Strange behavior only with Cnet tonight

Jul 11, 2008 11:56AM PDT

I'm getting a popup about my PC not having internet protection software and the site it directs to is something like internetscannerlive_com (http). I'm deliberately changing the url here. This is happening with both IE and FF and only when entering the Cnet forums site. I've tried browsing all over the web and don't see it. Once I hit Cnet, within a couple of clicks I'm getting the popup. I cannot exit this. Anything I click brings up something about WinDefender and performs a bogus scan of my system finding dozens of threats that Norton, Spybot and Hijackthis don't see...nor does the real Windows defender. I'm hoping this is a problem with Cnet and not my PC. Gonna shut down the rig and try again tomorrow.

Exact same thing.....
Jul 11, 2008 12:39PM PDT

I had the same thing happen to me just a few minutes ago and about an hour ago. I ran my Avast AV, and it didn't show any viruses. Where did WinDefender come from anyway?? I've been trying to find that program on my computer, but can't find it. The only indication that it might be there is when Avast sent an alarm that it found a virus. When I ran Avast, it didn't show that it found anything. Now I don't know what to do. I wonder if this is something to worry about.....Maggie

Re: Exact same thing.....
Jul 11, 2008 2:09PM PDT

Maggie, I've had the same problem this evening. As long as you didn't download that crappy program you should be OK. Go to Start>Search>All files and folders and type in WDefDemo.exe then click the Search button. If that file isn't found you're OK.

Tufenuf

It's using multiple filenames...
Jul 11, 2008 2:18PM PDT

Mine was "scanner" followed by a seemingly random series of numbers, so you cannot just go by the filename alone.

Hopefully the engineers can track this one down quickly.

John

I've called Lee...
Jul 11, 2008 1:39PM PDT

He's notifying the engineers and having them look into it ASAP.

FYI: WinDefender 2008 is ROGUE. Do not believe the results of the fake security scan or download their software.

John

More information needed from you all...
Jul 11, 2008 2:48PM PDT

Any detail you can provide us would really help out.

Like where you logged in or logged out?
What browser was it happening to you in?
Any specific forums?
Time it occurred? How long was it happening to you?

John has provided me a lot of information already, but the more info we can gather from you folks the better for tracking this issue down. Right now we are coming up empty. I'm currently unable to reproduce this right now 8:30 - 9:46 PST.

Any detail info you can provide will help. Thanks a bunch!!

-Lee

As of 5:30 EDT Saturday
Jul 11, 2008 7:51PM PDT

I'm not seeing this now but will be watching. I got the same with FF3 and IE7. My browser logs on to Cnet automatically and I've set FF to allow cookies to be stored from this site and just a very few others such as my banking institutions and places from which I make purchases. I empty all cache when exiting. What I noticed with FF in the status bar (bottom left) as this was about to happen is that a url flashed very quickly. I could not capture it but knew the popup was coming at this time. I wanted to force this to happen enough times to catch the name. The url that showed with the popup was -http;//internetscannerlive.com- (deliberate semicolon) which, while running, changed to ___-www.windefender-___ or some such. Of course the file search showing didn't match what I actually have on my PC so I know it was fake. I will say this began somewhere late Friday afternoon EDT and the frequency increased until I shut down at 10 PM. If I could reproduce this today, I was going to try another PC or logging on as a different user but nothing yet. The previous night I had problems with FF only showing some sort of redirection error and found that my exception sites such as Cnet were all now showing as blocked. I was able to fix this. I mostly frequent the computer help forums but stray into the darkness of Speakeasy more than I should.

Seems to be gone...
Jul 12, 2008 12:28AM PDT

I haven't been redirected since last night at around 9:35pm Pacific. Did they fix it or did it go away on its own?

John

It's gone now, but we will be investigating further.
Jul 14, 2008 1:05AM PDT

It could be an ad, could be anything.

We will continue investigating this issue.

If anyone comes across this again, please email me immediately or mods please call me on my cell phone.

Thanks everyone for the details.

-Lee

Scannerlive hijack on my Mac
Jul 12, 2008 4:49AM PDT

I took a screen capture, hit cancel and it went to the site where an obviously bogus scan report began to display. I say obviously bogus because of the speed of the diagnosis. I quickly quit Safari and relaunched and did a Google search to see if it was a trojan horse or worm or something else I should be concerned with. The only hits I got were the website itself and one entry in PhishTank. I tried to add an entry to PhishTank but their e-mail validation failed twice.

I checked the registrar of the domain and found it was created only a couple of days ago at GoDaddy. I immediately sent an e-mail to abuse at cnet and godaddy. I got a canned response from cnet and nothing from godaddy. Do you suppose anyone actually read my concern? If this was a serious hijacking with potential harm (to a Mac?) and I was one of the first to be hit (a rare occurrence) what other notifications might I have made?

This morning I followed up with another Google search and found this forum. I'm glad it seemed to be isolated to c|net. From my capture, it happened to me Friday night at 9:31 Pacific Time. I was "Loading "Photos: Scenes from the iPhone launch | CNET News.com".

This "rogue malware scan" was very similar to Antivirus2008 that I spent several hours cleaning from a friend's PC laptop last week. It snuck in behind McAfee Antivirus and Comcast's router firewall. I suspect that the user, through inexperience, allowed or gave permission for it to be installed.

siliken quick clarification needed from you...
Jul 14, 2008 7:25AM PDT

Read your post here:

I was "Loading "Photos: Scenes from the iPhone launch | CNET News.com".

Are you saying that this happened to you on other CNET sites besides the forums here?

And if it did, please provide details of exactly what happened. This will help us out greatly!!

Thanks!
-Lee

URGENT---DO NOT CLICK ON THE TRAFFICROTATOR.NET...
Jul 14, 2008 1:19PM PDT

...LINK IN THE ABOVE POST...IT IS STILL ACTIVE!!!

After spending some time manually coding the link to my screenshot, I didn't realize that the URLs I was posting would be automatically active.

MODERATOR, PLEASE DELETE THAT POST! While the redirect may be harmless...at least it seemed to be to my iMac...I wouldn't want to inadvertently cause any problems. Being new to forum posting, I now see the value of the Preview post button!

Here is my post again with additional information and disabling of the automatic linking with semi-colons.

[feel free to edit all of the above out of the post and change the Subject title to the original]

I only found the forum the next morning from a follow-up Google search and made my post. I tried to post to PhishTank and iLxor but didn't have any luck registering.

I'm running the latest version of Safari on OS X and was simply moving from photo to photo. Looking at my history, I was somewhere in the photostream of:

http://news.cnet.com/2300-1041_3-6243492-1.html?tag=nefd.lede

I realize now while reviewing the screen capture that it wasn't a pop-up but Safari had started to load the page in the address bar. It wasn't all the way in because Safari's tab hadn't changed. I still had a back arrow but it wasn't clickable. I hit the cancel button but the page continued to load.

Here is a link to my screenshot

http://i352.photobucket.com/albums/r359/siliken/internetlivescannerscreenshot.png

I can't tell which picture I was on...well, let me look at the time stamps in my history...hmm, there's no time stamps but I did notice something in the sequence of my history that may help you (semi's added):

http;//news.cnet.com/2300-1041_3-6243492-1.html?tag=ne.gall.pg [my photo story viewing]
http;//trafficrotator.net/MTAwNg==/220096/ [the true redirect?]
http;//internetscannerlive.com/scanner/scanner.php?sid=1006&gid=1006 [the redirect in my grab]

http;//www.phishtank.com/phish_archive.php [the result of a link from a Google search]
https;//www.srsplus.com/cgi-bin/whois.cgi?domain=internetscannerlive&tld=com&x=13&y=11
http;//who.godaddy.com/whoischeck.aspx?Domain=INTERNETSCANNERLIVE.COM [my godaddy query]
http;//news.cnet.com/2300-1041_3-6243492-10.html?tag=ne.gall.pg [and back to where it began]

Are these domains linked?
Jul 14, 2008 2:22PM PDT

DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com, Inc. (http;//www.godaddy.com)
Domain Name: TRAFFICROTATOR.NET
Created on: 24-Apr-08
Expires on: 24-Apr-09

Registrant:
Domains by Proxy, Inc.

AND

DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260

Registered through: GoDaddy.com, Inc. (http;//www.godaddy.com)
Domain Name: INTERNETSCANNERLIVE.COM
Created on: 09-Jul-08
Expires on: 09-Jul-09

And why does GoDaddy let them continue? Wouldn't it be easy for their DNS service to just yank their DNS credentials?

Registrant:
Special Domain Services, Inc.

14455 N Hayden Rd #219
Scottsdale, Arizona 85260
United States

Registered through: WWDomains.com
Domain Name: DOMAINCONTROL.COM
Created on: 08-Dec-02
Expires on: 08-Dec-09

Well, it looks like the DNS service is a neighbor... at least to the mailboxes (PMB=private mail box=mail drop) of the offending domains. Who can pull DOMAINCONTROL's license?

GoDaddy.com
14455 N Hayden Road Suite 226
SCOTTSDALE, Arizona 85260

Wild West Domains, Inc.
14455 N Hayden Rd #219
Scottsdale, Arizona 85260

Just one big happy family!

...and thanks for pulling my earlier errant post with the hot links so fast!!
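
As an added example (not part of any post in this thread, and not CNET's code): the history sequence and WHOIS "Created on" dates quoted above are enough to triage the redirect chain offline. The sketch flags off-site hops to domains registered within 30 days of the first report (the threshold and the two-label host rule are assumptions) and checks whether a base64 path segment on the rotator hop reappears as a query value on the landing URL.

```python
import base64
import re
from datetime import date, datetime
from urllib.parse import parse_qs, urlsplit

# History sequence as posted in the thread (defanged with ';' by the poster).
HISTORY = [
    "http;//news.cnet.com/2300-1041_3-6243492-1.html?tag=ne.gall.pg",
    "http;//trafficrotator.net/MTAwNg==/220096/",
    "http;//internetscannerlive.com/scanner/scanner.php?sid=1006&gid=1006",
]
# "Created on" values from the WHOIS records quoted in the thread.
WHOIS_CREATED = {"trafficrotator.net": "24-Apr-08",
                 "internetscannerlive.com": "09-Jul-08"}
SEEN_ON = date(2008, 7, 11)  # date of the first reports in the thread

def refang(url):
    """Undo the ';' defanging so the URL can be parsed (it is never fetched)."""
    return re.sub(r"^(https?);//", r"\1://", url)

def site(url):
    """Last two host labels; an assumption that only holds for .com/.net style names."""
    return ".".join(urlsplit(refang(url)).hostname.split(".")[-2:])

def triage(history, max_age=30):
    """List (domain, age in days, flagged) for each hop that leaves the first site."""
    origin, hops = site(history[0]), []
    for url in history[1:]:
        dom = site(url)
        if dom != origin and dom in WHOIS_CREATED:
            created = datetime.strptime(WHOIS_CREATED[dom], "%d-%b-%y").date()
            age = (SEEN_ON - created).days
            hops.append((dom, age, age <= max_age))
    return hops

def shared_ids(rotator_url, landing_url):
    """Landing-URL query keys whose value is a base64 path segment of the rotator URL."""
    decoded = set()
    for seg in urlsplit(refang(rotator_url)).path.split("/"):
        try:
            decoded.add(base64.b64decode(seg, validate=True).decode("ascii"))
        except ValueError:  # not base64, or not ASCII once decoded
            continue
    decoded.discard("")
    query = parse_qs(urlsplit(refang(landing_url)).query)
    return sorted(k for k, vals in query.items() if decoded & set(vals))

if __name__ == "__main__":
    print(triage(HISTORY))
    print(shared_ids(HISTORY[1], HISTORY[2]))
```

On the thread's data this flags internetscannerlive.com (2 days old) but not trafficrotator.net (78 days), and the rotator's `MTAwNg==` segment decodes to the same `1006` carried in the landing URL's `sid` and `gid`.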

Nothing noticed when I logged in at about ...
Jul 12, 2008 12:05AM PDT

...... 6:00 AM CDT. Safari 3.1.2

Angeline

Something interesting discovered, happening on other sites 2
Jul 14, 2008 9:23AM PDT

One commonality...
Jul 14, 2008 1:51PM PDT

As you know, I've long been a fan of how selective Google is in granting advertising deals through its Google Syndication service, and what quality ads they have brought to Cnet and other websites. </sarcasm>

Honestly, I wonder if they aren't to blame here as both Cnet and NME rely on GoogleSyndication through their respective websites. I know that in these forums alone they have pushed out ads for illegal software, pornography, gambling, and malware, for I have reported such in the past. And other sites have chosen to terminate their Google advertising contracts due to graphically explicit ads being displayed. I know that while I haven't always approved of the advertising department's decisions, they have always screened advertisements carefully before accepting them. Google, on the other hand, represents a backdoor which I know they have only been somewhat successful at filtering. Perhaps it is that third-party at fault here? (Though I doubt they'd admit it if it was their fault.)

John

A side question...
Jul 14, 2008 2:24PM PDT

Do you happen to know why all of the pages across Cnet are automatically adding the query string hhTest=1? It's occurring on download.com, news.com, etc. and is occasionally causing a redirect to occur, but seems to have no purpose at this point.

John

Happening again this AM...Heads up folks
Jul 15, 2008 10:23PM PDT

Something about scanner (dot) vav-scan (dot) com

Once again, it won't go away. Options "cancel" and "ok" are ambiguous...it continues to scan and/or ask to install a program...even brought up download manager!!! ARGH...had to end FF through task manager. Norton blocked it the first time while in progress. Just had another site pop up...didn't catch the name. Only in Cnet again.

Additional
Jul 15, 2008 11:30PM PDT

The second "attack" shows up as "spywaredestructor (dot) com". Again, a bogus scan claiming malware found and trying to download "AntiSpy Deluxe". It even brings up the FF download manager when attempting to exit.

just happened here too
Jul 16, 2008 3:22AM PDT

Same link as you, and I had to close the browser. I was reading James' post about Yankee Doodle when it happened.

Happened to me in Networking and Wireless
Jul 16, 2008 4:09AM PDT

and a couple other forums as well as SE. This seems to be a "hit and run" process as the storm is over at this point. But....will they be back?

Steve did this just happen right now 11:00AM pacific?
Jul 16, 2008 4:21AM PDT

Let me know

I'm in EDT time
Jul 16, 2008 5:13AM PDT

and it happened this AM. Norton history shows 3 blocked attacks within 10 minutes around 9:30 AM. This would be 6:30 AM Pacific, I would presume. There were two separate sites that popped up and Norton caught only one but the bogus scan was already running. I've checked...as best I could...my registry like the other poster but found nothing. During this period I was able to browse anywhere but the Cnet forums. The popups were only a few mouse clicks away each time. No harm done.

Gotcha ok this happened earlier this morning... I just
Jul 16, 2008 5:20AM PDT

wanted to make sure it wasn't happening at this moment 11AM PST or 2PM EST.

Thanks Steve!
-Lee

My anti virus scan found this
Jul 16, 2008 4:34AM PDT

just found it has attached
Jul 16, 2008 4:43AM PDT

Ascentive to my ARC soft program, it seems to be an empty folder, I HOPE!

(NT) Found Ascentive in 3 registry settings
Jul 16, 2008 4:52AM PDT

Scan again using any of these 3....
Jul 17, 2008 3:54AM PDT

Thanks
Jul 17, 2008 4:14AM PDT

I also used CCleaner, will try these others also to be sure

(NT) Clean now, Thanks
Jul 17, 2008 6:22AM PDT

me 2 but i need help trying 2 find it and delete it
Jul 27, 2008 8:33PM PDT

can u help me find it and delete it please