View Full Version : Virus Security Alert - Weekend of March 20th
Jeff Kramer March 22nd, 2010, 09:20 PM It appears that our ad server was compromised by an automated remote exploit sometime in the last 2-3 days, resulting in security exploits being appended to random banner ads. No user data was compromised but if you visited the forums in the last few days on a Windows PC we recommend making sure your antivirus definitions are up to date and running a full system scan. If you don't have antivirus software installed, you can get free Windows antivirus products from AVG:
AVG Free - Download installation files & documentation (http://free.avg.com/us-en/download?prd=afg)
And avast:
avast! Free Antivirus - Download Software for Virus Protection (http://www.avast.com/free-antivirus-download)
I personally use avast on my Windows machines and it seems to work well.
We're in the process of transitioning to a hosted ad platform so that we won't risk further security exploits and have turned off ad serving till that transition is complete. We're very sorry for any inconvenience this has caused.
Jack Zhang March 22nd, 2010, 09:28 PM Thank goodness I have Adblock for Firefox.
For those on Genuine Windows, Microsoft Security Essentials is an excellent alternative to AVG. MSE paired with Malwarebytes Anti-Malware is more than good enough malware protection.
Bill Busby March 22nd, 2010, 09:48 PM Actually the "No Script" add on for Firefox is much more effective, in conjunction with AdBlock.
Ervin Farkas March 22nd, 2010, 09:57 PM We're in the process of transitioning to a hosted ad platform so that we won't risk further security exploits and have turned off ad serving till that transition is complete.
Are you sure?
I got this YieldManager intrusion 40 minutes after you reported "ad serving turned off".
Jeff Kramer March 22nd, 2010, 11:46 PM The implicated exploits wouldn't be setting tracking cookies, they would be downloading pdfs or other files to your machine. It would really be helpful if you mention what page you're on when you get these alerts, though.
Ervin Farkas March 23rd, 2010, 05:19 AM Full system scan (all drives, including external ones connected) turned up nothing. If I get the alert again, I will make a full page screen capture so you can see the page I'm on.
Thanks,
Dylan Couper March 23rd, 2010, 08:30 AM It appears that our ad server was compromised by an automated remote exploit sometime in the last 2-3 days, resulting in security exploits being appended to random banner ads. No user data was compromised but if you visited the forums in the last few days on a Windows PC we recommend making sure your antivirus definitions are up to date and running a full system scan. If you don't have antivirus software installed, you can get free Windows antivirus products from AVG:
AVG Free - Download installation files & documentation (http://free.avg.com/us-en/download?prd=afg)
Just a note on AVG. I was fully protected by AVG, and the laptop I was using was obliterated by the virus. It did nothing to protect me. This is the second time AVG has failed to protect me in the last 2 years. I'm done with them, and will try Avast from now on.
Ervin Farkas March 23rd, 2010, 08:37 AM Remember, antivirus software is always one step behind the attackers. You probably got attacked among the first ones, with AVG not having enough time to shield your computer.
My company pays big bucks for "the best of the best" antivirus - Symantec. For the most part it's OK, but still, every now and then we get hit.
The only way to fully protect yourself is to pull that plug labelled "LAN".
Ron Little March 23rd, 2010, 08:50 AM I spent all day Sunday trying to get rid of the virus. I had to dump my antivirus program, then reload it, then run a deep scan. I had 4 trojans on my system.
The only way my system would work was in safe mode. The virus locked everything down and ran a screen that looked like it was doing a virus scan it then wanted me to pay $50 dollars to fix it. It shuts down your anti virus program then pretends to be your virus software. It shows up in the system tray as a shield. It locks you out of everything until you buy the update. I wonder how many people gave them a credit card number?
Ervin Farkas March 23rd, 2010, 08:58 AM I had the same thing several months ago on another computer running both Avast antivirus and Spybot S&D - neither one caught it.
MalwareBytes was unable to clean it, even in Safe Mode.
Googling around I found the name of the actual exe file causing the problem (I forget what it was), shut down Windows, popped in my trusty Linux CD (Ubuntu) and deleted the file.
Switched to AVG.
I don't think that was from this website though...
Alex Chamberlain March 23rd, 2010, 09:45 AM Amen to Dylan's assessment of AVG. I've been less than impressed lately. I've been using Malwarebytes Free version to great effect to clean systems that AVG allowed to be compromised. (Although, lately, I've been having to boot off a different Hard Drive before scanning for it to work) I think their paid version is pretty economical too, and it's for a lifetime membership. Anyway, Thanks for the heads up DVinfo, and keep up the good work.
Dave Blackhurst March 23rd, 2010, 04:30 PM That virus you guys mention sounds familiar, one of my boys got it on their machine - it's PC scan 2009 or something like that - it's brutal, I've been unable to find very good documentation on it, it morphs, stealths and generally destroys your ability to do anything with your computer by altering system settings so you can't do anything to cure the computer. It also locks or causes every legit virus scanner I could find to crash or reboot or error out...
Everything you try to do pretty much brings up a screen asking you to go buy their "virus software"...
I couldn't find any indication on the web that anyone had successfully eradicated it from an infected system, I "cleaned" it twice, the third time it shut me out completely (like I mentioned, it morphs... making eradication way more fun than any other virus I've ever seen). Finally just disconnected the machine and put it in the reformat and reinstall queue...
It's obviously a scam to get credit card#'s by pretending to be a virus scanner, but if you get it, your machine is toast... makes klez.h look like a walk in the park by comparison. If you get caught by it, you'll know it though...
BTW, I ran housecall virus scan, nothing turned up on my Win7 box.
Alex Chamberlain March 23rd, 2010, 04:42 PM Dave,
That's the exact same problem I've been using MalwareBytes to deal with, but it won't work if the machine is booting off the disk you're trying to clean. You have to put the HDD into a clean computer and scan it with MalwareBytes (or maybe something else, I've only used MalwareBytes) after booting off the clean Hard Drive. Hope this saves you some trouble! Good luck!
Ron Little March 23rd, 2010, 04:42 PM McAfee was able to isolate and delete the virus. But it trashed my version of McAfee. I had to go in under safe mode, uninstall McAfee, then reinstall it and run it in safe mode; after that I was able to boot up normally.
Adam Gold March 23rd, 2010, 05:51 PM I got hit twice this weekend as well while reading posts here. Didn't want to cry wolf as I wasn't sure it came from here but it seems likely now. Got it Saturday morning first and symptoms were as Ron described --- it kills everything including your AV SW. Rebooting into safe mode allowed Malware Bytes Anti Malware to run and clean thoroughly, but I still had to do a system restore to get the browsers working again.
Then after cleaning, I got hit again while here. Same process worked fine.
I've now disabled all Active X and Java/Javascript and things are fine, although the browsing experience is somewhat hindered. Probably being over-paranoid but I killed a whole day.
It's brilliantly evil.
Ervin Farkas March 23rd, 2010, 06:47 PM The more I read the better I feel about my free AVG... caught the nasty pest at first try!
Pete Bauer March 23rd, 2010, 07:08 PM I got hit by this yesterday morning as well.
Similar to Alex, here's what I did:
- Removed the hard drive from the laptop
- Took an old computer off-network (no wireless, no wired connection...single, isolated PC only)
- Attached the affected drive using an external HDD housing
- Booted and immediately ran a full scan using the free MS Security Essentials (already installed as we were giving it a try on the old computer) and did the "clean" as directed when it listed two trojans (see picture).
- Once the formerly infected laptop was running again, I deleted all IE temp files. IE loads but won't retrieve web pages, so I'll just do a re-install of IE tomorrow.
I also ran a deep scan with the latest ZoneAlarm afterward, but it came up clean...so those two trojans were all that was to be found. You can get a fully functioning ZA trial for free. I can't know for sure, but I'll bet that Zonealarm would also have taken care of the problem.
Norton corporate is what was on the infected laptop and it obviously didn't stop the infection, so I can't recommend that for cleaning.
Oh, and I want to point out that it was the malware trying to go to adult.com (and viagra.com and porno.org), NOT me. Really!
Adam Gold March 23rd, 2010, 07:28 PM Pete, I had the same issue with IE not loading pages after cleaning the PC, even after reinstalling, updating and upgrading to later versions than the one I'd been using. Nothing worked until I did a system restore.
Pete Bauer March 23rd, 2010, 07:39 PM Thanks for the heads up, Adam. I'll give re-installing a try tomorrow and if no joy will try a restore. If all else fails and I do end up doing a re-install, at least this has given me the chance to get every single data file and setting I want to keep backed up!
Now that I know my data are safe, the worst part of this is that it is taking away all my free time so I'm delayed in putting my new 980X build through its paces! But that's a topic for a future thread.
;-)
Ervin Farkas March 23rd, 2010, 08:04 PM The implicated exploits wouldn't be setting tracking cookies, they would be downloading pdfs or other files to your machine. It would really be helpful if you mention what page you're on when you get these alerts, though.
Here we go, it's happening again - this time I did a full page capture, so Jeff can see what page I'm on.
Jeff Kramer March 23rd, 2010, 08:23 PM I've spent the last 15 minutes clicking around the site in safari looking for odd file loads and cookie settings but haven't gotten anything from yieldmanager. The next time you get it if you can see what ads are at the bottom of the page that would help. I've checked with Chris and we don't run any ads that call other vendors ad platforms, we just serve jpgs or swf files directly and they're all supplied by our advertisers directly.
Marty Welk March 23rd, 2010, 08:39 PM That virus you guys mention sounds familiar, one of my boys got it on their machine - it's PC scan 2009 or something like that - it's brutal, I've been unable to find very good documentation on it, it morphs, stealths and generally destroys your ability to do anything with your computer by altering system settings so you can't do anything to cure the computer. It also locks or causes every legit virus scanner I could find to crash or reboot or error out...
Everything you try to do pretty much brings up a screen asking you to go buy their "virus software"...
I couldn't find any indication on the web that anyone had successfully eradicated it from an infected system, I "cleaned" it twice, the third time it shut me out completely
BTW, I ran housecall virus scan, nothing turned up on my Win7 box.
i got this one once (or variant), and i learned a trick when trying to remove it.
i will try and make this short.
it shuts off everything by screwing with registry settings that stop EXE from functioning, so without fixing the registry's EXE stuff you can't run stuff, because you can't run stuff you can't fix it.
of course i could boot into the other system and remove the files on the main system, BUT i still had to fix the registry in the OTHER one. and i forget how to load a "hive" for editing.
so my cheap trick, being it had locked out Exe, was to rename (with my one last open window) the registry editor to regedit.com. now that sounds like a web address, but COM are those other executables that DOS-like stuff used, because the virus was not messing with the registry setting for Com, i was able to then run the Taskmanager (ctrlaltdel) and run my renamed version of regedit.com
fixed the exe setting, then ran the virus removal program.
B*#&@^$%S , i beat them.
some of these are made by BS virus removal programs, so they keep changing everything so they aren't spotted by virus programs. basically it's our worst nightmare, virus removal experts MAKING trojans to sell their virus removal programs.
Class Action Lawsuit time.
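One check that follows from Marty's description above, as an added example that is not the thread's own code or a tool it mentions: a read-only PowerShell audit of the file-association registry keys that this kind of scareware rewrites, which also confirms whether the .com association (the one the regedit.com trick relies on) is still intact. The expected stock values and the assumption that a clean profile carries no per-user .exe override are mine, not from the thread.

```powershell
# Added example (not from the thread). Audits the registry keys that decide how
# Windows launches .exe and .com programs. The scareware discussed above works by
# rewriting the .exe association so every program launch runs the rogue binary;
# the regedit.com trick works only because the .com association is left alone.
# Read-only; run from an elevated PowerShell prompt on the machine in question.

# Machine-wide associations and the values a stock Windows install carries.
$systemChecks = @(
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                      Expected = 'exefile' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Expected = '"%1" %*' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.com';                      Expected = 'comfile' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\comfile\shell\open\command'; Expected = '"%1" %*' }
)

# Per-user class registrations take precedence over HKCR. Assumption: a clean
# profile has no .exe entry here, so anything present deserves a look.
$userOverrides = @(
    'Registry::HKEY_CURRENT_USER\Software\Classes\.exe',
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'
)

function Get-RegistryDefault {
    param([string]$Path)
    try {
        # '(default)' is how PowerShell exposes a key's unnamed default value.
        (Get-ItemProperty -LiteralPath $Path -ErrorAction Stop).'(default)'
    } catch {
        $null   # key does not exist or is unreadable
    }
}

# Returns one report line per key; lines not starting with OK are findings.
function Test-ExeAssociation {
    $lines = @()
    foreach ($check in $systemChecks) {
        $actual = Get-RegistryDefault -Path $check.Path
        if ($null -eq $actual) {
            $lines += "MISSING   $($check.Path)"
        } elseif ($actual -ne $check.Expected) {
            $lines += "HIJACKED  $($check.Path) now [$actual], expected [$($check.Expected)]"
        } else {
            $lines += "OK        $($check.Path)"
        }
    }
    foreach ($path in $userOverrides) {
        if (Test-Path -LiteralPath $path) {
            $value = Get-RegistryDefault -Path $path
            $lines += "REVIEW    per-user override present: $path = [$value]"
        }
    }
    return $lines
}

$report = Test-ExeAssociation
$report | ForEach-Object { Write-Output $_ }
$problems = @($report | Where-Object { $_ -notmatch '^OK' }).Count
Write-Output "$problems problem(s) found."
# A HIJACKED command value pointing into a temp or profile folder names the
# rogue binary that a removal guide would have you look for.
```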
John C. Chu March 23rd, 2010, 09:00 PM I've had good luck following the instructions on bleepingcomputer.com to fix a few PCs with that strain of Scareware that prevents access to task manager to kill the process. [And claims everything you have is infected.]
Of course, it is best to have access to another computer to download the tools and burn the tools you need to fix an infection.
Bleepingcomputer has a great file called rkill.com that when executed, will stop the process.
Here is a pretty good guide:
Remove Antivirus Soft (Uninstall Guide) (http://www.bleepingcomputer.com/virus-removal/remove-antivirus-soft)
Adam Gold March 23rd, 2010, 09:05 PM Has anybody scanned that link for viruses?
Lorinda Norton March 23rd, 2010, 10:20 PM Not that it matters, I suppose, but I'm curious: I don't understand why some of us (assuming lots of us) got through the weekend unscathed--without even a notice. I came here off and on during that time frame on both a desktop running AVG free and a laptop running Avira (also free). Never knew anything was going on and my PCs appear to be fine.
Is there most likely a shared characteristic amongst those who were affected?
Chris Soucy March 24th, 2010, 01:13 AM Else I didn't wade in muddy waters, I guess.
No problems here and I'm a regular visitor.
Have noticed their updates are coming in faster than a speeding bullet tho'.
Guess they're on the case.
That's what I pay for.
CS
Ervin Farkas March 24th, 2010, 06:02 AM Not that it matters, I suppose, but I'm curious: I don't understand why some of us (assuming lots of us) got through the weekend unscathed--without even a notice. I came here off and on during that time frame on both a desktop running AVG free and a laptop running Avira (also free). Never knew anything was going on and my PCs appear to be fine.
You probably have your antivirus software set to silently kill the intruders; mine is set to notify me and let me make the decision.
Chris Hurd March 24th, 2010, 07:07 AM Is there most likely a shared characteristic amongst those who were affected?
We're not about to go down the browser war road here, but the commonality might be Internet Explorer.
Ervin Farkas March 24th, 2010, 07:32 AM It is of paramount importance to use all of the security tools available. Use the most recent version of the browser of your choice, the newer the version, the more secure it is.
While some browsers have suffered more defeats than others, the history of cyber attacks has proved that there is no absolutely safe browser. When judging browser safety, keep in mind that IE is still the king with 62%... so if I was a hacker, I would not waste my time trying to attack Safari (4%). See Browser market share (http://marketshare.hitslink.com/browser-market-share.aspx?qprid=0) for February 2010 data.
Sure, you can turn off java, flash, etc, and be less vulnerable, but your browsing experience will suffer.
I think Microsoft has now included safety tools that make IE8 safe; combined with the security options from AVG I feel at peace (see image below) - the proof is that I was the first to detect and report the attack on this site.
Pete Bauer March 24th, 2010, 09:42 AM It took just a few seconds to fix IE using the "reset" button in advanced options:
How to reinstall or repair Internet Explorer in Windows Vista and Windows XP (http://support.microsoft.com/kb/318378)
All seems to be well.
Lorinda Norton March 24th, 2010, 10:10 AM You probably have your antivirus software set to silently kill the intruders; mine is set to notify me and let me make the decision.
Well now, don't I feel silly...of course that would be the case. I mainly use Firefox but sometimes it acts up on my one machine so I switch to IE.
All interesting info and good to know. Thanks, guys. And if anyone can track it down it will be Jeff.
Dave Blackhurst March 24th, 2010, 11:38 AM We're not about to go down the browser war road here, but the commonality might be Internet Explorer.
Possibly, but I'm running IE8 with all current MS "patches" and "updates" to Windows Defender, no adverse happenings here at all, that I can see. I know the machine my son was running when he caught that nasty virus (not on DVi) was XP/IE8, but the updates were a little bit behind the curve... sometimes I let the "secondary" machines slide on updates (won't be doing that anymore...).
Robert Martens March 24th, 2010, 11:46 AM Is there most likely a shared characteristic amongst those who were affected?
You probably have your antivirus software set to silently kill the intruders ...
... the commonality might be Internet Explorer.
I'm not sure it's of any diagnostic use, but I use IE 8 with only the Google toolbar installed, I was on the site over that weekend (again and again and again, the same way I am during every minute of spare time every other day of the week), and I had temporarily set both the on-access and realtime heuristics checks of my copy of Comodo Internet Security to disabled. Even when they're enabled, I have the software set to pop up a notification when something suspicious occurs. Nothing popped up, and a full system scan with first CIS and now MSE--just to try it out, I'll probably be going back to Comodo--showed nothing.
Comodo's firewall was enabled, but again, it displays warnings when something happens. The firewall in my router blocked some TCP SYN flooding on the 15th of this month, but nothing has happened since, as far as its log shows.
I'm on XP SP3, all available updates installed from every category, save the optional Windows Search 4.0 (tried it, huge pain, not worth it) and an updated graphics card driver. I wish I had more to offer, but I have no idea what could have happened here. If the virus was associated with random banner ads I suppose maybe I just got lucky and never hit one carrying the attack.
Marty Welk March 24th, 2010, 09:45 PM Not that it matters, I suppose, but I'm curious: I don't understand why some of us (assuming lots of us) got through the weekend unscathed--without even a notice.
Is there most likely a shared characteristic amongst those who were affected?
only can speak for myself.
I have never owned a virus removal program, or protection other than closing all the HOLES that were in Microsoft manually, and only opening said holes when on Reliable known sites (umm like this one) for ages. (i didn't get this one this time)
now my system is old, it is smalled down manually for video editing and speed, my browser is aged, the system is so small and frugalised it wont even update. I havent had to re-install XP since it first existed, however long that was.
i will not run a virus program continually, but i can identify EVERY item that is running on my computer, and know almost every Driver item left running (about 76 of 200+)
deep firewall, but that doesnt prevent walking right INTO a virus.
if you sent an attachment i didnt see it , wont open em. (no dancing bunnies for me)
dont preview e-mails, delete first junk without even looking. (why open what i didnt want)
i dont want to see Kernakolbia nakid , so you cant tempt me (well i do, but you still cant make me)
i Avoid crooked sites, warez, cracks, net thieves and conmen. (mostly)
i BUY legal software, and Love good freeware from reliable (virus tested) locations
i dont fall for Faux freeware, has to be real people who worked to help community.
I don't follow links with too good to be true promises
if i was going there, i will get there direct
3rd party (now useless) Browser had Blocker things (years ago) that eventually were put in new browsers
nobody is in my MS address book thing (don't keep addresses there)
i don't allow the computer to STORE secure information, other than local login, so there isn't anything useful found in "protected (my butt) Storage" on the computer
spyware blaster, and myself, puts evil web sites on restricted
ActiveX is shut off (programs from the web) (until i am sure)
with OLD MS java they couldn't do much, now i got the new JAVA, which can be scripted and has many more new holes. but Web sites now are a complex pile of Code, so without scripting too many of them won't even operate. Open Hole To View ---> enter here.
Sites have the same basic Look they did, just 50 times the code, no cleanup, no optimisations. when THEY get a virus they can't even find where it was coming from easily.
More Holes, more Code, more Tricks, less ability to block it out, i got OWNED , have had 2 things get me since Xp came out, and both in the last 2 years.
make that 3, one came on a Drivers disk from china, but it was so lame it didnt even run, more closed holes.
soon to join the "need 5 more programs to keep out Bugs" crowd. Sealing up the holes, or Poisoning the whole computer, choices choices.
i do have the virus tools available, so i can scan for them like anybody else, but really NEW things dont have documentation, and exist in the updates for a few days anyways, so i can tell if i got something before they would at times.
i have helped a Few people and customers with their computers, and they were living with many many adwares, malwares, hacks, trojans, general crud, and it didn't even bother them ??? one computer had over 15 Things controlling them, AND virus removal programs in the corner. every time i see that i get scared and scan mine :-)
have you seen some of those "hijackthis" logs on the web, where a tech is trying to see what is going on in a person's computer. there is like 4 Pages of STUFF, over 30-40 running things, minus drivers and Dlls. i don't see how anyone could even know what is what anymore. then go back to win98, 4 things running and 20-30 drivers, everyone could know back then if they looked. Somewhere along the way we all got Owned :-) and i don't see what they got out of it, Dancing 3D bunnies :-)
Lorinda Norton March 24th, 2010, 10:38 PM Hope this isn't too OT...
I'm trying out the free version of Sandboxie right now. Supposedly, I could trap any malware inside this sandbox and my PC is untouchable...
Ervin Farkas March 25th, 2010, 08:20 AM "People who assume their stuff is secure are a hacker's best friend" - John Zern, today, on ZDNet, see Pwn2Own 2010: iPhone hacked, SMS database hijacked | TalkBack on ZDNet (http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=77416&messageID=1505368).
Just yesterday, hackers got into the 'untouchable' iPhone and successfully harvested data from it. And it was a fully patched one! Read here: Pwn2Own 2010: iPhone hacked, SMS database hijacked | Zero Day | ZDNet.com (http://blogs.zdnet.com/security/?p=5836). But we digress...
Still, it is secure to declare: there is no such thing as 'secure'! There are only less vulnerable and more vulnerable devices.