A possible hijacking?

Cheers! I enabled that now that I’m home, and we’ll see what happens.

A friend said it might be a part of a Firefox addon, and that I should dump/reform a profile. Thoughts?

Also, this fellow seems to be having the exact same problem, here on Avast!

http://forum.avast.com/index.php?topic=145718.0

Should we try anything from there?

If it is not a constant thing then I would tend to attribute it to an infected website rather than an FF addon.

Additionally, if it was an addon then Avast would alert every time you started FF… Does it do that?

It does not! Since we’ve tinkered around, it hasn’t come back yet, either. I’m watching my event logger very carefully, though. I find it kinda weird that it keeps poking my DNS whenever it comes around.

I have seen this issue on 2 computers the last day and it also happened to my friend. The common link between all 3 computers was that they were all running Skype. After some Googling today, I found these Skype blog posts.

http://community.skype.com/t5/Security-Privacy-Trust-and/Skype-ads-in-rotation-have-been-compromised-and-contain-Malware/td-p/2894251

http://community.skype.com/t5/Windows-desktop-client/Popup-Advertisements/td-p/2896167

It seems like the new ad service Skype rolled out last week has been compromised. Not good.

Hi DarthSnoopyFish,

Thanks for reporting this back to base. Malcode very much undefined as yet, reported here: http://support.clean-mx.de/clean-mx/viruses.php?id=19947446
Seems that avast! Webshield is now blocking this malcode as JS:ScriptPE-inf[Trj] in Chrome Browser/AppData - as it is blocking access to this report: htxp://support.clean-mx.de/clean-mx/view_virusescontent.php?url=http%3A%2F%2Fe324rfds.bf-microdefender.nl%2Findex.php%3Fkey%3D541738592e6ce4d770cb2cf261a510b9 (probably showing off too much of the real code to avoid a live shield alert - but good enough for us checking detection here).

Good we have protection against this!

greets,

polonus

Thanks for the information! I had a hunch it was Skype, but asking around, none of my other friends except one have had it.

I have Avast running all the time now, and I keep looking at its shield to watch what’s coming in.

@OhDearMe &
@DarthSnoopyFish,

Another good reason to block all ads forever
(read: http://www.reddit.com/r/technology/comments/1wqudh/skypes_ads_may_be_compromised_with_malware/ )
A good and decent Adblocker extension like ABP for instance is a must nowadays to play an anti-malware role next to your resident av solution,
which for us all is avast!

polonus

What troubles me is that supposedly the site didn’t actually have an internal 500 error and was using that as a sort of facade while it did evil stuff in the background?

I wonder if my system is compromised at all, considering things are coming back totally clean?

With the 500 error it would suggest that the site was taken down. There was no apparent malware on the logs so I feel you are clean.

I was reading that the 500 error was actually a part of the ruse of the site, and wasn’t actually shut down. Someone was poking around in the webpage data to come to such a conclusion.

The main thing though is how is your computer behaving?

Computer is behaving fine, so far. Nothing weird, but I haven’t been logged onto Skype since we determined that was the cause.

Do you think it was an actual virus, or more just like an attack from outside? My logs and stuff are all still clean.

Do you think Skype is safe again?

Looking through event viewer again. Apparently yesterday (2/1/2014) at 10:31 AM it happened again, without my knowledge.

“Name resolution for the name e324rfds.rp-microdefender.nl timed out after none of the configured DNS servers responded.”

It shows up as a network warning there.

AFAIK, though, that’s the last time it’s shown up.

It’s really kinda scaring me.

Just disable the Skype ads: http://www.reddit.com/r/technology/comments/1wqudh/skypes_ads_may_be_compromised_with_malware/cf4tdle?context=3

That didn’t seem to work. I did as it said, and I’m still getting the “Call mobile with great new pay-as-you-go rates” advertisement at the top of my Skype.

Although that does seem to be the only one that displays, now.

Nevermind, getting ads about M&Ms and cars and other random crap, still.

Unfortunately there is little I can do about Skype ads as that is down to MS. I believe the ad addresses are stored on their servers.

Hmm, that fix on Reddit worked for me. Did it to 2 computers, no ads are showing up. You have to use the information from both commenter links in that post. First link is instructions, second link has a list of all possible ad services.

Do I leave them at 0.0.0.0.0, or change them to 127.0.0.1 like the others? I did the latter, and they’re still showing up.

Here’s what’s coming up, the first one is from the home page, the second is in a chat window with someone.

Set them at 127.0.0.1
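An added example, not part of the original thread: a small checker for the kind of hosts-file blocking discussed above, flagging entries that have no effect because the address is malformed or the separator is missing. The hostnames are placeholders (the real ad-server list is in the linked Reddit post), and it assumes the resolver simply ignores lines it cannot parse.

```python
import ipaddress

# Constructed sample hosts file; hostnames are placeholders, not real ad servers.
SAMPLE_HOSTS = """\
# ad-server blocks
127.0.0.1 localhost
127.0.0.1 ads1.example.invalid
0.0.0.0.0 ads2.example.invalid
127.0.0.1ads3.example.invalid
0.0.0.0 ads4.example.invalid  # trailing comment
127.0.0.1
"""

def lint_hosts(text):
    """Return (active, problems).

    active   maps hostname -> address for every well-formed entry.
    problems is a list of (line_number, reason) for entries that will not apply.
    """
    active, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)        # rejects 0.0.0.0.0 and glued-on text
        except ValueError:
            problems.append((n, f"'{addr}' is not a valid IP address"))
            continue
        if not names:
            problems.append((n, "address with no hostname"))
            continue
        for name in names:
            active[name.lower()] = addr
    return active, problems

def unblocked(wanted, text):
    """Hostnames from the block list that no valid hosts entry covers."""
    active, _ = lint_hosts(text)
    return [h for h in wanted if h.lower() not in active]

if __name__ == "__main__":
    wanted = [f"ads{i}.example.invalid" for i in range(1, 5)]
    for n, reason in lint_hosts(SAMPLE_HOSTS)[1]:
        print(f"line {n}: {reason}")
    print("still unblocked:", unblocked(wanted, SAMPLE_HOSTS))
```

Run against a copy of the real hosts file and the full ad-server list to see which names are still resolving normally.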