apposed to being in a subfolder of system32.

I just did a search for that Ipconfig stuff that Scrubking recommened to be deleted and only found one of each file. ON the Ipconfig.tsp it found only one but it says that the date it was created was on 8/25/2003 and the date modified is 8/29/2002, why is that?

Also could you guys maybe refresh my memory again where the system restore is. isn't it in Star>All Programs>Accessories>System Tools?

I believe the correct file should be in the system32 folder as apposed to being in a subfolder of system32.

Well I don't see anymore csrss or folders in the system32 folder. I see just one csrss.exe but it is not in any specific subfolder just in the system32 one.

Just because you don't have the ps2patch file doesn't mean you are okay.

Also look for these files in X:\win\system32 and delete them via safe mode: Ipconf.tsp & Ipconfig.exe

Also an easier way to clean your registry after deleting the crss.exe file is to get a registry cleaner like aceutilites or reg organizer. Once the file is deleted they will detect the bad registry entries and delete them for you so you don't have to worry about deleting something that you shouldn't.

Also flush all your browser cache to be on the safe side, and check your plugins to make sure that something isn't in there.

I ran a search for Ipconf.tsp and it came up under system32, but said it hadn't been modified since sometime in 2004. The same thing goes for Ipconfig.exe. Should I assume that those files are fine, then? HOWEVER, I did come across something called IPCONFIG.EXE-05D7908C.pf under C:\Windows\Prefetch and this file was modified on 2/28/05. Should I delete that?

Until somebody confirms this exploit actually does something with ipconfig.exe I wouldn't fool with it. Just my 2 cents.

I was going to do a System Restore, but the only restore point it has available was for today at noon...WTF?!

I got an alert when I chose to turn off system restore (following Defender's steps to clear out the plug-in) that said if I chose to turn it off that it would reset and clear all restore points that currently existed on my computer. So I'm figuring if you turned off system retsore then turned it back on, the only restore point you're gonna have is the time at which system restore was turned back on... which for you would be about noon today I'm assuming? :oops:

Shit. I don't remember getting that warning, but thanks for telling me. Now, can anybody answer these:

If I reinstall Windows XP with the CD that came with my PC, will it get rid of my problems? Will my Secruity Center come back?

If you reformat and then reinstall Windows XP it will get rid of all your problems. I was also infected and that's what I'm going to do. It's the only way to be sure you're completely clean. Just be sure to back up any files you want to keep since reformatting deletes everything.

I was going to do a System Restore, but the only restore point it has available was for today at noon...WTF?!

I got an alert when I chose to turn off system restore (following Defender's steps to clear out the plug-in) that said if I chose to turn it off that it would reset and clear all restore points that currently existed on my computer. So I'm figuring if you turned off system retsore then turned it back on, the only restore point you're gonna have is the time at which system restore was turned back on... which for you would be about noon today I'm assuming? :oops:

Shit. I don't remember getting that warning, but thanks for telling me. Now, can anybody answer these:

If I reinstall Windows XP with the CD that came with my PC, will it get rid of my problems? Will my Secruity Center come back?

If you reformat and then reinstall Windows XP it will get rid of all your problems. I was also infected and that's what I'm going to do. It's the only way to be sure you're completely clean. Just be sure to back up any files you want to keep since reformatting deletes everything.

Thanks. I've been waiting for an answer to this... Looks like that is what I will have to do. Well, in a couple of days. My XP disc is at home and I'm at college... :?

Thanks. I've been waiting for an answer to this... Looks like that is what I will have to do. Well, in a couple of days. My XP disc is at home and I'm at college... :?

You're welcome. I recommend anyone that was infected to reformat and reinstall. It's the only way to be sure you're 100% clean. This malware could very well have allowed an attacker to install additional software that you might not be able to detect. In fact I'm using a Mac laptop right now and I don't plan to go back online with the PC that was infected until after I reformat and reinstall Windows.

Great job Defender, looks like the site really couldn't run without you... you're a modern day Wizard of OZ!

I just did a search for that Ipconfig stuff that Scrubking recommened to be deleted and only found one of each file. ON the Ipconfig.tsp it found only one but it says that the date it was created was on 8/25/2003 and the date modified is 8/29/2002, why is that?

Also could you guys maybe refresh my memory again where the system restore is. isn't it in Star>All Programs>Accessories>System Tools?

Umm...could anyone possibly answer my question?

Thanks. I've been waiting for an answer to this... Looks like that is what I will have to do. Well, in a couple of days. My XP disc is at home and I'm at college... :?

You're welcome. I recommend anyone that was infected to reformat and reinstall. It's the only way to be sure you're 100% clean. This malware could very well have allowed an attacker to install additional software that you might not be able to detect. In fact I'm using a Mac laptop right now and I don't plan to go back online with the PC that was infected until after I reformat and reinstall Windows.

Actually, what things should I backup? I mean, there's nothing really on here that didn't already come on here before. I suppose my anime, but I really can't think of much else. Is there anything I would probably have I can't think of that needs backing up?

I think I'm safe. Whew.

Nice work, gang.

Safe mode question: I'm trying to follow the directions to remove this DAMNED thing (Sygate firewall picked it up right away and it isn't able to transmit ...but I need it off.) I try to startup in safe mode but it won't start. goes to a bunch of disk partition commands and then just freezes. any ideas/suggestions? any other way to get this off my computer?

I just did a search for that Ipconfig stuff that Scrubking recommened to be deleted and only found one of each file. ON the Ipconfig.tsp it found only one but it says that the date it was created was on 8/25/2003 and the date modified is 8/29/2002, why is that?

Also could you guys maybe refresh my memory again where the system restore is. isn't it in Star>All Programs>Accessories>System Tools?

Umm...could anyone possibly answer my question?

ipconfig.exe is a legit windows file. I wouldn't worry about it. Unless somebody finds some real info that this is part of what the exploit hoses up.

also I try to delete the folder in the system32 directory but cannot delete it.

also I try to delete the folder in the system32 directory but cannot delete it.

you need to be in safemode.

I downloaded it. I tried to run/open it, but it didn't do anything. I shut my comp down, and it wouldn't. So I manually turned it off. Rebooted my comp, and everything seems to be fine. There's only one csrss.exe running in the Processes tab...

After reading Defender's warning, I immediately deleted the plugin_install.exe. I'm just wondering, am I infected? Since it didn't want to shut down for me the first time...but everything seems to be A-OK right now.

I would also like to add that when I did a search for the sp2patch file, no results were returned. I'm still wondering if this plugin ever installed on my comp, since I ran/open it... :?

also I try to delete the folder in the system32 directory but cannot delete it.

you need to be in safemode.

but I can't seem to get in safemode

also I try to delete the folder in the system32 directory but cannot delete it.

you need to be in safemode.

but I can't seem to get in safemode

I know that some PC's don't like it if you hold down the F8 key. Did you try tapping the F8 key? That works on some PC's.

I can at times get to the safe mode boot screen, highlight safe mode, and it starts to load (shows many lines of "Disk partionion blah blah and then nothing.

I am fairly confident that you can rid yourself of the malware.

I was pretty thorough in watching what it did. I know how to manually track and delete these things. One thing you can look for in a file is when it was changed. You can even search your drive by date modified. I only found those files and in the registry only keys associated with them.

I should have written down all the actual key locations but it was really late...5am EST. I was really tired.

You can obviously reinstall windows to rid yourself of this thing but it isn't absolutely the only way. You most likely have items still in the registry if you are getting errors on startup.

ifconfig.exe you shouldn't mess with. Csrss.exe must be running as user SYSTEM....

Thanks. I've been waiting for an answer to this... Looks like that is what I will have to do. Well, in a couple of days. My XP disc is at home and I'm at college... :?

You're welcome. I recommend anyone that was infected to reformat and reinstall. It's the only way to be sure you're 100% clean. This malware could very well have allowed an attacker to install additional software that you might not be able to detect. In fact I'm using a Mac laptop right now and I don't plan to go back online with the PC that was infected until after I reformat and reinstall Windows.

Actually, what things should I backup? I mean, there's nothing really on here that didn't already come on here before. I suppose my anime, but I really can't think of much else. Is there anything I would probably have I can't think of that needs backing up?

You want to backup anything you want to keep like game saves, bookmarks, documents, videos, music, and any progams or program installers you don't already have backup copies for.

Safe mode question: I'm trying to follow the directions to remove this DAMNED thing (Sygate firewall picked it up right away and it isn't able to transmit ...but I need it off.) I try to startup in safe mode but it won't start. goes to a bunch of disk partition commands and then just freezes. any ideas/suggestions? any other way to get this off my computer?

You might want to run a checkdisk at bootup. Could be some files that got corrupted & the space needs to be reclaimed causing it to hang up

Can someone answer this...

I downloaded the plugin, and tried to open/run it. But nothing ever popped up. When I went to the task manager, I saw something along the lines of login.exe that was in the Processes tab. I ended it, of course. So, did this thing ever installed onto my comp? Since searching for the sp2patch file had no results.

Just a helpful note, since nobody's really mentioned it:

csrss.exe is NOT a normal Windows ME process. I know most everyone uses XP, but if you're one of the few still on WinME and you have that file, odds are you picked up this trojan if not another, since there are several that use csrss.exe.

Just a helpful note, since nobody's really mentioned it:

csrss.exe is NOT a normal Windows ME process. I know most everyone uses XP, but if you're one of the few still on WinME and you have that file, odds are you picked up this trojan if not another, since there are several that use csrss.exe.

People still use Windows:ME? Millinieum Edition my arse! ME is an inside joke at Microsoft. ME secretly stands for 'More Errors' ;)

I downloaded it. I tried to run/open it, but it didn't do anything. I shut my comp down, and it wouldn't. So I manually turned it off. Rebooted my comp, and everything seems to be fine. There's only one csrss.exe running in the Processes tab...

After reading Defender's warning, I immediately deleted the plugin_install.exe. I'm just wondering, am I infected? Since it didn't want to shut down for me the first time...but everything seems to be A-OK right now.

I would also like to add that when I did a search for the sp2patch file, no results were returned. I'm still wondering if this plugin ever installed on my comp, since I ran/open it... :?

I am pretty sure sp2patch file is only if you use win XP. If you use Win 2K then find the csrss.exe under the sub directory of system32 directory.

Thanks. I've been waiting for an answer to this... Looks like that is what I will have to do. Well, in a couple of days. My XP disc is at home and I'm at college... :?

You're welcome. I recommend anyone that was infected to reformat and reinstall. It's the only way to be sure you're 100% clean. This malware could very well have allowed an attacker to install additional software that you might not be able to detect. In fact I'm using a Mac laptop right now and I don't plan to go back online with the PC that was infected until after I reformat and reinstall Windows.

Actually, what things should I backup? I mean, there's nothing really on here that didn't already come on here before. I suppose my anime, but I really can't think of much else. Is there anything I would probably have I can't think of that needs backing up?

You want to backup anything you want to keep like game saves, bookmarks, documents, videos, music, and any progams or program installers you don't already have backup copies for.

Thank you very much. Yeah, I don't think there's really much I need to backup then. Most of the crap on here is pointless anyway. I don't really play PC games, and all of my programs can just be reinstalled...thanks!

Thanks. I've been waiting for an answer to this... Looks like that is what I will have to do. Well, in a couple of days. My XP disc is at home and I'm at college... :?

You're welcome. I recommend anyone that was infected to reformat and reinstall. It's the only way to be sure you're 100% clean. This malware could very well have allowed an attacker to install additional software that you might not be able to detect. In fact I'm using a Mac laptop right now and I don't plan to go back online with the PC that was infected until after I reformat and reinstall Windows.

Actually, what things should I backup? I mean, there's nothing really on here that didn't already come on here before. I suppose my anime, but I really can't think of much else. Is there anything I would probably have I can't think of that needs backing up?

You want to backup anything you want to keep like game saves, bookmarks, documents, videos, music, and any progams or program installers you don't already have backup copies for.

Thank you very much. Yeah, I don't think there's really much I need to backup then. Most of the crap on here is pointless anyway. I don't really play PC games, and all of my programs can just be reinstalled...thanks!
No problem. One more thing you might want to backup is any e-mail that is stored on your local machine.

I downloaded it. I tried to run/open it, but it didn't do anything. I shut my comp down, and it wouldn't. So I manually turned it off. Rebooted my comp, and everything seems to be fine. There's only one csrss.exe running in the Processes tab...

After reading Defender's warning, I immediately deleted the plugin_install.exe. I'm just wondering, am I infected? Since it didn't want to shut down for me the first time...but everything seems to be A-OK right now.

I would also like to add that when I did a search for the sp2patch file, no results were returned. I'm still wondering if this plugin ever installed on my comp, since I ran/open it... :?

I am pretty sure sp2patch file is only if you use win XP. If you use Win 2K then find the csrss.exe under the sub directory of system32 directory.

Actually, I do have Windows XP. But never downloaded Service Pack 2 ever since I heard so many bad things about it.

Every time I try to post or get data from the site, it tells me that it is in debug but when I refresh the page it comes up fine. Also, when I try to post it tells me that I have to resend the data or something like that.

I think it's little kinks left over from the hack, but I'm sure defender knows the full situation.

This is what I keep getting:

phpBB : Critical Error

Error updating sessions table

DEBUG MODE

SQL Error : 1034 Incorrect key file for table: 'phpbb_users'. Try to repair it

UPDATE phpbb_users SET user_session_time = 1109729229, user_session_page = -9 WHERE user_id = 14908

Line : 293
File : sessions.php

I am fairly confident that you can rid yourself of the malware.

I was pretty thorough in watching what it did. I know how to manually track and delete these things. One thing you can look for in a file is when it was changed. You can even search your drive by date modified. I only found those files and in the registry only keys associated with them.

I should have written down all the actual key locations but it was really late...5am EST. I was really tired.

You can obviously reinstall windows to rid yourself of this thing but it isn't absolutely the only way. You most likely have items still in the registry if you are getting errors on startup.

ifconfig.exe you shouldn't mess with. Csrss.exe must be running as user SYSTEM....

I have it now running as a user SYSTEM but what exactly is its purpose?

Just wait it out, it's no biggie.

Just wait it out, it's no biggie.

It's freakin' annoying man. It is so irritating.

I think it's little kinks left over from the hack, but I'm sure defender knows the full situation.

Defender may not have all the hack-related kinks ironed out yet, but he can sell you a DS for $250. :D

That’s weird. I haven't once had that problem since I've visited CAG after it was hacked.

yeah, i use to get that before the hack(the debug thing) also the refesh seems a bit weak. it takes for ever to refresh properly. like i'll refresh and get the same thing right after i posted. it has like a wierd delay or something.

It's deja vu all over again. :rofl:

Firefox is trying to connect to that plugin again.

2:0

Yeah, i just got sent to a page with some text related to that plugin, after a few secs of lookin on CAG. I recognized the URL to the plugin...It just doesn't want to go without a fight...

Warning: main(module.Informer.php): failed to open stream: No such file or directory in /home/www/confixx/html/fehler.inc.php on line 36

Warning: main(): Failed opening 'module.Informer.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /home/www/confixx/html/fehler.inc.php on line 36

Fatal error: Cannot instantiate non-existent class: informerpresentation in /home/www/confixx/html/fehler.inc.php on line 52

SITE SEEMS TO REDIRECT AGAIN WITH SIMILAR HACK

YOU NEED TO CLOSE DOWN THE SITE IF IT'S POSSIBLY GOING TO HARM YOUR USERS. SERIOUSLY!!!

Warning: main(module.Informer.php): failed to open stream: No such file or directory in /home/www/confixx/html/fehler.inc.php on line 36

Warning: main(): Failed opening 'module.Informer.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /home/www/confixx/html/fehler.inc.php on line 36

Fatal error: Cannot instantiate non-existent class: informerpresentation in /home/www/confixx/html/fehler.inc.php on line 52

Now I'm starting to get those error pages.

It lOOks like CAG got hacked again.

WARNING! CAG GOT HACKED AGAIN.PLEASE DO NOT DOWNLOAD THAT PLUG !!!!

I keep getting redirected, but have seen no mention of a plugin

lame

im scared

im getting redirected too, no plugin though

Same here, but it's still annoying.

I'm getting something different:
Warning: main(module.Informer.php): failed to open stream: No such file or directory in /home/www/confixx/html/fehler.inc.php on line 36

Warning: main(): Failed opening 'module.Informer.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /home/www/confixx/html/fehler.inc.php on line 36

Fatal error: Cannot instantiate non-existent class: informerpresentation in /home/www/confixx/html/fehler.inc.php on line 52

Everytime I click something I have to click the stop button when it shows up, otherwise I get redirected to the above screen.

I can't see where it gets redirected. I only see forums and same IP it's redirecting to.

I'm getting something different:
Warning: main(module.Informer.php): failed to open stream: No such file or directory in /home/www/confixx/html/fehler.inc.php on line 36

Warning: main(): Failed opening 'module.Informer.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /home/www/confixx/html/fehler.inc.php on line 36

Fatal error: Cannot instantiate non-existent class: informerpresentation in /home/www/confixx/html/fehler.inc.php on line 52

Everytime I click something I have to click the stop button when it shows up, otherwise I get redirected to the above screen.

I'm getting this also..is there any way to fix this?

im getting the installer thing now bah

Man this sux

Damn Cheapy. Sort this out.

Are you guys going to change your passwords after this?

The redirects stopped...

w00t.

For now.

ahhhh the haxor is attacking a-gain

Warning: main(module.Informer.php): failed to open stream: No such file or directory in /home/www/confixx/html/fehler.inc.php on line 36

Warning: main(): Failed opening 'module.Informer.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /home/www/confixx/html/fehler.inc.php on line 36

Fatal error: Cannot instantiate non-existent class: informerpresentation in /home/www/confixx/html/fehler.inc.php on line 52

I'm getting this too, and I searched for sp2patch.exe and didn't find it...what should I do now?

Edit: The patch never got downloaded to my knowledge.

I hope this all gets worked out. I wasn't getting the downloader, just the redirect...

its the calming before the storm of cheapyd pr0n

I think it has stopped.

http://plugin.xtupx.com/


no plug-in download, but i was getting redirected to the above link

How were some people posting during the hack? Are they using Firefox or Safari?

im scared

You look scared :rofl:

How were some people posting during the hack? Are they using Firefox or Safari?


"I've got the magic stick...." :lol:

I think it has stopped.

Yeah, seems like it's fine for now. I hope we get to the bottom of these hacks and take care of the problem.

How were some people posting during the hack? Are they using Firefox or Safari?


"I've got the magic stick...." :lol:

I'm using Firefox and still get redirected.

Die hackers!

To stop the redirect (courtesy of Masha):

1) Go to C:\Windows\System32\Drivers\Etc
2) Open "hosts" with Notepad
3) Add the line "127.0.0.1 plugin.xtupx.com" to the end of the file
4) Save and reload... presto!

sweet jesus, the clones are attacking!

How were some people posting during the hack? Are they using Firefox or Safari?

no idea....i kept going back and forth to get a 1/2 second glimpse of some of the new posts between getting redirected :lol: some times resulting in me only being able to read one new word at a time

How were some people posting during the hack? Are they using Firefox or Safari?

I was hitting "stop" right before the redirect... I am running IE.

Has anyone email Defender yet about this problem?

Phew...it quit with me too. Damn hackers, lets find out who they are and tar and feather them. that'll teach em.

Cheapy just needs to update his board version and remove wherever the redirect is in the files (sometimes hard to find and hidden).

Easiest is to cat all the files and do a grep for the IP or address on *.

It has stopped for me finally

To stop the redirect (courtesy of Masha):

1) Go to C:\Windows\System32\Drivers\Etc
2) Open "hosts" with Notepad
3) Add the line "127.0.0.1 plugin.xtupx.com" to the end of the file
4) Save and reload... presto!

neah. It's not mine. Someone reminded me yesterday about this trick. Don't remember who it was, but I remember big rounded B :bouncy: :bouncy: bs

EDIT : It was CappyCobra.


1) Go to C:\Windows\System32\Drivers\Etc
2) Open "hosts" with Notepad
3) Add the line "127.0.0.1 <TAB> plugin.xtupx.com"
4) (I think this can be optional) Go Start > Run> ipconfig /flushdns
You can reboot as well.
5) Save and reload... presto!


Admins, are there any logs? Can trace them back?

Titties!!!

-Edit- That was the hacker, I swear.

Hackers think they are so great, but they arent. I bet I ruined their day now. :cool:

Warning: main(module.Informer.php): failed to open stream: No such file or directory in /home/www/confixx/html/fehler.inc.php on line 36

Warning: main(): Failed opening 'module.Informer.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /home/www/confixx/html/fehler.inc.php on line 36

Fatal error: Cannot instantiate non-existent class: informerpresentation in /home/www/confixx/html/fehler.inc.php on line 52

I'm getting this too, and I searched for sp2patch.exe and didn't find it...what should I do now?

Edit: The patch never got downloaded to my knowledge.

I don't think anything happened with this one. Well, hopefully nothing was downloaded... :?

Hackers think they are so great, but they arent. I bet I ruined their day now. :cool:

Hackers? How about Microsoft? You can bet no Mac or Linux users were affected.

I wonder if anybody not using MSIE was.

Has anyone email Defender yet about this problem?

Cheapy is on now. I am sure he has contacted him/done something.

man this sucks, good thing i was home playing shadow hearts all day and didnt have to deal with it

Yeah it seems like sites are still getting hit even after upgrading to the latest phpbb version.
We'll keep you updated...

I'm getting something different:
Warning: main(module.Informer.php): failed to open stream: No such file or directory in /home/www/confixx/html/fehler.inc.php on line 36

Warning: main(): Failed opening 'module.Informer.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /home/www/confixx/html/fehler.inc.php on line 36

Fatal error: Cannot instantiate non-existent class: informerpresentation in /home/www/confixx/html/fehler.inc.php on line 52

Everytime I click something I have to click the stop button when it shows up, otherwise I get redirected to the above screen.


ITS A TRAP!!

i got the same thing 2..but it stopped :_x

Hackers think they are so great, but they arent. I bet I ruined their day now. :cool:

Hackers? How about Microsoft? You can bet no Mac or Linux users were affected.

I wonder if anybody not using MSIE was.

You're right, I didnt get effected one bit!

WARNING! CAG GOT HACKED AGAIN.PLEASE DO NOT DOWNLOAD THAT PLUG !!!!

What? No it didn't..

Titties!!!

-Edit- That was the hacker, I swear.

they're so mean man

WARNING! CAG GOT HACKED AGAIN.PLEASE DO NOT DOWNLOAD THAT PLUG !!!!

What? No it didn't..

It was redirecting to another site again. Guys, don't bump this unless there's a problem again.

Hackers think they are so great, but they arent. I bet I ruined their day now. :cool:

Hackers? How about Microsoft? You can bet no Mac or Linux users were affected.

I wonder if anybody not using MSIE was.

I was using Firefox and still was affected

I was a retard and actually downloaded the plug in
I tried to double click the file but nothing happened. Is my computer f'ed?

Just because you don't have the ps2patch file doesn't mean you are okay.

Also look for these files in X:\win\system32 and delete them via safe mode: Ipconf.tsp & Ipconfig.exe

Also an easier way to clean your registry after deleting the crss.exe file is to get a registry cleaner like aceutilites or reg organizer. Once the file is deleted they will detect the bad registry entries and delete them for you so you don't have to worry about deleting something that you shouldn't.

Also flush all your browser cache to be on the safe side, and check your plugins to make sure that something isn't in there.

I ran a search for Ipconf.tsp and it came up under system32, but said it hadn't been modified since sometime in 2004. The same thing goes for Ipconfig.exe. Should I assume that those files are fine, then? HOWEVER, I did come across something called IPCONFIG.EXE-05D7908C.pf under C:\Windows\Prefetch and this file was modified on 2/28/05. Should I delete that?

I was a retard and actually downloaded the plug in
I tried to double click the file but nothing happened. Is my computer f'ed?

Better look at the front page and follow the steps in that thread.

..Why was my post deleted.. and when did it get "hacked" again?

Again? Damn!

..Why was my post deleted.. and when did it get "hacked" again?

I couldn't tell you why your post was deleted, but the second hack happened maybe an hour or so ago...just look at the post times above.

I am going to kick those hackers asses

well this is getting old quick

neah. It's not mine. Someone reminded me yesterday about this trick. Don't remember who it was, but I remenber big rounded B :bouncy: :bouncy: bs


It wouldn't be these would they? ;)

I've got both the ipconf.tsp and ipconfig.exe file, but it says they were last modified in 2002... Am I safe?

oops, I downloaded the plug, installed it, and then put it on cd's and distributed to people for them to use...was that bad?

How were some people posting during the hack? Are they using Firefox or Safari?

no idea....i kept going back and forth to get a 1/2 second glimpse of some of the new posts between getting redirected :lol: some times resulting in me only being able to read one new word at a time

Wow, that's insanity.

neah. It's not mine. Someone reminded me yesterday about this trick. Don't remember who it was, but I remenber big rounded B :bouncy: :bouncy: bs


It wouldn't be these would they? ;)

Gotch ya ....them... :rofl:

I tried searching for sp2patch.exe but it couldn't find it. Does that mean i'm safe? I could find sp2patch.exe in regedit though. And i checked the system processes not in safe mode and found only 1 csrss.exe. I'm really paranoid now, can anyone tell me if i'm safe or not?

oops, I downloaded the plug, installed it, and then put it on cd's and distributed to people for them to use...was that bad?

Yes, very bad. You will undoubtedly burst into flames at any moment.

..Why was my post deleted.. and when did it get "hacked" again?

I don't think your post was deleted. Masha made two threads.

http://plugin.xtupx.com/


no plug-in download, but i was getting redirected to the above link

same here.

i blame fat wallet..... those bastards.

Sounds llike you're ok/ csrss.exe is a system process, so there should be one running. If therre are a bunch, then you're in trouble...

We fixed this fast this time. We will do our best to keep this site safe for the CAG community.

Please do NOT download anything from a popup! EVER

Okay, I thought I was safe...but I wasn't. There was something flashing on my screen for a bit, and then it stopped. And then it flashed again real quick. It did this quite a number of times before I rebooted to Safe Mode and checked to see if there was anything modified during the time I installed the plugin (when I opened it, nothing happened, but it did install). What I did was searched in my C:\Windows\system32\ folder for anything that was modified during the night I had installed it. It appears that there was a folder created on February 28, 2005 10:30pm (the time I had installed the plugin). I deleted the folder, which had csrss.exe in it (I guess it was a clone or something). And I also ran REGEDIT and deleted sp2patch.exe (I don't have Service Pack 2, so anything related to that I really don't care if I delete it or not). So ends my story. Everything is running fine...except that I get an error after I boot up telling me that C:\Windows\system32\SomeWeirdFolderName\csrss.exe is missing. So I get into the Task Manager and it shows that csrss.exe is already running.

Does anyone know how to get rid of that error message? My comp runs fine now, it's just the error message that pops up that is troubling me now.

oops, I downloaded the plug, installed it, and then put it on cd's and distributed to people for them to use...was that bad?

Yes, very bad. You will undoubtedly burst into flames at any moment.

Oh well, I guess I'll go stand near my neighbors house, so I dont die without doing some damage. My neighbors are morons.

Warning: main(module.Informer.php): failed to open stream: No such file or directory in /home/www/confixx/html/fehler.inc.php on line 36

Warning: main(): Failed opening 'module.Informer.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /home/www/confixx/html/fehler.inc.php on line 36

Fatal error: Cannot instantiate non-existent class: informerpresentation in /home/www/confixx/html/fehler.inc.php on line 52

I'm getting this too, and I searched for sp2patch.exe and didn't find it...what should I do now?

Edit: The patch never got downloaded to my knowledge.

I don't think anything happened with this one. Well, hopefully nothing was downloaded... :?

Yeah, it looks like their host shut them down.

didn't read through this entire thread but have a few suggestions. you could always install and run SpywareBlaster - http://www.javacoolsoftware.com/spywareblaster.html

it will prevent most of this garbage from insalling. it works for both IE and Firefox. they release updates for new stuff every other week or so too.

or you could also use SpywareGuard - http://www.javacoolsoftware.com/spywareguard.html which is a realtime spyware scanner. its basically like A/V software for spyware.

the best part - both of these programs are completely free.

also, I would also use AdAware and Spybot to scan for already existing stuff on your pc.

AdAware - http://www.lavasoft.de/support/download/

Spybot - http://www.safer-networking.org/en/index.html

or you can also use MS own spyware software which offers realtime protection as well as anytime scanning.

MS Antispyware - http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en

the MS software is in beta form at this time however but seems to work very well.

hope this helps.

didn't read through this entire thread but have a few suggestions. you could always install and run SpywareBlaster - http://www.javacoolsoftware.com/spywareblaster.html

it will prevent most of this garbage from insalling. it works for both IE and Firefox. they release updates for new stuff every other week or so too.

or you could also use SpywareGuard - http://www.javacoolsoftware.com/spywareguard.html which is a realtime spyware scanner. its basically like A/V software for spyware.

the best part - both of these programs are completely free.

also, I would also use AdAware and Spybot to scan for already existing stuff on your pc.

AdAware - http://www.lavasoft.de/support/download/

Spybot - http://www.safer-networking.org/en/index.html

or you can also use MS own spyware software which offers realtime protection as well as anytime scanning.

MS Antispyware - http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en

the MS software is in beta form at this time however but seems to work very well.

hope this helps.

Antispyware and antivirus programs don't seem to be catching this thing for people who clicked to install it.

13. If you reboot and do not get any errors then you may have been successful. If you ctr-alt-del you can see the system processes. If you see only 1 csrss.exe then you have it.

I see one csrss.exe, does that means i have a virus?
I hope not. :roll:

Nevermind, I read the post above mine. I guess i'm fine.

Antispyware and antivirus programs don't seem to be catching this thing for people who clicked to install it.

NOD32 cought it last night with no problem. I STOPped using other AVs a few years ago.

Antispyware and antivirus programs don't seem to be catching this thing for people who clicked to install it.

NOD32 cought it last night with no problem.

I just heard people talking about it last night and saying that Norton and some others weren't catching it. I guess some can though.

THose punks at eaxposed are all giddy with the script kiddie tool that got release for phpbb.

*Disclaimer*
Linking to the 'hacker' forum. Mods, nuke it if you wish. Just wanted to show people here those punks agendas.

Hacker Punks and thier script kiddie tools (http://eaxposed.com/viewtopic.php?t=4771)

Yeah, it looks like their host shut them down.

They'll move it to another server and ....try again.

"plugin" link (http://eaxposed.com/viewtopic.php?t=6636&postdays=0&postorder=asc&star t=15)

This is a link to the thread on eaexposed where a "plugin" program that exploits phpbb is posted. I wonder if this is the one they used?

THose punks at eaxposed are all giddy with the script kiddie tool that got release for phpbb.

*Disclaimer*
Linking to the 'hacker' forum. Mods, nuke it if you wish. Just wanted to show people here those punks agendas.

Hacker Punks and thier script kiddie tools (http://eaxposed.com/viewtopic.php?t=4771)

What fuckers. I just read the entire topic. Their just playing around it seems and going after random sites. I hope they all burn for putting good honest sites down like this. Stupid idiots. And I here that CAG was attacked again, when? Also, what happened to my thread in the CAG news, feedback, and site assistance forum?

Mods or whoever, I say use their stupid fucking program against them. Nuke their site.

Mods or whoever, I say use their stupid shaq-fuing program against them. Nuke their site.

I wise man once said:

Kill'em all and let God sort'em out!
It's time to kick ass and chew bubblegum. And I'm all outta gum!

- Duke Nukem
http://news.bbc.co.uk/olmedia/1540000/images/_1544813_game150.jpg

Mods or whoever, I say use their stupid shaq-fuing program against them. Nuke their site.

I wise man once said:

Kill'em all and let God sort'em out!
It's time to kick ass and chew bubblegum. And I'm all outta gum!

- Duke Nukem
http://news.bbc.co.uk/olmedia/1540000/images/_1544813_game150.jpg

Truly a wise man indeed. Now where is our Duke Nukem Forever.

holy shit, these guys don't even deserve to be called hackers.. just some script kiddies.

holy shit, these guys don't even deserve to be called hackers.. just some script kiddies.

I read through that. I had no idea what was going on... :?

holy shit, these guys don't even deserve to be called hackers.. just some script kiddies.

You're right about that. One thing I don't get is what do they have against CAG? What is their vendetta? Did they miss out on a deal/sale and now are disgruntled or something. What's the point of going after a site like this is where I"m getting at.

Mods or whoever, I say use their stupid shaq-fuing program against them. Nuke their site.

I wise man once said:

Kill'em all and let God sort'em out!
It's time to kick ass and chew bubblegum. And I'm all outta gum!

- Duke Nukem
http://news.bbc.co.uk/olmedia/1540000/images/_1544813_game150.jpg

Actually Rowdy Roddy Piper said that in "They Live". I feel old.

Mods or whoever, I say use their stupid shaq-fuing program against them. Nuke their site.

I wise man once said:

Kill'em all and let God sort'em out!
It's time to kick ass and chew bubblegum. And I'm all outta gum!

- Duke Nukem
http://news.bbc.co.uk/olmedia/1540000/images/_1544813_game150.jpg

Actually Rowdy Roddy Piper said that in "They Live". I feel old.

You've actually seen that before??? Whenever TNT or TBS would air that after WCW, I would quickly change the channel.

Mods or whoever, I say use their stupid shaq-fuing program against them. Nuke their site.

I wise man once said:

Kill'em all and let God sort'em out!
It's time to kick ass and chew bubblegum. And I'm all outta gum!

- Duke Nukem
http://news.bbc.co.uk/olmedia/1540000/images/_1544813_game150.jpg

Actually Rowdy Roddy Piper said that in "They Live". I feel old.

You've actually seen that before??? Whenever TNT or TBS would air that after WCW, I would quickly change the channel.

Actually I saw at a theater when it came out. Ah, good times.

I saw "They Live" in the theater too. :oops:

FYI, I'm hiring a Server Security guy to work on the CAG server.

What was up with the recent php errors that just happened a moment ago? I was trying to get in to any thread but it kept saying php:critical error or something similiar.

I saw "They Live" in the theater too. :oops:

FYI, I'm hiring a Server Security guy to work on the CAG server.

Maybe you could hire this dude. I'm sure he'll keep your server safe ;)
http://www.whitetrashwrestling.com/home/profiles/images/bruiser.jpg

I saw "They Live" in the theater too. :oops:

FYI, I'm hiring a Server Security guy to work on the CAG server.

Does that mean you'll be raising the CAG monthly subscription fee?

I saw "They Live" in the theater too. :oops:

FYI, I'm hiring a Server Security guy to work on the CAG server.

Does that mean you'll be raising the CAG monthly subscription fee?

Yep, it's now two beatings, three BJ's, and a happy ending.

I saw "They Live" in the theater too. :oops:

FYI, I'm hiring a Server Security guy to work on the CAG server.

Does that mean you'll be raising the CAG monthly subscription fee?

Yep, it's now two beatings, three BJ's, and a happy ending.

All I have left is a BJ.

*cartman style*

Sucki sucki five dolla! Me love you long time! Hey cho cho boy!

:p

holy shit, these guys don't even deserve to be called hackers.. just some script kiddies.

The word is "crackers" - which more often than not have not done any actual hacking.

I deleted the folder, which had csrss.exe in it (I guess it was a clone or something). And I also ran REGEDIT and deleted sp2patch.exe (I don't have Service Pack 2, so anything related to that I really don't care if I delete it or not). So ends my story. Everything is running fine...except that I get an error after I boot up telling me that C:\Windows\system32\SomeWeirdFolderName\csrss.exe is missing. So I get into the Task Manager and it shows that csrss.exe is already running.

Does anyone know how to get rid of that error message? My comp runs fine now, it's just the error message that pops up that is troubling me now.

Same problem here.

hey, i know absolutely nothing about all this redirect stuff, etc...but i have a question...is this "program" everyone is saying not to download something that was installed automatically onto a user's machine when logged into CAG or is it something along the lines of actually "agreeing" (if that is the right word?) to d/l something (ie. my knowingly d/ling a program like spybot from download.com)?

i haven't d/led anything from CAG but was redirected to some page with programming code on it like most others, and just want to know if i need to go through all the steps that cheapyd and defender outlined

this is me reading this whole thread :?:

thanks to one & all in advance :D

If you saw something like this...

Warning: main(module.Informer.php): failed to open stream: No such file or directory in /home/www/confixx/html/fehler.inc.php on line 36

Warning: main(): Failed opening 'module.Informer.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /home/www/confixx/html/fehler.inc.php on line 36

Fatal error: Cannot instantiate non-existent class: informerpresentation in /home/www/confixx/html/fehler.inc.php on line 52

then I think you are ok. Looks like the "hackers" site was taken down by the host or something.

thats exactly what it was

thx cheapy :D

If you saw something like this...

Warning: main(module.Informer.php): failed to open stream: No such file or directory in /home/www/confixx/html/fehler.inc.php on line 36

Warning: main(): Failed opening 'module.Informer.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /home/www/confixx/html/fehler.inc.php on line 36

Fatal error: Cannot instantiate non-existent class: informerpresentation in /home/www/confixx/html/fehler.inc.php on line 52

then I think you are ok. Looks like the "hackers" site was taken down by the host or something.

Did anyone else notice something while surfing the site yesterday that seemed like another hacker attack? I noticed it around the time I signed off.

yeay cag is back up!

Huh, weird. I had that plugin and forgot to remove. So when I ran lavasoft's adware detection program today(which had to be updated), apparently it was deleted after it was completed. Cause the folder isn't there anymore. Just something that I'd thought I'd pass along for those that haven't removed it yet.