VIRUS WARNING spot thread - PLEASE REPORT ALL OCCURRENCES!



MikePizzoff
07-Dec-2010, 05:27 AM
Spotted this one at 12:25 AM (Eastern Time) on Tuesday, Dec 7. It attempted to redirect me to this website: http://checkwinonline.com/fps/q=jy7lno3o before my computer caught it.

Danny
07-Dec-2010, 05:29 AM
If the page is loading slow in Safari, it shows in the history that each time I refresh the homepage it's also taking me to another website as well that I cannot go to if I click on it in history; it just shows a visit registered there in the browser history. That's dodgy, but considering most ads pay per click on them, it's possible that's how some folks get it to count maybe, and that's what's setting them off?

bassman
10-Dec-2010, 02:02 PM
Same thing happened to me while in Neil's thread about the dog beating. http://checkwinonline.com/fps/q=jy7lno3o

9:01 am Eastern

BillyRay
11-Dec-2010, 03:24 PM
Sat. Morning - was reading and new-tabbing threads just now.

From the Spider reboot thread was bopped over to the malware site again,

http://pongeey.cz.cc/a111518/?u=37&t=1

And today, directed from the Jeffrey DeMunn Interview:

http://16792.pureguard35.com/xmsps/?f07=zjjkef&e3da9ffd=fofpoflzjo&8fe8d9fd=fzlzzwkkpl

ProfessorChaos
14-Dec-2010, 01:34 AM
just got the "reported attack page.....check winonline" message as i jumped to the "new posts" tab.

deadpunk
14-Dec-2010, 11:06 PM
Just now while reading something on the old forums :shifty:

Neil
15-Dec-2010, 08:21 PM
Seems we're not alone!

http://www.abovetopsecret.com/forum/thread635532/pg2

http://www.hockeyfights.com/forums/f28/just-got-security-warning-150631/

http://boards.straightdope.com/sdmb/showthread.php?t=586697

Can I ask a favour! I fear it's an advert that does this? Would you agree with this? So if you get it again, can you make a note of the advert displayed on the page at the time? Or does it redirect the entire page from this site elsewhere?

BillyRay
16-Dec-2010, 06:58 PM
Can I ask a favour! I fear it's an advert that does this? Would you agree with this? So if you get it again, can you make a note of the advert displayed on the page at the time? Or does it redirect the entire page from this site elsewhere?

Alright. Just now. Hadn't even signed in, was redirected to the "your computer has a virus" screen.

Got a quick glance, just barely, of the banner ad atop the page at the time - didn't get the sponsor, but it has a blond woman with glasses at the left hand side. I hope that this helps.

Neil
16-Dec-2010, 09:19 PM
Can I ask that any individual suffering from this gives me the following information:-
1) What happened? Most people for example seem to be opening up a page on HPotD, to only then find their page completely redirected off to another site. Can you specify if you were taken off to another page, or if not, what? eg: A pop up with HPotD still in your browser window?
2) The exact URL of the site you were redirected to?
3) Any glimpse of what the advert was showing when you were redirected off?

ps: I'm in communication now with the advertising company about this. But the more information the better!

deadpunk
17-Dec-2010, 03:14 AM
for me, HPotD completely closes, then a tiny box opens disclaiming that a threat was found. Next a 'windows' screen opens and begins trying to download software onto my computer. I've always closed it in such a haste that I have never seen the url. Sorry.

Neil
17-Dec-2010, 03:45 PM
So your main browser (at HPotD) closes, and you're left with a smaller pop up window (browser) at the redirected site?

Well, when it happens, if people can please supply the information I asked for, that would be most useful.

AcesandEights
17-Dec-2010, 04:01 PM
For me, the window went to a Mozilla warning page such as this (with the exception that it listed the offending target address mentioned in my previous post on this topic):

http://farm4.static.flickr.com/3191/2671676339_39d221029f.jpg

No additional pop-ups or new windows opened for me.

Neil
17-Dec-2010, 04:15 PM
^^ That's not very good surely? It doesn't tell the site/URL it was reporting?

AcesandEights
17-Dec-2010, 04:20 PM
^^ That's not very good surely? It doesn't tell the site/URL it was reporting?

That's a pro forma example of the warning page, substituting a Mozilla address in as an example. The one I received listed the offending page as checkwinonlinedotcom

Which seems to be a fairly notorious attack page from what I've been able to find.

bassman
17-Dec-2010, 04:21 PM
I think it's safe to say that the checkwinonline website is the problem. But what ad? I don't think anyone has had time to see it. :confused:

MinionZombie
17-Dec-2010, 05:42 PM
For me, the window went to a Mozilla warning page such as this (with the exception that it listed the offending target address mentioned in my previous post on this topic):

http://farm4.static.flickr.com/3191/2671676339_39d221029f.jpg

No additional pop-ups or new windows opened for me.

That happened pretty much just like the above to the Cyanide & Happiness web comic website - turned out for them it was one of the adverts amongst the selection that rotated around on their website at the time. The offending advert was tracked down and taken out of rotation by them or their advertising people.

Not sure if that's the case in this ... er ... case, but figured I'd mention it nonetheless.

Neil
17-Dec-2010, 09:39 PM
That's a pro forma example of the warning page, substituting a Mozilla address in as an example. The one I received listed the offending page as checkwinonlinedotcom

Which seems to be a fairly notorious attack page from what I've been able to find.
Well, my advertising company is on the case now...

So if anyone gets it, please DO post here, preferably with the URL you were redirected to... But what ever you do PLEASE DO post that it happened!

IT IS VITALLY IMPORTANT ANY SUCH REDIRECTION IS POSTED HERE IN THIS THREAD SO WE CAN BUILD UP A PICTURE OF THE PROBLEM. IF ONLY SO WE KNOW IT IS STILL HAPPENING!

MoonSylver
18-Dec-2010, 08:34 PM
3:14, closed IE & opened a small window "AV 8 has detected a threat. Click here to begin scanning." When you try to close it, it hijacks to the fake virus scanner. Here is the link for my history it hijacked to:

http://7a831.trendsecure49.com/xmsps/?a169=zjjkef&7d71=ffjzowfvwo&1f7416a=fzlzvjkfvo

Did not see which ad was up.

MikePizzoff
18-Dec-2010, 09:07 PM
Wow, while I went to view THIS thread it re-directed me to: http://febdl.trendsecure50.com/?id=2003&sz=6ae630e3a&vb=1&s=1 - I think it was a credit card ad.

Neil
23-Dec-2010, 03:31 PM
Can I ask you folks to all help out with this issue please? All you have to do is run a single program in the background to help me!

All it requires is downloading a simple monitoring program called "Fiddler" which tracks all web requests/responses. The plan would then be, when you get a malware redirection, I (or you) can easily look up the request to the advertising feed that produced the advert, and the response that came back to result in the redirection. This would give invaluable information to pinpoint the cause!


It's very straightforward:-
1) Download and install Fiddler2 - http://www.fiddler2.com/fiddler2/version.asp
2) Ensure you run it all the time (or at least while on HPotD).

That's it!


Now! If/when you get a malware redirection, before doing anything else, with Fiddler do:-
File > Export Sessions > All Sessions, and email the file to me. I can then look at the logs myself and get the info :)


If you want to look at the problem yourself (not recommended) then:-

1) With the "Find" option along the top row (pair of binoculars next to it), search for "adtechus". This will highlight every request to the advertising feed in yellow (in the left hand window/list).
2) Find the last one in the list (should be from the host adserver.adtechus.com) and select it, and then in the two right hand windows select "Raw View".
3) What you'll see is something like this:-

GET http://adserver.adtechus.com/addyn/3.0/5224/1274707/0/225/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1293117691969 HTTP/1.1
Host: adserver.adtechus.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: */*
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://forum.homepageofthedead.com/index.php
Cookie: JEB2=4BC8D0066E651643ED638F54F00118F9



HTTP/1.0 200 OK
Connection: keep-alive
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 457

document.write("\n");
document.write("<scr"+"ipt language='javascript'>\n");
document.write("var rnd = Math.round(Math.random()*10000000);\n");
document.write("document.write('<IFR' + 'AME FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO WIDTH=728 HEIGHT=90 SRC=http://delb.opt.fimserve.com/adopt/?r=h&l=38a6b579-a36c-4c2f-a05b-66939c8ee57f&sz=728x90&rnd=' + rnd + '></IFR' + 'AME>');\n");
document.write("</scr"+"ipt>\n");
document.write("\n");

4) And now the uber important bit. So the line you're looking at is the request to get the advert. In the left hand window, a line or two down, will now be a response from some 3rd party host (ie: not forum.homepageofthedead.com or adserver.adtechus.com) with the code that actually results in the redirection. This is what we're after! Click on the line(s) and post here the "raw" text from those two right hand windows. Here's an example from an innocent advert (from host delb.opt.fimserve.com):-

GET http://delb.opt.fimserve.com/adopt/?r=h&l=38a6b579-a36c-4c2f-a05b-66939c8ee57f&sz=728x90&rnd=9398942 HTTP/1.1
Host: delb.opt.fimserve.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://forum.homepageofthedead.com/showthread.php?18161-VIRUS-WARNING-spot-thread-PLEASE-REPORT-ALL-OCCURRENCES!&p=256837
Cookie: UI="226c0297c9e673a0e0|99ho8..-5.ty.holfts.f.f@@who@@holfts@@+9_9@@zezgzi yilzwyzmw ornrgvw@@xl_fp@@hlfgs vzhg"; pfuid=ClIoJkvI3MSssGG3hjNHAg==; TRG=MzkuND02MDY2Jg==; SUBHS=||||23.1292963860337; DMEXP=4


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://www.fimserve.com/p3p.xml",CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR DELa SAMa UNRa OTRa IND UNI PUR NAV INT DEM CNT PRE"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SUBHS=||||24.1292963860337; Domain=delb.opt.fimserve.com; Expires=Thu, 30-Dec-2010 15:33:15 GMT; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 319
Date: Thu, 23 Dec 2010 15:33:14 GMT

<!-- 10.82.41.221,106899,300407 -->
<a href="http://www.myspacetv.com/" target="_blank"> <img border="0" src="http://aads.myspacecdn.com/Images/mstv_leader_728x90.gif"></a>
<script type="text/javascript">var _fanpid="664-000100";</script><script type="text/javascript" src="http://trgj.opt.fimserve.com/fp.js"></script>

5) Save your logs should they be needed later: File > Export Sessions > All Sessions

ps: Remember you must be already running Fiddler to get the information we need!
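The same triage, written out as an added example (not from the thread and not part of Fiddler): a Python script that works over sessions pasted from Fiddler's Raw view as (request, response) text pairs, finds the "adtechus" feed requests, pulls the creative host out of the IFRAME SRC the feed's document.write() emits, and then reports every session from that third-party host along with anything in its response that moves the browser elsewhere (a 3xx Location header, a JavaScript location change, or a meta refresh). The adtechus and fimserve sessions mirror the innocent example above; the second ad slot, the *.invalid hosts and the redirecting responses are constructed placeholders, and the session tuple format, regexes and function names are this example's own assumptions.

```python
"""Triage raw Fiddler sessions as described above: locate the ad-feed request,
learn which third-party host it hands off to, then flag third-party responses
that redirect. Sample sessions are constructed; *.invalid hosts are placeholders."""
import re
from urllib.parse import urlparse

# Hosts that belong to the site or its ad feed; anything else is "third party".
FIRST_PARTY = {"forum.homepageofthedead.com", "adserver.adtechus.com"}

# Each session is (raw request, raw response), as shown in Fiddler's Raw view.
SESSIONS = [
    ("GET http://forum.homepageofthedead.com/index.php HTTP/1.1\n"
     "Host: forum.homepageofthedead.com",
     "HTTP/1.1 200 OK\nContent-Type: text/html\n\n<html>forum page</html>"),
    # Ad feed: its JavaScript writes an IFRAME pointing at the creative host.
    ("GET http://adserver.adtechus.com/addyn/3.0/5224/1274707/0/225/ADTECH;misc=1 HTTP/1.1\n"
     "Host: adserver.adtechus.com\nReferer: http://forum.homepageofthedead.com/index.php",
     "HTTP/1.0 200 OK\nContent-Type: application/x-javascript\n\n"
     "document.write('<IFR' + 'AME WIDTH=728 HEIGHT=90 "
     "SRC=http://delb.opt.fimserve.com/adopt/?r=h&sz=728x90&rnd=' + rnd + '></IFR' + 'AME>');"),
    # Innocent creative, modelled on the fimserve example in the post.
    ("GET http://delb.opt.fimserve.com/adopt/?r=h&sz=728x90&rnd=9398942 HTTP/1.1\n"
     "Host: delb.opt.fimserve.com\nReferer: http://forum.homepageofthedead.com/index.php",
     "HTTP/1.1 200 OK\nContent-Type: text/html;charset=ISO-8859-1\n\n"
     '<a href="http://www.myspacetv.com/" target="_blank">'
     '<img src="http://aads.myspacecdn.com/Images/mstv_leader_728x90.gif"></a>'),
    # Second ad slot (constructed): the feed hands off to a placeholder network.
    ("GET http://adserver.adtechus.com/addyn/3.0/5224/1274707/0/225/ADTECH;misc=2 HTTP/1.1\n"
     "Host: adserver.adtechus.com\nReferer: http://forum.homepageofthedead.com/index.php",
     "HTTP/1.0 200 OK\nContent-Type: application/x-javascript\n\n"
     "document.write('<IFR' + 'AME WIDTH=728 HEIGHT=90 "
     "SRC=http://creative.adnetwork-example.invalid/serve?c=7&rnd=' + rnd + '></IFR' + 'AME>');"),
    # Constructed bad creative: a script that moves the top window elsewhere.
    ("GET http://creative.adnetwork-example.invalid/serve?c=7&rnd=4242 HTTP/1.1\n"
     "Host: creative.adnetwork-example.invalid\nReferer: http://forum.homepageofthedead.com/index.php",
     "HTTP/1.1 200 OK\nContent-Type: text/html\n\n"
     '<script>top.location.href="http://scanner.placeholder.invalid/?id=1";</script>'),
    # Constructed follow-on hop: a plain HTTP redirect to the landing page.
    ("GET http://scanner.placeholder.invalid/?id=1 HTTP/1.1\n"
     "Host: scanner.placeholder.invalid\n"
     "Referer: http://creative.adnetwork-example.invalid/serve?c=7&rnd=4242",
     "HTTP/1.1 302 Found\nLocation: http://landing.placeholder.invalid/scan\n\n"),
]

IFRAME_SRC = re.compile(r"""SRC=['"]?(https?://[^\s'">]+)""", re.IGNORECASE)
BODY_REDIRECTS = [
    ("js-location", re.compile(r"""(?:top|window|self|document)\.location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")),
    ("js-replace", re.compile(r"""location\.replace\(\s*['"]([^'"]+)['"]""")),
    ("meta-refresh", re.compile(r"""http-equiv=['"]refresh['"][^>]*url=([^'">\s]+)""", re.IGNORECASE)),
]


def parse_message(text):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def find_redirect(response):
    """Return (kind, destination) if the response sends the browser elsewhere, else None."""
    start, headers, body = parse_message(response)
    status = int(start.split()[1])
    if 300 <= status < 400 and "location" in headers:
        return "location-header", headers["location"]
    for kind, pattern in BODY_REDIRECTS:
        match = pattern.search(body)
        if match:
            return kind, match.group(1)
    return None


def triage(sessions, feed_marker="adtechus"):
    """Steps 1-4 of the post: find feed requests, learn which third-party hosts they
    hand off to, and report every session from (or referred by) those hosts."""
    creative_hosts = set()
    for request, response in sessions:
        if feed_marker in host_of(request.split()[1]):
            body = parse_message(response)[2]
            creative_hosts.update(host_of(m.group(1)) for m in IFRAME_SRC.finditer(body))
    findings = []
    for index, (request, response) in enumerate(sessions):
        start, headers, _ = parse_message(request)
        host = host_of(start.split()[1])
        if host in creative_hosts or host_of(headers.get("referer", "")) in creative_hosts:
            findings.append({"session": index, "host": host, "redirect": find_redirect(response)})
    return findings


def suspicious_hosts(findings):
    """Redirect destinations outside the site and its feed: the hosts worth posting."""
    return {host_of(f["redirect"][1]) for f in findings
            if f["redirect"] and host_of(f["redirect"][1]) not in FIRST_PARTY}


if __name__ == "__main__":
    results = triage(SESSIONS)
    for finding in results:
        print(finding)
    print("redirect destinations:", suspicious_hosts(results))
```

Run on the constructed sessions, the innocent fimserve creative is listed with no redirect, while the placeholder network's creative shows a JavaScript location change and the next hop a 302, so the two destination hosts are the ones to include in a report. The script reads pasted Raw-view text rather than Fiddler's own export file format, and it only follows one Referer hop from the creative host, which is enough for the chain described in the post.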

Trancelikestate
25-Dec-2010, 06:04 PM
Sorry Neil, hadn't looked at this page for a while so I wasn't running Fiddler.

Anyhow, redirected today to here: http://img3.imageshack.us/img3/7091/80017533.jpg
http://img190.imageshack.us/img190/4160/48560032.jpg

Neil
25-Dec-2010, 07:58 PM
Thanks for the report!

Please do and try and run Fiddler! Those logs will be very VERY helpful :)

MikePizzoff
29-Dec-2010, 08:36 PM
Wednesday, Dec 29 - 3:35 PM - media forum - http://ggcgl.yourantivirust0.com/?id=2003&sz=6ae630e3a&vb=1&s=1

Neil
04-Jan-2011, 02:03 PM
^^ You weren't running fiddler I assume? :(

Can't emphasise how much it would help if someone was just running Fiddler2 when they got a malware redirection. Once it happened, a couple of clicks would then export the logs that could really move this problem forwards!

---------- Post added 01-Jan-2011 at 08:17 PM ---------- Previous post was 30-Dec-2010 at 10:27 AM ----------

Well, judging by reports... It definitely seems to be slowing down?

But again guys, please do run Fiddler2 for me... The moment you get a redirection you're just 3-4 clicks away from exporting your logs and giving me some super valuable info!

---------- Post added 04-Jan-2011 at 02:03 PM ---------- Previous post was 01-Jan-2011 at 08:17 PM ----------

So guys, reports seem to be dropping off!? No one's simply getting them and ignoring them I hope?

Rancid Carcass
27-Apr-2012, 12:46 AM
This is a wee bit necro but my last two attempts to view the website resulted in a 'web attack: malicious download request 10' warning from my AV software (norton). Don't know if it's anything to do with the problems I've been having trying to access this site for the last week or so, but I thought I should let you guys know in case there's something sinister afoot. I should point out that it's not trying to redirect me anywhere, just to avoid confusion with the rest of the thread.

Neil
27-Apr-2012, 10:04 AM
This is a wee bit necro but my last two attempts to view the website resulted in a 'web attack: malicious download request 10' warning from my AV software (norton). Don't know if it's anything to do with the problems I've been having trying to access this site for the last week or so, but I thought I should let you guys know in case there's something sinister afoot. I should point out that it's not trying to redirect me anywhere, just to avoid confusion with the rest of the thread.

On it! (I had an occurrence yesterday too!)

capncnut
13-May-2012, 11:05 PM
Had an occurrence identical to what has been posted here three days ago, yesterday, and upon my return today. I did screen grab but since forgot to post in paint and now is lost. Will screen grab next time it happens.

bassman
16-Jun-2012, 12:44 PM
Sorry that I don't have any real information so that you can find it, but I've recently had HPotD go into one of those false "your computer has a virus" pop ups that blanks out the screen and attempts to appear as virus protection. The only way to get out of it is to close the browser. It's happened to me twice in two different locations.

Like I said....sorry I can't give you anymore information on it, but thought I would pass it along.

Neil
16-Jun-2012, 02:24 PM
Ta. If you can tell me what the adverts are (top & bottom) that might be useful...

bassman
17-Jun-2012, 12:49 AM
Ta. If you can tell me what the adverts are (top & bottom) that might be useful...

I never had a chance to see any of the advertisements. It happened immediately after clicking on "new posts".