No announcement yet.

Fake AV Scanner redirection

  • Filter
  • Time
  • Show
Clear All
new posts

  • Fake AV Scanner redirection

    Before two weeks some users had reported redirection to fake AV scanner while browsing forum or searching .
    All files and folders from FTP have been transfered to local hard drive for scanning with following software :
    • Kaspersky Internet Security 2010
    • Microsoft Secuirty Essentials
    • Avast
    • AVG

    Kaspersky IS 2010 :


    All infected files contained Trojan Downloader JS Gumblar.a

    MS Essentials


    public_html_vietvbb contained Exploit:HTML/iframeRef.1

    Avast and AVG didn't reported anything after finishing with scanning.

    All infected files have been deleted from server but after few minutes redirect appeared again.

    Again all files and folders have been transfered to local disc for scaning (on different PC) and scanned,but there was no result (all files where clean).

    Scan with AV soft in cpanel didn't show anything suspicious.

    Diagnostic tools in admin cp (suspect file version) showed few non vb files (File not recognized as part of vBulletin) but that files are vbseo configuraton files and robots.txt (Note : They where scanner on third PC and no infection was found).

    Template search for suspicious codes didn't gave any result (only header template is modified for expanding).

    All vbulletin files where reuploaded 7 times ,but redirection didn't disapeard.

    Host support has been contacted and they deleted all content from my hosting web space.

    Original vb 3.8.4 where uploaded (and backuped db ),but after few minutes after login to admincp i was redirected to fake AV scanner.

    Example for Fake AV Scanner redirect : ScreenShoot

    Persons who had experienced fake av redirection on my forum where using opera at that time.

    For IE/Firefox/Chrome white page was the only result.

    I had PC Scanning task with few AV (Kaspersky,AVG,MS SE) and antispyware softwares (Spybot S&D and malwarebytes).
    No infected content wasn't found.

    Search for gumblar gaved me following result :

    select template from template where template like '%unescape%';
    Didn't helped.

    FTP password is created from mix of 17 random numbers and letters and every third day is changing .That didn't help.

    Redirect is still there ,

    Any suggestion is appreciated.

    Edit : links with Fake AV redirections where bestantispywarex (x - one number between 0 and 9),super-computer-scanner,my-computer-scanner.
    Note : Don't Open these "AV" links

    Last edited by RedkinGCRO; Sat 10 Oct '09, 10:23am. Reason: Update

  • #2
    I had a redirect issue a couple of days ago. After contacting my host it was cleared up pretty quickly. That would make me think it might be prudent for you to contact your host.


    • #3
      Originally posted by setishock View Post
      I had a redirect issue a couple of days ago. After contacting my host it was cleared up pretty quickly. That would make me think it might be prudent for you to contact your host.
      I did that already (request for inspecting my web disc & scaning files/ folders for spyware / trojans / virus or any infected file),they closed access to my website and scanned,and after few hours i got reply in mail form from their support team ,all files are ok .

      This fake scanners are showing only to users who are on Opera browser ,on firefox ,internet explorer and chrome you don't get any scanner redirection


      • #4
        Update : in images folder there was a file called gifimg.php.
        After opening that file with notepad there was following line .


        widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.