Browser Redirects Constantly - macOS

[idkjs]

I have the same problem indicated here,

When I run `

find . -name "$1" 2>&1 | grep -v 'Permission denied'

` in the terminal it seem to keep getting hits in this folder:  " Library/Application Support/Firefox/profiles". I attached the files from this directory.

Redirect domain was hitcpm.com. Searching that on the net gets you references to hitcpm.com/watch?key virus.

Anyone have any experience with this on mac? I attached

Thank you.

 

pkcs11.txt

LICENSE.txt

revocations.txt

SiteSecurityServiceState.txt

pkcs11.txt

LICENSE.txt

revocations.txt

SiteSecurityServiceState.txt

[idkjs]

Running MalwareBytes come back clean.

[alvarnell]

First, confirm that these are only happening with your Firefox on your Mac and not when using any other browser or computer/device.

Then, in Firefox, select "Add-Ons" from the Tools menu or type <Control>-<Shift>-A.

Remove anything that you know you did not intend to install.

If you have questions about any of them, post their names back here.

[idkjs]

I had already gone ahead and uninstalled Firefox Quantum and reinstalled. I want to say it was also happening in Chrome Canary but cant confirm. I will see what happens now and report back if it continues. Thank you for the quick response.

[alvarnell]

Uninstalling Firefox by dragging it to the Trash will not delete any of the Add-Ons, so you will still need to check that.

Also let us know the name of any Extension you decide to remove.

[idkjs]

Of course, you are correct.

The only add on I recently added was GreaseMonkey. Im thinking im going to wait to see if the issue reproduces before I remove it.

Im not sure exactly how it triggers. Also, the hitcpm.com url came up in one of the tools in URL search on https://www.virustotal.com/#/home/url, yesterday but not today. Whatever that means.

Do you think I should go and remove it right away? Is it worth the info to see if it happens agains?

Edited February 11, 2018 by idkjs
img

[alvarnell]

Don't remove anything that you added yet. My primary concern was if you saw anything that you had not added yourself. 

At this point I would just observe and report if it continues. Since you are not using an ad blocker, then I would strongly suspect that redirects are a result of something on a site you are visiting that carries what's known as "malvertising".

The Malwarebytes folks may ask you for a diagnostic next or ask you to start disabling certain add-ons if they see something they aren't familiar with.

[treed]

I'm not sure that I understand the symptoms, what the Unix command you posted is supposed to show or why you attached those files to your original message. Can you clarify exactly what you are seeing, and where? 

The Unix command posted won't do anything as is. If it is part of a shell script, its output would depend on the input arguments provided to that script. In order to say anything about the output of that, we would have to have the full script as well as the context in which it was used.

What was the reason that those files were attached? Without context, those files don't tell us anything.

[idkjs]

Problem has not yet re-occured so I'll have to wait to see if it does and get you all some better details for this kind of report. New to virus reporting here.

Keep you posted.

[idkjs]

And its back. This is the url is redirects to: `http://mysagagame.com/preland-2912_3.html?pid=10&sid=1&nonad=1&s2s=VjN8MTQyNjk4NDh8Nzc4NDU1fDk5OTMzMnwxNTE4NTQ5NTY1fDU3NjgzZWRlLTgzNjAtNDFiMC1hOTZjLTdjNjQzNzVkMWEyN3w4Mi4yNTUuNjguMTA1fDF8NTU5YzBiMjVhOTVjODZmNzFiZTI0MmY5MjYwNTA5ZTY=`

What do you need me to do to get you info you need?

 

[treed]

I would need more information about what you're seeing, such as under what conditions you get this redirect, in what browser, etc.

Does it happen when you are on a particular website? 

[idkjs]

Happening on Firefox. I will do some stuff in Chrome Canary today to see if it happens there.

So

12 hours ago, treed said:

Does it happen when you are on a particular website? 

I'm just coding and looking up stuff on basic code as you can tell from the extensions in the screenshot above so nothing super crazy or exciting. It feels like it mostly happens after i click past the first page of results. Just tried that, did not trigger. Here is the a search result for the redirect url im talking about. Not a new thing, apparently. https://www.google.fr/search?q=how+does+hitcpm.com+work&ie=utf-8&oe=utf-8&client=firefox-b-ab&gfe_rd=cr&dcr=0&ei=VvaDWs-rKufI8gf92aOADg

[treed]

Be cautious with the results of a search like that. All of the top hits except one are scam sites, trying to convince you that what you're seeing is the result of a virus and promoting a piece of scam software to fix it. The one that's not a scam is still borderline... I don't really understand it, because it follows the same scammy formula of the other sites by calling just about everything you might search for a "virus," but it refers to good software (including our own). I'm not sure what benefit that site sees from this, but there has to be something.

Redirects can be caused by malware, but more often they are caused by visiting a site that is shady, has been hacked or has advertising that has been compromised, or they are caused by compromised network hardware. For more information on the latter, see:

https://support.malwarebytes.com/docs/DOC-1296

[MTinMD]

On 2/13/2018 at 2:44 PM, treed said:

I would need more information about what you're seeing, such as under what conditions you get this redirect, in what browser, etc.

Does it happen when you are on a particular website? 

Thomas: I'm experiencing the same thing in Safari (I'm on a new Mac mini running Sierra).  Every time I open a new browser tab, it opens to search.yahoo.com instead of my favorites/frequently visited sites.  Also, when I click on a link in an email from a trusted sender, it will open to the same page and not follow the link.  

My wife wanted to figure out what was going on and wound up at [link removed], which seems sort of scammy to me.

I activated Malwarebytes on this Mac tonight, quarantined two files, and have been declared "clean," but still get redirected to yahoo.

Thanks! Matt

Edited March 1, 2018 by treed
Removed link to scam website

[alvarnell]

Sounds like you failed to reselect your home page and possibly your favored search tool in Safari preferences after that adware changed it. I believe Malwarebytes should have suggested you do that after deleting those two files.

[MTinMD]

Well now...maybe I did forget that.  Thanks for the tip.

Sincerely,

The absolute novice.

Seriously, thanks.  And no, Malwarebytes did not suggest that afterward.

Edited March 1, 2018 by MTinMD

[treed]

I'm glad to hear that you found the solution.

I edited your post to remove that link, as you were quite correct that it was scammy. That page, and all the others on that site, exist solely for the purpose of promoting junk software.