Is this site safe?

Some info first: I use an iMac running Chrome and OS X version 10.6.8.
A few days ago my cousin came over and wanted to go to neopets.com. Instead he went to www dot neoepets dot com. About 3 seconds later, when I saw his mistake, I exited the site. It didn't show the real site, just the plain white screen. I tried looking at different safe site checkers but it came with mixed info. C-sirt says it's malicious on VirusTotal but I don't know if it's correct. Could someone tell me if it's safe and free of random downloads/malware? I accessed the site on my iPod also, but the site looks different than what the image from a urlquery scan looks like. Help would be appreciated! Edited so the site was not able to be visited. Don't want other users getting infected.

Check your URLs here:

urlvoid.com
urlquery.net
sucuri.net
zulu.zscaler.com

I scanned the site. The image of the site from urlquery looks different than what I saw when I visited the site on my iPod, though. Also, could you look at the scans?
Links to scan: http://urlquery.net/report.php?id=252189
http://zulu.zscaler.com/submission/show/d82f1fe645fa9c8d6092c6282a945fdb-1354231995
http://urlvoid.com/scan/neoepets.com/
https://www.virustotal.com/url/5900b0ca0bc7617b4137245dd8f022a96a829e99a26f6d19018f97665abf0b51/analysis/1354232438/
http://www.UnmaskParasites.com/security-report/?page=www.neoepets.com

Is that C-sirt threat warning of CYSC.RED.CLICKFRAUD-1 on VirusTotal a false alarm or what? Also, what is that threat? Is it just telling me there is a link to a malicious site on that site? Also there's those earlier questions ^

I see an issue here, see: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Puzlice-A/detailed-analysis.aspx → this is for: pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js on that site,

Can anyone confirm?

polonus

I have Sophos for Mac (Home Edition) on my computer so I'll run a local drives scan to see if I have it. I shouldn't though, because I never downloaded anything unless it was a drive-by download.

See the scan results here for this malvertising site. Not a lot of scanners detect this malvertising, see at the bottom of the post for the frame domain…

Checking:htxp://dsparking.com/?epl=knKJX7BPJwXsNogTdPUrydwz4BwhoXCK5C5-siFixdRZphRCPTghJSFEUO9dLc4ZONmHk4iA4W2jcDOBhKgvZiUdrD6yLxjkWC0_EJbyfbrUnDIfTy1Tqj343BSxVuujekfEcXH4SaENlNihcq_zwRdUAw0AmdpINsmjGhQ8GajpSSbtqQb5qRqEACBg3O-_AADgfwEAAECAWwoAAO4ZcI5ZUyZZQTE2aFpCmAAAAPA
File size:44 bytes
File MD5:ff20b629c15604ed940eb8542849f3ba Very poor web reputation

htxp://dsparking.com/?epl=knKJX7BPJwXsNogTdPUrydwz4BwhoXCK5C5-siFixdRZphRCPTghJSFEUO9dLc4ZONmHk4iA4W2jcDOBhKgvZiUdrD6yLxjkWC0_EJbyfbrUnDIfTy1Tqj343BSxVuujekfEcXH4SaENlNihcq_zwRdUAw0AmdpINsmjGhQ8GajpSSbtqQb5qRqEACBg3O-_AADgfwEAAECAWwoAAO4ZcI5ZUyZZQTE2aFpCmAAAAPA - archive JS-HTML
htxp://dsparking.com/?epl=knKJX7BPJwXsNogTdPUrydwz4BwhoXCK5C5-siFixdRZphRCPTghJSFEUO9dLc4ZONmHk4iA4W2jcDOBhKgvZiUdrD6yLxjkWC0_EJbyfbrUnDIfTy1Tqj343BSxVuujekfEcXH4SaENlNihcq_zwRdUAw0AmdpINsmjGhQ8GajpSSbtqQb5qRqEACBg3O-_AADgfwEAAECAWwoAAO4ZcI5ZUyZZQTE2aFpCmAAAAPA - Ok very poor web reputation
The obfuscation directs to →
htxp://www.dsparking.com/?design_id=4&domainname=dsparking.com&a_id=14840

Checking:htxp://www.neoepets.com?epl=xJ1NlXEVHHAPHNFu-gWL2ZRTvzdCQuEUyV1oaFP0MRtmTJwktIpG8HrSCueLkoB9AGdrHnhyMPslRpA2RVKPIGdfnLaDE2qpIe9WgbHHaAMZMTU1M_UUQT1o0gxlRG_qqUgAIADco68AAGB_AQAAQIBbBgAA5dTvjVlTJllBMTZoWkJeAAAA8A
File size:46.50 KB
File MD5:aa0d660858e12ad1074ba5e25cc16f46

htxp://www.neoepets.com?epl=xJ1NlXEVHHAPHNFu-gWL2ZRTvzdCQuEUyV1oaFP0MRtmTJwktIpG8HrSCueLkoB9AGdrHnhyMPslRpA2RVKPIGdfnLaDE2qpIe9WgbHHaAMZMTU1M_UUQT1o0gxlRG_qqUgAIADco68AAGB_AQAAQIBbBgAA5dTvjVlTJllBMTZoWkJeAAAA8A - archive JS-HTML

htxp://www.neoepets.com?epl=xJ1NlXEVHHAPHNFu-gWL2ZRTvzdCQuEUyV1oaFP0MRtmTJwktIpG8HrSCueLkoB9AGdrHnhyMPslRpA2RVKPIGdfnLaDE2qpIe9WgbHHaAMZMTU1M_UUQT1o0gxlRG_qqUgAIADco68AAGB_AQAAQIBbBgAA5dTvjVlTJllBMTZoWkJeAAAA8A/JSTAG_1[522][727f] - Ok
htxp://www.neoepets.com?epl=xJ1NlXEVHHAPHNFu-gWL2ZRTvzdCQuEUyV1oaFP0MRtmTJwktIpG8HrSCueLkoB9AGdrHnhyMPslRpA2RVKPIGdfnLaDE2qpIe9WgbHHaAMZMTU1M_UUQT1o0gxlRG_qqUgAIADco68AAGB_AQAAQIBbBgAA5dTvjVlTJllBMTZoWkJeAAAA8A/JSTAG_2[1064][673d] - Ok
htxp://www.neoepets.com?epl=xJ1NlXEVHHAPHNFu-gWL2ZRTvzdCQuEUyV1oaFP0MRtmTJwktIpG8HrSCueLkoB9AGdrHnhyMPslRpA2RVKPIGdfnLaDE2qpIe9WgbHHaAMZMTU1M_UUQT1o0gxlRG_qqUgAIADco68AAGB_AQAAQIBbBgAA5dTvjVlTJllBMTZoWkJeAAAA8A/JSTAG_3[665f][1142] - Ok
htxp://www.neoepets.com?epl=xJ1NlXEVHHAPHNFu-gWL2ZRTvzdCQuEUyV1oaFP0MRtmTJwktIpG8HrSCueLkoB9AGdrHnhyMPslRpA2RVKPIGdfnLaDE2qpIe9WgbHHaAMZMTU1M_UUQT1o0gxlRG_qqUgAIADco68AAGB_AQAAQIBbBgAA5dTvjVlTJllBMTZoWkJeAAAA8A/JSTAG_4[7920][200] - Ok
htxp://www.neoepets.com?epl=xJ1NlXEVHHAPHNFu-gWL2ZRTvzdCQuEUyV1oaFP0MRtmTJwktIpG8HrSCueLkoB9AGdrHnhyMPslRpA2RVKPIGdfnLaDE2qpIe9WgbHHaAMZMTU1M_UUQT1o0gxlRG_qqUgAIADco68AAGB_AQAAQIBbBgAA5dTvjVlTJllBMTZoWkJeAAAA8A - Ok

Checking:htxp://www.neoepets.com/
Engine version:7.0.4.9250
Total virus-finding records:3424473
File size:1766 bytes
File MD5:96483d751c84dc60b301c7c10c6a31a8

hxp://www.neoepets.com/ - archive JS-HTML

htxp://www.neoepets.com//JSTAG_1[244][ea] - Ok
htxp://www.neoepets.com/ - Ok

Also placeholder code link: htxp://cdn.dsultra.com/js/main.js (this is malvertising hidden in a frame)

polonus

Here the malvertising fraud was missed completely. Reported there: http://zulu.zscaler.com/submission/show/d82f1fe645fa9c8d6092c6282a945fdb-1354318424

polonus

So what does this mean/what is it? I never really visited the site except on my iPod and when my cousin visited it accidentally, which I quickly exited out of. Am I infected?

Do you know if Sophos detects this? Also, is it just an advertisement that links to a malicious site or does it contain a drive-by download or something bad?

Still wondering about this if anyone can jump in and help.

Hi TuckerX,

Please be patient.

Polonus is the very next best thing to a wizard we have, and the work he is doing takes some bit of time. When he is finished analyzing and understands what he is seeing, he will report back here. User !Donovan is another one.

BTW, if nothing is obviously wrong with your system, try to worry a little less. It is when things begin not to work as they should, then action is called for to rectify or fix. I did ask him to have a look here, so far he has come through.

This is new stuff and rare, not looked for elsewhere by others, so…

Hi TuckerX and mchain,

The page is a so-called dsparking dot com hijack. This redirect affects the Internet Explorer and Firefox browsers; Google Chrome is not vulnerable.

Uninstall dsparking.com:

  1. Open Windows Control Panel.
  2. Choose Programs (Uninstall a Program).
  3. It will open a list of installed programs, find dsparking.com or any related term and click on ‘Uninstall’.

Remove dsparking.com in Internet Explorer:

  1. Open Internet Explorer.
  2. Go to Tools > Options.
  3. On General tab, proceed to “Change search defaults” and click the “Settings” button.
  4. You will see a list of search providers. Select your desired search provider and click the button “Set as default” to replace dsparking.com.
  5. You may now remove dsparking.com from the list.

Remove dsparking.com in Mozilla Firefox:

  1. Open Mozilla Firefox Internet Browser.
  2. On Google’s Search box, click the “arrow down” beside the logo.
  3. Select “Manage Search Engine” from the drop-down list.
  4. Choose your desired search default (like Google) and click the button “Move up.” It should be on the top of the list to set it as default.
  5. You can now remove other installed search engines.

Remove dsparking.com in Google Chrome:

  1. Open Google Chrome.
  2. Click on the Wrench icon on top right corner of the browser.
  3. Choose “Settings” from the drop down list.
  4. Select “Basics.”
  5. Click on “Manage search engines” under SEARCH settings area.
  6. Hover your mouse to a preferred search engine and click “Make default.”
  7. You can now remove dsparking.com by clicking on the X mark.

Manual removal information author: Xman23

But you could also follow the instructions here: http://forum.avast.com/index.php?topic=53253.0
and let any of our qualified removal experts look into the matter and help you with the removal of this search setting hijacking domain parking malware. At least one of them was alerted to this thread, so wait for him to come in and look into your provided logs,

polonus

Ok, well I have Google Chrome and Safari on my iMac but I visited the site on Chrome. So I just do those 7 steps you gave me to uninstall it? Will it just be one of the search options that I can just click the X on to delete (looking at steps 6 and 7)? Also, so it won't affect me/do anything because I only use Chrome and not FF or IE? I don't even have Windows on my computer also. Edit: did it install anything onto my computer or did it just change my search settings?

No, the check is safe. And yes, it is only the preferred search settings changed,

polonus

Sorry to ask so many questions (I don't know that much about redirects). But what about the site that does the redirecting (the website that I typed in that you said redirects you to a hijack)? Is that site safe or does it just do the redirecting to the bad site (the one with the search default changer)? And after seeing your post just now, I asked more than two questions, and what do you mean by the check is safe?

That site is doing the redirecting, yes, but only if you perform the typo to be redirected to the wrong typo site. So the redirect is only valid there where you go to the typo site. That is how devious it is. A normal domain parked site can be used for parking an undemanded search site to score a couple of additional ad click dollars. This is not so here, this is a domain park for a typo site. If you would have given in the site without a typo, no problem would have occurred. Ask a touchscreen pencil for Xmas and feel safer…
The check is safe is that that redirect only changed your default search settings (without your approval of course), that is all the "malware hijacker" did to let you go to their search site and earn on fraudulent clicks. It is all about money, you know…

polonus
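
Added example (not part of the thread and not any poster's code): a small Python check that flags hostnames one typing mistake away from a legitimate domain, the situation described above with neoepets versus neopets. The sample host list is constructed, and the function names and the simplified "www." stripping are assumptions of this example.

```python
# Added example, not from the thread: flag hostnames one edit away from a watched domain.
WATCHED = ["neopets.com"]          # the legitimate site named in the thread
SAMPLE_HOSTS = [                   # constructed sample, e.g. lines from a proxy or DNS log
    "www.neoepets.com",            # the typo domain discussed in the thread
    "neopets.com",
    "www.neopest.com",             # constructed: two letters swapped
    "example.org",
]

def normalize(host):
    """Lower-case and drop a leading 'www.' (simplified: no public-suffix handling)."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1 each."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]

def typo_kind(name, legit):
    """Describe a distance-1 typo by comparing lengths and differing positions."""
    if len(name) != len(legit):
        return "extra character" if len(name) > len(legit) else "missing character"
    diffs = sum(1 for x, y in zip(name, legit) if x != y)
    return "swapped characters" if diffs == 2 else "wrong character"

def flag_typos(hosts, watched=WATCHED):
    """Return (host, legit, kind) for every host exactly one edit from a watched domain."""
    hits = []
    for host in hosts:
        name = normalize(host)
        for legit in watched:
            if osa_distance(name, legit) == 1:
                hits.append((host, legit, typo_kind(name, legit)))
    return hits

if __name__ == "__main__":
    for host, legit, kind in flag_typos(SAMPLE_HOSTS):
        print(f"{host}: possible typo of {legit} ({kind})")
```

The exact-match host (distance 0) and unrelated hosts are not reported; only near misses are.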

Thanks for the help polonus! But I also visited a site before that seemed to be malicious. When I scanned the site, it said that there were malicious JavaScripts. The website is checkwebsitesafe dot com without the www. It also had annoying popups that were probably pay-per-click ads. All the info was either outdated or wrong also. I visited the site on my MacBook laptop but I spilled coffee/hot chocolate on it and it broke. I don't remember if I visited the site on this iMac so I want to be sure. I also scanned the iMac with Sophos and ClamXav (I had them on this computer already) and it found nothing. Links to the scan of the website are first, and then links to the scan of the website's scan that I visited (the website does scans to see if a site is safe or not using Webutation, Google Safe Browsing diagnostic etc.).
http://urlvoid.com/scan/checkwebsitesafe.com/
http://sitecheck.sucuri.net/results/checkwebsitesafe.com
http://zulu.zscaler.com/submission/show/a13f04f447c7457b42b5378d7d2a75bd-1354372705
http://urlquery.net/report.php?id=265499

and the 2nd one:
http://urlvoid.com/scan/checkwebsitesafe.com/
http://urlquery.net/report.php?id=265540
http://zulu.zscaler.com/submission/show/cb2e443ca64a247e91b0e93f92e550f3-1354372797

Could someone tell me if it's safe? It didn't seem safe. I don't know why Google would put that site on the second page when I searched for a website that could let me see if a link was safe or not.

Hi TuckerX,

What I get on that site is that it is a known scam and phish: http://www.mywot.com/en/scorecard/checkwebsitesafe.com?utm_source=addon&utm_content=popup-donuts
I get document.writeln(‘’); from htxp://bdv.bidvertiser.com/BidVertiser.dbm?pid%E2%89%88%20451302&bid%E2%89%88%201125316%22%20type%E2%89%88%20%22text/javascript%22 on that site
On BidVertiser hijacker, see: http://forum.avast.com/index.php?topic=98455.0
Read: http://khiaao.blogspot.nl/2011/03/virus-and-malware-in-bidvertiser-ads.html article author khiaao

Suspicious recently and now given clean: http://zulu.zscaler.com/submission/show/6804f063be09fd245f0b61bd8d9ae923-1354380473

Quttera has 1 potentially suspicious file:
Potentially Suspicious files: 1
all-include.js
File size [byte]: 141000
Threat type: Potentially Suspicious
Details: Detected potentially suspicious content.
Reason: Detected potentially suspicious initialization of function pointer to JavaScript method write __tmpvar20438881 = write; (this is linux code malware paths include /tmp, /var/tmp as we see here (remark from polonus))
MD5: 2FBC99E74E3C107DAFB60F637BEB1755
Scan duration [sec]: 1.017000
data from online Quttera scan for above website…

polonus

So what can you figure out about the site? Do you think I might have any malware from it? I never clicked on the BidVertiser ads from what I know.