
Is Trains Pro Routes Infected with a Virus?



torino72
September 29th, 2012, 12:21 PM
Today when I went to the download site my antivirus blocked access with the message that this site is infected with the Trojan.US.AgentFUJ virus. I was there yesterday with no virus alert. Anyone else having this issue?

shaneturner12
September 29th, 2012, 02:13 PM
It's best to contact TPR directly for things like that, so they can sort it out.

Shane

sniper297
September 29th, 2012, 02:19 PM
Which antivirus? McAfee says it's okay, although it contains one link to a problem:

http://www.siteadvisor.com/sites/www.trainzproroutes.org?pip=false&premium=false&client_uid=1982047667&client_ver=3.4.1.195&client_type=IEPlugin&suite=true&aff_id=679&locale=en_us&ui=1&os_ver=5.1.3.0

Problem link is here:

http://www.siteadvisor.com/sites/ttbwrr.com/summary/

torino72
September 29th, 2012, 02:39 PM
Here is the message I'm getting. I have sent an email to their contact email address.

STOP! Defender Pro blocked this web page.
The page you are trying to access contains malware.

Details:
Web Page: http://www.trainzproroutes.org/tprdownloads/index.php
Detected viruses: Trojan.JS.Agent.FUJ



Access from your browser has been blocked.
Take me back to safety (http://forums.auran.com/trainz/#)

shaneturner12
September 29th, 2012, 02:45 PM
You may want to check with another tool, as I've just found information regarding the product mentioned in that message being a rogue antispyware tool (from a Google search)

Shane

JCitron
September 29th, 2012, 03:07 PM
> You may want to check with another tool, as I've just found information regarding the product mentioned in that message being a rogue antispyware tool (from a Google search)
>
> Shane

Great find, Shane!

These things are nasty to remove too.

@Torino - see if you can download and run:

http://roguekiller.en.softonic.com/

and then PC Rescue.

http://live.vipreantivirus.com/

RogueKiller does have options to fix hidden items such as desktop icons and restore broken links.
Vipre PC Rescue is the standalone version of the antivirus from Sunbelt Software.


John

shaneturner12
September 29th, 2012, 03:08 PM
I'm normally pretty good at finding things like that. It's amazing what Google can do sometimes when given the chance.

Shane

JCitron
September 29th, 2012, 03:22 PM
> I'm normally pretty good at finding things like that. It's amazing what Google can do sometimes when given the chance.
>
> Shane

I agree, Shane. Their removal can be nasty though. It depends upon which "kit" or how many features the malware developer uses to create the bug. I've been pretty lucky at removing these things, though. I think I have something like a 95% success rate at work. :)

John

shaneturner12
September 29th, 2012, 03:30 PM
I know what you mean. Hopefully the OP can remove the tool, and it may be worth warning others about it in case anyone else has that tool or anything similar installed.

Shane

VinnyBarb
September 29th, 2012, 08:09 PM
> Great find, Shane!
>
> These things are nasty to remove too.
>
> @Torino - see if you can download and run:
>
> http://roguekiller.en.softonic.com/
>
> and then PC Rescue.
>
> http://live.vipreantivirus.com/
>
> RogueKiller does have options to fix hidden items such as desktop icons and restore broken links.
> Vipre PC Rescue is the standalone version of the antivirus from Sunbelt Software.
>
> John

Good links to good software, as I might have to check one of my PCs.

Cheers

VinnyBarb

Robert2d6
September 29th, 2012, 08:19 PM
Get the free version and run it once in awhile on your PC. Good insurance. http://www.malwarebytes.org/

lackoo11111
September 30th, 2012, 02:14 AM
Looks like TPR is cursed .

meridious
September 30th, 2012, 09:00 AM
Hopefully I have things back to normal. It's been 2+ years since we got hit last so this doesn't surprise me in the least. I've been running security software on the site so obviously this attacker knew exactly how to bypass it.

Robert2d6
September 30th, 2012, 09:54 AM
> Hopefully I have things back to normal. It's been 2+ years since we got hit last so this doesn't surprise me in the least. I've been running security software on the site so obviously this attacker knew exactly how to bypass it.

One thing to consider is that if you have malware on your PC, you may not get it all off; sometimes they design it to leave remnants. That is why a good malware removal program is a good thing to run on occasion. Some antivirus programs are better than others. We used Vipre at work and a virus got through, so we removed it and went to ESET NOD32 (Windows version).

BTW, Windows has a built-in malware removal tool that updates every month. Just go to Run and type in MRT and it will do its thing. http://www.microsoft.com/security/pc-security/malware-removal.aspx

Stationbeem
September 30th, 2012, 10:56 AM
Just downloaded a few things from TPR then scanned them with "Microsoft Essentials" and no viruses detected.

meridious
September 30th, 2012, 11:04 AM
To clarify things more. It wasn't a virus per se. It was an injection of the base64 eval code which is basically a hijack.
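The "base64 eval" injection meridious refers to is the common PHP site hijack in which an attacker prepends a line such as `eval(base64_decode('...'))` to a site's PHP files; the decoded payload usually emits a hidden script tag into every page, which is the kind of thing a browser-side scanner flags as a JS trojan. As an added example, not code from the thread, from TPR or from any named product, here is a small Python scanner that walks a web root, finds such lines, peels the wrappers attackers commonly stack on top of the base64 (gzinflate, gzuncompress and str_rot13; this wrapper list is an assumption, not a claim about this incident) and decodes the payload so you can see what was actually being served. The sample PHP files and the `example.invalid` host are constructed for the demo.

```python
"""Find and decode injected eval(base64_decode(...)) lines in PHP source.

Added example for the forum thread above; the wrapper list and the sample
files are assumptions constructed for offline testing, not site artefacts.
"""
import base64
import codecs
import os
import re
import tempfile
import zlib

# eval( [wrapper( ...] base64_decode( '<b64>' )  -- whitespace and case tolerant.
PATTERN = re.compile(
    r"eval\s*\(\s*((?:(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*)*)"
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)",
    re.IGNORECASE,
)


def _wrapper_names(wrappers: str) -> list:
    """Wrapper function names as they appear in source, outermost first."""
    return re.findall(r"[a-z0-9_]+", wrappers.lower())


def decode_payload(wrappers: str, b64: str) -> str:
    """Undo base64, then each wrapper innermost-first, the order PHP would run them."""
    data = base64.b64decode(re.sub(r"\s+", "", b64))
    for name in reversed(_wrapper_names(wrappers)):
        if name == "gzinflate":          # gzinflate() inflates a raw DEFLATE stream
            data = zlib.decompress(data, -15)
        elif name == "gzuncompress":     # gzuncompress() expects a zlib-wrapped stream
            data = zlib.decompress(data)
        elif name == "str_rot13":        # rot13 only touches ASCII letters; latin-1 keeps bytes intact
            data = codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")
    return data.decode("utf-8", errors="replace")


def find_injections(php_source: str) -> list:
    """One finding per match: source line, wrapper chain and decoded payload."""
    findings = []
    for m in PATTERN.finditer(php_source):
        findings.append({
            "line": php_source.count("\n", 0, m.start()) + 1,
            "wrappers": _wrapper_names(m.group(1)),
            "decoded": decode_payload(m.group(1), m.group(2)),
        })
    return findings


def scan_tree(root: str) -> dict:
    """Walk a web root and map each matching .php/.inc file to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_injections(fh.read())
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


# ---- constructed samples: hypothetical host, harmless decoded payload ----
INJECTED_PAYLOAD = "echo '<script src=\"http://example.invalid/i.js\"></script>';"
CLEAN_PHP = "<?php\n$title = 'Downloads';\necho \"<h1>$title</h1>\";\n"
INFECTED_PHP = (
    "<?php\n"
    f"eval(base64_decode('{base64.b64encode(INJECTED_PAYLOAD.encode()).decode()}'));\n"
    "$title = 'Downloads';\necho \"<h1>$title</h1>\";\n"
)


def _raw_deflate(data: bytes) -> bytes:
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return co.compress(data) + co.flush()


# Stacked variant: payload -> deflate -> rot13 -> base64, as eval(gzinflate(str_rot13(base64_decode(..))))
_packed = codecs.encode(_raw_deflate(INJECTED_PAYLOAD.encode()).decode("latin-1"), "rot_13").encode("latin-1")
PACKED_PHP = f"<?php eval(gzinflate(str_rot13(base64_decode('{base64.b64encode(_packed).decode()}'))));"


def demo_scan() -> dict:
    """Write the constructed samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"index.php": CLEAN_PHP, "inc/header.php": INFECTED_PHP, "inc/footer.php": PACKED_PHP}
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo_scan().items()):
        for h in hits:
            print(f"{path}:{h['line']} wrappers={h['wrappers']} -> {h['decoded']}")
```

Point `scan_tree()` at a copy of the web root rather than the live site, and treat every hit as a lead, not a verdict: a few legitimate packages also ship `eval(base64_decode(...))`, so the decoded payload is what tells you whether a file was hijacked. Finding the injected line does not explain how it got there; the upload path, plugin versions and FTP credentials still need checking, or the site will be re-infected as the thread's history suggests.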