Malicious Site warning

Hi all,

I was browsing some sites today and had two red warning boxes appear. Since I have many tabs open, it's hard to be sure which site these were from, but at the time of the first warning I was browsing hxttp://wxw.nzxt.com/new/products/crafted_series/guardian_921_rb and the other PC case pages.

Second warning came up when I was on hxttp://wxw.novatech.co.uk/products/components/cooling/fans/100mmplus/r4-lus-07ab-gp.html

Note: had multiple novatech pages open when both warnings came up, however was actively browsing nzxt when the first showed up.

Here are some logs I found:

09/12/2012 12:41:16 hxttp://static.nrelate.com/common_b/0.04.0/nrelate-panels-all.min.css [L] URL:Mal (0)
09/12/2012 12:42:44 hxttp://static.nrelate.com/ [L] URL:Mal (0)
09/12/2012 12:42:44 hxttp://static.nrelate.com/favicon.ico [L] URL:Mal (0)
09/12/2012 12:43:21 hxttp://static.nrelate.com/common_b/0.04.0/nrelate-panels-all.min.css [L] URL:Mal (0)
*

  • avast! Real-time Shield Scan Report
  • This file is generated automatically
  • Started on: Sunday, December 9, 2012 1:18:49 PM

09/12/2012 14:03:55 hxttp://c5.static.nrcdn.com/common_js/0.52.0/nr_loader.min.js [L] URL:Mal (0)
09/12/2012 14:04:49 hxttp://c5.static.nrcdn.com/common_js/0.5… [L] URL:Mal (0)
09/12/2012 14:04:49 hxttp://c5.static.nrcdn.com/favicon.ico [L] URL:Mal (0)
09/12/2012 14:05:57 hxttp://c5.static.nrcdn.com/common_js/0.52.0/nr_loader.min.js [L] URL:Mal (0)

I looked up nrelate and it seems to be to do with ads, stylesheet scripts maybe.

Does anyone know if these are just false positives and what they may have done? Thanks in advance.

Tonco.

Page has moved to htxp://nrelate.com → http://urlquery.net/queued.php?id=5136519
Also see: http://quttera.com/detailed_report/www.nzxt.com given as clean
as is http://zulu.zscaler.com/submission/show/a2e523d3b05dc5962d81dd2139f1a426-1355067004

For c5.static.nrcdn dot com/js/0.52.0/loader.min.js benign
[nothing detected] c5.static.nrcdn dot com/js/0.52.0/loader.min.js
status: (referer=http:/www.ask dot com/web?q=puppies)saved 39739 bytes 47a65f2f231eb1e2bc1021f11617dff1fd3d6ee2
info: [decodingLevel=0] found JavaScript
error: line:3: SyntaxError: unterminated string literal:
error: line:3: ;var d=document;nRelate=window.parent.nRelate;'+c.js+
error: line:3: …^
info: Decoding option navigator.systemLanguage=en and navigator.systemLanguage=zh-cn and browser=IE7/XP and browser=IE8/Vista and browser=Opera and browser=Firefox, 0 bytes
info: Decoding option navigator.systemLanguage=en and navigator.systemLanguage=zh-cn and browser=IE7/XP and browser=IE8/Vista and browser=Opera and browser=Firefox, 69 bytes
info: [decodingLevel=1] found JavaScript
I get a /*** called setTimeout with function () {b.acs({}); }, 5000 */ which is suspicious, and the referer ask dot com is suspicious…
My verdict: you got crappy search engine malware called “Ask dot com”.
File logs, see: http://forum.avast.com/index.php?topic=53253.0
and wait for a qualified removal expert to look into the logs you have filed.
He has been informed by me; you await his removal expertise…

polonus

It may well be, as polonus suggests, some search redirect, as I have visited both the nzxt and novatech links you gave using Firefox 17.0.1 and got no avast alerts. I couldn’t find any off-site reference to hxttp://static.nrelate.com or hxttp://c5.static.nrcdn.com/common_js/.

So it will require further investigation to see if you have some search engine malware.

Thank you both for looking into this for me.

Since they showed up I have run Malwarebytes and Avast full scans and neither found anything.

You’re welcome, but it certainly wouldn’t hurt to run the analysis tools as these things can be well hidden.

Hi tonco,

You are welcome. Do as DavidR also suggests. Both essexboy and I think you could have some code leftovers of an unwanted toolbar crap install attempt.
Provide essexboy with the logs requested via the link I gave you and wait for the analysis. Better safe than sorry, as we always say.

polonus