Sunday, February 08, 2009

Beware Malware from Blog Upgrade Tutorial/Template Sites

I know this is my third post on template and blog update related material recently, and that this sort of thing is probably less interesting than, say, naked mole-rats. But since several people did comment in ways suggesting they might be curious about altering or updating their blogs at some point, I figured this was a worthwhile warning to post.

Anyway, I am posting this from my laptop. This in itself is not a bad thing -- it's a very sweet laptop (a Dell Inspiron Mini 9 inch display, running Ubuntu Linux). But the reason I am not working on further template graphic stuff on my desktop at the moment is because my desktop (which runs Windows XP at the moment, though I am seriously considering going to Ubuntu / Kubuntu there) somehow got infected by some particularly vicious bits of malware.

I noticed something funny (not in the amusing sense) was going on last night, when my Google searches appeared to be going to bizarre and nonsensical links. That is, the search results LOOKED normal, but actually clicking on the link would result in some long message including the phrase "clickfraudmanager" in the URL bar. E.g., googling for "kitten" and clicking on a site described as having pictures of cute kittens on it would instead lead me to a random page of real estate listings or a review of Bob's Cheesy Chicken Fries.

I was also getting a lot of pop-under ads, weird little message dialogs telling me to install very sketchy-sounding "protection utilities", and other strange phenomena like folders opening of their own accord. When I realized that I was probably seeing evidence of a virus I quickly shut down my desktop and looked up "google redirect virus" on the laptop (Ubuntu seems to be pretty solidly unlikely to contract malware, though I certainly don't take that for granted). Sure enough, it turns out that there is a whole cadre of nasty hijacking programs whose primary symptom is the redirecting of search results to pages with ads on them.

I can't even fathom how or why anyone would, upon having their search results hijacked, think, "Oh boy, how wonderful for me to have been shown this ad for holistic dog food during my search for video driver updates! I am going to buy that product right away, yes siree!" But I suppose there's enough people actually clicking links in email for \/|agr4 and <|4Li5 such that it's not a total shock that this kind of thing is cost-effective for asshat exploit writers to persist in their tomfoolery.

I managed to clean out some of the worms with something called Spybot Search and Destroy, and I've been looking at the log outputs of another program called HijackThis (I got independent confirmation that these two programs were legit before I tried them). Alas, these programs have not yet led to a total solution -- I am not seeing so many popups, but my search results are still being hijacked.

So right now my desktop is attempting to uninstall one virus protection program (Norton, for which the subscription had lapsed anyway) in preparation for installing what is hopefully a better one (Kaspersky Internet Security -- recent Slashdot stories notwithstanding, what I read indicated it was one of the best you could get for dealing with rootkit nonsense, and I am pretty sure I have some of that going on).

I don't necessarily expect that to fully work (right now UNinstalling Norton is turning out to be a bit of a time-consuming nightmare), but hopefully it will at least stop anything new from coming in and causing trouble while I hunt down Files That Should Not Be There in system directories and such.

Oh, and the reason I figure this to be a caveat for people who might be looking to update their own blogs is because I am 99% certain I picked up the malware/viruses/badstuff on some site supposedly dedicated to helping people update blogger templates. There are a LOT of sketchy-looking sites that come up in searches for anything about blog updates and graphics tutorials and such.

I remember at one point last night when I'd opened a series of tabs following a search for something about changing background graphics on web pages having my computer suddenly slow way down and make noises like it was downloading something -- only I hadn't told it to download any files.

And I definitely did not click on any banner ads or popup buttons or dialogs telling me to install [sketchy-sounding software] -- I am pretty good at pattern recognition and sketchiness like that sticks out to me like a gigantic sore thumb. But apparently some of the newer exploits don't actually require you to be fooled -- they just require you to be browsing random websites on an inadequately-protected Windows PC. (For a while I was feeling really stupid for not having updated my Norton, but from what I've been able to find so far, the particular nasties I ended up with can get right through Norton even when it has been updated recently.)

So, here is the caveat: be very very careful browsing sites on blog template upgrades and such. For some reason that whole subject area seems to be an exploit and malware magnet -- I am guessing because of the weird financial stuff that has grown up around the ability to gain revenue through blog ads and search rankings and such.

I am guessing that if I'd had not only an up-to-date virus scanner, but also a few decent adware/malware detectors (Spybot, AdAware, etc.) installed and running regularly, this might not have happened. But in any case, I am definitely not going to take for granted that I will necessarily be able to avoid being invaded by malicious trojans and such just because I don't have a habit of clicking on "free casino slots and hot chicks" ads.

6 comments:

Anthony Dragani said...

I am having the same problem, and it is awful. Here's what I know about it thus far:

There appears to be a new virus on the scene that targets Firefox users. It's a variation of the old "Google redirect" virus that affects your search results, so that when you click on them it takes you to various ad sites. This variation affects both Google and Yahoo search results, and only seems to work in Firefox.

The redirects themselves take you through a site called "clickfraudmanager.com." The script that is doing this is coming from "adwarefeed.com." I've spent the better part of the weekend researching this, and it appears that this virus is really, really new, and has only been making the rounds for the past three or four days. At present, no antivirus or antimalware software is detecting it. If you do a search on this topic, you will see that no one in any of the computer support forums out there has been able to figure this out yet. You can, however, disable the redirecting by turning off Java or by installing the NoScript Firefox addon, as I did. Of course, those measures don't treat the underlying problem.

Anthony Dragani said...

I stumbled across the solution:

It appears that the virus is hidden in the Firefox Folder. You must uninstall Firefox from the control panel, and then delete the Mozilla Firefox Folder off of your hard drive. Then download and reinstall Firefox. The problem is then gone.

To prevent this in the future, I recommend using the following two Firefox Addons: WOT (web of trust) and NoScript. These two addons will effectively stop any more viruses from being installed via the Firefox browser. Good luck!

AnneC said...

Anthony: Wow, thanks for the info. Sucks that you got saddled with the virus too, but glad you were able to track down a solution!

Last night I did actually try uninstalling/reinstalling Firefox and that didn't work -- but when I read your comment I realized that I had NOT also deleted the folders that are still left over following an uninstall. So I did that, and so far I've not had any redirects (woot!).

After getting rid of the redirects I still had virtumonde and smitfraud wormlets to deal with -- those turned out to be quite a bit peskier. The most useful thing I discovered in looking to deal with those trojans was a little Microsoft utility (yes, I know, amazing) called Process Explorer. This enabled me to see what .dlls were being used by processes such as explorer.exe and winlogon, and get rid of the sketchy-looking ones.

Two of them I actually had to get rid of by writing down the names and then booting into Linux from a CD -- a big part of the problem was that the malware had attached itself to explorer -- not Internet Explorer but explorer, the primary Windows GUI. So basically you couldn't kill the dlls from WITHIN Windows because just having Windows running meant those dlls were being "used" due to where they were resident in memory, etc. But by CD-booting into Linux and then navigating to the Windows directory on the hard drive, I was effectively "seeing into" the directories containing the viruses without actually having to be running Windows.

So, tentatively (spybot is running on my win machine for the gazillionth time making sure things are really and truly clean before I attempt using the browser on that machine) I think my system could be "cured". Yay!
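The DLL check AnneC describes doing by hand in Process Explorer, as an added example that is not part of the post or its comments: this PowerShell snippet lists the modules loaded into explorer.exe and winlogon.exe and flags any that are unsigned or that live outside the Windows directory, which is where injected adware DLLs usually stand out. It assumes an elevated prompt (winlogon's module list needs admin rights) and relies only on standard Get-Process and Get-AuthenticodeSignature cmdlets.

```powershell
# Added example (not from the post): enumerate DLLs loaded into the two
# processes the comment names and surface the ones worth a closer look.
# Assumption: run from an elevated PowerShell prompt.
$targets = 'explorer', 'winlogon'
$winDir  = $env:SystemRoot

foreach ($name in $targets) {
    Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        $proc.Modules | ForEach-Object {
            $path = $_.FileName
            # A valid Authenticode signature is the normal case for Microsoft DLLs
            # in explorer/winlogon; anything else deserves a look.
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $outsideWindows = -not $path.StartsWith($winDir, 'OrdinalIgnoreCase')
            $unsigned       = ($null -eq $sig) -or ($sig.Status -ne 'Valid')
            if ($outsideWindows -or $unsigned) {
                [pscustomobject]@{
                    Process   = "$($proc.ProcessName) ($($proc.Id))"
                    Module    = $_.ModuleName
                    Path      = $path
                    Signature = if ($sig) { $sig.Status } else { 'Unknown' }
                }
            }
        }
    }
} | Format-Table -AutoSize
```

An unsigned module in winlogon.exe is a strong signal, but confirm the file against a known-good copy before deleting it, since some legitimate third-party shell extensions also load into explorer.exe unsigned.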

AnneC said...

Or...maybe not. Ugh. That last spybot scan revealed that the worms were somehow back. They must be hiding very well, and probably have redundancies built in. I am this close to reinstalling my OS.

Oh well, in any case I've learned a bit more about operating systems, and have most certainly learned more than one valuable lesson.

Matthew said...

You might try running the Malicious Software Removal Tool - click Start, Run, type mrt, select full scan.

It will take a while, but hopefully will do better than spybot.

Kingdom_Seeker said...

I've been having the same problem with Firefox. I did download SUPERAntiSpyware and ran a scan in safe mode and thus far it appears to have worked. Haven't been redirected yet.