
WARNING - WinFixer - ErrorSafe - ALERT

Discussion in 'Security and Privacy' started by Christer, 2006/01/30.

  1. 2006/01/30
    Christer

    Christer Geek Member Staff Thread Starter

    Joined:
    2002/12/17
    Messages:
    6,585
    Likes Received:
    74
    I was subjected to a drive by attempt to install WinFixer on my system. XP SP2 and its reluctance to allow such installations saved the situation. I was able to close the download windows by the red crosses but it would probably be quicker to close the process IEXPLORE.EXE in Task Manager.

    The only debris left behind was two tracking cookies from winfixer.com and two entries from se.errorsafe.com\... in the browser history.

    The web site I was visiting was lostcircuits.com

    Christer
     
  2. 2006/01/30
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Interesting. I just went to lostcircuits.com using Firefox on my linux system. I viewed the source code on the page and there's no code in it that would launch anything other than links and a search form. Is it possible that the drive by attempt was loaded by the site you were previously viewing? The javascript onUnload function can be used to launch something when the page is unloaded from the browser.
     


  4. 2006/01/31
    Christer

    Christer Geek Member Staff Thread Starter

    Joined:
    2002/12/17
    Messages:
    6,585
    Likes Received:
    74
    I did a google search on reviews of the Athlon 64 X2 3800+ and the P4 D820-840 and found a few sites that I visited. I was browsing lostcircuits.com for a while and was reading a multi page review. The attempt occurred when going from one page to the next.

    I have restored a Ghost Image which means that my browser history from yesterday is gone but I remember neoseeker.com being one of the sites. Later today, I may find the time to search again and possibly remember more sites.

    Christer
     
    Last edited: 2006/01/31
  5. 2006/01/31
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    Same here... I checked the site with IE7 on a VM. Since it looks like people can post opinions, could it have been code posted that way?
     
    Arie,
    #4
  6. 2006/01/31
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Did you go to any other pages than the main page at lostcircuits.com?
    I just took a chance and went there again using IE on XP.
    There's nothing dangerous on the main page, but other pages use:
    <!-- FASTCLICK.COM POP-UNDER CODE v1.7 for lostcircuits.com -->
    which will get blocked by IE Popup Blocker.

    However, the code used by the Fastclick advertising feed is different for each feed sent to the lostcircuits.com pages. It's possible that an ad feed contained code to launch an additional popup window or contained a drive by script. The code in the ad feed is only partially controlled by Fastclick company, I suspect the advertisers provide their own code for the streamed ads, and a malicious one was used for an ad on a page you viewed.

    The Fastclick ad that was supposed to appear when I was there was just a white box at the top of the page and Popup Blocker killed the popup windows before the javascript could execute. Two separate ads, 2 separate javascript objects.

    Because I use SpywareBlaster & Spybot, the embedded ad on the page was just an empty white box. IE blocked the popup windows & SpywareBlaster or Spybot prevented the ad feed from appearing.
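
Added example (not part of TonyT's post or the original thread): a Node.js check that does the view-source inspection discussed above, listing scripts pulled from other hosts and unload handlers in saved page source. The sample HTML and the hosts `site.example`, `adfeed.example` and `ads.example` are constructed placeholders.

```javascript
// Constructed sample page source; hosts are placeholders, not real feeds.
const SAMPLE_HTML = `
<html><head>
<script src="/js/site.js"></script>
<!-- constructed ad-feed include -->
<script src="http://adfeed.example/serve.js?id=123"></script>
</head>
<body onUnload="window.open('http://ads.example/offer.html')">
<a href="/review/page2.html">Next page</a>
<script>window.onbeforeunload = function () { return track(); };</script>
</body></html>`;

// Report third-party script includes and unload handlers found in `html`.
// `pageHost` is the host the page itself was served from.
function auditPageSource(html, pageHost) {
  const findings = { thirdPartyScripts: [], unloadHandlers: [] };

  // 1. External scripts served from a host other than the page's own.
  const srcRe = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  for (const m of html.matchAll(srcRe)) {
    let host;
    try {
      host = new URL(m[1], `http://${pageHost}/`).hostname;
    } catch {
      continue; // unparsable src value, nothing to classify
    }
    if (host !== pageHost && !host.endsWith(`.${pageHost}`)) {
      findings.thirdPartyScripts.push(host);
    }
  }

  // 2. Inline onunload / onbeforeunload attributes; flag window.open calls.
  const attrRe = /\bon(?:before)?unload\s*=\s*(["'])(.*?)\1/gi;
  for (const m of html.matchAll(attrRe)) {
    findings.unloadHandlers.push({
      kind: "attribute",
      opensWindow: /window\.open\s*\(/i.test(m[2]),
    });
  }

  // 3. Handlers assigned from script; the body is not analysed here.
  const assignRe = /\bwindow\.on(?:before)?unload\s*=/gi;
  for (const _ of html.matchAll(assignRe)) {
    findings.unloadHandlers.push({ kind: "assignment", opensWindow: false });
  }
  return findings;
}

console.log(JSON.stringify(auditPageSource(SAMPLE_HTML, "site.example"), null, 2));
```

A static listing like this only shows that a third-party script is included; what that script writes into the page on a given view is decided by the feed at load time and does not appear in the saved source.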
     
  7. 2006/01/31
    Christer

    Christer Geek Member Staff Thread Starter

    Joined:
    2002/12/17
    Messages:
    6,585
    Likes Received:
    74
    I don't remember being at the main page at all. The link provided by the google search took me directly to the desired review. However, my memory is not what it used to be.

    I use Norton Internet Security 2003 and its Ad Blocking / Popup Window Blocking but have unticked Internet Explorer Popup Blocking (and the Windows Firewall) to avoid any possible conflict. NIS seems to work pretty well because I have to disable the Popup Blocking to get the administrator login window on a specific site and on this site (Windows BBS), when clicking "open in a separate window" when notified of a PM, that never happens. I never see any ads (anywhere) but only the occasional empty window.

    The yellow "download notification bar" at the top of the browser window was X-ed away and that probably prevented the installation.

    Christer
     
  8. 2006/01/31
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    Just to clarify: If you could have spotted that the download came from an ad on Fastclick, they would remove the advertiser when you notify them. It's against their TOS, and they are on top of such things AFAIK.
     
    Arie,
    #7
  9. 2006/01/31
    Christer

    Christer Geek Member Staff Thread Starter

    Joined:
    2002/12/17
    Messages:
    6,585
    Likes Received:
    74
    As a Ghost user, I wouldn't hesitate going back with Ad and Popup Blocker disabled to find out if I can reproduce the "drive by installation attempt" and if so, find out what Ad is the probable culprit.

    However, I'm trying to figure out why my computer BSOD's every two to four weeks and don't want to roll back using Ghost unless I have to. That empirical experiment will have to be put on hold for now.

    Christer
     
  10. 2006/02/01
    Christer

    Christer Geek Member Staff Thread Starter

    Joined:
    2002/12/17
    Messages:
    6,585
    Likes Received:
    74
    I was prompted to install FlashPlayer 8 when visiting a site and I accepted but the installation was unsuccessful (the prompt came back). Then, I remembered that I am running Internet Explorer, MailWasher and Outlook Express under DropMyRights. When I opened IE with full administrative privileges and went back, the installation of FP8 was successful.

    Maybe running under DMR played a part in rendering the "drive by installation" unsuccessful? Maybe it's a good thing to run web applications under DMR!

    Christer
     
  11. 2006/02/01
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    Which will be the default for IE in Vista :)
     
