FALSE Virus alert [there is NO malware on your computer]
#211
Join Date: Aug 2004
Location: Kamuela, Hawaii
Programs: Marriott Titanium, Hilton Diamond, AA Plat, UA Silver, AS MVP, HA premier
Posts: 509
A lot of people are having this problem and maybe they can help you reproduce it.
#212
Join Date: Mar 2010
Programs: AA Plat, Marriott Plat
Posts: 736
Crap. Now I'm getting it too on IE on my laptop. Switched to iPhone but come on guys, you're all exposing us here and if/when someone gets infected you're going to get sued. All for the sake of not killing your ads/revenue while you troubleshoot.
Do what we did in my previous help desk days. Kill all ads, then bring them back one by one. When people scream, you have a winner.
#213
Join Date: May 2005
Location: Near Lichfield, UK
Programs: BMI DC Gold, BA Gold, LH SEN, Priority Club Platinum, Nectar purple
Posts: 949
I'm not an IT person, so apologies if this is of no use at all to the investigation. This is my history from AVG showing the report of each time it stopped IE when I opened Flyertalk.
As you can see - it's an exploit rogue scanner, type 1929. Whatever that means.
"Exploit Rogue Scanner (type 1929)";"reliabilityprotectlow.pl/fq2f8o/al/78dee9e271084cb2/pr2/196/";"Object was blocked";"30/07/2012, 22:58:43";"file";"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
"Exploit Rogue Scanner (type 1929)";"protecttoolsmicrosoft.pl/n7065jpi/al/78dee9e271084cb2/pr2/196/";"Object was blocked";"29/07/2012, 22:06:10";"file";"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
"Exploit Rogue Scanner (type 1929)";"testpreventionremedy.pl/wd9ih3904/ss/78dee9e271084cb2/pr2/196/";"Object was blocked";"19/07/2012, 12:46:43";"file";"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
#214
Join Date: Aug 2010
Posts: 154
The latest redirect site: http://urlquery.net/report.php?id=108921
The redirects appear to be always to a *.pl domain with the same Turkish IP address (31.210.109.37). Every day a new *.pl domain is being used because the existing ones are being closed down - http://support.clean-mx.de/clean-mx/...t=first%20desc
Other forums (http://www.quartertothree.com/game-t....php?p=3182083) on the net have also reported redirect problems to an identical IP address.
Again, I think it is highly unlikely this redirect is coming from an advertisement. It is more likely to be an exploit in a script (java/php) run on this site.
Last edited by MoneyBagger; Jul 31, 2012 at 6:30 am Reason: web address
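Added example, not part of any post in this thread: the AVG rows quoted in post #213 show three different hostnames but the same last three path segments, which fits the daily domain rotation described in post #214. This Python sketch parses that export and clusters blocked URLs by path tail instead of by hostname; the function names and the assumption that the tail stays constant across new domains are this example's own.

```python
import csv
from collections import defaultdict
from datetime import datetime

# The three AVG history rows quoted in post #213, copied unchanged.
AVG_EXPORT = r'''
"Exploit Rogue Scanner (type 1929)";"reliabilityprotectlow.pl/fq2f8o/al/78dee9e271084cb2/pr2/196/";"Object was blocked";"30/07/2012, 22:58:43";"file";"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
"Exploit Rogue Scanner (type 1929)";"protecttoolsmicrosoft.pl/n7065jpi/al/78dee9e271084cb2/pr2/196/";"Object was blocked";"29/07/2012, 22:06:10";"file";"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
"Exploit Rogue Scanner (type 1929)";"testpreventionremedy.pl/wd9ih3904/ss/78dee9e271084cb2/pr2/196/";"Object was blocked";"19/07/2012, 12:46:43";"file";"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
'''

def parse_avg_export(text):
    """Parse semicolon-delimited AVG history rows into dicts."""
    rows = []
    for rec in csv.reader(text.strip().splitlines(), delimiter=";"):
        if len(rec) != 6:  # skip malformed or truncated rows
            continue
        detection, obj, action, when, _kind, process = rec
        host, _, path = obj.partition("/")
        rows.append({
            "detection": detection,
            "host": host.lower(),
            "segments": [s for s in path.split("/") if s],
            "action": action,
            "time": datetime.strptime(when, "%d/%m/%Y, %H:%M:%S"),
            "process": process,
        })
    return rows

def rotating_host_tails(rows, depth=3, min_hosts=2):
    """Map each path tail (last `depth` segments) seen on >= min_hosts hosts to those hosts."""
    tails = defaultdict(set)
    for r in rows:
        if len(r["segments"]) >= depth:
            tails["/".join(r["segments"][-depth:])].add(r["host"])
    return {t: sorted(h) for t, h in tails.items() if len(h) >= min_hosts}

def matches_known_tail(url, tails, depth=3):
    """True if a URL (scheme optional) ends in a path tail already clustered."""
    path = url.split("://", 1)[-1].partition("/")[2]
    segs = [s for s in path.split("/") if s]
    return "/".join(segs[-depth:]) in tails

if __name__ == "__main__":
    rows = parse_avg_export(AVG_EXPORT)
    for tail, hosts in rotating_host_tails(rows).items():
        print(tail, "->", hosts)
```

A blocklist keyed on hostname would have missed each day's new domain, while the clustered tail covers all three rows.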
#215
Join Date: May 2005
Posts: 3,944
(1) Since your more recent post indicates that you haven't seen the false virus alert yet, and since I gather that not all IE users have seen it, it would be interesting to see if maybe there might be a common denominator?
(2) After you have found and corrected the problem, could you please again issue us an assurance as to the malware question? Appreciate the earlier reassurance, and hope you are right, but since you haven't encountered the problem yourselves, is it possible yet to be certain that this thing is not installing something? (I understand that from the IT standpoint it might be possible to be certain that it isn't. I am definitely not IT-savvy, hence my question.)
#217
Join Date: Feb 2004
Location: Somewhere between Singapore and the US
Programs: Qantas Platinum, SQ Krisflyer PPS, UA 1p, Marriot Lifetime Platinum, American EXP
Posts: 988
Now you are moving into the realm of opinion. I, like others, will not change because one minor site I visit (Flyertalk) is not up to the challenge. I have things that will not work on FF or Chrome and I do not add software to my machines on a whim.
#218
No longer with Internet Brands
Join Date: Mar 2011
Location: Los Angeles, CA
Programs: DL DM 1.6MM, Marriott LT Plat
Posts: 5,343
Anyone who is seeing this alert, could you please post your browser type and version, and post the steps you take to get to the site and the source code if possible (you can get this by right-clicking and selecting "view source").
Thank you!
Paul
#220
Join Date: Aug 2004
Location: Kamuela, Hawaii
Programs: Marriott Titanium, Hilton Diamond, AA Plat, UA Silver, AS MVP, HA premier
Posts: 509
I'm subscribed to this thread and got an email alert about this new posting. Clicking on the link to the thread in the email brought up the usual virus alert.
#221
Join Date: Aug 2010
Posts: 154
Happens when you manually input the address in the address bar, via google.com, favourites or history.
Can't post the source code when it happens because the redirection is happening before the page loads. Avast is picking it up as URL:Mal - HTTP/1.1 301 but doesn't list the offending problem. I have installed a logger to pick up where the redirecting is originating from.
#223
Join Date: May 2005
Posts: 3,944
I tried to right-click on "view source," per your post above, but couldn't. Right-clicking, any clicking, nothing worked. One more thing changed, however, in addition to the all-white screen background. I was able to shut the screen down with Ctrl Alt Del and in the past even that procedure has not worked.
I think that the posters who say that this screen hits once a day are onto something. I think it usually--but not always--has appeared once/day. Not a hundred percent, however.
There was what might be another possible oddity following my turning the laptop off and turning it back on. After I turned it back on, this time, and opened IE and FT again, FT went blank for a split second, then came back on. So I am wondering if the appearance of the "false virus" screen does do something to the browser or computer, at least for the day?
#224
No longer with Internet Brands
Join Date: Mar 2011
Location: Los Angeles, CA
Programs: DL DM 1.6MM, Marriott LT Plat
Posts: 5,343
Has anyone with an ads-free account (Faces of FlyerTalk, for example) been subjected to the redirect/virus warning?
Note that if you ever visit FlyerTalk without logging in, your ads-free status does not apply then, and an ad could cause this warning.
Thank you,
Paul
#225
Moderator Hilton Honors, Travel News, West, The Suggestion Box, Smoking Lounge & DiningBuzz
Join Date: Jun 2000
Programs: Honors Diamond, Hertz Presidents Circle, National Exec Elite
Posts: 36,027
I went to http://www.flyertalk.com/forum/usercp.php to try logging in to test your question.
I got the login page and immediately got hit with the "virus warning."
This time, though, my own (real) MSE detected that a virus had been installed (just from going to the page!).
http://www.microsoft.com/security/po...tid=2147638814
So, I couldn't actually log in before getting infected.
This is nasty stuff.
I'm not inclined to want to try to test more in case whatever the next re-direct/hijack is manages to actually damage my computer with something that my AV program misses.
Last edited by cblaisd; Jul 31, 2012 at 5:19 pm