Second Life not safe (Virus/Malware/Something else)

[Niuania]

Hello everyone.

I startet on second life three days ago and have allready experianced alot of worrying things in the game and all of this leads me to uninstalling the game on my third day. This makes me very sad, because i allready meet new people wich i have talket with all the time, when i have been online in the game and it hurts to quit the contact with them allready.

 

Now i tell what i experianced and why i had to uninstall the game from Start to finish.

On my first day i was exploring the world and somehow ended up in a place callt ''Canine Cove'' (mature place) explored thoses clubs/bars and walket out and wondered what was down the road from there, at the end of the road there was a house (This is the first time i see  one of these black square's/boxes) When i get near this house i noticee a [black box/square]  pupup for a mili scound up in the left conor of my screen. Inside the house i found a in-game computer wich i clicked on, when i cliked on it i noticed one of these black square boxes again and at this point i tought it was somepart of the secound life game and it was completely normal.

On my secound day i was shoping in a mall named something like Alienmarket i cant remember the exact name, the reason i mention this is because my game crashed two times when i was inside one of these shopping malls

 

The Third day is the Scary one.

On the third day i'm together with one of my new in-game friends and we had to teleport to some place because i forgot to buy a thing for my dress the day before, i tell her to go to the place and send me a teleport because i dont know how to get to that place myself.

I click on the teleport and exactly the same time as when i land there one of these black Square Boxes shows up in the left conor of my screen! and my anti-virus goes in full alarm mode telling me my computer is under Attack! and i look into it and see all red colors because its rated as a High Risk/major attempt at intrusion into my computer!

 

I'm telling my in-game friend whats going on and logging off as fast as possible, shut down my  computer and took a break.

I dont know what to think of it, maybe it was just a freak accident i'm thinking. Maybe it was not related to Second Life i'm thinking. I'm wrong!.

I come back online later and the same friend sends me a teleport to the exact same place as last time and BoOom [Black Square/Box] pupup in the left conor of my screen and my anti-virus program goes Warning your computer is under attack! all over again!

 

I want to hear if you guys playing Second Life has had simmilar experiences, hope the people from Second Life will look into this

I will try to download the game one more time and if something like this happens again i will quit the game for good

[Whirly Fizzle]

I suspect the "black sqaure boxes" are the command console flashing up briefly when you are near media content.
It's annoying but it's not dangerous.
Take a look at the bug report: BUG-11349 - On CEF viewers, the console window that opens on top of the world view should be hidden.

If you switch over to using the Alex Ivy RC viewer, that "bug" is fixed (though technically it's not a bug really).
You can download the Alex Ivy viewer here: https://wiki.secondlife.com/wiki/Release_Notes/Second_Life_Release/5.1.0.511248

Your antivirus was probably complaining each time slplugin is launched by the viewer- a lot of antivirus software flags slplugin.
An slplugin instance will launch each time the viewer needs to load any web component, eg) when viewing user profiles, using search or when there are sources of inworld media.

You should whitelist both slplugin & llceflib_host (another media component antivirus tends to flag) in your antivirus software.
slplugin located inside the viewer install folder & the llceflib_host file is located within the llplugin subfolder.

[Love Zhaoying]

The "black square box" you see popup may actually be part of YOUR anti-virus software.

YOUR anti-virus software may THINK that SL (or some part of SL) is a virus.  That does not mean that SL actually is, however.

Many of us had to add Second Life to the "white list" (ok to run) for our anti-virus software.  This is especially true because Second Life installs a new version automatically when you run it sometimes - and the anti-virus software detects this.

Perhaps someone else would be able to help calm your fears, if they have the same anti-virus software and same experience as you - before they added Second Life as a "safe" program to their anti-virus software.

[LittleMe Jewell]

If your options are set to automatically play music/media then your anti-virus could be responding to whatever url that particular location is using.  Change your settings to not automatically play music or media.

[Chic Aeon]

OR -- you can just disable media in your preference settings and ONLY turn it on when you know you want to actually SEE something that is playing on a screen. 

Just saying LOL. I haven't had my media on automatic for at least five years. 

[Lindal Kidd]

Whatever the cause, it shouldn't make you uninstall Second Life.  While it is possible to contract a virus from media that you access in SL, this is VERY rare (I've been here for 10 years, and never gotten a virus or malware.)  Do check and see if your AV program is warning you about a particular music or media stream.  If that is the case, you may want to try the third party Firestorm viewer, which has a "blacklist" feature that lets you block specific streams.  Download Firestorm here: http://www.firestormviewer.org/

There are some hazards in SL, even though viruses aren't really one of the major ones.  I teach a class on Avatar Safety on Sundays, at 10 am SL Time at Caledon Oxbridge University.  It's free to attend!

[LittleMe Jewell]

5 minutes ago, Niuania said:

More information from Norton:

Risk         Status
High        Blocked
Advanced information
BMI Warning Name: Web Attack Malvertisement Website Redirect 10
Invasive URL: (Can write this if needed)
Network traffic from: onclickprediction.com (not writing the full thing) respond to the signature from a known attack, The attack is due to \Device\Hardiskvolume5\Program Files (86)\SECONDLIFEVIEWER\SLPUGIN.EXE

 

The part I bolded -- SLPLUGIN.EXE - is exactly what Whirly said you need to add to the whitelist -- i.e. tell Norton to IGNORE IT.  

If you want to then add more caution, go into your preferences and set MEDIA to NOT 'auto play'.   You can then turn it on only when you know and trust whatever is there.

[Parhelion Palou]

38 minutes ago, Niuania said:

Thanks very much for all the good feedback guys

 

I looked into the details of what was attacking me and where the attack came from.

This is very Interesting because the IP adress of these attacks came from:  United States, California, Mountain View

I Googled Linden Lab wich is the creator of Second Life and found this information: The company's head office is in San Francisco, with additional offices in Boston, Seattle, Virginia and Davis, California. Its offices in Mountain View, Brighton, Singapore and Amsterdam were closed in 2010.

At first i'm relieved because i see thier office is located in Mountian View wich is the same place as where i tracked the attack to come from, when i read it the secound time i notice thier office at Mountian View closed in 2010 so now i'm thinking what the ***** ?

 

More information from Norton:

Risk         Status
High        Blocked
Advanced information
BMI Warning Name: Web Attack Malvertisement Website Redirect 10
Invasive URL: (Can write this if needed)
Network traffic from: onclickprediction.com (not writing the full thing) respond to the signature from a known attack, The attack is due to \Device\Hardiskvolume5\Program Files (86)\SECONDLIFEVIEWER\SLPUGIN.EXE

 

I want to thank you guys for your comments they brought my fears down and they were very usefull, i'm defenedly open to the idea of its my anti-virus thinking the media stuff is somekind of virus, the part with Mountian View makes me a little nervous due to that place should be closed?

 

I also want to hear you guys thoughts on the information from Norton

 

What happened is you either automatically played or clicked to play something set up as Media-on-a-Prim. When you do that, a copy of slplugin.exe went onto the web to retrieve the content at the URL that was set in the prim. Apparently the website is infected (or deliberately set to be malware) with something from onclickprediction.com. Norton spotted that & flagged slplugin.exe because that's what was being used to get the web content. If you fed the same URL into Firefox or Chrome, Norton would catch it and say it happened in firefox.exe or chrome.exe (whatever the executables are named). It's more likely the website is in Mountain View than slplugin.exe is -- slplugin.exe is running on your computer and doesn't go through Second Life machines.

It's not a good idea to let media run automatically or to click on a media-on-a-prim when you don't know or trust the owner.

 

[Whirly Fizzle]

14 minutes ago, Niuania said:

But i still have one giant question mark over my heard, did my anti-virus program (Norton) warn me purely because it thinks this SLPUGIN.EXE is a Virus (but its not) or did i get redirectet to somewhere when i clicked on something, becuase i see something callt:  onclickprediction.com in my Network traffic and something callt Malvertisement Website Redirect in my BMI Warning

 

I'm not expecting you to be an expert on this, i'm just asking questions that i dont have the asnwer to myself  

In addition to what Parhelion said, it's possible that you do have some malware on your system, the oneclickprediction.com adware & it's able to redirect media on a prim web pages or internal browser web pages, or the login screen, search - anything that renders a web page in the viewer may be getting redirected to oneclickprediction.com, or rather it's trying to & Norton blocks it.

This problem has been seen before with infected systems.
Just to be sure, check your system to make sure you do not have the oneclickprediction.com adware on your system & remove it if it's found.

I also advise you to update to the Alex Ivy RC viewer which uses a much more updated version of CEF (used for media) & is much more secure.

Edited December 14, 2017 by Whirly Fizzle

[Niuania]

Thanks very much for all the good feedback guys

 

I looked into the details of what was attacking me and where the attack came from.

This is very Interesting because the IP adress of these attacks came from:  United States, California, Mountain View

I Googled Linden Lab wich is the creator of Second Life and found this information: The company's head office is in San Francisco, with additional offices in Boston, Seattle, Virginia and Davis, California. Its offices in Mountain View, Brighton, Singapore and Amsterdam were closed in 2010.

At first i'm relieved because i see thier office is located in Mountian View wich is the same place as where i tracked the attack to come from, when i read it the secound time i notice thier office at Mountian View closed in 2010 so now i'm thinking what the ***** ?

 

More information from Norton:

Risk         Status
High        Blocked
Advanced information
BMI Warning Name: Web Attack Malvertisement Website Redirect 10
Invasive URL: (Can write this if needed)
Network traffic from: onclickprediction.com (not writing the full thing) respond to the signature from a known attack, The attack is due to \Device\Hardiskvolume5\Program Files (86)\SECONDLIFEVIEWER\SLPUGIN.EXE

 

I want to thank you guys for your comments they brought my fears down and they were very usefull, i'm defenedly open to the idea of its my anti-virus thinking the media stuff is somekind of virus, the part with Mountian View makes me a little nervous due to that place should be closed?

 

I also want to hear you guys thoughts on the information from Norton

 

[Whirly Fizzle]

38 minutes ago, Niuania said:

I also want to hear you guys thoughts on the information from Norton

False positive.  A lot of antivirus HATES slplugin.exe.
It's been a problem for years.

Edited December 14, 2017 by Whirly Fizzle

[Niuania]

9 minutes ago, LittleMe Jewell said:

The part I bolded -- SLPLUGIN.EXE - is exactly what Whirly said you need to add to the whitelist -- i.e. tell Norton to IGNORE IT.  

If you want to then add more caution, go into your preferences and set MEDIA to NOT 'auto play'.   You can then turn it on only when you know and trust whatever is there.

Thanks for responding so fast LittleMe Jewell

I remembered one of you guys mentioning that SLPUGIN.EXE in the comments thats why i feelt it to be important to show that thing in my last comment.

But i still have one giant question mark over my heard, did my anti-virus program (Norton) warn me purely because it thinks this SLPUGIN.EXE is a Virus (but its not) or did i get redirectet to somewhere when i clicked on something, becuase i see something callt:  onclickprediction.com in my Network traffic and something callt Malvertisement Website Redirect in my BMI Warning

 

I'm not expecting you to be an expert on this, i'm just asking questions that i dont have the asnwer to myself  

 

 

 

[Niuania]

4 minutes ago, Whirly Fizzle said:

In addition to what Parhelion said, it's possible that you do have some malware on your system, the oneclickprediction.com adware & it's able to redirect media on a prim web pages or internal browser web pages, or the login screen, search - anything that renders a web page in the viewer may be getting redirected to oneclickprediction.com, or rather it's trying to & Norton blocks it.

This problem has been seen before with infected systems.
Just to be sure, check your system to make sure you do not have the oneclickprediction.com adware on your system & remove it if it's found.

I also advise you to update to the Alex Ivy RC viewer which uses a much more updated version of CEF (used for media) & is much more secure.

I'm not an expert on malware or viruses, how do i find out its even on my system if Norton does not detect and remove it by Scans, what do you advise me to do? do i have to send my computer to experts

[LittleMe Jewell]

29 minutes ago, Niuania said:

I'm not an expert on malware or viruses, how do i find out its even on my system if Norton does not detect and remove it by Scans, what do you advise me to do? do i have to send my computer to experts

If Norton has a Malware detection within it, then have it do a Full scan if one hasn't been done in a while.  If is has a Malware piece and has full scanned the system recently, then your system is likely fine and it is just the website that the Media was trying to go to.  If Norton does not have a Malware piece - i.e. only Virus protection - then you'll need to download some Malware software.

 

Second note - as to Whirly's recommendation for the Alex Ivy viewer: You can find the download for it on this wiki page:

http://wiki.secondlife.com/wiki/Linden_Lab_Official:Alternate_Viewers

 

Edited December 14, 2017 by LittleMe Jewell

[Lindal Kidd]

I notice that the OP's cut and paste of the Norton report cites the culprit as "SLPUGIN.EXE".  Notice that there is no L in the filename...it's "slpugin", not "slplugin".

If there is indeed a file called "SLPUGIN.EXE" lurking on her system, I'd investigate it very thoroughly, because it may indeed be malware, trying to mask itself as a legitimate piece of the SL viewer software.

You can safely tell Norton to ignore the correct name, SLPLUGIN.EXE.

[Niuania]

On 15/12/2017 at 4:08 AM, Lindal Kidd said:

I notice that the OP's cut and paste of the Norton report cites the culprit as "SLPUGIN.EXE".  Notice that there is no L in the filename...it's "slpugin", not "slplugin".

If there is indeed a file called "SLPUGIN.EXE" lurking on her system, I'd investigate it very thoroughly, because it may indeed be malware, trying to mask itself as a legitimate piece of the SL viewer software.

You can safely tell Norton to ignore the correct name, SLPLUGIN.EXE.

I'm sorry that one was my fault, it was not possible to copy paste the info from Norton so i had to write everything manually, i just miss spelled that part

[Niuania]

Hello everyone i'm back again today, i have done nothing other than scanning , scanning and scanning my my computer the whole weekend with defferent programs and today i was back online in Second Life. My whole day was brilliant for about 4 hours and the exact same thing happened as last time.

I dont even need to write the Norton info about the attack becuase its literally the exact same problem as last time

(right now i feel very frustrated)

[Rolig Loon]

Norton has a reputation for being excessively vigorous about identifying supposed evils.  I gave it up a long time ago myself because I got tired of identifying things to whitelist. If you have whitelisted SLPLUGIN.EXE and all sorts of other SL-related programs and sites and are still having trouble, consider getting a different antivirus package.

[Madelaine McMasters]

I gave up Norton (and then Windows) 17 years ago after two episodes of data corruption on my computers, one so thorough that neither my main HD nor my primary backup were recoverable. The data recovery company in Colorado that unsuccessfully tried to help me opined that Norton was the best thing that ever happened to them. The single biggest cause of data corruption on drives sent to them was... Norton.

[LittleMe Jewell]

Anti-virus programs in general are sometimes a pain with the whitelist stuff.   I was proactive on my new system and just put the entire freakin SL and Firestorm folders in the whitelist.

[Niuania]

39 minutes ago, LittleMe Jewell said:

Anti-virus programs in general are sometimes a pain with the whitelist stuff.   I was proactive on my new system and just put the entire freakin SL and Firestorm folders in the whitelist.

I want to belive that the problem simply is my anti-virus thinking SLPLUGIN.EXE is a virus. But my problem comes when i look at:

BMI Warning Name: Web Attack Malvertisement Website Redirect 10

Network traffic from: onclickprediction.com respond to the signature from a known attack, The attack is due to \Device\Hardiskvolume5\Program Files (86)\SECONDLIFEVIEWER\SLPLUGIN.EXE.

To me it seems like this something is trying to use this SLPLUGIN.EXE and redirect me into something else and attack me that way.

Would calm me down if someone from Second Life could tell me if this onclickprediction.com is somehow related to the Second Life game, but i'm afraid its not.

 

It also rates the attack to be High Risk. What does SLPLUGIN.EXE do since Norton has to rate it that High, it dosnt seem right

[Rolig Loon]

2 minutes ago, Niuania said:

Would calm me down if someone from Second Life could tell me if this onclickprediction.com is somehow related to the Second Life game, but i'm afraid its not.

"Someone from Second Life" is us.  This is a resident-to-resident forum.  Lindens drop by occasionally and they probably glance at what goes on here when they have time, but they rarely comment here.  They will tell you, if they do stop by, that the correct way to submit a performance concern is to file a support case. The category of Technical Support is only available if you are a Premium member, which is one reason why most technical questions end up being addressed here by SL residents who have been in world for a long time and have run into many of the same problems people commonly ask about. If you really want response from Linden Lab, you may want to spend the cash to become a Premium member for a month so that you can file a technical support case.

[Niuania]

2 minutes ago, Rolig Loon said:

"Someone from Second Life" is us.  This is a resident-to-resident forum.  Lindens drop by occasionally and they probably glance at what goes on here when they have time, but they rarely comment here.  They will tell you, if they do stop by, that the correct way to submit a performance concern is to file a support case. The category of Technical Support is only available if you are a Premium member, which is one reason why most technical questions end up being addressed here by SL residents who have been in world for a long time and have run into many of the same problems people commonly ask about. If you really want response from Linden Lab, you may want to spend the cash to become a Premium member for a month so that you can file a technical support case.

I'm sorry Rolig Loon i didn't mean to offend anyone, i just tought Staff members were active on the Forums and answered questions from both premium and non premium players

[LittleMe Jewell]

23 minutes ago, Niuania said:

I want to belive that the problem simply is my anti-virus thinking SLPLUGIN.EXE is a virus. But my problem comes when i look at:

BMI Warning Name: Web Attack Malvertisement Website Redirect 10

Network traffic from: onclickprediction.com respond to the signature from a known attack, The attack is due to \Device\Hardiskvolume5\Program Files (86)\SECONDLIFEVIEWER\SLPLUGIN.EXE.

To me it seems like this something is trying to use this SLPLUGIN.EXE and redirect me into something else and attack me that way.

Would calm me down if someone from Second Life could tell me if this onclickprediction.com is somehow related to the Second Life game, but i'm afraid its not.

 

It also rates the attack to be High Risk. What does SLPLUGIN.EXE do since Norton has to rate it that High, it dosnt seem right

 

LL doesn't control the things that people can put us as Media here and thus folks could have some sort of media that is from sketchy site. 

Thus I will reiterate what has been said a few times -- do not let Media automatically play (or Music, for that matter) and only click on inworld Media when you are fairly sure you can trust the site.  That should solve your issues.

[Rolig Loon]

43 minutes ago, Niuania said:

I'm sorry Rolig Loon i didn't mean to offend anyone, i just tought Staff members were active on the Forums and answered questions from both premium and non premium players

Oh, my.  I doubt that you offended anyone at all. I hope that I didn't accidentally offend you either. 

These forums are hosted and moderated by Linden Lab, and you will indeed see an occasional post by a Linden here and there -- mostly in the technical and Creation forums -- but the Lab doesn't have the time or staff to be actively involved in what goes on here.  In a way, that can be good for everyone. As residents, many of us have more experience in world than many Lindens do, so we can comment on weird things that may have happened years ago. We can also recommend some solutions that would probably not be in the Lab's playbook, like pointing to resources on other sites. The disadvantage, of course, is that we don't have a pipeline to the "official" answers and certainly do not have access to user accounts.  When we reach the limits of what we can do, all that's left is to refer questions to the LL support site.

[Parhelion Palou]

1 hour ago, Niuania said:

Would calm me down if someone from Second Life could tell me if this onclickprediction.com is somehow related to the Second Life game, but i'm afraid its not.

 

Per search, onclickprediction.com tries to place adware on your computer so that it can do pop-up ads. I didn't realize this was still attempted, but the article I read was recent. Norton is stopping it, so that's not a problem. It has nothing to do with SecondLife. You could just as easily hit the same thing when browsing the web. Slplugin.exe isn't doing anything wrong either -- someone has set a bad URL or a URL to an infected website in media-on-a-prim and you're attempting to view it. All slplugin.exe does is retrieve what's at the URL.

As LittleMe said, don't let media play automatically. In Firestorm's Preferences -> Sound & Media -> Media, make sure "Allow media to auto-play" is not checked. The next tab is Music. Make sure "Allow audio streams to auto-play" isn't checked. In LL's viewer's Preferences -> Sound & Media, make sure "Allow media to auto-play" isn't checked.