Malware advert for systemdoctor
kylemad
Nov 29, 2006, 03:34 AM
Hey guys,
Love the site but there's an advert coming through today which is redirecting my browser to www.systemdoctor.com with no choice after showing a popup telling me my computer needs 'cleaning'.
Here's the culprit on the main page:
(I'm not sure this helps but..)
<div id="googleblock300">
<!-- BEGIN: AdSolution-Website-Tag 4.3 : MacRumors.com / Home Page Rectangle Dynamic -->
<script language="javascript" type="text/javascript">
Ads_kid=0;Ads_bid=0;Ads_xl=0;Ads_yl=0;Ads_xp='';Ads_yp='';Ads_xp1='';Ads_yp1='';Ads_opt=0;Ads_wrd='[KeyWord]';Ads_par='';Ads_cnturl='';
</script>
<script type="text/javascript" language="javascript" src="http://a.as-us.falkag.net/dat/cjf/00/15/54/84.js"></script>
<!-- END:AdSolution-Tag 4.3 -->
</div>
You're not the only website to have got this advert but it's pretty offensive to have javascript popups telling me I need to clean my computer and taking me away from the page I'm on.
Cheers
tominated
Nov 29, 2006, 04:26 AM
that ad is a pain in the a**. it is a windows only *adware* program.
arn
Nov 29, 2006, 09:33 AM
Hey guys,
Love the site but there's an advert coming through today which is redirecting my browser to www.systemdoctor.com with no choice after showing a popup telling me my computer needs 'cleaning'.
You're not the only website to have got this advert but it's pretty offensive to have javascript popups telling me I need to clean my computer and taking me away from the page I'm on.
Cheers
A screenshot might help too.
will look into it.
arn
arn
Nov 29, 2006, 09:47 AM
Hey guys,
Love the site but there's an advert coming through today which is redirecting my browser to www.systemdoctor.com with no choice after showing a popup telling me my computer needs 'cleaning'.
Cheers
What country are you in? and were you using a Mac at the time?
arn
Wender
Nov 29, 2006, 09:51 AM
Yeah, that happened to me too today, and before you all start flogging Windows - I am using Safari Version 2.0.4 (419.3) on a MacBook Pro...
Strange thing!
Later on, on my other Mac, I was automatically redirected here from the front page of the main site:
http://www.amaena.com/securityworm58/index.php?ex=1&ax=1&h=10&mpt=%5BCACHEBUSTER%5D&aid=sonearby&lid=sw3
Both of these sites result in an .exe download so I'm not too worried...
MacNut
Nov 29, 2006, 01:41 PM
Is it possible that these sites are confusing Intel for Windows?
doraemonkey
Nov 29, 2006, 03:59 PM
Yep, I have got the same problem, and it kinda got me worried for a little bit. So I did a search for "systemdoctor" on this site. I am using Safari 2.04 on OSX on a G4 and I am currently in France. So it has nothing to do with Intel processors. Macrumors isn't the first site where I have had something similar occur. The other was ArsTechnica.
Someone has figured out a way to get around the popup ad blocking function of Safari and, even worse, forces you to press an "ok" button. I had to force quit Safari to avoid this. I have no idea what the OK does.
If I get this again I'll post a screen shot.
PS. Hi every body... super long time lurker/forum surfer, first time poster. :D
MacNut
Nov 29, 2006, 04:02 PM
PS. Hi every body... super long time lurker/forum surfer, first time poster. :D
http://deephousepage.com/smilies/welcome.gif
arn
Nov 29, 2006, 05:29 PM
Countries may help. It seems many of these are targeted at users in Norway alone.
arn
doraemonkey
Nov 29, 2006, 05:33 PM
Thanks for the welcome Macnut. I feel as though I have been here a long time... altho I have been rather discreet.
Does this ad have anything to do with the recent security gaps in OSX? I haven't installed the most recent security update which was yesterday or something.
arn
Nov 29, 2006, 06:14 PM
Thanks for the welcome Macnut. I feel as though I have been here a long time... altho I have been rather discreet.
Does this ad have anything to do with the recent security gaps in OSX? I haven't installed the most recent security update which was yesterday or something.
No, it's probably just bad banner ads in the mix somewhere.
arn
Mitthrawnuruodo
Nov 29, 2006, 07:22 PM
Countries may help. It seems many of these are targeted at users in Norway alone.
Quite possible, just fired up Safari, logged out and went to the front page. This is what happened:
[attachment 63005]
And I was sent to another site when I pressed "Cancel".
arn
Nov 29, 2006, 09:12 PM
Test cases...
Can people who have had this problem try the following pages in random order and let me know if it happens on them. Be sure to take a screenshot of the ad under the front story when it happens, and be sure to note which url caused the ad.
Thanks
http://www.macrumors.com/test2_tf.php
http://www.macrumors.com/test1_ns.php
http://www.macrumors.com/test3_g.php
arn
mad jew
Nov 30, 2006, 12:56 AM
Norton spun up some virus dialogues when I arrived at MacRumors this morning (as a guest), met by that same dialogue box. I didn't click anything (well, I don't think I did), but just thought I'd mention that it downloaded a virus onto my PC. It's all okay though because Norton saw it coming. :)
Mitthrawnuruodo
Nov 30, 2006, 03:26 AM
Test cases...
Can people who have had this problem try the following pages in random order and let me know if it happens on them. [...]
Didn't have any problems on either page, just "nice" Google ads using all three links...
[attachments 63040, 63041, 63042]
arn
Nov 30, 2006, 03:33 AM
Didn't have any problems on either page, just "nice" Google ads using all three links...
Try it again in a day or so. I suspect there's a cookie and IP timeout for it.
arn
mad jew
Nov 30, 2006, 03:47 AM
Is this (http://forums.macrumors.com/showthread.php?t=256612) the same thing?
Mitthrawnuruodo
Nov 30, 2006, 03:47 AM
Ok, I reset Safari and tried again, and that second link (which I tried last this time, after 1 and 3) sent me directly here:
[attachment 63043]
The pop-up didn't even come up until I tried going back to see what might have caused this:
[attachment 63044]
...and it was even a double pop-up, this time :rolleyes:
[attachment 63045]
When I finally got back to the test-page, there wasn't anything apparently suspicious there, though:
[attachment 63046]
Any help in any of this...?
gekko513
Nov 30, 2006, 06:02 AM
I've also been getting this, most recently yesterday.
doraemonkey
Nov 30, 2006, 06:12 AM
I don't know where any of this is coming from. But it happened to me at work just now on my G4 PowerBook (don't ask me why I am browsing macrumors at work ;) ). And the same thing happened to me at home from another computer. It seems at least that the ads are perhaps European. But here we see that it isn't Systemdoctor but another one. You can see also that the adspace is empty...
arn
Nov 30, 2006, 09:29 AM
Ok, I need people to test this url
http://www.macrumors.com/test2_tf.php
Clear cookies, new browser, etc... let me know if it happens with this url specifically
thanks
arn
Mitthrawnuruodo
Nov 30, 2006, 09:39 AM
Tried it in Shiira (emptied cache/removed all cookies), Safari (reset Safari) and Webkit (reset Safari, again). Reloaded page several times. No sign of any problems... :)
arn
Nov 30, 2006, 09:52 AM
Tried it in Shiira (emptied cache/removed all cookies), Safari (reset Safari) and Webkit (reset Safari, again). Reloaded page several times. No sign of any problems... :)
Keep trying, maybe after 24 hours. And if others with the same problem can try too, it will help.
arn
doraemonkey
Nov 30, 2006, 10:03 AM
I cleared the cache, and I tried a few times using the link you provided, but nope. The ad or mal-ad is intermittent enough that it is a hard thing to catch perhaps.
I'll keep you informed if I see it again. But it will probably be on the main page again, when I least expect it.
crassusad44
Nov 30, 2006, 04:21 PM
MacRumors is not the only site that is suffering from this malware ad. A quick Google search gives these results...
http://www.google.com/search?client=safari&rls=nb-no&q=errorsafe+ad&ie=UTF-8&oe=UTF-8
Seems like users in Norway, Denmark, France and Spain are affected the most.
BTW. I have seen the ad here at MR and over at AppleInsider today. I have cleared the cache and all cookies, but have seen the ad since. If I do, I will post pictures and other details...
crassusad44
Nov 30, 2006, 04:32 PM
...and the ad was there again... And yes I am also in Norway... See attached pics...
EDIT: This machine has not been used to access MR in the last couple of days or so... I'm not able to replicate the ad on this machine even after clearing cookies...
arn
Nov 30, 2006, 04:57 PM
it'd really help if you use the test urls posted above, specifically the last one
http://www.macrumors.com/test2_tf.php
on a computer that hasn't visited macrumors lately.
arn
crassusad44
Nov 30, 2006, 06:30 PM
it'd really help if you use the test urls posted above, specifically the last one
http://www.macrumors.com/test2_tf.php
on a computer that hasn't visited macrumors lately.
arn
Logged in to a new user (that hasn't been on MR), erased all cookies and typed in www.macrumors.com/test2_tf.php. Nothing happened. I erased all cookies again, and went to www.macrumors.com, again nothing. Erased all cookies again, and reloaded page. The ErrorSafe ad was then displayed. Attached you will see a log of all cookies immediately after being redirected to the errorsafe site. Hope it helps...
arn
Nov 30, 2006, 06:51 PM
Logged in to a new user (that hasn't been on MR), erased all cookies and typed in www.macrumors.com/test2_tf.php. Nothing happened. I erased all cookies again, and went to www.macrumors.com, again nothing. Erased all cookies again, and reloaded page. The ErrorSafe ad was then displayed. Attached you will see a log of all cookies immediately after being redirected to the errorsafe site. Hope it helps...
Hi all, I appreciate the effort. Getting the ad on macrumors.com doesn't help me much... though the cookies might.
It would very much help to know if it's reproducible on http://www.macrumors.com/test2_tf.php
update: Actually, the cookies may be very helpful. Based on what you said you had NO cookies, loaded the page which showed the ad and these are the only cookies there - right?
I'm going to have my adnetwork block workhomecenter
arn
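The check arn relies on here (start from an empty cookie jar, load the page that shows the ad, then see which domains set cookies) can be scripted as below. This is an added example, not part of the original thread: the cookie rows, the `.example` domain standing in for "workhomecenter", the expected-domain list and all function names are constructed assumptions.

```python
from collections import defaultdict

# Assumption: domains expected to set cookies are the site itself and the
# ad-tag host visible in its HTML (falkag.net). Adjust per site.
EXPECTED = {"macrumors.com", "falkag.net"}

# Constructed sample in Netscape cookies.txt layout (7 tab-separated fields:
# domain, subdomain flag, path, secure, expiry, name, value).
SAMPLE = "\n".join("\t".join(row) for row in [
    ("# Netscape HTTP Cookie File",),
    (".macrumors.com", "TRUE", "/", "FALSE", "1196467200", "bblastvisit", "1"),
    ("a.as-us.falkag.net", "FALSE", "/", "FALSE", "1196467200", "Ads_id", "2"),
    ("#HttpOnly_.workhomecenter.example", "TRUE", "/", "FALSE", "0", "uid", "3"),
    ("ads.workhomecenter.example", "FALSE", "/", "FALSE", "0", "geo", "4"),
    ("www.errorsafe.com", "FALSE", "/", "FALSE", "0", "sess", "5"),
    ("truncated line",),
])


def registrable(host):
    """Naive eTLD+1 (last two labels); real tooling should use the Public Suffix List."""
    labels = host.lstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_cookies(text):
    """Yield (domain, cookie name) for each well-formed cookie row."""
    for line in text.splitlines():
        # curl-style jars mark HttpOnly cookies with this prefix; it is not a comment.
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        elif line.startswith("#") or not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # skip malformed rows instead of guessing
        yield fields[0], fields[5]


def unexpected_domains(text, expected=EXPECTED):
    """Map each cookie-setting site outside `expected` to its sorted cookie names."""
    found = defaultdict(set)
    for domain, name in parse_cookies(text):
        site = registrable(domain)
        if site not in expected:
            found[site].add(name)
    return {site: sorted(names) for site, names in found.items()}


if __name__ == "__main__":
    for site, names in sorted(unexpected_domains(SAMPLE).items()):
        print(site, names)
```

Domains that appear only on loads where the ad fired are the candidates to hand to the ad network for blocking.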
crassusad44
Nov 30, 2006, 07:18 PM
Hi all, I appreciate the effort. Getting the ad on macrumors.com doesn't help me much... though the cookies might.
It would very much help to know if it's reproducible on http://www.macrumors.com/test2_tf.php
arn
New user account (just to be sure). Typed www.macrumors.com/test2_tf.php directly into the url field. Nothing. Reloaded page 20-25 times. Nothing. Erased cookies. Reloaded again, maybe 20 times. Nothing. Typed in www.macrumors.com, and BOOOOM... ErrorSafe on first load. Seems to me like test2_tf.php is fine... Can try again on another comp. with new user account if you want more testing...
EDIT: Regarding last post. Yes I erased all cookies before loading macrumors.com the second time, when the errorsafe ad was displayed. The screenshot with the cookies was taken immediately after Safari was hijacked (after I pressed cancel)
arn
Nov 30, 2006, 07:22 PM
This sounds like it could be it:
http://chattyfig.figleaf.com/pipermail/flashcoders/2006-September/173134.html
thanks for the help, it should be gone soon
arn
woodsey
Nov 30, 2006, 07:30 PM
Just to let you know, I'm from Australia and I've been getting a popup on macrumors.com for a couple of days for a product called drivecleaner.
Running Safari 2.0.4 on iBook G3.
But when I go to http://www.macrumors.com/test2_tf.php I don't get any popups.
Hope this helps.
crassusad44
Nov 30, 2006, 07:33 PM
This sounds like it could be it:
http://chattyfig.figleaf.com/pipermail/flashcoders/2006-September/173134.html
thanks for the help, it should be gone soon
arn
Great! :)
Here's some more details on how this works, and how it gets snuck in
http://chattyfig.figleaf.com/pipermail/flashcoders/2006-September/173142.html
Not quite sure what the 'prior errorsafe javascript' implementation is.
User experience is as follows:
- User visits his favorite website, say, www.joesblog.com
- Joesblogs puts some ads on his site and sell his inventory to an adnetwork
- Adnetwork doesn't know this "matchservice.com" ad is a scam, and serves the user a nice 468x60 flash banner of rmatchservice.com
- If the user's IP & timezone & (mysterious other reasons) match some parameters in the actionscript, flash file opens a popup without a click to errorsafe.com/...
- New errorsafe page tries to install active-x and also initiates an .exe download to try to get the user to install the program.
- User accidentally clicks install, or "open" on the exe and is now infected w/ spyware.
post all new replies to:
http://forums.macrumors.com/showthread.php?t=257138