The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Did NBR give me a virus on my Mac?!?!

    Discussion in 'Apple and Mac OS X' started by PopRoxMimo3, Sep 23, 2010.

  1. PopRoxMimo3

    PopRoxMimo3 Notebook Deity

    Reputations:
    82
    Messages:
    1,090
    Likes Received:
    1
    Trophy Points:
    56
  2. Nick

    Nick Professor Carnista

    Reputations:
    3,870
    Messages:
    4,089
    Likes Received:
    649
    Trophy Points:
    181
    Of course they gave you a virus, they're evil, and want SS number, credit card password (they already have the number), and your PayPal password.
    BEWARE OF NBR, THEY ARE TRYING TO STEAL OUR LIVES

    Naw, just kidding, maybe NBR is infected or something
     
    Last edited by a moderator: May 8, 2015
  3. PopRoxMimo3

    PopRoxMimo3 Notebook Deity

    Reputations:
    82
    Messages:
    1,090
    Likes Received:
    1
    Trophy Points:
    56
    I knew it!!!!

    No but seriously, I click on NBR and that dialog box pops up, hit cancel and the fake scan happens.
     
  4. pbcustom98

    pbcustom98 Goldmember

    Reputations:
    405
    Messages:
    1,654
    Likes Received:
    0
    Trophy Points:
    55
    That isn't NBR. It has the wrong IP.


    mbp:~ Daniel$ ping _www.notebookreview.com_
    PING _www.notebookreview.com_ (75.126.235.189): 56 data bytes
    64 bytes from 75.126.235.189: icmp_seq=0 ttl=113 time=51.862 ms
    64 bytes from 75.126.235.189: icmp_seq=1 ttl=113 time=50.021 ms
    64 bytes from 75.126.235.189: icmp_seq=2 ttl=113 time=49.965 ms
    64 bytes from 75.126.235.189: icmp_seq=3 ttl=113 time=50.288 ms
    64 bytes from 75.126.235.189: icmp_seq=4 ttl=113 time=49.689 ms
    64 bytes from 75.126.235.189: icmp_seq=5 ttl=113 time=56.774 ms
    64 bytes from 75.126.235.189: icmp_seq=6 ttl=113 time=50.096 ms
    ^C
    --- _/www.notebookreview.com_ ping statistics ---
    7 packets transmitted, 7 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 49.689/51.242/56.774/2.353 ms
    mbp:~ Daniel$
     
  5. doh123

    doh123 Without ME its just AWESO

    Reputations:
    996
    Messages:
    3,727
    Likes Received:
    1
    Trophy Points:
    106
    If I was you... and you're serious.. and that picture is really from your computer... and you didn't go to that IP address and port on purpose... I'd check to see if I had some malware changing my DNS settings to a hacker server.
     
  6. DboogieC

    DboogieC Notebook Deity

    Reputations:
    580
    Messages:
    1,010
    Likes Received:
    0
    Trophy Points:
    0
    Mac and virus? I thought I'd never see the day!
     
  7. Greg

    Greg Notebook Nobel Laureate

    Reputations:
    7,857
    Messages:
    16,212
    Likes Received:
    58
    Trophy Points:
    466
    You need to ping forum.notebookreview.com to get the IP address for the forum. That being said I'm reporting this thread to see if we can get any input from the admins.
     
  8. pbcustom98

    pbcustom98 Goldmember

    Reputations:
    405
    Messages:
    1,654
    Likes Received:
    0
    Trophy Points:
    55
    Good call. This is me pinging forum.notebookreview.com


    Last login: Thu Sep 23 19:10:07 on console
    mbp:~ Daniel$ ping _forum.notebookreview.com_
    PING forum.notebookreview.com (67.228.47.50): 56 data bytes
    64 bytes from 67.228.47.50: icmp_seq=0 ttl=52 time=56.256 ms
    64 bytes from 67.228.47.50: icmp_seq=1 ttl=52 time=57.109 ms
    64 bytes from 67.228.47.50: icmp_seq=2 ttl=52 time=59.593 ms
    64 bytes from 67.228.47.50: icmp_seq=3 ttl=52 time=59.505 ms
    64 bytes from 67.228.47.50: icmp_seq=4 ttl=52 time=54.638 ms
    ^C
    --- _forum.notebookreview.com_ ping statistics ---
    5 packets transmitted, 5 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 54.638/57.420/59.593/1.911 ms
    mbp:~ Daniel$

    I inserted underscores before and after the URL so it doesn't change it to links.
     
  9. PopRoxMimo3

    PopRoxMimo3 Notebook Deity

    Reputations:
    82
    Messages:
    1,090
    Likes Received:
    1
    Trophy Points:
    56
    How do I go about pinging? I mean, what do I do?

    I use a Linksys WRT54G router/wireless point. The thing popped up when it was plugged in.
     
  10. Kaelang

    Kaelang Requires more Witcher.

    Reputations:
    717
    Messages:
    1,210
    Likes Received:
    0
    Trophy Points:
    55
    Pinging forum.notebookreview.com [67.228.47.50] with 32 bytes of data:
    Reply from 67.228.47.50: bytes=32 time=43ms TTL=51
    Reply from 67.228.47.50: bytes=32 time=46ms TTL=51
    Reply from 67.228.47.50: bytes=32 time=44ms TTL=51
    Reply from 67.228.47.50: bytes=32 time=43ms TTL=51
     
  11. jubbing

    jubbing Notebook Deity

    Reputations:
    243
    Messages:
    852
    Likes Received:
    1
    Trophy Points:
    31
    You're kidding right? Macs aren't virus free anymore lol.
     
  12. Xirurg

    Xirurg ORLY???

    Reputations:
    3,189
    Messages:
    7,375
    Likes Received:
    3
    Trophy Points:
    206
    ^ so cool, right?
     
  13. pjshots

    pjshots Notebook Consultant

    Reputations:
    23
    Messages:
    124
    Likes Received:
    0
    Trophy Points:
    30
    It's fake, people! A scam to get you to download a piece of spyware. I see these sometimes on other users' machines, don't know how they appear but can do when you visit sites.

    Besides.... Since when does a mac call its disks Local Disk C, Local Disk D, etc?!
     
  14. Jervis961

    Jervis961 Hall monitor

    Reputations:
    558
    Messages:
    952
    Likes Received:
    0
    Trophy Points:
    30
    I also noticed that the trojans are Windows ones (Win32). Typical scare tactic to trick people into a scam. I know a few people who have fallen for it.
     
  15. fgielow

    fgielow Notebook Enthusiast

    Reputations:
    0
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    15
    Code:
    fernando@Gielow:~$ nslookup 187.36.73.182
    
    Non-authoritative answer:
    182.73.36.187.in-addr.arpa	name = bb2449b6.virtua.com.br.
    
    Authoritative answers can be found from:
    


    Apparently it is a scam hosted by someone from Brazil (not me lol), who uses NET Virtua as their ISP.

    Or is my guessing wrong?
     
  16. GadgetsNut

    GadgetsNut Notebook Evangelist

    Reputations:
    187
    Messages:
    493
    Likes Received:
    15
    Trophy Points:
    31
    Yeah it's a fake. My Network Places? Control Panel??? This is one of those fake popups for Windows, you click on it and THEN your system will be infested. Many people fall for this - I've had to help a few clean their systems.

    Whoever wrote it wasn't sophisticated enough to detect OSX and show a popup "customized" for the Mac ;)

     
  17. doh123

    doh123 Without ME its just AWESO

    Reputations:
    996
    Messages:
    3,727
    Likes Received:
    1
    Trophy Points:
    106
    I had one pop up one time that made it look like a Windows XP Explorer window and a test virus scan that ran through saying it found all types of problems... funny since I was on OSX and had no VM running or anything, but if I had been on XP it would have looked real.
     
  18. fgielow

    fgielow Notebook Enthusiast

    Reputations:
    0
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    15
    People use this kind of scam for two things, generally.
    1) try to sell you an anti-virus
    2) try to infect you

    But I think it cannot do harm to Mac OS X, since it is obviously intended to affect Windows :p
     
  19. PopRoxMimo3

    PopRoxMimo3 Notebook Deity

    Reputations:
    82
    Messages:
    1,090
    Likes Received:
    1
    Trophy Points:
    56
    What I wonder is how it got there. I clicked on my NBR bookmark and it popped up.
     
  20. Kaelang

    Kaelang Requires more Witcher.

    Reputations:
    717
    Messages:
    1,210
    Likes Received:
    0
    Trophy Points:
    55
    It sounds like a redirect spyware or virus.
    I don't know if there are free scanners for Macs but you might want to err on the side of safety. Never get too comfortable.
     
  21. fgielow

    fgielow Notebook Enthusiast

    Reputations:
    0
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    15
    Actually, it doesn't seem a reason for much concern to me..

    This website was intended to attack Windows, the only weird thing is how it popped up on your screen :p This kind of website has appeared several times to me, but I am currently running Linux, so, whatever.

    I don't think that whoever hosts this website would do a DNS attack so that they get other names to point to their IP address. Also, I don't know how feasible it is for anyone to change the hosts file in Mac OS X.

    Normally (I THINK, not entirely sure, but I am pretty convinced lol), OSes have a file in which you can store a name and its corresponding IP, so that this configuration is checked before consulting the DNS - if someone can mess with that file, it would be easier and as effective as a DNS attack. If I am talking bull, someone please correct me.


    And sorry if I was unclear, my English was getting rusty. lol xD




    Fernando
     
  22. Kaelang

    Kaelang Requires more Witcher.

    Reputations:
    717
    Messages:
    1,210
    Likes Received:
    0
    Trophy Points:
    55
    If his bookmark has the correct URL (forum.notebookreview.com), then something redirected him to that page. Sounds like something on his end, since no-one else is reporting this.
     
  23. Seshan

    Seshan Rawrrr!

    Reputations:
    540
    Messages:
    1,989
    Likes Received:
    0
    Trophy Points:
    55
    Are you on wifi? Is it secure? It could have been a possible MITM attack.
     
  24. PopRoxMimo3

    PopRoxMimo3 Notebook Deity

    Reputations:
    82
    Messages:
    1,090
    Likes Received:
    1
    Trophy Points:
    56
    It popped up when I was plugged into the router, but never popped up when I was using the wifi.
     
  25. doh123

    doh123 Without ME its just AWESO

    Reputations:
    996
    Messages:
    3,727
    Likes Received:
    1
    Trophy Points:
    106
    You really should check if your router or computer has compromised DNS servers set, and not your ISP's default.
     
  26. PopRoxMimo3

    PopRoxMimo3 Notebook Deity

    Reputations:
    82
    Messages:
    1,090
    Likes Received:
    1
    Trophy Points:
    56
    no idea on how to do that
     
  27. PopRoxMimo3

    PopRoxMimo3 Notebook Deity

    Reputations:
    82
    Messages:
    1,090
    Likes Received:
    1
    Trophy Points:
    56
    Just happened again... right after I hooked up to the router.

    [​IMG]
     
  28. fgielow

    fgielow Notebook Enthusiast

    Reputations:
    0
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    15
    It popped up from nothing, or did you try entering a website, then it appeared?
     
  29. Kaelang

    Kaelang Requires more Witcher.

    Reputations:
    717
    Messages:
    1,210
    Likes Received:
    0
    Trophy Points:
    55
    Does this happen on wireless networks?
    If it happens regardless of the network, it appears you have a deeper problem.

    I blame Facebook.
     
  30. PopRoxMimo3

    PopRoxMimo3 Notebook Deity

    Reputations:
    82
    Messages:
    1,090
    Likes Received:
    1
    Trophy Points:
    56
    I clicked the Facebook bookmark and it happened.

    I just shut off the wireless router and hooked up my Mac to the CLEAR modem directly.
     
  31. PopRoxMimo3

    PopRoxMimo3 Notebook Deity

    Reputations:
    82
    Messages:
    1,090
    Likes Received:
    1
    Trophy Points:
    56
    I was at my college, used the WiFi, no pop up.
    This pop up happens, I believe, only when I use the router.
     
  32. Kaelang

    Kaelang Requires more Witcher.

    Reputations:
    717
    Messages:
    1,210
    Likes Received:
    0
    Trophy Points:
    55
    If you can, try a different network, like a McDonald's if there's one near you.
    Unless there's a better way to determine what's going on here, which I'm sure there is.
     
  33. fgielow

    fgielow Notebook Enthusiast

    Reputations:
    0
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    15
    You know how to enter your router configuration and change its DNS?
    Try using OpenDNS.

    Use 208.67.222.222 as primary mirror
    and 208.67.220.220 as secondary

    (source: OpenDNS | Internet Navigation And Security)

    Just remember to take note of the IPs you were using as DNS before, in case you want to switch back.

    If it is your ISP that provides your DNS and you can't change it, then it is either their DNS fault, or, it is nothing related to DNS (I say this because before this website appeared as NBR, and now it appeared as Facebook, ?).



    Ah, another thing.
    Are you able to access Facebook if you try again, or do you end up accessing this website EVERY TIME you try to access Facebook?
     
  34. Nick

    Nick Professor Carnista

    Reputations:
    3,870
    Messages:
    4,089
    Likes Received:
    649
    Trophy Points:
    181
    Why are you worried, the pop up is for a PC and you have a Mac :)
     
  35. fgielow

    fgielow Notebook Enthusiast

    Reputations:
    0
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    15
    I think that this thing will do no harm, either. Buuut. It is annoying xD If it happened to me I would try to get rid of it too hahahaha
     
  36. Kaelang

    Kaelang Requires more Witcher.

    Reputations:
    717
    Messages:
    1,210
    Likes Received:
    0
    Trophy Points:
    55
    If it's not his network that's causing the issue, obviously it's something on his computer.
    Regardless of what it looks like, it can still be harmful.

    Nothing has been ruled out by the OP, far as I can tell.

    I googled that message from the screenshot:
    http://forums.cnet.com/5208-6122_102-0.html?threadID=341855
    https://www.microsoft.com/security/...edia/Entry.aspx?Name=Worm:Win32/Prolaco.gen!B

    Seems like you have the symptoms of a scam thing. I'm slightly confused.
    http://answers.yahoo.com/question/index?qid=20090131191758AAjsqmG

    I guess it won't hurt you, but I still wouldn't be comfortable leaving it alone. Eradicate it!
     
  37. unnamed01

    unnamed01 Notebook Deity

    Reputations:
    194
    Messages:
    982
    Likes Received:
    0
    Trophy Points:
    30
    Just play more Starcraft 2. Looks like one of those "YOU 34789 VIRUS' CLICK HERE TO REMOVE!" things.
     
  38. Sladerade

    Sladerade Notebook Consultant

    Reputations:
    168
    Messages:
    229
    Likes Received:
    6
    Trophy Points:
    31
    Let me get this straight, when you go straight into the Clear modem you have no pop up ad? But when you hook up to YOUR wireless router you get the pop up ads?

    If that's the case someone managed to get into your wireless router and change the routing of the DNS server that is provided by Clear.

    In layman's terms, your router was hacked into and they changed the DNS server IP address. So no matter what site you go to, it provides their crap that they have linked to. (This is only if it's with YOUR wireless router.)

    If that is the problem, do a hard reset on your wireless router. Push the reset button for 30 seconds, keep holding and unplug the power and keep holding it for another 30 sec, then plug in the power and still keep holding it for another 30 seconds. Total of 90 seconds holding down the reset button to do a hard reset.

    If it does this on other wireless networks, ex. Starbucks (now free), a friend's house, school campuses and any other place you can get internet, then you have a problem internally. Either it's a trojan or a program that you installed that can change your DNS setting in your system preferences.
     
  39. Kaelang

    Kaelang Requires more Witcher.

    Reputations:
    717
    Messages:
    1,210
    Likes Received:
    0
    Trophy Points:
    55
    That's kinda where I was going, but no-one seems to think it's a big deal. I figured if it's something on his computer that's changing settings or something, it doesn't matter if you have OS X or not, you have a problem, the problem is evident. Something has already gone wrong.

    Of course, if it's just the router, you're fine. Do the reset if you can and see if it goes away, or try a different network.
     
  40. DJRiful

    DJRiful Notebook Consultant

    Reputations:
    23
    Messages:
    289
    Likes Received:
    0
    Trophy Points:
    30
    Why So Serious?
     
  41. doh123

    doh123 Without ME its just AWESO

    Reputations:
    996
    Messages:
    3,727
    Likes Received:
    1
    Trophy Points:
    106
    A compromised DNS server on your set up is always a big deal.

    A DNS server is where address look up happens. When you type something in like "http://www.notebookreview.com" it has no idea what that means or how to get there... it checks with your DNS server, and the DNS server says... oh here's the actual real address to there... so you can get there. If your DNS server is compromised, your life can get a mess. They can redirect to phishing sites and steal all types of info from you. Say you go to your bank website, or PayPal or anything directly by typing in the right URL... it can be a totally fake website that looks real... as soon as you type in a user name and password... it's stolen. Now some criminals have your log ins and do whatever they want with them.
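
The two local checks raised in this thread (the hosts file that is consulted before DNS, and which DNS servers the machine is actually using), written out as an added example that is not part of any poster's message. It assumes hosts-file and resolv.conf-style text as input; the function names are hypothetical, the trusted list is the pair of OpenDNS addresses quoted earlier in the thread, and the sample data is constructed.

```python
import ipaddress

# Resolvers recommended in the thread (OpenDNS); anything else needs a second look.
TRUSTED = {"208.67.222.222", "208.67.220.220"}
# RFC 1918 ranges: a resolver in one of these is normally your own router.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
STOCK_NAMES = {"localhost", "broadcasthost"}  # names found in a default hosts file

def _fields(line):
    return line.split("#", 1)[0].split()  # drop a trailing comment, then split

def hosts_overrides(hosts_text):
    """Return {name: ip} for hosts-file entries that redirect a real hostname."""
    found = {}
    for line in hosts_text.splitlines():
        fields = _fields(line)
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; ignore the line
        if ip.is_loopback:
            continue
        for name in fields[1:]:
            if name.lower() not in STOCK_NAMES:
                found[name.lower()] = str(ip)
    return found

def classify_resolvers(resolv_text, trusted=TRUSTED):
    """Label each 'nameserver' entry as trusted, router, unknown or invalid."""
    labels = {}
    for line in resolv_text.splitlines():
        fields = _fields(line)
        if len(fields) != 2 or fields[0] != "nameserver":
            continue
        try:
            ip = ipaddress.ip_address(fields[1])
        except ValueError:
            labels[fields[1]] = "invalid"
            continue
        if str(ip) in trusted:
            labels[str(ip)] = "trusted"
        elif any(ip in net for net in LAN_NETS):
            labels[str(ip)] = "router"   # next, check the DNS set on the router
        else:
            labels[str(ip)] = "unknown"  # a public resolver nobody chose
    return labels

# Constructed sample input; 203.0.113.0/24 is a documentation-only range.
SAMPLE_HOSTS = """\
127.0.0.1        localhost
255.255.255.255  broadcasthost
::1              localhost
203.0.113.7      forum.notebookreview.com www.facebook.com  # planted entry
"""
SAMPLE_RESOLV = """\
nameserver 192.168.1.1
nameserver 203.0.113.53
nameserver 208.67.222.222
"""

if __name__ == "__main__":
    print(hosts_overrides(SAMPLE_HOSTS), classify_resolvers(SAMPLE_RESOLV))
```

A "router" result only moves the question one hop: the DNS servers configured on the router's own admin page still have to be checked. On a Mac, `scutil --dns` shows the resolvers actually in use.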
     
  42. fgielow

    fgielow Notebook Enthusiast

    Reputations:
    0
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    15
    And that's why it is always necessary to check if a website's identity is verified. Websites with HTTPS encryption must have their identities checked by third parties, such as VeriSign. So, if your browser says that something is wrong with the HTTPS encryption, go away! Especially in case of bank accounts or whatever. There are cases in which websites use HTTPS but aren't really verified by any entity, but I can assure you that this is not the case of PayPal, email accounts, or any bank websites :p
     
  43. PopRoxMimo3

    PopRoxMimo3 Notebook Deity

    Reputations:
    82
    Messages:
    1,090
    Likes Received:
    1
    Trophy Points:
    56
    I reset the router. What should I do next to set it up properly that way it does not happen again? Any way I can only allow certain laptops, Wii, PS3, iPod touch, or phones to hook up to my router? An old friend of mine, who I have lost contact with, was able to write down my laptop's address, go into his router, add my laptop's address, and only then would I be able to access the web.
    My router is a WRT54G.
     
  44. doh123

    doh123 Without ME its just AWESO

    Reputations:
    996
    Messages:
    3,727
    Likes Received:
    1
    Trophy Points:
    106
    Sure.. most routers have options to limit by MAC address...
    That slows down a hacker a couple of minutes or more as they have to figure out a valid MAC and spoof it.... which isn't too hard to do, but you may have to monitor the network for awhile for a machine with a valid MAC to connect.

    Make sure it's all locked down with WPA2 encryption as well.

    Not really a whole lot you can do if someone really really wants in... but people driving around hacking WIFI routers for DNS attacks isn't exactly common... just make sure you have your firmware updated on the router in case there are any remote exploits that have been fixed.... and use your ISP's issued DNS server, or OpenDNS is decent.
     
  45. pbcustom98

    pbcustom98 Goldmember

    Reputations:
    405
    Messages:
    1,654
    Likes Received:
    0
    Trophy Points:
    55
    Also, check your bookmarks to see where they are pointing to.

    I see you are using Safari, so follow these instructions:

    1) Open Safari.
    2) On the menu bar, go to Bookmarks -> Bookmark Manager.
    3) Once that opens, go to the folder you put your bookmarks in, and look at the bookmarks in question. To the right shows the address they are going to. You can right click on them, and edit the address.

    If it still doesn't work, there is a bigger problem...
     
  46. PopRoxMimo3

    PopRoxMimo3 Notebook Deity

    Reputations:
    82
    Messages:
    1,090
    Likes Received:
    1
    Trophy Points:
    56
    I did the router reset. Haven't had the problem since.
     
  47. gms238

    gms238 Notebook Consultant

    Reputations:
    8
    Messages:
    133
    Likes Received:
    0
    Trophy Points:
    30
    Another lesson to learn: never, NEVER click on a pop-up. Ever!
     
  48. Sladerade

    Sladerade Notebook Consultant

    Reputations:
    168
    Messages:
    229
    Likes Received:
    6
    Trophy Points:
    31
    I am glad to hear that!
     
  49. tenderidol

    tenderidol Notebook Evangelist

    Reputations:
    44
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    30
    Glad to see that the problem went away, which appears that your router was hacked. The problem is that this is a wireless router in a "static" location. Is it safe to assume that whoever hacked it is most likely "local"?
     
  50. Kaelang

    Kaelang Requires more Witcher.

    Reputations:
    717
    Messages:
    1,210
    Likes Received:
    0
    Trophy Points:
    55
    He did say it was at college, right?
    Not surprising, honestly. :p
     