Previous 1 2 3 Next 43 Replies Latest reply: Feb 22, 2009 1:05 AM by innovate Go to original post
  • Kevin S. Level 1 Level 1 (85 points)
    bugmore wrote:
    It is your wi-fi router. The infection blocks windows update and re-directs searches to god-knows-where, mainly msn.com to start. Reset it, replace it, whatever. I found it without any forum help. Just what to "gift" this info to the world.


    Could anyone confirm if this indeed WAS a router issue?

    Sorry to keep this thread going, but I'm trying to diagnose an issue remotely for a family member. It seemed to first infect his computer (he installed something), and then his room mates (on xp pc's) ended up seeing the same ads... very strange..
  • Tim Kraan Level 1 Level 1 (40 points)
    It seems more likely that it's something like this:
    New variant of RSPlug trojan making the rounds
    http://www.tuaw.com/2008/11/18/new-variant-of-rsplug-trojan-making-the-rounds/
  • JW in IN Level 1 Level 1 (0 points)
    12th Root,

    I followed your instructions. MacScan did find DNSChanger 1.1, so thanks for that clean-up, but the problem persists. I ran MacScan again, and the 2nd time it did not find DNSChanger 1.1, but it found 1 tracking cookie. I'm still getting Vimax ads everywhere I look, and it's getting more frustrating by the minute. I too thought (for about a week or two) that it was just an aggressive marketing campaign, but now realize it's more insidious than that. Any other suggestions?
  • GuitarWolf101 Level 1 Level 1 (0 points)
    Okay, here's my problem.

    A long while ago, I downloaded a free trial of VirusBarrier X5, and it expired.

    Thinking it would fix the ad takeover, I downloaded it a second time - forking over 60 dollars in the process.

    I ran a complete scan of my hard drive, only to find out I had no infection - what a surprise.

    So now, I'm sixty dollars poorer, and the ads are STILL there. They're invincible!

    I've tried everything on this page in an effort to fix this takeover problem, and still the ads remain.

    How do I make them go away? I've tried EVERYTHING! Help me out!
  • JW in IN Level 1 Level 1 (0 points)
    Guitar,

    This article posted by Kraan solved it for me and I didn't have to get VirusBarrier. Good luck.


    http://www.macworld.com/article/60823/2007/10/trojanhorse.html
  • holsmith Level 1 Level 1 (0 points)
    this pithhelmet is great, thanks so much for helping keep me sane
  • Whit555 Level 1 Level 1 (0 points)
    Thanks for posting this article. I went through all the terminal tasks and as far as I can see I don't have a trojan horse on my system. Yet, I still have the ads! very frustrating. I've run all of the anti-spyware/virus apps recommended and they have found nothing. I am on a wireless network with my roommates (Netgear router connected to a PC). Is it possible I've gotten this through the network?
  • KyleMac Level 1 Level 1 (0 points)
    I'm in the same boat as Whit555. These ads started popping up this morning. Since then I've deleted all cookies in both Firefox and Safari (I have the latest versions of both browsers Firefox 3.0.4 and Safari 3.2.1). I downloaded MacScan and VirusBarrier, but neither of them have detected anything. Similarly the DNSChanger Removal Tool did me no good. I did the terminal work suggested in the cited macworld article (http://www.macworld.com/article/60823/2007/10/trojanhorse.html) and it looks like I'm clean of a root cron job "no crontab for root" and my DNS servers match my GUI. (Of note the article about the new variant of the RSPlug trojan (http://www.tuaw.com/2008/11/18/new-variant-of-rsplug-trojan-making-the-rounds/) was published on 11/18, the day the makers of VirusBarrier sent them an alert about the trojan horse. I only downloaded the trial version of VirusBarrier. It's definitions were installed on the 7/15 and I cannot update them without purchasing the application. So it is definitely possible (if not likely) that the full version of VirusBarrier has a solution for this... it would be nice if they would update the trial version)

    As everyone has deduced this is very clearly not an issue with the websites themselves and is some sort of malware on my computer. The New York Times, MLB.com, macworld.com, and countless other respectable sites were not simultaneously compromised. On top of that I have visited these sites simultaneously with a friends computer and my own and on his computer they are completely clean. I hope everyone can take this as a definitive test that this is a problem of malware and my compromised computer -- not compromised websites. (Although, curiously I did see the ads on nytimes.com this morning but can't seem to get them again). And for clarity's sake I will mention that the ads are always replacing the spaces on websites where normal ads would sit and I have yet to see one in a pop-up window and they certainly aren't spawning pop-up windows of their own.

    Also, the ads show up in every browser you try, including obscure ones (did anyone else know that RealPlayer has a web browser?). Perhaps of note, Firefox has slowed to an absolute crawl. While Safari runs fairly normal, Firefox will take 5 minutes to load a page (probably a Javascript battle going on?) and by the time it actually loads the Vimax ads do not appear -- the normal ones do. (Note: this is not due to ad-blocking which I will discuss below. When the ads are blocked a blank spot appears where the Vimax ad would be. In my super slow running Firefox after the 5 minute load, the real ads appear. Yet I believe the slow load times are directly owing to the malware as Safari runs at approximately normal speed). Safari is my primary browser, so I can't give a very accurate account if Firefox was actually showing the ads or has been running slow the whole day, but it certainly has been running extremely slow for the past few hours and I think, but I'm not sure, that it was showing the ads as well earlier in the day.

    Like Whit555 I'm curious how this ended up on my computer. I just noticed it this morning, but I haven't really downloaded anything in the past few days. I do recall updating VLC media player, but I'm sure I was prompted to download an update from within the application itself. And I certainly haven't downloaded p*rn.

    I'm not very interested in blocking these ads -- I'm interested in removing the malware from my computer. A month ago a strategy for blocking these ads was mentioned here: (http://aalaap.blogspot.com/2008/10/block-annoying-vimax-ads.html) where you add a fake DNS entry for the host of the images: "127.0.0.1 b1.adv.net". I think it is important to note that this seems to be a new version of the malware as the host of the images seems to change depending upon when you open a website and which website. I have gotten images from hosts "b2.adv.net", "b4.adv.net", "b12.adv.net", "b13.adv.net" and "b18.adv.net" and that is just in the last 10 minutes since I've been checking. (Also perhaps of note, the ads on any one page can be sent from different host servers -- so b2 and b13 could both be displaying on mlb.com).

    If someone is only interested in blocking these adds they can incrementally just add a new fake DNS entry for every single host they encounter. (You can find this by right clicking on the image and select "Copy Image Address". For example one of my adds yielded this: http://b18.adv.net/wim/300x250/300x250_10.gif. Obviously the host you input to block this ad is "b18.adv.net"). One could probably live with the malware by just blocking everything from b1 to b20. But like I said I want this off of my computer.

    I am slightly concerned that this could be more harmful than just offensive ads. A minute ago when I was testing the fake DNS stuff with my horribly slow Firefox Max OS X force quit. The screen slowly dimmed and then it froze and said I needed to manually restart by holding the power button. No matter what, it seems clear that this problem existed a month ago and the solutions to fix that version of the malware exist with MacScan or the DNSChanger Removal Tool. However, considering that these ads are now served up by variable hosts and it doesn't seem as if that was documented before and considering that no plugin.settings or cron job exists (see linked macworld article), it seems as if this is a new and different version of the malware.

    Like Whit555 I would appreciate any help resolving this issue. I've tried to document it as accurate as possible. Hopefully this will help.
  • jupzchris Level 1 Level 1 (0 points)
    If anyone here is currently infected and currently getting vimax popups PLEASE email me csy@i2g.net
    We are trying to get to the bottom of this. We at vimax ARE NOT personally doing this. We want to out what reseller of ours is doing this and the only for us to do this is with someone who is infected to help me.

    Please email me or message me on aim at "jupzchris"

    Regards
    Chris
  • dwc2100 Level 1 Level 1 (0 points)
    Just fix the problem!!!!!!!!!
  • dwc2100 Level 1 Level 1 (0 points)
    I downloaded a trail copy of ProtectMac AntiVirus, the site said it could find malware and Trojan Horses too.
    I have not had any of the vimax ads since I ran it.
    I was seeing them at kcstar.com/sports, cnn.com, and columbiadailytribune.com, but not anymore.
    I didn't see the ads at www.bbc.com after I ran the software.
    The ProtectMac AntiVirus software took several hours to scan everything after I downloaded it.
    I was getting the ads in October and used the macscan software I think someone mentioned in a previous post. It worked in October but they came back a couple of days ago and the macscan software didn't work.
    I have an e-mail address I use to register at various websites. I don't check it very often because I get a lot of junk mail at it, especially ads for vimax type products. Both times I started seeing the vimax ads came shortly after I downloaded e-mail from that address. I'm assuming a virus, a malware, or a trojan horse got on my computer that way.
    Anyhow, I won't be checking that address anymore.
    Hope this helps someone.
  • Limnos Level 8 Level 8 (40,715 points)
    If you are still having problems with this then check a possible solution posted [in this discussion|http://discussions.apple.com/message.jspa?messageID=8546999#8546999] .
  • Wavimus Prime Level 1 Level 1 (0 points)
    I have the same problem too. After looking up information on it, I found it can be fixed. But methods of fixing this malware vary from different people (Probably because the malware changes for each computer). I suggest you and anybody else who has this problem go to bleepingcomputer.com, make an account (its free), and run the DDS thing so that they can diagnose the problem. It takes a while for an expert to help you (I'm still waiting), but as far as I know, everyone who went there to fix this problem got rid of it.
  • innovate Level 1 Level 1 (0 points)
    I have the same situation as KyleMac it seems. Didn't do the root cron job thing though as I am a bit unskilled in these matters and took great heed to the warning by terminal that I could delete critical files. I did however download the 30 day ProtectMac antivirus and run it. It found and deleted suspect files, but the ads remain in Firefox at least as I have an adblocker in Safari which still runs painfully slowly before it starts to download a site (therefore I suspect that it is taking the time to do something that I rather it didn't). Possibly the folks at ProtectMac will come up with something yet.
    Can anybody else help??? Please. I am concerned as I find out about this, just what all has been compromised.

    Message was edited by: innovate
Previous 1 2 3 Next