I am having trouble with a redirect virus; how to fix?

I think I have a virus or spyware on my computer. It redirects me to a third-party site (something like LinkBucks) when I try to visit Facebook, Google or YouTube. This happens in both Safari and in Mozilla Firefox. I have tried scanning with ClamX, MacScan, but they are not finding any viruses. I also downloaded a kit that scans the computer for DNS redirect changer viruses, but it can't find any. What should I do now?

MacBook Pro, Mac OS X (10.6.8)

Posted on Mar 12, 2012 3:08 PM

Question marked as Best reply

Posted on Mar 12, 2012 4:52 PM

ComputerUser23483 wrote:


I think I have a virus or spyware on my computer. It redirects me to a third-party site (something like LinkBucks) when I try to visit Facebook, Google or YouTube. This happens in both Safari and in Mozilla Firefox.

I have been seeing a few of these over the past few days, so it could be something new, but let me give you a couple of suggestions for what has been discovered in the last couple of weeks.


Here's an AppleScript written by fane_j which will check for what we know about the last two Flashback Trojans. Open Script Editor (/Applications/Apple Script/) then copy and paste what follows into the window:


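--script begins
-- Shell commands to run: Flashback.G environment check, Flashback.N Safari check, Java version
property theItems : {"defaults read ~/.MacOSX/environment", "ls -al /Applications/Safari.app/Contents/Resources/*COAA*", "java -version 2>&1"}

on run
    set myClip to ""
    repeat with i in theItems
        try
            do shell script i
            -- command succeeded: append its output
            set myClip to myClip & result & return & return
        on error errText
            -- command failed: append the command and its error text
            set myClip to myClip & i & " -- " & errText & return & return
            set myClip to result
        end try
    end repeat
    -- put the collected output on the clipboard
    set the clipboard to myClip
end run
--script ends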

Press the run button. Results will be on your clipboard which you can paste into a text document, e-mail or back here.


It performs three checks:


The first will identify whether or not you have the Flashback.G Trojan (as well as a couple of earlier versions). If you are infected it will look something like this:

{
    "DYLD_INSERT_LIBRARIES" = "/Users/Shared/.<dylib_filename>.so";
}

If it says that, STOP everything and return here for instructions! Do not attempt any file deletions or you can easily lock yourself out of your account.


If it says anything else or cannot find the file, you are OK on this one.


The second test looks for the Flashback.N Trojan, but since we have not been able to find anybody who was infected yet and the information on it is incomplete, there are no assurances for this one.


The third checks to see what version of Java you have. If it says anything less than 1.6.0_29 followed by some other alpha-numerics, you are vulnerable to being infected without any action on your part other than visiting a web site. In such a case use Software Update to get the latest patch.


The other suggestion would be to check for the old DNSChanger by visiting the site http://www.dcwg.org/checkup.html, click on "Mac OSX" in the left box and follow the directions.


If that's OK then click on "Checking Via Browser" and follow those directions.


It's possible that your router is infected, but unfortunately they still have not posted instructions for that.


To fix any problems you find click on the "Cleanup" tab at the top.


Feel free to read anything else on the site you might be curious about.
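
The first and third checks from the reply above, as an added example that is not part of the original post or of fane_j's script: it classifies saved output from `defaults read ~/.MacOSX/environment` and `java -version 2>&1` instead of reading it by eye. The function names and the sample strings (including the placeholder library name) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classifies saved output of the checks; it does not touch the system.

# Check 1. Input: text printed by `defaults read ~/.MacOSX/environment`.
# Prints the library path and returns 0 when DYLD_INSERT_LIBRARIES is set;
# returns 1 for anything else, including "Domain ... does not exist".
flashback_env_hit() {
    hit=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*"*DYLD_INSERT_LIBRARIES"*[[:space:]]*=[[:space:]]*"*\([^";]*\)"*;.*$/\1/p' |
        head -n 1)
    [ -n "$hit" ] || return 1
    printf '%s\n' "$hit"
}

# Check 3. Input: text printed by `java -version 2>&1`.
# Returns 0 if the version is at or above 1.6.0_29 (the threshold given in the post),
# 1 if it is below that, 2 if no version line is found (hypothetical convention).
java_meets_threshold() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^java version "\([0-9._]*\)".*$/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    printf '%s\n' "$ver" | awk -F'[._]' '{
        split("1.6.0.29", min, ".")
        for (i = 1; i <= 4; i++) {
            have = $i + 0; need = min[i] + 0
            if (have > need) exit 0
            if (have < need) exit 1
        }
        exit 0
    }'
}

# Constructed samples: the infected form uses a placeholder file name; the
# clean forms mirror the kind of output a user pastes back into the thread.
SAMPLE_INFECTED='{
    "DYLD_INSERT_LIBRARIES" = "/Users/Shared/.placeholder.so";
}'
SAMPLE_CLEAN='defaults[56553:f07] Domain /Users/example/.MacOSX/environment does not exist'
SAMPLE_JAVA_OLD='java version "1.6.0_26"'
SAMPLE_JAVA_NEW='java version "1.6.0_41"'

for s in "$SAMPLE_INFECTED" "$SAMPLE_CLEAN"; do
    if lib=$(flashback_env_hit "$s"); then echo "check 1: HIT, library $lib"
    else echo "check 1: no DYLD_INSERT_LIBRARIES entry"; fi
done
for s in "$SAMPLE_JAVA_OLD" "$SAMPLE_JAVA_NEW"; do
    if java_meets_threshold "$s"; then echo "check 3: at or above 1.6.0_29"
    else echo "check 3: below 1.6.0_29 or not found"; fi
done
```

The version comparison is a plain ordering against the threshold named in the post; it says nothing about later Java releases beyond being numerically newer.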

31 replies

Jan 23, 2013 10:09 AM in response to wheel1975

This is not caused by malware of any kind. Unless you have jailbroken your phone, there is no malware that affects iOS devices.


As to what it could be, I see exactly the same behavior from the URL you provided. What this tells me is that the site has been hacked, but only the mobile version of the site is affected. (A site can deliver different pages depending on the device, and many sites will deliver a different page to mobile devices than to full-fledged computers.)


Thus, there's no need to stop using your iPhone. However, you probably should contact the owner of that site to notify them of the issue.

Feb 24, 2013 4:48 PM in response to ComputerUser23483

I have the same problem here with the Chrome browser. Sometimes it opens a new tab with a clickbucks URL. I can't solve that. The return of the script you provided was:


defaults read ~/.MacOSX/environment -- 2013-02-24 21:37:49.323 defaults[56553:f07]

Domain /Users/arthursilva/.MacOSX/environment does not exist


ls -al /Applications/Safari.app/Contents/Resources/*COAA* -- ls: /Applications/Safari.app/Contents/Resources/*COAA*: No such file or directory


java version "1.6.0_41"

Java(TM) SE Runtime Environment (build 1.6.0_41-b02-445-11M4107)

Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01-445, mixed mode)

Feb 24, 2013 5:14 PM in response to r2arthur

And the following command:


ls -a /Applications/Safari.app/Contents/Resources/ | grep "^\."


Returns nothing 🙂 . Empty (just . and ..)


I just noticed that the URL is also opening in Safari. So both Chrome and Safari are infected? I haven't been using Safari for a while; I opened it today because I noticed that Chrome was infected.


And I just checked my DNS and it is OK.

Feb 24, 2013 5:53 PM in response to r2arthur

r2arthur wrote:


I have the same problem here with the Chrome browser. Sometimes it opens a new tab with a clickbucks url. I can't solve that. The return of the script you provided was:


defaults read ~/.MacOSX/environment -- 2013-02-24 21:37:49.323 defaults[56553:f07]

Domain /Users/arthursilva/.MacOSX/environment does not exist


ls -al /Applications/Safari.app/Contents/Resources/*COAA* -- ls: /Applications/Safari.app/Contents/Resources/*COAA*: No such file or directory

Those are very old and had to do with the Flashback Backdoor/Trojan that was in existence almost a year ago and has been declared extinct for several months now by most all of the Anti-Virus experts. If your software is fully up-to-date, and it sounds like it is, then Apple has fully protected you against that malware and would have removed anything that you already had on your hard drive a long time ago. Your problem is almost certainly not malware and clearly not Flashback.

Apr 13, 2013 9:25 AM in response to ComputerUser23483

I got rid of my Firefox redirect problem by removing everything related to Firefox.app and then re-downloading and reinstalling the software. Make sure you also remove ~/Library/Application Support/Firefox. I think that's where the virus is hiding, because when I did the first clean reinstall, the problem was still there. It wasn't until I removed the "Application Support" stuff that the problem went away, and Firefox looked like a newborn baby with none of my customizations. It's a shame that I have to redo all the add-ons and things, but at least I can still use Firefox as my browser.
