Virus Problem **Updated Topic - 1/12/2010**
This is the official forum post for the virus problems some users are experiencing with our ad networks. From now on please post all virus reports here.
One or more of the ad networks that serve advertisements on the site has been loading ads that are infected with a virus. We have been monitoring the situation for almost two weeks now, working with users to identify the infected networks, and then shutting them down from our ad rotation.
Despite our best efforts, the Instructables Staff has not been able to reproduce the problem locally, either because the viruses are appearing in only certain geographic areas, or because we work on Macs. As a result, we've been relying on users to help us identify the problem and target the infected ad networks. Please understand that we are not serving these ads intentionally, nor is there a virus on Instructables directly, or our servers, and that we are doing everything possible to shut down the suspected ad networks that are causing this problem.
Here's what we know so far
The virus appears to be what Microsoft calls a Rogue Antivirus. It basically tricks users into thinking that their computer is infected with a virus, when their machines are in fact just fine. A fake virus scan window alerts users that their computer is infected. Once alerted with this news, users are misleadingly encouraged to install malicious software on their machine. The alerts seem to pop up after users are redirected away from Instructables, sometimes immediately after loading a page on the site, or in some reports, just from users dragging their mouse over the ad spot. The problem appears to have only effected a very small percentage of our users, as hundreds of thousands of people visit the site each day and only a few dozen reports have come in over the last two weeks.
What to do
Don't click on any links that instruct you to install software onto your machine. Update the definitions for your virus program and install the latest updates for your operating system. If you should experience any of these redirects or virus screens, please read the section below about how you can help us, and post your information to this forum topic.
How you can help
If you see a pop-up warning you that you are infected, or if you are redirected away from Instructables and onto another page that triggers a virus alert, take a screen shot (command + shift + 3 in mac; print screen button in windows) close the page down, and then come to this forum topic and post as much as you can describing what you were doing before the problem happened, what happened when the virus attacked, and what you did to fix the problem.Please include the following details with your post if possible - the following information is necessary for us to identify which ad network the virus is coming from:
- any ads serving on the page that you remember
- description of malware
- the URL of the page on Instructables you were viewing
- direct URLs of malware
- screenshots
- city, state and or country you are located in
- what operating system and browser you are using
Previous forum topics about this problem include "Ad-Problem", "Virus on Instructables" and "instant start virus alter programme". While these forum topics are still useful in identifying the problem, we need to congregate all new reports here with the bulleted information above so we can gather the necessary facts to pass along to the ad networks to start attacking this problem as aggressively as we can.
I've aggregated offline screen shots, emails, and other useful comments below that contain useful clues to get the ball rolling.
Please accept our deepest apologies for this unacceptable frustration and continue to work with us so we can completely eliminate this virus problem our ad networks.
****1/12/2010 Update****
There's reason to believe that the virus could have infected your browsers cache, and thus be re-infecting your computer from there. As per the instructions given in the New York Times Article "What to do if you saw an antivirus pop up ad" please follow the steps below before posting any new virus reports on this forum thread so we can be sure that your computer is not repeatedly infecting itself regardless of the state of the site.
1) Close the screen
2) Clear your browsers cache (directions here)
3) Scan computer with a legitimate anti virus software
4) Run any and all updates to your operating system
If you are then still seeing warning messages and pop ups about the malware, then please do let us know so we can continue to track and fight this problem.
We've shut down all of our ad networks that aren't absolutely essential to the running of the site and are working with the last two remaining networks to troubleshoot this problem. All data shows that the ad networks are responsible for the virus attacks that many sites have been experiencing around the web recently (this is not just a problem on Instructables ), and we've got to take the fight to them to effectively stop the attacks.
88
comments
|
Add Comment
|
sort by:
active |
newest |
oldest
Thanks everyone for your patience and help! Tracking this down has been a real nightmare, and we still haven't seen the issue ourselves, which makes fighting particularly difficult.
If you are able to consistently see it, could you install the Live HTTP Headers add-on for Firefox, set it to capture the headers while you browse Instructables, and send us the results once you see the virus warning? All other reports are helpful, but this is the only sure way we'll be able to isolate and nail it.
If you are able to consistently see it, could you install the Live HTTP Headers add-on for Firefox, set it to capture the headers while you browse Instructables, and send us the results once you see the virus warning? All other reports are helpful, but this is the only sure way we'll be able to isolate and nail it.
Not that this is an excuse for the virus problem that Instructables was experiencing a few months ago, but it's nice to know that at least it wasn't just us...
"Malware that exploits holes in popular applications is being delivered by big ad delivery platforms including those run by Yahoo, Fox, and Google, according to Prague-based antivirus firm Avast.
Malware delivered by Yahoo, Fox, Google ads
"Malware that exploits holes in popular applications is being delivered by big ad delivery platforms including those run by Yahoo, Fox, and Google, according to Prague-based antivirus firm Avast.
Viruses and other malware were found to be lurking in ads last year on high-profile sites like The New York Times and conservative news aggregator Drudge Report.com, and this year on Drudge, TechCrunch and WhitePages.com. The practice has been dubbed "malvertising."
Now, researchers at Avast are pointing fingers at some large ad delivery platforms including Yahoo's Yield Manager and Fox Audience Network's Fimserve.com, which together cover more than 50 percent of online ads, and to a much smaller degree Google's DoubleClick. In addition, some of the malicious ads ended up on Yahoo and Google sites, Avast claims.
"It's not just the small players but the ad servers connected with Google and Yahoo have been infected and served up bad ads," said Lyle Frink, public relations manager for Avast..."
Aug 4, 2011. 7:22 AMgrundisimo
says:
It's been a while since anyone was on here but i just got attacked on this very page.
Oct 18, 2010. 9:04 PMkikazz
says:
wow seeing this... a computer virus is just like a real one... sometimes it can even cause panic in a mad scramble to find it and then figure out how to kill it.
Mar 28, 2010. 11:08 AMM4industries
says:
Giant guide is infected.
Ads: Restaurant City, Quaker
Ads: Restaurant City, Quaker
Mar 28, 2010. 11:11 AMM4industries
says:
The popup said
Windows wants your permission to install antivirus software.
Allow, Don't Allow
Windows wants your permission to install antivirus software.
Allow, Don't Allow
Please help, Im having troubles with my pro account. I am a pro member, i bought the 2 year 40$ plan in january this year. But, i get tons of ads. Advertisements on every single solitary page i click on. They are big ads that pop up and they just are not going away. The ads themselves are broken too, when i click on the "x" in the corner to close the ads, they close and immediately re-open. I have yet to log onto ibles without being bombed by ads. its ridiculous. its not like every now and then. it is every single page i click on. even right here on your profile page.
Please help.
-kevin
Mar 6, 2010. 12:26 PMM4industries
says:
Dude, nice profile image :) I had found that same pic on google images and I had recommended to somebody else to be their profile image and I had no idea somebody already had it.
Mar 8, 2010. 6:36 PMM4industries
says:
Yeah, I've seen at least one person with the same picture on their profile. There is no rule that your image has to be unique.
YEah.
and just wondering was your username suppost to have something to do with Mythbusters. If so, mythbusers is M5industries not M4industries.
and just wondering was your username suppost to have something to do with Mythbusters. If so, mythbusers is M5industries not M4industries.
Mar 10, 2010. 4:25 PMM4industries
says:
People have asked that. I did that on purpose to point out that I am similar but inferior to M5 Industries.
I was kidding... i just read the forum topic and it had the word virus in it. :)
LOL mac = no viruses : : : forum topic with virus in the title = get a mac
thats my logic :D
But in all seriousness, you are right .
LOL mac = no viruses : : : forum topic with virus in the title = get a mac
thats my logic :D
But in all seriousness, you are right .
Mar 6, 2010. 2:58 PMM4industries
says:
Sorry if I was too serious, I tend to do that too often.
But that is true, safari can catch viruses, but the actual processor and firmware are Fort Knox safe.
But that is true, safari can catch viruses, but the actual processor and firmware are Fort Knox safe.
Mar 10, 2010. 7:29 PMrosebud557
says:
I found another fake virus on: Waste Oil Furnace for Melting Metal, posted
rjeblogue on March 5, 2008. Thanks
rjeblogue on March 5, 2008. Thanks
Could you reference the actual URL of the "PEN Hack VIDEO"? I tried doing an I'ble search for "Pen Hack" and don't find anything with that exact name. There are a few of "pen gun" I'bles, but none where I saw any sort of video attached.
When you wrote ".. that has been removed" above, do you mean that the I'ble itself has been removed? The video has been removed from the I'ble? Or that your comment was flagged and removed?
When you wrote ".. that has been removed" above, do you mean that the I'ble itself has been removed? The video has been removed from the I'ble? Or that your comment was flagged and removed?
Mar 10, 2010. 8:22 AMBobblob
says:
The URL:
http://www.instructables.com/id/Save-200-in-2-Minutes-and-have-the-Worlds-Best-W/ This appears on the main page ( http://www.instructables.com/) among several others in a scrolling group of images of other Instructables. I'm not interested in selecting the video again ....sorry! I guess my linux box would be safe but going to the 1st URL I posted here will allow you to see the video image.
The Instructable remains there.. As soon as I could get my Linux machine booted I posted a warning in the comment section at that instructable. I could not and can not find it now after just checking all 3 pages of comments ...So I'm guessung it was removed. Thanks for following up on this!
http://www.instructables.com/id/Save-200-in-2-Minutes-and-have-the-Worlds-Best-W/ This appears on the main page ( http://www.instructables.com/) among several others in a scrolling group of images of other Instructables. I'm not interested in selecting the video again ....sorry! I guess my linux box would be safe but going to the 1st URL I posted here will allow you to see the video image.
The Instructable remains there.. As soon as I could get my Linux machine booted I posted a warning in the comment section at that instructable. I could not and can not find it now after just checking all 3 pages of comments ...So I'm guessung it was removed. Thanks for following up on this!
Mar 7, 2010. 10:27 AMchotii
says:
I just navigated directly to my own Instructable. MSE flagged a trojan: Trojan:JS/Redirector.
I went to this page http://www.instructables.com/you/backtalk/?action=reply&commentId=CPFA9HWG69MUWGV
However, returning to that page did not create the same flag. I'm sorry, I don't know what ad came up the first time, as I was too alarmed to notice.
I am running Windows 7. I am in Seattle, WA
I went to this page http://www.instructables.com/you/backtalk/?action=reply&commentId=CPFA9HWG69MUWGV
However, returning to that page did not create the same flag. I'm sorry, I don't know what ad came up the first time, as I was too alarmed to notice.
I am running Windows 7. I am in Seattle, WA
Mar 6, 2010. 12:29 PMM4industries
says:
I see them here and there. No correlation to the topic or add that I have noticed.
I just got this one, immediately after logging-in - sorry didn't catch the ad.
L
L
Can you confirm that you are only seeing house ads (ads that link to Instructables)? Knowing that this is unrelated to an ad network will help me track it down.
I'll confirm that. But before I logged-in I may have had something else.
My default login is via http://www.instructables.com/you?show=DISCUSSIONS so that took me to the "login and we'll take you to you" login page. Click button - that thing popped up.
(I wasn't paying attention past clicking the button I'm afraid)
L
My default login is via http://www.instructables.com/you?show=DISCUSSIONS so that took me to the "login and we'll take you to you" login page. Click button - that thing popped up.
(I wasn't paying attention past clicking the button I'm afraid)
L
What browser are you using? Have a look at
http://www.instructables.com/id/Instructables_Ad_Networks/
to help track it down.
http://www.instructables.com/id/Instructables_Ad_Networks/
to help track it down.
Since you're pro, you're not seeing any network ads (and I don't think we're running any direct campaigns right now, but I'll check). So, you should only be seeing house ads. So, this is quite strange. If you can get it consistently, please try Live HTTP Headers mentioned above to help me track it down.
Jan 17, 2010. 7:13 AMJJYork
says:
I come to this site frequently and have not had anymore problems since the 7th
HTTP Headers
Since I can't get this to occur under Firefox I installed IEwatch, which has a free trial.
Anyways here's what I captured from ctrl r'ing the sweather legging instructable,sorry it's 7 meg.
BTW if I'm abusing the servers by ctrl-r'ing to get the problem to happen, let me know.
Since I can't get this to occur under Firefox I installed IEwatch, which has a free trial.
Anyways here's what I captured from ctrl r'ing the sweather legging instructable,sorry it's 7 meg.
BTW if I'm abusing the servers by ctrl-r'ing to get the problem to happen, let me know.
Got the virus scanner again. I was looking at SaskView's Useless Machine 'Ible. I run Win XP and am using IE8, also, I use AVG.
Link: http://online-spyware-killl1.com/scn1/?id=%3Dnm39jTuMzA5LjEyNi4yMSZwaWQ9NDBzMSZ0aW1lPTEyNjIxOYENNAkM
Photo 1: http://www.flickr.com/photos/34888294@N02/4263351251/
Photo 2: http://www.flickr.com/photos/34888294@N02/4264103222/in/photostream/
Link: http://online-spyware-killl1.com/scn1/?id=%3Dnm39jTuMzA5LjEyNi4yMSZwaWQ9NDBzMSZ0aW1lPTEyNjIxOYENNAkM
Photo 1: http://www.flickr.com/photos/34888294@N02/4263351251/
Photo 2: http://www.flickr.com/photos/34888294@N02/4264103222/in/photostream/
All of our ad networks besides Google Adsense have now been turned off. Can you poke around a bit and let me know if you run into any more trouble?
So far I havent had any problems. I've been going to some of the more "popular" 'ibles and haven't had any problems (the popup seemed to happen most to me on those).
Thanks and I hope you figure out the culprit!
Thanks and I hope you figure out the culprit!
 | Jan 12, 2010. 6:56 AMwebman3802 says: |
 | Jan 12, 2010. 5:27 AMdanstax says: |
| | Jan 11, 2010. 2:16 PMdougoutcanoe(author) says: |
 | Jan 11, 2010. 1:55 PMPepsi Supreme says: |
had one today and one yesterday. sorry but i didn't have time to catch the specific alert as trendmicro closes the site immediately. only happening in the forums for me, i've yet to get popped while reading ibles.
Jan 11, 2010. 11:19 PMPhotoMaster
says:
I am trying again, as my last comment vanished. For several weeks now, the first instructable I decide to view launches a bogus virus warning and scan, which if I click through will infect my computer. I had it happen on an older computer. On this PC I deactivate my network card, close my internet explorer, re-connect my network card, re-connect to the internet, and finally reconnect to instructables. After this I am fine to use instructables until the next day when I will have the same scenario. I had it happen again this morning (NJ time). My cache was cleared earlier, so I know it is not in my cache. The problem still exists as of around 12:30am, 1/12/10.
Greg
Greg
Jan 9, 2010. 11:52 AMnewtoon
says:
Since a couple of days something leads me to this adress when I visit instructables.com.
I´m not logged, when this happens.
Here`s the link: http://antispywareonlinel6.com/scn1/?id=%3D3G09DDuMzcxLjc4LjEzMiZwaWQ9NDBzMSZ0aW1lPTEyNjEwNYYOMAkM
I´m not logged, when this happens.
Here`s the link: http://antispywareonlinel6.com/scn1/?id=%3D3G09DDuMzcxLjc4LjEzMiZwaWQ9NDBzMSZ0aW1lPTEyNjEwNYYOMAkM
All of our ad networks besides Google Adsense have now been turned off. Can you poke around a bit and let me know if you run into any more trouble?
Jan 11, 2010. 12:30 PMDoctor What
says:
All of your ad networks? Does that take a hit in the profit area?
It sure does, but we've absolutely got to identify which network is causing the problem so we can get rid of it.
Jan 11, 2010. 4:05 PMDoctor What
says:
Sorry to hear that. I hope you get well soon (instructables being sick and all)!
Jan 11, 2010. 12:28 PMBrick Moon
says:
After one occurrence yesterday, so far so good this afternoon. No problem after viewing about 20 various Instructibles pages. Apparently no evil from Google.
Jan 7, 2010. 3:19 PMJJYork
says:
Happened to me. Had done a search on "magnets" and clicked on the instructable "how to obtain cheap rare earth magnets". Had not clicked on an outside site but one is contained within the instructable. Just closed out
All of our ad networks besides Google Adsense have now been turned off. Can you poke around a bit and let me know if you run into any more trouble?
Just to be clear - this just happened to you and you saw screens similar to what are shown in the screen grabs above?
A viewer of my youtube video left a comment tonight about a virus after clicking a link to my 'ible. I had a couple earlier but didn't think they were real.
This REALY sucks, cause a hefty percentage of the traffic here lately has been because of my 'ible.
Instructables should have contacted all the members and alerted them to this problem. Not sweep the issue under the rug, and continue letting rogue ads slip though.
NOT HAPPY AT ALL!
This REALY sucks, cause a hefty percentage of the traffic here lately has been because of my 'ible.
Instructables should have contacted all the members and alerted them to this problem. Not sweep the issue under the rug, and continue letting rogue ads slip though.
NOT HAPPY AT ALL!
Hey SaskView. I'm sorry that you are not happy and I'm also sorry that one of your viewers was affected with our virus issue.
I hear that you feel that the issue was swept under the rug, but I really do think that we've been doing everything we can to try and work with users to understand the problem and work as fast as we can to resolve the problem.
We've had a pretty active discussion about the problem here on the bug section of the forums and the Instructables Staff has been working hard to pinpoint the ads causing the problem and shut down those networks. The search was a bit like finding a needle in a haystack because we couldn't reproduce the problem locally at our offices and because we work with many different ad networks and their affiliates.
After turning off some suspected ad networks last week, and then learning of a few more reports over the weekend, we decided to take the strongest approach we can and shut down all of our networks besides Google Adsense.
Please let me know if you continue to hear reports come in from your viewers. We rely on our advertising to survive, so shutting almost all of them down is no small decision or response to this problem.
I'm the lead person to talk to about this problem. Please do let me know if you hear of any more reports.
I hear that you feel that the issue was swept under the rug, but I really do think that we've been doing everything we can to try and work with users to understand the problem and work as fast as we can to resolve the problem.
We've had a pretty active discussion about the problem here on the bug section of the forums and the Instructables Staff has been working hard to pinpoint the ads causing the problem and shut down those networks. The search was a bit like finding a needle in a haystack because we couldn't reproduce the problem locally at our offices and because we work with many different ad networks and their affiliates.
After turning off some suspected ad networks last week, and then learning of a few more reports over the weekend, we decided to take the strongest approach we can and shut down all of our networks besides Google Adsense.
Please let me know if you continue to hear reports come in from your viewers. We rely on our advertising to survive, so shutting almost all of them down is no small decision or response to this problem.
I'm the lead person to talk to about this problem. Please do let me know if you hear of any more reports.
Jan 10, 2010. 1:26 AMBrick Moon
says:
The problem continues. On viewing random Instructables pages (which I usually open in a new tab), an average of perhaps one out of eight times, the rogue antispyware warning immediately appears. I just run the task manager and shut down IE browser. So far, restoring the session afterwards has not resulted in the same occurrence.
Running IE8, XP.
Running IE8, XP.
All of our ad networks besides Google Adsense have now been turned off. Can you poke around a bit and let me know if you run into any more trouble?
Jan 10, 2010. 10:28 AMchotii
says:
Doggone it, the "antivirus" ad popped up when I was reading THIS page, about the virus!!
It redirects me to onlineantivirust5.com, but I don't know what ad was showing at the top of the screen when that happened, because boom it was gone and I was redirected.
I am not a Pro member, but I was logged in. I am running IE8, with Windows 7.
All of our ad networks besides Google Adsense have now been turned off. Can you poke around a bit and let me know if you run into any more trouble?
Jan 7, 2010. 8:23 PMkatmckee
says:
sorry to bear the bad news. i went into the home page not signed in, clicked on next page of popular ibles, clicked on the crocheted moustache hat ible, and bam... warning I have viruses, fake scanner, attempt to save a .exe
As a pro member, you shouldn't be seeing any ad networks. Can you confirm that you were logged in when you saw this?
Jan 7, 2010. 6:33 PMcylonics
says:
I have not seen it again recently. Have been surfing ibles and hitting F5 with impunity. I have noticed however, the ads no longer change with refresh. Will just surf more and tempt fate.
Jan 7, 2010. 6:45 PMcylonics
says:
Correction: If the page is allowed to load fully, F5 will load a new Ad. Just refreshed 10x at 3 different ibles, the problem did not reappear. Also noticed the ads before were the tall vertical type, and are now square, and mostly "Ads by google". Will post if it shows again, but feeling warmer and fuzzier...
Hey Noawh I don't know if it's any use to you but I captured my temporary internet files when this happened.
I set my temp dir to my ram disk, restarted to flush everything, loaded ie, navigated to Christy's eggnog instructable and ctrl-r'd until the fake scanner came up, copied and zipped the dir.
I set my temp dir to my ram disk, restarted to flush everything, loaded ie, navigated to Christy's eggnog instructable and ctrl-r'd until the fake scanner came up, copied and zipped the dir.
We just shut down yet another ad network and hour ago - can you let me know if it happens to you again...Thanks!
Looks like you got it, an hour of random walking instructables and nothing happened.
Thanks for helping us to figure this problem - giving us your temp directory = awesome.
Jan 6, 2010. 7:51 PMkatmckee
says:
using IE and MS Vista on my laptop at home in Gainesville FL on the Dell laptop.
I logged in, navigated to my profile, clicked on one of the groups I'm in - Outrigger Canoe - and then 2 seconds later the little dialogue box was there, I x'd out of it, then the big fake windows browser pops up with counters flying about all my trojans etc. I closed IE, then the other dialogue box was there again. I x'd out of that. that was it.
sorry I didn't see what ad was on the page at the time. It happened about 6 min ago! good luck...
I logged in, navigated to my profile, clicked on one of the groups I'm in - Outrigger Canoe - and then 2 seconds later the little dialogue box was there, I x'd out of it, then the big fake windows browser pops up with counters flying about all my trojans etc. I closed IE, then the other dialogue box was there again. I x'd out of that. that was it.
sorry I didn't see what ad was on the page at the time. It happened about 6 min ago! good luck...
We just shut down yet another ad network and hour ago - can you let me know if it happens to you again? Thanks!
Thanks for posting your info - it's a huge help to us!
Jan 6, 2010. 3:33 PMBerkin
says:
My Norton software detected an Infostealer.Gampass trojan located at
"http://www.instructables<DOT>com/files/orig/FQW/G5Y1/F4L2T7N8/FQ
"http://www.instructables<DOT>com/files/orig/FQW/G5Y1/F4L2T7N8/FQ
| WG5Y1F4L2T7N8.tmp" |
Kiteman also reported this infected file just minutes ago. Copied from my reply to him...
Rachel reports that that particular file was uploaded by a user back in July of 2007. It has just been deleted and the user has been warned, so hopefully this case is closed.
Strange that it just popped up for your now though, I guess something triggered it to turn up on the site.
We're assuming that the user did not know that their file was infected and don't suspect that has anything to do with what we've been experiencing related to the virus on our ad networks.
Rachel reports that that particular file was uploaded by a user back in July of 2007. It has just been deleted and the user has been warned, so hopefully this case is closed.
Strange that it just popped up for your now though, I guess something triggered it to turn up on the site.
We're assuming that the user did not know that their file was infected and don't suspect that has anything to do with what we've been experiencing related to the virus on our ad networks.
I havent experienced this, I'm on a mac too, running FF 3.7.
Really well handled though, im sure this will get sorted quickly :)
Really well handled though, im sure this will get sorted quickly :)
I suspect the "slow script" bug in Safari is the malware ineffectively trying to load itself and getting caught in an recursive loop. This happens before the page has time to load and has frozen my browser more times than I care to think about. It is very frustrating.
"It was Internet Security 2010 Software.
It dumps the following virus on on to the host root,
Trojan.FakeAlert, Broken.OpenCommand and gaopdxserv.sys. Once they get into the
registry they seam to multiply allowing you to delete one or two copies so you think you destroyed
them when in fact they duplicated and moved to a hidden directory.
There is more to it than this as my McAfee's is totally disabled even in safe mode and its Online Technical Advisor something
else is in this virus that takes over wireless systems and routers because something has liked my wife's
and daughters computer to mine and all are are acting the same now."
It dumps the following virus on on to the host root,
Trojan.FakeAlert, Broken.OpenCommand and gaopdxserv.sys. Once they get into the
registry they seam to multiply allowing you to delete one or two copies so you think you destroyed
them when in fact they duplicated and moved to a hidden directory.
There is more to it than this as my McAfee's is totally disabled even in safe mode and its Online Technical Advisor something
else is in this virus that takes over wireless systems and routers because something has liked my wife's
and daughters computer to mine and all are are acting the same now."
"I and a friend both repeatably get FakeAlert-KW in IE on http://www.instructables.com/id/DIY-Soda-Water-%26-Home-Carbonation---Pays-For-Itsel/
It puts up a 'scan your computer now' dialog that won't accept 'no' for an answer.
Doesn't occur in firefox with noscript and adblock, of course.
I also tried to send this to your specified contact email (info at instructibles dot com) but got a 550 #5.1.0 Address rejected error."
It puts up a 'scan your computer now' dialog that won't accept 'no' for an answer.
Doesn't occur in firefox with noscript and adblock, of course.
I also tried to send this to your specified contact email (info at instructibles dot com) but got a 550 #5.1.0 Address rejected error."
"I've encountered it several times since Jan 1st. Just hit it again 5 mins ago on the Hans Solo Carbonite Wooden Cabinet instructable.
It pulls up McAfee screens showing infections everywhere. It pops up another alert screen from MICROSOFT or similar - all very real looking. It also tries to prevent you from closing out the browsers, keeps poppingup new ones. First time I was so startled I pulled the LAN cable out, power out, and popped the battery as quickly as I could."
It pulls up McAfee screens showing infections everywhere. It pops up another alert screen from MICROSOFT or similar - all very real looking. It also tries to prevent you from closing out the browsers, keeps poppingup new ones. First time I was so startled I pulled the LAN cable out, power out, and popped the battery as quickly as I could."
"Hmmm.... I only had this problem with other computers than my own, and I recognized it right away, mainly because I had a virus before called "antivirus 2009". Fun little virus, essentially popped up a nice little screen that told me that my computer was infected, and I should download their software.
Strange though, I never encountered it at home. Firefox?"
Strange though, I never encountered it at home. Firefox?"
1)
Just popped up while looking at one of my 'ables'.
http://antywiramericabox.com/index.php?affid=91107
Just popped up while looking at one of my 'ables'.
http://antywiramericabox.com/index.php?affid=91107
This is the link that gets launched:
http://an-ty-software-list.com/index.php?affid=91107
As you can see, it is a fake animation of a virus scan that then redirects you to their web page and attempts to lure you into downloading and installing their spyware.
This is hard to capture the events because I think the fake virus page only launches occasionally (or once a day).
Does that affid=91107 correspond to instructables.com?
I accessed instructables.com from the link about the Sonicare toothbrush referenced below:
http://www.instructables.com/id/Sonicare_Elite_7300_Battery_Replacement/
Only thing I noticed was a Samsung phone ad in the upper right.
I didn't notice the banner ad across the top.
When I clicked Internet Explorer "refresh" that was enough to trigger the fake virus scan.
Sorry this is not enough, but I will attempt to log more for you later.
Here's some pics of the fake screens:
While this screen attempts to look like a Windows system screen, it is a fake:
http://an-ty-software-list.com/index.php?affid=91107
As you can see, it is a fake animation of a virus scan that then redirects you to their web page and attempts to lure you into downloading and installing their spyware.
This is hard to capture the events because I think the fake virus page only launches occasionally (or once a day).
Does that affid=91107 correspond to instructables.com?
I accessed instructables.com from the link about the Sonicare toothbrush referenced below:
http://www.instructables.com/id/Sonicare_Elite_7300_Battery_Replacement/
Only thing I noticed was a Samsung phone ad in the upper right.
I didn't notice the banner ad across the top.
When I clicked Internet Explorer "refresh" that was enough to trigger the fake virus scan.
Sorry this is not enough, but I will attempt to log more for you later.
Here's some pics of the fake screens:
While this screen attempts to look like a Windows system screen, it is a fake:
To Whom It May Concern:
Your website appears to be compromised and is hosting virus/malware distribution. It appears to be a redirect to a scamware site. I sent yo notification on Saturday regarding this problem. While I do not believe your servers themselves are infected, it could very well be one of your banner ads that is causing the problem.
Today I attempted to visit a link on your site and the infection is still there. This has been confirmed by infecting a sacrificial VM instance of Windows XP.
The following link has the infection as well. I have included the <DOT> to prevent accidental following of the link.
http://www.instructables<DOT>
Your website appears to be compromised and is hosting virus/malware distribution. It appears to be a redirect to a scamware site. I sent yo notification on Saturday regarding this problem. While I do not believe your servers themselves are infected, it could very well be one of your banner ads that is causing the problem.
Today I attempted to visit a link on your site and the infection is still there. This has been confirmed by infecting a sacrificial VM instance of Windows XP.
The following link has the infection as well. I have included the <DOT> to prevent accidental following of the link.
http://www.instructables<DOT>
com/id/Windows-7-Starter-Easy-way-to-change-wallpaper/
Per Virus Total the following scanners detect this as a virus (with name)
AntiVir Worm/Koobface.aeg
Comodo TrojWare.Win32.FraudTool.TS
F-Prot W32/FakeAlert.DX3
F-Secure Suspicious:W32/Malware!Gemini
McAfee
Repeated attempts do not always infect a computer which leads me to believe that this infection is in one of the banner ads. I have not been able to isolate what ad or section of the page is causing the problem; just that it happens when visiting instructables<DOT>com pages.
Per Virus Total the following scanners detect this as a virus (with name)
AntiVir Worm/Koobface.aeg
Comodo TrojWare.Win32.FraudTool.TS
F-Prot W32/FakeAlert.DX3
F-Secure Suspicious:W32/Malware!Gemini
McAfee
Repeated attempts do not always infect a computer which leads me to believe that this infection is in one of the banner ads. I have not been able to isolate what ad or section of the page is causing the problem; just that it happens when visiting instructables<DOT>com pages.
Can't delete that comment above - so here it is reproduced with correct margins
****
AntiVirus 2009 trojan on Instructables web page -
While browsing at home this morning to the Instructables web site (using Firefox on my Windows Vista desktop), I picked up a variant of the "AntiVirus 2009" trojan. Fortunately, this was immediately detected and quarantined by Microsoft Security Essentials.
Here's what happened (with some screenshots):
1. I had finished a Google search and clicked on the following first result to Instructables.Com:
2. The Instructables page opened for a few seconds, but I was immediately redirected to a "Windows Security Center" (or similar) page that started displaying the usual popups about several viruses and infected files being discovered on my computer. From past experience with this type of Trojan, I knew they were false alarms.
3. Within a second or two, a virus alert appeared from Microsoft Security Essentials stating that the following "TrojanDownloader:HTML/Renos" item had been detected and successfully quarantined. Here's the results on the History tab in MSE:
4. The "Get more information about this item online" link on the History tab goes to the following Microsoft page (safe):
Microsoft Malware Protection Center
TrojanDownloader:HTML/Renos
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TrojanDownloader%3aHTML%2fRenos&threatid=2147575298
Analysis -- TrojanDownloader:HTML/Renos is Microsoft's generic detection for a trojan HTML script that attempts to download executable rogue security software when a user visits a malicious Web site and moves the mouse cursor over certain graphics or images.
Installation -- TrojanDownloader:HTML/Renos does not install locally. However, it may be cached in the temporary Internet files folder when viewing a malicious Web page.
Payload -- Downloads rogue security program. Viewing a malicious Web page containing this trojan script moves the mouse cursor over certain graphics or images. The trojan script could also invoke a dialogue box requesting that the user save or run a rogue security program.
5. I didn't see any other symptoms after MSE caught it, but I had to leave for work. I left a full MSE scan going, and will also run a Malwarebytes scan later to make sure all is OK.
Thought you'd like to know,
****
AntiVirus 2009 trojan on Instructables web page -
While browsing at home this morning to the Instructables web site (using Firefox on my Windows Vista desktop), I picked up a variant of the "AntiVirus 2009" trojan. Fortunately, this was immediately detected and quarantined by Microsoft Security Essentials.
Here's what happened (with some screenshots):
1. I had finished a Google search and clicked on the following first result to Instructables.Com:
2. The Instructables page opened for a few seconds, but I was immediately redirected to a "Windows Security Center" (or similar) page that started displaying the usual popups about several viruses and infected files being discovered on my computer. From past experience with this type of Trojan, I knew they were false alarms.
3. Within a second or two, a virus alert appeared from Microsoft Security Essentials stating that the following "TrojanDownloader:HTML/Renos" item had been detected and successfully quarantined. Here's the results on the History tab in MSE:
4. The "Get more information about this item online" link on the History tab goes to the following Microsoft page (safe):
Microsoft Malware Protection Center
TrojanDownloader:HTML/Renos
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TrojanDownloader%3aHTML%2fRenos&threatid=2147575298
Analysis -- TrojanDownloader:HTML/Renos is Microsoft's generic detection for a trojan HTML script that attempts to download executable rogue security software when a user visits a malicious Web site and moves the mouse cursor over certain graphics or images.
Installation -- TrojanDownloader:HTML/Renos does not install locally. However, it may be cached in the temporary Internet files folder when viewing a malicious Web page.
Payload -- Downloads rogue security program. Viewing a malicious Web page containing this trojan script moves the mouse cursor over certain graphics or images. The trojan script could also invoke a dialogue box requesting that the user save or run a rogue security program.
5. I didn't see any other symptoms after MSE caught it, but I had to leave for work. I left a full MSE scan going, and will also run a Malwarebytes scan later to make sure all is OK.
Thought you'd like to know,
 |
Vancouver Mini Maker Faire 2012
Rebuilding NordicTrack ski machine drive rollers
Looking for New Zealand-based Instructables authors for conference on August 27 in Wellington
Call to makers - Brighton Mini Maker Faire
Milk Crates - not as green as you think
TEDxBaghdad - Iraq - violence, dust storms and open sourced manufacturing
UK Mini Maker Faire - The Derby Silk Mill - New Poster to Share!
