Are non-existent links in web page generated by a virus?

Posted on 2011-05-03
Last Modified: 2013-11-22
A client has sent an email demanding that I remove links from one of her web sites ( , pardon the engine sound) to other web sites. The links she is seeing do not exist in the code for any of the pages. She was able to copy the home page from her browser and send me the code, and there are tags around certain phrases in the copy which contain the IDs FALINK_2_0_1, FALINK_3_0_2, FALINK_1_0_0, all with class= FAAdLink, I've attached a code snippet of what I get in the email. When I mouse over the links in the email she sent, all of them go back to her website, but when she clicks the same links in her browser she gets taken to  None of these links in the body copy actually exist in the AAA site page, and the phrases contain no tags when I view them in a browser from any of my computers.

My guess is that she has a virus or a trojan on her (Windows) machine, but I haven't been able to turn up any mention of the purpose or origin of these IDs or the class in a search, although I can see that the class and IDs are in lots of pages on the web. I've searched the ExpertBase here and have gotten no results, and I've also searched at and CERT ( with no luck.

I guess my specific questions are 1. does anyone know what these IDs are or what generates them and 2. where else should I be looking for this kind of information?

AAA JAPANESE IMPORTS is proud to be the leader in the <a rel=3D"nofollo=
w" id=3D"FALINK_2_0_1" class=3D"FAAdLink" target=3D"_blank" href=3D"http://="><font color=3D"#1c7dff">used engine</font></a=
> and transmission industry.

Open in new window

Question by:TheGrlGeek
    LVL 82

    Accepted Solution

    I'm not seeing 'FAAdLink' in the source or the javascript generated source on that page.  It sounds to me like she has a 'search hijack' virus in her computer.

    Author Comment

    Thanks, DaveBaldwin, knowing what to call the thing has gotten me much better results in my searches.

    Author Closing Comment

    It has been very helpful to know the correct terminology for the type of virus the client has, a link to resources for, or information on, that type of virus would have been icing on the cake.
    LVL 82

    Expert Comment

    by:Dave Baldwin
    Most search hijacks replace Google or Yahoo search results.  Yours isn't doing that exactly so I'm not sure where to tell you to look.  For virus removal in addition to regular anti-virus, I usually download MalwareBytes mbam.exe and run a scan with that.  In cases of Rogue anti-virus, I run ComboFix from Bleepingcomputer but only after I have killed the virus files first cause nothing runs until I do.

    Author Comment

    Thank you, thank you, thank you, DaveBaldwin, these are excellent resources.

    Featured Post

    How your wiki can always stay up-to-date

    Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
    - Increase transparency
    - Onboard new hires faster
    - Access from mobile/offline

    Join & Write a Comment

    I had to do a bit of research to find the answer to this question so I thought I'd share my results.  Due to our outdated mainframe systems, we need to downgrade IE9 to IE8 in order to stay compatible.  We also needed to downgrade Java.  In order to…
    Introduction If you're like most people, you have occasionally made a typographical error when you're entering information into an online form.  And to your consternation, the browser remembers the error, and offers to autocomplete your future entr…
    Google currently has a new report that is in beta and coming soon to Webmaster Tool accounts. This Micro Tutorial will highlight new features for Google Webmaster Tools.
    How to create a custom search shortcut to site-search Experts Exchange using Google in the Firefox browser. This eliminates the need to type out whenever you want to search the site. Launch your Bookmark Menu: Press 'Ctrl +…

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    18 Experts available now in Live!

    Get 1:1 Help Now