Antivirus 2009 / "windows-defense.com" redirect & alert popup - resolved.
I'm not sure where to post this so I figured here would be good. Over the past two days, and on two machines, I've been getting this nasty "you've been infected - download our antivirus 2009 software to fix it" popup when accessing the EM forum. Clicking ok, cancel, or X brings me to their website and resizes my browser, etc. All the classic popup nasties. Just wanted you guys to be aware.
|
We've heard this before and it's always turned out to be some sort of spyware on the person's computer/browser, so I'd look out for that were I you. I know we're not running any ad like that.
|
I would normally agree, but I got this popup on two machines, my home machine which I just formatted last week, and a test machine at work which I've never used for the web before yesterday. :( Is it possible that some type of spyware or something is riding on the back of one of your seemingly legit ads?
|
Well, then I just don't know. I'll wait to see if we get any other reports before I go have the server guy pore over it looking for infection.
|
Cool, thanks for the acknowledgement. I'll let you know if I come across any more occurrences, and I'll try to grab more info about it if I do.
|
Quote:
Thanks, Ben |
I haven't seen that or any popups and I've been on EM a lot the last few days, making me think it's not this site but something on your end.
|
I got word from another guy, so if anyone else sees it, take a screen shot and I'll email it to our tech guy. Might take a while since I'm on the farm in MO and darin is in a cottage somewhere with 28k webnets, but we'll try our best, :)
|
Ah, I forgot I paid off the advertising...
|
Quote:
|
I was in the mpguino blog post. Clicked open in new tab on More on HybridFest @ Pop Mech7.25 and did the same for the ford story. The ford story did not open in the new tab and I got the antivirus 2009 popup.
It's the first time I ever got something like that. It's a funny coincidence it happened on em... |
I found this. Just google it.
Quote:
|
I also got it yesterday, but, like a dumbass I didn't remember or write down the particulars on when it happened. I simply closed the window and opened a new one.
|
I just got it today when I browsed this website. Is this website infected?
|
http://webscweb-scannerfree.com/soft...=3&product=XPA
Here courtesy of Firefox, AVG, and CCleaner's innate abilities to stop this **** from hurting my comp. Oh, I was in the home mod section looking at the home made radiator with the hose connected to the creek, don't remember title. DO NOT CLICK LINK |
Probably a moot point by now, but I got it too just now.
|
Got it yesterday.
|
Get Firefox and the NoScript extension. NoScript prevents undesirable Javascript activity like popups. Takes a little time to figure out how it (and Javascript) work, but it's worth it. Browsing is much more secure.
|
NoScript is indeed a good extension, but if this is on EM we need to get rid of it...I'll send a note to darin and the server guy.
|
I haven't noticed this myself, but I've been away, as Ben mentioned.
I talked to the server admin today. His opinion is that it's likely ad-related, not forum related. Anybody seen the problem today (Saturday)? |
I had this popup too yesterday. I started Firefox with my previous session's tabs, and my EM tab switched to this "Antivirus" crap automatically. Only occurrence of this so far.
|
I have yet to see this problem and I am usually here 2-3 times a day.
|
Just got this on my Mac in Firefox on the main forum page. It's not software or spyware installed on anyone's computer, it's javascript running in an ad unit on the page.
|
Need more info. We have ads served by 3 different parties. If someone can provide details, it would help us figure out which one needs to be notified. Like: URL of the affected page, screen cap... thanks.
|
2 Attachment(s)
OK, got it again clicking a subscription link in my email to the MPGuino Workspace thread. I didn't even make it to the thread - Firefox just minimized itself as soon as the page started to load, and the popup replaced it. Here's the first dialog that pops up:
http://ecomodder.com/forum/attachmen...1&d=1217567679 Then clicking OK gives you this: http://ecomodder.com/forum/attachmen...1&d=1217567685 Clicking OK here or Cancel in the first popup brings you here (spaces inserted to avoid inadvertent click): http :// windows-defense . com /2009/1/_freescan.php?aid=77024209 |
Wanna get rid of it? I did and the program was free. It found all of the crap and got rid of all of it.
I kept getting pop ups like that and it was an Anti virus fake attack to get you to buy their program. Here's the link: SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware! |
cmags -
Quote:
CarloSW2 |
I got the popup today also - Haven't seen it anywhere else so it appears to be associated with this site (EM) somehow...
|
Additional info can be found here
Remove Antivirus 2009, removal instructions and here - Miguel Campos Blog : Removing the Antivirus 2009 infection An interesting side note is that I viewed a youtube video about 'the price of electricity VS gasoline' about 30 minutes before the pop-up. May be related according to the msdn blog entry. |
Note that the popup does not mean you're infected with anything. It's simply a javascript redirect to a website which causes the alert and displays the fake virus scan progress. Just close the browser window.
I'm sure everyone knows that if you actually download and install the product from that site, you WILL be infected with malware. Our server admin has checked and assured us the problem isn't on EcoModder, but with one of the advertisers whose ads appear on the site. We've been in touch with the advertisers. Waiting to hear back. |
I'm not sure if this is related.
I've had 2 high level attack warnings on my work computer, both times I was opening this website. I've never had notices like this until then. Once on the 25th and then again on the 30th of July. I don't know if this info helps but the Norton details say: "risk level High", "risk name HTTP fake scan webpage" and "attacking computer 84.16.252.73, 80", "traffic description TCP, www-http". The second one was identical except the attacking computer # ended in 138, 80. Hope this helps |
Thanks for posting the IP. The "attacking computer" is not EcoModder's IP address, but the address of the redirect target, which is in Norton's list.
|
MetroMPG -
Quote:
CarloSW2 |
I've turned off all advertising in the forum and on the index page. It's still active on the blog.
We'll leave it off for 24 hours. Would each of you who has experienced the redirect and the javascript alert (I count 10, including myself... I've seen it twice in the last week) please let me know whether you see the redirect or not in the next 24h? I fully expect this will clear things up. Then the next task will be determining which ad service is sending the javascript. Thanks! |
MetroMPG -
I just tried to recreate the problem but I couldn't. CarloSW2 |
no more problems here, multiple log ins
|
If nobody tells me they got the redirect/popup before tomorrow AM, I'm going to re-enable one of the ad providers and then watch for feedback for another day or so. Currently we've got two providers (just canned the third, and Ben thinks they were the most likely source of the problem).
|
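As an added example that is not part of the original thread or of EcoModder's tooling: when a user can capture the page load (for instance as a browser HAR export), the ad provider responsible can be read off the request chain rather than found only by disabling providers one at a time. The entry shape (`url`, `initiator`), the function names and the `*.example` ad hosts are assumptions made for illustration; the sample data is constructed.

```javascript
// Constructed sample: a page load reduced to (request URL, URL of the resource
// that initiated it), as could be taken from a browser HAR export.
// The *.example ad hosts are hypothetical placeholders.
const sampleEntries = [
  { url: "http://ecomodder.com/forum/index.php", initiator: null },
  { url: "http://ads.provider-a.example/show.js",
    initiator: "http://ecomodder.com/forum/index.php" },
  { url: "http://ads.provider-b.example/unit.js",
    initiator: "http://ecomodder.com/forum/index.php" },
  { url: "http://cdn.reseller.example/creative.js",
    initiator: "http://ads.provider-b.example/unit.js" },
  { url: "http://windows-defense.com/2009/1/_freescan.php",
    initiator: "http://cdn.reseller.example/creative.js" },
];

const hostOf = (url) => new URL(url).hostname;

// Walk initiator links from the flagged request back toward the page.
// Returns hosts ordered page-first, or null if the flagged host never appears.
function traceChain(entries, flaggedHost) {
  const byUrl = new Map(entries.map((e) => [e.url, e]));
  let cur = entries.find((e) => hostOf(e.url) === flaggedHost);
  if (!cur) return null;
  const chain = [];
  const seen = new Set(); // guards against initiator loops in bad data
  while (cur && !seen.has(cur.url)) {
    seen.add(cur.url);
    chain.unshift(hostOf(cur.url));
    cur = cur.initiator ? byUrl.get(cur.initiator) : undefined;
  }
  return chain;
}

// Name the directly embedded third party whose unit led to the flagged host.
// `complete` is false when the chain cannot be followed back to the site,
// in which case `provider` is only the earliest host still in the log.
function attributeRedirect(entries, flaggedHost, siteHost) {
  const chain = traceChain(entries, flaggedHost);
  if (!chain) return { found: false, chain: [], provider: null, complete: false };
  const provider =
    chain.find((h) => h !== siteHost && h !== flaggedHost) || null;
  return { found: true, chain, provider, complete: chain[0] === siteHost };
}

console.log(attributeRedirect(sampleEntries, "windows-defense.com", "ecomodder.com"));
```

The intermediate hosts in `chain` matter as much as `provider`: an ad network often resells inventory, so the report sent to the provider should include the full chain.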
No problems today .. so far, I have been logged in since 9am est
|
I've been seeing a lot of this lately. A lot of my clients are getting it. No one knew how to get rid of it when it first came out, but aside from the links posted above (I haven't tried any of them), Malwarebytes is the only thing that can *easily* get rid of this trojan. Everyone's virus scanner is missing it because it's not technically a virus - it's malware. People think it's something they need or that it's legit, so they click on it... The best I can do is advise people to use firefox and not to open emails from sources they don't know, but even then, it's difficult to train people (especially OLDER people) to identify false popups. I can smell the bull**** in a split second, but a lot of people just click away happily and let the trojan in.
One guy got it from an actual fedex email, so caution there. It is advisable to install Linux or get an Apple ASAP - You'll never have problems like this again :-P. For now install Firefox and Thunderbird. I get paid to deal with things like this, and as much as I like making easy money running Malwarebytes and virus scans, the world is a lot better off avoiding these problems to begin with. |
So? Anyone else seen a redirect/popup since Friday afternoon @ 3:30 ET?
|