Comments on: Syfy.com Hosts Malware

By: Backpain

Backpain — Mon, 10 May 2010 03:27:01 +0000

Just an update. I found a file in mine that is the one that will keep coming back even after the virus software kills it. I found it running in my tasks tracked via windows defender. It’s in the C:\users\tom\ appdata\local\temp\yrl.exe.
Thats the file that allows this virus to keep coming back. I was able to select and remove it in the defender program under the history. I have not been back online to do anything but do virus updates, then lock the firewall down. I have scanned the computer every night for the last 2 and the virus seems to be gone and none of the virus software are picking up any more problems.
If someone with this issue still has a problem, go delete and shred the file and let me know if that did it for you too. I also turned off 2 other files that were running as unknown and will post them up when I can find them.

By: Nathan Driskell

Nathan Driskell — Sat, 08 May 2010 19:28:56 +0000

To be honest, I did not find a way to remove it completely. I ran through many different virus scans, it still always reappeared. I ended up formatting my system, then installing AVG’s free edition, then updated it and scanned everything. For me it was not to hard, as I format my systems every 2-3 months anyway, but for some this may be a nightmare to consider. If you are going to format, backup your data, but be SURE to scan all this data once you have formatted for the virus. I found no virus, and everything now is fine. This virus from Syfy was a nightmare, that could repeat at anytime, so be sure to listen to all warnings.

By: Backpain

Backpain — Sat, 08 May 2010 18:07:39 +0000

I\\\’m not so good with computers so trying to find some of the stuff you guys are talking about is hard for me. I have been running windows defender which did catch part of the virus, but didn\\\’t remove it completely. I also used spybot search and destroy, Ad aware, and my Mcaffe that cox provides it\\\’s customers. I got rid of the pop up windows which it tries to do overnight while asleep, 10-12 per night. I just want to warn you guys that even with no popups, the virus is still not gone. My file sharing has been activating on it\\\’s own, then the next day password protected filesharing was activated. Every time I run Windows defender in full scan mode it picks up the virus again. It will kill it and then it comes back again every night. This is with my computer not being connected to the net. I lock down the firewall in Mcaffe and turn off the manual switch for my wireless. I\\\’m totally stumped on how to get rid of this completely.

By: Sigma

Sigma — Tue, 04 May 2010 04:25:00 +0000

This happened to me at at 8:02 PM PST and Google Chrome did not flag it as malware util at least 9 PM. For me, the only warning I got was UAC which contained the malware.

By: Nathan Driskell

Nathan Driskell — Tue, 04 May 2010 04:10:47 +0000

Agreed. I may reformat now, just to be 100% sure it is gone. Pathetic this can occur to such a large site. Will never ignore Chrome’s warning again.

By: Nathan Driskell

Nathan Driskell — Tue, 04 May 2010 04:07:00 +0000

The file was there. I deleted everything that occurred close to the time I visited the site and onward. Proxy server is not in use, so that is good. I am doing more virus scans, I may need to switch to AVG again, I do not think Advira is keeping up, as it let this in to begin with, and did not appear to delete the virus as the popups keep occurring.

By: smitty

smitty — Tue, 04 May 2010 04:04:30 +0000

this also happened to me not more than 30 min ago. my antivirus caught one of them, but two ended up on my system. luckily for me, i have memorized the correct list of processes that should be running on my system, so i found the two viruses right away.

my take home lesson from this is to always trust chrome when it tells me not to visit a site.

By: Sigma

Sigma — Tue, 04 May 2010 03:21:47 +0000

Also check your temp directory for any files created near the time you visited the site. You will see a java_install_reg.log file for the Java exploit along with some hidden files named notepad.exe, win.exe, etc. and some dlls. Also, it installs a proxy on port 5555 so make sure you check your LAN settings for IE and Chrome so that they are not going through any proxy. If you can log out and log back in without any strange popups, I think you are safe.

BTW, I find it ironic that you posted about Chrome’s Security a month ago Though, this isn’t completely Chrome’s fault because it was a crappy plugin that was used as a vector, Chrome still gets some of the blame.

By: Nathan Driskell

Nathan Driskell — Tue, 04 May 2010 02:52:36 +0000

I am doing a full virus scan, found 3 so far. If this occurs, I will reformat. As of 9:50 PM Central time the site still shows up containing malware.

By: Sigma

Sigma — Tue, 04 May 2010 00:49:29 +0000

Also, syfy acknowledges this issue: http://twitter.com/Syfy/status/13329226716