Antivirus 2009 / "windows-defense.com" redirect & alert popup - resolved. - Page 8 - Fuel Economy, Hypermiling, EcoModding News and Forum

MetroMPG · 08-06-2008, 07:55 PM

Thanks for the reports. skyl4rk and Tom, can you remember whether you were requesting a forum page or a blog page when it happened?

skyl4rk · 08-06-2008, 10:59 PM

I came in through Recent Posts which is bookmarked.

MetroMPG · 08-07-2008, 01:27 AM

I experienced the redirect tonight after clicking an e-mail link that opened a forum thread. This is the 3rd time I've had it happen since this started last week.

Was able to capture a lot of relevant data by finding out how to view FireFox cache info. I know which ads were called before the redirect occurred, so we may have a smoking gun.

FYI, the actual redirect appears to be a sneaky thing - apparently it bounces across 3 different web sites - before ultimately landing at windows-defense.com.

Ben got the redirect as well this evening - in the forum also.

Anyway, tomorrow we'll see what the ad provider can do with the info I captured.

MetroMPG · 08-07-2008, 08:37 AM

New question for anyone who has experienced the redirect:

Two of the three times I've seen it, I was coming in "fresh" to the site, either typing the URL in (auto complete - I just hit "e" and it's my top entry), or coming in via an e-mail message (thread subscription notification). The other time was opening a PM - which spawned a new window.

I think this may be one reason why people who have been sitting on their "reload" buttons haven't been able to reproduce the problem. The exploit may be looking for a fresh "session" with no internal http referrer.

I know some of you have said you got it from clicking an EM link while already on the site, but at least syl4rk and Jamie also got it coming in to a new session from a bookmark or loading the site in a fresh browser.

jwxr7 · 08-07-2008, 08:47 AM

Yeah, all of mine happened with new sessions.

MetroMPG · 08-07-2008, 09:32 AM

Holy cow - I just noticed you got 81 mpg!

Did I miss a thread? Post up in the "success stories" forum!

cmags · 08-07-2008, 10:30 AM

Ok, fresh session (subscription link via email), and I got it again. I moved it around to see that the browser is minimized behind it and the popup won't let you at the browser until it's closed:

Of course, opening another browser window works around that. Right now I've got it sitting here and I haven't clicked on anything. I can leave my machine like this while I'm at work if someone can provide me with some way to run some logger or tracker to see what happens when I do click cancel. That is, if this will be helpful at all.

So yea, lmk if you need me to run anything while I have this up for tracking purposes. If no response by tonight, I'm taking my browser back.

MetroMPG · 08-07-2008, 10:47 AM

cmags, if you don't mind, can you go in your cache (launch a new browser session and type "about:cache") and identify the exact time you loaded the subscribed thread (search for the thread URL).

If it's still there, can you find any other downloads that occurred at the same time (or within a couple of seconds afterward)?

Specifically, do you have a cache entry with adoptserver.info in it? If you do, could you post the details? Also, could you post details of any entries with the string "nvero" in them?

thanks-
Darin

cmags · 08-07-2008, 01:14 PM

Ok, here's the key I found for my link following:

Code:

   Key: http://ecomodder.com/forum/showthread.php/iduino-mpguino-4215.html
     Data size: 34388 bytes
   Fetch count: 1
 Last modified: 2008-08-07 10:23:40
       Expires: 1969-12-31 19:00:00

Then here's the only entry for adoptserver.info:

Code:

 Key: http://adoptserver.info/state_.gif?up=http://ads.doubleclick.net/ads/bid=12/nxtd/fr012/wi/ai&key=678910083V18003
     Data size: 986 bytes
   Fetch count: 1
 Last modified: 2008-08-07 10:23:45
       Expires: 1969-12-31 19:00:00

And there are a bunch of entries for nvero, but here's the one immediately following the above two entries:

Code:

           Key: http://m1.2mdn.net/800562/wbk_mas_flick_v2_728x90.swf?clickTag=http%3A//ad.doubleclick.net/click%253Bh%3Dv8/3715/7/4e/%252a/h%253B206386908%253B0-0%253B0%253B28211234%253B3454-728/90%253B27653279/27671158/1%253B%253B%257Esscs%253D%253fhttp%3A//e.nvero.net/eas/cu%3D4574%3A%3Acamp%3D17810%3A%3Ano%3D29077%3A%3Akw%3Dlink1-29077%3A%3AEASLink%3Dhttp%3A//media.wachovia.com.edgesuite.net/sweepstakes/sweep/htmlVersion/
     Data size: 29635 bytes
   Fetch count: 1
 Last modified: 2008-08-07 10:25:35
       Expires: 2008-08-08 10:25:30

I'm attaching the whole Disk Cache for you too.

Hope it helps!

MetroMPG · 08-07-2008, 01:22 PM

That definitely helps. I believe we have our smoking gun. Thanks, cmags.