I am having trouble with a redirect virus; how to fix?

ComputerUser23483 wrote:

I think I have a virus or spyware on my computer. It redirects me to a third-party site (something like LinkBucks) when I try to visit Facebook, Google or YouTube. This happens in both Safari and in Mozilla Firefox.

I have been seeing a few of these over the past few days, so it could be something new, but let me give you a couple of suggestions for what has been discovered in the last couple of weeks.

Here's an AppleScript written by fane_j which will check for what we know about the last two Flashback Trojans. Open Script Editor (/Applications/Apple Script/) then copy and paste what follows into the window:

--script begins

property theItems : {"defaults read ~/.MacOSX/environment", "ls -al /Applications/Safari.app/Contents/Resources/*COAA*", "java -version 2>&1"}

on run

set myClip to ""

repeat with i in theItems

try

do shell script i

set myClip to myClip & result & return & return

on error errText

set myClip to myClip & i & " -- " & errText & return & return

set myClip to result

end try

end repeat

set the clipboard to myClip

end run

--script ends

Press the run button. Results will be on your clipboard which you can paste into a text document, e-mail or back here.

It performs three checks:

The first will identify whether or not you have the Flashback.G Trojan (as well as a couple of earlier versions). If you are infected it will look something like this:

{

"DYLD_INSERT_LIBRARIES" = "/Users/Shared/.<dylib_filename>.so";

}

If it says that, STOP everything and return here for instructions! Do not attempt any file deletions or you can easily lock yourself out of your account.

If it says anything else or cannot find the file, you are OK on this one.

The second test looks for the Flashback.N Trojan, but since we have not been able to find anybody who was infected yet and the information on it is incomplete, there's no assurances for this one.

The third checks to see what version of Java you have. If it says anything less than 1.6.0_29 followed by some other alpha-numerics, you are vulnerable to being infected without any action on your part other than visiting a web site. In such a case use Software Update to get the latest patch.

The other suggestion would be to check for the old DNSChanger by visiting the site http://www.dcwg.org/checkup.html, click on "Mac OSX" in the left box and follow the directions.

If that's OK then click on "Checking Via Browser" and follow those directions.

It's possible that your router is infected, but unfortunately they still have not posted instructions for that.

To fix any problems you find click on the "Cleanup" tab at the top.

Feel free to read anything else on the site you might be curious about.

ComputerUser23483 wrote:

There were no red flags that I could see, though I couldn't make heads or tails of the clipboard text I recieved from running the script. Here is it:

defaults read ~/.MacOSX/environment -- 2012-03-12 22:41:41.871 defaults[166:60f] Domain /Users/USER1/.MacOSX/environment does not exist ls -al /Applications/Safari.app/Contents/Resources/*COAA* -- ls: /Applications/Safari.app/Contents/Resources/*COAA*: No such file or directory java version "1.6.0_26" Java(TM) SE Runtime Environment (build 1.6.0_26-b03-384-10M3425) Java HotSpot(TM) 64-Bit Server VM (build 20.1-b02-384, mixed mode)

"environment does not exist" is pretty much proof positive that you are not infected by the Flashback.G Trojan

"...*COAA*: No such file..." is an indication that you may not be infected by the Flashback.N Trojan, but as I said before, we just don't know enough about it yet.

"1.6.0_26..." indicates that you have have been vulnerable to being infected by either of these Trojans by simply visiting a poisoned site. I don't think we ever confirmed what sites had the "G" version. Only one user had even a guess and it was clean by the time we looked at it.

There is a bit more information about the sites distributing the "N" version. Intego reported that "...tens of thousands of WordPress blogs were infected by code that redirected them to web sites serving fake antiviruses..." caused again by out-of-date software that allowed a malicious plug-in to be installed. If you've been visiting blogs recently, there is a high probability that one of them was one of the poisoned ones. For that reason I would like for you to run one more test that's a long shot, but might tell us something.

Open the Terminal application (in /Applications/Utilities/), copy and paste the following command into a terminal window then press return.

ls -a /Applications/Safari.app/Contents/Resources/ | grep "^\."

If it shows any file names beside "." and "..", copy and paste the results back here.

I am in the process of updating my software, too, in case that was the problem. I am a little worried the redirect will come back; it went away for a short time yesterday, too, but in the meantime, it's nice being able to browse the web again.

Good idea as it would appear that you have not done that since at least November. Note that there is a security update today to the Safari Browser. If you have already updated it, then the above test will probably not find anything. If you updated it and then your problems went away, that's probably why.

Current Best Practices for Safe Computing:

1. Keep your software up-to-date, especially if it involves a security fix.

2. If I told this this before, then it bears repeating. Disable Java in all your browsers. Only if a trusted site that you must access tells you that it's required should you ever re-activate it and turn it back off when you are done.

3. Do all your normal day-to-day computing in a non-admin account and only use your admin account when you need to accomplish administrator tasks.

4. Most people suggest at least one more fix for Safari; in the General Preferences, uncheck "Open 'safe' files after downloading"

ComputerUser23483 wrote:

Arg; it came back and I'm not sure why. My whole computer is slow, and if I try to go to Facebook I am redirected

Did you run that last test I suggested?

We can also go back in time and look for a couple of old re-direct malware's if you'd like.

Has Apple made any progress fixing this bug or isolating what's causing it?

Didn't realize it was a bug, did you report it as such? No way for any of us to know, in any case. Did you update Safari to 5.1.4 yesterday? Intego said "Safari Update Fixes Dozens of Security Flaws".

It is possible that your router has its DNS table messed up, or your internet provider has had its web server DNS table messed up. Does the issue reproduce itself when you go to a WiFi hotspot?

Hi ...

Doubtful it's a virus but your ISP may be redirecting your browser.

Use OpenDNS for better speed, more security, includes anti phishing filters, no more re directs, and it's free.

Open System Preferences / Preferences then select the Network tab. Click the Advanced tab then click the DNS tab.

Click +

Enter these addresses exactly as you see them here.

208.67.222.222

Click +

208.67.220.220

Then click OK.

More about OpenDNS here.

Topic : Manually provided DNS server addresses are higher priority than DHCP's

If this doesn't work for you, just go back to the DNS tab and delete those addresses.

ComputerUser23483 wrote:

To be honest, I am not at all familiar with DNS settings; I've tried reading about them online to fix this problem, but couldn't understand anything.

Have you visited this site http://www.dcwg.org/checkup.html? Click on "Mac OSX" in the left box and follow the directions.

If that's OK then click on "Checking Via Browser" and follow those directions.

To fix any problems you find click on the "Cleanup" tab at the top.

Unfortunately, the Home Router section still hasn't been posted. What type of Router do you have?

Feel free to read anything else on the site you might be curious about.

Weirdly, a friend using a PC e-mailed me and said he was getting a redirect when he Googled a site we both frequent. I tried it on my Mac mini running Firefox 17.0.1 and the same thing happened to me.

I found this and sent it to him http://support.mozilla.org/en-US/questions/754352

• REDIRECT FIX**

This Google Redirect affects Yahoo Search as well. No Malware or Virus scans will find it because it is installed as an Add On in Firefox tools menu. Go to your Add Ons in the tool menu, scroll down untill you find "Google Update" and disable it. I don't know how this was download onto our computer but this ended the redirects using the search bar in the Firefox browser. Matt

It worked for him on his PC, but I couldn't find any such file in my Mac Firefox. Instead, I found a recently installed folder in my Applications directory titled "google" in lower-case letters. It contained an app with "zagat" in the filename, which I did not recall downloading. I deleted the google folder and secure-emptied my trash.

I hope this takes care of it.

crabpaws wrote:

I found a recently installed folder in my Applications directory titled "google" in lower-case letters. It contained an app with "zagat" in the filename, which I did not recall downloading.

I deleted the google folder and secure-emptied my trash.

I hope this takes care of it.

I would be surprised if it does, as I can't thnik of any way such a file could be responsible for a redirect, but there's always a chance.

As you probably know, Google purchased Zagat, the highly regarded restaurant rating service. I'm not aware of any Zagat apps for the Mac, but they did publish them for mobile devices (iPhone and Android). I understand Google has now folded it into something called Google+ Local. But I can't seem to find any current or former such app for the Mac. I suppose it would be a good way to disguise some Malware, but I don't really have a clue as to what it might be.

In the future you might want to consider submitting suspicious files to http://www.virustotal.com/ before you delete it, just to see if any of their scanners pick something up.

Do you know how to get rid of this redirect thing?

crabpaws wrote:

Do you know how to get rid of this redirect thing?

There have probably been a more than a half dozen causes of redirects over the past couple of years. At least four of them were malware (Flashback, DNSChanger, QHost.wb and FkCodec-A) but most are now extinct or the purpatrators sent to jail. A lot has changed since this thread started in the Spring and you have not described any of what you are seeing. It could be cookies or flash cookies or the evercookie. Since the only people that are reading this now are those who responded in the spring, I suggest you start a new thread with a complete description of the problem and that will draw others into the conversation. Please post a link to the new thread here so I know where to find it.

And you might also want to scan with one of the A-V apps out there that are free. I can only recommend ClamXav and Sophos from my testing.

Full disclosure: I do uncompensated tech support for the ClamXav Forum.

Well, my iphone redirects through quite a chain of sites ending at BaDoink.

I have RESET as NEW iPhone, Advanced has ZERO bytes of website data.

My discovery of the problem was visiting disclosureproject.org and clicking on the movie trailer link.

http://sirius.neverendinglight.com/

I get where I am supposed to go on my computers, but on my iPhone I get redirected.

This occurs either through WiFi or E or 3G web data connections.

I reset DNS to 8.8.8.8 on WiFi but it had no effect.

I will likely cease using my iPhone as a result.

January 23, 2013