Quote Originally Posted by admin @ May 9 2006, 07:30 PM
Note: There is no virus on the site or server. It has been thoroughly tested by myself, and others in the UK, and different countries.

Your computer has been infected via spoof emails, and is most likely WINFIXER, which is MALWARE, hence adaware, spybot, av will not find it.

The problem is on your own computer & the fix is here,

http://forums.bollyent.com/index.php?showtopic=12084

So are you telling me that all the machines I have used today are infected by that e-mail? Even though the e-mail was seen on only one of the machines, and the attachment was not run to install the Trojan? The only pages that show this behaviour are the Forum and Gallery pages on win2winracing. The only common factor is a visit to these pages on win2winracing.

The e-mail headers show the following routing:

Received: from [66.147.238.53] (helo=host.win2winracing.com) by pih-mxcore09.plus.net with esmtp (PlusNet MXCore v2.00) id 1FdOwf-00038z-Uo for <my-e-mail-address>; Tue, 09 May 2006 10:55:58 +0100

Received: from nobody by host.win2winracing.com with local (Exim 4.44) id 1FdOwZ-0003eW-5L for <my-e-mail-address>; Tue, 09 May 2006 10:55:51 +0100

X-Mailer: IPB PHP Mailer
Message-ID: <E1FdOwZ-0003eW-5L@host.win2winracing.com>

It seems that 66.147.238.53 resolves to both hc1.ded203.com and host.win2winracing.com... So where did the e-mail come from...?

Ivor and Mel

EDIT: I'm still trying to figure out what is going on here... It seems that whenever I connect to win2win, the browser downloads 2 Java files into:

C:\Documents and Settings\Ivor Hutchinson.ROMSDAL.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar

i.e.

count.jar-15d389d-xxxxxxxx.idx
count.jar-15d389d-xxxxxxxx.zip

(xxxxxxxx seems to vary) and AVG reports the ZIP file as being infected.
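
The routing quoted in the post above can be read mechanically. The following is an added example, not part of the original post: it parses the two Received lines exactly as quoted and reports the earliest hop. The function names `hops` and `origin` and the result keys are assumptions made for this illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers exactly as quoted in the post (recipient redacted by the poster).
RAW = """\
Received: from [66.147.238.53] (helo=host.win2winracing.com) by pih-mxcore09.plus.net with esmtp (PlusNet MXCore v2.00) id 1FdOwf-00038z-Uo for <my-e-mail-address>; Tue, 09 May 2006 10:55:58 +0100
Received: from nobody by host.win2winracing.com with local (Exim 4.44) id 1FdOwZ-0003eW-5L for <my-e-mail-address>; Tue, 09 May 2006 10:55:51 +0100
X-Mailer: IPB PHP Mailer
Message-ID: <E1FdOwZ-0003eW-5L@host.win2winracing.com>

"""

# from <src> [(helo=...)] by <host> with <protocol> ... id <queue id>
HOP = re.compile(r"from\s+(?P<src>\S+)(?:\s+\(helo=(?P<helo>[^)]+)\))?"
                 r"\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)"
                 r".*?\bid\s+(?P<id>\S+)", re.S)

def hops(raw):
    """Return the relay hops oldest-first (each MTA prepends its own line)."""
    out = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        clauses, _, stamp = value.rpartition(";")
        m = HOP.search(clauses)
        if not m:
            continue  # unparseable hop: skip it rather than guess
        hop = m.groupdict()
        hop["src"] = hop["src"].strip("[]")
        hop["time"] = parsedate_to_datetime(stamp.strip())
        out.append(hop)
    return out

def origin(raw):
    """Summarise the earliest hop, i.e. where the message entered the mail system."""
    msg, first = message_from_string(raw), hops(raw)[0]
    local = first["proto"] == "local"  # Exim: handed over by a process on that host
    return {
        "host": first["by"],
        "local_submission": local,
        "local_user": first["src"] if local else None,
        # Does the Message-ID embed the same Exim queue id as the first hop?
        "msgid_has_queue_id": first["id"] in (msg["Message-ID"] or ""),
        "mailer": msg["X-Mailer"],
    }

if __name__ == "__main__":
    for h in hops(RAW):
        print(h["time"].isoformat(), h["src"], "->", h["by"], "via", h["proto"])
    print(origin(RAW))
```

Only the topmost Received line was written by the recipient's own mail provider; the lines below it are asserted by the sending side and should be weighed accordingly.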