SpecialAttack.net :: Might want to avoid FPSbanana for a while!

The site is currently infected with the 'Black Internet' trojan.

It's embedded in the site itself somehow, which means all you have to do is go there-- you don't have to download anything, and you'll be infected. All the following programs did not detect the trojan AVG, Ad-Aware and Windows Defender.

If you've been to FPSBanana in the last day or less, check your task manager. Look for iexplore.exe running-- or multiple instances of it if you are surfing with internet explorer, of course. You might also be hearing audio advertisements and/or multiple weird noises and mouseclicks.

Apparently this trojan infects the MBR, to fix the virus problem make all folders viewable in the control panel -> large icons -> folder options -> view -> show hidden files, folders and drives, then reboot in Safe Mode and go here:

C:\Users\YOURUSERNAME\Appdata\Local\Temp

and deleting these two files:

Loader.exe
Smss.exe

And until further notice I strongly suggest that you avoid going to the website.

Quote:

About this Virus
The new FPSBanana virus is a Rootkit virus known as "Black Internet". It is extremely dangerous to your system and security on your computer. A Rootkit virus buries itself into your Master Boot Record which forces the virus to load upon startup. You cannot disable the virus through safe-mode or "msconfig".
!NOTE!
VIRUS SCANNERS WILL NOT DETECT OR FIND THIS VIRUS! ONLY REAL-TIME VIRUS PROTECTION CAN DETECT AND STOP THIS VIRUS FROM BEING INSTALLED.

As of right now, the only working real-time detection and stopping of this virus is Kaspersky. Kaspersky will NOT remove the virus if you already have it.
The virus is obtained through a Java exploit from the advertisements on FPSBanana. Adblock will NOT stop you from getting this virus. Even if you have Ripe, you can still get this virus.

What does it do?
First, the virus buries itself into your Master Boot Record to keep you from detecting and removing the virus easily with any type of virus protection software. Afterwards, it loads up an application that will keep Internet Explorer open and showing you ads in the background or hidden voice ads. There are also reports of this being a Backdoor virus also which can transfer your sensitive information to the creators.

Symptoms
- Internet Explorer opens with ads randomly
- Windows keep minimizing
- Your computer sound will keep turning up and down randomly
- You will hear the clicks of pages being browsed in the background
- Visiting websites might not work

Do I have the Virus?
Even if you think you do not have the virus, you could still be infected!
There is an easy way to test if you have the virus. Follow these steps...

Step 1)
Press CTRL+ALT+DEL on your keyboard. Click "Open Task Manager".

Step 2)
On the Task Manger, click the "Processes" tabs.

Step 3)
Look through your processes for "loader.exe". If you have that file running, there will also be one or multiple instances of "iexplorer.exe". If so, You are infected!

Image

Removing the Virus
To remove this virus, you are REQUIRED to have a Windows disk corresponding to your version of Windows OR a recovery drive that came from factory. If you do not, you are pretty much screwed... There are other ways but they have a 10% chance of working.

So now, insert your Windows disk into your CD/DVD drive and restart your computer. When it says to "Press any key to continue..." do so. If you have a recovery drive, you will either have to press a key that is defined on the Bios screen or press F8 before Windows loads. Choose to recover your Windows installation.

After you choose the option to recover your Windows Installation, you can choose to use Command Prompt to do so. Once the Command Prompt opens, type the following...

Windows XP: fixmbr
Vista or 7: bootrec.exe /FixMbr

After the process completes, you can then close command prompt and Restart your computer. When the computer loads up again, the Virus has been disabled. You just need to delete the file.

You can either use CCleaner to delete all over your Windows Temporary Files or goto your temp folder in the following location...
Windows XP: C:\Documents and Settings\Application Data\temp
Vista or 7: C:\Users\[YOUR USERNAME]\AppData\Local\Temp

Find the file "loader.exe" and delete it.

You should be all set now and the infection should be gone. Double check by following the the steps to check for the virus above.

Author:	[SpA]WildBlaze [ 13 Jul 2010, 23:57 ]
Post subject:	Might want to avoid FPSbanana for a while!
Just a bit of a heads up if your planning on looking for new maps or skins, looks like FPSbanana has been infected with a rather nasty virus, so you might want to avoid it for a while, and if you've been there recently you might want to check if you have Loader.exe running in your processes. http://www.gtfogaming.co.uk/community/w ... t8945.html Quote: The site is currently infected with the 'Black Internet' trojan. It's embedded in the site itself somehow, which means all you have to do is go there-- you don't have to download anything, and you'll be infected. All the following programs did not detect the trojan AVG, Ad-Aware and Windows Defender. If you've been to FPSBanana in the last day or less, check your task manager. Look for iexplore.exe running-- or multiple instances of it if you are surfing with internet explorer, of course. You might also be hearing audio advertisements and/or multiple weird noises and mouseclicks. Apparently this trojan infects the MBR, to fix the virus problem make all folders viewable in the control panel -> large icons -> folder options -> view -> show hidden files, folders and drives, then reboot in Safe Mode and go here: C:\Users\YOURUSERNAME\Appdata\Local\Temp and deleting these two files: Loader.exe Smss.exe And until further notice I strongly suggest that you avoid going to the website. about the virus if your wondering what it does Quote: About this Virus The new FPSBanana virus is a Rootkit virus known as "Black Internet". It is extremely dangerous to your system and security on your computer. A Rootkit virus buries itself into your Master Boot Record which forces the virus to load upon startup. You cannot disable the virus through safe-mode or "msconfig". !NOTE! VIRUS SCANNERS WILL NOT DETECT OR FIND THIS VIRUS! ONLY REAL-TIME VIRUS PROTECTION CAN DETECT AND STOP THIS VIRUS FROM BEING INSTALLED. As of right now, the only working real-time detection and stopping of this virus is Kaspersky. Kaspersky will NOT remove the virus if you already have it. The virus is obtained through a Java exploit from the advertisements on FPSBanana. Adblock will NOT stop you from getting this virus. Even if you have Ripe, you can still get this virus. What does it do? First, the virus buries itself into your Master Boot Record to keep you from detecting and removing the virus easily with any type of virus protection software. Afterwards, it loads up an application that will keep Internet Explorer open and showing you ads in the background or hidden voice ads. There are also reports of this being a Backdoor virus also which can transfer your sensitive information to the creators. Symptoms - Internet Explorer opens with ads randomly - Windows keep minimizing - Your computer sound will keep turning up and down randomly - You will hear the clicks of pages being browsed in the background - Visiting websites might not work Do I have the Virus? Even if you think you do not have the virus, you could still be infected! There is an easy way to test if you have the virus. Follow these steps... Step 1) Press CTRL+ALT+DEL on your keyboard. Click "Open Task Manager". Step 2) On the Task Manger, click the "Processes" tabs. Step 3) Look through your processes for "loader.exe". If you have that file running, there will also be one or multiple instances of "iexplorer.exe". If so, You are infected! Image Removing the Virus To remove this virus, you are REQUIRED to have a Windows disk corresponding to your version of Windows OR a recovery drive that came from factory. If you do not, you are pretty much screwed... There are other ways but they have a 10% chance of working. So now, insert your Windows disk into your CD/DVD drive and restart your computer. When it says to "Press any key to continue..." do so. If you have a recovery drive, you will either have to press a key that is defined on the Bios screen or press F8 before Windows loads. Choose to recover your Windows installation. After you choose the option to recover your Windows Installation, you can choose to use Command Prompt to do so. Once the Command Prompt opens, type the following... Windows XP: fixmbr Vista or 7: bootrec.exe /FixMbr After the process completes, you can then close command prompt and Restart your computer. When the computer loads up again, the Virus has been disabled. You just need to delete the file. You can either use CCleaner to delete all over your Windows Temporary Files or goto your temp folder in the following location... Windows XP: C:\Documents and Settings\Application Data\temp Vista or 7: C:\Users\[YOUR USERNAME]\AppData\Local\Temp Find the file "loader.exe" and delete it. You should be all set now and the infection should be gone. Double check by following the the steps to check for the virus above. Glad i decided to check the steam forums, was going to go to FPSbanana to see if there were any interesting skins for the new engi equipment

Author:	annarack [ 14 Jul 2010, 00:48 ]
Post subject:	Re: Might want to avoid FPSbanana for a while!
Nice find, thankfully I don't have it

Author:	sebas [ 14 Jul 2010, 00:54 ]
Post subject:	Re: Might want to avoid FPSbanana for a while!
If it infects the MBR it's not gonna go away by just soft deleting those files. And fixmbr is a bit of a risky command unless you want to format. Anyway, nice catch Wildblaze.

Author:	Lim-Dul [ 14 Jul 2010, 01:10 ]
Post subject:	Re: Might want to avoid FPSbanana for a while!
fixmbr is not risky if you're not multibooting. If you are, then you're probably using other loaders like GRUB anyway and should stick to nix-like recovery methods... Speaking of using nix to fix Windows - an excellent distro is Parted Magic - http://partedmagic.com/ - better recovery tools than the ones that Windows has and most of them are compatible with a wide range of filesystems.

Author:	[SpA]Scatterbrain [ 14 Jul 2010, 10:04 ]
Post subject:	Re: Might want to avoid FPSbanana for a while!
good find man, thanks!

SpecialAttack.net https://forum.specialattack.net/

Might want to avoid FPSbanana for a while! https://forum.specialattack.net/viewtopic.php?t=7569	Page 1 of 1

Author:	dckjns [ 14 Jul 2010, 11:46 ]
Post subject:	Re: Might want to avoid FPSbanana for a while!
Quote: There are other ways but they have a 10% chance of working. uh Good thing I read this, might have winded up there one way or another.

Author:	ProtectMyBalls [ 14 Jul 2010, 12:21 ]
Post subject:	Re: Might want to avoid FPSbanana for a while!
i was about to download the heavy bear skin :S

Author:	[SpA]Loke [ 14 Jul 2010, 13:33 ]
Post subject:	Re: Might want to avoid FPSbanana for a while!
'kay, I'm staying away from that site now. I have an account there with some of my stuff uploaded but luckily have it uploaded elsewhere as well. Thanks, Blaze.

Author:	[SpA]WildBlaze [ 14 Jul 2010, 20:45 ]
Post subject:	Re: Might want to avoid FPSbanana for a while!
Looks like this might have been fixed now, though you may want to be careful and keep an eye on your processes if you go there http://forums.steampowered.com/forums/s ... ?t=1360060 Quote: Update:This has been fixed. FPSBanana is safe to use again for the time being. Even though it's safe at the moment, if you plan on going there, make sure you're protected against this kind of thing before you go there to be safe. Also, just be careful on other sites as well - they could also get something similar and it doesn't hurt to be sure. I'll update this if FPSBanana is compromised again. Untill then though, thank you for sticking with this. Adiggity claims that FPSBanana is still not safe to use: Quote: Originally Posted by adiggity View Post FPSBanana is still not safe to use. ESETNod32 found Trojans in several downloads--including SteamCleaner, ironically--and SpyBot S&D regularly detected spyware after I visited the site. Play it safe and avoid. And please upload custom content somewhere else so we can enjoy it in peace ^^ This is the only report I've got so far of the site still being infected but keep it safe and make sure you are protected. This is also going to be used as a sort of support thread for the time being now that FPSBanana is safe. This is so users who were affected can post and get help from other members - happening already. Post if your PC was infected(or if you think you may be infected/curious/want to make sure) and you need help to get rid of it. There should be someone around sometime who is willing to help.

Author:	[SpA]SaintK [ 16 Jul 2010, 23:28 ]
Post subject:	Re: Might want to avoid FPSbanana for a while!
God damn wankers. Now i finally know were i got that rootkit virus. I've been downloading maps for the SpA servers from there when i noticed i got a rootkit virus on my PC. I couldn't find it's source on my PC, leading to a full format and reinstall. I was also completely unaware on how the fuck i got infected in the first place....

Page 1 of 1	All times are UTC+02:00
Powered by phpBB® Forum Software © phpBB Limited