Goodbye spinquad!!



prometheus
07-23-2010, 12:45 PM
I've had it. I'm fed up with getting malware warnings, browsing hijacks etc. when visiting spinquad... I guess I'm just one in the row?

I feel really sad about it, and I feel for all those involved in spinquad, and I wish there was a way to catch these guys and file a lawsuit against them to ruin them completely, but unfortunately I don't believe that will happen.

I do hope that someday spinquad will have better resources to deal with
these malware attacks.

After the latest days of attacks I was trying again a few minutes ago and got an instant Avast malware warning... so now I'm quite fed up with it, and I'm sorry to say I find no use in going there any more in the nearest future, so I'll keep away for a couple of months, not even visiting the site.

I urge the spinquad masters to try and solve it (if they can?) and please do post information about it here at newtek so people once again can feel the urge to visit the otherwise wonderful spinquad community.

Any contacts to me regarding older posts or mails in spinquad should be posted here at newtek or through personal messages here, since I'm leaving the spinquad community for a while.

Michael

OnlineRender
07-23-2010, 01:25 PM
Remember, antivirus data logs, once flagged, stay flagged for several months even if the site is clean...

colkai
07-23-2010, 01:28 PM
Not the only one, I've had one virus warning after another if I go to the SQ or Kurv websites so likewise, I'm seriously considering avoiding them from now on.
It is, at best, disconcerting, especially as the last one when I went to the kurv website tried to load Java and execute something virus infected, I closed my browser as fast as possible, killed Java and thankfully my virus checker blocked the action from continuing.

Been only in the last week for me, so something is definitely screwy.
Like you say though, think I'll be giving it a WIDE berth for a while.

Tobian
07-23-2010, 01:29 PM
You know I haven't had a single bug or hijack whenever people mention this?! Maybe it's because I use FF with Noscript?

OnlineRender
07-23-2010, 01:29 PM
What is the warning exactly? Correction: what is the string / exact error?

OnlineRender
07-23-2010, 01:31 PM
Is it wingn.exe running somewhere?

Cageman
07-23-2010, 01:36 PM
I usually have a warning when visiting SpinQuad, but it seems that Avast is now taking care of it and not warning me?

OnlineRender
07-23-2010, 01:42 PM
There is something... looks embedded into Java somewhere, hang on!

Kuzey
07-23-2010, 01:43 PM
Yeah... basically it tells you that a plugin is required to view content on the page and starts downloading:

http://www.newtek.com/forums/showthread.php?t=110680&page=3

Kuzey

OnlineRender
07-23-2010, 02:11 PM
HTML / Malicious.PDF.Gen
Discovered: 05/27/2009
Type: AHeAD Heuristic special detection
In the wild: Yes
Reported infections: Low
Distribution potential: Low
Damage: Low
Static file: No
Engine version: 7.09.00.180

Just for reference: "openx", the virus name has no other connection with PDF, other than it also writes a PDF on the host somewhere "AS WELL".

It's a variant of that, which although low risk to the client is bad for the host, nasty and super fast...


If you're going on I suggest doing what Tobian does, and if possible disable Java.

Kuzey
07-23-2010, 02:23 PM
I'll do that the next time I boot up in XP...just to be safe.

Kuzey

OnlineRender
07-23-2010, 02:36 PM
killed Java and thankfully my virus checker blocked the action from continuing.


Your virus scanner probably did block it, but remember to take into consideration that some viruses/coders like to be found, and it's for a good reason: mainly it opens loopholes.

I knew something was wrong the other day when I posted on spinquad, because Comodo closed down, then restarted... which means it's on my laptop; even though ESET didn't find the actual virus, it's hidden in the registry files, but tbh it's just another virus to add to my ever-growing collection; after all, I have Windows!

Tobian
07-23-2010, 02:58 PM
Well with No-script I barely ever get any dodgy website problems, as it, by default, almost completely blocks everything, till you enable it :D That's invaluable to help with the internet in general!

Andrewstopheles
07-23-2010, 03:04 PM
scary

jrandom
07-23-2010, 04:27 PM
Well with No-script I barely ever get any dodgy website problems, as it, by default, almost completely blocks everything, till you enable it :D That's invaluable to help with the internet in general!

I use Firefox, AdBlock, NoScript, and browse from a Mac. Guess I'm pretty well covered for the time being. :agree:

probiner
07-23-2010, 04:42 PM
Sandboxie is great for that matter too.
Any changes to the registry and system are done inside a deletable box whether you are using a browser, checking your mail with an email manager or using an application.
http://www.sandboxie.com/

Tonttu
07-23-2010, 05:12 PM
I wonder if this project would help Spinquad: http://spambotsecurity.com/
I have it installed on a forum.. It provides hack protection in addition to spam protection.

OnlineRender
07-23-2010, 05:52 PM
Sandboxie is great for that matter too.
Any changes to the registry and system are done inside a deletable box whether you are using a browser, checking your mail with an email manager or using an application.
http://www.sandboxie.com/



I have Comodo, it also runs a sandbox, but again, as soon as the packets are sent, you're gimped.

VicMackey
07-23-2010, 05:57 PM
I followed a link from the spinquad gallery of work email to the "Regen" project and a Java 6 window popped up. Shortly after a fake adware scanner ran (looked like it was checking my computer) I closed it and it diverted my browser to an adware scanner purchasing site. After I dealt with the infection with malware bytes, it had changed the proxy settings on my PC, took me a half hour or so of fiddling to finally get the internet working again in my browser (I had to use Hijack This to remove the false registry entry that changed my proxy settings).

It was a bloody nightmare. Having seen that this isn't the first and only occurrence, I'm afraid I will be avoiding SQ for the foreseeable future. Not really fun when you can't use your PC or the internet properly because of some nasty infection, when all you did was click one link!

erikals
07-23-2010, 06:10 PM
No problems here, I use Firefox, AdBlock, BetterPrivacy.

Java, can't stand it, if I absolutely need it I install it and uninstall it.

VicMackey
07-23-2010, 06:12 PM
This was in Internet Explorer. If anyone from SQ is reading this, these are the files two separate scans in malware picked up after the infection: (unnecessary info edited out)

Scan type: Quick scan
Objects scanned: 672
Time elapsed: 24 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Users\TheHoff\AppData\Local\bfawqnpvs\alkwonutssd.exe (Trojan.Dropper) -> Unloaded process successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\enyradbw (Trojan.Dropper) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\TheHoff\AppData\Local\bfawqnpvs\alkwonutssd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.



Scan type: Quick scan
Objects scanned: 132453
Time elapsed: 3 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\TheHoff\AppData\Local\Temp\0.006076164158102526.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
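
The two scan reports above are the kind of output a responder has to read in a hurry. As an added example (not Malwarebytes' code and not anything posted in the thread), this Python parses a report in that format into structured findings and then pulls out what matters for the next step: which entries were autorun persistence (the value under ...\CurrentVersion\Run), which actions did not complete, which on-disk paths to re-check after the reboot, and whether the summary counters agree with the itemised sections. The sample is the first scan above with the forum's word-wrap spaces removed from the long paths; the section and item patterns are assumptions drawn from that paste.

```python
import re
from dataclasses import dataclass

# Constructed sample: the first of the two Malwarebytes-style scan reports pasted in
# the thread, with the forum's word-wrap spaces in the long paths removed.
SAMPLE_LOG = r"""
Scan type: Quick scan
Objects scanned: 672
Time elapsed: 24 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Users\TheHoff\AppData\Local\bfawqnpvs\alkwonutssd.exe (Trojan.Dropper) -> Unloaded process successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\enyradbw (Trojan.Dropper) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\TheHoff\AppData\Local\bfawqnpvs\alkwonutssd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

# "<name>: <number>" summary counters and "<section>:" headers, then one item per line:
# "<target> (<detection name>) -> <action taken>."  (format assumed from the paste above)
SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+): (?P<value>\d+)$")
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")

@dataclass
class Finding:
    section: str    # e.g. "Registry Values Infected"
    target: str     # file path, registry key/value, or process image
    detection: str  # e.g. "Trojan.Dropper"
    action: str     # what the scanner did about it

def parse_scan_log(text):
    """Split a scan report into (summary counters, itemised findings)."""
    counts, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            counts[m.group("name")] = int(m.group("value"))
            continue
        if line.endswith(":"):
            section = line[:-1]
            continue
        m = ITEM_RE.match(line)
        if m and section:
            findings.append(Finding(section, m["target"], m["detection"], m["action"]))
    return counts, findings

def autorun_entries(findings):
    r"""Findings that are persistence: values under ...\CurrentVersion\Run."""
    return [f for f in findings if "\\currentversion\\run\\" in f.target.lower()]

def unresolved(findings):
    """Findings the scanner could not neutralise; these need a second pass (Safe Mode)."""
    return [f for f in findings if "successfully" not in f.action.lower()]

def affected_paths(findings):
    """Distinct on-disk paths to confirm are gone after the reboot."""
    return sorted({f.target for f in findings if re.match(r"[A-Za-z]:\\", f.target)})

def count_mismatches(counts, findings):
    """Summary counters that disagree with the itemised sections (a truncated paste shows up here)."""
    per_section = {}
    for f in findings:
        per_section[f.section] = per_section.get(f.section, 0) + 1
    return {n: (c, per_section.get(n, 0)) for n, c in counts.items()
            if n.endswith("Infected") and c != per_section.get(n, 0)}

if __name__ == "__main__":
    counts, findings = parse_scan_log(SAMPLE_LOG)
    for f in findings:
        print(f"[{f.section}] {f.detection}: {f.target} -> {f.action}")
    print("autorun entries:", [f.target for f in autorun_entries(findings)])
    print("unresolved:", [f.target for f in unresolved(findings)])
    print("paths to re-check:", affected_paths(findings))
    print("counter mismatches:", count_mismatches(counts, findings))
```

The point of `count_mismatches` is that forum pastes and ticket attachments get trimmed; if a section lists fewer items than its counter claims, ask for the full report before declaring the machine clean.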

jrandom
07-23-2010, 06:47 PM
This was in Internet Explorer.

Well there's your problem right there.

AAAHHHH don't hit me!

(Seriously, though. Never ever ever browse the internet with IE. That's just asking for trouble. At a bare minimum you should be using Firefox + NoScript + AdBlock.)

djlithium
07-23-2010, 06:48 PM
Some removal instructions..

http://www.spywareremove.com/removesdexe.html

Tobian
07-23-2010, 06:50 PM
You used Internet Explorer... Oh dear, that explains a lot :D

Still, the people at Spinquad are trying their best to sort this out! :D

djlithium
07-23-2010, 06:58 PM
You used Internet Explorer... Oh dear, that explains a lot :D

Still, the people at Spinquad are trying their best to sort this out! :D

To be fair, it's not really spinquad's fault. From what I understand any site that runs ads from a service can be exposed to this problem without their knowledge, and it can happen over and over again. The best you can do is report the ad in question I guess (regen?) and then try and have it blocked from the ad service that feeds the site. That may be a process all on its own that takes time.

Tobian
07-23-2010, 07:05 PM
Yeah indeed, it's very annoying, as it's not entirely within their control! Hopefully the ad service sorts it out, as it'll damage their revenue stream potential (if people don't want to click on their links!)

Jim M
07-23-2010, 07:08 PM
Firefox + AdBlock here. Never had a problem.
Although had problems with Java in the past... crashing and so forth. I wonder if the country could sue the makers of 'Java' for defamation?

Used NoScript a while back but it caused issues. Will try it again.

Jim M
07-23-2010, 09:15 PM
I just installed NoScript. Now spinquad is reported as a site attack page. Uninstalled NoScript, still being reported as bad....

Silkrooster
07-23-2010, 10:25 PM
I just installed NoScript. Now spinquad is reported as a site attack page. Uninstalled NoScript, still being reported as bad....

Yeah I sent an email to Kurv and Aurrora about it. I started getting the blocked message today. I think the message is a hoax, but I am not that familiar with Firefox's blocking, as spinquad is not listed in the options - blocked list.
So it will be figured out one way or another.

aurora
07-23-2010, 10:31 PM
It's also in FF. I just reported the issue. But we have already talked about these problems. Wes has contacted the people at VB and we are updating the current site to VB4 along with a few other changes. This is in response to a reported issue with our older version that has a known exploit leading to these issues. We are also at work on a MUCH better long-term solution that will prevent this issue in the future.

We deeply apologize for all the insanity this has/is causing all of us. This problem will shortly be fixed completely and all for the better in the long run. If you do so choose not to attempt to hit SQ right now I can not blame you I find all this mess a royal pisser too. But I promise SQ is about to go all Phoenix like and when risen from the ashes it will be worth the torturing flames.

erikals
07-23-2010, 10:36 PM
it better! hehe! http://erikalstad.com/backup/anims.php_files/biggrin.gif good luck. http://erikalstad.com/backup/anims.php_files/smile.gif

aurora
07-23-2010, 10:41 PM
Just so you guys know I believe you I get these issues with it with FF right now.

We are hoping we can get VB4 installed this weekend. I'll be talking with Wes again tomorrow afternoon and he or I will update you as soon as we know more.

3dWannabe
07-23-2010, 10:59 PM
With javascript and other vectors disabled, and security settings in lockdown, using IE isn't certain suicide, but I wouldn't recommend it to anyone I liked.

Definitely use NoScript and FireFox.

If you'd like to get up to speed on security issues, I highly recommend this weekly podcast, which also has mp3, pdf, txt, etc. downloads for the hundreds of past podcasts.

http://www.grc.com/securitynow.htm

The real worry should be ensuring that Acrobat (don't get me started on Acrobat, you have to disable a lot of 'features' by hand to get secure), Quicktime and Flash are updated.

Firefox even has a web page that can be used with IE to ensure that its plug-ins are updated (outlined on a recent Security Now podcast).

But, don't worry. All is not lost. In the end, given enough time, your anti-virus will turn against you and start eating enough important files to disable you (happens to several vendors a few times a year).

And if you do get infected, you won't even know it. You will have taken the 'Blue Pill' http://en.wikipedia.org/wiki/Blue_Pill_%28malware%29.

It will just sit there patiently waiting for bank account access. It's not there to crash your machine or cause you problems. Think of the virus as your friend, you'll never be alone anymore.

Cheers!

Matt
07-24-2010, 01:45 AM
If Google Adsense doesn't monitor their content then pull 'em.

VicMackey
07-24-2010, 09:09 AM
Some removal instructions..

http://www.spywareremove.com/removesdexe.html

Cheers :) Malware Bytes took care of it in conjunction with Hijack This in the end!

I never really have any problems with IE, and this problem actually started in the AOL browser first after clicking the link. I closed AOL when the java thing popped up, and pasted the link in IE, which was when I was certain it was the SQ page that caused it.

3dWannabe
07-24-2010, 09:21 AM
Some removal instructions..

http://www.spywareremove.com/removesdexe.html

BTW - it's a false sense of security to think that you can 'remove' anything that gets on your machine.

Once you've been compromised, it's not your machine anymore (it's their machine) as they can get control at a very, very low level that allows them to hide. The spyware removal tool is talking to a routine that they control to read/write from the hard disk.

Safest thing is to re-format.

Tobian
07-24-2010, 09:25 AM
AOL browser.......

*shakes head*

:D

Tobian
07-24-2010, 09:47 AM
Sadly I am getting it now, I can't actually browse SQ now - oops!

I doubt it now, but did you see my link to the news story about the VB exploit patch on SQ? May have been relevant.. if you can get to it through the big warnings LOL

VicMackey
07-24-2010, 09:58 AM
AOL browser.......

*shakes head*

:D

Everyone's poking fun at my choice of browsers... You wouldn't be poking fun if you saw the size of my cache :D

But seriously, I don't use AOL for web browsing, just for email and IM, but if you click email links they open up in AOL's resident browser!

warrenwc
07-25-2010, 07:36 AM
But I promise SQ is about to go all Phoenix like and when risen from the ashes it will be worth the torturing flames.

"The Torturing Flames" is a GREAT name for a rock band:)
Seriously though, good luck.

kurv
07-25-2010, 11:30 AM
We are definitely working on this right now and I think you all will be impressed with the fix.

kurv
07-25-2010, 11:32 AM
BTW we narrowed it down to one advertiser, we are in talks with them now. Basically we were serving up their compromised AD, not something on our site. :)

We have nuked the ads for the moment and we're still working on the site making sure we have the issues fixed.

OnlineRender
07-25-2010, 12:40 PM
BTW we narrowed it down to one advertiser, we are in talks with them now. Basically we were serving up their compromised AD, not something on our site. :)

We have nuked the ads for the moment and we're still working on the site making sure we have the issues fixed.
Get RID of the ads Wes, full stop dude! Honestly... get private ads, IR etc... ditch the rest.

aidenvfx
07-25-2010, 12:54 PM
BTW we narrowed it down to one advertiser, we are in talks with them now. Basically we were serving up their compromised AD, not something on our site. :)

We have nuked the ads for the moment and we're still working on the site making sure we have the issues fixed.

Why did you not turn off the ads as soon as this became a problem?

kurv
07-25-2010, 02:02 PM
If we knew it was an ad issue we would have :). We were checking everything.

OnlineRender
07-25-2010, 02:04 PM
BTW - it's a false sense of security to think that you can 'remove' anything that gets on your machine.

Once you've been compromised, it's not your machine anymore (it's their machine) as they can get control at a very, very low level that allows them to hide. The spyware removal tool is talking to a routine that they control to read/write from the hard disk.

Safest thing is to re-format.



Totally agree dude, but even C: format / c doesn't get rid of it, it will lie dormant... even in the CMOS or BIOS if it wants :D

OnlineRender
07-25-2010, 02:05 PM
Why did you not turn off the ads as soon as this became a problem?

That's like asking, "why did you stop your blood supply?"

CharlieL
07-25-2010, 03:43 PM
OK, this may explain why I got the same type of attack as VicMackey. I have recently visited both SpinQuad and Kurv. My antivirus program did not react, but I noticed that it was inactive when I discovered the curious behaviour of my XP computer. I was also redirected to a page that said I had a virus and I could be free from it by buying their antivirus solution. I did not do that but called my consultant, who came over. He tried to cope with the problem. XP did not accept my login any more and now all files in My Documents are blocked even if the virus is deleted. It looks like I will lose all my logins to lots of websites, and a lot of other things.

As I have not had a serious attack during the 21 years I have run my business, I maybe felt too safe with Firefox on XP.

Good you wrote about this because I was so confused about where I got it.

OnlineRender
07-25-2010, 05:54 PM
OK, this may explain why I got the same type of attack as VicMackey. I have recently visited both SpinQuad and Kurv. My antivirus program did not react, but I noticed that it was inactive when I discovered the curious behaviour of my XP computer. I was also redirected to a page that said I had a virus and I could be free from it by buying their antivirus solution. I did not do that but called my consultant, who came over. He tried to cope with the problem. XP did not accept my login any more and now all files in My Documents are blocked even if the virus is deleted. It looks like I will lose all my logins to lots of websites, and a lot of other things.

As I have not had a serious attack during the 21 years I have run my business, I maybe felt too safe with Firefox on XP.

Good you wrote about this because I was so confused about where I got it.

Firstly, the virus will not take over account login... full stop... it's not designed that way... in fact most viruses will never stop you... FULL STOP... in fact the more you are active on it, the better it is...

Secondly, the SQ virus is nothing, and when I mean nothing, I mean nothing! Fair play, it will own your computer, but so will M$. Here is a tip: never do online banking and never enter your CC details into a computer... end of.

VicMackey
07-25-2010, 07:05 PM
OK, this may explain why I got the same type of attack as VicMackey. I have recently visited both SpinQuad and Kurv. My antivirus program did not react, but I noticed that it was inactive when I discovered the curious behaviour of my XP computer. I was also redirected to a page that said I had a virus and I could be free from it by buying their antivirus solution. I did not do that but called my consultant, who came over. He tried to cope with the problem. XP did not accept my login any more and now all files in My Documents are blocked even if the virus is deleted. It looks like I will lose all my logins to lots of websites, and a lot of other things.

As I have not had a serious attack during the 21 years I have run my business, I maybe felt too safe with Firefox on XP.

Good you wrote about this because I was so confused about where I got it.

It wouldn't let me load AVG or anything once it installed, it even crashed Malware Bytes.

Recommend you run Malware Bytes (free) in SafeMode. Then after it has detected and deleted the infections run a full virus scan of your PC with whatever software.

After this download Hijack This (also free) and run a registry scan. Delete any entry that has changed your proxy setting or refers to a file that no longer exists.

Those are the steps I went through. I'm on Vista 64 but the pesky thing did lock out my access to various software programs and wouldn't let me use the internet until I deleted the faulty registry settings.
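
VicMackey's clean-up boils down to two checks: autorun entries whose target file no longer exists, and proxy settings nobody set on purpose. As an added example, not part of the thread, here is a Python audit of both written over constructed registry data (plain dicts standing in for the values under HKCU\...\CurrentVersion\Run and HKCU\...\Internet Settings) so that it runs on any system. The folder name bfawqnpvs and the value name enyradbw are taken from the scan log posted earlier; the user name, the two benign entries, the local proxy port, and the random-name heuristic with its 0.25 vowel ratio are all assumptions of this example.

```python
import os
import re

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values.
# "enyradbw" and the bfawqnpvs folder come from the scan log posted earlier in the
# thread; the user name and the two benign entries are made up for this example.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "enyradbw": r"C:\Users\alice\AppData\Local\bfawqnpvs\alkwonutssd.exe",
    "Updater": r"C:\Program Files\ExampleApp\updater.exe --quiet",
}

# Constructed sample of HKCU\...\Internet Settings values after a proxy hijack:
# traffic is forced through a local port that nothing legitimate listens on.
SAMPLE_PROXY_VALUES = {"ProxyEnable": 1, "ProxyServer": "http=127.0.0.1:45381", "AutoConfigURL": ""}

# Stand-in for os.path.exists so the example runs on any OS: only these two files "exist".
KNOWN_FILES = {
    r"c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe",
    r"c:\program files\exampleapp\updater.exe",
}

def sample_exists(path):
    return path.lower() in KNOWN_FILES

# Pulls the executable out of a Run command line, quoted or not, ignoring arguments.
EXE_RE = re.compile(r'^\s*"?(?P<path>[^"]+?\.(?:exe|dll|scr|com|bat|cmd|vbs|js))"?', re.I)

def looks_random(component):
    """Heuristic (an assumption of this example): an all-letter folder name of six or
    more characters with fewer than a quarter vowels, like bfawqnpvs."""
    s = component.lower()
    if not s.isalpha() or len(s) < 6:
        return False
    return sum(c in "aeiou" for c in s) / len(s) < 0.25

def audit_run_values(values, exists=os.path.exists):
    """Return [(value_name, exe_path, [reasons])] for Run entries worth removing or reviewing."""
    findings = []
    for name, command in values.items():
        m = EXE_RE.match(command)
        path = m.group("path") if m else command.strip().split(" ")[0]
        folders = path.replace("/", "\\").split("\\")[:-1]
        reasons = []
        if not exists(path):
            reasons.append("target file missing")        # orphaned entry: delete it
        if any(f.lower() == "temp" for f in folders):
            reasons.append("runs from a temp folder")
        if any(looks_random(f) for f in folders):
            reasons.append("random-looking folder name")
        if reasons:
            findings.append((name, path, reasons))
    return findings

def audit_proxy_values(values, allowed_hosts=()):
    """Return a list of problems with the user's proxy configuration."""
    issues = []
    if int(values.get("ProxyEnable") or 0) == 1:
        for entry in str(values.get("ProxyServer") or "").split(";"):
            hostport = entry.split("=", 1)[-1].strip()
            host = hostport.rsplit(":", 1)[0] if ":" in hostport else hostport
            if host in ("localhost", "::1") or host.startswith("127."):
                issues.append(f"proxy points at loopback ({hostport}): typical of a local hijacker")
            elif host and host not in allowed_hosts:
                issues.append(f"proxy host is not on the allowlist: {host}")
    if values.get("AutoConfigURL"):
        issues.append(f"AutoConfigURL is set ({values['AutoConfigURL']}): a PAC script can reroute traffic")
    return issues

if __name__ == "__main__":
    for name, path, reasons in audit_run_values(SAMPLE_RUN_VALUES, exists=sample_exists):
        print(f"Run\\{name} -> {path}: {', '.join(reasons)}")
    for issue in audit_proxy_values(SAMPLE_PROXY_VALUES):
        print(issue)
```

On a real Windows machine the two dicts would be read with `winreg` and `exists` left at its default; the audit deliberately reports reasons rather than deleting anything, because a missing target can also be an uninstaller that forgot to clean up, and the analyst decides.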

CharlieL
07-26-2010, 03:50 AM
Thanks a lot VicMackey,

Great to get hands-on insights from someone that has been there! I have forwarded this info to my consultant that now has my computer. Thank you.

VicMackey
07-26-2010, 09:46 AM
Thanks a lot VicMackey,

Great to get hands-on insights from someone that has been there! I have forwarded this info to my consultant that now has my computer. Thank you.

You're most welcome. Best of luck getting it sorted :thumbsup:

Silkrooster
07-27-2010, 10:50 PM
Just to keep all of you up to date. The spinquad forum has been updated. It has a new look. Not all of the CSS is done yet, but it is getting there. The Google block that Firefox uses has been lifted.
For those of you that are shy to check it out, I understand and we (spinquad team) will be waiting for your return.
Thanks for your patience and understanding. See you all soon.

MentalFish
07-27-2010, 11:21 PM
Not sure about the theme, the orange is burning my eyes! :D

How about this one:

http://www.vbskin.net/vbcart.php?do=product&productid=1
http://www.vbskin.net/vbcover/vbcart/screenshots/ambient-forumhome.png


Many great ones here:
http://www.justskins.com/vbulletin-styles-skins/20-brilliant-vbulletin-themes/217

and a very nice and simple one here: http://www.completevb.com/demo/index.php?styleid=46

Silkrooster
07-28-2010, 10:49 PM
As I mentioned the CSS is not done yet. So I am not sure at this point what the theme will actually look like when it is done. I am assuming the orange will stay, but not positive.

colkai
07-29-2010, 05:41 AM
Gawd I hope not, I physically cannot stand to read it, it actually knocks me sick if I spend more than a few seconds looking at it. Sounds daft I know, but actually, I'm not exaggerating. :(

erikals
07-29-2010, 08:25 AM
Gawd I hope not, I physically cannot stand to read it, it actually knocks me sick if I spend more than a few seconds looking at it. Sounds daft I know, but actually, I'm not exaggerating. :(

yep, the colors must change.
(other than that it's alright...)

Tobian
07-29-2010, 10:11 AM
I actually like the colours, everyone has different preferences I guess :D It's taking me time to get used to it but the new CSS for SQ looks pretty good, it just needs some tweaks for the bits which are broken! :D

erikals
07-29-2010, 10:17 AM
It's not that I don't like the colors, it's more of an issue with using an intense layout design.
The eye (my eye) tends to lose focus.
The main problem is the intense orange section bar (and the beige divider bars).

Tobian
07-29-2010, 10:26 AM
I think the orange is actually a nice colour, but the beige is a bit off, sort of looks a little green and weird as a colour-space-contrast thing to my eyes (how some colours make their neighbouring colours look different) so yes I do agree, it could be tweaked. But I do like the contrast of a bit of amber orange.. maybe it's just because I love those colours? :) (and I am no fan of beige hehe)

MentalFish
07-29-2010, 11:17 AM
Here is a quick doodle I did in Firebug. I'd say just tone down the amount of orange, and try to keep it consistent across all orange elements. Right now it is too many different orange tones, from peach to alarm orange and brown. If the logo is orange and green, then perhaps the green can be used in some elements too?

GandB
08-01-2010, 11:50 PM
I'll take your word about the color-scheme. I'm not touching either site right now; had my fill of malware attacks in the past. Hope Wes and Crew gets it taken care of; but I'm not willing to take the chance.

Tobian
08-02-2010, 05:33 AM
Not so keen on the green buttons, but that looks nice Petter! :)

GandB: the site has been clean for about a week now, it's completely free of the malware exploit it was suffering so far as anyone knows. It was to do with some advert feeds, which used an exploit. The adverts are currently offline, while the Site owners fix up the code/find alternatives, so there shouldn't be any danger.

inquisitive
08-02-2010, 12:33 PM
FYI, looks like SQ is still infected or got reinfected and is now indirectly affecting kurvstudios via openx... see my post in the [Earth to Kurv] thread.

Looks like more active sys admin needs to be done at your end, and really secure your installs.

mattclary
08-02-2010, 01:42 PM
You know I haven't had a single bug or hijack whenever people mention this?! Maybe it's because I use FF with Noscript?

Probably. :agree:

Tobian
08-02-2010, 05:57 PM
Hmm, looking at my source code on SQ reveals none of the stuff you show in your Earth to Kurv thread, and since there are no ads, I can't see what's causing the infection... it's an exploit, from off site, not a virus?

and yeah so far no problems *touch wood* with any nasty viruses or anything :D

inquisitive
08-03-2010, 01:50 AM
OK, let's simplify the issue I see.
Kurv's forum has an ad campaign displaying on the home page (appears to be an ad but it's not), the ad server is located in SQ, the ad campaign is serving an HTML web page (appears to be bogus, with the code to launch (in appearance) a toolbar install... who knows, maybe it spits a virus instead (not about to fully open my security to find out).

If you install the web developer plugin, visit Kurv's forum with FF, ignore the warning so the forum displays, then click on [View Source > View Frame Source > spinquad.com/openx......]. There appear to be two ad campaigns.

A new window opens up that only displays the source for that ad.
Do a search for 'wibi' and there you have it.

Either SQ is still vulnerable or the site is yet to be fully clean (if the ad server is delivering that sneaky code); to me it seems it can be one or the other... they should definitely check all of their ad campaigns, upgrade to the latest version and for the time being disable ads in Kurv's forum.

Hopefully this is clear for all and enough info so they fix the issue.

A side note to this whole issue is that it seems most visitors of Kurv are blocking JavaScript, so they are not seeing the ads they have on their site anyway.

Note: Personally I wish people would not block ads, as it is a small source of revenue for most site owners; on the other hand site owners need to be responsible and be on top of their installs to minimize their users' exposure to viruses, etc. It is obviously a trust issue, where one can take care of the other.

GandB
08-03-2010, 08:15 AM
GandB: the site has been clean for about a week now, it's completely free of the malware exploit it was suffering so far as anyone knows.
It appears this may not be the case, unfortunately. So I'll decline from visiting or ordering anything. Don't need my bank details going to some idiot hacker half a world away. No thanks. I do feel for Wes though.

kurv
08-03-2010, 10:40 PM
OK, let's simplify the issue I see.
Kurv's forum has an ad campaign displaying on the home page (appears to be an ad but it's not), the ad server is located in SQ, the ad campaign is serving an HTML web page (appears to be bogus, with the code to launch (in appearance) a toolbar install... who knows, maybe it spits a virus instead (not about to fully open my security to find out).

If you install the web developer plugin, visit Kurv's forum with FF, ignore the warning so the forum displays, then click on [View Source > View Frame Source > spinquad.com/openx......]. There appear to be two ad campaigns.

A new window opens up that only displays the source for that ad.
Do a search for 'wibi' and there you have it.

Either SQ is still vulnerable or the site is yet to be fully clean (if the ad server is delivering that sneaky code); to me it seems it can be one or the other... they should definitely check all of their ad campaigns, upgrade to the latest version and for the time being disable ads in Kurv's forum.

Hopefully this is clear for all and enough info so they fix the issue.

A side note to this whole issue is that it seems most visitors of Kurv are blocking JavaScript, so they are not seeing the ads they have on their site anyway.

Note: Personally I wish people would not block ads, as it is a small source of revenue for most site owners; on the other hand site owners need to be responsible and be on top of their installs to minimize their users' exposure to viruses, etc. It is obviously a trust issue, where one can take care of the other.

When we updated the forums and cleaned the site, we also moved all the ad software to a folder outside the site's domain.

There is no way the site is still infected.

The ads are also off of KURV ATM as well and it is also clean.

I don't know what you're seeing... please post some proof of the issues you are mentioning here :)

inquisitive
08-03-2010, 11:34 PM
The ads are off at KURV ATM but they were not off early today, yesterday or at least on 7/31, which is when I bumped into the issue after trying to help one of your customers (I am also your customer). Frankly I want to visit the site as much as everybody else but as you may understand... :)

His screen cap
http://www.newtek.com/forums/showpost.php?p=1043412&postcount=21
That displays what appears to be a banner but it's not (it's an HTML page) - see how it reads spinquad (I took my own screenshot and have highlighted the area with red lined boxes).

The next post contains the proof you want (another image), check the URL on that image - it is the HTML source of one creative of two that I saw.
http://www.newtek.com/forums/showpost.php?p=1043504&postcount=22
Initially it appeared to me that the toolbar code call was in some js file on SQ upload directory (as I had mentioned in that post), but it seems that may not be the case.

My gut tells me that some bad person may have cut/paste the HTML source of some SQ webpage in the creative placement and then plant their toolbar html call in there, but only you guys can tell if that is what was done by reviewing the ad campaign creatives.

Please take a look at the ad campaign URL in that screencap, locate the campaign in your ad server, and view the actual ad, if the bad person wasn't too sneaky you will probably find a creative with a bunch of html code that matches up that screen capture. If the bad guy got crafty who knows.

I have seen spammers do something similar with posts.. they will quote someone's post with a comment below it, but then they stick a spam link in the message they quote, thinking that the board admins will miss it.

The other thing that comes to mind is what someone else suggested, make sure that your backups are not infected (that would also include your campaigns too).

Also folder/file permissions and ownerships are important, so even if openx has a hole (known or unknown) they can't get too far.
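
inquisitive's advice is to open the campaign creatives and look, rather than trust that a "banner" is an image. As an added example (not OpenX's, SpinQuad's or Kurv's code, and not something from the thread), this Python audits an HTML creative the way an operator might before approving it: it lists every external resource and flags hosts outside an allowlist, inline scripts, plugin tags (applet, object, embed) and meta refresh redirects. The creative, the allowlist and every hostname are constructed placeholders on .invalid, and the "static images only" policy is an assumption of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample creative: what an ad server can hand back when a campaign's
# "banner" is really an HTML page. Every host here is a placeholder on .invalid.
SAMPLE_CREATIVE = """
<html><head>
<meta http-equiv="refresh" content="5;url=http://landing.example.invalid/install">
<script src="http://cdn.example-adnetwork.invalid/tracker.js"></script>
</head><body>
<img src="http://cdn.example-adnetwork.invalid/banner.png" width="468" height="60">
<script>document.write('<iframe src="http://toolbar.example.invalid/load"></iframe>');</script>
<applet code="Loader.class" archive="http://toolbar.example.invalid/loader.jar"></applet>
</body></html>
"""

# Hosts the site operator has agreed to let the ad network load from (constructed).
ALLOWED_HOSTS = {"cdn.example-adnetwork.invalid"}

class CreativeAuditor(HTMLParser):
    """Collects everything in a creative that fetches or runs code."""
    PLUGIN_TAGS = {"applet", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.external = []        # (tag, url) for every resource pulled from elsewhere
        self.inline_scripts = []  # bodies of <script> blocks with code in the page itself
        self.plugins = []         # tags that load Java/Flash style plugins
        self.meta_refresh = []    # content of <meta http-equiv="refresh">
        self._script_buf = None   # collects data while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            if a.get("src"):
                self.external.append((tag, a["src"]))
            else:
                self._script_buf = []
        elif tag in ("iframe", "frame", "embed", "img") and a.get("src"):
            self.external.append((tag, a["src"]))
        elif tag == "applet" and (a.get("archive") or a.get("code")):
            self.external.append((tag, a.get("archive") or a["code"]))
        elif tag == "object" and a.get("data"):
            self.external.append((tag, a["data"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh.append(a.get("content", ""))
        if tag in self.PLUGIN_TAGS:
            self.plugins.append(tag)

    def handle_data(self, data):
        # HTMLParser hands <script> bodies over as data (possibly in several chunks),
        # so an iframe written by document.write() is buffered here, not parsed as a tag.
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf).strip()
            if body:
                self.inline_scripts.append(body)
            self._script_buf = None

def audit_creative(html, allowed_hosts=ALLOWED_HOSTS):
    """Return human-readable reasons to reject the creative; an empty list means it passed."""
    p = CreativeAuditor()
    p.feed(html)
    p.close()
    issues = []
    for tag, url in p.external:
        host = urlparse(url).hostname
        if host and host not in allowed_hosts:
            issues.append(f"<{tag}> loads from unapproved host {host}: {url}")
    if p.inline_scripts:
        issues.append(f"{len(p.inline_scripts)} inline <script> block(s); approved creatives are static")
    for tag in p.plugins:
        issues.append(f"<{tag}> embeds a browser plugin inside an ad")
    for content in p.meta_refresh:
        issues.append(f"meta refresh redirect: {content}")
    return issues

if __name__ == "__main__":
    for issue in audit_creative(SAMPLE_CREATIVE):
        print("REJECT:", issue)
```

Run against each creative's HTML as exported from the ad server, an empty result is the only acceptable outcome for a campaign that was sold as an image banner; anything else goes back to the advertiser, and the same check on the site's own 404 page explains the confusion a few posts later, since a page that loads a third-party toolbar script looks exactly like a hostile creative to someone reading frame source.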

kurv
08-04-2010, 12:06 AM
Actually no, the ads have been gone... that HTML is a default 404 page from the new SpinQuad site... and it has no ads yet either :)

inquisitive
08-04-2010, 12:29 AM
So your default SQ 404 page for some odd reason was displaying in the banner area of Kurv forums? And are you then on purpose delivering that wibiya toolbar? Or did someone edit your 404 error page and add that call?

Strange also that your 404 got delivered via openx (unless a campaign was looking for some image no longer found in SQ, thus generating a 404)

Perhaps this may be your issue then:
http://community.wibiya.com/wibiya/topics/wibya_toolbar_recongnized_as_virus

kurv
08-04-2010, 12:33 AM
So your default SQ 404 page for some odd reason was displaying in the banner area of Kurv forums? And are you then on purpose delivering that wibiya toolbar? Or did someone edit your 404 error page and add that call?

Strange also that your 404 got delivered via openx (unless a campaign was looking for some image no longer found in SQ, thus generating a 404)

Perhaps this may be your issue then:
http://community.wibiya.com/wibiya/topics/wibya_toolbar_recongnized_as_virus

You're not understanding me... nothing is being sent via OpenX. The 404 page is being seen because the script is hitting nothing and the default folder's 404 page is loading instead.

Yes I installed the Wibiya toolbar and it is perfectly safe. It is loading because of the 404 page :)

Jim M
08-04-2010, 04:12 AM
I had something come up yesterday eve (UK time), where SQ was trying to do something; some trojan was attempting to be downloaded. AVG active surf shield blocked it. I have just tried to find a way of getting the log but can't find it.

inquisitive
08-04-2010, 01:20 PM
Actually I am understanding what you are saying, however for some odd reason I was presented with that 404 error page via openx per the openx url listed in the HTML source screencap, strange.

Thanks