cdn.w55c.net Tries to download from AW.

I've just scanned the server. Three scanners say it's clean.

Were you looking at the YA board at the time?

This is malware that's usually propagated via link, that is, it's not residing on AW itself, so knowing the board or thread will help in locating the link.

Typically, it infects your Web browser.

Here are some removal instructions:

http://www.keepbrowsersafe.com/cdn-w55c-net-removal-guide-complete-solution

AdAware and MalwareBytes are both reputable; I'd install them on a keychain device and run them from that device.

https://www.malwarebytes.org/

Adaware is from Lavasoft: http://www.lavasoft.com/

Make sure you're downloading the free version, and that you don't agree to purchase the paid version, unless that's your intent.

Stiger05 said:

It did it in YA, Old People Writing for Teens, as well as the Movies, TV, etc board. Both when I click the original link and when I click the specific thread link. I've run Malwarebytes and my computer is clean. I hit cancel every time it pops up.

Click to expand...

It's not even a kind of malware that can propagate on our server.

Please:

Log off AW
Make sure you know your logins
Delete cookies, especially those you don't recognize (i.e. Amazon or other sites are likely safe; I'd probably delete 'em all, personally)
Clear your browser cache and history
Completely close all windows and shut down your browser.

This is malware that propagates via the cache and cookies that are passed by an infected site.

It then attempts to hijack windows, especially those with iframes, and insert malware/adware.

Please see the link I posted with removal instructions.

This was driving me mad. I got it only by clicking the User CP. The odd thing is I ran CCleaner and Malware Bytes and neither picked it up. Regardless, I did AWAdmin's protocols and the manual remove so keeping fingers crossed.

Adding my thanks for the assist.

ETA: After going thru the steps above, I got the download again first time back. I suspect the manual remove was simply insufficient, so I went the automated SpyHunter program suggested by keepbrowsersafe. Again, Malware Bytes didn't catch any of the stuff SpyHunter is catching.

ETA2: Annnnnd, do I feel stoopid! I waited for over 45 minutes while SpyHunter scanned my computer, caught 549 threats and when I clicked "Fix Threats" it tells me I have to purchase the software. I'm a bit miffed there was nothing about this in the keepbrowsersafe post. In fact it says: "Just download and install the free scanner provided below and leave rest to it." So for the sake of warning others, scanning is free, "leave the rest to it" means buying the software for $39.95 (for 1 computer for 6 months!). CNet reveals this "scan then charge" tactic is a common complaint about SpyHunter

So...I ran MalwareBytes again. It didn't catch the stuff SpyHunter did, so I'm trying Ad Aware. I used to use it but I opted for CCleaner on my new computer. *sigh*

ElaineA said:

So...I ran MalwareBytes again. It didn't catch the stuff SpyHunter did, so I'm trying Ad Aware. I used to use it but I opted for CCleaner on my new computer. *sigh*

Click to expand...

I suggest running MalwareBytes and AdAware sequentially.

If one catches something the first time through, run it again. Then run the other, and if it catches something run it again.

Other things that are important to do:

1. Follow the procedure to delete cookies, clear cache and history
2. Completely shut down the browser. This is a crucial step.

It's not on our server. My current concern, and time sink, is making sure it's not on a server someone links to in a post or in a sig.

The reason you see it on your CP is because the user CP opens new windows via JavaScript, and script is hijacked by the malware lurking and waiting on your computer.

This is happening to me, too--and only on AW. The download comes at random when I click on threads or on New Posts. Since I'm on a Chromebook, I don't think it can actually be doing anything to my machine, but it is annoying to see that download all the time.

ETA: I got yet another download when I posted this.

We're in the middle of one of the regular scans of the server, but I do not think this is on AW's server.

In the meantime:

Please

1. Make sure you know your logins
2. Log off AW
3. Delete cookies, especially those you don't recognize (i.e. Amazon or other sites are likely safe; I'd probably delete 'em all, personally)
4. Clear your browser cache and history
5. Completely close all windows and shut down your browser.
6. Log back in

Marlys said:

This is happening to me, too--and only on AW. The download comes at random when I click on threads or on New Posts. Since I'm on a Chromebook, I don't think it can actually be doing anything to my machine, but it is annoying to see that download all the time.

ETA: I got yet another download when I posted this.

Click to expand...

It isn't on AW; there's malware on the Chromeback, in your browser cache, and cookies.

And even on a Chromebook, this kind of malware (adware) can be a PITA.

Clean your cache, cookies, and history, and then do a hard shutdown/reboot of your Chromebook.

This will mean your local RAM data will be purged; make sure you know your logins and have backups of current document data.

I've locked this thread for several reasons, primarily because my colleagues who are admins elsewhere have asked me to—the Google ranking of AW is such that as we try to research and share information and resources this thread keeps being the first or second hit.

Please do feel free to PM me. I'm actively working on this.

It is not on AW's servers. That's positive.

What I'm working on now is finding if there's a link (or an image) in a post or in someone's sig that goes to a malware site/infected site.

That is quite possible, and the member would not even be aware that that is a problem or happening.

As you can understand, this is time consuming, and I appreciate any help.

If you get a request to download a file from AW, deny it, and please tell me where were you on AW? What thread or board?

The file isn't actually from AW; it's a request from another server that's hijacking the normal functions and windows on AW and inserting itself.

The file itself is not inherently dangerous; it's an html file with two JavaScripts. Just delete it.

Please feel free to PM me.