Bogus "Your Computer is Infected" warnings

Status
Not open for further replies.

bearack

Guest
Space.com being attacked???

I've noticed lately that space.com has been very erratic of late. Working slow at times, sometimes not loading at all. I then noticed an abnormal amount of Trojans and malware being loaded on my system every time I visit here. I was initially thinking maybe it was just my work system, but I noticed a nasty one loaded on my system at home over the weekend.

Have the developers noticed anything out of the ordinary with SDC source code, or is anyone else seeing a similar issue? Granted, it could also be just my IP blacklisted somehow, but all indications point to SDC loading several different malwares and Trojans on my system(s).

Also, sometimes my posts never take. This is my third attempt to post this concern!
 
doublehelix

Guest
Re: Space.com being attacked???

Thanks for the feedback, bearack. One of the things that's happened is that we transferred to new servers. A resulting posting bug was discovered and the dev/IT team worked throughout last week trying to fix it. I believe they've figured out a solution and will continue to work on it this week; right now it's patched. Today, for instance, I have been able to successfully post each time, whereas last week I had about a 40% success rate when trying to post the first time.

The new servers should make things faster, too, so you will most likely see an increase in speed this week.

The malware/virus stuff is a concern. Most likely it's ad-related. I would recommend emailing Josh Borglund, one of our IT guys in Utah. He can be reached at jborglund@toptenreviews.com. He would welcome your email, I am sure.

I apologize for the inconvenience, frustration, and if you've lost any hair by pulling it out from the aggravation. I can totally relate. Also, keep posting here with concerns, observations, and the like. I'm going to forward on your post to Josh, too.

-dh
 
bearack

Guest
Re: Space.com being attacked???

It's no issue, DH. I understand the complexity of running a site in today's world and sympathize with your issues. When I get a chance, I'll email Jason with my findings.

Thanks,

Tim
 
a_lost_packet_

Guest
Re: Space.com being attacked???

bearack said:
...Have the developers noticed anything out of the ordinary with SDC source code, or is anyone else seeing a similar issue? Granted, it could also be just my IP blacklisted somehow, but all indications point to SDC loading several different malwares and Trojans on my system(s)....

Anything specific or just intrusion warnings/attempts?

I noticed SDC was completely down Monday morning. I assumed that was for the addition of the email notifications and such. It was "blank page" down and not just delayed or unresponsive.

I haven't had any issues. But, I don't get ads... I do, occasionally, allow them and click just to do my part though.
 
bdewoody

Guest
I just got an unsafe website warning in here

What's up? I was in free space and got a red unsafe website warning.
 
StarRider1701

Guest
Re: Space.com being attacked???

bearack said:
I then noticed an abnormal amount of Trojans and malware being loaded on my system every time I visit here.
Have the developers noticed anything out of the ordinary with SDC source code, or is anyone else seeing a similar issue? Granted, it could also be just my IP blacklisted somehow, but all indications point to SDC loading several different malwares and Trojans on my system(s).

Also, sometimes my posts never take. This is my third attempt to post this concern!

I too had a problem with what I guess was some kind of Trojan attacking me as I was looking around the home page reading the articles before logging in. This was Tue or Wed night. Suddenly SDC disappeared and the box kept popping up telling me I had to download this software to prevent intrusion into my computer! My Norton also popped up, telling me it was blocking an attempt to get into my comp. It took me a few minutes to clear that up and when I came back here it was ok. So I guess people can even use SDC to attack other folks' computers?
 
bdewoody

Guest
Twice now in the last three days I have received bogus computer virus warnings after logging onto SDC. It then tries to redirect my computer to a free virus scanning site. Is anybody else experiencing this?
 
jim48

Guest
bdewoody said:
Twice now in the last three days I have received bogus computer virus warnings after logging onto SDC. It then tries to redirect my computer to a free virus scanning site. Is anybody else experiencing this?

Yes, just a few minutes ago at around 12:30 a.m. EST. Third time for me in just a few days. Checked all my security settings and everything is green. Don't let that program run when it pops up. It looks legit but probably isn't. Send me a PM, Woody.
 
FlatEarth

Guest
bdewoody said:
Twice now in the last three days I have received bogus computer virus warnings after logging onto SDC. It then tries to redirect my computer to a free virus scanning site. Is anybody else experiencing this?

Me too. Happened to me twice and each time I immediately closed the browser. Somehow the program is getting by the firewall. :evil: No ill effects yet...
 
bdewoody

Guest
Same here, I shut down my browser and rebooted my computer and checked AVG which reported my computer clean. I hate this web hosting outfit that Space.com is now using.
 
nimbus

Guest
I haven't had a single occurrence of this. How are you guys eliminating all other possibilities? If you caught this thing elsewhere, it could be something on SDC that triggers it. Not necessarily an infection from SDC.

Just seems odd that SDC would have such an infection. It's pretty much a death sentence when they seem to hinge on attracting and retaining readers. For no apparent gain.
 
yevaud

Guest
I've seen and once been infected by a variation of this.

Go to your Task Manager. Is a process named "ctpmon.exe" or some variation on that running?

If so, reboot in safe mode; then go to C:\windows\system32\ctpmon.exe and delete the file. Finally, run your anti-virus. This should solve the problem.

Assuming it's the same virus...
 
Mee_n_Mac

Guest
nimbus said:
ctfmon.exe is an MS Office process.

A while ago I got a warning from my AV program re: some Trojan downloader being blocked. The details are in the User Feedback forum. I think the warning was legit. Yesterday I had a different event wherein a window popped up and said I was infected and tried to redirect me to a (bogus) AV site. This is some malware I've seen before and you should be careful not to go to the site indicated. Odd thing: I did an AV scan and then a malware/spyscan (another program) afterward and came up empty. The problem has not recurred and I'll guess it was tied to some ad.

ctfmon.exe is an Office process but it can also be a virus. It depends on where the ctfmon being run is stored. I believe the legit one is in C:\windows\system32. If it exists elsewhere on your PC, it's the virus. I've seen the virus also named cftmon or some other variant that, at a quick glance, appears to be the proper file. I think any of the good malware programs chucks this crap out on its butt.
 
yevaud

Guest
nimbus said:
ctfmon.exe is an MS Office process.

*Weary Sigh*

ctfmon.exe is a legitimate process if its source is located in the proper folder. That's the version that Office installs. If you find the same process root program installed and running in another, non-MS Office folder, it's likely been placed there by the virus, and the name is supposed to spoof you into thinking it's legitimate.

Capiche?
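
The location and name check that Mee_n_Mac and yevaud describe in the two posts above, as an added example that is not part of the thread. The function names, the edit-distance threshold of 2 and the sample paths are assumptions made for this sketch; the only trusted folder is the one named in the thread.

```python
import ntpath

LEGIT_NAME = "ctfmon.exe"
# Folder the thread names as the legitimate location. On 64-bit Windows a
# second copy normally sits in C:\Windows\SysWOW64; pass it in trusted_dirs
# if that applies (an assumption added here, not from the thread).
TRUSTED_DIRS = (r"C:\Windows\System32",)

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(image_path, trusted_dirs=TRUSTED_DIRS, max_distance=2):
    """Return 'ok', 'wrong-location', 'lookalike-name' or 'unrelated'."""
    # Normalise case, slashes and '..' so the comparison cannot be dodged
    # by writing the same path differently.
    norm = ntpath.normcase(ntpath.normpath(image_path))
    folder, name = ntpath.split(norm)
    trusted = {ntpath.normcase(ntpath.normpath(d)) for d in trusted_dirs}
    if name == LEGIT_NAME:
        return "ok" if folder in trusted else "wrong-location"
    if name.endswith(".exe") and edit_distance(name, LEGIT_NAME) <= max_distance:
        return "lookalike-name"  # e.g. cftmon.exe, ctpmon.exe
    return "unrelated"

def suspicious(paths, **kwargs):
    """Return (path, verdict) for every path that deserves a closer look."""
    verdicts = ((p, classify(p, **kwargs)) for p in paths)
    return [(p, v) for p, v in verdicts if v in ("wrong-location", "lookalike-name")]

# Constructed sample of running-process image paths (not real data).
SAMPLE = [
    r"C:\Windows\System32\ctfmon.exe",
    r"C:\Users\tim\AppData\Roaming\ctfmon.exe",
    r"C:\Windows\System32\cftmon.exe",
    r"C:\Windows\System32\..\Temp\ctfmon.exe",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for path, verdict in suspicious(SAMPLE):
        print(f"{verdict:15} {path}")
```

A flagged entry is a reason to scan the file, not proof of infection.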
 
a_lost_packet_

Guest
Not sure what the common tactic is today besides using popups. But, it used to be that such tactics used Windows network messaging services to send bogus "warning" dialogue messages. That service is generally used in office environments to send network notifications. "ie: The server will shut down in 5 mins." But, some Plug-N-Play features use the same system, especially multifunction printers and peripherals. Blocking network messaging, if your security software/firewall allows it, is usually a good idea. Using other open comm ports, which are not necessarily "physical ports" on your system, to gain access is a likely route of attack. So, instead of just blocking ranges of comm ports, which could also have debilitating effects on legitimate processes, it's best to install a software firewall that lets you customize access to those ports.

I highly recommend a good software firewall. ZoneAlarm works reasonably well and, if they still offer it, you can get a free version. A good software firewall will take care of pesky, uninvited attempts to access your ports and generate stupid "Virus Warning" messages.

Once a good firewall has been installed, test it here: https://www.grc.com/default.htm Navigate down to "Shields Up" and then let it run a port scan. If it detects open ports, that means that those ports can be potentially accessed by unauthorized users/programs. If your firewall isn't blocking that from happening, it's either not configured appropriately or it sucks outright. "Leaktest" is also good as, IIRC, it helps detect your susceptibility from having installed components access the internet without your authorization.

Windows native Firewall is a sieve. Don't rely on it alone.
 
bushwhacker

Guest
The last several weeks I've gotten that message. I just close the window and start my scanner (AVG), which always comes back clean.
 
drwayne

Guest
I have had something similar happen here, but I have never not had another window open on another site when it happened, so I could not uniquely blame SDC.

It looks like a variant of the fakeAV virus. Please do not click on any part of the popup, as this starts the process.

Wayne
 
Smersh

Guest
I've not experienced this at SDC (yet) but that might be because I'm a user in the UK and this thing is targeted by country.

I have seen similar warnings pop up on other sites in the past though, and as suggested by others it's a tactic sometimes used by malware criminals to con people into running their bogus "virus scan." On doing so the malware is covertly installed on a user's hard drive.

drwayne said:
... It looks like a variant of the fakeAV virus. Please do not click on any part of the popup, as this starts the process.

Wayne

A problem I've found with these popups in the past is that there is no obvious way of getting rid of one without clicking on it (or even clicking on the "X" to try to shut it down, which of course it doesn't), which then starts the malware process running. What I've done is to surf away from the site completely and either shut down the browser tab that has the popup or shut down my browser completely and start again afresh.
 
a_lost_packet_

Guest
Sometimes, Google advertising gets used by nefarious people looking to make a quick buck. They'll send you false alerts, ask you to install their "Free virus scanner" then it comes back with 10,0000 detections of viruses which they then ask you to pay them $50 for.

However, what happens is that the "Free Virus Scanner" you installed takes over your system, constantly sending you warning messages, locking out your homepage and, in general, being a pain in the butt. Basically, the program usually hijacks your system, refusing to allow normal operation until you buy and install their software. Yet, that software is usually not a decent virus scanner but either an adware hog or, worse, some sort of virus package itself.

This has been a common problem with such types of fake "Virus Alert" scams in the past years. On no condition should anyone, ever, give any money to any company for any anti-virus product that acts like this. Odds are it's a total scam or, worse, it's a permanent way to compromise the security of your system for nefarious use.

What is probably happening on SDC is some marketing company they have signed up with has contracted with one of these scammers to advertise their "product." Usually, they've done so unknowingly and are just as much an unwilling victim as the end user that gets scammed. But, sometimes they simply don't care. Google will pull advertising that has been shown to be malware like this. But, not all companies will do so readily.

My guess is that any tech/space/science site that has signed with the ad company is getting the same type of scam advertising that some are getting here on SDC.

I get "zero" advertising unless I wish it. Sometimes, I allow advertising so I can click on it and feed SDC a few cents since I pay nothing for being a member here yet get so much from it.

SDC should get a report from the marketers they have signed with and see what advertising has been pushed to their customers/members. Then, get reports from those of you that have been affected, match up the companies and report them to the marketer with a demand to cease pushing those ads.

So, to start - Take screenshots of what you are seeing and email them to DH or post them in the Community Talkback section.

EDIT ADD - I've posted my suggestion in the appropriate thread Space.com being attacked??? including a detailed description of how to take screenshots and post them on the forums. Also, from the thread, DH suggested emailing jborglund@toptenreviews.com with details/concerns about this problem. I'd heavily recommend including a screenpic along with the date and time you experienced it and emailing it to him.
 
a_lost_packet_

Guest
Re: Space.com being attacked???

Note to those receiving these scam popups:

Just my two coppers but, I think some more info is necessary.

Please take a screenshot of what you are seeing and post it. (Or, you can email it to jborglund@toptenreviews.com as suggested above by DH)

To do that in Windows, hit the "Print Screen" key on your keyboard with the popup in view.

Navigate to <Start><All Programs><Accessories><Paint> and this will open up Microsoft Paint for Windows.

Once Microsoft Paint starts, you should have a blank canvas. Go to <Edit><Paste> to paste your screenshot.

Then, save the screenshot by clicking <Edit><Save> (or Save As) and give it a title of the date/time for ease of use later. Remember where you saved it on your disk! :) Microsoft Paint usually defaults to the "My Pictures" directory which is a standard, Windows Created Directory. c:documents_and_settings/(your username)/my_documents/my_pictures

If you'd like to post it on the forums, I recommend "Tinypic.com" for that. Just go to http://tinypic.com and upload your screenpic there by choosing "Browse" and browse to where you saved your screenpic. So that it can be displayed easily on the forums, resize it to "message board 640x480" using the "Resize" option. Then, click "Upload Now." When it is uploaded, Tinypic will generate a series of strings for different types of codes. Highlight the string of code in the box that says "Direct Link for Layouts." Then, create a new post here and paste that code into it. Highlight the code and click the IMG button to bracket the image link with the img tags so it will be displayed in your post. Add whatever notes you think are important and Submit it.

(Note: Sometimes, certain types of objects displayed on the screen will not save properly because they are not the active window or coded differently. For instance, sometimes you can't get a mouse cursor to appear on a screenshot. In order to make the popup the active window, you may have to navigate to it by simultaneously hitting <Alt><TAB> and then clicking <TAB> while holding down the <ALT> key until the popup window is highlighted by the brackets. Then, release the <ALT><Tab> keys and hit <Print Screen> to take your screenshot. I have no idea what it is that you guys are seeing so, I just included this note as a possible workaround if you don't see the popup displayed in a screenshot you just took. If it doesn't work, you may need a third-party screenpic proggy to capture it.)
 
MeteorWayne

Guest
I have only seen this when connected to the main SDC home page, not ever from the forums. So when I check the SDC main site, I just go in, look, then close the tab/window.
 
a_lost_packet_

Guest
MeteorWayne said:
I have only seen this when connected to the main SDC home page, not ever from the forums. So when I check the SDC main site, I just go in, look, then close the tab/window.

IIRC, the forums are hosted on separate servers. Also, there may be different marketers pushing ads on the forums than those on the main SDC site. Not sure how they have that set up.
 
vogon13

Guest
If the healthcare bill included a 250,000 person capacity ID theft/computer scammer prison complex in western North Dakota the bill would have passed a year ago.


And if the prison is too expensive, giving a few hundred of these creeps the needle would solve the problem too.


Anyone see in The Tudors the scene where one of King Henry the VIII's enemies is boiled alive ? ? ? ?

(The executioner inquiring about head first or not was a nice touch)



something to think about
 
MeteorWayne

Guest
Re: Space.com being attacked???

Just my 2 pfennig:

This has only happened to me when on the main SDC front page. I have never had it happen from the forum window which (as you can tell) is almost always open.
 