I would give the following a try......
I got the same popup this morning
I ran this following and all showed clean
Tweakui reg cleaner
Opened HijackThis and did not find any new files
No problems with the computer so far, but this was a rather strange-acting popup, as it opened a new tab in Firefox even when canceled and tried to download a scanner
did you happen to get your popup from the same place as I did?
I ran AVG Free, CCleaner and Spybot and found nothing.
Looks like you ran all things suggested by Marianna with no success.
Forgot to say that I did not download anything from the popup, just xxed it out. Went back later and got the popup again from the same place.
Phil & Fish......
Did you happen to SEE this post in Feedback:
Happening again this AM...Heads up folks
by Steven Haninger - 7/16/08 5:23 AM
In reply to: Strange behavior only with Cnet tonight by Steven Haninger
Something about scanner (dot) vav-scan (dot) com
Once again, it won't go away. Options "cancel" and "ok" are ambiguous...it continues to scan and/or ask to install a program...even brought up download manager!!! ARGH...had to end FF through task manager. Norton blocked it the first time while in progress. Just had another site pop up...didn't catch the name. Only in Cnet again.
Do you BOTH have the same?
Additional info from Hijack log
017-hklm\system\ccs\services\tcpip\parameters\b8583ff2-15f1-48d2-8b65-3493e2e99711 reg binary
Trend analysis states that 017 is a domain hijack
These items are in my registry
The popup came from the Windows XP forum; I forget which thread. I have not returned to see if it pops up again
Read Steve's post ???
Same problem as Steve
Showed up again, only this time from Feedback. When I closed Firefox it opened on the desktop; when I x'd out it opened in Firefox and tried to scan. Had to close Firefox to stop the scanning
It's all over the forum
Is there any association between 017 and this popup, or is that another problem?
I am trying to figure it out........
Ray...... 017 Section in HJT.......
This section corresponds to Lop.com Domain Hacks.
When you go to a web site using a hostname, like www.bleepingcomputer.com, instead of an IP address, your computer uses a DNS server to resolve the hostname into an IP address like 192.168.1.0. Domain hacks are when the Hijacker changes the DNS servers on your machine to point to their own server, where they can direct you to any site they want. By adding google.com to their DNS server, they can make it so that when you go to www.google.com, they redirect you to a site of their choice.
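To make the DNS-server check described above concrete, here is an added example (not part of the original thread and not HijackThis's own code): it reads the `O17` lines of a HijackThis log, which use the form `O17 - <registry key>: NameServer = <addresses>`, and reports every resolver address that is not on a list you expect. The sample log, its addresses (documentation ranges) and `EXPECTED_RESOLVERS` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample log; addresses come from documentation ranges (RFC 5737).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.0.2.53,192.0.2.54
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.example
O17 - HKLM\System\CS1\Services\Tcpip\..\{00000000-0000-0000-0000-000000000002}: NameServer = 203.0.113.7 198.51.100.9
"""

# Assumption: the resolvers this machine is supposed to use (router / ISP).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

O17_RE = re.compile(r"^O17\s*-\s*(?P<key>.+?):\s*(?P<name>\w+)\s*=\s*(?P<value>.*)$")


def parse_o17(log_text):
    """Yield (registry_key, value_name, value) for every O17 line."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            yield m["key"], m["name"], m["value"].strip()


def unexpected_nameservers(log_text, expected):
    """Return [(registry_key, address)] for DNS servers not in `expected`."""
    findings = []
    for key, name, value in parse_o17(log_text):
        if name.lower() != "nameserver":
            continue  # Domain / SearchList entries are not resolver addresses
        for token in re.split(r"[,\s]+", value):
            if not token:
                continue
            try:
                addr = str(ipaddress.ip_address(token))
            except ValueError:
                findings.append((key, token))  # not an IP at all: report it
                continue
            if addr not in expected:
                findings.append((key, addr))
    return findings


if __name__ == "__main__":
    for key, addr in unexpected_nameservers(SAMPLE_LOG, EXPECTED_RESOLVERS):
        print(f"unexpected DNS server {addr} in {key}")
```

An empty result only means the logged resolvers match the expected list; it says nothing about a popup served by a web page's advertisement.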
What YOU have is different
Did you run CCleaner ? You also could run ATF Cleaner by Atribune:
It seems like the same thing. I only have the situation when on the CNET XP forum. Like I said in my first post, it happened after clicking on the latest post about SP3 in the XP forum.
I guess I'll just sit tight for now and keep my eyes open. Thanks for your info. Fish
I guess I'll just sit tight for now and keep my eyes open.
but...... keep BREATHING
Btw. Are you "cruising the internet" with FF ? I have AdBlock Plus active and disabled all ads + iframes. Also NoScript installed.
Sorry for not mentioning that I use IE. Am now exhaling.
FYI: Known issue on Cnet right now...
Lee and the engineers are looking into it; Most likely a malicious advertisement.
Do NOT believe the results and do NOT download their software. Immediately navigate away from the page.
Hit me at home. . .
and at work. At work NAV said it blocked the "download. . ." Haven't checked my home machine running AVG. But I did immediately close the page. Was using FF3.
If it is a malicious ad will CNet kick the sh** out of someone?
I Certainly Hope So....How Many...
times have posters complained about malware operations advertising on Cnet?? Many, many to be sure! Minimal background/security checks should be done on potential ad clients (in case baddie running under new names) for the protection of all involved. You'd think credit dept. would be checking for financial reputation at least which might catch a few. JMHO. Sad!
I Just Got Hit Also After Linking.....
thru a post here regarding SpyNoMore to outside site (Site Advisor) in Carol's post.
Believe my Spybot Tea Timer &/or Immunize prevented full penetration.
Still enough to disable CCleaner, Sys Restore, corrupted a Spybot Update defs (latest detections, last on list above "English language descriptions") prevented normal shut down,etc.
Luckily, a hard reboot followed by immediate system restore to yesterday's known clean point got me going again. Had to do all updates again (S&D's came down fine this time).
HJT 2.0.2 now shows no NEW entries in report (compared to last scan).
For now, I suggest no one link to off site from links in posted replies in any forum here (better safe than sorry..). Let's hope techs get this under control quickly. At least it wasn't Intel chip exploit!! Whew!
I Just Got Hit Also After Linking.....
After I got the pop up on my desktop and it opened in Firefox and started scanning, eventually I was too slow closing it. Shut down computer.
Was out of pocket for a few hours and then when I returned I opened Firefox and tried to access cnet.
A menu appeared and everything was bunched up on the left side of the page. None of the forums would load. This only affected Firefox; IE and Linux Firefox were working properly. Tried safe Firefox, got the same results.
I had to system restore and then reload Firefox before I could access Cnet.
I also hope they have found the culprit, as I do not wish to have to redo this one more time.
This wasn't today was it, Phil?
I just want to make sure. Ad folks removed the compromised ad already. So I wanted to make sure none of this is happening today anymore.
When did this occur?
Last night? Any time reference would help.
When did this occur?
The last of three occurred at 11:00 am cdst on 7/16/2008.
As honey do projects were pounding on my head I immediately shut down my computer after xing the rogue scanner.
I did not return to my computer until about 7:30pm on 7/16/2008; at that time I found the problem with accessing cnet forums.
There have not been any more rogues since I restored my computer.
In Reply to Time of Hit......
This would have been 10:40 P.M. Cnet Board time on the 17th. I was back up to post in about 35 mins due to minimal damage intrusion & fast action. I mistakenly thought, at the time, that the contagion was limited to the XP forum which I usually visit AFTER this forum & so chose not to go there last night.
Could you double-check that?
The time stamp on your reply is 10:30pm on the 17th. Are you sure that the malicious redirect encounter was on the 17th and not the 16th at 10:40pm?
Re: I Just Got Hit Also After..
If you're referring to the post below, it's only a link to SiteAdvisor. And NOT a direct link to SpyNoMore.
I just wanted to make this clear. I've never posted any links which are harmful, nor would I ever. I would have been the first to be hit, if it were the case. And it's not.
Again.. I just wanted to make the above very clear, in case anyone should interpret it otherwise.
>>>I've never posted any links which are harmful, nor would I ever. I would have been the first to be hit, if it were the case. And it's not.
Right Carol. Not any of your link or anyone's link in the said thread but it's the ads/redirection from CNET pages (not only forums) that hit "some members" since July 11.
Glad to see members posted their "findings" after being hit. That made Lee and the CNET team figure out and remove the 'culprit'.
Thanks. I had a gut feeling someone (perhaps Sandy) would point this out. I was aware it was the ads/redirection, which caused all the commotion. To include Sandy's problem. Due to the nature of my post (SpyNoMore), I didn't want to leave ANY room for doubt. Hence, why I added '....in case anyone should interpret it otherwise'. Maybe "misinterpreted" would have been a more appropriate term. Posting "nothing at all" might have been .. even more appropriate! Either way.. thank goodness it's over. <<fingers crossed>>
I'm glad to see this was resolved. And in such a speedy manner! Kudos to Lee, the CNET Team and to those who contributed their findings!
>> thank goodness it's over. <<fingers crossed>>
There's still ads so yes, fingers crossed also
>> Due to the nature of my post (SpyNoMore), I didn't want to leave ANY room for doubt.
I hear you. Some members who is new and not familiar to regular posters and post here might think it's the link and this post needs this posts. I hope you understand what I just wrote ROFL
Sorry, If I Didn't Make That Clear!!!! Absolutely...
NO CHANCE you'd link to a malware site, nor any other regular poster here I would hope. I clicked the link to "safe" Site Advisor that you posted, which is why I felt safe in clicking it. Also why I figured the problem was within Cnet.
Seems outgoing links in general must have been compromised before/during transition from here, before getting to whatever innocent site was linked. I don't believe these linked sites themselves are/were compromised.
Again, sorry if my 4 in the morning post was a bit fuzzy!!! Sandy
No... no.... And no need for apologies..
I really should have known that you of all people, knew I would never post an unsafe link. I'm overly-sensitive about the issue - to a fault. I knew it initially came about due to the ads, but I wanted to make it perfectly clear. I'm the one who should be apologizing to you. (I think I smell a "hug fest" coming on. )
You wrote, "NO CHANCE you'd link to a malware site, nor any other regular poster here I would hope"
I'm glad you clarified it. It's kind of ironic, if you think about it. Although this specific "regular poster" doesn't seem to be so regular anymore, it happened on more than one occasion where a hyperlink led to an unsafe site. The only reason I posted in the first place was to make the not-so-regular-member aware of it. And in so doing, also making others aware of it. Enough said!!
I hope my (almost) 2:50AM post hasn't created any additional "fuzziness"! If so.. blame the time. Not me.
All is well and..
Enjoy your weekend..
Can you guys do me a huge favor, please post your findings
in this thread here and report any details you have.
Yesterday our ad and security team found a 3rd party ad that was hijacked, redirecting users from our site to ad sites (known rogue sites), and they have since removed them, but now that this is occurring again, there must be another ad out there that was compromised.
All info you can provide will help!