Ads/Script redirecting to Virus site?

[Roger H. Veteran]

2nd time this has happened to me now. I use inprivate mode at work so i'm not logged in but i'm on the neowin main page then start getting redirected to other site to land at:

 

 

WARNING: Don't be a smarty and go to site below: :punch:

http://usdppvs.myftp.biz/index.php?....................... etc

 

I don't know if it's the same site as last time but it was the same fake Security Essentials thing.

 

It's only happened when not logged in so i'm guessing guests haven't been able to report it.

[SecretAgentMan]

Yes, I am not the only one that has seen the fake Security Essentials windows a few times now when I come to Neowin.  It seems like a bad advert in the rotation I am guessing and the link is different each time. 

 

Warning to not go to the link below!!

 

"http://thpfbez.myftp.biz/index.php?c=RaENOjEayDF925cOxP3ACC60zajgAjCTlcK0liAaKtvKheVQzm+YhzfWz1MPnw1S6zBdyf5PIpX2zaZzWwL95qmKyoM="

 

 

And this happens while I am logged in.

[papercut2008uk]

this is what i usually do if i get infected.

 

Malwarbytes

http://www.malwarebytes.org/

 

if you dont have it, download, install, update and then do a full system scan.

 

then once i have used my antivirus to scan (which takes about 2 days, since i have a huge amount of data and space!) and done a malware scan, i then use one or more of these:

 

(these are all online scanners, so do not require you to remove your existing antivirus software)

 

Trendmacro Housecall

http://housecall.trendmicro.com

 

panda active scan

http://www.pandasecurity.com/activescan/index/

 

Bit Defender

http://www.bitdefender.co.uk/scanner/online/free.html

 

Eset online scanner

http://www.eset.com/us/online-scanner/

 

and check startup items and running processes, if i suspect anything i submit it to this site, you can usually judge weather you need to get rid of the file or not

 

Virus total

https://www.virustotal.com/en/

[Atomic Wanderer Chicken]

I am getting this too, I closed my browser immediately when the fake antivirus thing popped up.

[Roger H. Veteran]

I'm not infected.... pssht :p - I run clean shop over here. It's happened on work PC and my home machine which was formatted to install Windows 8.1 preview. SO it's as clean as a bell. Dunno though, haven't seen it yet today.

[SecretAgentMan]

Yep, my system is clean and no damage was done but if people accidentally click through it may be bad.  I am not going to test that however.

[Hum]

Not detected here.

 

MSE running.

[TPreston]

TMG caught it, Eset caught it, smartscreen caught yep that's some good malvertising.

[Steven P. Administrators]

Can someone please screenshot the advert that supposedly triggers this? It's quite serious and I need to be able to report it. Does it happen only on main or also in the forums?

[Steven P. Administrators]

I've reported it, hopefully our guys can sort this with the information provided in this thread.

[cork1958]

  On 12/07/2013 at 23:09, papercut2008uk said:

this is what i usually do if i get infected.

 

Malwarbytes

http://www.malwarebytes.org/

 

if you dont have it, download, install, update and then do a full system scan.

 

then once i have used my antivirus to scan (which takes about 2 days, since i have a huge amount of data and space!) and done a malware scan, i then use one or more of these:

 

(these are all online scanners, so do not require you to remove your existing antivirus software)

 

Trendmacro Housecall

http://housecall.trendmicro.com

 

panda active scan

http://www.pandasecurity.com/activescan/index/

 

Bit Defender

http://www.bitdefender.co.uk/scanner/online/free.html

 

Eset online scanner

http://www.eset.com/us/online-scanner/

 

and check startup items and running processes, if i suspect anything i submit it to this site, you can usually judge weather you need to get rid of the file or not

 

Virus total

https://www.virustotal.com/en/

Over kill to the maximum, even if it is better to be safe than sorry!

 

Malwarebytes and SuperAntiSpyware, are all I need. If those 2 programs haven't gotten everything, I'll use Malwarebytes anti rootkit, which I'm not even sure is any different that regular Malwarebytes! Usually, either of those first 2 programs get's those baddies.

 

Not even using an AV now. Have NEVER had one of those bloated programs block/find/remove anything!

[SecretAgentMan]

  On 13/07/2013 at 07:38, Neobond said:

Can someone please screenshot the advert that supposedly triggers this? It's quite serious and I need to be able to report it. Does it happen only on main or also in the forums?

Not sure which ad was doing it but it only happened to me on the main page and not the forums.

[Roger H. Veteran]

Couldn't screenshot it because it goes by too fast as I'm generally not paying attention to the ads either (:p) - I just go neowin.net then go to try click the login button and it starts going all over the place.

[SecretAgentMan]

Just happened again and with a different link.  Do NOT click the link below!!

 

"http://obtxlov.myftp.biz/index.php?c=RaENOjEayDF925cOxP3ACC60zajgAjCTlcK0liAaKtvKheVQzm+YhzfWz1MPnw1S6zBdyf4bI8Ony6MiWQCn56uDyoM="

[Leopard Seal]

Just happened to me about 30 minutes. Fortunately I was browsing on my Surface RT, so no worries about malware and Trojans.

[Steven P. Administrators]

I removed the top ad from main and forums until this gets sorted, no answer from my ad provider yet.

[Steven P. Administrators]

Also added that domain (which is always the same so far) to the ban filter.

[Dane]

This popped up for me now.  

[Leopard Seal]

It's back. Just had it pop up again on my desktop machine.

[Steven P. Administrators]

myftp.biz has been blocked here and at two ad providers that could possibly host such an ad, but it's confusing because we don't even allow popups; the only way we can truly get to the bottom of this is if I know exactly what ads are loaded on the page when the thing pops up.

[Steven P. Administrators]

Also save the page where you see it so I can also check sigs for anything dodgy.

[Roger H. Veteran]

People keep saying pop-ups but it's not, its a whole site redirect and you end up at a white page showing just my capture in the middle of the page.

[Steven P. Administrators]

Hmm maybe disable "Allow sites to redirect you from the page" pretty sure Chrome won't redirect me off Neowin to some other domain just like that!?

[Hum]

I added gooleadsense.com to the Firefox list of sites to block.

 

I still have not seen any bad ads/redirects.

 

Must only be for Chrome users.,

[+Warwagon MVC]

  On 11/07/2013 at 16:57, SHoTTa35 said:

2nd time this has happened to me now. I use inprivate mode at work so i'm not logged in but i'm on the neowin main page then start getting redirected to other site to land at:

 

Fake Virus.png

 

WARNING: Don't be a smarty and go to site below: :punch:

http://usdppvs.myftp.biz/index.php?....................... etc

 

I don't know if it's the same site as last time but it was the same fake Security Essentials thing.

 

It's only happened when not logged in so i'm guessing guests haven't been able to report it.

 

WOW, if MSE detects it just imagine how bad it really is....

 

Also Sandboxie FTW!

 

A good time to remind anyone who is reading this to keep their 3rd party applications and operating system up to date. It's more than likely what ever site it's redirecting to probably has an exploit kit.