Support Forum

I'm having trouble with the searchguide.level3 browser hijacking malware. I've reinstalled Firefox twice...please help!

Posted

I'm on a Mac using the latest OS and I've reinstalled Firefox twice now. Where is this malware coming from? It seems benign enough; it sits in the background and waits for me to mistype a URL then it takes me to its search results page...( But I know this means it could also be logging everything I'm doing as well as all my keystrokes. I checked the tutorials on how to remove it but they said I'd have to reset my search preferences and nothing in that panel has been changed. I don't have any weird software installed on my computer and I don't download strange files. Please advise!

PS- It only goes to http://searchguide.level3.com/ when I type in something with .com at the end that won't load. If I type in something that's more of a search term, it goes to google per my settings.

Additional System Details

Installed Plug-ins

  • Shockwave Flash 30.0 r0

Application

  • Firefox 60.0.2
  • User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:60.0) Gecko/20100101 Firefox/60.0
  • Support URL: https://support.mozilla.org/1/firefox/60.0.2/Darwin/en-US/

Extensions

  • LastPass: Free Password Manager 4.17.0.4 (support@lastpass.com)

Javascript

  • incrementalGCEnabled: True

Modified Preferences

Misc

  • User JS: No
  • Accessibility: No
McCoy
  • Top 10 Contributor
589 solutions 5614 answers

Good for you to be on the alert, 'cause you're dealing with a browser hijacker.

See : https://www.2-spyware.com/remove-searchguide-level-3-virus.html#mac-os-x

Go to the Firefox menu (≡) => Add-ons => Extensions

(Mac: Command + Shift + A)

Look for anything unfamiliar - if you find one, remove it.

Next step : run malware scans.

Further information can be found in this article : https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-caused-malware?cache=no

Run most or all of the listed malware scanners. They all work differently - what one program doesn't pick up, the other might.

Especially for Mac : https://www.malwarebytes.com/mac/

And : https://malwaretips.com/blogs/remove-mac-os-x-virus/

Are things back to normal now?

FredMcD
  • Top 10 Contributor
4334 solutions 60966 answers

It’s very sad, but many software downloaders/installers will trick you into installing not only their program, but other programs as well.

You have heard of the fine print in shady contracts, right? Well, some installers you need to look at the itsy bitsy teeny weeny fine print.

You are thinking you are giving the installer permission to install the program you want by using the recommended option. But if you use the Manual Option Instead, you discover all kinds of stuff that you do not even know what it is or what it does.

From now on, everyone needs to Use The Manual Option to put a stop to this.

Note that these programs can also change browser/computer settings.

jscher2000
  • Top 10 Contributor
8876 solutions 72624 answers

Do you use CenturyLink for your internet connection? According to http://www.level3.com/en/, "Level3 is now CenturyLink." That makes me think this could be a "service" associated with your ISP.

Some ISPs return site listings and/or ads instead of "server not found" error messages. On the "results" page, there often is a link where you can disable that "feature." With different ISPs, it will look different, but check toward the right edge and bottom for any opt-out or "why am I seeing this" or other links that might lead to a page where you can stop them from doing it. Or you could complain to them.

Edit:

Similar inquiry for Safari from a couple years back: https://apple.stackexchange.com/questions/240000/non-existing-urls-redirect-to-searchguide-level-3-in-safari

Modified by jscher2000
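
A way to check the behaviour described in the answer above (a DNS resolver answering for names that do not exist, instead of returning "server not found"), added here as an example and not part of any poster's reply. The function names and the random `nx-` probe labels are hypothetical; the two stand-in resolvers are constructed for illustration.

```python
import secrets
import socket


def system_resolve(name):
    """Addresses the OS resolver returns for name; empty set if it fails."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()  # expected outcome for a name that does not exist
    return {info[4][0] for info in infos}


def probe_nxdomain_rewriting(resolve=system_resolve, probes=3, suffix=".com"):
    """Resolve random names that should not exist and report any answers.

    The original post notes the redirect only appears for mistyped names
    ending in .com, so the probes use that suffix by default.
    """
    answered = {}
    for _ in range(probes):
        # 24 random hex characters: effectively never a registered domain
        name = "nx-" + secrets.token_hex(12) + suffix
        addrs = resolve(name)
        if addrs:
            answered[name] = addrs
    # One address shared by unrelated random names is a catch-all landing server
    shared = set.intersection(*answered.values()) if answered else set()
    return {
        "rewriting": bool(answered),
        "answered": answered,
        "landing_addresses": shared,
    }


# Constructed stand-ins so the logic can be exercised without a network
def honest_resolver(name):
    return set()  # behaves like a resolver that returns NXDOMAIN


def rewriting_resolver(name):
    return {"198.51.100.7"}  # documentation-range address, not a real server


if __name__ == "__main__":
    report = probe_nxdomain_rewriting()
    print("resolver rewrites NXDOMAIN:", report["rewriting"])
    print("landing addresses:", sorted(report["landing_addresses"]))
```

If the live run reports rewriting, the answers come from the DNS resolver the machine is configured to use, which operates outside the browser and is unaffected by reinstalling Firefox.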