Thanks for the clarification, Clicksor.
I can't help you, sorry. When I could, I would.
At my work desk, I never get malware, due to the very strict security policy. Only signs I see are the scans I was talking about.
When at home, I use Linux, while the malware affects only Windows.

I am also very sorry to inform you that I can't give you any feedback about the absence of security scans (as a sign the block works) until Monday.
As an exception, I leave early today (in 5 minutes) and won't be here tomorrow.

Thanks for your efforts!!

Hi Clicksor, Nabi Capo and others. There seem to be two types of attacks taking place here.

1) Just redirecting you to a fake windows explorer like interface with fake virus scanning trying to get you install some software. This is pretty harmless given the fact that you can simply close the browser window.

2) Installs malware through Java applets silently, without any interaction what so ever from the user. So user could get infected by just visiting navitotal.


All the malware belongs to a specific breed notoriously known as scareware ( basically installs fake antivirus, disables legitimate antivirus and tries to scare the user and extort money by forcing him to purchase fake antivirus). These products come from the same source and is masterminded by a guy called Sam Nair. He is a fugitive and beleived to be hididng in Ukraine ([Please Register or Login to download file] ). Their business seems to be two fold. Write these scareware and setup front end marketing companies to run ads infested with these malware.

But in my opinion, clicksor being reputed ad-host, should not wait for the end user to come up with all the details. Clicksor should have some mechanism in place to check if the ads are infested with malware.

What do you think????

Having said that, I sincerely appreciate everyones genuine effort to get this matter resolved ASAP, including clicksors.

@ Clicksor Support,
I am back at my office desk and I am sorry to say that the security scans are still a fact.
I am not sure if the IT people have enforced the security - and the scans do react on the ads - or the malware is still present. (I can't ask the IT ;) )
It's a fact that 2 months back, the scans stopped together with the malware.

One week without problems, but today this ...



Attachment
2862
NB

I use FireFox with:
[Please Register or Login to download file] ...you have to learn which scripts to allow but for most sites it just the script with the sites name on and normally only then if you want to use some of the sites features. Here you have to allow Navitotal.com and Yahooapis.com, the other 8 I leave blocked.
[Please Register or Login to download file] ...set it to auto delete contents of sanboxie and have a thin coloured boarder round the edge so you know it's running. Remove the icon for the unsandboxied browser and hide it in the hidden part of the bar at the bottom of the screen so you don't accidentally use the unsandboxed browser (you need to open your undanboxied browser and copy and past safe sites links into it to save them as sanboxie will remove any changes at close. This is a small price to pay for the huge security gain)
After a month, if you don't buy it, it makes you wait 5 seconds? before opening the browser.
I also use a virtual operating system so if I'm stupid enough to DL a virus I can reset my PC and it's gone (free trials last forever with this, reset PC and reinstall, because it is like it was never there. :o )

I use Privatefirewall 7 (free) (it has a process monitor that you can train and use or turn off) . I don't like suites because if it crashes you lose all protection, I've had Comodo and NOD32 suites crash before.
[Please Register or Login to download file]
[Please Register or Login to download file]
.. neutral site not connected with any software house (as far as I know) and so the results can be trusted.

NOD32 antivirus is what I like and if you can't afford to buy it you can make an e-mail address up and have them send a new 'trial' code there, you can do this every month, you don't even have to reinstall it(the security suite is different and this can't be done)
[Please Register or Login to download file]

I also use a router, which helps. All of these could probably be circumvented but you would have to really, really want to infect/access my PC to put all the time and effort into it to do it. I run in Admin mode, which is very bad for security, but I haven't had a virus for over 5 years which is because of the setup I have.
I have never had any security warnings from this site, even when it had problems with the adverts, this is down to NoScript.

My Norton has just blocked an WEB ATTACK called "Malicious Toolkit Website 10" (High Risk) Source Address 192.168.2.5. This happened when I was looking at voices within the TT section and I had no other windows or pages open... Must have been from this SITE...Just as well I am protected by Norton Internet 2011..... Yes this is a good site but make sure you are protected !!!

Sure about that? Then your own PC or one of them is the source according to Norton.
Why?
Because IP range 192.168.*.* is reserved to home networks !! Check it out, 192.168.2.1 is probably your router itself!

Don't believe me? [Please Register or Login to download file]

From a other Forum to this topic:

Source: Avast Forum

[Please Register or Login to download file] [Please Register or Login to download file]
« on: May 02, 2011, 11:16:48 AM »

Using a PC with a Windows install you don't care about, aim your browser at navitotal.com The advertisements on it are doing a bang-up job at drive-by infestation.

It started with amatuerish attempts with automatic redirects to spam sites. Then it escalated to fake virus warnings. Next up came the sneak attacks but with easily cleaned malware. A few weeks ago I got nailed with a rootkit that sailed right past Avast and MSE. That took quite a bit of work to hunt down and remove.

I went back Sunday, May 1, 2011 and got nailed again. This time with malware that's blocking Microsoft Security Essentials from running and it's redirecting Yahoo and Google results through annogigheort.com which bounces through two or more additional sites that vary. Avast and MSE were alerting like crazy (for the first time on navitotal, they'd been completely silent on it previously) but at least one still got past.

Nothing I've scanned with, TDSSKiller, Avast, Malware Bytes, ComboFix finds a bleeping thing. Spybot S & D twigs to a registry entry with a notice about MSE being disabled, but it can't fix it. HitMan Pro found rsopn.dll in Windows\System32 as a trojan but it's 30 day free trial on the current download is pre-expired.

I used Unlocker to force-delete it then I used attrib to remove its system, hidden and read only attributes then put it in Avast's chest to submit. From what little I could dig up on it, it appears to be from Russia.

Anyway, I think it'd be a good thing for the Avast people (and all other AV companies) to visit that site and allow it to massively infect a PC just to collect what's new in nastiness. Going by reports by users of the navitotal forum, the drive-by attacks may be set to be for specific IP ranges. I'm in the USA.

Edit: Forgot to mention this malware also deleted all my System Restore points so I couldn't just kick it back to last Friday or Saturday.

NB

Clicksor already knows that. Or should know that. when he reads his PM.

Clicksor Support last activiti 05-26-2011 (5 weeks ago)

NB

Look on the German site who is online. Clicksor.com (5 bots) is among them.
On the English board, the plug-in to see bots is not installed. We can't see them.

I can see the spider on the English board, why you not ?
But, the spider (bot) is not the clicksor service, this is a search engine like Google and has nothing to do with our problem. We have to much of them on the German Bord (some time more then 20 spiders/bots)

NB

NorbertBL wrote:I can see the spider on the English board, why you not ?
But, the spider (bot) is not the clicksor service, this is a search engine like Google and has nothing to do with our problem. We have to much of them on the German Bord (some time more then 20 spiders/bots)

NB

Yes, I see the the spider too,and no, I do not see all the spiders. There are more spiders here than just one (at this moment), but only google (and some others) show in the list. It's impossible to see if Clicksor is now "botting".

Clicksor uses bots to check the content of the threads/posts and then shows ads about the same things...in theory...
But the Clicksor story will be finished soon, we will stop cooperating with them forever.

Hi all,

I apologize for the lack of activity on this post. I have reviewed the messages and followed up on the provided Fiddler logs. We will have the ads removed.

Thank you again for all your cooperation.
Clicksor Support