
Google redirecting, audio playing in background


33 replies to this topic

#1 cgg

cgg

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Jersey City, NJ
  • Local time:11:04 PM

Posted 15 December 2012 - 11:35 AM

Hello. I seem to have the exact same problem as was posted by the user in this forum: http://www.bleepingcomputer.com/forums/topic470346.html

Firefox is redirecting almost all of my searches to random sites with ads, and often times music will start playing in the background, although no pop ups seem to be hosting the music. I've been running a number of anti-virus/malware searches, including Kaspersky, Flashfake Removal Tool, Sophos Anti-Virus, and iAntivirus to try to take care of this problem. Sometimes they find threats and I delete or quarantine them, but the problem persists. Sometimes they don't even find any threats, but it's clear there is still a virus as the web browser is still messed up. I've been working on this for days and can't figure out the solution.

Can anyone help? I'm running an iMac OS X 10.6.8. I'm not incredibly tech-savvy, but can follow directions and would really appreciate assistance resolving this problem. Thank you!


 


#2 cgg


Posted 15 December 2012 - 11:43 AM

Also, I'm not sure how to run and post the DDS logs on a Mac, but am happy to do so if someone can provide me with directions. Thanks again-- looking forward to your response(s)!

#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:06:04 AM

Posted 15 December 2012 - 06:40 PM

Hi,

you can't run DDS on a Mac. In fact, none of our tools will work on a Mac. You say you get redirected on Firefox; does that mean this doesn't happen when you use a different browser?

Could you also please let me know if you remember any of the infections found and if so by which program it was found.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#4 cgg


Posted 16 December 2012 - 12:08 AM

Thanks for your reply. I only use Firefox, so I'm not 100% sure about other browsers, but I did some tests today with Safari and it doesn't seem to be redirecting using that browser. I did have some random audio advertisement for Motorola playing in the background while using Safari, though.

When I run Kaspersky, it tells me Trojan Flashfake has been detected. I go through the processes to disinfect and it tells me the infection has been removed, but when I restart the computer and run Kaspersky again, the same infection shows up.

I ran a 4-hour scan using avast! Antivirus and it found a number of infections. I'm not sure of the names but the infection details included:

Win32: HotBar-BL[ADW]
Win32: ClickPotato
Java:CVE-2010-0094-C

Also, when I have avast! Antivirus running in the background and I use Firefox, I get this warning with every new search or page opened:

Infection detected! Web shield has detected a threat:
Infection: URL:Mal
URL: hxxp://imnjuhost.com/search/anticheat6/php?username=mc0012

In the history of viruses detected, avast! says the virus name is: URL:Mal

Finally, iAntiVirus found the threat: Quarantine.File.qtn

I've run a number of other antivirus programs, but unfortunately didn't write down any of the threats or viruses found. I can run other programs and let you know what they say if that would be helpful. I'm not sure if any of these names will help find a solution... Also worth noting that Firefox is very slow, and I'm being redirected not only when I use Google, but also when I type a web address into the web browser.

Clearly something is wrong here. Hopefully you can help me! Thanks so much.

Edited by myrti, 16 December 2012 - 12:13 PM.
disabled link


#5 myrti


Posted 16 December 2012 - 12:15 PM

Hi,

ok, let's look into more detail with Firefox. Could you please install this extension: https://addons.mozilla.org/en-US/firefox/addon/extension-list-dumper/ Then use it to create a list of all extensions installed.

regards myrti



#6 cgg


Posted 16 December 2012 - 04:27 PM

Hopefully I did this right. The names of the extensions listed are:

Extension List Dumper 1.15.2
Flash Player 11
avast! WebRep 7.0.4185 (disabled)
DivX HiQ 2.1.0.900 (disabled)
DivX Plus Web Player HTML5 <video> 2.1.0.900 (disabled)

I'm attaching a screen shot here that shows the extensions that I found from entering about:support in the web browser, in case that is helpful. In the screen shot you'll see the avast! web shield infection warnings that pop up in the upper right corner when I'm using the internet.

Also of note: I just ran the Dr. Web Light antivirus program from the Apple App Store and it found the following threats:

Threat: Adware.InstallCore.3
Name: WhiteSmokeInstaller_9128.txt

Threat: Adware.Downware.21
Name: SoftonicDownloader_for_stream-torrent.exe

Threat: Adware.Downware.21
Name: SoftonicDownloader_for_foxtorrent.exe

Threat: Adware.Downware.544
Name: FirstRowSportApp_setup(31a).ede

Threat: Adware.Downware.97
Name: Codec-V.exe

I deleted them all manually by searching for these names in my download folder, but it did ask me for my admin password before deleting. That's unusual, as typically I can delete anything without entering my password.

Let me know what else you need from me. Thanks again for your help!




#7 myrti


Posted 16 December 2012 - 04:43 PM

Hi,

I don't see anything unusual in there.

Could you please start firefox in safe mode as described here: http://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode

Let me know if you also get redirected in safe mode.

regards myrti



#8 cgg


Posted 16 December 2012 - 05:23 PM

Hi. Just restarted Firefox in safe mode and it does not seem to be redirecting at all. I'm also not getting those infection warning pop ups from avast! that I was getting with every new web search or tab opened.

Let me know what the next steps are. I assume I'll be redirected again and all of those virus and threat warnings will still be there once I exit safe mode...

Edited by cgg, 16 December 2012 - 05:24 PM.


#9 myrti


Posted 17 December 2012 - 07:53 AM

Hi,

it would seem that the add-on Flash Player is a fake one. Could you please disable this addon and see if your problems stop.

regards myrti



#10 cgg


Posted 17 December 2012 - 07:45 PM

Thanks. I disabled Flash Player and I am no longer getting redirected in Firefox. Also no audio playing, which is great. I just restarted the computer and ran Kaspersky Flash Fake Removal Tool again, though, and it once again detected a Trojan Flashfake. The other antivirus programs I'm using take 3-4 hours to do a full scan, but I'm assuming they'll find the same viruses again, as well. I can run them and let you know if that will help.

Let me know what I can do next to get rid of these viruses, and thanks yet again!

#11 myrti


Posted 18 December 2012 - 05:39 AM

Hi,

yes, please let me know if they find anything. It is normal that it would find something now, since the addon was active until recently. The really interesting question is whether the files return again now that they have been removed or if they stay removed.

This being said the detections you listed are all tools you downloaded and installed yourself but that have adware functionality.
  • Threat: Adware.InstallCore.3
    Name: WhiteSmokeInstaller_9128.txt
    The WhiteSmokeToolbar is considered adware. The whitesmoke website has also a very bad rating because of this: http://www.mywot.com/en/scorecard/WhiteSmoke.com
  • Threat: Adware.Downware.21
    Name: SoftonicDownloader_for_stream-torrent.exe
    and
    Threat: Adware.Downware.21
    Name: SoftonicDownloader_for_foxtorrent.exe
    These are detected because the Softonic installer adds adware to each download it offers. This being said, I hope you do not plan to use these tools for illegal purposes as a) this will get you infected again and b) this will stop support on my end.
  • Threat: Adware.Downware.544
    Name: FirstRowSportApp_setup(31a).ede
    FirstRowSportApps also installs an adware toolbar, namely yontoo. For more info see here: http://www.systemlookup.com/CLSID/56875-YontooIEClient_dll_YontooIEClient_2_dll.html
  • Threat: Adware.Downware.97
    Name: Codec-V.exe
    Fake Codec and also the yontoo toolbar.

regards myrti



#12 cgg


Posted 18 December 2012 - 09:33 AM

Ok, thanks. I will run them all now while I'm at work and let you know when I get home this evening.

I have no idea what the Softonic installer is, but I definitely don't do anything illegal with my computer. All I can think of is live streaming TV shows, but I always do so from the show website (i.e. NBC, Bravo, etc.). Hopefully that is fine...

Thanks again-- I'll let you know what the virus scans reveal tonight.

#13 myrti


Posted 19 December 2012 - 08:31 AM

Hi cgg,

are other people using your PC too? You could check where the files were found and this should help you identify at least from which user account they were downloaded.

What did the scans say?

regards myrti



#14 cgg


Posted 19 December 2012 - 08:40 AM

Hi. I was just typing this reply! Sorry I didn't get back to you last night: my computer froze during the day so I had to restart the scans and they ended up running into the night.

I ran Sophos, avast! and Dr Web Light, and they all came up clean with no infections, which is great. avast! did reveal 5 files with threats, but I think I can just delete them-- 4 are Firefox caches and one is in an application folder that I don't use.

I also ran Kaspersky Flashfake Removal Tool, and it once again did detect a Trojan Flashfake. I even uninstalled and reinstalled Kaspersky to make sure there wasn't something strange happening with the program, and when I restarted and ran again, it still detected the Trojan Flashfake. I'm not sure what to do to get rid of this.

Also, does this mean that all of those other viruses that used to be detected are no longer on my machine?

A few of the viruses I detected earlier did show paths to an old account that someone else had been using on my computer. I had previously deleted that account, though, so no one should be able to access it now.

Thanks again for your help and patience!

#15 myrti


Posted 20 December 2012 - 07:21 AM

Hi,

could you please tell me in which file and in which path Kaspersky is detecting this?
These detections:

Java:CVE-2010-0094-C

Also, when I have avast! Antivirus running in the background and I use Firefox, I get this warning with every new search or page opened:

Infection detected! Web shield has detected a threat:
Infection: URL:Mal
URL: hxxp://imnjuhost.com/search/anticheat6/php?username=mc0012

are detections of malicious websites that you were visiting. These visits were caused by the malicious addon we disabled (and that you should probably uninstall correctly). Now that these redirects have been disabled, you should no longer get the detections either.
The others should've been one-time detections, meaning that after you deleted them, they should not reappear unless you download the files again yourself.

regards myrti





