Author Topic: Should I be concerned for having visited this site?  (Read 4959 times)

VicVegas

  • Guest
Should I be concerned for having visited this site?
« on: December 27, 2012, 05:54:41 PM »
I clicked on a link for adfly from a semi-reputable source (just some deviantart artist trying to make money from their art I suppose) and upon arriving at the site I noticed that it had a bad Avast rating and it appeared to be redirecting like mad. I checked its WOT rating and there seem to be Malware reports fairly recently. I use AdBlock Plus and NoScript for every site I'm not familiar with, should I be at all concerned that I may have been infected? I'm also somewhat curious as to why Avast didn't just blacklist and block it by default.

http://zulu.zscaler.com/submission/show/5e8e6423f110a0bf88d5ab183252bde4-1356626548

Offline kls490

  • Sr. Member
  • ****
  • Posts: 209
  • Queen of the house
Re: Should I be concerned for having visited this site?
« Reply #1 on: December 27, 2012, 06:35:12 PM »
Hello VicVegas,

     Until some of our more knowledgeable forum members can arrive to offer their input, may I ask if you are currently experiencing any problems with your computer which lead you to believe you might have a malware infection?

Regards,
kls490

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Should I be concerned for having visited this site?
« Reply #2 on: December 27, 2012, 07:43:47 PM »
Malvertising to > Ransomware Sacem / Police Nationale
Because of your protection with NoScript it might not be able to infest. Else give us the logs according to http://forum.avast.com/index.php?topic=53253.0  and one of our qualified removal experts may have a look. But I think you are OK,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Should I be concerned for having visited this site?
« Reply #3 on: December 27, 2012, 07:47:28 PM »
Hi Polonus,

There could be some conditionals in the headers, as with urlQuery (http://urlquery.net/report.php?id=530607) there is no return, whilst visiting the site in a VM [Firefox 17] returns http://sta.sh/024jl6wifk00, which is another domain associated with deviantArt.

~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Should I be concerned for having visited this site?
« Reply #4 on: December 27, 2012, 07:59:52 PM »
Hi !Donovan,

Look here: http://webcache.googleusercontent.com/search?q=cache:fp7qBO6NSL0J:http://www.malekal.com/2012/03/13/malvertising-adf-ly-ransomware-sacem-police-nationale/%2Bhttp://adf.ly/3market.php%3F&client=flock&channel={flock%3Acontext}&oe=utf-8&hl=en&ct=clnk
Looks like the very URL scanned at zulu Zscaler by the victim. Remember the malware redirect may go on while we are kept happy at DeviantArt, won't that be a possibility? So that is why I asked essexboy to look into the eventual victim's logs. Better safe than sorry. On the other hand a ransomware infection would not go unnoticed and remember NoScript in the browser is one of the best and most safeproof forms of in-browser protection a user can have against malware of all sorts,

polonus

VicVegas

  • Guest
Re: Should I be concerned for having visited this site?
« Reply #5 on: December 27, 2012, 08:36:25 PM »
Indeed. Since I've had NoScript on my machines I've almost never experienced an infection that was not a false positive. I assume it even helps in blocking any offsite scripts that may try to load on legitimate sites. I've seen to it that the site is in my personal Avast block list, just in case I accidentally click on a link to it again as, sadly, it's used rather commonly it seems.

I've scanned my machine with Super Anti Spyware and an Avast complete scan to no results. Regardless, I think I'll leave some logs in a bit, if only to make sure the site hasn't found a way to worm something past my security (unlikely).

VicVegas

  • Guest
Re: Should I be concerned for having visited this site?
« Reply #6 on: December 28, 2012, 12:06:27 AM »
Here are all the logs. (aswMBR in next post, because I can't have more than four attachments.) :-\

VicVegas

  • Guest
Re: Should I be concerned for having visited this site?
« Reply #7 on: December 28, 2012, 12:07:05 AM »
aswMBR. :D

As for how the computer is acting, I'd say it seems normal. Nothing abnormal seems to be munching CPU or memory, though my firewall is noticing outbound connections from a PMB.exe, which judging from when it was created on my laptop, it was probably installed alongside League of Legends. It just confuses me that it seems to always be making connections when LoL isn't running. It seems like a nuisance more than anything bad, I might wanna figure out how to stop it from running at startup.

Reference here: http://en.wikipedia.org/wiki/Pando_%28application%29

Edit: Eww... It uses P2P... I DON'T WANT THAT.

Seriously, instantly uninstalled.
« Last Edit: December 28, 2012, 12:26:08 AM by VicVegas »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Should I be concerned for having visited this site?
« Reply #8 on: December 28, 2012, 12:28:17 AM »
My prediction is "nothing out of the ordinary there", but wait for the final word from our qualified removal expert,

pol

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Should I be concerned for having visited this site?
« Reply #9 on: December 28, 2012, 11:03:12 AM »
Just Pando and bestbuy to clear .. Otherwise it looks good

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:OTL
O4 - HKU\S-1-5-21-4159443991-512847242-1124234837-1001..\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe ()
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk = C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk = C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
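
Added example, not part of essexboy's post and not OTL's own code: a small Python parser for the three O4 autostart lines in the fix above, useful for reviewing what such a script will remove before running it. The line layouts and the meaning of the trailing "(...)" field are inferred only from the lines shown in this thread, and the function names are hypothetical.

```python
import re

# The three O4 lines from the fix in this thread, copied verbatim.
FIX = r"""
O4 - HKU\S-1-5-21-4159443991-512847242-1124234837-1001..\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe ()
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk = C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk = C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
"""

# Layouts inferred from the lines above only (an assumption, not OTL's documented grammar).
# The trailing "(...)" is treated as the file's company field; the greedy target match
# keeps "(x86)" inside the path and takes only the last parenthesised group.
TAIL = r"(?P<target>.+) \((?P<company>[^()]*)\)$"
RUN_KEY = re.compile(r"^O4 - (?P<where>HK\S+\\Run): \[(?P<name>[^\]]+)\] " + TAIL)
STARTUP = re.compile(r"^O4 - Startup: (?P<where>.+?\.lnk) = " + TAIL)
SID = re.compile(r"S-1-5-21(?:-\d+)+")


def parse_o4(line):
    """Return one autostart entry as a dict, or None if the line is not a known O4 form."""
    for kind, rx in (("run_key", RUN_KEY), ("startup_lnk", STARTUP)):
        m = rx.match(line.strip())
        if m:
            entry = dict(m.groupdict(), kind=kind)
            sid = SID.search(entry["where"])
            entry["sid"] = sid.group(0) if sid else None  # ties the line to one account
            entry["name"] = entry.get("name") or entry["where"].rsplit("\\", 1)[-1]
            return entry
    return None


def review(text):
    """Group entries by the program they launch and note what to check before running."""
    programs = {}
    for entry in filter(None, map(parse_o4, text.splitlines())):
        prog = programs.setdefault(entry["target"], {"entries": [], "notes": set()})
        prog["entries"].append(entry)
        if not entry["company"]:
            prog["notes"].add("empty company field")
        if entry["sid"]:
            prog["notes"].add("per-user key, SID-specific")
    return programs


if __name__ == "__main__":
    for target, prog in review(FIX).items():
        print(len(prog["entries"]), "entry(ies):", target, sorted(prog["notes"]))
```

The SID embedded in the Run key line is one reason a fix like this applies to a single machine and account, as the warning in the post says.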

VicVegas

  • Guest
Re: Should I be concerned for having visited this site?
« Reply #10 on: December 28, 2012, 02:16:56 PM »
PC seemed to reboot on its own when it was done. Here's the log (not that it's all that relevant). Thanks for the help, really don't like all the junk stores like BB put on the computer, next time I'll be buying my computer/parts either online or from a local guy. :)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Should I be concerned for having visited this site?
« Reply #11 on: December 28, 2012, 04:33:21 PM »
No problem .. Run OTL and press the cleanup button to remove it

VicVegas

  • Guest
Re: Should I be concerned for having visited this site?
« Reply #12 on: December 29, 2012, 05:06:16 AM »
Hrrgh. I just keep having bad luck finding new sites I shouldn't visit. I don't understand why, but the specific page I viewed had a good Avast rating, whereas the main site gets a yellow one. http://zulu.zscaler.com/submission/show/c32a59c625e111c337e5b0889cef0a16-1356753595 http://urlquery.net/report.php?id=546775

Board Reader is a site which takes posts from other websites, manipulates searches and uses them to generate traffic. Not sure if it's anything to worry about beyond that.

Correction:
It does show the site as yellow. It must have glitched out just at the right moment.

Eh, it's hosted in America and most of the info provided here looks legit: http://whois.domaintools.com/boardreader.com

Perhaps I should not be so paranoid.
« Last Edit: December 29, 2012, 05:25:07 AM by VicVegas »