Auto-re-routing
I'm using Firefox and IE8 to use these forums and I'm getting re-routed more and more (this is from two separate PCs, one with very high level security and the other with something more normal).
Scenario:
1) I’m reading the forums and BAM…auto re-routed to online Bingo.
2) More serious. Reading the forum and BAM, get re-routed to a fake Control Panel image with a warning stating the PC has viruses.
I haven’t clicked any pop-ups, indeed no pop-ups are showing or even showing as blocked. I can only assume the code for the forums has been compromised and tampered with. Happens on various threads and appears random.
Just thought you ought to know really and see if you can take action. The on-line bingo isn’t a major issue as you can just “back” and you’re where you started but the newer one…the fake Control Panel with fake virus warning is much more worrying for some users who are not PC savvy to know about it being fake and it disables your browser window as well.
Luckily as I use IE8 and Firefox, I normally have the forum open on a separate tab so can close it ok but this morning the 2nd one got me on the first session so I had to force FF to close via Task Manager.
Pannonian
11-18-2009, 12:54
What sites do they redirect you to?
I haven't taken the time to note down the URLs but as I said above the most common one is a simple on-line Bingo website (which seems genuine) but the other one doesn't have a URL as it's quite a sophisticated website which looks EXACTLY like a Windows XP standard Control Panel complete with icons for hard drive etc etc.
Only difference is that it has a "mock" antivirus scan running on it and a large announcement stating your PC is infected...it also has several pop-up windows asking you to "ok" or "cancel" requests for antivirus updates.
If it was just my PC at home then I'd say I'd picked up that virus that copies XP's built-in antivirus (can't recall the name of it) but it's happened on a work PC which is seriously locked down with firewalls and antivirus active scans galore so it's website related I believe.
Pannonian
11-18-2009, 13:59
I've seen mock-AV sites before, and it's usually local drive-related, and often involves rather complicated cleaning processes, hence my asking for the sites. Without knowing what they are, it's hard to know what to do.
I know, which is why I was more concerned when it:
1) only happened when on these forums
2) happened on two separate PCs, from two separate locations with two separate security measure templates installed
I will attempt to get more info if possible next time it happens.
I never had it happen with Firefox. But you could get Adblock Plus to make sure it doesn't for Firefox.
As for IE8, just don't bother using it.
You have a virus and/or rootkit. You'll want to run MS Defender, Adaware, possibly Spybot, and your AV program of choice until they show up clean. If this still doesn't fix your problem, then you've got a rootkit, and those are just about impossible to extract without the right tools and some serious knowhow.
Autorouting link for 2nd issue:
http://protect-yourselfb.com/1/?sess=%3DGW19jDxOC0zJmlwPTgwLjQ3LjE0My4zNyZ0aW1lPTEyNTU1McQMMQkN
Like I said, if it occurred on one PC I'd agree with all of you and say it's a virus issue on the PC in question but with two separate PCs, and one is a work based PC with corporate firewalls etc etc as well as many non-work sites blocked, I assumed it may be something embedded in the forums.
Not saying I'm right though by a long shot! :laugh4:
Tellos Athenaios
11-18-2009, 23:09
Interestingly enough:
wget -O ~/dltestfile -c http://protect-yourselfb.com/
file ~/dltestfile
The result is: dltestfile: very short file (no magic); not surprising since wget reports an amazing content-length of: Length: 1 [text/html]. (1 byte). Guess what that single byte is? 0x0A. (Newline.)
Pannonian
11-19-2009, 03:18
Someone else (http://forums.mangafox.com/showthread.php?p=3025196) seems to have the same problem on another forum. Googling doesn't find anything else on it yet, and the site itself isn't on my DNS. Try tracerting that host and noting down what IP it produces.
The other possibility is that a DNS server has been either compromised or poisoned.
I still say scan the crap out of both of your machines with those programs I listed. If it's clean, then they're clean, and the problem is ISP related.
Yup, going with that option for now. Posted this mainly as a warning for the forum Admin, can't actively scan the work PC as that's done by our national IT department on a regular basis (multinational company) but will go down hard on my home one as soon as I have the 2hr+ it'll take.
Banquo's Ghost
11-19-2009, 13:15
If it helps, I have experienced the same problem with the bingo redirect just recently.
I have been given a brand new Windows laptop for running games. The OS is Windows 7. The only programs installed on the machine are Baldur's Gate, STW, MTW, M2TW, ETW with Steam connection. There is AVG anti-virus and Firefox with Ad Block.
I have used Firefox to visit one site only, and that is the Org. A couple of days ago, I got the redirect as described above.
My usual machines are a MacBook Pro and a MacBook Air, both running Snow Leopard. I use Safari to visit the Org and the rest of the web, and occasionally Firefox.
There has never been this issue with the Mac set-up. Given that I have a pretty clean Windows machine, I might venture that this is a problem with something on the Org, and that uses a Windows vulnerability.
I don't know whether this information helps the more technically knowledgeable, but I hope so.
Add NoScript to your Firefox. It's a little annoying since you have to enable scripts for sites, but it prevents a lot of mischief.
Aemilius Paulus
11-19-2009, 16:13
You have a virus and/or rootkit. You'll want to run MS Defender, Adaware, possibly Spybot, and your AV program of choice until they show up clean. If this still doesn't fix your problem, then you've got a rootkit, and those are just about impossible to extract without the right tools and some serious knowhow.
Definitely. That is what I first thought. Usually such symptoms are malware-induced. But Windows Defender and Adware are near useless, I used them a long time ago. Now, Spybot is a different thing. It actually works quite well. But not nearly as well as the fully-functional 30-day trial of the best AV package ever made - Kaspersky Internet Security 2010. It even has a feature called Safe-Run where you can run any program in a virtual, closed environment, which protects you from virtually any malware you can pick up from surfing the web.
So get it. It is free, for 30 days. Fully functional - it scans, protects, and neutralises any infections. I never got why they have such permissive trials, but whatever - take advantage of it. Here is the download link (http://usa.kaspersky.com/trials/home-users/internet-security/).
I'm doubting it's something on the PCs now as the issue is very specifically related to these forums and only ever happens whilst I'm here...and I use a lot of other forums and even host my own one.
HopAlongBunny
11-20-2009, 09:42
I'm with drone. Try installing NoScript for FF. If it is something embedded on the site, that should take care of it. It's free, it updates fairly regularly and it's painless.
You may also try http://www.safer-networking.org/en/mirrors/index.html; spy-bot search & destroy.
Immunize function is handy.
Okay, first of all, this looks absolutely nothing like an already activated virus, trojan or rootkit. Why in the world would such a thing blatantly show itself, almost yelling "Hey, you're infected!" at the user? What would it possibly have to gain? Neither does DNS-poisoning seem to be all that likely - but, nonetheless, you could try setting your DNS to be something unlikely to be poisoned, such as your work DNS-server or (if possible) the RNS.
Now, as to what I'd guess this is:
The image it displays looks silly, at best. It is either trying to keep the user focused on it (at the risk of alerting the user to it being malicious) or wants to give the user some sort of choice. The second, although unlikely, is possible - something like "If you're stupid enough to agree to what we're suggesting, we'll rootkit you, but we'll spare the smart ones." Ethics? Meh.
Either way, you are not of any true influence on the process. If it can run arbitrary code on your machine, it will do so as it pleases, and does not need your permission. If it cannot, I see little point in it existing... A prank? Unlikely.
Thus, what we know about the program:
1. It shows up while, and only while, you are browsing the Guild from a Windows machine.
1.1. Thus, it likely has a check about whether your browser claims you're using Windows - try changing this variable, and see if it vanishes. If you post your current one, I can try it under Linux.
2. It shows up on both Firefox and IE.
2.1. Kudos for making it browser independent >.>
3. Neither antivirus is alarmed by it.
3.1. Now this is the interesting bit. The high-security one should be tipped off by just about anything. Could you specify which one it is that you use at home and at work, please? No need to include firewalls - I'm guessing this is purely http.
I would advise scanning at least your home system fully, to make sure it didn't cause you to get infected. Further, NoScript was already mentioned - it's a great thing, although not all that necessary now that AdBlock can block .js files. When browsing the Guild, Firefox wishes to execute scripts from totalwar.org, google.com, adbureau.net, quantserve.com and atomicgamer.com. I allowed the first two, blocked the rest (don't know the last one, but the other two are ad sites). Back on Windows machines, I've had Avast light up while browsing quantserve - that could very well be the problem.
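The post above lists the domains Firefox wanted to run scripts from and blocks the ad networks. As an added illustration (not code from the thread or the forum software), the following script does that inventory offline: it parses a constructed sample page, resolves each script source to its host, and reports the hosts outside an allowlist. The allowlist of totalwar.org and google.com mirrors the poster's choice; the page URL and the script paths in the sample are assumptions.

```python
"""Added example: list the origins a page loads scripts from, the way
NoScript shows them, and flag the ones outside an allowlist."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: one local script plus several third parties.
SAMPLE_HTML = """
<html><head>
<script src="/clientscript/vbulletin.js"></script>
<script src="http://www.google.com/jsapi"></script>
<script src="http://ads.adbureau.net/display.js"></script>
<script src="https://edge.quantserve.com/quant.js"></script>
<script>var inline = 1;</script>
</head><body></body></html>
"""

class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)

def script_origins(html, page_url):
    """Hostnames the page loads scripts from; relative paths
    resolve to the page's own host."""
    parser = ScriptSrcParser()
    parser.feed(html)
    hosts = set()
    for src in parser.sources:
        host = urlparse(urljoin(page_url, src)).hostname
        if host:
            hosts.add(host.lower())
    return hosts

def unapproved_origins(html, page_url, allowed):
    """Sorted hostnames not covered by the allowlist; a bare domain
    in the allowlist (e.g. 'google.com') also covers its subdomains."""
    def allowed_host(host):
        return any(host == a or host.endswith("." + a) for a in allowed)
    return sorted(h for h in script_origins(html, page_url) if not allowed_host(h))

if __name__ == "__main__":
    # Assumed forum URL; the allowlist matches the post above.
    page = "https://forums.totalwar.org/vb/"
    print("script origins outside the allowlist:",
          unapproved_origins(SAMPLE_HTML, page, {"totalwar.org", "google.com"}))
```

Point it at a saved copy of the forum page to see which third-party hosts would be blocked before deciding what to allow.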
Sure.
I have browsed many...many forums etc and this occurs only here. So, we can confirm some association.
Antivirus kits
Home - Avira (using IE8)
Work - Mcafee (using Firefox)
Both machines are using Windows XP with the latest service packs etc, making them fully up to date.
I don't get much facetime with my home PC so a full scan is planned just not executed yet. I can't self-scan my work based PC but this is done every night by automatic IT executable and I have not been notified of anything amiss.
I now use the Tabs functions more to help prevent this annoyance. Always having two tabs active means that when this occurs it occurs on only one tab so I just manually close that tab (it displays another fake warning which I "X" close down rather than using its "OK" to close).
When browsing the Guild, Firefox wishes to execute scripts from totalwar.org, google.com, adbureau.net, quantserve.com and atomicgamer.com. I allowed the first two, blocked the rest (don't know the last one, but the other two are ad sites). Back on Windows machines, I've had Avast light up while browsing quantserve - that could very well be the problem.
Done a little research and I think you may have found the issues here...but I'll still scan my PC, always good practice.
So much for the 'checks OS' theory. :laugh4:
https://img3.imageshack.us/img3/8971/yada.jpg
pevergreen
12-08-2009, 06:37
2) More serious. Reading the forum and BAM, get re-routed to a fake Control Panel image with a warning stating the PC has viruses.
This has been happening lately
http://magnum-defence33.cn/1/?sess=pWT1wjjxMC03JmlwPTU4LjE2OS4xNjEuMTkmdGltZT0xMjY4MUAMPQJN
is the site
FF3. No adblock/noscript though, it doesn't install for me.
Only seems to happen from main page, currently scanning with AVG.
So much for the 'checks OS' theory. :laugh4:
https://img3.imageshack.us/img3/8971/yada.jpg
Well, that is Windows, judging by the look of it. Might not check OS version number, simply the name.
EDIT: Aha! Instead of giving a pop-up with the choice of continuing the 'repair' or aborting, it suggests you download something... Interesting, let me give that site a go.
EDIT2: Went to the page manually. No matter what you click, it gets to the point where it offers you to repair. If you press the screen anywhere at that time, it'll try to download an "install.exe" - against which Firefox is safe, but I'm not sure if IE is. Until that comes up, there was no sign of any intrusion.