Virus alert while browsing Tech Support Guy

IMiteBable2help (Senior Member), 22-Apr-2009, 07:45 PM #1
Now why do you suppose I would get this while browsing the forums?

Here's a screen shot:
Phantom010 (Trusted Advisor), 22-Apr-2009, 07:52 PM #2
Did you click on one of the ads?
IMiteBable2help (Senior Member), 22-Apr-2009, 09:12 PM #3
Absolutely not. I see where the alert says /adv/ but I believe I was editing a post or some other thing I've done a million times before. Instead of loading the next expected page when I finished, I got a blank screen with a bunch of text near the top. I thought, OK, I've seen that before a few times in a few years, and usually a retry of loading the page should get what I was expecting on the screen. Instead I got the virus alert while loading the page you see in the background. It seems to indicate an infected index.html file, but it also seems to give an IP address, as if the infected file was located on the website somewhere, as opposed to an infected file on my PC. Everything is fine on my end, everything comes up clean, so no worries, no problems, and the so-called threat was not located on my PC. I just thought it was strange.
__________________
Ever notice how the lives we make never seem to get us anywhere but dead?*** My build: AMD Athlon64 X2 6400+Black Edition, Asus M2R32-MVP Mobo, Windows XP MCE, 2GB Dual-Channel DDR2-800 RAM, 512MB NVIDIA GeForce 8400 GS Graphics, WD 500GB SATA-2 HDD, Sony Multi-Recorder DVD-RW/DVD-RAM, PCI-HDTV Tuner, Monitor: 42" LCD 1080p 16:9

Last edited by IMiteBable2help; 22-Apr-2009 at 09:34 PM..
Phantom010 (Trusted Advisor), 22-Apr-2009, 09:39 PM #4
Would be interesting to know if anybody else encountered this alert.
IMiteBable2help (Senior Member), 22-Apr-2009, 09:54 PM #5
If we knew where that IP address is, we'd know where the file in question is located. From what I could gather, the alert was triggered by an html file that was accessed by Firefox and was located at that IP address. All .html files on my computer come up clean. Full system scan of ALL files comes up clean as well.
lotuseclat79 (Distinguished Member), 22-Apr-2009, 10:04 PM #6
Hi IMiteBable2help,

Looking up the IP address in your image, 78.47.132.220, indicates a web site in either Germany or Russia (i.e. a Russian owner, and a web site in Germany) by looking it up with the Net Tool - WhoIs. Looks like your computer may have been hacked to me.

TSG did not generate this popup message, but something on your computer did. I would suggest you do a full scan at one of the online scanner web sites of your computer to find out what may have infected your computer (if it is actually infected). In the meantime, do not click on any links with which you are not familiar or get via email (a social engineering attack may have been in progress on your computer, or perhaps your computer was being spammed by another computer that has been hacked if your computer shows clean - most likely scenario).

When you post images like this please include the thread address at TSG so we can go to that thread - the writing is a bit small to read, but I did find the thread after I used my magnifying glass to read its name. I did not see any adverts on that web page - I use Linux/w Firefox.

-- Tom

P.S. Here is the WhoIs data on that web page site in the message:
__________________
The independence created by philosophical insight is - in my opinion - the mark of distinction
between a mere artisan or specialist and a real seeker after truth. - Einstein 1944
Imagination is more important than knowledge. - Einstein
IMiteBable2help (Senior Member), 22-Apr-2009, 10:38 PM #7
I guess that would be the somewhat paranoid take on what's going on, but I see no such evidence of an attack directed toward me on my end. All possible levels of security are set pretty high here. No evidence of anything unusual by my firewall, no slowdown or problems here, no infected files or any evidence of malware. I think it's just one of those random things, and it might even be a false positive on the part of AVG. I'm thinking the so-called threat might have even been triggered by an unusual advertisement on the page, or something like that, which would now be long gone. I know that sounds oversimplified, but I'm very sure of all my firewall/browser settings. I think the browser simply tried to load content and at some point, that triggered the alert from a remote file or server that my browser accessed. This, of course, was not allowed and I couldn't load the page. I think the alert that popped up was somewhat delayed, so it didn't show up until I had already refreshed the page. No biggie. No damage done.

I do run online scans now and then and even go further than that to test my security. No problems or vulnerabilities found.

Thanks for your efforts and the information. If I thought it was important enough, I would have looked it up myself, but thanks.

Last edited by IMiteBable2help; 22-Apr-2009 at 10:44 PM..
blitzkreig (Senior Member), 23-Apr-2009, 12:58 AM #8
Seems to me like a spyware attack. Did you try running a spyware scan using a separate anti-spyware program?
blitzkreig (Senior Member), 23-Apr-2009, 12:59 AM #9
Here is something of interest which I found with regard to this IP:
https://safeweb.norton.com/report/sh...=78.47.132.220
blitzkreig (Senior Member), 23-Apr-2009, 01:03 AM #10
Also, I would recommend running a Malwarebytes scan and posting the log here.
IMiteBable2help (Senior Member), 23-Apr-2009, 04:17 AM #11
Ya, so far spyware/adware/virus scans are clean other than a few tracking cookies which are no big deal and are deleted daily. No unusual behavior or pop ups from my browser other than the already mentioned incident.

Thanks everyone for being so thorough. This has been educational when it comes to enlightening me to the competency of my fellow forum members. You are all right to suggest the things you did. Still, nothing. My machine is clean. Always has been. No system I have owned has been infected with a virus since 1987 (to the best of my knowledge) and I've been online since about 1992. No spyware/adware found since 1999 or so. I know that doesn't make me immune, just trying to demonstrate that I know how to prevent it and I know what to look for.

I did, just for kicks, download and install the latest Malwarebytes and ran a full system scan. Still nothing. For personal reasons, I'm not posting the log, but I assure you, it found nothing.

Last edited by IMiteBable2help; 23-Apr-2009 at 04:24 AM..
Dynamoo (Junior Member), 23-Apr-2009, 10:04 AM #12
There's a 300x250 pixel malvertisement for the University of Phoenix that is sometimes displayed on the forum (I think it's a Doubleclick / Google ad). The ad is hosted at perfect-banner.com, takes a hop through enjoyspringtime.com, crustat.com, pnfzetnax.net and ends up on 78.47.132.220 where it tries to download a fake anti-virus application.

VirusTotal's report is here: http://www.virustotal.com/analisis/0...ec74ebb8cc1dc6

So yes, there's a problem. But it doesn't come up all the time.
TechGuy (Administrator), 23-Apr-2009, 04:08 PM #13
If you see such an ad, be sure to report it by using the "Ads by Google" link. I'm going to set our site to block perfect-banner.com.
Cookiegal (Administrator & Malware Removal Specialist), 23-Apr-2009, 04:18 PM #14
Thanks for acting so quickly, Mike.
Dynamoo (Junior Member), 23-Apr-2009, 06:38 PM #15
Actually, I didn't see it myself; I had to go back through proxy logs to see where it was loading. It turns out that several other sites have been hit as well; it's certainly not the fault of anyone here. There's a writeup here: http://msmvps.com/blogs/spywaresucks...3/1690203.aspx
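An added example, not from the thread or any forum member, of the proxy-log reconstruction Dynamoo describes in posts #12 and #15: given request lines with Referer values, it walks the chain from the forum page through the ad hosts named in post #12 to the final host, and lists which internal clients reached that host. The log lines, request paths, client addresses and the forum.example.org hostname are constructed for the example; only the chain hosts come from the thread.

```python
"""Reconstruct a malvertising redirect chain from proxy log lines (added example)."""
import re

# Constructed sample proxy log, one request per line: "epoch client method url referer".
# The hosts follow the chain described in the thread; the request paths, client
# addresses and the forum.example.org hostname are made up for this example.
SAMPLE_LOG = """\
1240500000.101 10.0.0.5 GET http://forum.example.org/showthread.php?t=1 -
1240500000.402 10.0.0.5 GET http://perfect-banner.com/banner.js http://forum.example.org/showthread.php?t=1
1240500000.655 10.0.0.5 GET http://enjoyspringtime.com/go http://perfect-banner.com/banner.js
1240500000.901 10.0.0.5 GET http://crustat.com/r http://enjoyspringtime.com/go
1240500001.120 10.0.0.5 GET http://pnfzetnax.net/x http://crustat.com/r
1240500001.377 10.0.0.5 GET http://78.47.132.220/adv/index.html http://pnfzetnax.net/x
1240500001.600 10.0.0.5 GET http://78.47.132.220/adv/fakeav-setup.exe http://78.47.132.220/adv/index.html
1240500002.000 10.0.0.7 GET http://forum.example.org/showthread.php?t=1 -
"""

FIELDS = ("ts", "client", "method", "url", "referer")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse(log):
    """Parse log lines into dicts ordered by timestamp; malformed lines are skipped."""
    rows = [dict(zip(FIELDS, m.groups()))
            for m in map(LINE_RE.match, log.splitlines()) if m]
    return sorted(rows, key=lambda r: float(r["ts"]))

def host(url):
    """Return the host part of an http(s) URL."""
    return re.sub(r"^https?://", "", url).split("/", 1)[0]

def redirect_chain(rows, client, final_host):
    """Follow Referer values backwards from the client's first request to
    final_host and return the hosts in page-to-payload order.  A referer loop or
    a referer never seen as a request (such as '-') ends the walk."""
    by_url = {r["url"]: r for r in rows if r["client"] == client}
    cur = next((r for r in rows
                if r["client"] == client and host(r["url"]) == final_host), None)
    hosts, seen = [], set()
    while cur is not None and cur["url"] not in seen:
        seen.add(cur["url"])
        hosts.append(host(cur["url"]))
        cur = by_url.get(cur["referer"])
    hosts.reverse()
    return hosts

def clients_reaching(rows, final_host):
    """Internal clients that fetched anything from final_host: the triage scope."""
    return sorted({r["client"] for r in rows if host(r["url"]) == final_host})
```

The intermediate hosts in the returned chain are the ones worth blocking at the proxy or ad filter, as TechGuy does for perfect-banner.com in post #13; the client list is the set of machines to scan.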
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.