Virus infection in this forum?
Warhero
November 19th, 2017, 11:00 AM
I have noticed for 2-3 days already that every time I come into this forum, my Avast says "Threat blocked, The connection to JS: Miner-C [Tr] is blocked. The site's infection was coinhive.com" and says that you must scan your computer:re:...
Anyone got same message/virus warning here?
Warhero
DRG
November 19th, 2017, 11:06 AM
Not here, and my anti-virus/malware checker tends toward over-aggressiveness
Mobhack
November 19th, 2017, 12:18 PM
I have Avast, and it does not report this. Seems that the problem is at your end somewhere?
It's warning you about some sort of bitcoin miner and it's likely in JavaScript. I'd scan your computer for malware.
Ghostery shows 1 advertising script (nothing to do with yours) - blocked
Privacy badger shows 1 tracker (Newssltest) - Blocked
Ad Block Plus shows 6 advertisements blocked (but won't say what 6)
But JS: Miner-C [Tr] isn't one of them.
Warhero
November 19th, 2017, 01:16 PM
Well, I have run Avast every time and nothing serious found (fortunately)... Btw, it's interesting that this warning comes only here but not in WinSPWW2 forum.
Warhero
Mobhack
November 19th, 2017, 02:01 PM
I checked between the 2 - and on the WW2 forum there was a report of a tracker from "coinhive.com" via privacy badger. Which is worrying. In fact - privacy badger is now showing that site on both forums, not just WW2.
I simply put that on Privacy Badger's block list for now, as it's a tracker and not anything more serious.
DRG
November 19th, 2017, 02:32 PM
Shrapnel has been notified
FASTBOAT TOUGH
November 19th, 2017, 03:49 PM
Now I'm concerned. Has anyone else had issues "bouncing" from thread to thread and seeing the following from... showuptimeexclusivesystem4updates and
freesoftwarestation telling you your flash player needs to be updated? I HAVE MODIFIED THE ABOVE FROM OG ADDY.
I run Bitdefender Total Security Suite 2018, also ran the following: Malwarebytes (Free Version), the new Defender (That was just downloaded with the new OS earlier this week.), MS Malicious Software Tool (Which did find 300+ infected files earlier in the week.), MS Emergency Repair Kit, downloaded AVG (Free) and Roadkiller, all negative EXCEPT as noted but afterwards.
My Bitdefender is blocking and identifying the above as malware. That BITCOIN ISSUE COULD BE A LITTLE MORE SERIOUS THAN NOTED DEPENDING ON WHICH VERSION HAS GOTTEN INTO YOUR SYSTEM. ALSO ZEUS is on the rise again from latest malware reports, they believe due to the holiday season and improved "spoofing" of otherwise legitimate websites.
I would be curious what Shrapnel comes up with, it might just blow my current sense of relief and security. :rolleyes:
Reports,
Pat
:capt:
Suhiir
November 19th, 2017, 07:31 PM
I was getting some pop-ups for a porn/dating site yesterday when I opened these forums, seems to be fixed today.
BUT I'd just updated to the new version of Firefox so I assumed the problem was with Firefox not these forums.
RightDeve
November 19th, 2017, 09:09 PM
Same here too. Mine is advert pop up, but only when using incognito in Chrome for ascertaining whether the image I uploaded shows up correctly. VirusTotal.com, Google Web Safety Checker, and Windows Defender all show negative at the time.
Kinda worried, probably related that the forum has seen a surge of new members, probably spammers with Vietnamese nicknames.
For now only accessing the site with mobile device.
FASTBOAT TOUGH
November 20th, 2017, 02:09 AM
This is just for FYI, just checked my Bitdefender logs the first attack on my system occurred on 17 DEC @ 1036 and was blocked successfully along with 24 others thus far. That would be about normal for me when looking into the site prior to getting ready for work. Just trying to provide some kind of timeline for the "IT" person.
Regards,
Pat
:capt:
geoff
November 20th, 2017, 01:54 PM
I'm also getting reports, from Malwarebytes, whenever I click on the link in the email to come to a thread on WinSPMBT (the only forum I look at).
Malwarebytes is telling me that access to the websites "deloton.com" and "go.pushnative.com" is blocked.
DRG
November 20th, 2017, 05:49 PM
Shrapnel IS looking into this but so far they have not found any malware, but the process is still ongoing. I personally have not seen any of these pop up ads and I'm on and off these forums 10-15 times a day (or more)
redcoat2
November 20th, 2017, 06:39 PM
My anti-virus (Kaspersky Internet Security) throws up a warning every time I visit a page in the forum. It recommends that I close each page I visit.
This information is shown in the report:
Download blocked
http:/forum.shrapnelgames.com/clientscript/vbulletin_read_marker.js?v=381
Object name: HEUR:Trojan.Script.Generic
scorpio_rocks
November 20th, 2017, 10:05 PM
Just started to get the same warnings from Kaspersky:
Download blocked
http: //forum.shrapnelgames.com/clientscript/vbulletin_read_marker.js?v=381
Object name: HEUR:Trojan.Script.Generic
Object: http: //forum.shrapnelgames.com/clientscript/vbulletin_read_marker.js?v=381 Application: Firefox
Object type: Trojan program
Time: 21/11/2017 01:58
This occurs with every page/thread opened in the forum
Warhero
November 21st, 2017, 04:20 AM
Same warning (as earlier) again even today...
DRG
November 21st, 2017, 01:26 PM
They're still looking and as long as people are reporting them I am passing them on.
Warhero
November 23rd, 2017, 04:23 AM
And even today... Nice to see that I'm not the only one who has warnings. Hopefully Shrapnelgames will find a solution someday?
Warhero
Warhero
November 23rd, 2017, 04:49 AM
Btw, I got same message recently in WinSPWW2 forum first time ever...
Warhero
scorpio_rocks
November 23rd, 2017, 05:41 AM
I thought the forums were down yesterday to fix this - apparently not...
DRG
November 23rd, 2017, 11:29 AM
All I can tell you is what I have been told......"[] we have scoured the files – ALL FILES – in the forums and there are no instances of viruses. People should clear their cache and see if they are still having troubles. Andy had mentioned maybe ads showing on our site may cause the trouble. Google and Shrapnel are the only ads allowed on our site. We scanned our ad serving software and no problems there either."
All I can add to that is Andy reports
============
"Cleared cache and closed and reopened firefox.
privacy badger add-on to firefox is still showing the "coinhive.com" tracker (blocked)
No Coin add-on to firefox is still showing that a coin miner has been detected on the site, and blocked"
=============
but from my end I have had NO issues at all using Chrome or Internet Explorer or Edge.... 99% of the time I use Chrome but I tested with the other 2 and same result...nothing
So it still remains a baffling mystery but the attempts to sort it out have not been abandoned
Don
FWIW I have added Privacy Badger to my Chrome and I'll see what pops up..so far nothing at all
Warhero
November 23rd, 2017, 02:23 PM
I cleared Firefox's history today and shut the browser. Then I reopened it and now no warnings here :)... But what will happen tomorrow? No more warnings?
Warhero
DRG
November 23rd, 2017, 03:21 PM
I guess we'll have to wait and see.....nothing is showing up on Badger ATM for me
Dion
November 23rd, 2017, 03:43 PM
This ain't anything new. Happens all the time. Makes me mad. I mean who understands this ****? I bet 99% of all the computer users don't even know what viruses and malware are. I know I don't. How is anybody supposed to act responsible about this, if they don't understand the problem? I wish the ghost of Babe Ruth or some other heavy hitter would knock the internet satellite out of orbit. Hell, I haven't been able to get a new game to load on my machine for about 10 years. I think PC stands for personal confuser not Personal Computer.
Warhero
November 23rd, 2017, 04:44 PM
Unfortunately it came back though I kept problem already solved:(... But main thing is that Avast will block that (trojan?) malware away from my PC. No matter how many times I will see same warning in this forum.
Warhero
RetLT
November 24th, 2017, 03:37 PM
My Norton software has been blocking coinhive.min and cryptonight-asmjs.min for about the last two weeks when I visit the SPMBT or SPWW2 forums.
I am using Microsoft Edge as my browser.
Warwick
November 24th, 2017, 06:07 PM
Coinhive.com is still present, I.P. address 94.130.129.243 also oel1.gq
DRG
November 24th, 2017, 07:21 PM
https://malwaretips.com/blogs/remove-coinhive-miner-virus/
The Coinhive Miner Trojan is commonly bundled with other free programs or browser extensions that you download off of the Internet. Unfortunately, some free downloads do not adequately disclose that other software will also be installed and you may find that you have installed Coinhive Miner without your knowledge.
Once this malicious program or browser extension is installed, the Coinhive Miner will inject an in-browser Monero miner from coin-hive.com/lib/coinhive.min.js, which uses more than 50% of your CPU’s power and graphics cards power. What this means, is that when the miners are running you will find that your computer is running slower and games are stuttering or freezing because the Coinhive Miner Trojan is using your computer’s resources to generate revenue for themselves.
This will cause your CPU to run at very hot temperatures for extended periods of time, which could shorten the life of the CPU.
When infected with the Coinhive Miner, other common symptoms include:
Very high CPU and graphics cards usage
Web browser is using more than 50% of the CPU power
PC connects to coin-hive.com/lib/coinhive.min.js
Windows minimize and maximize slowly, and programs run slower
Programs don’t launch as quickly
General slowness when using the PC or Web Browser
FWIW I have installed Privacy Badger and it and my normal protection software does not report a problem to me...all I have is a mild warning regarding www.newssltest.com
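Added example (not part of the thread, and not Shrapnel's or vBulletin's own code): a site operator's audit of the forum's script files that compares each file against a known-good hash baseline and searches for the hosts and file names the posters' security tools reported above. The `clientscript` directory layout, the `example_menu.js` file and the tampered line are constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hosts and file names reported by posters' security tools in this thread.
INDICATORS = ("coinhive.com", "coin-hive.com", "coinhive.min",
              "cryptonight-asmjs", "deloton.com", "go.pushnative.com")
SCAN_SUFFIXES = {".js", ".php", ".html", ".htm"}
PATTERN = re.compile("|".join(re.escape(i) for i in INDICATORS), re.IGNORECASE)


def build_baseline(root):
    """Map relative path -> SHA-256 for every scannable file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES
    }


def audit(root, baseline):
    """Return sorted (path, reason, detail) findings for the tree under root."""
    root = Path(root)
    current = build_baseline(root)
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append((rel, "unexpected-file", digest))
        elif baseline[rel] != digest:
            findings.append((rel, "modified", digest))
        # String search catches plain references; the hash check above also
        # flags edits whose content has been obfuscated.
        text = (root / rel).read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            match = PATTERN.search(line)
            if match:
                findings.append((rel, "indicator", f"line {lineno}: {match.group(0).lower()}"))
    for rel in baseline.keys() - current.keys():
        findings.append((rel, "missing", baseline[rel]))
    return sorted(findings)


def demo():
    """Constructed sample: baseline a clean tree, tamper with one file, audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "clientscript"
        root.mkdir()
        marker = root / "vbulletin_read_marker.js"
        marker.write_text("function markRead(id) { return id; }\n", encoding="utf-8")
        (root / "example_menu.js").write_text("function menu() {}\n", encoding="utf-8")
        baseline = build_baseline(root)
        # Constructed tampering: one appended line that references the miner URL.
        with marker.open("a", encoding="utf-8") as fh:
            fh.write('var src = "https://coin-hive.com/lib/coinhive.min.js";\n')
        return audit(root, baseline)


if __name__ == "__main__":
    for path, reason, detail in demo():
        print(f"{path}: {reason}: {detail}")
```

A file audit like this only covers what is stored on the web server; script delivered at page-load time by a third-party ad network or pulled from a database template would not appear in it.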
DRG
November 26th, 2017, 04:55 PM
I installed Malwarebytes and now I get a message saying coinhive is being blocked
My contact with Shrapnel tells me
"We are still looking. Three different companies besides us have scanned our site, including Google. No one has found any malware."
so it's being looked into but it's still a mystery
DRG
November 27th, 2017, 09:15 AM
Well now.......this is new
http://forum.shrapnelgames.com/attachment.php?attachmentid=15041&stc=1&d=1511788436
THAT is someone who posts regularly on both forums as Pibwl
http://forum.shrapnelgames.com/attachment.php?attachmentid=15042&stc=1&d=1511788733
DRG
November 27th, 2017, 09:29 AM
and the coinhive IP that shows for me every time I check the forums this morning is
http://forum.shrapnelgames.com/attachment.php?attachmentid=15043&stc=1&d=1511789243
http://forum.shrapnelgames.com/attachment.php?attachmentid=15044&stc=1&d=1511789267
but that changes from day to day
DRG
November 27th, 2017, 09:35 AM
now it's showing a new ISP but still from Kassel Germany
http://forum.shrapnelgames.com/attachment.php?attachmentid=15045&stc=1&d=1511789665
http://forum.shrapnelgames.com/attachment.php?attachmentid=15046&stc=1&d=1511789672
DRG
November 27th, 2017, 09:37 AM
and now a new one from 94.130.90.154......still Kassel Germany
DRG
November 27th, 2017, 11:56 AM
Now it shows the block from 94.130.90.167
Kassel once again
IP: 94.130.90.167
Hostname: static.167.90.130.94.clients.your-server.de
ASN: AS24940
Country: Germany (DE)
Provider: Hetzner Online GmbH
DMA: 0
Latitude: 51.299301147461
Longitude: 9.4910001754761
Area: 0
TimeZone: Europe/Berlin
Continent: EU
DateTime: 2017-11-27 16:54:21
DRG
November 27th, 2017, 02:12 PM
This time 94.130.102.124
guess where.......Kassel
then again 94.130.128.151
Kassel
http://www.ip-tracker.org/blacklist-check.php?ip=94.130.128.151
Blacklist Status: Not Blacklisted
Warhero
November 28th, 2017, 05:05 AM
Hmm, seems that the source of infection is in Germany (Kassel)... Could Shrapnelgames be able to remove the threat from here? Or via German authorities (police for example)?
Warhero
Imp
November 28th, 2017, 06:32 AM
Hmm, seems that the source of infection is in Germany (Kassel)... Could Shrapnelgames be able to remove the threat from here? Or via German authorities (police for example)?
Warhero
And the chances of that being a legit IP address or it actually originating from that country, let alone town, is,
You might win the lottery.
It's not a problem so long as you own decent antivirus software, not nice but will be sorted at some point.
Too politically correct nowadays; the first Kaspersky software I had asked me twice if it could fight back as my computer had been under attack for 3 minutes. As they were originally major hackers, in both cases reported threat disabled & let me continue.
Of course this was banned; you cannot defend your property aggressively.
Mobhack
November 28th, 2017, 12:31 PM
As an experiment I stripped Chrome of all ad blockers and privacy guard extensions then opened up the shrapnel forums with the browser "nekkid".
On opening the task manager, no process was taking any inordinate amount of CPU, whether it was any of the several chrome services running or a.n. other. Active coin miners are supposed to eat CPU cycles - and nothing was doing so.
So my conclusion is that the "threat" was very low - none of Malwarebytes or Spybot Search and Destroy found anything "placed on" my PC either.
So I am perfectly happy to continue on the forums with Firefox with Privacy Badger and Ghostery as usual, and Ad Block Plus of course - otherwise many web pages cannot be seen for intrusive ads! But then - those are the sort of things a sensible web user has added to their browser these days in any case. Nb - those extensions are available for Chrome as well.
mkr8683
November 28th, 2017, 10:54 PM
I'm getting it too.
From Norton -
"JSCoinminer Download 10"
RightDeve
November 28th, 2017, 11:47 PM
CPU usage might be low, but bitcoin miners are known for their use of GPU hardware.
And IP address doesn't mean nothing in this day and age when professional hackers normally use proxies to mask their true origin.
scorpio_rocks
November 29th, 2017, 02:35 AM
RightDeve is correct - miners famously use graphic card processes.
I am still getting a blocked "malicious link" and "malicious webpage" by Kaspersky due to a "Trojan Script" //forum.shrapnelgames.com/clientscript/vbulletin_read_marker.js?v=381 (http://forum.shrapnelgames.com/clientscript/vbulletin_read_marker.js?v=381)
Warhero
November 29th, 2017, 09:42 AM
So, warnings will come every time as I come here until end of world?
Tim Brooks
November 29th, 2017, 04:25 PM
We are still working on this. Probably won't be till end of world. But we have to locate the problem.:hurt:
shahadi
November 29th, 2017, 10:25 PM
We are still working on this. Probably won't be till end of world. But we have to locate the problem.:hurt:
I must say that I do not have any warnings or other thing that would cause a negative experience on the forum. Unfortunately, on my mobile device, I get a number of PUP popups.
On my PC machines I run Comodo Internet Security 10.
scorpio_rocks
November 29th, 2017, 11:49 PM
Just as a FYI - I get the same warnings and blocks from Kaspersky whether using Firefox, IE, Edge or Chrome...
scorpio_rocks
November 30th, 2017, 04:54 AM
Yay! :)
No warnings or blocks today!
zastava128
November 30th, 2017, 06:51 AM
I still get the same warnings as Don. I'm using Malwarebytes.
DRG
November 30th, 2017, 07:54 AM
Today I get no messages if I use Internet Explorer.
If I use Chrome I was still getting the coinhive message so I flushed my cache from Chrome but now I get the coinhive blocked message AND go.pushnative.com has been added.
If I view the site with Edge I'm warned about coinhive, pushnative and now deloton.com
Personally I don't think this is Shrapnel. Why are there different warnings for different browsers...??
Still no warnings about the site using IE.....I think these alert systems are too sensitive
DRG
November 30th, 2017, 08:00 AM
Wonderful........now the blocked messages are showing up in IE
DRG
November 30th, 2017, 12:46 PM
The entire situation is frustrating for us, Shrapnel and everyone using these formations. What I would like to do is resurrect Vlad the Impaler and send him on a mission against malware authors :mean:
DRG
November 30th, 2017, 01:10 PM
INFO found Here (https://www.bleepingcomputer.com/news/security/coinhive-is-rapidly-becoming-a-favorite-tool-among-malware-devs/)
Currently, some experts refer to the technique of hijacking users' browsers for cryptocurrency mining as "cryptojacking."
Some have also predicted the Coinhive cryptojacking disaster. For example, at least two ad blockers have added support for blocking Coinhive's JS library — AdBlock Plus and AdGuard.
In addition, developers have also put together Chrome extensions that scan your browser and terminate anything that looks like Coinhive's miner script — AntiMiner, No Coin, and minerBlock.
While this year might be remembered for the WannaCry and NotPetya ransomware outbreaks and the CCleaner and Equifax breaches, silently, cryptocurrency miners have been one of the most active and prevalent threats.
This past two weeks, Kaspersky reported seeing over 1.65 million computers infected with cryptocurrency mining malware in the first eight months of the year, and IBM also reported a spike in cryptocurrency malware installed on enterprise networks.
Currently, according to the Coinhive team, the library's launch appeared to have exceeded expectations. Even if developed with good intentions, Coinhive's name and reputation is bound to be smeared in the dirt if malware authors continue the trend they're currently on.
I have added No Coin to Chrome. I'll let everyone know if there is a change at my end
DRG
November 30th, 2017, 02:02 PM
I have No Coin AND MinerBlock set up in Chrome now and this session was the first I didn't get a Malwarebytes warning pop up, but be advised Shrapnel is not ignoring this and is in fact making progress sorting out how these are getting in
DRG
November 30th, 2017, 02:06 PM
Logged on again and no pop up warnings....that's twice in a row and a big step forward...
DRG
November 30th, 2017, 02:37 PM
THREE TIMES logging on with no warning pop up......feeling a bit more than cautiously optimistic
DRG
November 30th, 2017, 02:51 PM
DAMN! The warning pop up is back ..but it only happens once now..used to be every time I went to a different subforum.....2 steps forward... one back
scorpio_rocks
November 30th, 2017, 05:53 PM
Bummer - getting Kaspersky warnings again...
same as before every thread or sub forum :(
Mobhack
November 30th, 2017, 08:01 PM
I have seen coinhive come and go today. I bet it's inside some advertisement stream.
shahadi
November 30th, 2017, 10:30 PM
I do not understand what is going on, however a few observations. I run Chrome on my android and yes, I get redirects to advert web sites. However, when I run Opera on my Android device there are no redirects. The difference between Chrome and Opera is the absence of ad blocking in Chrome.
On my PC I run adblocking in Chrome and I am not redirected to other web sites.
Not being satisfied, I ran Malwarebytes and then followed with Hitman Pro. Hitman Pro found a conduit malware app. Otherwise my PC machines were clean except for cookie trackers and PUPs.
Two ways I can think of getting infected: downloading scenarios and maps from the forum or the adverts.
In the past, I would delete tmp files in my appdata/local/temp folder as a routine practice.
Warhero
December 1st, 2017, 05:27 AM
Hmm, now my Avast did not give any warnings ;). I use Mozilla as default (not sure about other Edge/IE)... Btw, seems to be no warnings with WinSPWW2 forum :). Hopefully both forums are "clean" now?
Warhero
Tim Brooks
December 1st, 2017, 06:42 AM
The forums are clean now. If you are still showing warnings you should clear your cache. Sorry for how long this took. We could not find the infections. But finally got this cleaned up.
DRG
December 1st, 2017, 02:57 PM
:party:
jivemi
December 1st, 2017, 08:57 PM
The forums are clean now. If you are still showing warnings you should clear your cache. Sorry for how long this took. We could not find the infections. But finally got this cleaned up.
Thanks for clearing this up. Been out of contact for two weeks, not daring to override Kaspersky's warning, running scans periodically to make sure nothing amiss. No threats detected, but you can't be too careful in cyberspace. Better safe than sorry, no?
vBulletin® v3.8.1, Copyright ©2000-2025, Jelsoft Enterprises Ltd.