Is this site safe?

[TuckerX]

Some info first: I use an iMac running chrome and osx version 10.6.8
A few days ago my cousin came over and wanted to go to neopets.com. instead he went to www dot neoepets dot com About 3 seconds later when I saw his mistake, I exited the site. It didnt show to real site and just the plain white screen. I tried looking at different safe site checkers but it came with mixed info. C-sirt says its malicious on virustotal but i dont know if its correct. Could someone tell me if its safe and free of random downloads/malware? I accessed the site on my iPod also but the site looks different then what the image from a url query scan looks like. Help would be appreciated!                                                                                                Edited so the site was not able be visited. Dont want other users getting infected.

[Pondus]

check your urls here

urlvoid.com
urlquery.net
sucuri.net
zulu.zscaler.com

[TuckerX]

I scanned the site. the image of the site from urlquery looks different then what I saw when I visited the site on my iPod though. Also, could you look at the scans?
Links to scan: http://urlquery.net/report.php?id=252189
http://zulu.zscaler.com/submission/show/d82f1fe645fa9c8d6092c6282a945fdb-1354231995
http://urlvoid.com/scan/neoepets.com/
https://www.virustotal.com/url/5900b0ca0bc7617b4137245dd8f022a96a829e99a26f6d19018f97665abf0b51/analysis/1354232438/
http://www.UnmaskParasites.com/security-report/?page=www.neoepets.com

[TuckerX]

Is that C-sirt  threat warning of CYSC.RED.CLICKFRAUD-1 on virus total a false alarm or what? also what is that threat? Is it just telling me there is a link to a malicious site on that site? Also theres those earlier questions ^

[polonus]

I see an issue here, see: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Puzlice-A/detailed-analysis.aspx  -> this is for:  pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js on that site,

Can anyone confirm?

polonus

[TuckerX]

I have sophos for mac(home edition) on my computer so ill run a local drives scan to see if I have it. I shouldnt though because I never downloaded anything unless it was a drive by download.

[polonus]

See the scan results here for this malvertising site. Not a lot of scanners detect this malvertising, see at the bottom of the post for the frame domain...

Checking:htxp://dsparking.com/?epl=knKJX7BPJwXsNogTdPUrydwz4BwhoXCK5C5-siFixdRZphRCPTghJSFEUO9dLc4ZONmHk4iA4W2jcDOBhKgvZiUdrD6yLxjkWC0_EJbyfbrUnDIfTy1Tqj343BSxVuujekfEcXH4SaENlNihcq_zwRdUAw0AmdpINsmjGhQ8GajpSSbtqQb5qRqEACBg3O-_AADgfwEAAECAWwoAAO4ZcI5ZUyZZQTE2aFpCmAAAAPA
File size:44 bytes
File MD5:ff20b629c15604ed940eb8542849f3ba   Very poor web reputation

htxp://dsparking.com/?epl=knKJX7BPJwXsNogTdPUrydwz4BwhoXCK5C5-siFixdRZphRCPTghJSFEUO9dLc4ZONmHk4iA4W2jcDOBhKgvZiUdrD6yLxjkWC0_EJbyfbrUnDIfTy1Tqj343BSxVuujekfEcXH4SaENlNihcq_zwRdUAw0AmdpINsmjGhQ8GajpSSbtqQb5qRqEACBg3O-_AADgfwEAAECAWwoAAO4ZcI5ZUyZZQTE2aFpCmAAAAPA - archive JS-HTML
htxp://dsparking.com/?epl=knKJX7BPJwXsNogTdPUrydwz4BwhoXCK5C5-siFixdRZphRCPTghJSFEUO9dLc4ZONmHk4iA4W2jcDOBhKgvZiUdrD6yLxjkWC0_EJbyfbrUnDIfTy1Tqj343BSxVuujekfEcXH4SaENlNihcq_zwRdUAw0AmdpINsmjGhQ8GajpSSbtqQb5qRqEACBg3O-_AADgfwEAAECAWwoAAO4ZcI5ZUyZZQTE2aFpCmAAAAPA - Ok  very poor web reputation
The obfuscation directs to ->
htxp://www.dsparking.com/?design_id=4&domainname=dsparking.com&a_id=14840

Checking:htxp://www.neoepets.com?epl=xJ1NlXEVHHAPHNFu-gWL2ZRTvzdCQuEUyV1oaFP0MRtmTJwktIpG8HrSCueLkoB9AGdrHnhyMPslRpA2RVKPIGdfnLaDE2qpIe9WgbHHaAMZMTU1M_UUQT1o0gxlRG_qqUgAIADco68AAGB_AQAAQIBbBgAA5dTvjVlTJllBMTZoWkJeAAAA8A
File size:46.50 KB
File MD5:aa0d660858e12ad1074ba5e25cc16f46

htxp://www.neoepets.com?epl=xJ1NlXEVHHAPHNFu-gWL2ZRTvzdCQuEUyV1oaFP0MRtmTJwktIpG8HrSCueLkoB9AGdrHnhyMPslRpA2RVKPIGdfnLaDE2qpIe9WgbHHaAMZMTU1M_UUQT1o0gxlRG_qqUgAIADco68AAGB_AQAAQIBbBgAA5dTvjVlTJllBMTZoWkJeAAAA8A - archive JS-HTML
>htxp://www.neoepets.com?epl=xJ1NlXEVHHAPHNFu-gWL2ZRTvzdCQuEUyV1oaFP0MRtmTJwktIpG8HrSCueLkoB9AGdrHnhyMPslRpA2RVKPIGdfnLaDE2qpIe9WgbHHaAMZMTU1M_UUQT1o0gxlRG_qqUgAIADco68AAGB_AQAAQIBbBgAA5dTvjVlTJllBMTZoWkJeAAAA8A/JSTAG_1[522][727f] - Ok
>htxp://www.neoepets.com?epl=xJ1NlXEVHHAPHNFu-gWL2ZRTvzdCQuEUyV1oaFP0MRtmTJwktIpG8HrSCueLkoB9AGdrHnhyMPslRpA2RVKPIGdfnLaDE2qpIe9WgbHHaAMZMTU1M_UUQT1o0gxlRG_qqUgAIADco68AAGB_AQAAQIBbBgAA5dTvjVlTJllBMTZoWkJeAAAA8A/JSTAG_2[1064][673d] - Ok
>htxp://www.neoepets.com?epl=xJ1NlXEVHHAPHNFu-gWL2ZRTvzdCQuEUyV1oaFP0MRtmTJwktIpG8HrSCueLkoB9AGdrHnhyMPslRpA2RVKPIGdfnLaDE2qpIe9WgbHHaAMZMTU1M_UUQT1o0gxlRG_qqUgAIADco68AAGB_AQAAQIBbBgAA5dTvjVlTJllBMTZoWkJeAAAA8A/JSTAG_3[665f][1142] - Ok
>htxp://www.neoepets.com?epl=xJ1NlXEVHHAPHNFu-gWL2ZRTvzdCQuEUyV1oaFP0MRtmTJwktIpG8HrSCueLkoB9AGdrHnhyMPslRpA2RVKPIGdfnLaDE2qpIe9WgbHHaAMZMTU1M_UUQT1o0gxlRG_qqUgAIADco68AAGB_AQAAQIBbBgAA5dTvjVlTJllBMTZoWkJeAAAA8A/JSTAG_4[7920][200] - Ok
htxp://www.neoepets.com?epl=xJ1NlXEVHHAPHNFu-gWL2ZRTvzdCQuEUyV1oaFP0MRtmTJwktIpG8HrSCueLkoB9AGdrHnhyMPslRpA2RVKPIGdfnLaDE2qpIe9WgbHHaAMZMTU1M_UUQT1o0gxlRG_qqUgAIADco68AAGB_AQAAQIBbBgAA5dTvjVlTJllBMTZoWkJeAAAA8A - Ok

Checking:htxp://www.neoepets.com/
Engine version:7.0.4.9250
Total virus-finding records:3424473
File size:1766 bytes
File MD5:96483d751c84dc60b301c7c10c6a31a8

hxp://www.neoepets.com/ - archive JS-HTML
>htxp://www.neoepets.com//JSTAG_1[244][ea] - Ok
htxp://www.neoepets.com/ - Ok

Also placeholder code link: htxp://cdn.dsultra.com/js/main.js This is malvertising hidden in a frame
polonus

[polonus]

Here the malvertising fraud was missed completely. Reported there: http://zulu.zscaler.com/submission/show/d82f1fe645fa9c8d6092c6282a945fdb-1354318424

polonus

[TuckerX]

So what does this mean/what is it? I never really visited the site except on my iPod and when my cousin visited it accidentally which i quickly exited out of. Am I infected?

[TuckerX]

Do you know if sophos detects this? Also is it just an advertisement that links to a malicious site or does it contain a drive by download or something bad?

[TuckerX]

still wondering about this if anyone can jump in and help

[mchain]

hi TuckerX,

Please be patient.

Polonus is the very next best thing to a wizard we have, and the work he is doing takes some bit of time.  When he is finished analyzing and understands what he is seeing, he will report back here.  User !Donovan is another one.

BTW, if nothing is obviously wrong with your system, try to worry a little less.  It is when things begin not to work as they should, then action is called for to rectify or fix.  I did ask him to have a look here, so far he has come through.

This is new stuff and rare, not looked for elsewhere by others, so...

[polonus]

Hi TuckerX and mchain,

The page is a so-called dsparking dot com hijack. This redirect affects Internet Explorer and Firefox browser, Google Chrome is not vulnerable. Uninstall dsparking.com
1. Open Windows Control Panel.
2. Choose Programs (Uninstall a Program).
3. It will open a list of installed programs, find dsparking.com or any related term and click on ‘Uninstall’.

Remove dsparking.com in Internet Explorer:
1. Open Internet Explorer.
2. Go to Tools > Options.
3. On General tab, proceed to ”Change search defaults” and click the “Settings” button.
4. You will see a list of search providers. Select your desired search provider and click the button “Set as default” to replace dsparking.com.
5. You may now remove dsparking.com from the list.

Remove dsparking.com in Mozilla Firefox:
1. Open Mozilla Firefox Internet Browser.
2. On Google’s Search box, click the “arrow down” beside the logo.
3. Select “Manage Search Engine” from the drop-down list.
4. Choose your desired search default (like Google) and click the button “Move up.” It should be on the top of the list to set it as default.
5. You can now remove other installed search engine.

Remove dsparking.com in Google Chrome:
1. Open Google Chrome.
2. Click on the Wrench icon on top right corner of the browser.
3. Choose “Settings” from the drop down list.
4. Select “Basics.”
5. Click on “Manage search engines” under SEARCH settings area.
6. Hover your mouse to a preferred search engine and click “Make default.”
7. You can now remove dsparking.com by clicking on the X mark.

manual removal information author Xman23

But you could also follow the instructions here: http://forum.avast.com/index.php?topic=53253.0
and let any of our qualified removal expert look into the matter and help you with the removal of this search setting hijacking domain parking  malware. At least one of them was alerted to this thread, so wait for him to come in and look into your provided logs,

polonus

[TuckerX]

Ok well i have google chrome and safari on my imac but i visited the site on chrome. So i just do those 7 steps you gave me to uninstall it? Will it just be one of the search options that i can just clik the x on to delete(looking step 6 and7) Also, so it wont effect me/do anything because I only use chrome and not FF or IE? I dont even have windows on my computer also.  Edit: did it install anything onto my computer or did it just change my search settings?

[polonus]

No the check is safe. And yes it is only the preferred search settings changed,

polonus