Virus Report from Spell Checker

Started by Mr Edd, April 06, 2011, 04:09:30 AM

Mr Edd

Sorry not sure where to ask this...

My anti virus software (Kaspersky) on my home computer keeps popping up to tell me there is a Trojan horse virus in the spell checker on the forum.

How seriously should I take this please?  Never happened before in over 12 months use, so why should it start now? Is it possible that someone can put a virus on the forum?

I don't use the spell checker on the forum I use the one that comes with Google toolbar so that is another mystery.

Thanks

Edd
I'd be Dyslectic if I could spell ti

Aleksi "Lex" Kilpinen

How did you figure it's the spell checker? I mean, did Kaspersky identify a certain file, and if so which file?
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Mr Edd

Every time I open a window on the forum Kaspersky pops up with the following path...

forumname/forum/themes/default/scripts/spellcheck.js


Only started doing it this morning.  Even now as I opened this window to view your response it does it with the same path.

Thanks for your reply.

Edd

Aleksi "Lex" Kilpinen

So, it does the same on both your own forum AND this site?

I'm pretty sure this site should be clean, and we would have a lot more similar reports if it were infected for real.

You can try on your own forum, to replace the reported file with a clean one from the installation package, and see if it still does the same - if it does it's most likely a false positive for some reason.

Mr Edd

Does even with this forum with the path to simple machines website.  So I guess it may be that Kaspersky is picking something up which needs to be told is actually okay.

Does here even when I refresh this window.

Edd

Aleksi "Lex" Kilpinen

Most probably Kaspersky has updated their virus definitions this morning, and there is an error in there - or it now mistakes the spellcheck.js for some other script for some reason.

I did make a post about this for the team, just so we can look in to this further.

Thanks for letting us know :)

Mr Edd

Yes it does it here too, even now when I clicked reply.  As you say it must be a false positive. I guess Kaspersky has updated and keeps intercepting these scripts.

Thanks for your help.

I will see what I can do at this end and report back later.

Edd

Mr Edd

Sorry for the cross posts but very grateful for the quick assistance.

Thanks

Edd

Aleksi "Lex" Kilpinen

No problem - If we find out something new in relation to this, I'll try to make sure we update this topic as well. :)

Aleksi "Lex" Kilpinen

If you wish to have Kaspersky look in to this, and speed up the process of verifying it as a false positive,
please report it to Kaspersky at http://support.kaspersky.com/virlab/helpdesk.html

feline

I have the error on the files spellchecker.js and script.js ONLY on SimpleMachine.
On both my sites I have no warnings ...
Any thoughts ?

Aleksi "Lex" Kilpinen

No, nothing comes to mind immediately - unless there's some version mismatch there....
I have made a post about this to the team, but no one else has picked up on this so far....

Norv

We are looking into this. Do you have heuristic detection turned on, in Kaspersky?
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

feline

Quote from: Norv on April 07, 2011, 09:01:19 AM
We are looking into this. Do you have heuristic detection turned on, in Kaspersky?

Yes, it's Kaspersky Internet Security 2011 ..

Mr Edd

Just thought I would post an update on this...

I have been in touch with Kaspersky and had numerous emails with their support people.

Each time I went to my forum it would appear.  I created an account for them to login which they did but didn't have any reports for them.  What was strange was it stopped happening to me after a while. I have been a little busy since then so tonight I thought I would pop back in here to let you know.

Guess what it started happening again on this site but it no longer happens on my forum.

I have just taken a screen shot so hope it doesn't upset anyone by posting a link to it here...



Each time I change a page on here I get the above.

Just to repeat I no longer get it on my forum. I told Kaspersky support I would report back to them if it appeared again, but it hasn't on my forum but has on this one.

Go figure???

Very strange.

Edd

Mr Edd

I thought I might post a clearer image of the message I get from Kaspersky.  But when I open the forum page here I get the message and also when I click the reply button it pops up again.

When I tried a few minutes ago my puter crashed and when it rebooted it said the NTLDR was missing.  I unplugged it for a minute and tried again and now it is back up running again so here is the clearer image



I am not sure what is going on and I guess if I keep persevering with this then it may go the same way as my forum and clear itself.

Very strange, as it doesn't happen on my forum now but is still doing it on this one and only with SMF

Edd

feline

Set up your Kaspersky to ask, on each warning, whether you will accept or deny it.
If the alert comes up, accept the warning and all works until you clear your browser cache.

Mr Edd

More strangeness...

I left this window open as I had something to do on the forum.  When I came back I was logged out (the window was still open).  I have just logged back in and now I don't get these messages.

Very strange.

Has someone on the forum logged me out so that I had to log back in again?

Is this what has happened causing the virus messages to stop popping up anymore?

Curiouser and curiouser.

Sorry feline I really didn't understand anything of what you said.

I know I am getting fed up with Kaspersky.

Edd



Mr Edd

I don't believe this it has just started again on my forum and on this site too.


I just want it to stop please pretty please.

Edd

Mr Edd

And now when I click the message it makes this machine crash.  Also when I come back to this forum and my forum I am logged off and I have to log back on.  Same with my forum.  And with other forums I use that are not SMF.  Dunno what is happening there???

Interestingly I have tried it on another computer I have with the same Kaspersky anti virus and it is okay, no messages and no crashes.

My guess is it is something to do with this puter.

Any ideas or should I format it and start again?

Edd

Illori

Since SMF does not directly have anything to do with your anti-virus program you are best to ask them what is going on. Otherwise you need to wait for SMF team members to return to this thread and comment on what may be going on. I know you want this solved quickly but bumping it with comments is not helping the developers look into the issue.

Adish - (F.L.A.M.E.R)

Try disabling Spell check and renaming the file. It might solve it for a while on your forum.

About this forum, we'll check it out.

Mr Edd

I am not bumping this thread I am trying to tell anyone who is interested what is happening.  As I mentioned earlier on I am in constant discussion with Kaspersky support sending the files etc.

I use 6 computers each with a registered version of Kaspersky, and it is happening on all of them. I am typing this on my wife's computer and it is happening on this now. Each time I open SMF on any of these machines I get the messages as posted in the screen shots.

I am very sorry if you find my constant posts frustrating but other than Kaspersky who else can I approach about this?

Thanks for your patience.

I have to go to work today so I will not post again until tonight.

Edd

Aleksi "Lex" Kilpinen

Quote from: Mr Edd on April 08, 2011, 02:23:47 AM
I use 6 computers each with a registered version of Kaspersky, and it is happening on all of them. I am typing this on my wife's computer and it is happening on this now. Each time I open SMF on any of these machines I get the messages as posted in the screen shots.

This to me would pretty much confirm that it is not your puter messing things, but either something in Kaspersky or something in the script in question, or a combination of them.
Are you using heuristics just like feline is? If so, try turning off heuristic detection (if that's an option in the software, I'm not familiar with Kaspersky) as that is usually the biggest cause for false alarms in any AV software.

Aleksi "Lex" Kilpinen

Oh, and if either of you two could post the exact details of what was detected - it could possibly help diagnosing this.

Mr Edd

I saw that but to be honest I haven't a clue what that is???

Quote
Are you using heuristics just like feline is

Just then when I clicked reply it popped up again.  I am still on my wife's puter but it happens on all of them.  I have three computers in my office plus a laptop, this is my wife's in her office and my daughter's laptop.  I bought 6 licences from Kaspersky hence why I have so many I can test from.

I will have to leave for work shortly so I will not be back till tonight.

Thanks for your help.

Edd

Aleksi "Lex" Kilpinen

I just got the latest public version of Spellcheck.js and checked it with VirusTotal
(http://en.wikipedia.org/wiki/VirusTotal.com )

With the following results:

File name:  spellcheck.js
Submission date:  2011-04-08 07:15:34 (UTC)
Current status:  finished
Result:  0/ 42 (0.0%)

Included in the test was Kaspersky 7.0.0.125

Now, I have no access to directly download the version on site to check, but I'd believe it's the same....

Mr Edd

I seriously don't think there is any issue with SMF spell checker.  I think it is to do with Kaspersky and they are looking into it.

I haven't yet been in my office to see if they have been in contact (only just got in and my tea is ready) about this yet. More later me thinks.  <g>

Edd

Astra_200

Exact same thing happened to me at about the same time, both on this and my own forum.

Kaspersky reported - Downloading object containing virus. HEUR Trojan Downloader.Script generic

I downloaded my own /themes/default/scripts/spellcheck.js and /themes/default/scripts/topic.js files, scanned with Kaspersky on my PC and it came back clean.

Cleared my forum and browser cache and have had no error messages since.
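
The check suggested earlier in the thread (compare the flagged script with a clean copy from the installation package) can be done by hash across the whole scripts directory instead of file by file. This is an added example, not part of any post here and not SMF code; the directory layout, file contents and function names are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_trees(clean_root: Path, deployed_root: Path, pattern: str = "*.js") -> dict:
    """Classify deployed files against the clean reference copy from the package."""
    clean = {p.relative_to(clean_root).as_posix(): p for p in clean_root.rglob(pattern)}
    live = {p.relative_to(deployed_root).as_posix(): p for p in deployed_root.rglob(pattern)}
    report = {"modified": [], "missing": [], "unexpected": []}
    for name in sorted(clean.keys() | live.keys()):
        if name not in live:
            report["missing"].append(name)
        elif name not in clean:
            report["unexpected"].append(name)  # file the package never shipped
        elif sha256_of(clean[name]) != sha256_of(live[name]):
            report["modified"].append(name)
    return report


def demo() -> dict:
    """Build two constructed trees: a clean package copy and a changed deployment."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "package/scripts"), Path(tmp, "forum/scripts")
        for root in (clean, live):
            root.mkdir(parents=True)
            (root / "spellcheck.js").write_text("function spellCheck() {}\n")
            (root / "topic.js").write_text("function quickReply() {}\n")
        # Constructed differences: one file gets an extra line, one file is added.
        with (live / "topic.js").open("a") as handle:
            handle.write("// constructed extra line\n")
        (live / "extra.js").write_text("// constructed file not in the package\n")
        return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names or 'none'}")
```

An empty report for a file the antivirus keeps flagging points towards a false positive in the scanner; any entry under modified or unexpected is worth reading before restoring from the package.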


Kindred

As we have said: I believe that some recent update from Kaspersky is now flagging that file as a false positive.

Unfortunately, Kaspersky is the only one who can fix the problem with their program...

Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Mr Edd

Just reporting that it has stopped now on both my forum and this one. Hasn't done it for about 24 hours I think?.

I sent some files off to Kaspersky but had no reply from them as yet (probably cos it's the weekend).

If I get any reply from them I will update this thread.

Edd

Mr Edd

I have just received the following from Kaspersky...

Quote
Hello,
yes, this is good trace log. Thank you!
I've fixed detection, but if it repeats after 24 hours - please, write to us again (with new traces and new copy of detected file in archive with password "infected").
Thank you for your help.
-------------------------------------------
Regards, Ivan *********.
Virus analyst , Kaspersky Lab.

I changed his name to protect the guilty.

I have not had any more problems now for over 48 hours either here or on my forum.  So looks like it has been fixed when they updated.

Thanks for everyone's help on here.

Edd


Astra_200

Mr Edd, nice to know Kaspersky are on the case, thanks for your efforts :)

LexArma, your avatar gives me the creeps, I'm sorry if it's a family member portrait ;D


Astra_200

Quote from: Arantor on April 12, 2011, 06:52:14 PM
It's from a computer game called The Secret of Monkey Island, when the main character is staring at a 'fearsome beast'.

Ah thanks Arantor, that's maybe why it's eerily familiar, whatever happened to Guybrush Threepwood anyway?? :)

Mr Edd

He He He

Thanks for the memories. I played that game for many happy hours too.

I reckon he is still out there fishing


I have no more problems with pop ups anymore.

Edd

Aleksi "Lex" Kilpinen

I've been seeing Guybrush again after so many years lately, it seems he is still the same wannabe pirate he always was :P
