Address bar searches going to searchezy.com or ads.pureleads.com


8 replies to this topic

#1 echovictor

echovictor

  • Members
  • 6 posts

Posted 18 February 2013 - 11:21 AM

Hi.  I'm hoping you can help with an issue I've been having, as this is the first time I've encountered what appears to be spyware on a non-Windows system.

I'm on a MacBook running OSX 10.6.8.   It appears to also have a Bootcamp partition, but I have never attempted to boot with it.  (I recently inherited this computer this year after my father passed away and I was put in charge of his online accounts.)  

Within the past week, when I type anything into the address bar on Firefox or Safari, it has been taking me not to Google but to searchezy.com OR to ads.pureleads.com which then serves an ad (usually for TurboTax).  It started by simply taking me to searchezy.com.

I ran a ClamXav scan, which found nothing.  

I then downloaded Intego VirusBarrier and ran a full scan, which found the following:

Infected (JS/Redirector.gen): Macintosh HD > Users> {dad} > Library > Mail > IMAP-{dad}@imap.gmail.com > INBOX.impambox > Messages > 1338.emlx > open.htm
Infected (JS/Redirector.gen): Macintosh HD > Users > {dad} > Library > Mail > IMAP-{dad}@imap.gmail.com > [Gmail] > All Mail.imapmbox > Messages > 7598.emlx > open.htm
Infected (JS/Redirector.gen): Macintosh HD > Users > {dad} > Library > Mail > IMAP-{dad}@imap.gmail.com > [Gmail] > All Mail.imapmbox > Messages > 7595.emlx > open.htm
Infected (W97M/Sin.C): Home > Desktop > Old Work Junk > Old Work Mail > POP-{me}@smtp.{workserver}.com > INBOX.mbox > Messages > 605.emlx > ONION

All four files were quarantined, and I told VirusBarrier to delete them.

I also downloaded and ran OSX Rootkit Hunter as an extra precaution, but it didn't find anything out of the ordinary.

I restarted my computer and the problem SEEMED to be fixed -- address bar searches went to Google as usual across all browsers.  But about 24 hours later, they started taking me to searchezy.com again AND started serving ads from ads.pureleads.com.  

I ran another full scan with VirusBarrier, but this time it didn't find anything at all.  I double-checked both browsers for add-ons or extensions I didn't recognize -- but there was nothing out of the ordinary.  I tried clearing my cookies on both browsers, and both were able to do so successfully but both times this error popped up behind the browser window:

Unable to copy the font testgenrg.otf to the Fonts folder.
Please copy this file from your Program folder to your System Fonts folder.

I searched for the file testgenrg.otf through Finder, and found nothing.

 

Address bar searches now take me to Google the first time the browser is launched, then to searchezy.com or ads.pureleads.com thereafter.  (ETA: Address bar searches have started intermittently taking me to Google even when the browser hasn't been relaunched -- the mystery deepens.)

So basically, I'm stumped.  I haven't downloaded anything strange or visited any unusual sites in the past week.  I don't appear to have any toolbars or other suspicious add-ons installed in my browsers.  Anti-virus software says my system is clean.  The only thing that changed prior to the problem starting was me bringing my computer to my mother's house, where I'm staying for the week.  I also have an old Macbook running OSX 10.4 at my mom's house, that I occasionally use when I visit her, and it started having the searchezy.com problem a few weeks before my current Macbook.  The ONLY thing the two computers have in common is that they're on my mom's wireless network right now.

I don't know where to go from here.  Looking up "searchezy" on Google hasn't turned up anything useful, and all of the tricks I know / advice I can find for getting rid of spyware are for Windows systems -- there doesn't appear to be a Malwarebytes or Superantispyware equivalent for Mac systems.  Any suggestions?  Do I boot Windows through Bootcamp and run the usual Windows tools -- and if so, how do I do that?  Or should I focus on the router now, given that the one thing the infected computers have in common is their wireless network?


Edited by echovictor, 18 February 2013 - 11:32 PM.



#2 echovictor

echovictor
  • Topic Starter

  • Members
  • 6 posts

Posted 21 February 2013 - 02:38 PM

ADDITIONAL INFO HERE:

 

I have since traced the problem to the router. 

 

When the computer is connected directly to the modem, the re-direct does not happen.  Similarly, when my phone is connected to the wireless network, searches in the address bar re-direct -- but when I disconnect my phone from the wireless network and force it to access the Internet through the cellular data network, the re-direct does not happen.

 

I've never encountered an issue in a router before -- anyone know how to fix this?  I unfortunately cannot seem to access the router through the default IP address in the manual to check the DNS settings, and I cannot find the configuration CD the manual says is necessary to configure it, so I'm reluctant to jump in and reset it to the default settings.  (Like the computer I'm currently using, the router was my father's and became my responsibility after he passed away, and I have no idea what he did when he configured it.)

 

Thanks!



#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,556 posts
  • Gender:Male
  • Location:NJ USA

Posted 21 February 2013 - 08:37 PM

It is possible the router is infected.

Router Reset
  • Please read this: Malware Silently Alters Wireless Router Settings
  • Consult this link to find out what the default username and password of your router are and note them down: Router Passwords
  • Then reset your router to its factory default settings:

    "If your machine has been infected by one of these Zlob/DNSchanger Trojans, and your router settings have been altered, I would strongly recommend that you reset the router to its default configuration. Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 30 seconds)"

  • This is the difficult part.
    First get to the router's server. To do that type http://192.168.1.1 in the address bar and click Enter. You get the log in window.
    Fill in the password you have already found and you will get the configuration page.
    Configure the router to allow you to connect to your ISP server. In some routers it is done by a setup wizard. But you have to fill in the log in password your ISP has initially given to you.
    You can also call your ISP if you don't have your initial password.
    Don't forget to change the router's default password and set a strong password. Note down the password and keep it somewhere for future reference.
  • Please make sure of the following settings:
  • Go to Start -> Control Panel -> Double click on Network Connections.
  • Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.
  • Select the General tab.
  • Double click on Internet Protocol (TCP/IP).
  • Under General tab:
  • Select "Obtain an IP address automatically".
  • Select "Obtain DNS server address automatically".
  • Click OK twice to save the settings.
  • Reboot if you had to change any setting.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 echovictor

echovictor
  • Topic Starter

  • Members
  • 6 posts

Posted 22 February 2013 - 01:06 PM

Thanks so much for this!  I have one question before I get started, though.  Your post includes the following instructions for making sure my computer is properly configured after the router is reset:

 

  • Go to Start -> Control Panel -> Double click on Network Connections.
  • Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.
  • Select the General tab.
  • Double click on Internet Protocol (TCP/IP).
  • Under General tab:
  • Select "Obtain an IP address automatically".
  • Select "Obtain DNS server address automatically".
  • Click OK twice to save the settings.
  • Reboot if you had to change any setting.

 

As I mentioned in my first post, I'm on a Mac running OSX (10.6.8), so I don't have Start > Control Panel > Network Connections.  I have System Preferences > Network > Airport > Advanced and then two tabs that seem to be relevant here: TCP/IP and DNS.  The options available in these tabs don't quite match up to the options you instructed me to choose -- do you know how I would go about configuring this on OSX?  I can provide screenshots of the options under the TCP/IP and DNS tabs, if necessary.

Thanks again!
 



#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,556 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 February 2013 - 02:05 PM

Oh yeah, let me ask a Mac person so I get it correct.



#6 echovictor

echovictor
  • Topic Starter

  • Members
  • 6 posts

Posted 22 February 2013 - 06:29 PM

Cool, thanks!  I mean, I'm pretty sure I know which options correspond to the Windows options -- but my experience with Macs and network configuration is pretty limited, so some input from someone who knows this stuff better than I do would be good.



#7 computerxpds

computerxpds

    Bleepin' Comp


  • Moderator
  • 4,514 posts
  • Gender:Male
  • Location:USA

Posted 22 February 2013 - 09:32 PM

Hello,

For the drop-down "Configure IPv4" it should be set to "Using DHCP". As for DNS, it should have the router's IP only, since that is where it gets the DNS address from. http://support.apple.com/kb/HT5304 also http://support.apple.com/kb/HT1714
If I have replied to a topic and you reply and I haven't gotten back to you within 48 hours (2 days) then send me a P.M.
Some important links: BC Forum Rules | Misplaced Malware Logs | BC Tutorials | BC Downloads |
Follow BleepingComputer on: Facebook! | Twitter! | Google+| Come join us on the BleepingComputer Live Chat on Discord too! |
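As an added example (not from this thread or any of its posters), a short Python check for the two things boopme's reset procedure and computerxpds's DNS note above are guarding against: DNS servers handed out by the router that are not the router itself, and a resolver that answers names which cannot exist, which is how a typed address-bar term ends up on a redirect page. The sample DHCP and resolver data is constructed; the router address 192.168.1.1, the /24 LAN size and the `.invalid` probe name are assumptions.

```python
"""Offline check for a DNS-changer style router compromise: rogue DNS servers
from DHCP, NXDOMAIN rewriting, and disagreement with a trusted resolver.
All sample data below is constructed; nothing here touches the network
unless live_resolve() is called explicitly."""
import ipaddress
import socket

ROUTER_IP = "192.168.1.1"                     # assumed LAN gateway
DHCP_DNS_SERVERS = ["192.168.1.1", "203.0.113.53"]  # constructed: one rogue
LAN_ANSWERS = {                               # constructed LAN resolver answers
    "www.example.com": ["198.51.100.10"],
    "zq7x-probe.invalid": ["203.0.113.7"],    # must never resolve; here it does
}
REFERENCE_ANSWERS = {                         # constructed trusted answers
    "www.example.com": ["198.51.100.10"],
    "zq7x-probe.invalid": None,               # None = NXDOMAIN
}


def rogue_dns_servers(dhcp_servers, router_ip=ROUTER_IP, lan_prefix=24):
    """DHCP-supplied DNS servers outside the router's LAN. After a factory
    reset the list should contain only the router (assumed /24 LAN)."""
    lan = ipaddress.ip_network(f"{router_ip}/{lan_prefix}", strict=False)
    return [s for s in dhcp_servers if ipaddress.ip_address(s) not in lan]


def nxdomain_hijacks(answers):
    """Names under .invalid (RFC 2606) cannot exist; any address returned for
    one means the resolver rewrites NXDOMAIN, the redirect symptom above."""
    return [name for name, ips in answers.items()
            if name.endswith(".invalid") and ips]


def mismatched_answers(lan, reference):
    """Names where the LAN resolver and the trusted reference disagree."""
    return sorted(name for name in reference if lan.get(name) != reference[name])


def live_resolve(name):
    """Ask the system resolver; None means NXDOMAIN or resolution failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return None


if __name__ == "__main__":
    print("rogue DNS servers:", rogue_dns_servers(DHCP_DNS_SERVERS))
    print("NXDOMAIN hijacks:", nxdomain_hijacks(LAN_ANSWERS))
    print("mismatches:", mismatched_answers(LAN_ANSWERS, REFERENCE_ANSWERS))
```

To use it on a real LAN, replace the constructed dictionaries with `live_resolve()` results taken once on the suspect network and once on a network you trust (the thread's modem-direct or cellular comparison), then run the three checks.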

#8 echovictor

echovictor
  • Topic Starter

  • Members
  • 6 posts

Posted 03 March 2013 - 01:49 AM

Thanks, guys!  Your advice worked, and the router reset seems to have solved the redirect problem.  I really appreciate everything you do here.



#9 computerxpds

computerxpds

    Bleepin' Comp


  • Moderator
  • 4,514 posts
  • Gender:Male
  • Location:USA

Posted 03 March 2013 - 12:13 PM

Hey, glad to have been of some help. :)
