Spark
I ran the Anubis report and it's not reporting anything infected. The response you are getting seems to be coming from the YUI interface for the quick reply bar - the presence of a mutex doesn't necessarily mean that it's infected, right?
What worries me about the report is that it seems to be changing proxies.
..
Here's the latest - 4:30 this morning
http://anubis.iseclab.org/?action=result&task_id=10b2ef976db7c6b2431ac21427a3a55b9&format=txt
Dec 19 4:32 am (central)
Summary:
- Changes security settings of Internet Explorer:
This system alteration could seriously affect safety surfing the World
Wide Web.
- Performs File Modification and Destruction:
The executable modifies and destructs files which are not temporary.
- Performs Registry Activities:
The executable creates and/or modifies registry entries.
....
Not sure what you mean by "The response you are getting seems to be coming from the yui interface for the quick reply bar"
The report indicates that Anubis detects the mutex within the code/scripts found at BF or a banner ad, etc.
It has nothing to do with anyone's machine but the one used by Anubis when it scans Bladeforums.
Spark:
the presence of a mutex doesn't necessarily mean that it's infected, right?
It means that Anubis is finding a script that will infect unprotected browsers. It changes security settings in Internet Explorer (among other things).
The "drive-by" infections (usually banner ads) run a script, and will add a proxy to the security settings in IE.
Usually, once you reboot, all internet activity will be through the proxy set up by the individual that coded the ad. Most antivirus pages (Norton, AVG, etc.) will be blocked. The real payload will begin downloading. Task Manager (Ctrl/Alt/Delete) will be disabled, usually any searches will be redirected, and the fake antivirus warnings will continually appear, falsely warning of infected files and prompting for payment.
If you do follow the links in the pop-ups and pay them, they then ding your card 4-5 times.
Anubis is finding this script NOW. As of 4:32 this morning.
As these 0day exploits are found, they're entered into the databases of Google, Malwarebytes, Norton, etc., and warnings will begin blocking BF in Internet Explorer, Firefox, etc.
Turning the warnings off (while the exploit is still found by Anubis) is not a good idea.
Here's an example of what's being done:
http://www.bleepingcomputer.com/forums/topic212841.html
Here's a list of current 0day threats:
http://www.bleepingcomputer.com/forums/forum55.html
You can expect to continue getting warnings from the various cloud-based warning services - even after BF is no longer a danger.
But Anubis found an exploit at 4:32am. This is NOT residual. According to Anubis the code is currently present.
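As an added example (not part of the thread above, not Anubis output, and not anything from Bladeforums), here is a PowerShell triage script for a Windows machine that may have visited the page: it checks the Internet Explorer proxy settings, the Task Manager / registry-editor lockout policies and the hosts file, which are the things the post above describes a drive-by changing. The registry paths and the hosts file location are the standard Windows ones; the list of proxies you expect to see is an assumption and should be set for your own environment. The script only reads; it changes nothing.

```powershell
# Added example: read-only triage for the symptoms described in the post above
# (IE proxy hijack, Task Manager disabled, vendor sites blocked).
# Run in a normal PowerShell session on the suspect machine.

# Assumption: proxies you legitimately expect. Empty means "none expected".
$ExpectedProxies = @()

function Get-IeProxyFindings {
    param([string[]]$AllowedProxies = @())

    $findings = @()
    # Standard WinINET/IE per-user settings key.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue

    if ($p -and $p.ProxyEnable -eq 1 -and ($AllowedProxies -notcontains $p.ProxyServer)) {
        $findings += "ProxyEnable=1 with unexpected ProxyServer '$($p.ProxyServer)'"
    }
    if ($p -and $p.AutoConfigURL) {
        # A PAC script routes traffic just as silently as a fixed proxy; flag it
        # unless your organisation deployed one.
        $findings += "AutoConfigURL set to '$($p.AutoConfigURL)'"
    }

    # Lockout policies (the "Task Manager disabled" symptom), per-user and machine-wide.
    foreach ($hive in 'HKCU', 'HKLM') {
        $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $s = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
        if ($s) {
            if ($s.DisableTaskMgr -eq 1)       { $findings += "$hive DisableTaskMgr=1" }
            if ($s.DisableRegistryTools -eq 1) { $findings += "$hive DisableRegistryTools=1" }
        }
    }
    return $findings
}

function Get-HostsFindings {
    # Fake-AV kits often pin antivirus vendor sites to bogus or loopback addresses
    # so their update/removal pages cannot load. Any active entry that is not the
    # stock localhost mapping is worth a look.
    $findings = @()
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (Test-Path $hosts) {
        foreach ($raw in Get-Content $hosts) {
            $line = $raw.Trim()
            if (-not $line -or $line.StartsWith('#')) { continue }
            $parts = $line -split '\s+'
            if ($parts.Count -ge 2 -and $parts[1] -ne 'localhost') {
                $findings += "hosts entry: $line"
            }
        }
    }
    return $findings
}

$result = @()
$result += Get-IeProxyFindings -AllowedProxies $ExpectedProxies
$result += Get-HostsFindings

if ($result.Count -eq 0) {
    Write-Output 'No proxy hijack, lockout policy or hosts-file indicators found.'
} else {
    Write-Output 'Indicators found:'
    $result | ForEach-Object { Write-Output " - $_" }
}
```

A hit on any of these is a reason to take the machine offline and clean it from known-good media rather than to click anything the pop-ups offer; a clean result only says these particular settings are untouched, not that the box is clean.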