Infection blocked


)James

Recommended Posts

Received the above message when loading Maxthon browser version v4.4.6.200.

My antivirus is Avast and the message read

Infection:JPG:PHPAgent-B [Trj]
Process:C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe
 
I've used Maxthon as my main browser for over a year without a problem does anyone know what this problem is or have had a similar problem?
Suggest this is Hackers Hiding Malicious Code in Exif Data of Images
So does anyone know what's going on
Thanks for any reply james
 
Link to comment
Share on other sites

Hiya James,

Yip same thing here this morning.

Im getting cheesed off with this now. First we had that mystery icon on the speed dial type page which has now disappeared after this recent update ( apparently sorted now as per other thread ). Now we have this trojan being picked up by avast all of a sudden -  JPG:PHPAgent-B [Trj]

https://www.whitefirdesign.com/blog/2014/07/07/hackers-hiding-malicious-code-in-exif-data-of-images/

To be honest. Understandably? my confidence in this browser is quiet low now, especially if logging into sites and/or buying stuff online and/or online banking?

Has it compromised our whole machine at this stage?

 

Link to comment
Share on other sites

Received the above message when loading Maxthon browser version v4.4.6.200.

My antivirus is Avast and the message read

Infection:JPG:PHPAgent-B [Trj]
Process:C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe
 
I've used Maxthon as my main browser for over a year without a problem does anyone know what this problem is or have had a similar problem?
Suggest this is Hackers Hiding Malicious Code in Exif Data of Images
So does anyone know what's going on
Thanks for any reply james
 

Has Avast been updated recently? I suggest you visit their forum or contact them directly. They are usually really quick clearing/correcting false positives.

Link to comment
Share on other sites

Hiya James,

Yip same thing here this morning.

Im getting cheesed off with this now. First we had that mystery icon on the speed dial type page which has now disappeared after this recent update. Now we have this trojan being picked up by avast all of a sudden -  JPG:PHPAgent-B [Trj]

https://www.whitefirdesign.com/blog/2014/07/07/hackers-hiding-malicious-code-in-exif-data-of-images/

To be honest - thats it for me. I cannot use this browser any more, you would be an idiot to do so especially if logging into sites and/or buying stuff online and/or online banking.

Has it compromised our whole machine at this stage?

 

See ya!

Link to comment
Share on other sites

Hey Slank,

Thats a bit trite.

In fact I edited my post to reflect my concern in a better worded way.

It is understandable to be wary or concerned about this. First how were we to know this advert that appeared out of the blue was legit. Now we have this trojan being picked up all of a sudden. Two things like this - one after the other OF COURSE is going to cause concern as we use our browsers with alot of very personal data like logins and online banking. 

Do you think businesses would be confident with usage of Maxthon with this type of activity going on .. I dont think so.

So please, if you are not going to be helpful just dont bother saying anything ... Your "advice" so far seems to based on "Its everyone elses fault and not Maxthons fault". Fine, but thats your opinion which you have every right to. But everyone else has a right to their opinion also like being concerned for there online security. So for the moment I have moved, I have to be careful using browsers & trust antivirus - I cannot afford my paypal or my online banking to be compromised.  A reasonable stance to be taken I should think.

 

Link to comment
Share on other sites

Has Avast been updated recently? I suggest you visit their forum or contact them directly. They are usually really quick clearing/correcting false positives.

Can you say for certain this is a false positive?

I''l contact avast but a I think caution  should be advised until we have knowldge that this is a false positive.

James

Link to comment
Share on other sites

Where are you from?

Recently more and more users complain about viruses in Maxthon. Maxthon does not comment this and does not try to understand the reasons. "This is not our fault". But more and more users write about this. 
Maxthon has very bad reputation in Russia. Because ex-ambassador created fake MX websites and groups and very often post own build of MX with unwanted software there. For example, Avast says that "guards of settings" from Mail.Ru Group and Yandex are malware. What does Maxthon do to stop russian fake groups and websites? Nothing.
More and more users write about build-in DNS Unlocker. What does Maxthon do with this? Nothing again. Just "This is not build in. This is not our fault". What should MX do? They should find the source and protect users. But they just does not try.

So I'm asking: Where are you from?
If another user ask about the same infection we'll know what we should ask him.

*Prt Sc*

Link to comment
Share on other sites

Where are you from?

Recently more and more users complain about viruses in Maxthon. Maxthon does not comment this and does not try to understand the reasons. "This is not our fault". But more and more users write about this. 
Maxthon has very bad reputation in Russia. Because ex-ambassador created fake MX websites and groups and very often post own build of MX with unwanted software there. For example, Avast says that "guards of settings" from Mail.Ru Group and Yandex are malware. What does Maxthon do to stop russian fake groups and websites? Nothing.
More and more users write about build-in DNS Unlocker. What does Maxthon do with this? Nothing again. Just "This is not build in. This is not our fault". What should MX do? They should find the source and protect users. But they just does not try.

So I'm asking: Where are you from?
If another user ask about the same infection we'll know what we should ask him.

*Prt Sc*

I'm from the UK 

James

Link to comment
Share on other sites

Hey guys,

Thanks for reaching out.

I have asked our team to check the issue.

The problem was that our safe url was hacked. Now everything is safe.

One member on the Avast forum provided me with a link to test possible infected URL's 

Here's the link https://www.virustotal.com.

Running the URL test gave the results as :- 


The result is as follows

URL already analysed
This URL was last analysed by VirusTotal on 2015-10-28 09:13:24 UTC, it was first analysed by VirusTotal on 2015-10-28 09:13:24 UTC.

Detection ratio: 0/65

You can take a look at the last analysis or analyse it again now.
The analyse said 

URL Scanner    Result
CloudStat   Clean site
ADMINUSLabs   Clean site
AegisLab WebGuard   Clean site
AlienVault   Clean site
Antiy-AVL   Clean site
Avira   Clean site
Baidu-International   Clean site
BitDefender   Clean site
Blueliv   Clean site
C-SIRT   Clean site
CLEAN MX   Clean site
CRDF   Clean site
Comodo Site Inspector   Clean site
CyberCrime   Clean site
Dr.Web   Clean site
ESET   Clean site
Emsisoft   Clean site
Fortinet   Clean site
FraudScore   Clean site
FraudSense   Clean site
G-Data   Clean site
Google Safebrowsing   Clean site
K7AntiVirus   Clean site
Kaspersky   Clean site
Malc0de Database   Clean site
Malekal   Clean site
Malware Domain Blocklist   Clean site
MalwareDomainList   Clean site
MalwarePatrol   Clean site
Malwarebytes hpHosts   Clean site
Malwared   Clean site
Netcraft   Clean site
OpenPhish   Clean site
Opera   Clean site
PalevoTracker   Clean site
ParetoLogic   Clean site
Phishtank   Clean site
Quttera   Clean site
Rising   Clean site
SCUMWARE.org   Clean site
SecureBrain   Clean site
Spam404   Clean site
SpyEyeTracker   Clean site
Sucuri SiteCheck   Clean site
Tencent   Clean site
ThreatHive   Clean site
Trustwave   Clean site
VX Vault   Clean site
Web Security Guard   Clean site
Websense ThreatSeeker   Clean site
Webutation   Clean site
Wepawet   Clean site
Yandex Safebrowsing   Clean site
ZCloudsec   Clean site
ZDB Zeus   Clean site
ZeroCERT   Clean site
Zerofox   Clean site
ZeusTracker   Clean site
malwares.com URL checker   Clean site
zvelo   Clean site
AutoShun   Unrated site
PhishLabs   Unrated site
Sophos   Unrated site
StopBadware   Unrated site
URLQuery   Unrated site

Link to comment
Share on other sites

Hey Slank,

Thats a bit trite.

In fact I edited my post to reflect my concern in a better worded way.

It is understandable to be wary or concerned about this. First how were we to know this advert that appeared out of the blue was legit. Now we have this trojan being picked up all of a sudden. Two things like this - one after the other OF COURSE is going to cause concern as we use our browsers with alot of very personal data like logins and online banking. 

Do you think businesses would be confident with usage of Maxthon with this type of activity going on .. I dont think so.

So please, if you are not going to be helpful just dont bother saying anything ... Your "advice" so far seems to based on "Its everyone elses fault and not Maxthons fault". Fine, but thats your opinion which you have every right to. But everyone else has a right to their opinion also like being concerned for there online security. So for the moment I have moved, I have to be careful using browsers & trust antivirus - I cannot afford my paypal or my online banking to be compromised.  A reasonable stance to be taken I should think.

 

Trite, perhaps, but you did reword your post.

Advice? How could saying goodbye be considered advice? You had already made up your mind, I was just being sociable. 

I thought my advice to the OP was certainly worthy of consideration. He specifically asked if anyone had ever encountered a similar problem and I responded.

I also thought your post deserved a response.

Link to comment
Share on other sites

Hey guys,

Thanks for reaching out.

I have asked our team to check the issue.

The problem was that our safe url was hacked. Now everything 

Thanking you  BugSir007

Can i ask - while your safe URL remained hacked earlier - Could any of our site logins be compromised by this? 

Link to comment
Share on other sites

Trite, perhaps, but you did reword your post.

Advice? How could saying goodbye be considered advice? You had already made up your mind, I was just being sociable. 

I thought my advice to the OP was certainly worthy of consideration. He specifically asked if anyone had ever encountered a similar problem and I responded.

I also thought your post deserved a response.

Fair enough ... I will admit my original post was not as clear, but this was a sharp reaction .. a ah no, not again. I reworded it,  which i did admit in bold, showing my very reasonable concerns and illustrating why I felt i would have to move away, again all reasonable I would think.

I just found your reply at the time unhelpful, almost nothing could be wrong with Maxthon. Maybe because my original post was mis understood. I assume you are as concerned about security as the rest of us. As it happens BugSir007 has now said our concerns are correct "The problem was that our safe url was hacked".

So - my apologies for the initial bad wording, my edited wording I think explains my very reasonable concerns ..
 

Link to comment
Share on other sites

Thanks for asking.

The issue will not have any effect on you. You site logins are affected.

You might want to clarify that asap as the first part contradicts the second part, and the second part is quite concerning!

 

https://www.whitefirdesign.com/blog/2014/07/07/hackers-hiding-malicious-code-in-exif-data-of-images/

I'm not sure what this URL has anything to do with anything? How is it related to the problem that Avast picked up? did Avast mention that url as suspect? The link is just an article on how hackers are using exif data in images to spread dodgy code? Not sure how that is related to Avast?

 

Link to comment
Share on other sites

 

You might want to clarify that asap as the first part contradicts the second part, and the second part is quite concerning!

 

I'm not sure what this URL has anything to do with anything? How is it related to the problem that Avast picked up? did Avast mention that url as suspect? The link is just an article on how hackers are using exif data in images to spread dodgy code? Not sure how that is related to Avast?

 

sorry, i miseed a "not"...

Link to comment
Share on other sites

I'm wondering what is happening   I note the new beta post at http://forum.maxthon.com/index.php?/topic/17700-maxthon-cloud-browser-for-windows-v448600-beta-released/ mentions, "Fixed malcious webpage leak" in the changelog.

I also note that, the other day maxthon.com was offline for a while.  None of my browsers could log into my Maxthon account for an hour or two.  http://downforeveryoneorjustme.com/ reported that maxthon.com was not accessible from anywhere.  

Just before that, or at about the same time, (can't recall) my Windows User Account Control (UAC) on one of my Windows 7 machines asked me if I wanted Maxthon to make changes to my computer and I reflexively answered, OK.   

Then I wondered.  I checked here and see no reference to the event, but now see this thread.

I swept my machines for bugs and found nothing  but we know that none of the current antiviruses are anywhere near 100% effective in finding bugs.

Can anyone explain exactly what happened?

Link to comment
Share on other sites

 

I also note that, the other day maxthon.com was offline for a while.  None of my browsers could log into my Maxthon account for an hour or two.  http://downforeveryoneorjustme.com/ reported that maxthon.com was not accessible from anywhere.  

 

don't know about the other issues, but about this one, it was a dns error, I could access the forum after I changed the dns settings to fr open root one 

sigmax2.png

Link to comment
Share on other sites

it was a dns error, I could access the forum after I changed the dns settings to fr open root one 

Thanks.  Could have been you did that right when the site came back up. The site I used checked from more than one location and with multiple DNS servers using numeric IPs, I would assume to verify that it was not that sort of local look-up problem.

I wonder if what is posted in the English language forum is much noticed by the developers and server crews. I mentioned some feature issues some time back and they were acknowledged but nothing ever came of them.

Although I appreciate he experience of other users, (Thank you), I'd love to hear from from the Maxthon crew.  I mentioned some feature issues some time back and they were acknowledged but nothing ever came of them.

I also mentioned this just now and that is something about which I see no other mention.

... the new beta post at http://forum.maxthon.com/index.php?/topic/17700-maxthon-cloud-browser-for-windows-v448600-beta-released/ mentions, "Fixed malcious webpage leak" in the changelog.

I wonder if I am posting this in the right place, or if it should be somewhere else or start a new thread?

Link to comment
Share on other sites

it was a dns error, I could access the forum after I changed the dns settings to fr open root one 

Thanks.  Could have been you did that right when the site came back up. The site I used checked from more than one location and with multiple DNS servers using numeric IPs, I would assume to verify that it was not that sort of local look-up problem.

I tried several different dns , google dns did not work, open dns didn't either, fr open root did work, the issue lasted more than half a day and I have been "playing" with thoses dns for quite a while.

Bugsir and bugmiss are present every day and reply to most posts, they relay the bugs and requests to devs, but devs have their own priorities which are not always the same as ours...

 

and well, I don't think there's a better place to post. about the devs... same regret on my side

sigmax2.png

Link to comment
Share on other sites

@7twenty, why did you remove posting privileges from slank?

Edit: Uhm, apparently he's reached his daily limit? What's the limit, 5 posts?????

It was 4 actually, but upped by ody. It's only supposed to be for new users with less than 10 posts, but for some reason it's affecting all (or maybe some) users even with high post counts. Being looked into.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.