
Support Forum

page transfer by a.kaytri.com top of page says Firefox

Posted

I am trying to sign into a website and before I can finish - I get a page that overlaps my website that I am trying to sign into. At the top of this overlapped page (for lack of a better word) it reads Mozilla Firefox - the web address of this page is www.a.kaytri.com - says please wait - and when it opens it is an ad for say McDonalds for example. How do I turn off this annoying pop-up page?

Additional System Details

Installed Plug-ins

  • Shockwave Flash 11.6 r602
  • Adobe PDF Plug-In For Firefox and Netscape 11.0.02
  • 5.1.20125.0

Application

  • Firefox 19.0.2
  • User Agent: Mozilla/5.0 (Windows NT 6.2; rv:19.0) Gecko/20100101 Firefox/19.0
  • Support URL: http://support.mozilla.org/1/firefox/19.0.2/WINNT/en-US/

Extensions

  • DownloadTerms 1.0 (qnecriolahfk@xzqgbwzoamwuwufy.org)
  • iGive Toolbar 3.5.46 ({E68155BA-066F-4CC9-B128-4A2627664264})
  • InboxDollars 1.300.436 ({ceff3aa1-bfdc-f434-c52d-922216a9cdf5})
  • Troubleshooter 1.1a (troubleshooter@mozilla.org)
  • Browser Guard Toolbar 4.0.0.1884 ({cb84136f-9c44-433a-9048-c5cd9df1dc16}) (Inactive)
  • DoNotTrackMe 2.2.6.110 (donottrackplus@abine.com) (Inactive)


Modified Preferences

  • accessibility.typeaheadfind.flashBar: 0
  • browser.cache.disk.capacity: 358400
  • browser.cache.disk.smart_size.first_run: False
  • browser.cache.disk.smart_size.use_old_max: False
  • browser.cache.disk.smart_size_cached_value: 358400
  • browser.places.smartBookmarksVersion: 4
  • browser.search.useDBForOrder: True
  • browser.startup.homepage_override.buildID: 20130307023931
  • browser.startup.homepage_override.mstone: 19.0.2
  • dom.ipc.plugins.enabled.nptnt2.dll: False
  • dom.max_chrome_script_run_time: 0
  • dom.max_script_run_time: 0
  • dom.mozApps.used: True
  • extensions.lastAppVersion: 19.0.2
  • gfx.blacklist.direct2d: 3
  • keyword.URL: http://www.bing.com/search?q=
  • network.cookie.prefsMigrated: True
  • places.database.lastMaintenance: 1363640837
  • places.history.expiration.transient_current_max_pages: 87194
  • plugin.disable_full_page_plugin_for_types: application/pdf
  • privacy.cpd.sessions: False
  • privacy.donottrackheader.enabled: True
  • privacy.popups.showBrowserMessage: False
  • privacy.sanitize.migrateFx3Prefs: True
  • security.warn_viewing_mixed: False
  • security.warn_viewing_mixed.show_once: False

Misc

  • User JS: Yes
  • Accessibility: No

jscher2000
  • Top 10 Contributor
2347 solutions 20796 answers

That is annoying.

You have some unusual sounding extensions in your "More system details" list. Can you recall what they're supposed to do? I suggest this test: disable all of them (except the Troubleshooter), restart Firefox, and test the problem site(s) again.

To disable extensions, you can use this page:

orange Firefox button (or Tools menu) > Add-ons > Extensions category

Any difference?

jscher2000
  • Top 10 Contributor
2347 solutions 20796 answers

I see you are not alone. There was a post yesterday on these ads: "I have been trying to remove this a.kaytri.com from firefox with no luck other then to change browers. Got any help?"

Please let us know whether disabling extensions helps, and if it reappears after you restart Firefox the next time.

lestr50 0 solutions 2 answers

Wizards - hit this link - maybe it will help!? Says it is benign... BS - it's a RPITA!

http://jsunpack.jeek.org/?report=1f3829fabdef1a030f7870cede70b7cf61e60f31

3/16 Fresh install of W7/64. Only basic functional progs installed. Had AVG but swapped for Avast free/trial. Also have Malwarebytes. CCleaner and MS Security Essentials. Tried the ADblocker listed on the other thread. NOTHING works. Run multiple times.

Add-ons : Extensions - ONLY Avast Ad-blocker 8.0 and Avast Web rep active. Problem could be from Avast DL from C|net. Hate C|net.

Control panel: internet options: security: restricted sites: have 10+ or so listed, including a.kaytri.com. Doesn't stop it. There could be 100's - NONE of the sites will allow anything NEAR an uninstall or method to stop. MOST hated site is Quibids.com. One site asked for my e-mail to unsubscribe - WHY? I never subscribed!! I closed...

I have another PC... NOT affected/infected. This is about 3 days old. Yes, it may be benign but it's still a pain in the ass... both running 19.0.2

I REALLY need to solve this problem as I NEED to create an ISO b/u disc, partition, clone....

I also have IE10, Chrome and AOL - none affected/infected. This is a FF problem.

Thanks - I'll keep reading.

Les

jscher2000
  • Top 10 Contributor
2347 solutions 20796 answers

Hi lestr50, most of the settings in the Internet Options control panel are for IE only and do not pass through to Firefox. We'll have to solve this another way.

The site http://jsunpack.jeek.org is very handy, but the URL we need to submit is the lengthy URL for the specific ad. I found an example in a Google site search and watched what happened with that URL: it redirected to the intermediate site feed.validclick.com, which is part of an affiliate ad network run by Inuvo. So while it's very invasive advertising, I don't think we can learn how to remove it by looking at the back end.

If you can rule out problems from your extensions -- did you try disabling ALL of them despite their innocent looking names? -- you might also check plugins for anything unexpected or unnecessary and disable that as well.

Next issue: have your connection settings been switched? Check here:

(WIN) orange Firefox button (or Tools menu) > Options > Advanced
(MAC) Firefox > Preferences > Advanced
(LINUX) Edit > Preferences > Advanced

On the Network mini-tab, click the Settings button. To use the default connection used by IE, choose "No Proxy" or "Use System proxy settings".

Also, if your external security software runs Firefox in a sandbox or virtual machine, you might want to test with that setting disabled.

jscher2000
  • Top 10 Contributor
2347 solutions 20796 answers

By the way, in all my responses, I assumed that these were not ads the websites themselves were running. Could either of you supply some URLs to sites where this is happening so volunteers could check for that?

lestr50 0 solutions 2 answers

Yes, I followed the suggestions. No relief. I copied the basic site address to MS security because that is the only place I COULD copy them TO for a double blind. FF doesn't allow this. Additionally, IF it got into FF it could also get into IE which I don't use often, however... it was a precautionary measure, if you will.

Next, I downloaded AVG and within 30-45 seconds on the first scan it let me know in no uncertain terms it found something and told me to reboot immediately.. did it... let it finish the scan after reboot. Have not been able to "draw fire" from the a.kaytri.com affiliates. They may not even KNOW about this crap. One site led to kpm7.com. pull it up.

C:\users.......\TIF\content.IE5\A1AFYU1S\HOSTS_Anti-Adware[1].exe identified as Worm/autoit.AZCH

That's the best I can do. I believe it's gone. Some sites: secure.homeownershipgroup.com freedishHD.com Livesearchnow.com freescore360.com rent2own-usa.com There are a couple of others but... unbelievably it took the last of 4 programs to snuff it.

On re-thinking it - I may have got it when I downloaded Macrium Reflect from CNet and got hung into HAVING to try a stupid check up program. Maybe that's it. Not sure but all I can think of. Check your downloads. I simply let the "check up" run its thing and then I uninstalled - then was able to get Reflect to do the disc work I was after. I tried to get Reflect from other sites but was re-directed to CNet. I won't make that mistake again. I also have NOT used reflect. It was recommended as #1 by MaximumPC.

I hope this helps anyone who reads this. In essence FF did ABSOLUTELY NOTHING toward blocking it. Their AD Blocker doesn't work? Screw it.

That's about all I can add. Avast, Malwarebytes and MS-SE all failed. VERY surprising. Think I'll keep 'em all.


Thanks for your input. Standard measures did zip.

jscher2000
  • Top 10 Contributor
2347 solutions 20796 answers

Hi lestr50, thanks for reporting your experience. It sounds as though AVG was useful, and that it found suspicious software in your Internet Explorer cache (Temporary Internet Files). The reason for rebooting most likely is that a malware process resisted termination and could only be removed at boot time before it restarted.

There is some malware which runs externally to Firefox and launches pop-ups in your default browser after you launch it. If this program was based on a similar concept, that might explain why it wasn't affecting IE.

The AVG data on the detected malware flags file sharing sites as the most common source: http://www.avgthreatlabs.com/webthrea.../#analytics. You could check your download history for any files from those sites.

Anyway, whatever real-time antivirus protection you're using, you can reduce your exposure by keeping all internet-facing programs and plugins, and any program used to open email attachments, up-to-date with security patches.

vmarshmellow 0 solutions 2 answers

Helpful Reply

I too have (had ?) this problem.

I installed and ran AVG and it found something but I don't think (?) it was what was causing the a.kaytri.com problem.

I went to the windows 7 software uninstall page and deleted everything I did not recognize. I noticed that there was a software program called "discount buddy" (I think that was the name, it was something similar if not that) that I uninstalled.

I don't seem to have the problem anymore (did this yesterday). Could someone with this problem see if they have "discount buddy" installed on their computer? I did not intentionally install this program and don't know how/when it was installed.

Shautru 0 solutions 3 answers

I'm having this same issue and I don't have "discount buddy". Running my AVG scan now hoping it will do the trick. <edit> BTW I'm using Chrome.

Modified by Shautru

jscher2000
  • Top 10 Contributor
2347 solutions 20796 answers

Hi Shautru, you might also want to start a thread on the Google Chrome forum here since its menus and settings storage are quite different from Firefox's: http://productforums.google.com/forum/#!forum/chrome

Shautru 0 solutions 3 answers

Thanks, I did start a thread there as well. I do have Firefox too; I was just searching and this was the only topic I found, so I came here first.

My AVG only found corrupted executables named SCC.exe which it deleted. Not sure if it fixed it yet or not as the popup is somewhat sporadic in nature.

vmarshmellow 0 solutions 2 answers

Well it must have been the AVG (free edition) that fixed it then. I haven't had the a.kaytri.com screen since I installed and ran AVG. I am also running Microsoft Security Essentials which does not catch the problem. My intent was to remove AVG after the problem was fixed but now I'm not so sure ....

Shautru 0 solutions 3 answers

I'm not getting it anymore either.

Question owner

What is AVG and where do I get it so I do not get this popup anymore?

jscher2000
  • Top 10 Contributor
2347 solutions 20796 answers

Hi villageofone, AVG is a popular brand of security software. You can read about the product and download it here: http://free.avg.com/us-en/homepage

Please note that installing AVG may have unexpected consequences in Firefox: it includes add-ons that may add toolbars, change your new tab page, and change your default search provider. There are other threads here on how to remove those if you don't like them.

In addition to AVG, which offers full-time/real-time virus protection, there are some highly regarded supplemental scanners you might want to try:

Malwarebytes Anti-malware : http://www.malwarebytes.org/products/malwarebytes_free

SUPERAntiSpyware : http://www.superantispyware.com/

SparroHawc 0 solutions 2 answers

Helpful Reply

I found a solution.

For me, at least, it was a rogue extension that did it. It wasn't showing up in the extensions until I tried resetting Firefox to defaults, after which it let me disable it but not remove it. The plugin I wound up with was 'downloadterms'. Yours may be different, but the result is the same - javascript injection.

I was only able to resolve it by going into my Firefox extensions directory (for me it was in C:\Program Files (x86)\Mozilla Firefox\extensions) and searching through them.

If an extension folder has a sensible name and you recognize it, you can ignore it. Otherwise, go into the extension folder and open 'install.rdf' in notepad or your favorite text editor. Search through the file for the word 'name' and check in the vicinity of every hit. If it looks suspicious (and not "classic", that's your base theme), take that folder and move it out of the Firefox extensions directory (while Firefox isn't running, mind you). Start Firefox up again, and see if it's fixed. If not, move the folder back into extensions and check another one.

Hope this helps!

Modified by SparroHawc

jscher2000
  • Top 10 Contributor
2347 solutions 20796 answers

Hi SparroHawc, thank you for your report.

I'm troubled that the extension managed to elude the add-ons page:

orange Firefox button (or Tools menu) > Add-ons > Extensions category

If the extension folder or XPI is in your Recycle Bin, could you post the name? It may be a GUID - a long string of numbers and letters.


Also, for anyone doing disk-level research on installed extensions, you can open this page and use it for comparison:

Help menu > Troubleshooting Information

The order won't match but hopefully it will speed the process of review anyway.

Modified by jscher2000

jscher2000
  • Top 10 Contributor
2347 solutions 20796 answers

Hi villageofone, your original post indicated that you have the DownloadTerms extension mentioned by SparroHawc. Were you able to disable or remove it on the Extensions page?

orange Firefox button (or Tools menu) > Add-ons > Extensions category

If there is a Disable button but no remove button, this indicates that it was installed externally (e.g., as part of a different program) and the uninstaller is somewhere else. In that case, if you can't track down the original source, the manual removal described by SparroHawc might be necessary.

To access your extensions folder, you can use this method:

Help menu > Troubleshooting Information > "Show Folder" button

This should open your currently active Firefox settings folder (AKA your Firefox profile folder) and in there you should see an extensions folder.

Edit: It also makes sense to check the program-level folder mentioned by SparroHawc, but you should hardly find anything there.

Modified by jscher2000
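
The manual review SparroHawc describes (open each extension's install.rdf and look at its name) and the comparison against Troubleshooting Information that jscher2000 suggests can be done in one read-only pass. The following is an added example, not code from any poster in this thread; the function names are hypothetical, and it assumes the legacy install.rdf manifest format discussed above, in both unpacked folders and packed .xpi files.

```python
import sys
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"

def read_manifest(entry: Path):
    """Return install.rdf bytes from an unpacked folder or a packed .xpi, else None."""
    if entry.is_dir() and (entry / "install.rdf").is_file():
        return (entry / "install.rdf").read_bytes()
    if entry.is_file() and zipfile.is_zipfile(entry):
        with zipfile.ZipFile(entry) as xpi:
            if "install.rdf" in xpi.namelist():
                return xpi.read("install.rdf")
    return None

def parse_manifest(data: bytes):
    """Extract (id, name) from the install-manifest Description only,
    skipping the nested targetApplication entries that also carry em:id."""
    root = ET.fromstring(data)
    for desc in root.iter(RDF + "Description"):
        about = desc.get(RDF + "about") or desc.get("about")
        if about != "urn:mozilla:install-manifest":
            continue
        def field(tag):
            # Values may be child elements or attributes on Description.
            return desc.findtext(EM + tag) or desc.get(EM + tag) or "(missing)"
        return field("id"), field("name")
    return "(missing)", "(missing)"

def audit(ext_dir, known_ids):
    """List extensions on disk whose ID is not in known_ids (case-insensitive)."""
    known = {k.lower() for k in known_ids}
    findings = []
    for entry in sorted(Path(ext_dir).iterdir()):
        data = read_manifest(entry)
        if data is None:
            continue
        try:
            ext_id, name = parse_manifest(data)
        except ET.ParseError:
            ext_id, name = "(unparseable)", "(unparseable)"
        if ext_id.lower() not in known:
            findings.append((entry.name, ext_id, name))
    return findings

if __name__ == "__main__":
    # Usage: audit.py <extensions dir> [IDs you recognise ...]
    for folder, ext_id, name in audit(sys.argv[1], sys.argv[2:]):
        print(f"{folder}\t{ext_id}\t{name}")
```

Run it once against the profile's extensions folder and once against the program-level folder, passing the IDs shown on the Troubleshooting Information page; whatever it prints is on disk but not on that list.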

SparroHawc 0 solutions 2 answers

jscher2000: I wish I had, but I was troubleshooting someone else's computer in a hurry and shift-deleted that sucker. I'll know better next time I do something like that.

Astroguy 0 solutions 1 answers

I have disabled it, then removed it. Hopefully this takes care of the issue.