#1
If you get hit by malware on the SDMB ...
If you believe you have been victimized by malware while visiting the SDMB, please post a report to About This Message Board so we can investigate. For best results, malware reports should include the following:
1. Tell us specifically what happened, not just "I got hit by malware." For example: (a) my antivirus software notified me it had blocked an attack and gave me the following report (and then post the report); (b) I got a popup saying [whatever]; (c) my system locked up and the screen turned blue, etc. It's especially helpful for us to know the name of the suspected item of malware.
2. Time/date of occurrence, your geographic location, and browser/operating system you are using.
3. Whether you were looking at an SDMB page or a column archive page. These are hosted on different servers and see different ads.
4. If possible, provide a screen shot of the page you were on when the incident occurred. With WinXP this can be done with Alt-PrintScreen and with Win7 you can use the Snipping Tool. If you can't do this, please describe any ads or popups that were visible.

If you get hit more than once, are at least moderately tech savvy, spend a lot of time on our site, and are willing to run bug tracker software in the background, we'd be grateful if you did so - this has proven to be an effective way to identify the source of rogue software. Let me know if interested.
#2
Kaspersky malware report
Removed so that I can make a separate thread.
Last edited by robert_columbia; 12-24-2011 at 09:25 AM.
#3
I was just hit for the 4th time
Each time, I was on this site. The last time, maybe a half hour ago, I was composing a new thread in Cafe Society and hit 'enter', then my IE session closed and I got the 'XP Security 2012' fake 'virus removal' instructions. I have Symantec endpoint security and part of the business IE security. I also had MalwareBytes running. I was able to get IE back up but cannot get Malwarebytes to open now.
It put an executable (this one called epu.exe) in C:\Documents and Settings\user name\Local Settings\Application Data. I renamed the .exe then was able to end that task. I am still hosed.
#4
Quote:
Running under an Administrative account, or as a user? If as a user, you can probably recover. Running as an Admin, you're probably in big trouble.
#5
Quote:
#6
Try renaming the malwarebytes executable from mbam.exe to mbam.scr and double click on it. It might throw up an error dialogue, but it should still run and get you cleaned up.
#7
I was surfing SD on Friday, 1/6/12, about 11 AM central time. Geographic location = central Minnesota. Browser = Internet Explorer 8, 64 bit edition. Operating system = Windows 7. I would have been in one of the forums at the time. I had Microsoft Security Essentials running, updated and actively monitoring the computer.
I started getting popups that tried to look like an antivirus program....Windows 7 Antivirus, something like that. Sorry I didn't get the exact names. It was a bugger to remove. It disassociated file types with the program that runs them. Any attempt at running malware removal programs would actually erase the program I tried to run. I finally managed to run ComboFix from a CD that got rid of it, after two runs. Then I was able to do a system restore. In hindsight, I think this has happened two other times in the last three months or so. Never quite so bad, but similar circumstances. Hope this helps.
#8
Sorry to hear you had problems. Since you may have had this happen more than once, you're a good candidate for running the Fiddler debugger in the background and capturing a log if this happens again. Would you be willing to do this? Logs are the one proven method we have of tracing malware. Let me know - you can reply by e-mail to edzotti at aol dot com. Thanks.
#9
I was surfing a few pages in MPSIMS, and when I clicked to go to a 'last post' in a thread, I got a strange redirect. Come to find out it was a 'Scour Redirect' which also hijacked my google searches. Symantec Endpoint keeps blocking/quarantining a Bloodhound.Exploit.346 trojan (apparently).
I cannot guarantee I picked it up here, but it only first appeared when I went to go to a 'last post'. I run Symantec Endpoint antivirus, and Malwarebytes' Anti-Malware, both of which I'm running with a barrage of other programs to isolate and kill this particularly sticky little bastard of a virus.
Tripler
I may need to nuke it from orbit.
#10
Quote:
Tripler Sorry for the double post. It's early, no coffee at the time.
#11
res://ieframe.dll/acr_error.htm#worryprocessesdefender.info, http:// worryprocessesdefender.info /2395ccc009752c4a /1/
from the main forum page http://boards.straightdope.com/sdmb/ gets a pop up Windows dialog box spawned by the IE frame. I use Task Manager to shut down all instances of IE so it doesn't get further, and I don't click the box. This time IE threw an error that gave me the above frame URL. I'll add it to my hosts blacklist. But it IS spawning from SDMB.
Last edited by da_pope; 04-17-2012 at 11:52 PM. Reason: broke link
#12
I'll pass this on. Sorry you had a problem.
Do you know what ad was displaying at the time this popped up? That might help us track the culprit -- if it's a rogue ad, which is possible.
Last edited by TubaDiva; 04-18-2012 at 08:22 AM.
#13
No, the pop up blocked me from scrolling up to the ad display. I assume that's where it's coming from as well.
#14
Again, our apologies.
#15
No worries, I know it isn't really the board.
#16
More info:
Looks like the banner was "ads by pulse 360". This time it hijacked the page to vulnerabilitytaskstesting. info and pops a Windows dialog box: "windows antivirus 2012 has found critical process activity on your PC and will perform fast scan of system files". This time I X'd out the dialog box, figuring I can clean up any mess, and it landed on the .info page and started a 'scan'. I was able to use the back button to view the banner ad at the top to gather this. Hope that helps.
#17
I just got the fake virus messages from the straight dope, about two minutes before this post. It was not an archive.
It was a pop-up and it mimicked the look of Microsoft Security Essentials. I'm sorry I did not get a screen shot, but my habit is to close the window as soon as this happens lest I accidentally click on something that will really infect my machine. I am running Vista SP2 and IE 9. For my location, please PM.
#18
Just got a re-direct to a porn site when reading the game room, on my ipad (pretty sure I hadn't touched anything on the screen). It sounds like the same redirect that these guys are discussing on another forum (same dodgy site):
http://forums.digitalspy.co.uk/showt...1722515&page=4
My ipad is as pure as the driven snow, in internet browsing terms. Something to do with the SD ads?
Last edited by Busy Scissors; 08-22-2012 at 02:36 PM.
#19
Quote:
#20
Hi
I have had the redirect to a porn site twice now, a few weeks apart. Happened while reading the SDMB on my ipad, scrolling through thread titles. Not sure which forum though. I think it was IMHO, but frankly I was so taken aback (the first time it happened I was supervising my daughter tidying her room and didn't want her to see the screen!) I didn't note which forum. Only part of the screen I was touching was the far left, if that helps any.
#21
Here's something I've been running into for a while:
While browsing a forum, I'll click on a thread, read it, then hit my back button. Nothing happens. When I look at the previous page dropdown, it's filled with one address 20 or 30 times, as though I went to that particular address repeatedly. The address is http://ad.doubleclick.net/N622/adj/stra
Is this malware on the Dope, on me, or is it some part of the ad system that the Dope has and just goes haywire on occasion?
#22
Yeah, it's some sort of malfunction.
Some think it's an intentional hijack of the back button rather than some miscoding or other error on someone's part somewhere that causes this but we can't tell for sure. Sorry that this happened to you.
#23
There have been a *lot* of people complaining about surprise porn redirects while using iOS on a wide variety of websites. Just google 'iPad porn redirects' and you'll see. It's not just on Straightdope. I haven't seen any solutions yet though and I'm not sure Apple is aware yet in any meaningful way.
#24
Any report yet on if this suspected hijack is related to the other hijack I reported where the atlassolutions malware will go out every 5-10 minutes and connect to 10-15 other sites when a browser is open?
#25
I just tried to perform a search and got the following Google Chrome malware warning:
Quote:
#26
I have reported your issue. Anyone else seen this?
#27
Yup, same here. Location currently The Netherlands.
#28
I got a warning from Google Chrome today about that, once this evening.
__________________
"By all means, marry. If you get a good wife, you will become happy. If you get a bad one, you will become a philosopher." ~ Socrates
#29
It's apparently a hack at Netseer and has nothing to do with the Straight Dope.
http://www.denverpost.com/business/c...e-chrome-users
Quote:
#30
Got a "StraightDope is running a survey" pop-up and followed it partway thru (with a rarely used e-mail address) till it started asking questions about my checking account. Time 12:22PM EST, Date 2/22/2013. Location is Bloomfield, NJ.
#31
For about 2 weeks now, when I'm in Cafe Society a security warning pops up, but it's not from my computer, it's from a website and won't let me close it.
It says Warning! Microsoft Security Essentials has detected the following: (then it lists various trojans, malware, etc.) then it says "you must click here". I never do, I close out the screen.