Strange behavior only with Cnet tonight

by Steven Haninger / July 11, 2008 11:56 AM PDT

I'm getting a popup about my PC not having internet protection software and the site it directs to is something like internetscannerlive_com (http). I'm deliberately changing the url here. This is happening with both IE and FF and only when entering the Cnet forums site. I've tried browsing all over the web and don't see it. Once I hit Cnet, within a couple of clicks I'm getting the popup. I cannot exit this. Anything I click brings up something about WinDefender and performs a bogus scan of my system finding dozens of threats that Norton, Spybot and Hijackthis don't see...nor does the real Windows defender. I'm hoping this is a problem with Cnet and not my PC. Gonna shut down the rig and try again tomorrow.

Exact same thing.....
by maggiea43 / July 11, 2008 12:39 PM PDT

I had the same thing happen to me just a few minutes ago and about an hour ago. I ran my Avast AV, and it didn't show any viruses. Where did WinDefender come from anyway?? I've been trying to find that program on my computer, but can't find it. The only indication that it might be there is when Avast sent an alarm that it found a virus. When I ran Avast, it didn't show that it found anything. Now I don't know what to do. I wonder if this is something to worry about.....Maggie

Re: Exact same thing.....
by Tufenuf / July 11, 2008 2:09 PM PDT
In reply to: Exact same thing.....

Maggie, I've had the same problem this evening. As long as you didn't download that crappy program you should be OK. Go to Start>Search>All files and folders and type in WDefDemo.exe then click the Search button. If that file isn't found you're OK.


It's using multiple filenames...
by John.Wilkinson / July 11, 2008 2:18 PM PDT

Mine was "scanner" followed by a seemingly random series of numbers, so you cannot just go by the filename alone.

Hopefully the engineers can track this one down quickly.


I've called Lee...
by John.Wilkinson / July 11, 2008 1:39 PM PDT

He's notifying the engineers and having them look into it ASAP.

FYI: WinDefender 2008 is ROGUE. Do not believe the results of the fake security scan or download their software.


More information needed from you all...
by Lee Koo (ADMIN) CNET staff/forum admin / July 11, 2008 2:48 PM PDT

Any detail you can provide us would really help out.

Like where you logged in or logged out?
What browser was it happening to you in?
Any specific forums?
Time it occurred? How long was it happening to you?

John has provided me a lot of information already, but the more info we can gather from you folks the better for tracking this issue down. Right now we are coming up empty. I'm currently unable to reproduce this right now 8:30 - 9:46 PST.

Any detail info you can provide will help. Thanks a bunch!!


As of 5:30 EDT Saturday
by Steven Haninger / July 11, 2008 7:51 PM PDT

I'm not seeing this now but will be watching. I got the same with FF3 and IE7. My browser logs on to Cnet automatically and I've set FF to allow cookies to be stored from this site and just a very few others such as my banking institutions and places from which I make purchases. I empty all cache when exiting. What I noticed with FF in the status bar (bottom left) as this was about to happen is that a url flashed very quickly. I could not capture it but knew the popup was coming at this time. I wanted to force this to happen enough times to catch the name. The url that showed with the popup was -http;// (deliberate semicolon) which, while running, changed to ___-www.windefender-___ or some such. Of course the file search showing didn't match what I actually have on my PC so I know it was fake. I will say this began somewhere late Friday afternoon EDT and the frequency increased until I shut down at 10:PM. If I could reproduce this today, I was going to try another PC or logging on as a different user but nothing yet. The previous night I had problems with FF only showing some sort of redirection error and found that my exception sites such as Cnet were all now showing as blocked. I was able to fix this. I mostly frequent the computer help forums but stray into the darkness of Speakeasy more than I should.

Seems to be gone...
by John.Wilkinson / July 12, 2008 12:28 AM PDT

I haven't been redirected since last night at around 9:35pm Pacific. Did they fix it or did it go away on its own?


It's gone now, but we will be investigating further.
by Lee Koo (ADMIN) CNET staff/forum admin / July 14, 2008 1:05 AM PDT
In reply to: Seems to be gone...

It could be an ad, could be anything.

We will continue investigating this issue.

If anyone comes across this again, please email me immediately or mods please call me on my cell phone.

Thanks everyone for the details.


Scannerlive hijack on my Mac
by siliken / July 12, 2008 4:49 AM PDT

I took a screen capture, hit cancel and it went to the site where an obviously bogus scan report began to display. I say obviously bogus because of the speed of the diagnosis. I quickly quit Safari and relaunched and did a Google search to see if it was a trojan horse or worm or something else I should be concerned with. The only hits I got were the website itself and one entry in PhishTank. I tried to add an entry to PhishTank but their e-mail validation failed twice.

I checked the registrar of the domain and found it was created only a couple of days ago at GoDaddy. I immediately sent an e-mail to abuse at cnet and godaddy. I got a canned response from cnet and nothing from godaddy. Do you suppose anyone actually read my concern? If this was a serious hijacking with potential harm (to a Mac?) and I was one of the first to be hit (a rare occurrence) what other notifications might I have made?

This morning I followed up with another Google search and found this forum. I'm glad it seemed to be isolated to c|net. From my capture, it happened to me Friday night at 9:31 Pacific Time. I was "Loading "Photos: Scenes from the iPhone launch | CNET".

This "rogue malware scan" was very similar to Antivirus2008 that I spent several hours cleaning from a friend's PC laptop last week. It snuck in behind McAfee Antivirus and Comcast's router firewall. I suspect that the user, through inexperience, allowed or gave permission for it to be installed.

siliken quick clarification needed from you...
by Lee Koo (ADMIN) CNET staff/forum admin / July 14, 2008 7:25 AM PDT

Read your post here:

I was "Loading "Photos: Scenes from the iPhone launch | CNET".

Are you saying that this happened to you on other CNET sites besides the forums here?

And if it did, please provide details of exactly what happened. This will help us out greatly!!


by siliken / July 14, 2008 1:19 PM PDT


After spending some time manually coding the link to my screenshot, I didn't realize that the URLs I was posting would be automatically active.

MODERATOR, PLEASE DELETE THAT POST! While the redirect may be least it seemed to be to my iMac...I wouldn't want to inadvertently cause any problems. Being new to forum posting, I now see the value of the Preview post button!

Here is my post again with additional information and disabling of the automatic linking with semi-colons.

[feel free to edit all of the above out of the post and change the Subject title to the original]

I only found the forum the next morning from a follow-up Google search and made my post. I tried to post to PhishTank and iLxor but didn't have any luck registering.

I'm running the latest version of Safari on OS X and was simply moving from photo to photo. Looking at my history, I was somewhere in the photostream of:

I realize now while reviewing the screen capture that it wasn't a pop-up but Safari had started to load the page in the address bar. It wasn't all the way in because Safari's tab hadn't changed. I still had a back arrow but it wasn't clickable. I hit the cancel button but the page continued to load.

Here is a link to my screenshot

I can't tell which picture I was on...well, let me look at the time stamps in my history...hmm, there's no time stamps but I did notice something in the sequence of my history that may help you (semi's added):

http;// [my photo story viewing]
http;// [the true redirect?]
http;// [the redirect in my grab]

http;// [the result of a link from a Google search]
http;// [my godaddy query]
http;// [and back to where it began]

Are these domains linked?
by siliken / July 14, 2008 2:22 PM PDT
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

Registered through:, Inc. (http;//
Domain Name: TRAFFICROTATOR.NET
Created on: 24-Apr-08
Expires on: 24-Apr-09

Domains by Proxy, Inc.

15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260

Registered through:, Inc. (http;//
Created on: 09-Jul-08
Expires on: 09-Jul-09

and why does GoDaddy let them continue. Wouldn't it be easy just for their DNS service to just yank their DNS credentials?

Special Domain Services, Inc.

14455 N Hayden Rd #219
Scottsdale, Arizona 85260
United States

Registered through:
Created on: 08-Dec-02
Expires on: 08-Dec-09

Well, it looks like the DNS service is a neighbor... at least to the mailboxes (PMB=private mail box=mail drop) of the offending domains. Who can pull DOMAINCONTROL's license?
14455 N Hayden Road Suite 226
SCOTTSDALE, Arizona 85260

Wild West Domains, Inc.
14455 N Hayden Rd #219
Scottsdale, Arizona 85260

Just one big happy family!

...and thanks for pulling my earlier errant post with the hot links so fast!!

Nothing noticed when I logged in at about ...
by Angeline Booher / July 12, 2008 12:05 AM PDT

...... 6:00 AM CDT. Safari 3.1.2


Something interesting discovered, happening on other sites 2
by Lee Koo (ADMIN) CNET staff/forum admin / July 14, 2008 9:23 AM PDT

One commonality...

As you know, I've long been a fan of how selective Google is in granting advertising deals through its Google Syndication service, and what quality ads they have brought to Cnet and other websites. </sarcasm>

Honestly, I wonder if they aren't to blame here as both Cnet and NME rely on GoogleSyndication through their respective websites. I know that in these forums alone they have pushed out ads for illegal software, pornography, gambling, and malware, for I have reported such in the past. And other sites have chosen to terminate their Google advertising contracts due to graphically explicit ads being displayed. I know that while I haven't always approved of the advertising department's decisions, they have always screened advertisements carefully before accepting them. Google, on the other hand, represents a backdoor which I know they have only been somewhat successful at filtering. Perhaps it is that third-party at fault here? (Though I doubt they'd admit it if it was their fault.)


A side question...

Do you happen to know why all of the pages across Cnet are automatically adding the query string hhTest=1? It's occurring on,, etc. and is occasionally causing a redirect to occur, but seems to have no purpose at this point.


Happening again this AM...Heads up folks
by Steven Haninger / July 15, 2008 10:23 PM PDT

Something about scanner (dot) vav-scan (dot) com

Once again, it won't go away. Options "cancel" and "ok" are continues to scan and/or ask to install a program...even brought up download manager!!! ARGH...had to end FF through task manager. Norton blocked it the first time while in progress. Just had another site pop up...didn't catch the name. Only in Cnet again.

by Steven Haninger / July 15, 2008 11:30 PM PDT

The second "attack" shows up as "spywaredestructor (dot) com". Again, a bogus scan claiming malware found and trying to download "AntiSpy Deluxe". It even brings up the FF download manager when attempting to exit.

just happened here too
by oldie and goody / July 16, 2008 3:22 AM PDT

same link as you and I had to close the browser. I was reading James post about Yankee Doodle when it happened.

Happened to me in Networking and Wireless
by Steven Haninger / July 16, 2008 4:09 AM PDT
In reply to: just happened here too

and a couple other forums as well as SE. This seems to be a "hit and run" process as the storm is over at this point. But....will they be back?

Steve did this just happen right now 11:00AM pacific?
by Lee Koo (ADMIN) CNET staff/forum admin / July 16, 2008 4:21 AM PDT

Let me know

I'm in EDT time
by Steven Haninger / July 16, 2008 5:13 AM PDT

and it happened this AM. Norton history shows 3 blocked attacks within 10 minutes around 9:30 AM. This would be 6:30 AM Pacific, I would presume. There were two separate sites that popped up and Norton caught only one but the bogus scan was already running. I've best I registry like the other poster but found nothing. During this period I was able to browse anywhere but the Cnet forums. The popups were only a few mouse clicks away each time. No harm done.

Gotcha ok this happened earlier this morning... I just
by Lee Koo (ADMIN) CNET staff/forum admin / July 16, 2008 5:20 AM PDT
In reply to: I'm in EDT time

wanted to make sure it wasn't happening at this moment 11AM PST or 2PM EST.

Thanks Steve!

My anti virus scan found this
by oldie and goody / July 16, 2008 4:34 AM PDT

just found it has attached
by oldie and goody / July 16, 2008 4:43 AM PDT

Ascentive to my ARC soft program, it seems to be an empty folder, I HOPE!

(NT) Found Ascentive in 3 registry settings
by oldie and goody / July 16, 2008 4:52 AM PDT

Scan again using any of these 3....
by Donna Buenaventura / July 17, 2008 3:54 AM PDT

by oldie and goody / July 17, 2008 4:14 AM PDT

I also used CCleaner, will try these others also to be sure

(NT) Clean now, Thanks
by oldie and goody / July 17, 2008 6:22 AM PDT

me 2 but i need help trying 2 find it and delete it
by yami829 / July 27, 2008 8:33 PM PDT

can u help me find it and deleted please
