FALSE Virus alert [there is NO malware on your computer]
 

For those just coming to this thread for the first time, I have taken the liberty of pre-pending IBobi's answer from downstream here. cblaisd, Senior Moderator:

Twice in the last two days while using FT i have had a pop up appear. It is designed to make it look like MS security essentials notice.

http://i5.photobucket.com/albums/y193/Braybuddy/MS.jpg

While I didn't get the specific virus alert that Polar Man mentions, I also noticed unusual virus alert messages while accessing FT the last couple of days, both on my home and work computers.

I, too, have gotten these alerts the past two days. Norton says

Category: Intrusion Prevention
7/20/2012 9:34 AM,High,An intrusion attempt by 173.254.192.44 was blocked.,Blocked,No Action Required,Fake App Attack: Fake AV Website

I got them on FT website (only) for 2-3 days, with wording:

When I tried to close the browser, I couldn't. Had to shut the computer down and restart.

I am also getting the MSE look-alike virus warning, but only with IE, not chrome.

Thank you all, we're looking into this, but FT appears to be clean. No virus found at all.

If someone can post a screen shot, we'll look into whether this is ad-related, or some other possibility?

Thank you!

Paul

I'll remember to grab a screenshot - but I've gotten this virus warning today on separate computers - it just seems to happen randomly but always on the flyertalk site.

I got the pop up yesterday and this morning. I will try to grab a screenshot if I get it again. I wonder if it really came from a banner?

+1 to Polar Man's experience.

I got a different pop-up than Polar Man got. If I get it again, I will post a screen shot.

I also only got this once yesterday and once today, despite numerous visits to FT. Have just assumed it was ad based. Did you check out the IP I posted earlier?

+1 to Polar Man

I got the same message as Skepticallie yesterday. Had to into my task manager to shut it down.

Just got the same.
Have emailed you, IBobi. - I have a screenshot I can send you.

Was going to http://www.flyertalk.com/forum/usercp.php, but the address bar changed, pop-up appeared and Norton antivirus blocked a Fake App attack...

Closed it all, and worked fine this time.

here is the screen shot.

http://i71.photobucket.com/albums/i1..._man/virus.jpg

If you click on the x to close the popup then the " microsoft" warning pops up on a blank screen.

I also received it, I looked at the address bar at the top and this is where it is coming from..but only when I come to flyertalk

http://guarantorqueerprocessinspecti...84cb2/pr2/196/

I've got the same thing in the last couple of days on different computers.

This last time, a few minutes ago, the address bar changed to:

[deleted, per ff post]

A Google search produced nothing for that entire string, though there is evidently an "onlinecleancustodian.pl" but with other numbers in the last part of the string, and even then only one hit on Google.

Just got another hit. Pop-up looked the same as the one Polar Man posted earlier today.

Norton reported

Category: Intrusion Prevention
An intrusion attempt by delivereravshield.pl was blocked.,Blocked,No Action Required,Fake App Attack: Fake AV Website 20,No Action Required,No Action Required,"delivereravshield.pl (96.44.155.85, 80)”

SkeptiCallie, clicking on the link you posted gets you another hit from the fake virus website. Maybe you could remove the hyperlink in the future? Thanks.

Thanks, glad to do so. I hadn't noticed that that was a hyperlink, just thought I was giving the address for IDing it. If mods need the link again, just PM me and I'll supply it to you. (Michelander, just to be thorough, could you also delete it in your quote of my post, and TIA.)

I got the same message earlier today as well as yesterday. But it didn't come as a small message box - rather it took over the entire FT page. When I x out, the whole browser window closes and I have to re-open the browser.

It certainly is annoying.

I received the same message about 2 hours ago. I closed it and ran SuperAntiSpyware and it came up clean.

I had similar notice when I have clicked on FT lately. It sets off my Norton saying they blocked an intrusion by "dangerdefenderdata.pl" at the IP address of 96.44.155.85, 80. I see that is the same IP address as previously posted but a different name.

I tried googling dangerdefenderdata.pl but doesn't bring up anything. I was able to trace the IP address to someplace in California.

Same experience as Vulcan. There's no virus of any kind on my machine, but they are somehow taking over and redirecting traffic from the FT site. Redirects the entire page away to a pseudo-virus message, wanting you to clean your computer (and no doubt buy their bogus anti-virus product).

I've been seeing the same problem for several days, only when I visit FT.

I don't get it in Safari or Chrome.

Me too, only on Flyertalk. Can browse for hours, the minute I come here it sticks on the virus warning. Only on PC, I'm using my iPad now with no problem.

Just happened again. Whatever the issue is, it hasn't been fixed.

I have now had this exact same experience on three separate computers in three separate locations.

XP - IE
Vista - IE
W7 - IE

Each of the computers is clean of virus problems. In each instance, the web page is redirected.

This would appear to be an IBB issue.

Same here. Once a day, last time about a minute ago.

Me too and that's now 3 or 4 times on different computers at home & work.

I've encountered it as well.

http://i1053.photobucket.com/albums/...di/FTVirus.jpg

Second time I have got this warning when opening my bookmark to Flyertalk Forums.

(Hopefully the pic posts.... I really have no clue)

It has happened again, just now. This time the address was changed to (partial listing, to avoid the hyperlink), "http://" followed by the words

utilitywarderdefender.pl \

followed by numbers.

Interesting thing, however, about the numbers in the string. From "/ss/" on--i.e., "/ss/78dee9e271084" (etc.), the numbers are identical as to what they were before.

I.e., what changes now in the address bar are, first, the words, "utilitywarderdefender," and secondly, the numbers following those words, up to the "/ss/--etc," at which point the numbers are the same as in the earlier hyperlink.

[deleted]

Yes I keep getting "Norton has blocked an attack" - seems to have a PL domain - Poland?

So is flyertalk going to do something about this? I'm pretty sure its a rogue banner ad script. They need to alert whoever provides their banner ads that there is a bogus ad causing malware popups. Looks like doubleclick.net to me.

Would that cause the screen to freeze? I have to turn my laptop off whenever the pop-up appears, as nothing works any longer, can't even exit the screen with Ctrl Alt Del.

I'm getting the same thing on two computers. Both running IE on Win7 and as with others only when I visit FT.

I'm at least able to run task manager and then close out the IE windows which are causing the problems.

Running Windows 7

Just happened to me as well.