
FALSE Virus alert [there is NO malware on your computer]

Old Jul 30, 2012, 10:59 pm
  #211  
RLG
 
Join Date: Aug 2004
Location: Kamuela, Hawaii
Programs: Marriott Titanium, Hilton Diamond, AA Plat, UA Silver, AS MVP, HA premier
Posts: 509
Originally Posted by IBobi
If you look above, some members are either requesting an update, or have not read the updates we've posted and are stating that no admins are responding. This serves both purposes.
Posting the same words saying "we're looking into it" isn't an update. If you were taking this seriously, there would be something more to report.

Originally Posted by IBobi
Internally we have not yet seen the false virus alert, even on IE, making this very difficult to resolve.
This part actually IS an update. Any reason you haven't told us that before?

A lot of people are having this problem and maybe they can help you reproduce it.
RLG is offline  
Old Jul 31, 2012, 12:05 am
  #212  
 
Join Date: Mar 2010
Programs: AA Plat, Marriott Plat
Posts: 736
Crap. Now I'm getting it too on IE on my laptop. Switched to iPhone but come on guys, you're all exposing us here and if/when someone gets infected you're going to get sued. All for the sake of not killing your ads/revenue while you troubleshoot.

Do what we did in my previous help desk days. Kill all ads, then bring them back one by one. When people scream, you have a winner.
living near shamu is offline  
Old Jul 31, 2012, 12:31 am
  #213  
 
Join Date: May 2005
Location: Near Lichfield, UK
Programs: BMI DC Gold, BA Gold, LH SEN, Priority Club Platinum, Nectar purple
Posts: 949
I'm not an IT person, so apologies if this is of no use at all to the investigation. This is my history from AVG showing the report of each time it stopped IE when I opened Flyertalk.

As you can see - it's an exploit rogue scanner, type 1929. Whatever that means.

"Exploit Rogue Scanner (type 1929)";"reliabilityprotectlow.pl/fq2f8o/al/78dee9e271084cb2/pr2/196/";"Object was blocked";"30/07/2012, 22:58:43";"file";"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

"Exploit Rogue Scanner (type 1929)";"protecttoolsmicrosoft.pl/n7065jpi/al/78dee9e271084cb2/pr2/196/";"Object was blocked";"29/07/2012, 22:06:10";"file";"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

"Exploit Rogue Scanner (type 1929)";"testpreventionremedy.pl/wd9ih3904/ss/78dee9e271084cb2/pr2/196/";"Object was blocked";"19/07/2012, 12:46:43";"file";"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Doug_1970 is offline  
Old Jul 31, 2012, 6:29 am
  #214  
 
Join Date: Aug 2010
Posts: 154
The latest redirect site: http://urlquery.net/report.php?id=108921

The redirects appear to be always to *.pl domain with the same Turkish IP address (31.210.109.37). Every day a new *.pl domain is being used because the existing ones are being closed down - http://support.clean-mx.de/clean-mx/...t=first%20desc

Other forums (http://www.quartertothree.com/game-t....php?p=3182083) on the net have also reported redirect problems to an identical IP address.

Again, I think it is highly unlikely this redirect is coming from an advertisement. It is more likely to be an exploit in a script (java/php) run on this site.

Last edited by MoneyBagger; Jul 31, 2012 at 6:30 am Reason: web address
MoneyBagger is offline  
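
Added example (not written by any poster in this thread): posts #213 and #214 describe blocked objects whose domain changes daily while the rest of the URL stays the same. The Python sketch below parses AVG-style history lines and lists the path segments that recur across different hosts, which is what a blocklist rule or proxy-log search can key on when the domain rotates. The sample lines are constructed (reserved `.example` hosts, made-up path values), and the function names are this example's own.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample in the same semicolon-delimited layout as the AVG history
# lines quoted in the thread; hosts and path values are made up.
SAMPLE = '''\
"Exploit Rogue Scanner (type 1929)";"day1.example/q1w2e3/al/00112233aabbccdd/zz9/42/";"Object was blocked";"30/07/2012, 22:58:43";"file";"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
"Exploit Rogue Scanner (type 1929)";"day2.example/r4t5y6/al/00112233aabbccdd/zz9/42/";"Object was blocked";"29/07/2012, 22:06:10";"file";"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"

"Exploit Rogue Scanner (type 1929)";"day3.example/u7i8o9/ss/00112233aabbccdd/zz9/42/";"Object was blocked";"19/07/2012, 12:46:43";"file";"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
'''

def parse_history(text):
    """Turn exported history lines into dicts; blank or short lines are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text), delimiter=";"):
        if len(rec) != 6:
            continue
        name, obj, result, when, _kind, process = rec
        host, _, path = obj.partition("/")  # the object field has no URL scheme
        rows.append({
            "detection": name,
            "host": host.lower(),
            "segments": [s for s in path.split("/") if s],
            "result": result,
            "when": datetime.strptime(when, "%d/%m/%Y, %H:%M:%S"),
            "process": process.rsplit("\\", 1)[-1],
        })
    return rows

def stable_segments(rows, min_hosts=2):
    """Path segments that recur on at least min_hosts different hosts."""
    hosts_by_segment = {}
    for r in rows:
        for seg in r["segments"]:
            hosts_by_segment.setdefault(seg, set()).add(r["host"])
    return sorted(s for s, h in hosts_by_segment.items() if len(h) >= min_hosts)

def summarize(rows):
    return {
        "hosts": sorted({r["host"] for r in rows}),
        "tlds": Counter(r["host"].rsplit(".", 1)[-1] for r in rows),
        "days": sorted({r["when"].date().isoformat() for r in rows}),
        "stable_segments": stable_segments(rows, min_hosts=len({r["host"] for r in rows})),
        "all_blocked": all(r["result"] == "Object was blocked" for r in rows),
    }

if __name__ == "__main__":
    print(summarize(parse_history(SAMPLE)))
```

Requiring a segment to appear on every host (as `summarize` does) drops per-day values such as the first path segment, leaving only the parts that survive a domain change.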
Old Jul 31, 2012, 8:41 am
  #215  
 
Join Date: May 2005
Posts: 3,944
Originally Posted by IBobi
[snip], despite the message it shows you, you do not have a virus (from this) and FT is not infected. [snip]
Originally Posted by IBobi
[snip] Internally we have not yet seen the false virus alert, even on IE, making this very difficult to resolve.

Paul
Thanks, Paul. Two issues:

(1) Since your more recent post indicates that you haven't seen the false virus alert yet, and since I gather that not all IE users have seen it, it would be interesting to see if maybe there might be a common denominator?


(2) After you have found and corrected the problem, could you please again issue us an assurance as to the malware question? Appreciate the earlier reassurance, and hope you are right, but since you haven't encountered the problem yourselves, is it possible yet to be certain that this thing is not installing something? (I understand that from the IT standpoint it might be possible to be certain that it isn't. I am definitely not IT-savvy, hence my question.)
SkeptiCallie is offline  
Old Jul 31, 2012, 11:42 am
  #216  
 
Join Date: Aug 2010
Location: Formerly Box 350, Boston Mass, Oh two one three four. Now near Beverly Hills 90210
Programs: Loyal Order of Water Buffalos
Posts: 3,938
This shouldn't take a week to fix.

Hell, it shouldn't take a day.
Out of my Element is offline  
Old Jul 31, 2012, 2:29 pm
  #217  
 
Join Date: Feb 2004
Location: Somewhere between Singapore and the US
Programs: Qantas Platinum, SQ Krisflyer PPS, UA 1p, Marriot Lifetime Platinum, American EXP
Posts: 988
Originally Posted by IBobi
Fair enough; but you may want to consider switching browsers because both Firefox and Chrome are more robust and less prone to security holes than IE, irrespective of this particular issue.
Now you are moving into the realm of opinion. I, like others, will not change because one minor site I visit (Flyertalk) is not up to the challenge. I have things that will not work on FF or Chrome and I do not add software to my machines on a whim.
swanscn is offline  
Old Jul 31, 2012, 3:00 pm
  #218  
No longer with Internet Brands
 
Join Date: Mar 2011
Location: Los Angeles, CA
Programs: DL DM 1.6MM, Marriott LT Plat
Posts: 5,343
Anyone who is seeing this alert, could you please post your browser type and version, and post the steps you take to get to the site and the source code if possible (you can get this by right-clicking and selecting "view source").

Thank you!

Paul
IBobi is offline  
Old Jul 31, 2012, 3:19 pm
  #219  
 
Join Date: Oct 2003
Location: PDX/AUS
Programs: AA-UA-AS IHG-SPG-Carlson
Posts: 4,562
Since I pay to not see ads,
it seems I am missing out on all the fun.

Therefore, when it comes time to renew...
no more money for IB from me.
MrHalliday is offline  
Old Jul 31, 2012, 3:25 pm
  #220  
RLG
 
Join Date: Aug 2004
Location: Kamuela, Hawaii
Programs: Marriott Titanium, Hilton Diamond, AA Plat, UA Silver, AS MVP, HA premier
Posts: 509
Originally Posted by IBobi
Anyone who is seeing this alert, could you please post your browser type and version, and post the steps you take to get to the site and the source code if possible (you can get this by right-clicking and selecting "view source").
I'm subscribed to this thread and got an email alert about this new posting. Clicking on the link to the thread in the email brought up the usual virus alert.
RLG is offline  
Old Jul 31, 2012, 3:26 pm
  #221  
 
Join Date: Aug 2010
Posts: 154
Originally Posted by IBobi
Anyone who is seeing this alert, could you please post your browser type and version, and post the steps you take to get to the site and the source code if possible (you can get this by right-clicking and selecting "view source").

Thank you!

Paul
IE 9

Happens when you manually input the address in the address bar, via google.com, favourites or history.

Can't post the source code when it happens because the redirection is happening before the page loads. Avast is picking it up as URL:Mal - HTTP/1.1 301 but doesn't list the offending problem. I have installed a logger to pick up where the redirecting is originating from.
MoneyBagger is offline  
Old Jul 31, 2012, 3:29 pm
  #222  
FlyerTalk Evangelist
 
Join Date: Sep 2003
Location: HH Diamond, Marriott Gold, IHG Gold, Hyatt something
Posts: 33,544
Paging Sergeant Schultz, paging Sergeant Schultz...
Jaimito Cartero is offline  
Old Jul 31, 2012, 3:41 pm
  #223  
 
Join Date: May 2005
Posts: 3,944
Originally Posted by IBobi
Anyone who is seeing this alert, could you please post your browser type and version, and post the steps you take to get to the site and the source code if possible (you can get this by right-clicking and selecting "view source").

Thank you!

Paul
I am using Chrome these days but switch to IE to see if the problem is still there. I tested it a few minutes ago and it happened again. This time it happened when I just typed in www.flyertalk.com. I had just clicked on Forums as well, and almost instantly there was the virus-alert screen. This time, however, there was one change to the virus-alert screen. Instead of the FT background, in which we can see the rest of the FT screen, this time the entire screen, except for the alert, was blank. I did a snip-and-save, if you want it, though I don't know how to send a jpg file via PM or to post it online. Unfortunately, the snip didn't save the http: portion of the screen. However, visible on the bottom toolbar are the words, "Viruses were found" in one box and in the next, "Flyertalk Forums."

I tried to right-click on "view source," per your post above, but couldn't. Right-clicking, any clicking, nothing worked. One more thing changed, however, in addition to the all-white screen background. I was able to shut the screen down with Ctrl Alt Del and in the past even that procedure has not worked.

I think that the posters who say that this screen hits once a day are onto something. I think it usually--but not always--has appeared once/day. Not a hundred percent, however.

There was what might be another possible oddity following my turning the laptop off and turning it back on. After I turned it back on, this time, and opened IE and FT again, FT went blank for a split second, then came back on. So I am wondering if the appearance of the "false virus" screen does do something to the browser or computer, at least for the day?
SkeptiCallie is offline  
Old Jul 31, 2012, 4:35 pm
  #224  
No longer with Internet Brands
 
Join Date: Mar 2011
Location: Los Angeles, CA
Programs: DL DM 1.6MM, Marriott LT Plat
Posts: 5,343
Has anyone with an ads-free account (Faces of FlyerTalk, for example) been subjected to the redirect/virus warning?

Note that if you ever visit FlyerTalk without logging in, your ads-free status does not apply then, and an ad could cause this warning.

Thank you,

Paul
IBobi is offline  
Old Jul 31, 2012, 4:44 pm
  #225  
Moderator Hilton Honors, Travel News, West, The Suggestion Box, Smoking Lounge & DiningBuzz
 
Join Date: Jun 2000
Programs: Honors Diamond, Hertz Presidents Circle, National Exec Elite
Posts: 36,027
Originally Posted by IBobi
Has anyone with an ads-free account (Faces of FlyerTalk, for example) been subjected to the redirect/virus warning?

Note that if you ever visit FlyerTalk without logging in, your ads-free status does not apply then, and an ad could cause this warning.
Paul,

I went to http://www.flyertalk.com/forum/usercp.php to try logging in to test your question.

I got the login page and immediately got hit with the "virus warning."

This time, though, my own (real) MSE detected that a virus had been installed (just from going to the page!).

http://www.microsoft.com/security/po...tid=2147638814

So, I couldn't actually log in before getting infected.

This is nasty stuff.

I'm not inclined to want to try to test more in case whatever the next re-direct/hijack is manages to actually damage my computer with something that my AV program misses.

Last edited by cblaisd; Jul 31, 2012 at 5:19 pm
cblaisd is offline  

