Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Are non-existent links in web page generated by a virus?

Posted on 2011-05-03
5
Medium Priority
?
1,292 Views
Last Modified: 2013-11-22
A client has sent an email demanding that I remove links from one of her web sites (http://www.aaajapaneseimports.com/ , pardon the engine sound) to other web sites. The links she is seeing do not exist in the code for any of the pages. She was able to copy the home page from her browser and send me the code, and there are tags around certain phrases in the copy which contain the IDs FALINK_2_0_1, FALINK_3_0_2, FALINK_1_0_0, all with class= FAAdLink, I've attached a code snippet of what I get in the email. When I mouse over the links in the email she sent, all of them go back to her website, but when she clicks the same links in her browser she gets taken to http://www.internetcorkboard.com/search.php?q=used%20engine.  None of these links in the body copy actually exist in the AAA site page, and the phrases contain no tags when I view them in a browser from any of my computers.

My guess is that she has a virus or a trojan on her (Windows) machine, but I haven't been able to turn up any mention of the purpose or origin of these IDs or the class in a search, although I can see that the class and IDs are in lots of pages on the web. I've searched the ExpertBase here and have gotten no results, and I've also searched at dmoz.org and CERT (www.us-cert.gov) with no luck.

I guess my specific questions are 1. does anyone know what these IDs are or what generates them and 2. where else should I be looking for this kind of information?

Thanks!
AAA JAPANESE IMPORTS is proud to be the leader in the <a rel=3D"nofollo=
w" id=3D"FALINK_2_0_1" class=3D"FAAdLink" target=3D"_blank" href=3D"http://=
www.aaajapaneseimports.com/#"><font color=3D"#1c7dff">used engine</font></a=
> and transmission industry.

Open in new window

0
Comment
Question by:TheGrlGeek
  • 3
  • 2
5 Comments
 
LVL 84

Accepted Solution

by:
Dave Baldwin earned 1500 total points
ID: 35637532
I'm not seeing 'FAAdLink' in the source or the javascript generated source on that page.  It sounds to me like she has a 'search hijack' virus in her computer.
0
 

Author Comment

by:TheGrlGeek
ID: 35691178
Thanks, DaveBaldwin, knowing what to call the thing has gotten me much better results in my searches.
0
 

Author Closing Comment

by:TheGrlGeek
ID: 35695519
It has been very helpful to know the correct terminology for the type of virus the client has, a link to resources for, or information on, that type of virus would have been icing on the cake.
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 35696053
Most search hijacks replace Google or Yahoo search results.  Yours isn't doing that exactly so I'm not sure where to tell you to look.  For virus removal in addition to regular anti-virus, I usually download MalwareBytes mbam.exe http://www.malwarebytes.org/products/malwarebytes_free and run a scan with that.  In cases of Rogue anti-virus, I run ComboFix from Bleepingcomputer http://www.bleepingcomputer.com/download/anti-virus/combofix but only after I have killed the virus files first cause nothing runs until I do.
0
 

Author Comment

by:TheGrlGeek
ID: 35703676
Thank you, thank you, thank you, DaveBaldwin, these are excellent resources.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In threads here at EE, each comment has a unique Identifier (ID). It is easy to get the full path for an ID via the right-click context menu. However, we often want to post a short link within a thread rather than the full link. This article shows a…
An introduction to the wonderful sport of Scam Baiting.  Learn how to help fight scammers by beating them at their own game. This great pass time helps the world, while providing an endless source of entertainment. Enjoy!
This Micro Tutorial will demonstrate how to add subdomains to your content reports. This can be very importing in having a site with multiple subdomains.
How to create a custom search shortcut to site-search Experts Exchange using Google in the Firefox browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch your Bookmark Menu: Press 'Ctrl +…
Suggested Courses

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question