1389Views88Replies

Author Options:

Virus Problem **Updated Topic - 1/12/2010** Answered


This is the official forum post for the virus problems some users are experiencing with our ad networks.  From now on please post all virus reports here.


One or more of the ad networks that serve advertisements on the site has been loading ads that are infected with a virus.  We have been monitoring the situation for almost two weeks now, working with users to identify the infected networks, and then shutting them down from our ad rotation.

Despite our best efforts, the Instructables Staff has not been able to reproduce the problem locally, either because the viruses are appearing in only certain geographic areas, or because we work on Macs.  As a result, we've been relying on users to help us identify the problem and target the infected ad networks.  Please understand that we are not serving these ads intentionally, nor is there a virus on Instructables directly, or our servers, and that we are doing everything possible to shut down the suspected ad networks that are causing this problem. 


Here's what we know so far

The virus appears to be what Microsoft calls a Rogue Antivirus.  It basically tricks users into thinking that their computer is infected with a virus, when their machines are in fact just fine.  A fake virus scan window alerts users that their computer is infected.  Once alerted with this news, users are misleadingly encouraged to install malicious software on their machine.  The alerts seem to pop up after users are redirected away from Instructables, sometimes immediately after loading a page on the site, or in some reports, just from users dragging their mouse over the ad spot.  The problem appears to have only effected a very small percentage of our users, as hundreds of thousands of people visit the site each day and only a few dozen reports have come in over the last two weeks.


What to do

Don't click on any links that instruct you to install software onto your machine.  Update the definitions for your virus program and install the latest updates for your operating system.  If you should experience any of these redirects or virus screens, please read the section below about how you can help us, and post your information to this forum topic.


How you can help

If you see a pop-up warning you that you are infected, or if you are redirected away from Instructables and onto another page that triggers a virus alert, take a screen shot (command + shift + 3 in mac; print screen button in windows) close the page down, and then come to this forum topic and post as much as you can describing what you were doing before the problem happened, what happened when the virus attacked, and what you did to fix the problem.

Please include the following details with your post if possible - the following information is necessary for us to identify which ad network the virus is coming from:
  • any ads serving on the page that you remember
  • description of malware
  • the URL of the page on Instructables you were viewing
  • direct URLs of malware
  • screenshots
  • city, state and or country you are located in
  • what operating system and browser you are using
If you have Firebug installed, you can use it to inspect the problem pages and gather even more information which you can post to this topic.

Previous forum topics about this problem include "Ad-Problem",  "Virus on Instructables" and "instant start virus alter programme".  While these forum topics are still useful in identifying the problem, we need to congregate all new reports here with the bulleted information above so we can gather the necessary facts to pass along to the ad networks to start attacking this problem as aggressively as we can.

I've aggregated offline screen shots, emails, and other useful comments below that contain useful clues to get the ball rolling.

Please accept our deepest apologies for this unacceptable frustration and continue to work with us so we can completely eliminate this virus problem our ad networks.


****1/12/2010 Update****


There's reason to believe that the virus could have infected your browsers cache, and thus be re-infecting your computer from there.  As per the instructions given in the New York Times Article "What to do if you saw an antivirus pop up ad" please follow the steps below before posting any new virus reports on this forum thread so we can be sure that your computer is not repeatedly infecting itself regardless of the state of the site.

1) Close the screen
2) Clear your browsers cache (directions here)
3) Scan computer with a legitimate anti virus software
4) Run any and all updates to your operating system

If you are then still seeing warning messages and pop ups about the malware, then please do let us know so we can continue to track and fight this problem.

We've shut down all of our ad networks that aren't absolutely essential to the running of the site and are working with the last two remaining networks to troubleshoot this problem.  All data shows that the ad networks are responsible for the virus attacks that many sites have been experiencing around the web recently (this is not just a problem on Instructables ), and we've got to take the fight to them to effectively stop the attacks.


Discussions

0
None
noahw

8 years ago

Not that this is an excuse for the virus problem that Instructables was experiencing a few months ago, but it's nice to know that at least it wasn't just us...

Malware delivered by Yahoo, Fox, Google ads


"Malware that exploits holes in popular applications is being delivered by big ad delivery platforms including those run by Yahoo, Fox, and Google, according to Prague-based antivirus firm Avast.

Viruses and other malware were found to be lurking in ads last year on high-profile sites like The New York Times and conservative news aggregator Drudge Report.com, and this year on Drudge, TechCrunch and WhitePages.com. The practice has been dubbed "malvertising."

Now, researchers at Avast are pointing fingers at some large ad delivery platforms including Yahoo's Yield Manager and Fox Audience Network's Fimserve.com, which together cover more than 50 percent of online ads, and to a much smaller degree Google's DoubleClick. In addition, some of the malicious ads ended up on Yahoo and Google sites, Avast claims.

"It's not just the small players but the ad servers connected with Google and Yahoo have been infected and served up bad ads," said Lyle Frink, public relations manager for Avast..."



0
None
ewilhelm

8 years ago

Thanks everyone for your patience and help!  Tracking this down has been a real nightmare, and we still haven't seen the issue ourselves, which makes fighting particularly difficult. 

If you are able to consistently see it, could you install the Live HTTP Headers add-on for Firefox, set it to capture the headers while you browse Instructables, and send us the results once you see the virus warning?  All other reports are helpful, but this is the only sure way we'll be able to isolate and nail it. 

0
None
grundisimo

7 years ago

It's been a while since anyone was on here but i just got attacked on this very page.

Virus proof.bmp
0
None
kikazz

8 years ago

wow seeing this... a computer virus is just like a real one... sometimes it can even cause panic in a mad scramble to find it and then figure out how to kill it.

0
None
M4industries

8 years ago

 Giant guide is infected.

Ads: Restaurant City, Quaker

0
None
M4industriesM4industries

Reply 8 years ago

 The popup said

Windows wants your permission to install antivirus software. 
Allow, Don't Allow

0
None
KnexFreek

8 years ago

 Please help, Im having troubles with my pro account. I am a pro member, i bought the 2 year 40$ plan in january this year. But, i get tons of ads. Advertisements on every single solitary page i click on. They are big ads that pop up and they just are not going away. The ads themselves are broken too, when i click on the "x" in the corner to close the ads, they close and immediately re-open. I have yet to log onto ibles without being bombed by ads. its ridiculous. its not like every now and then. it is every single page i click on. even right here on your profile page.  
 
Please help.
-kevin
0
None
KnexFreek

8 years ago

 if you hazz a mac then this wont happen. problem solved.

0
None
LoneWolfM4industries

Reply 8 years ago

Dude, nice profile image :) I had found that same pic on google images and I had recommended to somebody else to be their profile image and I had no idea somebody already had it.

0
None
M4industriesLoneWolf

Reply 8 years ago

 Yeah, I've seen at least one person with the same picture on their profile. There is no rule that your image has to be unique. 

0
None
LoneWolfM4industries

Reply 8 years ago

YEah.

and just wondering was your username suppost to have something to do with Mythbusters. If so, mythbusers is M5industries not M4industries.

0
None
M4industriesLoneWolf

Reply 8 years ago

 People have asked that. I did that on purpose to point out that I am similar but inferior to M5 Industries.

0
None
KnexFreekM4industries

Reply 8 years ago

 I was kidding... i just read the forum topic and it had the word virus in it. :)
LOL mac = no viruses : : : forum topic with virus in the title = get a mac 
thats my logic :D

But in all seriousness, you are right .

0
None
M4industriesKnexFreek

Reply 8 years ago

 Sorry if I was too serious, I tend to do that too often.

But that is true, safari can catch viruses, but the actual processor  and firmware are Fort Knox safe.

0
None
rosebud557

8 years ago

I found another fake virus on: Waste Oil Furnace for Melting Metal, posted
rjeblogue on March 5, 2008.   Thanks

0
None
Bobblob

8 years ago

PEN Hack VIDEO Is infected.  A  false virus program it has screwed my  XP machine and got past my AVG protection.  I noticed I didn't recognize the video site just before clicking on it. 

I wrote this original warning a few days ago using my Linux box and put a warning on the "Pen Hack" page .. that has been removed.   Was asked to post it here too.

I booted in safe mode did a restore  then went online to find some recommended registry cleaning and spyware removal programs that worked well.   MalwareBytes Anti-Malware
 
0
None
kelseymhBobblob

Reply 8 years ago

Could you reference the actual URL of the "PEN Hack VIDEO"?  I tried doing an I'ble search for "Pen Hack" and don't find anything with that exact name.  There are a few of "pen gun" I'bles, but none where I saw any sort of video attached.

When you wrote ".. that has been removed" above, do you mean that the I'ble itself has been removed?  The video has been removed from the I'ble?  Or that your comment was flagged and removed?

0
None
Bobblobkelseymh

Reply 8 years ago

The URL:
https://www.instructables.com/id/Save-200-in-2-Minutes-and-have-the-Worlds-Best-W/  This appears on the main page  ( https://www.instructables.com/) among several others in a scrolling group of images of other Instructables. I'm not interested in selecting the video again ....sorry!  I guess my linux box would be safe but going to the 1st URL I posted here will allow you to see the video image.

The Instructable remains there.. As soon as I could get my Linux machine booted I posted a warning in the comment section at that instructable.  I could not and can not find it now after just checking all 3 pages of comments ...So I'm guessung it was removed.   Thanks for following up on this!

0
None
M4industries

8 years ago

 I see them here and there. No correlation to the topic or add that I have noticed.

0
None
lemonie

8 years ago

I just got this one, immediately after logging-in - sorry didn't catch the ad.

L

temp.bmp
0
None
ewilhelmlemonie

Reply 8 years ago

Can you confirm that you are only seeing house ads (ads that link to Instructables)?  Knowing that this is unrelated to an ad network will help me track it down.

0
None
lemonieewilhelm

Reply 8 years ago

I'll confirm that. But before I logged-in I may have had something else.
My default login is via https://www.instructables.com/you?show=DISCUSSIONS so that took me to the "login and we'll take you to you" login page. Click button - that thing popped up.
(I wasn't paying attention past clicking the button I'm afraid)

L

0
None
ewilhelmlemonie

Reply 8 years ago

What browser are you using?  Have a look at
https://www.instructables.com/id/Instructables_Ad_Networks/
to help track it down.

0
None
lemonieewilhelm

Reply 8 years ago

Ah.... there's an idea. I'll try tonight.

L

0
None
ewilhelmlemonie

Reply 8 years ago

Since you're pro, you're not seeing any network ads (and I don't think we're running any direct campaigns right now, but I'll check).  So, you should only be seeing house ads.  So, this is quite strange.  If you can get it consistently, please try Live HTTP Headers mentioned above to help me track it down.

0
None
Hiyadudezlemonie

Reply 8 years ago

I got that! lOOK AT MY NEWEST FORUM.

0
None
JJYork

8 years ago

I come to this site frequently and have not had anymore problems since the 7th

0
None
Tool Using Animal

8 years ago

HTTP Headers

Since I can't get this to occur under Firefox I installed IEwatch, which has a free trial.

Anyways here's what I captured from ctrl r'ing the sweather legging instructable,sorry it's 7 meg.

BTW if I'm abusing the servers by ctrl-r'ing to get the problem to happen, let me know.

0
None
noahwqwertyboy

Reply 8 years ago

All of our ad networks besides Google Adsense have now been turned off.  Can you poke around a bit and let me know if you run into any more trouble? 

0
None
qwertyboynoahw

Reply 8 years ago

So far I havent had any problems. I've been going to some of the more "popular" 'ibles and haven't had any problems (the popup seemed to happen most to me on those).

Thanks and I hope you figure out the culprit!

0
None
noahw

8 years ago

Jan 12, 2010. 6:56 AMwebman3802 says:
I got it just now on this very page.
Jan 12, 2010. 5:27 AMdanstax says:

Now this is a bit too much. This morning 1/12/10, 7:11 AM, I logged in to Instructables, went to this page to see if there were any additional comments regarding this virus stuff, and it hit again. I made a quick screenshot before closing the browser. I have it as a Word file, but can't seem to attach it here. If you want to see it, please contact me, I can send it this evening. Here is the URL off the screenshot, if that is any use to you-

http://clean-your-pcr1.com/scn1/?id=pHT4xTzuMzc0LjIwNS4xOTUmcGlkPTQwczEmdGltZT0xMjYxMAkOPAZO

0
None
noahw

8 years ago

Moved from other topic in bugs...

Jan 11, 2010. 10:43 AMrandcal says:
Happened to me just today.

0
None
noahw

8 years ago

Jan 11, 2010. 2:16 PMdougoutcanoe(author) says:
Just happened again when I tried to look at an instructable from the newsletter dated 07 January 2010 11:59:53.

I hope I managed to stop it in time.

dougoutcanoe
Jan 11, 2010. 1:55 PMPepsi Supreme says:
I'm also having this problem.
Only when opening your ads on my e-mail.
Happened today again. 1-11-10
0
None
noahw

8 years ago

Moved from other topic in bugs...

Jan 11, 2010. 10:17 PMPhotoMaster says:
It appears to be one of the advertisers on the site or else someone has hacked the site. Every time I get on the site it is the first instructable I choose to view, no matter which one choose. I turn off the wireless card and stop IE. Then it reconnect to the internet and contnue using instructables.

0
None
crapflinger

8 years ago

had one today and one yesterday. sorry but i didn't have time to catch the specific alert as trendmicro closes the site immediately. only happening in the forums for me, i've yet to get popped while reading ibles.

0
None
PhotoMaster

8 years ago

I am trying again, as my last comment vanished. For several weeks now, the first instructable I decide to view launches a bogus virus warning and scan, which if I click through will infect my computer. I had it happen on an older computer. On this PC I deactivate my network card, close my internet explorer, re-connect my network card, re-connect to the internet, and finally reconnect to instructables. After this I am fine to use instructables until the next day when I will have the same scenario. I had it happen again this morning (NJ time). My cache was cleared earlier, so I know it is not in my cache. The problem still exists as of around 12:30am, 1/12/10.

Greg

0
None
noahwnewtoon

Reply 8 years ago

All of our ad networks besides Google Adsense have now been turned off.  Can you poke around a bit and let me know if you run into any more trouble?

0
None
Doctor Whatnoahw

Reply 8 years ago

All of your ad networks?  Does that take a hit in the profit area?

0
None
noahwDoctor What

Reply 8 years ago

It sure does, but we've absolutely got to identify which network is causing the problem so we can get rid of it.

0
None
Doctor Whatnoahw

Reply 8 years ago

Sorry to hear that.  I hope you get well soon (instructables being sick and all)!