This thread was archived. Please ask a new question if you need help.
Firefox is being redirected to www.videocop.com
For the past several days WOT has been intercepting random attempts to redirect Firefox 3.6.8 (running on fully up-to-date 64 bit Ubuntu 10.04 LTS) to various dangerous web sites. The most recent attempt was to: http://www.videocop.com/?aff=NGMzNTkwOWY6OjA%3D&src=counter
URL of affected sites
All Replies (10)
"SECURITY WARNING: An actively exploited security hole in Adobe Flash 10.0 r45 and earlier can compromise your computer. Please use these instructions to update to Flash Player 10.1." https://support.mozilla.com/en-US/kb/Firefox+Support+Home+Page
For everyone: http://en.wikipedia.org/wiki/Comparison_of_firewalls
Harder still... http://blog.bodhizazen.net/linux/firewall-ubuntu-servers/
Good grief! :-( http://bodhizazen.net/Tutorials/iptables/
HOWTO: Graphical IP Blocker http://ubuntuforums.org/showthread.php?t=530183
If anyone knows of an effective IP Blocker for Windows or Macintosh, then please post a link.
Modified by JohnGaryB.
Same issue now solved for me. Now trying to clear up my GF's computer. Follow along on this thread and we will get an answer. I did many things to mine to cure it, but did not write down what I was doing. Now that I am doing the GF's puter, I am doing it in a systematic way to nail down this issue. http://www.bleepingcomputer.com/forums/topic337383.html
So the answer seems to be not to use fire fox fornow?
It's not a firefox problem, the problem is in the routers!
It's mentioned by a few previous posts in this thread, and is discussed here as well external link One way or another, the DNS server addresses in our routers have been changed to hard-coded 213.109.XXX.XXX. Look-up domain name server for a little background if you are unfamiliar with the term. The bottom line is that with your router looking to these malicious sites as domain name servers, the sites can redirect you anywhere they want. They have redirected me to other sites that have had other viruses, so you need to scan and fix your computer as well.
Firefox addon "noscript" DID prevent these redirects, but did not solve the root problem. Internet explorer and other machines still had the problem.
As has been mentioned elswhere, you could take your laptop (if you have one) to a different network (friends house, starbucks, etc), and should find that the redirects do not happen any longer.
Thank you, Thank you, THANK YOU. This is the ONLY site that I have found that had a solution to the hijacking. Check your router and change the password.
Rick, great job.... :)
This redirection seems to be a router or DNS problem - buggered up by internet buttheads. Be nice if/when the footprint can get figured out by the antivirus companies and we can get a real fix/pteventive dat for it.
Now, listen closely - in XP go to START/Control Panel/Network Connections/(right mouse on the connection that's malfunctioning(properties)/TCP/IP (Properties) and now, click the "Use the following DNS Server addresses" button. Set Preferred to 126.96.36.199 Set Alternate to 188.8.131.52
Bingo, system shoots around the re-directs and works fine. You may get it back to working status by a hard reset and re-set-up of your router if you use one. Good luck. It worked for me. If you use Vista or Win7 I suppose the same type method would work.
A new threat which can be a consequence of the router hijack issue:
Fake Anti-Virus Launches Legit AV Uninstalls (Originally Posted by Keith Ferrell Aug 23, 2010 11:28 AM)
"A new variation on the Fake Anti-Virus scam actually launches legitimate uninstallers of anti-virus programs from Symantec, Microsoft, AVG and others.
The phony anti-virus scam keeps getting new wrinkles, the latest being a pop-up Anti-Virus alert that warns users that their security program is uncertified and must be replaced. When the alert is clicked, it launches the user's legitimate anti-virus uninstall program.
As Symantec reported, the fake a-v alert box starts the uninstall no matter where the user clicks. The pop-up's close button is as malicious as its OK button.
Symantec notes that the Trojan carries uninstall launchers for "Symantec, Microsoft, AVG, Spyware Doctor, and Zone Labs." I would imagine that it won't be long before other security vendors find their products' uninstallers added to the payload..."
Here are the whois searches of the DNS addresses suggested by 'cheepgeeze...'...
...both of which resolve to OpenDNS... http://www.opendns.com/
...who offer a range of commercial and free DNS services.
And here are some other options offered as Ubuntu how-to's:
How To Change Your DNS Address In Ubuntu 10.04 Lucid Lynx http://www.liberiangeek.net/2010/08/change-dns-information-ubuntu-10-04-lucid-lynx/
Configure Ubuntu 10.04 Lucid Lynx To Use Google Public DNS http://www.liberiangeek.net/2010/07/configure-ubuntu-10-04-lucid-lynx-google-public-dns/
Configure Ubuntu 10.04 Lucid Lynx to Use Comodo Secure DNS http://www.liberiangeek.net/2010/08/configure-ubuntu-10-04-lucid-lynx-comodo-secure-dns/
The Perfect Parental Control For Ubuntu 10.04 Lucid Lynx http://www.liberiangeek.net/2010/05/the-perfect-parental-control-for-ubuntu-10-04-lucid-lynx/
BTW. Under Ubuntu these and any other web pages can be printed to .pdf files from Firefox by:
- Selecting and copying the web page's title to the clipboard (the name can't include '/' or other illegal characters)
- In Firefox click File-->Print
- In the pop-up dialog box's General tab click Print to File
- Output format: PDF
- Paste the web page's name into the name box to the left of the .pdf file name extension
- Click the Print button and your .pdf file will be printed to the root level of your Home folder.
Modified by JohnGaryB.
I was infected by the VideoCop bug, and it took me long time to figure out how to get rid of it. I’m really impressed by the ingenuity of its developers. It’s unlike any Malware I’ve ever dealt with before.
First off, let me go over the symptoms. You will frequently see advertisements for VideoCop on legitimate, well respected web sites that would never allow malicious web sites to advertise on their web pages. Mostly these ads show up on Google ad space. Firefox frequently hangs as it’s trying to contact Google analytics. After doing a Google search, and clicking on a result, you will be taken you to an unrelated, malicious web site, but if you “back arrow” to the results and click the link again, you will go to the correct web site. The root of the problem is not on your computer, it’s on your router. Somehow, and I’m not quite sure how, the DNS entries on your router have been changed. I have a Linksys WRT54G v6.0 with the latest firmware, and the default password was changed the day I turned it on. My Wi-Fi security is enabled, even with MAC filtering. For the record, the DNS servers were 184.108.40.206, 220.127.116.11, 18.104.22.168. I can only think of two ways this happened. Most likely, the Malware used my router’s password that was cached in my browser, or there is a vulnerability in the router that is being exploited. If the VideoCop hackers are using a vulnerability, there’s nothing we can do to prevent this from happening again except wait for Linksys to release a new firmware that fixes the vulnerability. But if it’s using a cached password, the solution is to never cache your router’s password. To resolve this problem, first log into your router and change your password, and log back in with the new password. If IE or Firefox asks you if it should remember your password say “No”. Now clear the DNS servers (all 3) by putting 0’s in the boxes. 0.0.0.0 will tell your router to use your IPS’s DNS settings which are obtained as part of the DHCP protocol. Now fully scan your computer with MalWareBytes, Spybot Search and Destroy, and any other Spyware remover. Also, do a full scan with your resident antivirus since you’ve possibly picked up a few spywares with all of the VideoCop forwards you’ve been experiencing. I hope this helps.