In the Forum: Audio Discussions
In the Thread: World's Finest Sounding Audio Room
Post Subject: It is not as unfortunate as you wish to make it look.
Posted by Romy the Cat on: 8/28/2007

 Jordi wrote:
I have not been able to respond to all your questions until now because I was infected by a trojan on this site several days ago.  It SUCKS having this happen because it takes radical hours of time to track this crapware down through the Windows tree and in the meantime you get NOTHING DONE.
Actually you did not respond to my question for different reasons. Let's keep the reasons as your “little dirty secret” and let me pretend that I do not know it… Anyhow, let's address the problem of your virus first.
 Jordi wrote:
I got this infection while reading posts on the Playback Listening page, Musician’s ear thread.  My antivirus program alerted me with a pop up that a trojan was being downloaded.  The program did NOT stop the infection.  Since this was the ONLY WINDOW OPEN at the time, it is where the infection occurred.  After running a scan, I learned the details of this trojan:
Object name: systemwin.exe
Object path: C\
Discovery: Trojan horse PSW.Generic5.GOY
Here is more information about this trojan:
Spyware PSW.Lmir.ga Information
Name: Trojan.PSW.Lmir.ga
Category: Password Capturer
Date: 2004-02-05
Dangerous: Yes
Trojan.PSW.Lmir.ga is one of Password Capturer spywares.
Finding it on your computer means that your computer is infected with Password Capturer and crucial data could be endangered or even lost.
This Password Capturer is also known as:
• Trojan Horse - named by Panda.
• Win32.Lemir.N - named by Computer Associates.
• Win32/Lemir!PWS!Trojan - named by Computer Associates.
• Win32/Lemir.N!Trojan - named by Computer Associates.

Well, Jordi, being a software engineer, I accept it as a quite serious accusation toward my site, and since I am personally responsible for my site, then toward me. I do not find it unlikely - I find it absolutely impossible that you were able to get a virus from my web server. All applications that are running on my web server were written by me and I know each single line of the code which is being executed there. Some third-party components that I use are very well regarded in the software community and should not be a source of any problems, not to mention that I have used them countless times for my clients.  Absolutely no menacing code or menacing intentions were ever implemented within my site. There are no installable objects that might be loaded into the user's browser; no “push” techniques are used; there are no active script injections or anything else which might be even potentially dangerous for a visitor. None! Zero!

The web server is also secured. The web server machine is behind a physical firewall with only port 80 open. It runs IIS 5 on W2K Advanced Server with all the latest updates from Microsoft. No one besides me has access to the server and I highly doubt that a visitor is capable of uploading anything menacing. The only uploading which is allowed through IIS is done via 2 image uploading utilities, both of which accept only images. Even the body of the visitor posts can’t contain any injection script, as I implemented a long time ago code that would kill it.

Furthermore, after reading your post I installed on my web server the Symantec Antivirus Corporate Edition (that is running in the rest of my network), got the latest updates and scanned all drives of my web server. Of course I found nothing. I ran some intrusion detection packages and some anti-worms-Trojan-zombies-Spyware tools; nothing was found.  Why do you think I would need a virus sitting on my web server if I personally access my website sometimes dozens of times per day, using my site pretty much as my public notebook?  I did not see any viruses, nor has anyone else ever reported any suspicious activities on my website...

So, I sincerely feel that your accusations are not warranted; at least I do not see any rationale for myself to worry and to look further. Anyhow, if anyone ever detects any unconventional, virus-like behavior (Hey, we run Microsoft!) that might be associated with my site then please inform me. By the way, why do I ask people to inform me and why do I reject your, Jordi, “attempt” to inform me? Read my further explanations.

 Jordi wrote:
The exe was sitting in the DirectX folder.  I rebooted in safe mode and deleted the exe.  Unfortunately though, due to the fact that this trojan is sitting on the goodsoundclub site, I can not afford the time or the aggravation to visit again. Please do not ask at software engineer any more details about it because I have listed them all and besides, I do not want to come to this site again and risk reinfection ever again unless the webmaster can get it OFF THIS SITE! Best of luck to you all who stay behind!
A little knowledge is a dangerous thing, Jordi. There is no DirectX folder at the goodsoundclub domain and there are no executables available for downloading. Besides, if somebody offered you an executable file to download from a site during your browsing, then you would be a complete fool to allow it. Anyhow, you shared with me your “little knowledge” about my site; let me explain to you how you actually got your virus (if you did in fact). Not particularly because I am willing to help you, but because the unfortunate little knowledge is the source of big and damn accusations…

You made 5 posts at this site and all of them came from different IP addresses. The geography of those addresses however is very fascinating: Saudi Arabia, Belarus, Denver, Peru and Poland. Unless you are an airline pilot, you have a hell of a lot of traveling to do with your computer, and then I understand why you were so busy during your “day-time job”.  I do not know how you were able to fight with your infested home PC in Bethlehem, Pennsylvania and at the same time make a post from:

Network of Coditel Internet Corporation (9212.76.224.165) that is located according to my log file in Belgium, Brussels (Brussels Hoofdstedelijk Gewest).

So, the only plausible explanation would be that while visiting my site you used proxy services. Well, what your motivation was to hide yourself behind an anonymous proxy service I do not know – I do not care – what you say is an indication of what you are, and that is what matters. However, there is a minor technical aspect in this story. My site, in order to post (pretty much as any other site out there), requires enabling JavaScript (to use the JavaScript-driven textbox editor). Here your “anonymity” played a bad game with you. The web-based proxy services are notoriously dangerous as they append your HTTP request and your response object with any crap you might imagine… It happens that I know anonymous proxies well, as I have used them for years at AA, and I have witnessed multiple times very menacing actions from web proxies. When I use them I apply a lot of attention and knowledge, and I VERY selectively allow them to run JavaScript in my browser. BTW, if I were you, considering that you are a pilot-musician but not a software person and since you hardly know what you do with computers, then I would not risk using JavaScript-enabled web-based anonymous proxies with your IE6 browser – it is a quite vulnerable browser.

So, Jordi, this is where it brings us. Your accusations about a virus at my site are fantasies, or perhaps the accusations are your demonstration of the “special intention”. If you are not willing to post here then it is fine; you did not post anything that I found stimulating for myself anyhow. If you still intend to post or visit this site then you might do so, but please do not use trickery, as it is 1) unnecessary, 2) will backfire on yourself. I did extend you all courtesy at this site and have extended you all credit, waiting for when you would make yourself look ridiculous… it did not take long.

I intentionally do not move your post and my reply to the site’s support forum as it has nothing to do with the site but rather has a lot to do with YOU. Have a good evening…

Romy the Cat

PS: BTW, I just ran some queries. Your post from 8/24/2007 7:10:00 PM was made from 152.31.229.186, which belongs to: Chase, United States, North Carolina Research and Education Network. I do not think any further comments are necessary:

http://www.google.com/search?q=152.31.229.186

I hate to be right... again...
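As an added illustration (not part of this post or the site's own code) of the log check the reply above relies on: a small Python script that flags a poster whose messages arrive from several countries, or hop between countries within a short window, which is the usual sign of posting through anonymous proxies. The log format, the author names and every entry are constructed for the example; a real web server log would need its own parser and a GeoIP lookup to supply the country column.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample post log (format is an assumption for this example, not a real IIS log):
# <ISO timestamp> <author> <client IP> <ISO country code from a GeoIP lookup>
POST_LOG = """\
2007-08-20T09:12:00 jordi 203.0.113.7 SA
2007-08-21T18:40:00 jordi 198.51.100.21 BY
2007-08-22T07:05:00 jordi 192.0.2.44 US
2007-08-23T22:30:00 jordi 203.0.113.99 PE
2007-08-24T19:10:00 jordi 198.51.100.200 PL
2007-08-24T20:00:00 romy 192.0.2.10 US
2007-08-25T08:00:00 romy 192.0.2.10 US
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}) ([A-Z]{2})$")

def parse_log(text):
    """Return (timestamp, author, ip, country) tuples sorted by time; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, author, ip, cc = m.groups()
            rows.append((datetime.fromisoformat(ts), author, ip, cc))
    return sorted(rows)

def proxy_indicators(rows, min_countries=3, window_hours=48):
    """Flag authors seen from >= min_countries countries, or hopping between countries
    within window_hours (an 'impossible travel' hint). Returns {author: [reasons]}."""
    by_author = defaultdict(list)
    for ts, author, ip, cc in rows:
        by_author[author].append((ts, ip, cc))
    findings = {}
    for author, posts in by_author.items():
        reasons = []
        countries = {cc for _, _, cc in posts}
        if len(countries) >= min_countries:
            reasons.append(f"{len(countries)} countries: {sorted(countries)}")
        # posts are already time-ordered, so consecutive pairs are consecutive posts
        for (t1, _, c1), (t2, _, c2) in zip(posts, posts[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            if c1 != c2 and hours <= window_hours:
                reasons.append(f"{c1}->{c2} in {hours:.1f}h")
        if reasons:
            findings[author] = reasons
    return findings

if __name__ == "__main__":
    for author, reasons in proxy_indicators(parse_log(POST_LOG)).items():
        print(author, reasons)
```

A single flagged author is an indicator to follow up on (shared accounts and travel exist), not proof on its own.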
