Groups »
Forums »
Answers »

Featured Groups

  • Bare Conductive
  • Drawing and Art
  • Sustainability
  • 123D
  • Fenix Intl, Ready Set Off The Grid
  • Featured Authors
  • 3D Printing

COMMUNITY : HELP : BUGS

New Forum Topic

Virus Problem **Updated Topic - 1/12/2010**


This is the official forum post for the virus problems some users are experiencing with our ad networks.  From now on please post all virus reports here.


One or more of the ad networks that serve advertisements on the site has been loading ads that are infected with a virus.  We have been monitoring the situation for almost two weeks now, working with users to identify the infected networks, and then shutting them down from our ad rotation.

Despite our best efforts, the Instructables Staff has not been able to reproduce the problem locally, either because the viruses are appearing in only certain geographic areas, or because we work on Macs.  As a result, we've been relying on users to help us identify the problem and target the infected ad networks.  Please understand that we are not serving these ads intentionally, nor is there a virus on Instructables directly, or our servers, and that we are doing everything possible to shut down the suspected ad networks that are causing this problem. 


Here's what we know so far

The virus appears to be what Microsoft calls a Rogue Antivirus.  It basically tricks users into thinking that their computer is infected with a virus, when their machines are in fact just fine.  A fake virus scan window alerts users that their computer is infected.  Once alerted with this news, users are misleadingly encouraged to install malicious software on their machine.  The alerts seem to pop up after users are redirected away from Instructables, sometimes immediately after loading a page on the site, or in some reports, just from users dragging their mouse over the ad spot.  The problem appears to have only effected a very small percentage of our users, as hundreds of thousands of people visit the site each day and only a few dozen reports have come in over the last two weeks.


What to do

Don't click on any links that instruct you to install software onto your machine.  Update the definitions for your virus program and install the latest updates for your operating system.  If you should experience any of these redirects or virus screens, please read the section below about how you can help us, and post your information to this forum topic.


How you can help

If you see a pop-up warning you that you are infected, or if you are redirected away from Instructables and onto another page that triggers a virus alert, take a screen shot (command + shift + 3 in mac; print screen button in windows) close the page down, and then come to this forum topic and post as much as you can describing what you were doing before the problem happened, what happened when the virus attacked, and what you did to fix the problem.

Please include the following details with your post if possible - the following information is necessary for us to identify which ad network the virus is coming from:
  • any ads serving on the page that you remember
  • description of malware
  • the URL of the page on Instructables you were viewing
  • direct URLs of malware
  • screenshots
  • city, state and or country you are located in
  • what operating system and browser you are using
If you have Firebug installed, you can use it to inspect the problem pages and gather even more information which you can post to this topic.

Previous forum topics about this problem include "Ad-Problem",  "Virus on Instructables" and "instant start virus alter programme".  While these forum topics are still useful in identifying the problem, we need to congregate all new reports here with the bulleted information above so we can gather the necessary facts to pass along to the ad networks to start attacking this problem as aggressively as we can.

I've aggregated offline screen shots, emails, and other useful comments below that contain useful clues to get the ball rolling.

Please accept our deepest apologies for this unacceptable frustration and continue to work with us so we can completely eliminate this virus problem our ad networks.


****1/12/2010 Update****


There's reason to believe that the virus could have infected your browsers cache, and thus be re-infecting your computer from there.  As per the instructions given in the New York Times Article "What to do if you saw an antivirus pop up ad" please follow the steps below before posting any new virus reports on this forum thread so we can be sure that your computer is not repeatedly infecting itself regardless of the state of the site.

1) Close the screen
2) Clear your browsers cache (directions here)
3) Scan computer with a legitimate anti virus software
4) Run any and all updates to your operating system

If you are then still seeing warning messages and pop ups about the malware, then please do let us know so we can continue to track and fight this problem.

We've shut down all of our ad networks that aren't absolutely essential to the running of the site and are working with the last two remaining networks to troubleshoot this problem.  All data shows that the ad networks are responsible for the virus attacks that many sites have been experiencing around the web recently (this is not just a problem on Instructables ), and we've got to take the fight to them to effectively stop the attacks.



infected_instructables_link.png
mse_av2009_detection.png
Screen shot 2010-01-06 at 9.09.50 AM.jpeg
sort by: active | newest | oldest
143
ewilhelm says: Jan 12, 2010. 12:59 PM
Thanks everyone for your patience and help!  Tracking this down has been a real nightmare, and we still haven't seen the issue ourselves, which makes fighting particularly difficult. 

If you are able to consistently see it, could you install the Live HTTP Headers add-on for Firefox, set it to capture the headers while you browse Instructables, and send us the results once you see the virus warning?  All other reports are helpful, but this is the only sure way we'll be able to isolate and nail it. 
133
noahw (author) says: Mar 23, 2010. 3:25 PM
Not that this is an excuse for the virus problem that Instructables was experiencing a few months ago, but it's nice to know that at least it wasn't just us...

Malware delivered by Yahoo, Fox, Google ads


"Malware that exploits holes in popular applications is being delivered by big ad delivery platforms including those run by Yahoo, Fox, and Google, according to Prague-based antivirus firm Avast.

Viruses and other malware were found to be lurking in ads last year on high-profile sites like The New York Times and conservative news aggregator Drudge Report.com, and this year on Drudge, TechCrunch and WhitePages.com. The practice has been dubbed "malvertising."

Now, researchers at Avast are pointing fingers at some large ad delivery platforms including Yahoo's Yield Manager and Fox Audience Network's Fimserve.com, which together cover more than 50 percent of online ads, and to a much smaller degree Google's DoubleClick. In addition, some of the malicious ads ended up on Yahoo and Google sites, Avast claims.

"It's not just the small players but the ad servers connected with Google and Yahoo have been infected and served up bad ads," said Lyle Frink, public relations manager for Avast..."



1
grundisimo says: Aug 4, 2011. 7:22 AM
It's been a while since anyone was on here but i just got attacked on this very page.
Virus proof.bmp
1
grundisimo in reply to grundisimoAug 4, 2011. 7:23 AM
IT says Trojan horse blocked in the red box.
1
grundisimo in reply to grundisimoAug 4, 2011. 7:27 AM
Hopefully this is a better picture.
Better.bmp
kikazz says: Oct 18, 2010. 9:04 PM
wow seeing this... a computer virus is just like a real one... sometimes it can even cause panic in a mad scramble to find it and then figure out how to kill it.
5
M4industries says: Mar 28, 2010. 11:08 AM
 Giant guide is infected.

Ads: Restaurant City, Quaker
5
M4industries in reply to M4industriesMar 28, 2010. 11:11 AM
 The popup said

Windows wants your permission to install antivirus software. 
Allow, Don't Allow
14
KnexFreek says: Mar 25, 2010. 1:18 PM
 Please help, Im having troubles with my pro account. I am a pro member, i bought the 2 year 40$ plan in january this year. But, i get tons of ads. Advertisements on every single solitary page i click on. They are big ads that pop up and they just are not going away. The ads themselves are broken too, when i click on the "x" in the corner to close the ads, they close and immediately re-open. I have yet to log onto ibles without being bombed by ads. its ridiculous. its not like every now and then. it is every single page i click on. even right here on your profile page.  
 
Please help.
-kevin
14
KnexFreek says: Feb 8, 2010. 6:46 PM
 if you hazz a mac then this wont happen. problem solved.
30
DJ Radio in reply to KnexFreekMar 11, 2010. 2:18 PM
Or use adblock...
5
M4industries in reply to KnexFreekMar 6, 2010. 12:26 PM
 au contraire...

I have a mac and it does happen on this site.

Here's the forum topic I posted
6
LoneWolf in reply to M4industriesMar 6, 2010. 3:01 PM
Dude, nice profile image :) I had found that same pic on google images and I had recommended to somebody else to be their profile image and I had no idea somebody already had it.
5
M4industries in reply to LoneWolfMar 8, 2010. 6:36 PM
 Yeah, I've seen at least one person with the same picture on their profile. There is no rule that your image has to be unique. 
6
LoneWolf in reply to M4industriesMar 9, 2010. 12:38 PM
YEah.

and just wondering was your username suppost to have something to do with Mythbusters. If so, mythbusers is M5industries not M4industries.
5
M4industries in reply to LoneWolfMar 10, 2010. 4:25 PM
 People have asked that. I did that on purpose to point out that I am similar but inferior to M5 Industries.
6
LoneWolf in reply to M4industriesMar 10, 2010. 4:33 PM
Oh ok. That's cool.
14
KnexFreek in reply to M4industriesMar 6, 2010. 1:24 PM
 I was kidding... i just read the forum topic and it had the word virus in it. :)
LOL mac = no viruses : : : forum topic with virus in the title = get a mac 
thats my logic :D

But in all seriousness, you are right .
5
M4industries in reply to KnexFreekMar 6, 2010. 2:58 PM
 Sorry if I was too serious, I tend to do that too often.

But that is true, safari can catch viruses, but the actual processor  and firmware are Fort Knox safe.
14
KnexFreek in reply to M4industriesMar 6, 2010. 3:51 PM
 No you werent !!! Trust me :) 
rosebud557 says: Mar 10, 2010. 7:29 PM
I found another fake virus on: Waste Oil Furnace for Melting Metal, posted
rjeblogue on March 5, 2008.   Thanks
1
Bobblob says: Mar 9, 2010. 9:30 AM
PEN Hack VIDEO Is infected.  A  false virus program it has screwed my  XP machine and got past my AVG protection.  I noticed I didn't recognize the video site just before clicking on it. 

I wrote this original warning a few days ago using my Linux box and put a warning on the "Pen Hack" page .. that has been removed.   Was asked to post it here too.

I booted in safe mode did a restore  then went online to find some recommended registry cleaning and spyware removal programs that worked well.   MalwareBytes Anti-Malware
 
9
kelseymh in reply to BobblobMar 9, 2010. 9:48 AM
Could you reference the actual URL of the "PEN Hack VIDEO"?  I tried doing an I'ble search for "Pen Hack" and don't find anything with that exact name.  There are a few of "pen gun" I'bles, but none where I saw any sort of video attached.

When you wrote ".. that has been removed" above, do you mean that the I'ble itself has been removed?  The video has been removed from the I'ble?  Or that your comment was flagged and removed?
1
Bobblob in reply to kelseymhMar 10, 2010. 8:22 AM
The URL:
http://www.instructables.com/id/Save-200-in-2-Minutes-and-have-the-Worlds-Best-W/  This appears on the main page  ( http://www.instructables.com/) among several others in a scrolling group of images of other Instructables. I'm not interested in selecting the video again ....sorry!  I guess my linux box would be safe but going to the 1st URL I posted here will allow you to see the video image.

The Instructable remains there.. As soon as I could get my Linux machine booted I posted a warning in the comment section at that instructable.  I could not and can not find it now after just checking all 3 pages of comments ...So I'm guessung it was removed.   Thanks for following up on this!
1
chotii says: Mar 7, 2010. 10:27 AM
I just navigated directly to my own Instructable. MSE flagged a trojan: Trojan:JS/Redirector.

I went to this page http://www.instructables.com/you/backtalk/?action=reply&commentId=CPFA9HWG69MUWGV

However, returning to that page did not create the same flag. I'm sorry, I don't know what ad came up the first time, as I was too alarmed to notice.

I am running Windows 7. I am in Seattle, WA
5
M4industries says: Mar 6, 2010. 12:29 PM
 I see them here and there. No correlation to the topic or add that I have noticed.
5
M4industries in reply to M4industriesMar 6, 2010. 12:30 PM
 PS. I work on a Mac too and I get them.
49
lemonie says: Feb 14, 2010. 7:42 AM
I just got this one, immediately after logging-in - sorry didn't catch the ad.

L

temp.bmp
143
ewilhelm in reply to lemonieFeb 15, 2010. 11:54 AM
Can you confirm that you are only seeing house ads (ads that link to Instructables)?  Knowing that this is unrelated to an ad network will help me track it down.
49
lemonie in reply to ewilhelmFeb 15, 2010. 12:23 PM
I'll confirm that. But before I logged-in I may have had something else.
My default login is via http://www.instructables.com/you?show=DISCUSSIONS so that took me to the "login and we'll take you to you" login page. Click button - that thing popped up.
(I wasn't paying attention past clicking the button I'm afraid)

L
143
ewilhelm in reply to lemonieFeb 15, 2010. 7:02 PM
What browser are you using?  Have a look at
http://www.instructables.com/id/Instructables_Ad_Networks/
to help track it down.
49
lemonie in reply to ewilhelmFeb 15, 2010. 11:18 PM
Ah.... there's an idea. I'll try tonight.

L
143
ewilhelm in reply to lemonieFeb 15, 2010. 11:47 AM
Since you're pro, you're not seeing any network ads (and I don't think we're running any direct campaigns right now, but I'll check).  So, you should only be seeing house ads.  So, this is quite strange.  If you can get it consistently, please try Live HTTP Headers mentioned above to help me track it down.
75
Hiyadudez in reply to lemonieFeb 14, 2010. 11:52 AM
I got that! lOOK AT MY NEWEST FORUM.
JJYork says: Jan 17, 2010. 7:13 AM
I come to this site frequently and have not had anymore problems since the 7th
69
Tool Using Animal says: Jan 13, 2010. 4:21 PM
HTTP Headers

Since I can't get this to occur under Firefox I installed IEwatch, which has a free trial.

Anyways here's what I captured from ctrl r'ing the sweather legging instructable,sorry it's 7 meg.

BTW if I'm abusing the servers by ctrl-r'ing to get the problem to happen, let me know.
7
qwertyboy says: Jan 10, 2010. 2:26 PM
Got the virus scanner again. I was looking at SaskView's Useless Machine 'Ible. I run Win XP and am using IE8, also, I use AVG.

Link: http://online-spyware-killl1.com/scn1/?id=%3Dnm39jTuMzA5LjEyNi4yMSZwaWQ9NDBzMSZ0aW1lPTEyNjIxOYENNAkM

Photo 1: http://www.flickr.com/photos/34888294@N02/4263351251/
Photo 2: http://www.flickr.com/photos/34888294@N02/4264103222/in/photostream/
133
noahw (author) in reply to qwertyboyJan 11, 2010. 11:00 AM
All of our ad networks besides Google Adsense have now been turned off.  Can you poke around a bit and let me know if you run into any more trouble? 
7
qwertyboy in reply to noahwJan 13, 2010. 2:55 PM
So far I havent had any problems. I've been going to some of the more "popular" 'ibles and haven't had any problems (the popup seemed to happen most to me on those).

Thanks and I hope you figure out the culprit!
133
noahw (author) says: Jan 12, 2010. 10:49 AM
Jan 12, 2010. 6:56 AMwebman3802 says:
I got it just now on this very page.
Jan 12, 2010. 5:27 AMdanstax says:

Now this is a bit too much. This morning 1/12/10, 7:11 AM, I logged in to Instructables, went to this page to see if there were any additional comments regarding this virus stuff, and it hit again. I made a quick screenshot before closing the browser. I have it as a Word file, but can't seem to attach it here. If you want to see it, please contact me, I can send it this evening. Here is the URL off the screenshot, if that is any use to you-

http://clean-your-pcr1.com/scn1/?id=pHT4xTzuMzc0LjIwNS4xOTUmcGlkPTQwczEmdGltZT0xMjYxMAkOPAZO
133
noahw (author) says: Jan 12, 2010. 10:49 AM
Moved from other topic in bugs...

Jan 11, 2010. 10:43 AMrandcal says:
Happened to me just today.

133
noahw (author) says: Jan 12, 2010. 10:48 AM
Jan 11, 2010. 2:16 PMdougoutcanoe(author) says:
Just happened again when I tried to look at an instructable from the newsletter dated 07 January 2010 11:59:53.

I hope I managed to stop it in time.

dougoutcanoe
Jan 11, 2010. 1:55 PMPepsi Supreme says:
I'm also having this problem.
Only when opening your ads on my e-mail.
Happened today again. 1-11-10
133
noahw (author) says: Jan 12, 2010. 10:47 AM
Moved from other topic in bugs...

Jan 11, 2010. 10:17 PMPhotoMaster says:
It appears to be one of the advertisers on the site or else someone has hacked the site. Every time I get on the site it is the first instructable I choose to view, no matter which one choose. I turn off the wireless card and stop IE. Then it reconnect to the internet and contnue using instructables.

2
crapflinger says: Jan 12, 2010. 5:42 AM
had one today and one yesterday. sorry but i didn't have time to catch the specific alert as trendmicro closes the site immediately. only happening in the forums for me, i've yet to get popped while reading ibles.
PhotoMaster says: Jan 11, 2010. 11:19 PM
I am trying again, as my last comment vanished. For several weeks now, the first instructable I decide to view launches a bogus virus warning and scan, which if I click through will infect my computer. I had it happen on an older computer. On this PC I deactivate my network card, close my internet explorer, re-connect my network card, re-connect to the internet, and finally reconnect to instructables. After this I am fine to use instructables until the next day when I will have the same scenario. I had it happen again this morning (NJ time). My cache was cleared earlier, so I know it is not in my cache. The problem still exists as of around 12:30am, 1/12/10.

Greg
newtoon says: Jan 9, 2010. 11:52 AM
Since a couple of days something leads me to this adress when I visit instructables.com.

I´m not logged, when this happens.

Here`s the link:  http://antispywareonlinel6.com/scn1/?id=%3D3G09DDuMzcxLjc4LjEzMiZwaWQ9NDBzMSZ0aW1lPTEyNjEwNYYOMAkM
133
noahw (author) in reply to newtoonJan 11, 2010. 11:26 AM
All of our ad networks besides Google Adsense have now been turned off.  Can you poke around a bit and let me know if you run into any more trouble?
16
Doctor What in reply to noahwJan 11, 2010. 12:30 PM
All of your ad networks?  Does that take a hit in the profit area?
133
noahw (author) in reply to Doctor WhatJan 11, 2010. 4:03 PM
It sure does, but we've absolutely got to identify which network is causing the problem so we can get rid of it.

16
Doctor What in reply to noahwJan 11, 2010. 4:05 PM
Sorry to hear that.  I hope you get well soon (instructables being sick and all)!
Brick Moon in reply to noahwJan 11, 2010. 12:28 PM
After one occurrence yesterday, so far so good this afternoon. No problem after viewing about 20 various Instructibles pages. Apparently no evil from Google.
JJYork says: Jan 7, 2010. 3:19 PM
Happened to me. Had done a search on "magnets" and clicked on the instructable "how to obtain cheap rare earth magnets". Had not clicked on an outside site but one is contained within the instructable. Just closed out
133
noahw (author) in reply to JJYorkJan 11, 2010. 11:26 AM
All of our ad networks besides Google Adsense have now been turned off.  Can you poke around a bit and let me know if you run into any more trouble?
133
noahw (author) in reply to JJYorkJan 7, 2010. 3:32 PM
Just to be clear - this just happened to you and you saw screens similar to what are shown in the screen grabs above?
JJYork in reply to noahwJan 7, 2010. 4:15 PM
Yes
8
Frivolous Engineering says: Jan 9, 2010. 9:43 PM
A viewer of my youtube video left a comment tonight about a virus after clicking a link to my 'ible.  I had a couple earlier but didn't think they were real.

This REALY sucks, cause a hefty percentage of the traffic here lately has been because of my 'ible.

Instructables should have contacted all the members and alerted them to this problem.  Not sweep the issue under the rug, and continue letting rogue ads slip though.

NOT HAPPY AT ALL! 
133
noahw (author) in reply to Frivolous EngineeringJan 11, 2010. 11:25 AM
Hey SaskView.  I'm sorry that you are not happy and I'm also sorry that one of your viewers was affected with our virus issue. 

I hear that you feel that the issue was swept under the rug, but I really do think that we've been doing everything we can to try and work with users to understand the problem and work as fast as we can to resolve the problem.

We've had a pretty active discussion about the problem here on the bug section of the forums and the Instructables Staff has been working hard to pinpoint the ads causing the problem and shut down those networks.  The search was a bit like finding a needle in a haystack because we couldn't reproduce the problem locally at our offices and because we work with many different ad networks and their affiliates.

After turning off some suspected ad networks last week, and then learning of a few more reports over the weekend, we decided to take the strongest approach we can and shut down all of our networks besides Google Adsense. 

Please let me know if you continue to hear reports come in from your viewers.  We rely on our advertising to survive, so shutting almost all of them down is no small decision or response to this problem.

I'm the lead person to talk to about this problem.  Please do let me know if you hear of any more reports.


Brick Moon says: Jan 10, 2010. 1:26 AM
The problem continues. On viewing random Instructables pages (which I usually open in a new tab), an average of perhaps one out of eight times, the rogue antispyware warning immediately appears. I just run the task manager and shut down IE browser. So far, restoring the session afterwards has not resulted in the same occurrence.
Running IE8, XP.
133
noahw (author) in reply to Brick MoonJan 11, 2010. 11:07 AM
All of our ad networks besides Google Adsense have now been turned off.  Can you poke around a bit and let me know if you run into any more trouble? 
1
chotii says: Jan 10, 2010. 10:28 AM

Doggone it, the "antivirus" ad popped up when I was reading THIS page, about the virus!!

It redirects me to onlineantivirust5.com, but I don't know what ad was showing at the top of the screen when that happened, because boom it was gone and I was redirected.

I am not a Pro member, but I was logged in. I am running IE8, with Windows 7.

133
noahw (author) in reply to chotiiJan 11, 2010. 11:00 AM
All of our ad networks besides Google Adsense have now been turned off.  Can you poke around a bit and let me know if you run into any more trouble? 
6
katmckee says: Jan 7, 2010. 8:23 PM
sorry to bear the bad news. i went into the home page not signed in, clicked on next page of popular ibles, clicked on the crocheted moustache hat ible, and bam... warning I have viruses, fake scanner, attempt to save a .exe
instructables-virus1-jan7.jpginstructables-virus2-jan7.jpginstructables-virus3-jan7.jpg
143
ewilhelm in reply to katmckeeJan 8, 2010. 12:27 PM
As a pro member, you shouldn't be seeing any ad networks.  Can you confirm that you were logged in when you saw this?
16
Doctor What in reply to ewilhelmJan 8, 2010. 12:29 PM
Quote, " i went into the home page not signed in".
1
cylonics says: Jan 7, 2010. 6:33 PM
 I have not seen it again recently. Have been surfing ibles and hitting F5 with impunity.  I have noticed however, the ads no longer change with refresh. Will just surf more and tempt fate. 
1
cylonics in reply to cylonicsJan 7, 2010. 6:45 PM
Correction: If the page is allowed to load fully, F5 will load a new Ad.  Just refreshed 10x at 3 different ibles, the problem did not reappear.  Also noticed the ads before were the tall vertical type, and are now square, and mostly "Ads by google".   Will post if  it shows again, but feeling warmer and fuzzier... 
69
Tool Using Animal says: Jan 6, 2010. 3:36 PM
Hey Noawh I don't know if it's any use to you but I captured my temporary internet files when this happened.

I set my temp dir to my ram disk, restarted to flush everything, loaded ie, navigated to Christy's eggnog instructable and ctrl-r'd until the fake scanner came up, copied and zipped the dir.


133
noahw (author) in reply to Tool Using AnimalJan 7, 2010. 2:11 PM
We just shut down yet another ad network and hour ago - can you let me know if it happens to you again...Thanks!
69
Tool Using Animal in reply to noahwJan 7, 2010. 2:57 PM
I'll go mess around and let you know
69
Tool Using Animal in reply to Tool Using AnimalJan 7, 2010. 4:13 PM
Looks like you got it, an hour of random walking instructables and nothing happened.
133
noahw (author) in reply to Tool Using AnimalJan 7, 2010. 10:59 AM
Thanks for helping us to figure this problem - giving us your temp directory = awesome.
6
katmckee says: Jan 6, 2010. 7:51 PM
using IE and MS Vista on my laptop at home in Gainesville FL on the Dell laptop.

I logged in, navigated to my profile, clicked on one of the groups I'm in - Outrigger Canoe  - and then 2 seconds later the little dialogue box was there, I x'd out of it, then the big fake windows browser pops up with counters flying about all my trojans etc. I closed IE, then the other dialogue box was there again. I x'd out of that. that was it.

sorry I didn't see what ad was on the page at the time. It happened about 6 min ago! good luck...
instructables-virus1.jpginstructables-virus2.jpg
133
noahw (author) in reply to katmckeeJan 7, 2010. 2:11 PM
We just shut down yet another ad network and hour ago - can you let me know if it happens to you again?  Thanks!
133
noahw (author) in reply to katmckeeJan 7, 2010. 10:32 AM
Thanks for posting your info - it's a huge help to us!
2
Berkin says: Jan 6, 2010. 3:33 PM
My Norton software detected an Infostealer.Gampass trojan located at

"http://www.instructables<DOT>com/files/orig/FQW/G5Y1/F4L2T7N8/FQ
WG5Y1F4L2T7N8.tmp"
133
noahw (author) in reply to BerkinJan 6, 2010. 3:37 PM
Kiteman also reported this infected file just minutes ago.  Copied from my reply to him...

Rachel reports that that particular file was uploaded by a user back in July of 2007.  It has just been deleted and the user has been warned, so hopefully this case is closed. 

Strange that it just popped up for your now though, I guess something triggered it to turn up on the site.

We're assuming that the user did not know that their file was infected and don't suspect that has anything to do with what we've been experiencing related to the virus on our ad networks.
2
Berkin in reply to noahwJan 6, 2010. 6:13 PM
Okay, thanks.
32
=SMART= says: Jan 6, 2010. 3:20 PM
I havent experienced this, I'm on a mac too, running FF 3.7.

Really well handled though, im sure this will get  sorted quickly :)
231
randofo says: Jan 6, 2010. 1:36 PM
I suspect the "slow script" bug in Safari is the malware ineffectively trying to load itself and getting caught in an recursive loop. This happens before the page has time to load and has frozen my browser more times than I care to think about. It is very frustrating.
slowscript.jpg
133
noahw (author) says: Jan 6, 2010. 1:30 PM
"It was Internet Security 2010 Software.
It dumps the following virus on on to the host root,
Trojan.FakeAlert, Broken.OpenCommand and gaopdxserv.sys. Once they get into the
registry they seam to multiply allowing you to delete one or two copies so you think you destroyed
them when in fact they duplicated and moved to a hidden directory.
There is more to it than this as my McAfee's is totally disabled even in safe mode and its Online Technical Advisor something
else is in this virus that takes over wireless systems and routers because something has liked my wife's
and daughters computer to mine and all are are acting the same now."
133
noahw (author) says: Jan 6, 2010. 12:58 PM
"I and a friend both repeatably get FakeAlert-KW in IE on http://www.instructables.com/id/DIY-Soda-Water-%26-Home-Carbonation---Pays-For-Itsel/

It puts up a 'scan your computer now' dialog that won't accept 'no' for an answer.

Doesn't occur in firefox with noscript and adblock, of course.

I also tried to send this to your specified contact email (info at instructibles dot com) but got a 550 #5.1.0 Address rejected error."
133
noahw (author) says: Jan 6, 2010. 12:56 PM
"I've encountered it several times since Jan 1st.  Just hit it again 5 mins ago on the Hans Solo Carbonite Wooden Cabinet instructable.

It pulls up McAfee screens showing infections everywhere.  It pops up another alert screen from MICROSOFT or similar - all very real looking.   It also tries to prevent you from closing out the browsers, keeps poppingup new ones.  First time I was so startled I pulled the LAN cable out, power out, and popped the battery as quickly as I could."
133
noahw (author) says: Jan 6, 2010. 12:55 PM
"Hmmm.... I only had this problem with other computers than my own, and I recognized it right away, mainly because I had a virus before called "antivirus 2009".  Fun little virus, essentially popped up a nice little screen that told me that my computer was infected, and I should download their software.

Strange though, I never encountered it at home.  Firefox?"
133
noahw (author) says: Jan 6, 2010. 12:15 PM
(removed by author or community request)
133
noahw (author) in reply to noahwJan 6, 2010. 12:21 PM
1) 

Just popped up while looking at one of my 'ables'.
 
http://antywiramericabox.com/index.php?affid=91107
image001.gif
133
noahw (author) in reply to noahwJan 6, 2010. 12:23 PM
This is the link that gets launched:
 
http://an-ty-software-list.com/index.php?affid=91107
 
As you can see, it is a fake animation of a virus scan that then redirects you to their web page and attempts to lure you into downloading and installing their spyware.
 
This is hard to capture the events because I think the fake virus page only launches occasionally (or once a day).
 
Does that affid=91107 correspond to instructables.com?
 
 
I accessed instructables.com from the link about the Sonicare toothbrush referenced below:
 
http://www.instructables.com/id/Sonicare_Elite_7300_Battery_Replacement/
 
Only thing I noticed was a Samsung phone ad in the upper right.
I didn't notice the banner ad across the top.
 
When I clicked Internet Explorer "refresh" that was enough to trigger the fake virus scan.
 
Sorry this is not enough, but I will attempt to log more for you later.
 
Here's some pics of the fake screens:
 
While this screen attempts to look like a Windows system screen, it is a fake:
FakeVirus1.pngFakeVirus2.png
133
noahw (author) in reply to noahwJan 6, 2010. 12:37 PM
To Whom It May Concern:

Your website appears to be compromised and is hosting virus/malware distribution.  It appears to be a redirect to a scamware site.  I sent yo notification on Saturday regarding this problem.  While I do not believe your servers themselves are infected, it could very well be one of your banner ads that is causing the problem. 

Today I attempted to visit a link on your site and the infection is still there.  This has been confirmed by infecting a sacrificial VM instance of Windows XP.

The following link has the infection as well.  I have included the <DOT> to prevent accidental following of the link. 

       http://www.instructables<DOT>
com/id/Windows-7-Starter-Easy-way-to-change-wallpaper/

Per Virus Total the following scanners detect this as a virus (with name)

AntiVir      Worm/Koobface.aeg
Comodo    TrojWare.Win32.FraudTool.TS
F-Prot       W32/FakeAlert.DX3
F-Secure   Suspicious:W32/Malware!Gemini
McAfee

Repeated attempts do not always infect a computer which leads me to believe that this infection is in one of the banner ads.  I have not been able to isolate what ad or section of the page is causing the problem; just that it happens when visiting instructables<DOT>com pages.
133
noahw (author) in reply to noahwJan 6, 2010. 12:50 PM
Can't delete that comment above - so here it is reproduced with correct margins

****

AntiVirus 2009 trojan on Instructables web page -
 
While browsing at home this morning to the Instructables web site (using Firefox on my Windows Vista desktop), I picked up a variant of the "AntiVirus 2009" trojan. Fortunately, this was immediately detected and quarantined by Microsoft Security Essentials.
 
Here's what happened (with some screenshots):
 
1. I had finished a Google search and clicked on the following first result to Instructables.Com:
 
2. The Instructables page opened for a few seconds, but I was immediately redirected to a "Windows Security Center" (or similar) page that started displaying the usual popups about several viruses and infected files being discovered on my computer. From past experience with this type of Trojan, I knew they were false alarms.
 
3. Within a second or two, a virus alert appeared from Microsoft Security Essentials stating that the following "TrojanDownloader:HTML/Renos" item had been detected and successfully quarantined. Here's the results on the History tab in MSE:
 
4. The "Get more information about this item online" link on the History tab goes to the following Microsoft page (safe):
Microsoft Malware Protection Center
TrojanDownloader:HTML/Renos
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TrojanDownloader%3aHTML%2fRenos&threatid=2147575298
 
Analysis -- TrojanDownloader:HTML/Renos is Microsoft's generic detection for a trojan HTML script that attempts to download executable rogue security software when a user visits a malicious Web site and moves the mouse cursor over certain graphics or images.
Installation -- TrojanDownloader:HTML/Renos does not install locally. However, it may be cached in the temporary Internet files folder when viewing a malicious Web page.
Payload -- Downloads rogue security program. Viewing a malicious Web page containing this trojan script moves the mouse cursor over certain graphics or images. The trojan script could also invoke a dialogue box requesting that the user save or run a rogue security program.

5. I didn't see any other symptoms after MSE caught it, but I had to leave for work. I left a full MSE scan going, and will also run a Malwarebytes scan later to make sure all is OK.
 
Thought you'd like to know,

Pro

Get More Out of Instructables

Already have an Account?

close

PDF Downloads
As a Pro member, you will gain access to download any Instructable in the PDF format. You also have the ability to customize your PDF download.

Upgrade to Pro today!