reboot.pro infected?



10-09-2013, 07:03 AM #1
Adys
Junior Member
**
Posts: 13 Threads:1 Joined: Oct 2013 Reputation: 0

reboot.pro infected?
Hello,

I use Windows Vista w/sp2 x32 up-to-date, IE 9, Avast Antivirus.

I "clean up" IE previous data (cookies, browser history, etc.), for example with ccleaner.

Then I open reboot.pro with IE. Since I cleaned up all prior traces, the behavior is equivalent to visiting the site for the first time as unregistered user.

Avast warns me about a malicious url blocked, with the form of (I am intentionally spanning the url in separated lines):

Code:
http:\\
alnera
dot
eu
<some_code>
.js?cp=
reboot.pro


The exact values (numbers and letters) before ".js?cp" change each time.

Checking alnera d o t eu in
Code:
www.virustotal.com/en/#url
I get at least 2 partial warning reports.

The initial warning from Avast only happens once (after each IE "clean up").

Opening additional pages / topics in reboot.pro won't trigger the warning again. Only by cleaning up IE and opening reboot.pro again, I can trigger the Avast warning once again.

The warning only shows up under this situation, so registered users (even those using Avast) won't see the warning.

I don't see such warning in any other site I visit. Not even if I clean up IE again before visiting each and every other site.

This warning showed up in my system for the first time some 3 weeks ago, and I can reproduce the same behavior each time I try it since then.

Is reboot.pro "infected"?

TIA,
Ady.

10-09-2013, 02:11 PM #2
Morpheus
Member
**
Posts: 228 Threads:44 Joined: Sep 2011 Reputation: 5

RE: reboot.pro infected?
I have Kaspersky Internet Security and have not had such a situation reported.


Great coders aren't born. They're compiled and released.
Expert coders do not need a keyboard. They just throw magnets at the RAM chips.

10-09-2013, 06:47 PM #3
Adys
Junior Member
**
Posts: 13 Threads:1 Joined: Oct 2013 Reputation: 0

RE: reboot.pro infected?
Do you mean you actually tried to replicate the whole case (IE "cleaned up",...)?

Since I don't have any problems with this system, and reboot.pro is the only site triggering this warning for me, at first I thought about some possible false positive. But given the consistent report in virustotal.com and Avast for at least 3 weeks...

My guess is that a better way to identify the problem would be to log and "read" any and all attempted network connections when opening reboot.pro "for the first time" with IE. Hopefully, there is someone here with the knowledge and resources to do it and report some feedback.

TIA,
Ady.

10-09-2013, 10:06 PM #4
AceInfinity
Developer
*******
Administrators
Posts: 9,733 Threads:1,026 Joined: Jun 2011 Reputation: 76

RE: reboot.pro infected?
(10-09-2013, 07:03 AM)Adys Wrote:  Hello,

I use Windows Vista w/sp2 x32 up-to-date, IE 9, Avast Antivirus.

I "clean up" IE previous data (cookies, browser history, etc.), for example with ccleaner.

Then I open reboot.pro with IE. Since I cleaned up all prior traces, the behavior is equivalent to visiting the site for the first time as unregistered user.

Avast warns me about a malicious url blocked, with the form of (I am intentionally spanning the url in separated lines):

Code:
http:\\
alnera
dot
eu
<some_code>
.js?cp=
reboot.pro


The exact values (numbers and letters) before ".js?cp" change each time.

Checking alnera d o t eu in
Code:
www.virustotal.com/en/#url
I get at least 2 partial warning reports.

The initial warning from Avast only happens once (after each IE "clean up").

Opening additional pages / topics in reboot.pro won't trigger the warning again. Only by cleaning up IE and opening reboot.pro again, I can trigger the Avast warning once again.

The warning only shows up under this situation, so registered users (even those using Avast) won't see the warning.

I don't see such warning in any other site I visit. Not even if I clean up IE again before visiting each and every other site.

This warning showed up in my system for the first time some 3 weeks ago, and I can reproduce the same behavior each time I try it since then.

Is reboot.pro "infected"?

TIA,
Ady.

Reboot.Pro is definitely not infected. Understand that even posted images from certain web hosts can cause browsers to trigger such warnings as well. All it takes is one little image from a known attack site, even though it may not pose a threat at all, for you to see a warning.

Code:
<some_code>

Can you post an example of what is really in place of this substitution?


Microsoft MVP .NET Programming - (2012 - Present)
®Crestron DMC-T Certified Automation Programmer

Development Site: aceinfinity.net

 ▲
 ▲ ▲

10-10-2013, 02:56 AM #5
Adys
Junior Member
**
Posts: 13 Threads:1 Joined: Oct 2013 Reputation: 0

RE: reboot.pro infected?
(10-09-2013, 10:06 PM)AceInfinity Wrote:  Reboot.Pro is definitely not infected. Understand that even posted images from certain web hosts can cause browsers to trigger such warnings as well. All it takes is one little image from a known attack site, even though it may not pose a threat at all, for you to see a warning.

Well, the technical, more accurate description might not be that reboot.pro itself is in fact "infected", but from the user's point of view, when reboot.pro is opened, the attempt to connect to some suspicious site is triggered. My intention is for this attempt (to connect) to stop (whatever is triggering it).

Quote:
Code:
<some_code>

Can you post an example of what is really in place of this substitution?

Sure (I am intentionally posting the code in several separated lines):
Code:
http://
alnera
dot
eu/
3D636A12
.js?cp=
reboot.pro

BTW, in virustotal.com, Kaspersky doesn't "catalog" the site in _any_ way, while Comodo and BitDefender have more serious classifications for it (among the 4 engines in virustotal.com that have some level of distrust about it). Just check the mentioned suspicious site in virustotal.com.

TIA,
Ady.
This post was last modified: 10-10-2013, 03:00 AM by Adys.

10-10-2013, 04:10 PM #6
Mazzn
ლ(ಠ益ಠლ)
*******
Administrators
Posts: 198 Threads:16 Joined: Sep 2013 Reputation: 19

RE: reboot.pro infected?
I just tested the same setup you have. Since I don't use Internet Explorer at all, it should've been like I opened TLF for the first time; avast! didn't do anything. Also cleared cookies to be safe.

However when I open alnera*eu manually, avast! gives me a warning and blocks it.

Make sure it's nothing on your end. A toolbar, some addon, I don't know. Try it on a second computer if you can, and check the source code for the URL, too. I don't have any issues and hope you can get it resolved!

Maybe if you look at the source code we can find out where the URL is coming from and why it is there, since a test didn't reveal anything on my end.

(Sorry I'm kinda drunk (on a Thursday which is even worse) and I hope my sentences are readable) <-- blame the glider pilot's club
This post was last modified: 10-10-2013, 04:11 PM by Mazzn.
Visit me at mazzn.net & blog.mazzn.net!
//This is very important :)

Self.KeepImproving(true);


10-10-2013, 07:59 PM #7
Adys
Junior Member
**
Posts: 13 Threads:1 Joined: Oct 2013 Reputation: 0

RE: reboot.pro infected?
I don't have any IE add-ons enabled. The add-ons that are installed but still disabled are the most common ones, from Microsoft, Adobe and Oracle. I don't have toolbars of any sort (not even installed).

I use IE 9 up-to-date. This is not IE 10, but version 9 is still maintained. The OS is up-to-date.

Since I receive this warning only when opening "for the first time", and nowhere else and at any other occasion, my guess is that in order to trigger this warning from Avast, some specific settings are involved.

In this regard, I "clean up" IE with CCleaner (in addition to the normal "delete" options of IE). Other than the version of IE and using CCleaner, perhaps some "higher" (i.e. "stricter") setting in Avast, or some IE setting is different in my system.

Regarding the source, I opened the source of the main page of reboot.pro (3 weeks ago already). I searched for "alnera", but found nothing.

Of course I can't really discard the possibility that this is something in my particular system and not related to reboot.pro in some way. If there were any other symptoms or signs of such a case, I would have mentioned it.

Since this warning shows up only in some security tools (not all, according to virustotal), and only "the first time" reboot.pro is opened in IE, registered users of reboot.pro are most likely not seeing this behavior. And some "first-time" unregistered "user" that might see this warning won't report about it (it is more likely for such a user to fly away from the site).

As a reminder, this warning was not showing up before, so "something" changed around 3 weeks ago. Either Avast added this detection, or some kind of code changed in the "ads" in reboot.pro, or in some server related to reboot.pro (or, doubly IMHO, in my system).

Unless someone can replicate this behavior, or can "log" all attempted connections under a similar situation and settings (javascript, java, each and all IE settings), I don't see how this can be resolved.

TIA,
Ady

10-11-2013, 09:59 AM #8
Florin
Junior Member
Team Reboot
Posts: 456 Threads:71 Joined: Dec 2011 Reputation: 14

RE: reboot.pro infected?
It occurs when accessing reboot.pro or tech.reboot.pro?

And yeah, a better way for you would be to capture the traffic and upload the captured *.pcap file somewhere here to be analysed (maybe with the Wireshark application?).

10-11-2013, 09:43 PM #9
AceInfinity
Developer
*******
Administrators
Posts: 9,733 Threads:1,026 Joined: Jun 2011 Reputation: 76

RE: reboot.pro infected?
Hmm, interesting. Thanks for the mention though Adys. I will take a further look over the weekend, and perhaps raise this thread's visibility to Nuno Brito as well.

Right now doing investigative work wouldn't do much good on my end. I had a 14 hour day of work yesterday, only to get up at 4AM again today and start it all over with a 12 hour day full of calls to tech support and issues with integrating old technology with new technology.

Your efforts to help are appreciated however.

cheers


Microsoft MVP .NET Programming - (2012 - Present)
®Crestron DMC-T Certified Automation Programmer

Development Site: aceinfinity.net

 ▲
 ▲ ▲

10-12-2013, 01:40 AM #10
Adys
Junior Member
**
Posts: 13 Threads:1 Joined: Oct 2013 Reputation: 0

RE: reboot.pro infected?
@Florin,
The warning is triggered _only_ when opening "for the first time" reboot.pro. Any other site I visit, including tech.reboot.pro, is OK.
Regarding capturing and analyzing the traffic by myself, I don't have the knowledge.

@AceInfinity,
Nuno knows.

@All
I'm hoping someone can eventually find out what's going on. If there are steps to follow, please let me know.

TIA,
Ady.
This post was last modified: 10-12-2013, 01:41 AM by Adys.
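
Added example, not part of the original thread: once a first visit has been captured as suggested above, the Referer headers show which resource pulled in a script that does not appear in the page source. The sketch below assumes the capture has already been reduced to (URL, Referer) pairs; every host, path and helper name in it is a constructed placeholder.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: (request URL, Referer header) pairs from one first visit.
# All hosts and paths are placeholders, not values taken from a real capture.
CAPTURE = [
    ("http://forum.example/", None),
    ("http://forum.example/jscripts/general.js", "http://forum.example/"),
    ("http://ads.example/show.js?zone=7", "http://forum.example/"),
    ("http://ads.example/frame.html?zone=7", "http://forum.example/"),
    ("http://flagged.example/0A1B2C3D.js?cp=forum.example",
     "http://ads.example/frame.html?zone=7"),
    ("http://img.example/banner.png", "http://forum.example/"),
]

def same_site(hostname, site):
    """True if hostname is the visited site or one of its subdomains."""
    return hostname == site or hostname.endswith("." + site)

def third_party_scripts(capture, site):
    """URLs of .js requests that went to hosts outside the visited site."""
    found = []
    for url, _referer in capture:
        parts = urlsplit(url)
        if parts.path.endswith(".js") and not same_site(parts.hostname, site):
            found.append(url)
    return found

def referer_chain(capture, url):
    """Walk Referer headers back from url toward the page that started the load."""
    referers = dict(capture)
    chain = [url]
    # Stop when a request has no Referer or the chain would loop.
    while referers.get(chain[-1]) and referers[chain[-1]] not in chain:
        chain.append(referers[chain[-1]])
    return chain

def passes_site_name(url, site):
    """True if a query parameter hands the visited site's name to another host."""
    values = [v for vs in parse_qs(urlsplit(url).query).values() for v in vs]
    return site in values

def report(capture, site):
    """Map each third-party script to its load chain and site-name flag."""
    return {u: (referer_chain(capture, u), passes_site_name(u, site))
            for u in third_party_scripts(capture, site)}

if __name__ == "__main__":
    for url, (chain, flagged) in report(CAPTURE, "forum.example").items():
        print(("[site name in query] " if flagged else "") + " <- ".join(chain))
```

A chain that ends at an ad or widget host rather than at the forum page itself points at third-party content as the source. Requests sent without a Referer end the chain early, so a short chain is not proof that the page requested the script directly.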



