idkjs Posted February 11, 2018 ID:1214568

I have the same problem indicated here. When I run `find . -name "$1" 2>&1 | grep -v 'Permission denied'` in the terminal, it seems to keep getting hits in this folder: "Library/Application Support/Firefox/profiles". I attached the files from this directory. Redirect domain was hitcpm.com. Searching that on the net gets you references to hitcpm.com/watch?key virus. Anyone have any experience with this on Mac? I attached Thank you.

Attachments: pkcs11.txt LICENSE.txt revocations.txt SiteSecurityServiceState.txt

idkjs (Author) Posted February 11, 2018 ID:1214569

Running Malwarebytes comes back clean.

alvarnell Posted February 11, 2018 ID:1214570

First, confirm that these are only happening with your Firefox on your Mac and not when using any other browser or computer/device.

Then, in Firefox, select "Add-Ons" from the Tools menu or type <Control>-<Shift>-A. Remove anything that you know you did not intend to install. If you have questions about any of them, post their names back here.

idkjs (Author) Posted February 11, 2018 ID:1214576

I had already gone ahead and uninstalled Firefox Quantum and reinstalled. I want to say it was also happening in Chrome Canary but can't confirm. I will see what happens now and report back if it continues. Thank you for the quick response.

alvarnell Posted February 11, 2018 ID:1214577

Uninstalling Firefox by dragging it to the Trash will not delete any of the Add-Ons, so you will still need to check that. Also let us know the name of any Extension you decide to remove.

idkjs (Author) Posted February 11, 2018 ID:1214579

Of course, you are correct. The only add-on I recently added was GreaseMonkey. I'm thinking I'm going to wait to see if the issue reproduces before I remove it. I'm not sure exactly how it triggers. Also, the hitcpm.com URL came up in one of the tools in URL search on https://www.virustotal.com/#/home/url yesterday, but not today. Whatever that means. Do you think I should go and remove it right away? Is it worth the info to see if it happens again?

[Edited February 11, 2018 by idkjs]

alvarnell Posted February 11, 2018 ID:1214583

Don't remove anything that you added yet. My primary concern was if you saw anything that you had not added yourself. At this point I would just observe and report if it continues.

Since you are not using an ad blocker, then I would strongly suspect that redirects are a result of something on a site you are visiting that carries what's known as "malvertising".

The Malwarebytes folks may ask you for a diagnostic next or ask you to start disabling certain add-ons if they see something they aren't familiar with.

treed (Staff) Posted February 12, 2018 ID:1214880

I'm not sure that I understand the symptoms, what the Unix command you posted is supposed to show or why you attached those files to your original message. Can you clarify exactly what you are seeing, and where?

The Unix command posted won't do anything as is. If it is part of a shell script, its output would depend on the input arguments provided to that script. In order to say anything about the output of that, we would have to have the full script as well as the context in which it was used.

What was the reason that those files were attached? Without context, those files don't tell us anything.

idkjs (Author) Posted February 12, 2018 ID:1214884

Problem has not yet reoccurred, so I'll have to wait to see if it does and get you all some better details for this kind of report. New to virus reporting here. Keep you posted.

idkjs (Author) Posted February 13, 2018 ID:1215149

And it's back. This is the URL it redirects to:

`http://mysagagame.com/preland-2912_3.html?pid=10&sid=1&nonad=1&s2s=VjN8MTQyNjk4NDh8Nzc4NDU1fDk5OTMzMnwxNTE4NTQ5NTY1fDU3NjgzZWRlLTgzNjAtNDFiMC1hOTZjLTdjNjQzNzVkMWEyN3w4Mi4yNTUuNjguMTA1fDF8NTU5YzBiMjVhOTVjODZmNzFiZTI0MmY5MjYwNTA5ZTY=`

What do you need me to do to get you info you need?

treed (Staff) Posted February 13, 2018 ID:1215155

I would need more information about what you're seeing, such as under what conditions you get this redirect, in what browser, etc. Does it happen when you are on a particular website?

idkjs (Author) Posted February 14, 2018 ID:1215340

Happening on Firefox. I will do some stuff in Chrome Canary today to see if it happens there. So

> 12 hours ago, treed said:
> Does it happen when you are on a particular website?

I'm just coding and looking up stuff on basic code, as you can tell from the extensions in the screenshot above, so nothing super crazy or exciting. It feels like it mostly happens after I click past the first page of results. Just tried that, did not trigger.

Here is a search result for the redirect URL I'm talking about. Not a new thing, apparently. https://www.google.fr/search?q=how+does+hitcpm.com+work&ie=utf-8&oe=utf-8&client=firefox-b-ab&gfe_rd=cr&dcr=0&ei=VvaDWs-rKufI8gf92aOADg

treed (Staff) Posted February 14, 2018 ID:1215404

Be cautious with the results of a search like that. All of the top hits except one are scam sites, trying to convince you that what you're seeing is the result of a virus and promoting a piece of scam software to fix it.

The one that's not a scam is still borderline... I don't really understand it, because it follows the same scammy formula of the other sites by calling just about everything you might search for a "virus," but it refers to good software (including our own). I'm not sure what benefit that site sees from this, but there has to be something.

Redirects can be caused by malware, but more often they are caused by visiting a site that is shady, has been hacked or has advertising that has been compromised, or they are caused by compromised network hardware. For more information on the latter, see: https://support.malwarebytes.com/docs/DOC-1296

MTinMD Posted March 1, 2018 ID:1220364

> On 2/13/2018 at 2:44 PM, treed said:
> I would need more information about what you're seeing, such as under what conditions you get this redirect, in what browser, etc. Does it happen when you are on a particular website?

Thomas:

I'm experiencing the same thing in Safari (I'm on a new Mac mini running Sierra). Every time I open a new browser tab, it opens to search.yahoo.com instead of my favorites/frequently visited sites. Also, when I click on a link in an email from a trusted sender, it will open to the same page and not follow the link.

My wife wanted to figure out what was going on and wound up at [link removed], which seems sort of scammy to me.

I activated Malwarebytes on this Mac tonight, quarantined two files, and have been declared "clean," but still get redirected to yahoo.

Thanks!

Matt

[Edited March 1, 2018 by treed: Removed link to scam website]

alvarnell Posted March 1, 2018 ID:1220368

Sounds like you failed to reselect your home page and possibly your favored search tool in Safari preferences after that adware changed it. I believe Malwarebytes should have suggested you do that after deleting those two files.

MTinMD Posted March 1, 2018 ID:1220370

Well now...maybe I did forget that. Thanks for the tip.

Sincerely,
The absolute novice.

Seriously, thanks. And no, Malwarebytes did not suggest that afterward.

[Edited March 1, 2018 by MTinMD]

treed (Staff) Posted March 1, 2018 ID:1220522

I'm glad to hear that you found the solution.

I edited your post to remove that link, as you were quite correct that it was scammy. That page, and all the others on that site, exist solely for the purpose of promoting junk software.
