malware link

unitspybookukset.net/?subid=21521&subid1=16072409344365618767&subid2=1060&px.pluginh=1&tid=7&red=1&subid3=mnhadz&k=My%20Drive%20%20%20Google%20Drive%20more%20%2Bcandice%20drive%20account%20play%20news%20gmail%20bytes%20calendar%20shortcut%20youtube%20translate%20books%20blogger%20finance%20photos%20business%20docs%20search%20from%20google%20change%20photo%20maps%20privacy

Could one of you net gurus check this out for me?

Multiple redirections, therefore hard to follow. :wink:
http://zulu.zscaler.com/submission/show/7e6ce6a64e5ef8fd4fc8b81ffe850c11-1428312010
http://zulu.zscaler.com/submission/show/505b22baff2599197f35b641fa42410c-1428312110
http://zulu.zscaler.com/submission/show/edce2d03078354c927bbe30e4d96e0e3-1428312359
http://zulu.zscaler.com/submission/show/e8cdf021c7b31f86186d7cfad8ae667c-1428312385

Aye, I have a victim who has this attached to his Google Drive… Good old Google allows the bad boys to proliferate. I followed the link myself and it tried to install a fake Flash Player.

It seems to give a new redirect every time you enter; among the sites you get are fake scan sites saying your comp is infected and you need to call a tech support number.

see attached screenshot

Yep Pondus, tricky (social engineering) stuff.

This is a project (campaign) for POP adware developers' BHOs, posing as a Flash Player install etc.
Cleaning should be performed in Safe Mode; Task Manager processes should be cleansed as well as registry entries.
This could be performed under guidance of a qualified remover, because the computer may have malware hiding in memory that prevents normal start-up; also an IE proxy should be disabled. This is ADWARE/InstallCore.Gen7 for ye, or Adware.InstallCore.
Or this is also launched from there: Adware/InstallCore.PK.5 (another variant of InstallCore).
Also known to install SearchBuddy aka ConduitSearch junkware.

Re redirects via 13 name servers: htxp://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=http%3A%2F%2Fpayn.me%2F%3Fgroup_id%3D4%26dist_id%3D455%26channel%3Dssqf%26v%3Dicrs%26c%3D3abb50d1f219ba48bc664946d9d1b92a%26CID%3D04_35148568_57c36ca9-7b79-480a-a078-31d6f84bb12a%26AFID%3D106193_1955&useragentheader=&acceptheader=

htxp://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=htxp://staticem3afasf2fsafjlahshjfasfc7em.s3-website-us-east-1.amazonaws.com/lps/FlashTea2/images/dlm_test_security_icon1.gif&acceptheader=&useragentheader=

htxp://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=htxp://www.adobe.com/products/xmp/&acceptheader=&useragentheader=

This is where it finally gets to download: htxp://wwwimages.adobe.com/include/style/default/SearchBuddy.css eventually leading to system failure. SearchBuddy aka ConduitSearch - you need removal assistance from a qualified removal expert.

Only the main domain could be made to resolve, and here we see loads of nameservers from both Russia and Canada.
Name servers are without AAAA records. Maybe also zone transfers. Working on 7 different C class networks, so it is hard to tell where the nasties are served up from; see: http://network-tools.com/default.asp?prog=express&host=inlineonlinesafeupdates.org.
The Netcraft Website Report is clear with a risk rate of 9 reds out of 10: http://toolbar.netcraft.com/site_report/?url=+inlineonlinesafeupdates.org
It therefore should be blocked by Google Safe Browsing etc. - inlineonlinesafeupdates.org, ns1.reg dot ru, Ghosted.
ns1.reg dot ru is known to host Zeus and Feodo tracker entries, so it is being abused by criminals.

polonus
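The two analysis posts above walk a redirect chain hop by hop and note how the opening link stuffs product keywords into its query string. Below is an added example (not code from this thread or from the zulu/Netcraft tools) of doing that walk in Python without ever rendering a page: each hop's Location header is recorded, the body is discarded, the hop count is capped, loops are detected, and the distinct hosts are collected for lookups or a blocklist. The `fetch` callback is injectable, so the `.example` hosts in the test are constructed stand-ins rather than anything from the thread.

```python
"""Trace an HTTP redirect chain hop by hop without rendering any page."""
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urljoin, urlsplit

MAX_HOPS = 10  # malvertising chains are long; unbounded following is a trap


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx headers


def live_fetch(url, timeout=10):
    """One request, redirects not followed, body discarded: (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "redirect-tracer/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx and 4xx/5xx both land here
        return err.code, err.headers.get("Location")


def follow_chain(start_url, fetch=live_fetch, max_hops=MAX_HOPS):
    """Return [(url, status), ...] up to the first non-3xx hop, a loop, or the cap.
    `fetch` is injectable so the tracer can be run on captured hops offline."""
    hops, seen, url = [], {start_url}, start_url
    while len(hops) < max_hops:
        status, location = fetch(url)
        hops.append((url, status))
        if not (300 <= status < 400) or not location:
            break
        nxt = urljoin(url, location)  # Location may be relative
        if nxt in seen:
            break  # redirect loop
        seen.add(nxt)
        url = nxt
    return hops


def chain_domains(hops):
    """Distinct hosts in hop order, for reputation lookups or a blocklist."""
    hosts = []
    for url, _ in hops:
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def decode_params(url):
    """Decode the query string; the thread's opening link stuffs Google product
    keywords into k= so the landing page can mimic the victim's context."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
```

Run `follow_chain("http://...")` with the default `live_fetch` to trace a real link from a throwaway analysis box; nothing from any hop is executed.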

Turns out that Chrome was yet again subverted. Only a full uninstall, cleanup and re-install fixed it… Methinks Chrome should be avoided now until they clean up their act

I uninstalled Chrome long ago, along with all my security software with exceptions for MCShield and Malwarebytes (ODS).

Security starts and ends with you :-). And I’m still not affected by anything :-).

Agreed.

"Bottom line. Anything that makes large numbers of Internet users decide that clicking online advertisements could be a bad or dangerous thing threatens the current business model of almost every company that does business online."
In the light of all this who will any longer use a browser without a decent adblocker, that also can block compromised Google ads!

Quote from IT Security’s Michael Kassner