
Thread: VIRUS WARNING spot thread - PLEASE REPORT ALL OCCURRENCES!

  1. #16
    Team Rick MinionZombie's Avatar
    Super Moderator

    Join Date
    Feb 2006
    Location
    The Mandatorium
    Posts
    24,165
    UK
    Quote Originally Posted by AcesandEights View Post
    For me, the window went to a mozilla warning page such as this (with exception that it listed the offending target address mentioned in my previous post on this topic):



    No additional pop-ups or new windows opened for me.
    That happened pretty much just like the above to the Cyanide & Happiness web comic website - turned out for them it was one of the adverts amongst the selection that rotated around on their website at the time. The offending advert was tracked down and taken out of rotation by them or their advertising people.

    Not sure if that's the case in this ... er ... case, but figured I'd mention it nonetheless.

  2. #17
    Webmaster Neil's Avatar
    Administrator

    Join Date
    Jan 2006
    Location
    nr London
    Posts
    16,282
    England
    Quote Originally Posted by AcesandEights View Post
    That's a proforma example of the warning page substituting a mozilla address in as an example. The one I received listed the offending page as checkwinonlinedotcom

    Which seems to be a fairly notorious attack page from what I've been able to find.
    Well, my advertising company is on the case now...

    So if anyone gets it, please DO post here, preferably with the URL you were redirected to... But whatever you do PLEASE DO post that it happened!

    IT IS VITALLY IMPORTANT ANY SUCH REDIRECTION IS POSTED HERE IN THIS THREAD SO WE CAN BUILD UP A PICTURE OF THE PROBLEM. IF ONLY SO WE KNOW IT IS STILL HAPPENING!
    Look again at that dot. That's here. That's home. That's us. On it everyone you love, everyone you know, everyone you ever heard of, every human being who ever was, lived out their lives. The aggregate of our joy and suffering, thousands of confident religions, ideologies, and economic doctrines, every hunter and forager, every hero and coward, every creator and destroyer of civilization, every king and peasant, every young couple in love, every mother and father, hopeful child, inventor and explorer, every teacher of morals, every corrupt politician, every "superstar," every "supreme leader," every saint and sinner in the history of our species lived there--on a mote of dust suspended in a sunbeam. [click for more]
    -Carl Sagan

  3. #18
    Chasing Prey MoonSylver's Avatar
    Member

    Join Date
    Mar 2006
    Location
    Columbus, Oh
    Age
    54
    Posts
    3,475
    United States
    3:14, closed IE & opened a small window "AV 8 has detected a threat. Click here to begin scanning." When you try to close it, it hijacks to the fake virus scanner. Here is the link for my history it hijacked to:

    http://7a831.trendsecure49.com/xmsps...16a=fzlzvjkfvo

    Did not see which ad was up.

  4. #19
    Inverting The Cross MikePizzoff's Avatar
    Zombie Flesh Eater

    Join Date
    Feb 2006
    Location
    Philadelphia
    Age
    39
    Posts
    4,928
    United States
    Wow, while I went to view THIS thread it re-directed me to: http://febdl.trendsecure50.com/?id=2...30e3a&vb=1&s=1 - I think it was a credit card ad.

  5. #20
    Webmaster Neil's Avatar
    Administrator

    Join Date
    Jan 2006
    Location
    nr London
    Posts
    16,282
    England
    Can I ask you folks to all help out with this issue please? All you have to do is run a single program in the background to help me!

    All it requires is downloading a simple monitoring program called "Fiddler" which tracks all web requests/responses. The plan would then be, when you get a malware redirection, I (or you) can easily look up the request to the advertising feed that produced the advert, and the response that came back to result in the redirection? This would give invaluable information to pinpoint the cause!


    It's very straightforward:-
    1) Download and install Fiddler2 - http://www.fiddler2.com/fiddler2/version.asp
    2) Ensure you run it all the time (or at least while on HPotD).

    That's it!


    Now! If/when you get a malware redirection, before doing anything else, with Fiddler do:-
    File > Export Sessions > All Sessions, and email the file to me. I can then look at the logs myself and get the info


    If you want to look at the problem yourself (not recommended) then:-
     

    1) With the "Find" option along the top row (pair of binoculars next to it), search for "adtechus". This will highlight every request to the advertising feed in yellow (in the left hand window/list).
    2) Find the last one in the list (should be from the host adserver.adtechus.com) and select it, and then in the two right hand windows select "Raw View".
    3) What you'll see is something like this:-
    Code:
    GET http://adserver.adtechus.com/addyn/3.0/5224/1274707/0/225/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1293117691969 HTTP/1.1
    Host: adserver.adtechus.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
    Accept: */*
    Accept-Language: en-gb,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 115
    Connection: keep-alive
    Referer: http://forum.homepageofthedead.com/index.php
    Cookie: JEB2=4BC8D0066E651643ED638F54F00118F9
    Code:
    HTTP/1.0 200 OK
    Connection: keep-alive
    Server: Adtech Adserver
    Cache-Control: no-cache
    Content-Type: application/x-javascript
    Content-Length: 457
    
    document.write("\n");
    document.write("<scr"+"ipt language='javascript'>\n");
    document.write("var rnd = Math.round(Math.random()*10000000);\n");
    document.write("document.write('<IFR' + 'AME FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO WIDTH=728 HEIGHT=90 SRC=http://delb.opt.fimserve.com/adopt/?r=h&l=38a6b579-a36c-4c2f-a05b-66939c8ee57f&sz=728x90&rnd=' + rnd + '></IFR' + 'AME>');\n");
    document.write("</scr"+"ipt>\n");
    document.write("\n");
    4) And now the uber important bit. So the line you're looking at is the request to get the advert. In the left hand window, a line or two down, will now be a response from some 3rd party host (ie: not forum.homepageofthedead.com or adserver.adtechus.com) with the code that actually results in the redirection. This is what we're after! Click on the line(s) and post here the "raw" text from those two right hand windows. Here's an example from an innocent advert (from host delb.opt.fimserve.com):-
    Code:
    GET http://delb.opt.fimserve.com/adopt/?r=h&l=38a6b579-a36c-4c2f-a05b-66939c8ee57f&sz=728x90&rnd=9398942 HTTP/1.1
    Host: delb.opt.fimserve.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-gb,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 115
    Connection: keep-alive
    Referer: http://forum.homepageofthedead.com/showthread.php?18161-VIRUS-WARNING-spot-thread-PLEASE-REPORT-ALL-OCCURRENCES!&p=256837
    Cookie: UI="226c0297c9e673a0e0|99ho8..-5.ty.holfts.f.f@@who@@holfts@@+9_9@@zezgzi yilzwyzmw ornrgvw@@xl_fp@@hlfgs vzhg"; pfuid=ClIoJkvI3MSssGG3hjNHAg==; TRG=MzkuND02MDY2Jg==; SUBHS=||||23.1292963860337; DMEXP=4
    Code:
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    P3P: policyref="http://www.fimserve.com/p3p.xml",CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR DELa SAMa UNRa OTRa IND UNI PUR NAV INT DEM CNT PRE"
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Set-Cookie: SUBHS=||||24.1292963860337; Domain=delb.opt.fimserve.com; Expires=Thu, 30-Dec-2010 15:33:15 GMT; Path=/
    Content-Type: text/html;charset=ISO-8859-1
    Content-Length: 319
    Date: Thu, 23 Dec 2010 15:33:14 GMT
    
    <!-- 10.82.41.221,106899,300407 -->
    <a href="http://www.myspacetv.com/" target="_blank"> <img border="0" src="http://aads.myspacecdn.com/Images/mstv_leader_728x90.gif"></a>
    <script type="text/javascript">var _fanpid="664-000100";</script><script type="text/javascript" src="http://trgj.opt.fimserve.com/fp.js"></script>
    5) Save your logs should they be needed later: File > Export Sessions > All Sessions


    ps: Remember you must be already running Fiddler to get the information we need!

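Added example, not part of the original thread or any poster's own code: a Python sketch of the manual steps in post #20, applied to a capture that has already been reduced to ordered (request URL, response body) pairs. It starts at the last `adserver.adtechus.com` request, follows the hosts each response pulls in, and reports the first host whose response navigates the page away. The `*.example.invalid` hosts and the sample bodies are constructed placeholders, and the navigation patterns checked are an assumption about how such a redirect is written.

```python
import re
from urllib.parse import urlsplit

AD_FEED = "adserver.adtechus.com"  # ad feed host named in the post

# Constructed capture: (request URL, response body) in the order the proxy
# recorded them. The *.example.invalid hosts are placeholders, not real data.
SESSIONS = [
    ("http://forum.homepageofthedead.com/index.php", "<html>forum page</html>"),
    ("http://adserver.adtechus.com/addyn/3.0/5224/1274707/0/225/ADTECH;loc=100",
     r"""document.write("document.write('<IFR' + 'AME WIDTH=728 HEIGHT=90 """
     r"""SRC=http://creative.example.invalid/ad?sz=728x90&rnd=' + rnd + """
     r"""'></IFR' + 'AME>');\n");"""),
    ("http://forum.homepageofthedead.com/images/logo.gif", "GIF89a"),
    ("http://creative.example.invalid/ad?sz=728x90&rnd=9398942",
     "<script>top.location.href='http://landing.example.invalid/?id=1';</script>"),
    ("http://landing.example.invalid/?id=1", "<html>fake scanner page</html>"),
]

URL_RE = re.compile(r"https?://[^\s'\"<>\\]+", re.I)
NAV_RE = re.compile(r"\b(?:top|parent|window)\.location\b|http-equiv=[\"']?refresh", re.I)

def unsplit(body):
    """Join 'IFR' + 'AME'-style split string literals so tags and URLs are whole."""
    return re.sub(r"""(['"])\s*\+\s*\1""", "", body)

def hosts_in(body):
    """Hosts of every absolute URL a response body refers to."""
    return {urlsplit(u).hostname for u in URL_RE.findall(unsplit(body))} - {None}

def ad_chain(sessions):
    """Follow the last ad feed request through the hosts each response pulls in.
    Returns [(host, referenced_hosts, navigates_page)] in capture order."""
    starts = [i for i, (u, _) in enumerate(sessions) if urlsplit(u).hostname == AD_FEED]
    if not starts:
        return []
    wanted, chain = {AD_FEED}, []
    for url, body in sessions[starts[-1]:]:
        host = urlsplit(url).hostname
        if host not in wanted:
            continue  # unrelated traffic interleaved in the capture
        refs = hosts_in(body) - {host}
        wanted |= refs
        chain.append((host, sorted(refs), bool(NAV_RE.search(unsplit(body)))))
    return chain

def first_redirector(chain):
    """First host in the chain whose response navigates the page away, or None."""
    return next((host for host, _, nav in chain if nav), None)

if __name__ == "__main__":
    for host, refs, nav in ad_chain(SESSIONS):
        print(host, "->", refs, "NAVIGATES PAGE" if nav else "")
```

The host returned by `first_redirector` is the session whose raw request and response are worth posting; an innocent creative, like the one quoted in the post, yields a chain with no navigating host.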
  6. #21
    Dead Trancelikestate's Avatar
    Member

    Join Date
    Aug 2006
    Location
    Pittsburgh, Pennsylvania, United States
    Posts
    773
    United States
    Sorry Neil, hadn't looked at this page for a while so I wasn't running Fiddler.

    Anyhow, redirected today to here:
    Last edited by Trancelikestate; 25-Dec-2010 at 05:07 PM. Reason: ...


  7. #22
    Webmaster Neil's Avatar
    Administrator

    Join Date
    Jan 2006
    Location
    nr London
    Posts
    16,282
    England
    Thanks for the report!

    Please do try and run Fiddler! Those logs will be very VERY helpful

  8. #23
    Inverting The Cross MikePizzoff's Avatar
    Zombie Flesh Eater

    Join Date
    Feb 2006
    Location
    Philadelphia
    Age
    39
    Posts
    4,928
    United States
    Wednesday, Dec 29 - 3:35 PM - media forum - http://ggcgl.yourantivirust0.com/?id...30e3a&vb=1&s=1

  9. #24
    Webmaster Neil's Avatar
    Administrator

    Join Date
    Jan 2006
    Location
    nr London
    Posts
    16,282
    England
    ^^ You weren't running Fiddler I assume?

    Can't emphasise how much it would help if someone was just running Fiddler2 when they got a malware redirection. Once it happened, a couple of clicks would then export the logs that could really move this problem forwards!

    ---------- Post added 01-Jan-2011 at 08:17 PM ---------- Previous post was 30-Dec-2010 at 10:27 AM ----------

    Well, judging by reports... It definitely seems to be slowing down?

    But again guys, please do run Fiddler2 for me... The moment you get a redirection you're just 3-4 clicks away from exporting your logs and giving me some super valuable info!

    ---------- Post added 04-Jan-2011 at 02:03 PM ---------- Previous post was 01-Jan-2011 at 08:17 PM ----------

    So guys, reports seem to be dropping off!? No one's simply getting them and ignoring them I hope?

  10. #25
    Dead Rancid Carcass's Avatar
    Member

    Join Date
    Feb 2009
    Location
    Flying blind on a Rocket Cycle
    Age
    48
    Posts
    680
    UK
    This is a wee bit necro but my last two attempts to view the website resulted in a 'web attack: malicious download request 10' warning from my AV software (Norton). Don't know if it's anything to do with the problems I've been having trying to access this site for the last week or so, but I thought I should let you guys know in case there's something sinister afoot. I should point out that it's not trying to redirect me anywhere, just to avoid confusion with the rest of the thread.

  11. #26
    Webmaster Neil's Avatar
    Administrator

    Join Date
    Jan 2006
    Location
    nr London
    Posts
    16,282
    England
    Quote Originally Posted by Rancid Carcass View Post
    This is a wee bit necro but my last two attempts to view the website resulted in a 'web attack: malicious download request 10' warning from my AV software (Norton). Don't know if it's anything to do with the problems I've been having trying to access this site for the last week or so, but I thought I should let you guys know in case there's something sinister afoot. I should point out that it's not trying to redirect me anywhere, just to avoid confusion with the rest of the thread.
    On it! (I had an occurrence yesterday too!)

  12. #27
    Mall Security capncnut's Avatar
    Zombie Flesh Eater

    Join Date
    Aug 2006
    Location
    HELL
    Age
    51
    Posts
    11,974
    England
    Had an occurrence identical to what has been posted here three days ago, yesterday, and upon my return today. I did screen grab but since forgot to post in paint and now is lost. Will screen grab next time it happens.

  13. #28
    through another dimension bassman's Avatar
    Zombie Flesh Eater

    Join Date
    Feb 2006
    Location
    Atlanta
    Posts
    15,229
    United States
    Sorry that I don't have any real information so that you can find it, but I've recently had HPotD go into one of those false "your computer has a virus" pop ups that blanks out the screen and attempts to appear as virus protection. The only way to get out of it is to close the browser. It's happened to me twice in two different locations.

    Like I said....sorry I can't give you any more information on it, but thought I would pass it along.

  14. #29
    Webmaster Neil's Avatar
    Administrator

    Join Date
    Jan 2006
    Location
    nr London
    Posts
    16,282
    England
    Ta. If you can tell me what the adverts are (top & bottom) that might be useful...

  15. #30
    through another dimension bassman's Avatar
    Zombie Flesh Eater

    Join Date
    Feb 2006
    Location
    Atlanta
    Posts
    15,229
    United States
    Quote Originally Posted by Neil View Post
    Ta. If you can tell me what the adverts are (top & bottom) that might be useful...
    I never had a chance to see any of the advertisements. It happened immediately after clicking on "new posts"
