
Bogus "Your Computer is Infected" warnings

bearack

Guest
I've posted this concern about 2 weeks ago and it's apparently getting worse. I've added a boatload of security features to my system, so it hasn't been much of a problem of late; however, there is definitely something nasty embedded in the SDC source code.

Every time I enter, I get an IP block from MWB for a trojan or malware, and then when I enter a thread, ZoneAlarm (firewall) goes crazy with about 5 to 10 files trying to be loaded onto my system.

SDC needs to get this resolved quickly because many systems not protected are going to get hammered by this bug!
 
MeteorWayne

Guest
Re: Space.com being attacked???

I'd like to reemphasize one important clue. This has never happened from the forum page to me. It has only happened on the main SDC home page. SO whatever is different about the ad content should point you toward the source where the attack is coming from.
 
Mee_n_Mac

Guest
OK, the pop-ups saying I might be infected and that I should go to some (their) AV site just happened ~5 mins ago. I was at the SDC home page, read the article on the BBT and then clicked on the "Moon has 3 water types" article when the browser was redirected to the first pop-up window. X-ing to close that brought me to some other site that claimed to be running an AV scan. I didn't record the IP addy but it was something like 98.x.x. X-ing that window got me to another pop-up saying I might still be infected, and X-ing that window closed the set (and left me out of SDC). I'll run MWB again but I'll guess that, like before, nothing will show up. It's not a virus or spyware per se but an ad run amok.

EDIT: a quick scan w/MWB revealed nothing.
 
bearack

Guest
Mee_n_Mac said:
OK, the pop-ups saying I might be infected and that I should go to some (their) AV site just happened ~5 mins ago. I was at the SDC home page, read the article on the BBT and then clicked on the "Moon has 3 water types" article when the browser was redirected to the first pop-up window. X-ing to close that brought me to some other site that claimed to be running an AV scan. I didn't record the IP addy but it was something like 98.x.x. X-ing that window got me to another pop-up saying I might still be infected, and X-ing that window closed the set (and left me out of SDC). I'll run MWB again but I'll guess that, like before, nothing will show up. It's not a virus or spyware per se but an ad run amok.

BTW, this is a common fake-alert malware that has been more and more frequent of late. Whatever you do, don't purchase the crap they are selling. More than likely, they are the ones who created this SOB!

I need to make a correction to my above post. I made another claim that the issue is SDC source code. Per Josh's response on my other thread, it appears to have nothing to do with SDC source code; however, it has everything to do with their advertising portal. Also, MWB was able to resolve the redirect issue previously, not now. My work laptop has an extremely bad version of this redirect and I'll post a solution here as I come up with it.
 
Couerl

Guest
drwayne said:
For me, MWB cleaned a lot of it, but I also had to resort to Norman Malware to get some of the rest,
in addition, I had to go edit a system file to get rid of the redirects it put in for most major search engines
to the malware site. (It didn't get AltaVista interestingly enough).

Note that Malware Bytes works better when it is NOT launched in safe mode, unlike most cleaners, including
Norman Malware.

The variety of payload it downloaded for me by the way - one of the first things it did was disable the task manager.


Hi and thanks, I didn't know about Norman and just downloaded it. Great little app, and yes, you can't run these things in safe mode. There is also a little proggy called R-Kill that temporarily disables whatever process in the task manager is going crazy so that the malware programs can actually run and get rid of them.
 
nimbus

Guest
I just did what Mee-n-Mac did. Went to SDC homepage, opened the Big Bang article (one of three feature articles), then went to the three moonwater flavors article. No popups or AV warnings.

I'm using XP SP2 with windows firewall on normal settings, the latest version of Google Chrome, and ESET AV.
 
MeteorWayne

Guest
The occurrence does appear at first glance to be random. So it's not surprising that just repeating the preceding events would not make it occur again.

I suspect these two threads should be merged so the latest input winds up in one place, so will probably do that.
 
a_lost_packet_

Guest
Re: Space.com being attacked???

doublehelix said:
I've asked someone from the IT/helpdesk area to come and respond to the complaints, and have forwarded the thread to them. Apologies for the continued frustration.

-dh

I understand completely. It is not your fault. Thank you very much for communicating this to TPTB.
 
a_lost_packet_

Guest
Re: Space.com being attacked???

Joshua99 said:
Morning readers,

There has been a recent abundance of malicious software attacks all across the internet. These attacks that may appear to be coming directly from Space.com, I can assure you, are not coming from our source code. However, the malicious software that is circulating on the net is usually pushed through the ad networks which nearly every major website contains. While we control the location of the ad network on the page, we do not control the content they push. Unfortunately, if there is a bug coming through an ad network, it is impossible to figure out which one is doing it, as it is VERY intermittent and random.
We have been working frantically to figure out where it's coming from, as you guys here on SDC are reporting it, but we are getting reports from many other sites across the net as well. I have a PC at my desk that continually refreshes the home page for all of our sites within the TechMediaNetwork, and have not gotten a popup, but again, it's so intermittent, even if I did get one, I couldn't tell which ad network is causing the issue, only the site. It seems the malicious software is not dropping cookies on the system. Also, while it could be coming from an ad network, sometimes the popup/redirect can be the result of previously installed malicious software.

I can assure you this, the servers hosting these sites are our own, and were a serious upgrade to the system they previously were on. The hardware is faster, more powerful and can serve up much more content than the previous system was capable of. On the downside, the cost of those servers, as well as the bandwidth, personnel to maintain them would be impossible without the Ad networks to help bring revenue to pay for this. You figure a SDC article hits the homepage of Yahoo and suddenly 5 million views generate in 3 hours.... That is a lot of bandwidth.


I will ask this. Those of you that are experiencing issues while visiting SDC, please run a complete scan of your system with your AV software, and save a log file. Those log files are crucial in helping us determine a location of the infection. You can submit those to my e-mail address - jborglund@toptenreviews.com.

Thank you for your patience during this transition.

Thank you very much for communicating the efforts of SDC to address this problem. I do understand your own frustration and can understand the complexities of trying to isolate the problem. Unfortunately, it is an all too common side-effect of malware to directly affect the revenue stream of those companies that may rely on the continued safe functioning of the product, site or delivery system under attack. Malware costs the IT/Comm/Internet industry billions of dollars a year in lost revenue and additional expense. The man-hours encompassed by both private and public concerns combating malware are incalculable.

You are in a difficult position. The route of attack is obviously through one of your contracted advertising agencies. However, you cannot discover the exact source because the problem is sporadic. Further, unilaterally halting advertising services does not contribute towards solving the long-term problem and results in a direct impact upon your continued existence. It is also true you cannot contribute towards reporting the problem to the appropriate agency should those services be halted. And, given the nature of such agencies, while they are certainly interested in maintaining the security of their own services, the likelihood of a rapid resolution to the problem is reduced if none have access to the mechanisms causing it. Efforts at communicating the nature of the problem are not helped by a lack of information regarding it being directly passed to those agencies with compromised advertising...

Unfortunately, that's the nature of such things. They're unpleasant, all the way around, and unpleasant choices will sometimes have to be made. Nobody likes it. That's why people don't intentionally install malware for the joy of having to deal with the myriad problems it causes.

Good luck. The community will do its best to contribute towards a solution. But, there will be those who do not understand the nature of the problem. Continued communication of SDC's response to this problem is critical.

Thank you for your efforts.
 
a_lost_packet_

Guest
Mee_n_Mac said:
OK, the pop-ups saying I might be infected and that I should go to some (their) AV site just happened ~5 mins ago. I was at the SDC home page, read the article on the BBT and then clicked on the "Moon has 3 water types" article when the browser was redirected to the first pop-up window. X-ing to close that brought me to some other site that claimed to be running an AV scan. I didn't record the IP addy but it was something like 98.x.x. X-ing that window got me to another pop-up saying I might still be infected, and X-ing that window closed the set (and left me out of SDC). I'll run MWB again but I'll guess that, like before, nothing will show up. It's not a virus or spyware per se but an ad run amok.

EDIT: a quick scan w/MWB revealed nothing.

What browser are you using?
 
a_lost_packet_

Guest
bearack said:
...Also, MWB was able to resolve the redirect issue previously, not now. My work laptop has an extremely bad version of this redirect and I'll post a solution here as I come up with it.

I'm sorry to hear that. What browser are you using?

Hopefully, once this problem is resolved, we can help members recover the functionality of their compromised systems. In the meantime, if you wish to work towards freeing your laptop from its enslavement, I would suggest updating all your antivirus programs, of course, if possible. If that is not successful or possible, do the following:

Follow the instructions on this page: http://www.whatthetech.com/hijackthis/

Download, install and run hijackthis to generate a log file which will hopefully help others help you solve your problem.

You may post your hijackthis logs in a great many forums dedicated towards helping members fix their malware problems. Whatthetech forum requirements may be a bit different but, they may be able to help as well: http://forums.whatthetech.com/you_Infected_t106388.html

Or, post your hijackthis log to here: http://forums.malwarebytes.org/index.php?showforum=7

Good luck.
 
a_lost_packet_

Guest
Mee_n_Mac said:
..I suspect that with this bit of info the culprit can be thwarted.

Or, it's spoofed.

A quick screenshot by pressing <Print Screen> while that window is active could help.
 
a_lost_packet_

Guest
For those who are interested in how problems like the ones you are experiencing occur in the first place, here's a sort of case-study article on one of DoubleClick's experiences:

DoubleClick Serves Up Vast Malware Blitz

Because large advertising companies like Doubleclick or Google can act as a route to compromise machines viewing their advertising, very large and well respected sites can become unwitting accomplices.

The article is on "winfixer" which uses a common tactic of installing annoyware/scareware attempting to get you to buy a software package.
 
abq_farside

Guest
Running IE 8 and just got the "computer is infected" malware after logging in and clicking on the Can Life Exist on Titan article on the front page. Guess I should have captured a screen shot or two. Next time it happens, I will make sure I do.
 
doublehelix

Guest
abq_farside said:
Running IE 8 and just got the "computer is infected" malware after logging in and clicking on the Can Life Exist on Titan article on the front page. Guess I should have captured a screen shot or two. Next time it happens, I will make sure I do.

Thanks, abq. If you could please forward screenshots and log files to Josh at jborglund@toptenreviews.com

Apologies again for the inconvenience.

-dh
 
drwayne

Guest
Re: Space.com being attacked???

MeteorWayne said:
I'd like to reemphasize one important clue. This has never happened from the forum page to me. It has only happened on the main SDC home page. SO whatever is different about the ad content should point you toward the source where the attack is coming from.

Actually Wayne, my experience is 180 degrees from this - for me it has always come from the forum.

(Can you tell I do not spend enough time out on the main page).

I assume the firewall here at work is squelching it here.

Wayne (the upside down and backwards one)
 
a_lost_packet_

Guest
Re: Space.com being attacked???

drwayne said:
MeteorWayne said:
I'd like to reemphasize one important clue. This has never happened from the forum page to me. It has only happened on the main SDC home page. SO whatever is different about the ad content should point you toward the source where the attack is coming from.

Actually Wayne, my experience is 180 degrees from this - for me it has always come from the forum.

(Can you tell I do not spend enough time out on the main page).

I assume the firewall here at work is squelching it here.

Wayne (the upside down and backwards one)

Are you absolutely sure? No other windows were up? If so, that could help narrow down the range of advertisers.
 
a_lost_packet_

Guest
Note: I was going to put together some security stuff and try to help find a solution to the problem. However, I can't do that in any expedient fashion right now by myself.

I CAN help people who have been infected. But, gladly enough, that appears to be a small number as most seem to be catching this before it has a chance to infect their machine. So, I can do that much for my fellow SDC'ers, at least.

I have thought about setting up a machine to catch this virus and take a look at it but, I don't have one available and I don't have the time to mess with it on my main box. Obviously, dropping my pants and macro'ing page hits to sdc is not something high on my priority list right now. However, that's the only way I could truly be effective at helping to identify this particular problem. I feel bad about that because I want to help keep my fellow SDC'ers safe but, I'm hamstrung. It simply ain't in my job description and, as a result, I don't have the power necessary to be efficient at it.

So, given the above, me dedicating a lot of energy to the task is really me just spinning wheels for little reason despite my zealousness earlier.

I will, however, put together something to help people with general security that is "user friendly" and doesn't require any more knowledge than the level necessary to operate a web browser. That will take a little bit of time as I don't have a lot of energy to devote to it at the moment.


So, If anyone here does have a problem caused by this malware, you can PM me and let me know and I will try to walk you through solving the problem. If anyone wants to do their best to not be susceptible to this problem, PM me and let me know and I will try to help. If I have the chance to get an additional box up and running, I will try to catch this thing in action and submit logs to the admin for analysis. But, the only other complete box I have available for that is sitting in the garage right now where it has been for the last year. It's probably bricked by now.
 
Couerl

Guest
Well if it helps, my experience is like MW, I only get the pop up on the main page and then only sometimes. The sometimes bit is puzzling to me since it should be easily reproducible and happen every time. Perhaps that is part of the reason the bug is successful, it may have a script that makes it run only on a random basis or with a very small mouse-over window such as a few pixels on an ad banner.. Whatever the case, it has not happened today and perhaps the web admins have identified and dealt with it already.
 
a_lost_packet_

Guest
Couerl said:
Well if it helps, my experience is like MW, I only get the pop up on the main page and then only sometimes. The sometimes bit is puzzling to me since it should be easily reproducible and happen every time. Perhaps that is part of the reason the bug is successful, it may have a script that makes it run only on a random basis or with a very small mouse-over window such as a few pixels on an ad banner.. Whatever the case, it has not happened today and perhaps the web admins have identified and dealt with it already.

It's part of the ad stream from whoever is serving it. So, it all depends on what type of advertising is supposed to be appearing during your particular page hit. IOW, it's kind of random. It's like loading a site page several different times and getting several different ads that appear. They might all be part of a stream of ads that get randomly pushed by the same marketer. However, sometimes it's more than that. Sometimes a marketer may have tracking cookies out there that have recorded the websites you visit and previous ads you've seen of theirs. Those ads then pull in those cookies and send you relevant advertising that matches what they think your interests are. So, it can be different for many people even if they're hitting the page at the exact same time. Depending upon who is serving the ad and how they have it setup, of course.

Note: So, let's say someone complains that there's a pornographic ad on a site that isn't really related to porn. Nine times out of ten, it's not the site's fault.. it's the tracking cookie on the user's end that has proudly informed the marketer that this user is very interested in pornography. Though, usually that's unintentional as marketers carefully setup their advertising to focus on the interest of the site and should (but not always) never push pornographic advertising to non-pornographic sites in the first place... Too many legal problems with some of that stuff. Not a few here have voiced a couple of concerns over somewhat sexually focused ads they've seen displayed on the forums even though the forums should only be getting tech/space/science and general internet interest type ads. But, I don't think it's a big mystery why they see those ads from time to time...:)
 
bearack

Guest
a_l_p, I posted a solution for the Google redirect issue and, as a side note to that resolution, I also found that the GMER removal tool also removes the security disabler that prevents MWB and your AV from updating. Once I ran GMER, MWB removed the fake alerts.
 
a_lost_packet_

Guest
bearack said:
a_l_p, I posted a solution for the Google redirect issue and, as a side note to that resolution, I also found that the GMER removal tool also removes the security disabler that prevents MWB and your AV from updating. Once I ran GMER, MWB removed the fake alerts.

Do you know if MSRT is as effective in the same way as GMER?
 
bearack

Guest
a_lost_packet_ said:
bearack said:
a_l_p, I posted a solution for the Google redirect issue and, as a side note to that resolution, I also found that the GMER removal tool also removes the security disabler that prevents MWB and your AV from updating. Once I ran GMER, MWB removed the fake alerts.

Do you know if MSRT is as effective in the same way as GMER?

I'm not sure. A little update, however: the redirect came back shortly after I reinitiated my registry. Granted, the fake alert was totally wiped.

As of right now, the only fix I can find for the redirect issue is to reimage unless anyone else has found a sound solution to the redirect. I'm going to post this in my Google redirect fix.
 
a_lost_packet_

Guest
bearack said:
..As of right now, the only fix I can find for the redirect issue is to reimage unless anyone else has found a sound solution to the redirect. I'm going to post this in my Google redirect fix.

There's got to be a better way. But, since you're tasked with "fixing" the problem, expediency is probably your best bet right now.

Since it has yet to be identified, I looked around for likely culprits. Check for wdmaud.sys and see if it is in the C:\Windows\System32 folder or, anywhere else but in the /drivers folder. It is NOT supposed to be there.

wdmaud.sys rootkit/stealthed on CNet

Also check for TDSSserv.sys problem found here and here. For a "fix" for this problem, use the following submitted by poster Marianna Schmudlach: (post 4 in second link)

There has been a rash of the TDSS malware that might be the culprit of not being able to install or run MBAM.
If it is then this solution below might help. If it does then start in Normal Windows mode and try to update MBAM and do a scan.

* Click on Start, click Run, and then type devmgmt.msc and click OK
* On the View menu click on Show hidden devices
* Browse to Non-Plug and Play Drivers and you should see something like TDSSserv.sys
* Highlight that driver and right click on it and select DISABLE - NOT uninstall.
* Now RESTART your computer.
* Download a copy of Malwarebytes but DO NOT run it yet.
* Rename the downloaded installer file to any generic name such as your own name but keep the .EXE extension on the file and run it.
* Once the program is installed go to the UPDATE tab and try to update the program if you can.
* Then go to the SCANNER tab and run a Quick Scan and allow MBAM to fix anything found.
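A scripted version of the two checks described above (a hidden driver named TDSSserv, and wdmaud.sys sitting anywhere other than System32\drivers). This is an added example, not code from the thread or from any of the tools it names; the driver and file names come from the posts above, and the script only reports what it finds, it does not disable or delete anything.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
$suspectDriver = 'TDSSserv'                                    # name quoted in the post above
$driversDir    = Join-Path $env:SystemRoot 'System32\drivers'  # the only expected home of wdmaud.sys

# 1. Kernel-mode drivers registered with the Service Control Manager. This is the
#    same population devmgmt.msc lists under "Non-Plug and Play Drivers" once
#    "Show hidden devices" is on. A rootkit may hide its own entry from this
#    enumeration, so an empty result is not proof the machine is clean.
$driverHits = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like "*$suspectDriver*" -or $_.PathName -like "*$suspectDriver*" } |
    Select-Object Name, State, StartMode, PathName

if ($driverHits) {
    "Driver entries matching '$suspectDriver':"
    $driverHits | Format-Table -AutoSize
    # The post's advice is to DISABLE (not uninstall) the entry and reboot before
    # running MBAM. Done by hand that is the devmgmt.msc step above; from the
    # command line the equivalent is:  sc.exe config <ServiceName> start= disabled
} else {
    "No driver entry matching '$suspectDriver' is registered."
}

# 2. wdmaud.sys outside System32\drivers. Copies under WinSxS or DriverStore are
#    normal component-store copies on Vista and later and are skipped; anything
#    else, in particular a copy directly in System32, is what the post flags.
$strayCopies = Get-ChildItem -Path $env:SystemRoot -Filter 'wdmaud.sys' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $_.DirectoryName -ne $driversDir -and
        $_.FullName -notlike '*\WinSxS\*' -and
        $_.FullName -notlike '*\DriverStore\*'
    }

if ($strayCopies) {
    'wdmaud.sys found outside System32\drivers:'
    $strayCopies | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
} else {
    'No copies of wdmaud.sys found outside System32\drivers.'
}
```

Save the output alongside the AV log the thread asks for; a file hit here is a reason to run the scan, not a verdict on its own.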
 