Bert2005 (United States of America) asked:
Is Firefox redirecting me to a drive-by site only when using Yahoo?

Hi experts,

This is a very weird thing. I think it is best I TRY to keep it simple, which is hard for me, and if you have questions, I can respond.

I have an eight computer client/domain network. We all use I.E. on Win 7. There are times I.E. has an issue with a certain site, so we have Firefox as well. (something I am considering getting rid of).

Two days ago, I was on my work computer and I was surfing important things with Yahoo (in other words -- good sites I hope). It was fine for an hour or so. I then had to go to Yahoo for a story. It was on it for about 30 seconds, when it instantly switched to the site below.

Firefox.pdf

I am not used to Firefox requesting an upgrade like that and .js scared me a little. So, I simply closed the browser. A minute later, I got one of those popups telling you that a very nice person who monitors all Microsoft computers in the world simultaneously noticed I was infected and offered to help if I called him. Of course, I did not do this.

I ran MBAM and SAS and I have the MBAM endpoint product. I didn't find anything. Yes, I know that once infected, always suspected, but I really don't want to completely reformat this computer.

So, I did what any very intelligent, yet very stupid person would do. I tried to reproduce the problem. I ran it once again, and it did the same thing, so I closed the web browser. I then tried Chrome and I.E. in a VM on my pc and used Yahoo. Fine. I then used Firefox with Yahoo in the VM on my machine and within about 45 seconds, it redirected. Maybe via DNS or hijack, I don't know. And, I know the VM is connected to the network.

I then uninstalled Firefox given it said critical update (even though no such warning existed on Mozilla's site). But, I certainly didn't want to click on the download. I re-installed, figuring any patch would already be added, and ran it on my computer and same thing.

I tried on three other machines on the network. Again, I know, dumb. I suppose I was troubleshooting. It didn't happen on them. So, it seemed it was on my computer only with Yahoo with Firefox. (although I can't recall if it may have been one other). I should know to write this stuff down.

Finally, I went home. My home computer is not attached to the network in any way except via RDP. I ran I.E. and Yahoo. I ran Chrome and Yahoo. All fine. I ran Firefox and Yahoo (you have to browse a little), and bam, same thing. OK, then I did something really stupid. I understand unknowing people clicking on bad links. But, I know better. But, I wanted to save the .js file to the desktop and upload it to VirusTotal. When I clicked on it, it disappeared. Ran three A/V scanners and nothing. I have now deleted Firefox from all computers.

Just wondering if anyone has any idea why this behavior is occurring. And, any information on what I should have done and not done is welcome as far as trying to reproduce the problem. Just please no lecturing. :-) In some way, I didn't want to go on forever not knowing if Firefox was not a viable option.

Thanks. Like I said, I can't keep it simple.
SOLUTION (Dave Baldwin)
SOLUTION
ASKER CERTIFIED SOLUTION
Oops - I admit I did not spot the attachment.

I thought EE always put attachments at the bottom of the post, but that's still no excuse - my bad!

Alan.
The issue is an ad buyer injected the redirect to the fake.
It happens, but difficult to identify the triggering ad given they are alternating and the sequence, redirect, spawn are .....

In IE, a site corresponding message you have an issue with MS and there is an 888 number one should call to resolve.
If one falls, the party tries to get the user to grant remote access where they make it appear as though it is virus infected and then the clincher, for a will fix it for you.
Bert2005 (ASKER)

Thanks everyone,

Yes, it is a strange site it was redirected to. I guess not a good idea to open it again.

Arnold thanks for the info on the 888 number. I did have that in my question:

"So, I simply closed the browser. A minute later, I got one of those popups telling you that a very nice person who monitors all Microsoft computers in the world simultaneously noticed I was infected and offered to help if I called him. Of course, I did not do this." Fourth paragraph (right below the .pdf). Yeah, a buddy of mine fell for this and paid the money. Lots of IT people on YouTube playing along and jerking the chain of the perpetrators. The latter get really upset at the end. Must be a sandbox, because they let them in. The IT people or those in the know play dumb at first, lol.

So, my questions are:

Why was this ad inserted only in the Yahoo ads in my office computer, VM and home computer?

I didn't ultimately do anything with the fake call in thing. Did my computer get infected? I am all about security, but a reformat would take a week at least. :(

Speaking of ads, why do I pay $19.99 a month, yes 19.99, not the $9.99 per month new users get, and there are still ads on here. One right below this comment. Not sure how much longer I will remain a member now that EE has ads and charges a subscription. Or is the whitepaper considered good for the community. I don't know.
Hi,

I understand your reluctance to wipe the machine, but once it has been infected with anything at all, you can never be sure that all infections are gone - all bets are off!

My suggestion is therefore, to wipe back to base OS, run all updates, then image the machine like that, so that you can get back there anytime you like in the future.

I would then often install core apps - not many, perhaps just MS Office or whatever, run those updates, and image again - this is your real base image for most purposes.

On my home machine, I probably wipe it at least once a year, and restore the second image, then run updates, and install anything else I am currently using, and that takes maybe 30 mins of my time at the keyboard, and perhaps an hour or two, depending on the updates, running without me being there, to get back to a completely pristine condition.

You don't have to do the latter :-)

In terms of ads, do you mean ads on the EE site?  If so, I guess that is something you would need to take up with EE themselves - we are all volunteers, and have nothing to do with the site owners and admins, or at least I certainly don't.

Alan.
SOLUTION
Thanks. Got confused talking about ads in the redirect and on here.

@Alan, thanks for your input. I was never able to reformat even with an image in home computers that quickly. But, my work computer has way, way more programs and stuff on it. Hard to describe. Just a lot to redo.

And as far as EE ads, I wasn't expecting volunteers to do anything about it. I realize it is the admins. Just thought you guys would have some more insight as to whether the Webroot thing is an ad where they are getting clickthroughs, etc. I mean this site should be completely ad-free if it is subscription. Raise the rate. Again, I am not expecting you to do that.
Missed the part about the monthly fee, which I think relates to ads in email access interface. I am uncertain the monthly fee relates to display of ads in site access.
The other monthly part deals with storage space in mailbox.... Or ..........
I'd disagree with Alan's interpretation that the system is infected thus requiring a reinstall.
I tried when such an ad comes up to track down to which of the many ads on the page it relates without any success as all ads seem from legitimate sources.
And since ads are throughout the site page, visible and pages below, it is ...
Hi,

My work machine is similar, but it still only takes about the same amount of time.

Some software gets pushed to the machine via Group Policy - I have my machine in a separate OU, and I have a separate GPO that does it as I like of course :-)

Either way, I would still recommend a wipe and start afresh, as you can never consider that machine to be yours again until you do.  The fact that you got a pop-up some time after closing the browser, says to me that there is something on there you don't want and can't trust.

I don't mean to be negative - it is just the reality of malware.

Alan.
Thanks again. And, it's the reason I come here. Please take this as a compliment, but I am not bad with computers, and can set up Hyper-Vs, etc. But, I am not nearly as good as you guys. It would take me forever. Anyway, given I am on Win 7 and eventually I will have to upgrade all the PCs to Win 10, I just ordered another Samsung Evo 1TB SSD. Yes 1 TB. That's how many programs and such. Of course, part of that is a VM, which could be on a separate drive, but isn't.

But, I will just move this drive over not as a drive letter or boot drive so I have anything I need if I screw up. Install the SSD. Takes seconds. And, install Win 10 Pro. It's free. Then add a program at a time when I realize I need it.

There should be no ads here. I am confused about space. I have a lot of answers, but they are all just type with some attachments.
And, it does make sense why it may be my computers. I was probably looking at the same pages when it happened.
Unless you got the phone call every time you viewed that warning, I can't see that they are related.  Without something you have done in the past there is no way to connect your browser to your phone number, especially on two different computers.
I may be missing something. The warning that I wish I had a printscreen of just has a toll-free number to call. They don't have my number. Or, am I misinterpreting something?

________________

And, I am definitely emailing management tomorrow. They really can't have it both ways. Yes, the site has improved, but I was fine with it the way it was. Questions and answers. I have paid for 12 years without missing a month, and it has been well worth it. But, it is quite ironic that this question pertains to nearly every website now having ads, and now EE seems to. Good for them. Just not for me. Sorry. Don't mean to vent. But, everyone will get their points.
I think David interpreted your previous post to mean that the 'support scammers' had phoned you, whereas I guess you had their number come up on the popup that appeared on your computer, as you did say that you had not called them.

Or maybe I have misunderstood both of you :-)

Alan.
Nope you had it correct. Never heard of one where they have your number. Won't be long I guess. That would be weird.
I potentially misunderstand to what you refer, are you referring to EE site now having ads as well? Though it might be internal ads to ........
Nicholas

Should report those ads to the network if you can, they are probably using flash and the advertising network probably doesn't know about it - the ad is fine but runs unwanted JS on the target machine
Also try AdBlock, freebie

As for the MS Support one - search youtube for some fun laughs
@Nicholas  Thanks, I will try that.

@Arnold

"I potentially misunderstand to what you refer, are you referring to EE site now having ads as well?"

Maybe we are all talking about different things. But, for me anyway, it is annoying when I am trying to reply to experts, and there is a large ad directly below. I am guessing that Acronis is paying Experts-Exchange for the link to their website. Again, I may be way off base, and a combination of subscription and ads paying for a site is OK. I have just never been a paid member of a site that has ads as well. Maybe I am paying only for the right to ask unlimited 500 point questions. But, I am not sure it is worth it.

I will award points soon.
As a paying member, I believe you can also post all your questions with high priority which *might* get more responses more quickly, as they attract more points (multiplier).  Personally, I try to answer questions I can, rather than looking at points, but there might be some people who target high priority only.

I see no harm in doing so at least.

Alan.
From my vantage point, if the subject matter is interesting, clearly defined..
Such as this one.


The ad is for an EE related research on the subject sponsored by..

The use of limited sponsored items in what I would say is tolerable, though I mainly answer questions, very rarely ask them when I run into a puzzling situation.