Is this a Virus ?

Discussion in 'malware problems & news' started by John Bull, Jun 14, 2011.

Thread Status:
Not open for further replies.
  1. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    I have had an experience that I have never seen before. Can anybody give their opinion on what exactly it is and if they have come across it.

    On posting in another Forum (not a computer Forum), random words become highlighted in blue. If you click them, an ad pop-up about cigarettes comes up and if you go to the site it is about tobacco and cigarettes.

    This occurred even in one of my posts. A screen-shot is :-

    Post.JPG

    Two of the sites are :-
    -vapour-exposed.co.uk-
    -skycig.co.uk/special-offer1/lp/-

    Is it a virus ? I am not trying to solve another Forum`s problems via Wilder`s, I am simply trying to satisfy my own curiosity as to what this strange behaviour is. No need to be precise, just say whether it is a virus infection I have come across for my own education.

    I have already told them it is a virus and to get it sorted out. I will not be going back on the issue.
     
    Last edited by a moderator: Jun 14, 2011
  2. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    I don't get that when I visit that site, John...

    dog post.jpg
     
  3. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Avira isnt flagging them.
     
  4. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    I am not an expert by any stretch of the imagination, but my opinion is that, no, these ads are not indicative of an infection.

    Essentially, I believe what you're looking at is a fairly refined javascript operation, which tags supposed 'keywords' to ads elsewhere. I've encountered this behavior before - Both on Windows 7 and OS X - in Opera. When I took the appropriate steps to block the domains associated with the ad networks in question, the behavior stopped.

    So, short opinion: Virus? No. Intrusive, annoying, pointless and irritating ad? Yes. Yes indeed.
     
  5. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Are those "links" with the pop-ups related to intellitext (intellitxt)?
     
  6. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,916
    Location:
    U.S.A.
    vasa1, looks like Kontera: -kontera.com-
     
  7. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Okay and thanks! I didn't visit the links provided by JB but the pic reminded me of intellitxt.

    from the ever-"reliable" Wikipedia ;)

    Interesting bit about the context!!!
     
  8. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,916
    Location:
    U.S.A.
    They all work the same... just different name. :D You're welcome! Take care.
     
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Very slim chance it could be, much more likely to be part of the website. I think NoScript should block it unless you whitelisted kontera.com and/or those two sites.
     
  10. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    What wonderful replies from wonderful people.

    I thought I would have been hit by the 4th Amendment on this one, but I was wrong.

    I have never seen this behaviour before, where innocent posts are hijacked by scam ad sites and I just cannot believe that a reputable Forum would tolerate such a despicable practice to become part of their monetary support.

    J_L mentioned Kontera.com. YES ! This pox on the web is probably the answer to this problem, ABP does show this site as a potential threat.

    Quite frankly, any site that condones such a vile practice is not worth bothering with. I will look at NoScript and ABP to see if I can block this pox on society. If not, then Good-bye Forum. This Forum has already had ads floating all over the pages, which I have blocked with ABP and then I kept getting logged out - a matter that seemed to go away. My patience is running out and with JB that is a very short fuse.

    I sincerely thank my wonderful colleagues at Wilder`s for replying so precisely. One thing about Wilder`s is that I always get an answer and when I deserve it, a kick up the butt. Nevertheless I love you all.

    When will we ever be free of these web pests ? Hopefully never, because if that happened I would lose my valued friendship with all you lovely people on this Forum - we would have nothing to moan and argue about.

    Thank you all.
    John

    PS - Kontera.com was on the NoScript Whitelist - I have deleted it. I have also blocked this site on ABP. I just visited the Forum and so far could not see any of these hijacked words. Not too optimistic, but perhaps the blocks have worked.
     
    Last edited: Jun 15, 2011
  11. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Very, very interesting. I wonder what the "deal" is.
     
  12. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    It is definitely not on my NS whitelist. Wonder how it got there ? :eek:
     
  13. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Simple. He put it there.
     
  14. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
  15. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,916
    Location:
    U.S.A.
    Ocky, I can confirm that as well. Kontera is blocked on my AdBlock+ EasyList filter subscription.
     
  16. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    No I did not. I deleted Kontera.com from the NS Whitelist and when I looked later it was back again !
    Something keeps putting it back and I do not know what.

    It could be that when I log onto that Forum where Kontera rides over everything, THAT puts it on the NS Whitelist, but I find it hard to believe that.

    I have blocked everything Kontera on ABP, but it is making no difference.

    PS - having deleted Kontera from the NS Whitelist yet again - it is back on there and I never put it there. Clue ? The Forum i-love-dogs.com is on the Whitelist. It may be THAT is the cause of Kontera being added.
     
    Last edited: Jun 15, 2011
  17. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    See for yourself.

    I would like somebody else to witness this first hand, so here is the URL - http://www.i-love-dogs.com/forums/, you can visit as a guest. Then go :-
    General Dog Stuff >Dog Questions and Answers>What breed is this pupp>Post No.3 and see "dog" and "puppies" in blue. Put the cursor over each word and a pop-up appears from Kontera loading something. The loading does not finish.

    If you click "puppies" or "dog"a site comes up called Groupon http://www.groupon.co.uk/.

    This happens all over the Forum but not always the same ad.

    Try General Dog Stuff > Dog Questions and Answers>Please help me identify my dog Clover>Post No.5 and see "lol". This is http://www.prolash8.com/ and so it goes on throughout the Forum.

    Just random words selected, mostly animal, but not always, "work" is another.

    I do hope you find this paranormal behaviour on YOUR screens, because if you don`t, I`ll SCREAM and do a bit of head banging.

    John
     
  18. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Run Firefox outside of Sandboxie. It may be preventing the changes from applying.
     
  19. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    Definitely 3rd party advertising. And I hate those stupid little links. Adblock Plus takes care of them fine for me. :thumb:
     
  20. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    From all the useful posts received, it looks like the following is the case. Without this thread I probably would not have got far in understanding what is going on with this Forum. It is a feature I have never seen before and I hope other readers will benefit.

    When I joined this animal Forum, like all other Forum`s, I trusted it. So when the NS Options button first came up at the bottom right, I fully allowed the site. This in effect disabled NS for the site.

    Firstly, ads kept coming up on every page, floating all over the place and covering the data. After much hacking about, I blocked all these with ABP. Then I kept getting logged out, this disappeared on it`s own or perhaps ABP stopped it, I don`t know.

    THEN I started getting the problem described in this thread. ABP never stopped that although I have blocked all Kontera items listed under the ABP blockable items.

    Kontera.com was on my NS Whitelist - I never put it there myself, but so is i-love-dogs.com. Deleting Kontera made no difference, it kept coming back.

    So, I concluded that if i-love-dogs.com had total clearance on NS, then all the ad garbage for that site including Kontera automatically received clearance and were being added to the NS Whitelist as a package.

    This looks correct. I deleted i-love-dogs.com and of course Kontera from the NS Whitelist, then visited the Forum. NS was active again and the Options box showing. I went to the example posts I gave and the blue words were no longer there ! So, NS had nuked Kontera.

    All this is a pity really. Animal Forums run on a very low budget and serve lots of lovely people only interested in animals. They have to let ad sites in to provide much of their income. It looks like this Forum has vastly over-done it and ad sites are running wild to the point of being aggravating.

    Do you think this matter is now settled and agree with the above assumptions ? If so, I can only again thank all of you for posting and providing yet another Wilder`s solution.

    John

    PS - If you did test out this site as per my post 17, you must either disable NS or give the page/site "temporary allowance". May be as well to disable ABP for the check also.
     
Loading...
Thread Status:
Not open for further replies.