scanner-c517d_2015.exe

This downloaded (quickly) without any prompting by me while I was using Safari. I immediately updated my software and trashed the file. Anyone know what this is?

Apple MacBook Pro, Mac OS X (10.5.8)

Posted on Sep 11, 2009 11:54 PM

53 replies

Sep 12, 2009 10:53 PM in response to jackbrd

This thing took control of an unselected tab pretty dramatically. This is the order of URLs leading up to my encounter with this. (The URLs are broken to protect the cat in all of us.)

(1) "Toxic Waters - Clean Waters Laws ...t to Health - Series - NYTimes.com" h ttp://www.nytimes.com/2009/09/13/us/13water.html?pagewanted=2&adxnnlx=1&partner =rss&emc=rss&adxnnlx=1252786066-gReQyo8jPjx%20YSkTYAGTYg

(2) "Toxic Waters - Clean Waters Laws ...t to Health - Series - NYTimes.com" h ttp://www.nytimes.com/2009/09/13/us/13water.html?partner=rss&emc=rss&adxnnlx=12 52786066-gReQyo8jPjx%20YSkTYAGTYg&pagewanted-all

(3) "My computer Online Scan" h ttp://sex-and-the-city.cn/go.php?id=2006-63&key=0522c70666&p=1

The URL in Safari's address bar, which was not listed in History, for the page "My computer Online Scan" was h ttp://best-antivirus03.com/1/?sess=%3DWQ52jDwMi02MyZpcD00LjE1NC4yMzcuMjAzjnRpbW O9MTl1NjcwMk0MaQ%3DN

This authoritative page told me my computer was infected with "431 Probably harmful items". (Is that a standard number or is it customized for each mark?) The threats it warned me of were: Email-worm.Win32.Net, Email-worm.Win32.Myd and Win32:Def=XQ

P.S. I did not get a .exe file; did I do something wrong?

Message was edited by: Mr. Cat


Sep 13, 2009 1:29 AM in response to jackbrd

While I was browsing around on the internet today, using Firefox 3.5.3, I came across this link which redirected me to this free antivirus thing, "protection-check07.com".
Looks just like the one shown in the photo previously posted http://posterous.com/getfile/files.posterous.com/kevintom/RnR1XK4GBXd1lEU84KXiqA JGt8am8FU1uVXbJaqzxLytBzWGjWUcNb30M0JC/photo.jpg

I saw it scanned about 20% in like 2 seconds... and instantly closed the browser. Scanned with antivirus and Malwarebytes, and came up null.

Well the link is (union-pac.camy.myhomeserver.com/xataitopl.html) for those who are interested in checking it out... Be warned, hitting (ok) (cancel) or (x) will auto redirect. And it starts scanning your HDDs, and probably downloads some malware. This is the popup message http://img143.imageshack.us/img143/2920/82945077.png

Sep 13, 2009 6:57 AM in response to jackbrd

Same thing happened to me. Since I have never seen a redirect take over like this, I kind of freaked and didn't even think about the fact that it was an .exe file and thus Windows-directed. This is the history URL RE-DIRECT that took me back to that site. The actual Safari history entry is NYTimes.

http://protection-check07.com/1/?sess=%3DWQz2jTwMi02MyZpcD02OC41NS4xOTMuMjIxJnRp bWU9MTI1NjgwOQ0MaQ%3DM

Not sure what steps to take to prevent intrusions like this. Any advice out there?

Sep 13, 2009 7:07 AM in response to Clem Dickey

It's baaaack with a new name. Interestingly I was able to navigate all around the NY Times without this happening, but to read the columnists, you have to sign in. I did, and just like yesterday, clicking on a columnist immediately opens up a blank white page with a little window with a blue ? and message: "Warning your system requires immediate anti-virus scan!" blah blah, with the cancel or OK options. Click either one and it is off and running. I made a screen shot of it today. New faux URL is http://protection-check07.com/1/?sess= then a long string covered up by the little window. Anyone know what this is, and since it is for Windows, why is it even opening in OS X? Also, I opened Safari, went to NY Times and columns, logged in, and no problem. Anything we can do to get rid of this interruption to morning browsing?

Sep 13, 2009 7:07 AM in response to Tumbleweed666

Hey, I don't have any anti-virus program on my Mac either, but it hardly seems like this is the time to be bragging about it.

NYTimes for me as well, but from an article about the Roberts court. I was pretty impressed that it got control of Safari with unstoppable pop-up windows and redirected me, but then when it started showing Windows graphics in the background it seemed pretty likely it was just running animation. There are no downloads registered on my machine, I think it is just faking us out. Pretty darn well if it can control Safari AND Firefox....

Sep 13, 2009 7:49 AM in response to jackbrd

Same as everyone else here, twice in the last two days while reading different stories at NYT in Safari. In my case it was the protection-check07.com variation. I forced quit as quickly as possible and can't find any obvious evidence of malware, but I can't be sure. Hopefully more specific information will be forthcoming soon.

Sep 13, 2009 8:41 AM in response to Tumbleweed666

Dunno if you're splitting hairs on trojans vs. viruses or not, but there is indeed malicious code written for Mac. Have a look at the securemac.com site for info on recent trojans. (They were also historically susceptible to Word macro viruses, but those were just cross-platform, not specifically written for Mac.)

As far as prevention, Firefox has a NoScript add-on that limits script execution to whitelisted domains. I'm too lazy to whitelist all the necessaries to use it, so until hijacking from usually reliable places becomes a bigger problem, I'll rely on fast fingers and a slow connection.
