Redirect Virus
Harvey
Forum Regular
Join Date: Sep 2000
Location: Dracut, MA, USA
Dec 3, 2010, 10:38 AM
 
My wife's new MacBook Air seems to have acquired a "redirect virus". She can be in Facebook or reading email and out of the blue her page is redirected to some other random website. Has anyone come across a fix for this annoyance? I have installed Norton's to NO avail.

Harvey
     
ibook_steve
Moderator
Join Date: Oct 2001
Location: San Jose, CA
Dec 3, 2010, 02:10 PM
 
There's no such thing, especially on a Mac. What web browser is she using? Have you tried emptying the browser's cache? What exactly is she clicking on? Or is it happening without her clicking anything (doubtful)? And what "random website" is it redirecting her to?

Steve
Celebrating 10 years and 4000 posts on MacNN!
     
Harvey  (op)
Forum Regular
Join Date: Sep 2000
Location: Dracut, MA, USA
Dec 3, 2010, 08:16 PM
 
How can you say that? If I have learned anything in my 35 years in computing, it's that anything is possible.

She alternates between Firefox and Safari. She can be reading or responding to her email (webmail actually with Yahoo) and with no warning her screen is gone and a new website has opened. I have checked and her pop-up windows are blocked. There are 4 macs on the home network and neither of the others seems to have this problem.
     
seanc
Moderator Emeritus
Join Date: Apr 2005
Location: Cambridge, UK
Dec 3, 2010, 08:19 PM
 
Check the hosts file?
I know the TDSS rootkit can do this on Windows, not aware of anything on the Mac.
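
The hosts-file check suggested in the post above, as an added example that is not part of the thread: it lists every mapping in a hosts file that is not one of the stock macOS loopback/broadcast entries. The function names `audit_hosts` and `write_sample_hosts` are hypothetical, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). audit_hosts and write_sample_hosts are
# hypothetical helper names; the sample entries below are constructed.

# List every hosts-file mapping that is not a stock macOS entry.
# "redirect" = name pinned to a non-loopback address (traffic goes elsewhere)
# "local"    = name pinned to loopback/0.0.0.0 (usually an alias or a block)
audit_hosts() {
    awk '
    {
        sub(/#.*/, "")                 # drop comments
        if (NF < 2) next               # blank or incomplete line
        ip = $1
        for (i = 2; i <= NF; i++) {
            name = tolower($i)
            if (name == "localhost" &&
                (ip == "127.0.0.1" || ip == "::1" || ip == "fe80::1%lo0")) continue
            if (name == "broadcasthost" && ip == "255.255.255.255") continue
            kind = (ip ~ /^127\./ || ip == "::1" || ip == "0.0.0.0") ? "local" : "redirect"
            print kind, ip, name
        }
    }' "$1"
}

# Write a constructed sample: the stock entries plus two extra mappings.
write_sample_hosts() {
    cat > "$1" <<'EOF'
##
# Host Database (constructed sample)
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
203.0.113.7     mail.example.com   # constructed: webmail name pinned to another server
127.0.0.1       localhost myhost.local
EOF
}

# With no argument, run against the constructed sample; otherwise audit the
# file given, e.g.  sh audit_hosts.sh /etc/hosts
if [ -n "${1:-}" ]; then
    audit_hosts "$1"
else
    tmp=$(mktemp) && write_sample_hosts "$tmp" && audit_hosts "$tmp"
    rm -f "$tmp"
fi
```

An empty result means the file holds only the stock entries; any `redirect` line deserves a look, since it overrides DNS for that name before the browser ever loads a page.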
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Dec 3, 2010, 08:22 PM
 
Maybe you have the DNS trojan from some years back.
First Look: Trojan Horse warning: What you need to know | Utilities | Macworld
     
Art Vandelay
Professional Poster
Join Date: Sep 2002
Location: New York, NY
Dec 3, 2010, 09:28 PM
 
Sure she's just not accidentally doing the "Back" multitouch gesture on the trackpad?
Vandelay Industries
     
AKcrab
Moderator Emeritus
Join Date: Apr 2001
Location: Wasilla, Alaska
Dec 3, 2010, 10:35 PM
 
Originally Posted by Art Vandelay:
Sure she's just not accidentally doing the "Back" multitouch gesture on the trackpad?
Good call Art.
     
AltecXP
Junior Member
Join Date: Jul 2009
Dec 3, 2010, 11:30 PM
 
Originally Posted by ibook_steve:
There's no such thing, especially on a Mac.

Steve

Lines like that are why I sometimes feel ashamed to be a Mac user. People tend to assume I'm as stupid as that sentence.
     
AKcrab
Moderator Emeritus
Join Date: Apr 2001
Location: Wasilla, Alaska
Dec 4, 2010, 12:14 AM
 
Originally Posted by AltecXP:
Lines like that are why I sometimes feel ashamed to be a Mac user. People tend to assume I'm as stupid as that sentence.
What is so stupid about that sentence?

There is no "redirect virus". (Except for the trojan Cold Warrior talked about..)
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Dec 4, 2010, 05:39 AM
 
What about that Trojan CW was talking about? (technically not a virus, but that distinction is irrelevant to the user)
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Dec 4, 2010, 06:32 AM
 
Because it doesn't work like that. The OP describes the current site changing after being loaded - the trojan in question just changed the DNS records before loading.
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
     
Thorzdad
Moderator
Join Date: Aug 2001
Location: Nobletucky
Dec 4, 2010, 09:34 AM
 
Originally Posted by Harvey:
...I have checked and her pop-up windows are blocked...
FWIW, the "block popup windows" functions in both Safari and FF don't defeat all forms of popups. There are forms of pop-unders, especially, that get around the blocks. Also, on-click scripts get around those blocks. So, if she happens to click on something on a webpage (like a link to a video or something), that can propagate both the link she wants as well as a tiny popunder window that is very easy to not notice. That popunder can then cause all sorts of mischief.
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Dec 4, 2010, 09:35 AM
 
Is it possible that some site is opening a pop-under that is scripting a redirect for the frontmost window?
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Dec 4, 2010, 09:37 AM
 
A pop-under that switches window focus might just give exactly the indications Harvey is describing.

Harvey, when this happens, are there other browser windows open? Is it possible to count the windows before and after this happens?

Glenn -----OTR/L, MOT, Tx
     
nowhere
Fresh-Faced Recruit
Join Date: Dec 2010
Dec 5, 2010, 04:15 PM
 
hey guys..

not saying that this is 'the' cause.. but.. I have experienced random 'redirects' while browsing before.

also.. don't want to start a major discussion about the pros / cons / likes / dislikes of this here either...
.. just want to suggest a possible course of action.

ok.

so, apparently, there's this thing called "Flash" that websites use for allowing 3rd party advertising with. (among other things)

there are those who take advantage of some 'features' of this 'flash'.. and cause a redirect to another site as soon as the flash ad is loaded.

many reputable sites have had this issue, and it is sometimes not easy to track down, due to the nature of running ad campaigns.

there's this plugin that blocks flash and stops it from loading, allowing you to selectively load or ignore any flash content.

it is called "ClickToFlash".

Note: This is not a product endorsement or a recommendation. just a point to look at to test the concept.

Install this plugin, disable Flash for all sites, continue surfing, and note whether or not you experience any more random redirects.

If you are clean... and happy with the results.. you can get creative, and selectively click on some of the flash ads to load them.

If you then experience a sudden shift in websites, aka. random redirects, then you have found the culprit, and if you can identify the ad, you could report it to the hosting site if desired.

ymmv..
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Dec 5, 2010, 05:14 PM
 
Originally Posted by Thorzdad:
FWIW, the "block popup windows" functions in both Safari and FF don't defeat all forms of popups. There are forms of pop-unders, especially, that get around the blocks. Also, on-click scripts get around those blocks. So, if she happens to click on something on a webpage (like a link to a video or something), that can propagate both the link she wants as well as a tiny popunder window that is very easy to not notice. That popunder can then cause all sorts of mischief.
Or, another way of putting all of this (AFAIK), pop-up blockers block the spawning of new windows or tabs that are not invoked directly by clicking on something.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Dec 5, 2010, 05:19 PM
 
Harvey: does this happen on any website, or particular websites? What DNS servers are you using, and have you tried others? Flash can indeed invoke redirects, so the ClickToFlash Safari extension or the Firefox FlashBlock extension are worth giving a try too.

I would methodically rule out all of these other possibilities before fixating on the possibility of a virus and try to trace additional information that pertains to what you have to do (if any) to cause this to happen and whether you can reproduce this. A virus is frankly at the bottom of my list of possible culprits, I would not start my troubleshooting there.
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Dec 6, 2010, 04:15 AM
 
Originally Posted by AltecXP:
Lines like that are why I sometimes feel ashamed to be a Mac user. People tend to assume I'm as stupid as that sentence.
That's some way of ingratiating yourself with these forums. You know you just called a guy who designed Apple iBook laptops stupid?

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Dec 6, 2010, 04:43 AM
 
Originally Posted by Big Mac:
That's some way of ingratiating yourself with these forums. You know you just called a guy who designed Apple iBook laptops stupid?

It was kind of a dumb thing to say to speak in such absolutes, with all due respect to iBook Steve.

There is nothing special about the Mac that precludes it from getting at least some sort of trojan, if not virus. The distinction is not terribly relevant here, as has been pointed out.
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Dec 6, 2010, 05:26 AM
 
95% chance this guy wasn't hit by a "redirecting virus" on OS X. Is it completely out of the realm of possibilities? No. Is it very highly unlikely? Yes.

Many Windows users automatically jump to the conclusion that they've been hit by a virus when something goes wrong. If they're on a Mac, they need to stop making that leap because after nearly ten years malware threats are still basically unheard of on the platform.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
msuper69
Professional Poster
Join Date: Jan 2000
Location: Columbus, OH
Dec 6, 2010, 10:56 AM
 
Originally Posted by besson3c:
...
There is nothing special about the Mac that precludes it from getting at least some sort of trojan, if not virus...
That is true for trojans and other types of social engineered malware.

Not true for virii. UNIX vs. Windows. UNIX wins every time.
     
Harvey  (op)
Forum Regular
Join Date: Sep 2000
Location: Dracut, MA, USA
Dec 6, 2010, 12:57 PM
 
Thank you all for your input. All of your ideas seem to work, but only temporarily. I have not tried the Flash Click yet . . . it does sound like a very viable fix.

Here is the latest: you asked what it was that pops up . . . . . just an hour ago. . . .
http://gotof.com/roadblock.php

security check
complete a 30 sec test below
make Bing your default home page
do you shop at Home Depot?
Play Bobble Boomers


Click any of the links above
and complete the required actions
to continue


http://tmcoi.info
one more thing! ...
Please Click to "OK" to continue.
OK
     
   