and now the blog is sick [updated]

I got an email last night about viruses embedded on this site. I noticed yesterday that when I clicked the site on, some weird stuff was happening (like a tiny little box appearing in the upper left corner), but I guess Firefox picked it up before I could see what it was.

As far as I can tell - a) it doesn't happen every time I load the site up. b) I think the person who sent me a mail about getting pop ups has something wrong with her machine and c) whatever this exploit is, it's not doing anything malicious - no redirect, and it's not trying to install anything.

We're going to run a virus scan on our computer and hopefully that will take care of it.

If anyone sees anything funky going on here, please leave a comment as to what you're seeing and what browser you are using. Thanks.

And thanks, WR, for the helpful phone call this morning.

Update: Please see Stacy's comment and instructions here.

There is a reason I have a shrine to her in my bedroom. Ok, several reasons. But her ability to fix every single one of my web-related problems is one of them.


Yup, you've got a Java downloader going on. Trend reports it as JAVA_BYTEVER.A-1 and the actual big nasty as HTML_MHTREDIR.C or .U. See this page for the Trend description and cleaning instructions.

Microsoft also has information about it over here.

I'm gonna wring his neck for doing a hit-and-run on you like that. Fucking QA people--so good at telling you where you went wrong, so lousy at helping one do anything about it.

Unfortunately I'm not much better--beyond telling you to make sure you have the latest security updates and strongly recommending you begin virus scanning your system now, my advice would be: Get Stacy.

(From what I can tell of the Microsoft page Trend Micro sends you to, this was an exploit first detected almost a year ago, with patches released by MS in April 2004. What's up with that?)

I <3 Ilyka.

Java ByteVerify. Tanya and I noticed it on Idol Tongues last night, both scanned, found it, removed it. Removal is as simple as opening your Windoze control panel, selecting Java Plugin control panel (might have to switch to classic view if on XP), clicking the Cache tab, and telling it to Clear the cache.

This little bitch lives in the tmp files, apparently, and clearing that cache removes it.


It'd be best if your virus scanner could tell you exactly which downloader it is, though...Tanya and I just happened to have the same one.

Just for your info, you don't need to go to classic mode in XP. Also, in rare instances (as in my case) you may have more than one Java Plug-In. Make sure you clear both.

However, if you do go into classic mode, there's the Java plugin right there, no irritating flipping through categories to find it. I'm just sayin'.

Hey WR, when you gonna make my PayPal button say "Armstrong Williams Memorial Payola Link"?

I promise I'll let you play with the welder again.

Hey, that's Development's job. If you want QA to do it you're going to have to get the Scope change approved. ;-)

I would suggest that JavaScript (and probably Java) be disabled for the time being. It seems each permalink page has some malicious JavaScript at the top which spawns a 1 pixel by 1 pixel iframe.

Until whatever creepy crawly is removed, disabling JavaScript should prevent any trouble.
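The symptom described in the comment above (script at the top of each permalink page spawning a 1 pixel by 1 pixel iframe) can be checked for from the site owner's side by scanning the saved HTML of each page. The following is an added example, not part of the original post or its comments; the class and function names, the size threshold and the sample page are all constructed for illustration.

```python
import re
from html.parser import HTMLParser

TINY_PX = 1  # frames at or below this many pixels are flagged (assumed threshold)
STYLE_DIM = re.compile(r"(?<![-\w])(?:width|height)\s*:\s*(\d+)\s*(?:px)?\s*(?:;|$)", re.I)
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
SCRIPTED = re.compile(r"<\s*iframe|createElement\(\s*['\"]iframe", re.I)
# Constructed sample page; example.invalid is a placeholder host.
SAMPLE = """<html><body>
<script>document.write('<iframe src="http://example.invalid/x" width=1 height=1></iframe>');</script>
<iframe src="/video" width="400" height="300"></iframe>
<iframe src="http://example.invalid/y" style="width:1px;height:1px"></iframe>
</body></html>"""


class IframeAudit(HTMLParser):
    """Records (line, reason, detail) for frames a visitor would not notice."""
    _in_script = False

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        if tag != "iframe":
            return
        a = {k: v or "" for k, v in attrs}
        style = a.get("style", "")
        # Fold width/height attributes and inline CSS into one string to measure.
        dims = "width:%s;height:%s;%s" % (a.get("width", ""), a.get("height", ""), style)
        if any(int(n) <= TINY_PX for n in STYLE_DIM.findall(dims)):
            self.findings.append((self.getpos()[0], "tiny-iframe", a.get("src", "")))
        elif HIDDEN.search(style):
            self.findings.append((self.getpos()[0], "hidden-iframe", a.get("src", "")))

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive as raw text, so an iframe built by script shows up here.
        if self._in_script and SCRIPTED.search(data):
            self.findings.append((self.getpos()[0], "script-writes-iframe", data.strip()[:60]))


def audit(html):
    parser = IframeAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Run `audit()` over each published page and over the blog templates; a finding that appears in the generated pages but not in the templates means the markup was added after the template was written.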