Instructables

Virus Problem **Updated Topic - 1/12/2010**


This is the official forum post for the virus problems some users are experiencing with our ad networks.  From now on please post all virus reports here.


One or more of the ad networks that serve advertisements on the site has been loading ads that are infected with a virus.  We have been monitoring the situation for almost two weeks now, working with users to identify the infected networks, and then shutting them down from our ad rotation.

Despite our best efforts, the Instructables Staff has not been able to reproduce the problem locally, either because the viruses are appearing in only certain geographic areas, or because we work on Macs.  As a result, we've been relying on users to help us identify the problem and target the infected ad networks.  Please understand that we are not serving these ads intentionally, nor is there a virus on Instructables directly, or our servers, and that we are doing everything possible to shut down the suspected ad networks that are causing this problem. 


Here's what we know so far

The virus appears to be what Microsoft calls a Rogue Antivirus.  It basically tricks users into thinking that their computer is infected with a virus, when their machines are in fact just fine.  A fake virus scan window alerts users that their computer is infected.  Once alerted with this news, users are misleadingly encouraged to install malicious software on their machine.  The alerts seem to pop up after users are redirected away from Instructables, sometimes immediately after loading a page on the site, or in some reports, just from users dragging their mouse over the ad spot.  The problem appears to have only affected a very small percentage of our users, as hundreds of thousands of people visit the site each day and only a few dozen reports have come in over the last two weeks.


What to do

Don't click on any links that instruct you to install software onto your machine.  Update the definitions for your virus program and install the latest updates for your operating system.  If you should experience any of these redirects or virus screens, please read the section below about how you can help us, and post your information to this forum topic.


How you can help

If you see a pop-up warning you that you are infected, or if you are redirected away from Instructables and onto another page that triggers a virus alert, take a screen shot (command + shift + 3 on a Mac; Print Screen button on Windows), close the page down, and then come to this forum topic and post as much as you can describing what you were doing before the problem happened, what happened when the virus attacked, and what you did to fix the problem.

Please include the following details with your post if possible - the following information is necessary for us to identify which ad network the virus is coming from:
  • any ads serving on the page that you remember
  • description of malware
  • the URL of the page on Instructables you were viewing
  • direct URLs of malware
  • screenshots
  • city, state and/or country you are located in
  • what operating system and browser you are using
If you have Firebug installed, you can use it to inspect the problem pages and gather even more information which you can post to this topic.

Previous forum topics about this problem include "Ad-Problem",  "Virus on Instructables" and "instant start virus alter programme".  While these forum topics are still useful in identifying the problem, we need to congregate all new reports here with the bulleted information above so we can gather the necessary facts to pass along to the ad networks to start attacking this problem as aggressively as we can.

I've aggregated offline screen shots, emails, and other useful comments below that contain useful clues to get the ball rolling.

Please accept our deepest apologies for this unacceptable frustration and continue to work with us so we can completely eliminate this virus problem from our ad networks.


****1/12/2010 Update****


There's reason to believe that the virus could have infected your browser's cache, and thus be re-infecting your computer from there.  As per the instructions given in the New York Times Article "What to do if you saw an antivirus pop up ad" please follow the steps below before posting any new virus reports on this forum thread so we can be sure that your computer is not repeatedly infecting itself regardless of the state of the site.

1) Close the screen
2) Clear your browser's cache (directions here)
3) Scan computer with a legitimate anti virus software
4) Run any and all updates to your operating system

If you are then still seeing warning messages and pop ups about the malware, then please do let us know so we can continue to track and fight this problem.

We've shut down all of our ad networks that aren't absolutely essential to the running of the site and are working with the last two remaining networks to troubleshoot this problem.  All data shows that the ad networks are responsible for the virus attacks that many sites have been experiencing around the web recently (this is not just a problem on Instructables), and we've got to take the fight to them to effectively stop the attacks.



noahw (author) 4 years ago
Not that this is an excuse for the virus problem that Instructables was experiencing a few months ago, but it's nice to know that at least it wasn't just us...

Malware delivered by Yahoo, Fox, Google ads


"Malware that exploits holes in popular applications is being delivered by big ad delivery platforms including those run by Yahoo, Fox, and Google, according to Prague-based antivirus firm Avast.

Viruses and other malware were found to be lurking in ads last year on high-profile sites like The New York Times and conservative news aggregator Drudge Report.com, and this year on Drudge, TechCrunch and WhitePages.com. The practice has been dubbed "malvertising."

Now, researchers at Avast are pointing fingers at some large ad delivery platforms including Yahoo's Yield Manager and Fox Audience Network's Fimserve.com, which together cover more than 50 percent of online ads, and to a much smaller degree Google's DoubleClick. In addition, some of the malicious ads ended up on Yahoo and Google sites, Avast claims.

"It's not just the small players but the ad servers connected with Google and Yahoo have been infected and served up bad ads," said Lyle Frink, public relations manager for Avast..."



ewilhelm 4 years ago
Thanks everyone for your patience and help!  Tracking this down has been a real nightmare, and we still haven't seen the issue ourselves, which makes fighting particularly difficult. 

If you are able to consistently see it, could you install the Live HTTP Headers add-on for Firefox, set it to capture the headers while you browse Instructables, and send us the results once you see the virus warning?  All other reports are helpful, but this is the only sure way we'll be able to isolate and nail it. 
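
A header capture like the one requested above can be reduced to a redirect chain mechanically. The following is an added example, not Instructables' code: the capture layout, the `.example`/`.test` hosts and the function names are constructed assumptions, and the `/scn1/` marker is the path seen in landing URLs reported in this thread. It walks back from the landing page to the first off-site host, which is the one to report.

```python
import re
from urllib.parse import urljoin, urlsplit

SITE = "instructables.com"
SEPARATOR = re.compile(r"^-{10,}[ \t]*$", re.MULTILINE)

# Constructed capture, not real traffic; every third-party host is a placeholder.
CAPTURE = """\
http://www.instructables.com/id/Some-Project/

GET /id/Some-Project/ HTTP/1.1

HTTP/1.1 200 OK
----------------------------------------------------------
http://ads.network-a.example/serve.js?slot=top

GET /serve.js?slot=top HTTP/1.1
Referer: http://www.instructables.com/id/Some-Project/

HTTP/1.1 200 OK
----------------------------------------------------------
http://ads.network-b.example/frame?slot=side

GET /frame?slot=side HTTP/1.1
Referer: http://www.instructables.com/id/Some-Project/

HTTP/1.1 302 Found
Location: http://cdn.reseller.example/creative/77
----------------------------------------------------------
http://cdn.reseller.example/creative/77

GET /creative/77 HTTP/1.1
Referer: http://www.instructables.com/id/Some-Project/

HTTP/1.1 302 Found
Location: http://fake-scanner.test/scn1/?id=CONSTRUCTED
----------------------------------------------------------
http://fake-scanner.test/scn1/?id=CONSTRUCTED

GET /scn1/?id=CONSTRUCTED HTTP/1.1

HTTP/1.1 200 OK
----------------------------------------------------------
"""

def parse_capture(text):
    """Split the capture into transactions: url, referer, redirect target."""
    transactions = []
    for block in SEPARATOR.split(text):
        lines = [ln.strip() for ln in block.strip().splitlines()]
        if not lines:
            continue
        tx = {"url": lines[0], "referer": None, "location": None}
        for ln in lines[1:]:
            name, sep, value = ln.partition(":")
            if not sep:
                continue  # request line, status line or blank line
            if name.strip().lower() == "referer":
                tx["referer"] = value.strip()
            elif name.strip().lower() == "location":
                # Location may be relative; resolve it against the request URL.
                tx["location"] = urljoin(tx["url"], value.strip())
        transactions.append(tx)
    return transactions

def on_site(url):
    """True when the URL is served by the site itself or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower()
    return host == SITE or host.endswith("." + SITE)

def trace_to_site(transactions, landing_marker):
    """Walk back from the landing page to the site page that started the chain."""
    by_url = {tx["url"]: tx for tx in transactions}
    redirected_from = {tx["location"]: tx["url"] for tx in transactions if tx["location"]}
    landing = next((u for u in by_url if landing_marker in u and not on_site(u)), None)
    if landing is None:
        return []
    chain, current = [landing], landing
    while not on_site(current):
        # Prefer an HTTP redirect that led here; fall back to the Referer header,
        # which covers script- or frame-driven navigation.
        previous = redirected_from.get(current) or by_url.get(current, {}).get("referer")
        if previous is None or previous in chain:
            break  # chain is incomplete or loops; return what was recovered
        chain.append(previous)
        current = previous
    return chain[::-1]

def suspect_host(chain):
    """First hop that is not the site itself: the host to report."""
    return next((urlsplit(u).hostname for u in chain if not on_site(u)), None)

if __name__ == "__main__":
    chain = trace_to_site(parse_capture(CAPTURE), "/scn1/")
    print(" -> ".join(chain))
    print("report this host:", suspect_host(chain))
```

If the returned chain does not start on the site, the capture began too late and the first hop is only the earliest one recorded.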
grundisimo 2 years ago
It's been a while since anyone was on here but I just got attacked on this very page.
Virus proof.bmp
It says Trojan horse blocked in the red box.
Hopefully this is a better picture.
Better.bmp
kikazz 3 years ago
wow seeing this... a computer virus is just like a real one... sometimes it can even cause panic in a mad scramble to find it and then figure out how to kill it.
 Giant guide is infected.

Ads: Restaurant City, Quaker
 The popup said

Windows wants your permission to install antivirus software. 
Allow, Don't Allow
KnexFreek 4 years ago
 Please help, I'm having troubles with my pro account. I am a pro member, I bought the 2 year 40$ plan in January this year. But, I get tons of ads. Advertisements on every single solitary page I click on. They are big ads that pop up and they just are not going away. The ads themselves are broken too, when I click on the "x" in the corner to close the ads, they close and immediately re-open. I have yet to log onto ibles without being bombed by ads. It's ridiculous. It's not like every now and then. It is every single page I click on. Even right here on your profile page.
 
Please help.
-kevin
KnexFreek 4 years ago
 if you hazz a mac then this won't happen. problem solved.
Or use adblock...
 au contraire...

I have a mac and it does happen on this site.

Here's the forum topic I posted
Dude, nice profile image :) I had found that same pic on google images and I had recommended to somebody else to be their profile image and I had no idea somebody already had it.
 Yeah, I've seen at least one person with the same picture on their profile. There is no rule that your image has to be unique. 
YEah.

and just wondering was your username supposed to have something to do with Mythbusters. If so, Mythbusters is M5industries not M4industries.
 People have asked that. I did that on purpose to point out that I am similar but inferior to M5 Industries.
Oh ok. That's cool.
 I was kidding... i just read the forum topic and it had the word virus in it. :)
LOL mac = no viruses : : : forum topic with virus in the title = get a mac 
thats my logic :D

But in all seriousness, you are right .
 Sorry if I was too serious, I tend to do that too often.

But that is true, safari can catch viruses, but the actual processor  and firmware are Fort Knox safe.
 No you weren't !!! Trust me :) 
rosebud557 4 years ago
I found another fake virus on: Waste Oil Furnace for Melting Metal, posted
rjeblogue on March 5, 2008.   Thanks
Bobblob 4 years ago
PEN Hack VIDEO Is infected.  A  false virus program it has screwed my  XP machine and got past my AVG protection.  I noticed I didn't recognize the video site just before clicking on it. 

I wrote this original warning a few days ago using my Linux box and put a warning on the "Pen Hack" page .. that has been removed.   Was asked to post it here too.

I booted in safe mode did a restore  then went online to find some recommended registry cleaning and spyware removal programs that worked well.   MalwareBytes Anti-Malware
 
Could you reference the actual URL of the "PEN Hack VIDEO"?  I tried doing an I'ble search for "Pen Hack" and don't find anything with that exact name.  There are a few of "pen gun" I'bles, but none where I saw any sort of video attached.

When you wrote ".. that has been removed" above, do you mean that the I'ble itself has been removed?  The video has been removed from the I'ble?  Or that your comment was flagged and removed?
The URL:
http://www.instructables.com/id/Save-200-in-2-Minutes-and-have-the-Worlds-Best-W/  This appears on the main page  ( http://www.instructables.com/) among several others in a scrolling group of images of other Instructables. I'm not interested in selecting the video again ....sorry!  I guess my linux box would be safe but going to the 1st URL I posted here will allow you to see the video image.

The Instructable remains there.. As soon as I could get my Linux machine booted I posted a warning in the comment section at that instructable.  I could not and can not find it now after just checking all 3 pages of comments ...So I'm guessing it was removed.   Thanks for following up on this!
chotii 4 years ago
I just navigated directly to my own Instructable. MSE flagged a trojan: Trojan:JS/Redirector.

I went to this page http://www.instructables.com/you/backtalk/?action=reply&commentId=CPFA9HWG69MUWGV

However, returning to that page did not create the same flag. I'm sorry, I don't know what ad came up the first time, as I was too alarmed to notice.

I am running Windows 7. I am in Seattle, WA
 I see them here and there. No correlation to the topic or add that I have noticed.
 PS. I work on a Mac too and I get them.
lemonie 4 years ago
I just got this one, immediately after logging-in - sorry didn't catch the ad.

L

temp.bmp
Can you confirm that you are only seeing house ads (ads that link to Instructables)?  Knowing that this is unrelated to an ad network will help me track it down.
I'll confirm that. But before I logged-in I may have had something else.
My default login is via http://www.instructables.com/you?show=DISCUSSIONS so that took me to the "login and we'll take you to you" login page. Click button - that thing popped up.
(I wasn't paying attention past clicking the button I'm afraid)

L
What browser are you using?  Have a look at
http://www.instructables.com/id/Instructables_Ad_Networks/
to help track it down.
Ah.... there's an idea. I'll try tonight.

L
Since you're pro, you're not seeing any network ads (and I don't think we're running any direct campaigns right now, but I'll check).  So, you should only be seeing house ads.  So, this is quite strange.  If you can get it consistently, please try Live HTTP Headers mentioned above to help me track it down.
I got that! LOOK AT MY NEWEST FORUM.
JJYork 4 years ago
I come to this site frequently and have not had anymore problems since the 7th
HTTP Headers

Since I can't get this to occur under Firefox I installed IEwatch, which has a free trial.

Anyways here's what I captured from ctrl r'ing the sweater legging instructable, sorry it's 7 meg.

BTW if I'm abusing the servers by ctrl-r'ing to get the problem to happen, let me know.
qwertyboy 4 years ago
Got the virus scanner again. I was looking at SaskView's Useless Machine 'Ible. I run Win XP and am using IE8, also, I use AVG.

Link: http://online-spyware-killl1.com/scn1/?id=%3Dnm39jTuMzA5LjEyNi4yMSZwaWQ9NDBzMSZ0aW1lPTEyNjIxOYENNAkM

Photo 1: http://www.flickr.com/photos/34888294@N02/4263351251/
Photo 2: http://www.flickr.com/photos/34888294@N02/4264103222/in/photostream/
noahw (author)  qwertyboy 4 years ago
All of our ad networks besides Google Adsense have now been turned off.  Can you poke around a bit and let me know if you run into any more trouble? 
qwertyboy noahw 4 years ago
So far I haven't had any problems. I've been going to some of the more "popular" 'ibles and haven't had any problems (the popup seemed to happen most to me on those).

Thanks and I hope you figure out the culprit!
noahw (author) 4 years ago
Jan 12, 2010. 6:56 AM webman3802 says:
I got it just now on this very page.
Jan 12, 2010. 5:27 AM danstax says:

Now this is a bit too much. This morning 1/12/10, 7:11 AM, I logged in to Instructables, went to this page to see if there were any additional comments regarding this virus stuff, and it hit again. I made a quick screenshot before closing the browser. I have it as a Word file, but can't seem to attach it here. If you want to see it, please contact me, I can send it this evening. Here is the URL off the screenshot, if that is any use to you-

http://clean-your-pcr1.com/scn1/?id=pHT4xTzuMzc0LjIwNS4xOTUmcGlkPTQwczEmdGltZT0xMjYxMAkOPAZO

noahw (author) 4 years ago
Moved from other topic in bugs...

Jan 11, 2010. 10:43 AM randcal says:
Happened to me just today.

noahw (author) 4 years ago
Jan 11, 2010. 2:16 PM dougoutcanoe (author) says:
Just happened again when I tried to look at an instructable from the newsletter dated 07 January 2010 11:59:53.

I hope I managed to stop it in time.

dougoutcanoe
Jan 11, 2010. 1:55 PM Pepsi Supreme says:
I'm also having this problem.
Only when opening your ads on my e-mail.
Happened today again. 1-11-10
noahw (author) 4 years ago
Moved from other topic in bugs...

Jan 11, 2010. 10:17 PM PhotoMaster says:
It appears to be one of the advertisers on the site or else someone has hacked the site. Every time I get on the site it is the first instructable I choose to view, no matter which one I choose. I turn off the wireless card and stop IE. Then I reconnect to the internet and continue using instructables.

crapflinger 4 years ago
had one today and one yesterday. sorry but i didn't have time to catch the specific alert as trendmicro closes the site immediately. only happening in the forums for me, i've yet to get popped while reading ibles.
PhotoMaster 4 years ago
I am trying again, as my last comment vanished. For several weeks now, the first instructable I decide to view launches a bogus virus warning and scan, which if I click through will infect my computer. I had it happen on an older computer. On this PC I deactivate my network card, close my internet explorer, re-connect my network card, re-connect to the internet, and finally reconnect to instructables. After this I am fine to use instructables until the next day when I will have the same scenario. I had it happen again this morning (NJ time). My cache was cleared earlier, so I know it is not in my cache. The problem still exists as of around 12:30am, 1/12/10.

Greg
newtoon 4 years ago
Since a couple of days something leads me to this address when I visit instructables.com.

I´m not logged, when this happens.

Here`s the link:  http://antispywareonlinel6.com/scn1/?id=%3D3G09DDuMzcxLjc4LjEzMiZwaWQ9NDBzMSZ0aW1lPTEyNjEwNYYOMAkM
noahw (author)  newtoon 4 years ago
All of our ad networks besides Google Adsense have now been turned off.  Can you poke around a bit and let me know if you run into any more trouble?
All of your ad networks?  Does that take a hit in the profit area?
noahw (author)  Doctor What 4 years ago
It sure does, but we've absolutely got to identify which network is causing the problem so we can get rid of it.

Sorry to hear that.  I hope you get well soon (instructables being sick and all)!
After one occurrence yesterday, so far so good this afternoon. No problem after viewing about 20 various Instructibles pages. Apparently no evil from Google.
JJYork 4 years ago
Happened to me. Had done a search on "magnets" and clicked on the instructable "how to obtain cheap rare earth magnets". Had not clicked on an outside site but one is contained within the instructable. Just closed out
noahw (author)  JJYork 4 years ago
All of our ad networks besides Google Adsense have now been turned off.  Can you poke around a bit and let me know if you run into any more trouble?
noahw (author)  JJYork 4 years ago
Just to be clear - this just happened to you and you saw screens similar to what are shown in the screen grabs above?
JJYork noahw 4 years ago
Yes
A viewer of my youtube video left a comment tonight about a virus after clicking a link to my 'ible.  I had a couple earlier but didn't think they were real.

This REALLY sucks, cause a hefty percentage of the traffic here lately has been because of my 'ible.

Instructables should have contacted all the members and alerted them to this problem.  Not sweep the issue under the rug, and continue letting rogue ads slip through.

NOT HAPPY AT ALL! 
noahw (author)  Frivolous Engineering 4 years ago
Hey SaskView.  I'm sorry that you are not happy and I'm also sorry that one of your viewers was affected with our virus issue. 

I hear that you feel that the issue was swept under the rug, but I really do think that we've been doing everything we can to try and work with users to understand the problem and work as fast as we can to resolve the problem.

We've had a pretty active discussion about the problem here on the bug section of the forums and the Instructables Staff has been working hard to pinpoint the ads causing the problem and shut down those networks.  The search was a bit like finding a needle in a haystack because we couldn't reproduce the problem locally at our offices and because we work with many different ad networks and their affiliates.

After turning off some suspected ad networks last week, and then learning of a few more reports over the weekend, we decided to take the strongest approach we can and shut down all of our networks besides Google Adsense. 

Please let me know if you continue to hear reports come in from your viewers.  We rely on our advertising to survive, so shutting almost all of them down is no small decision or response to this problem.

I'm the lead person to talk to about this problem.  Please do let me know if you hear of any more reports.


Brick Moon 4 years ago
The problem continues. On viewing random Instructables pages (which I usually open in a new tab), an average of perhaps one out of eight times, the rogue antispyware warning immediately appears. I just run the task manager and shut down IE browser. So far, restoring the session afterwards has not resulted in the same occurrence.
Running IE8, XP.
noahw (author)  Brick Moon 4 years ago
All of our ad networks besides Google Adsense have now been turned off.  Can you poke around a bit and let me know if you run into any more trouble? 
chotii 4 years ago

Doggone it, the "antivirus" ad popped up when I was reading THIS page, about the virus!!

It redirects me to onlineantivirust5.com, but I don't know what ad was showing at the top of the screen when that happened, because boom it was gone and I was redirected.

I am not a Pro member, but I was logged in. I am running IE8, with Windows 7.

noahw (author)  chotii 4 years ago
All of our ad networks besides Google Adsense have now been turned off.  Can you poke around a bit and let me know if you run into any more trouble? 
katmckee 4 years ago
sorry to bear the bad news. i went into the home page not signed in, clicked on next page of popular ibles, clicked on the crocheted moustache hat ible, and bam... warning I have viruses, fake scanner, attempt to save a .exe
instructables-virus1-jan7.jpg instructables-virus2-jan7.jpg instructables-virus3-jan7.jpg
As a pro member, you shouldn't be seeing any ad networks.  Can you confirm that you were logged in when you saw this?
Quote, " i went into the home page not signed in".
cylonics 4 years ago
 I have not seen it again recently. Have been surfing ibles and hitting F5 with impunity.  I have noticed however, the ads no longer change with refresh. Will just surf more and tempt fate. 
Correction: If the page is allowed to load fully, F5 will load a new Ad.  Just refreshed 10x at 3 different ibles, the problem did not reappear.  Also noticed the ads before were the tall vertical type, and are now square, and mostly "Ads by google".   Will post if  it shows again, but feeling warmer and fuzzier... 
Hey Noawh I don't know if it's any use to you but I captured my temporary internet files when this happened.

I set my temp dir to my ram disk, restarted to flush everything, loaded ie, navigated to Christy's eggnog instructable and ctrl-r'd until the fake scanner came up, copied and zipped the dir.


noahw (author)  Tool Using Animal 4 years ago
We just shut down yet another ad network an hour ago - can you let me know if it happens to you again...Thanks!
I'll go mess around and let you know
Looks like you got it, an hour of random walking instructables and nothing happened.
noahw (author)  Tool Using Animal 4 years ago
Thanks for helping us to figure this problem - giving us your temp directory = awesome.
katmckee 4 years ago
using IE and MS Vista on my laptop at home in Gainesville FL on the Dell laptop.

I logged in, navigated to my profile, clicked on one of the groups I'm in - Outrigger Canoe  - and then 2 seconds later the little dialogue box was there, I x'd out of it, then the big fake windows browser pops up with counters flying about all my trojans etc. I closed IE, then the other dialogue box was there again. I x'd out of that. that was it.

sorry I didn't see what ad was on the page at the time. It happened about 6 min ago! good luck...
instructables-virus1.jpg instructables-virus2.jpg
noahw (author)  katmckee 4 years ago
We just shut down yet another ad network an hour ago - can you let me know if it happens to you again?  Thanks!
noahw (author)  katmckee 4 years ago
Thanks for posting your info - it's a huge help to us!
Berkin 4 years ago
My Norton software detected an Infostealer.Gampass trojan located at

"http://www.instructables<DOT>com/files/orig/FQW/G5Y1/F4L2T7N8/FQWG5Y1F4L2T7N8.tmp"
noahw (author)  Berkin 4 years ago
Kiteman also reported this infected file just minutes ago.  Copied from my reply to him...

Rachel reports that that particular file was uploaded by a user back in July of 2007.  It has just been deleted and the user has been warned, so hopefully this case is closed. 

Strange that it just popped up for you now though, I guess something triggered it to turn up on the site.

We're assuming that the user did not know that their file was infected and don't suspect that has anything to do with what we've been experiencing related to the virus on our ad networks.
Berkin noahw 4 years ago
Okay, thanks.
=SMART= 4 years ago
I haven't experienced this, I'm on a mac too, running FF 3.7.

Really well handled though, I'm sure this will get sorted quickly :)
randofo 4 years ago
I suspect the "slow script" bug in Safari is the malware ineffectively trying to load itself and getting caught in a recursive loop. This happens before the page has time to load and has frozen my browser more times than I care to think about. It is very frustrating.
slowscript.jpg
noahw (author) 4 years ago
"It was Internet Security 2010 Software.
It dumps the following virus on to the host root, Trojan.FakeAlert, Broken.OpenCommand and gaopdxserv.sys. Once they get into the registry they seem to multiply allowing you to delete one or two copies so you think you destroyed them when in fact they duplicated and moved to a hidden directory.
There is more to it than this as my McAfee's is totally disabled even in safe mode and its Online Technical Advisor something else is in this virus that takes over wireless systems and routers because something has liked my wife's and daughter's computer to mine and all are acting the same now."
noahw (author) 4 years ago
"I and a friend both repeatably get FakeAlert-KW in IE on http://www.instructables.com/id/DIY-Soda-Water-%26-Home-Carbonation---Pays-For-Itsel/

It puts up a 'scan your computer now' dialog that won't accept 'no' for an answer.

Doesn't occur in firefox with noscript and adblock, of course.

I also tried to send this to your specified contact email (info at instructibles dot com) but got a 550 #5.1.0 Address rejected error."
noahw (author) 4 years ago
"I've encountered it several times since Jan 1st.  Just hit it again 5 mins ago on the Hans Solo Carbonite Wooden Cabinet instructable.

It pulls up McAfee screens showing infections everywhere.  It pops up another alert screen from MICROSOFT or similar - all very real looking.   It also tries to prevent you from closing out the browsers, keeps popping up new ones.  First time I was so startled I pulled the LAN cable out, power out, and popped the battery as quickly as I could."
noahw (author) 4 years ago
"Hmmm.... I only had this problem with other computers than my own, and I recognized it right away, mainly because I had a virus before called "antivirus 2009".  Fun little virus, essentially popped up a nice little screen that told me that my computer was infected, and I should download their software.

Strange though, I never encountered it at home.  Firefox?"
noahw (author) 4 years ago
(removed by author or community request)
noahw (author)  noahw 4 years ago
1) 

Just popped up while looking at one of my 'ables'.
 
http://antywiramericabox.com/index.php?affid=91107
image001.gif
noahw (author)  noahw 4 years ago
This is the link that gets launched:
 
http://an-ty-software-list.com/index.php?affid=91107
 
As you can see, it is a fake animation of a virus scan that then redirects you to their web page and attempts to lure you into downloading and installing their spyware.
 
This is hard to capture the events because I think the fake virus page only launches occasionally (or once a day).
 
Does that affid=91107 correspond to instructables.com?
 
 
I accessed instructables.com from the link about the Sonicare toothbrush referenced below:
 
http://www.instructables.com/id/Sonicare_Elite_7300_Battery_Replacement/
 
Only thing I noticed was a Samsung phone ad in the upper right.
I didn't notice the banner ad across the top.
 
When I clicked Internet Explorer "refresh" that was enough to trigger the fake virus scan.
 
Sorry this is not enough, but I will attempt to log more for you later.
 
Here's some pics of the fake screens:
 
While this screen attempts to look like a Windows system screen, it is a fake:
FakeVirus1.png FakeVirus2.png
noahw (author)  noahw 4 years ago
To Whom It May Concern:

Your website appears to be compromised and is hosting virus/malware distribution.  It appears to be a redirect to a scamware site.  I sent you notification on Saturday regarding this problem.  While I do not believe your servers themselves are infected, it could very well be one of your banner ads that is causing the problem. 

Today I attempted to visit a link on your site and the infection is still there.  This has been confirmed by infecting a sacrificial VM instance of Windows XP.

The following link has the infection as well.  I have included the <DOT> to prevent accidental following of the link. 

       http://www.instructables<DOT>com/id/Windows-7-Starter-Easy-way-to-change-wallpaper/

Per Virus Total the following scanners detect this as a virus (with name)

AntiVir      Worm/Koobface.aeg
Comodo    TrojWare.Win32.FraudTool.TS
F-Prot       W32/FakeAlert.DX3
F-Secure   Suspicious:W32/Malware!Gemini
McAfee

Repeated attempts do not always infect a computer which leads me to believe that this infection is in one of the banner ads.  I have not been able to isolate what ad or section of the page is causing the problem; just that it happens when visiting instructables<DOT>com pages.
noahw (author)  noahw 4 years ago
Can't delete that comment above - so here it is reproduced with correct margins

****

AntiVirus 2009 trojan on Instructables web page -
 
While browsing at home this morning to the Instructables web site (using Firefox on my Windows Vista desktop), I picked up a variant of the "AntiVirus 2009" trojan. Fortunately, this was immediately detected and quarantined by Microsoft Security Essentials.
 
Here's what happened (with some screenshots):
 
1. I had finished a Google search and clicked on the following first result to Instructables.Com:
 
2. The Instructables page opened for a few seconds, but I was immediately redirected to a "Windows Security Center" (or similar) page that started displaying the usual popups about several viruses and infected files being discovered on my computer. From past experience with this type of Trojan, I knew they were false alarms.
 
3. Within a second or two, a virus alert appeared from Microsoft Security Essentials stating that the following "TrojanDownloader:HTML/Renos" item had been detected and successfully quarantined. Here's the results on the History tab in MSE:
 
4. The "Get more information about this item online" link on the History tab goes to the following Microsoft page (safe):
Microsoft Malware Protection Center
TrojanDownloader:HTML/Renos
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TrojanDownloader%3aHTML%2fRenos&threatid=2147575298
 
Analysis -- TrojanDownloader:HTML/Renos is Microsoft's generic detection for a trojan HTML script that attempts to download executable rogue security software when a user visits a malicious Web site and moves the mouse cursor over certain graphics or images.
Installation -- TrojanDownloader:HTML/Renos does not install locally. However, it may be cached in the temporary Internet files folder when viewing a malicious Web page.
Payload -- Downloads rogue security program. Viewing a malicious Web page containing this trojan script moves the mouse cursor over certain graphics or images. The trojan script could also invoke a dialogue box requesting that the user save or run a rogue security program.

5. I didn't see any other symptoms after MSE caught it, but I had to leave for work. I left a full MSE scan going, and will also run a Malwarebytes scan later to make sure all is OK.
 
Thought you'd like to know,
