Firefox is being redirected to www.videocop.com
For the past several days WOT has been intercepting random attempts to redirect Firefox 3.6.8 (running on fully up-to-date 64 bit Ubuntu 10.04 LTS) to various dangerous web sites. The most recent attempt was to: http://www.videocop.com/?aff=NGMzNTkwOWY6OjA%3D&src=counter
More insight into naughty cookies courtesy of a fellow forumite...
Lawsuit Tackles Files That ‘Re-Spawn’ Tracking Cookies http://blogs.wsj.com/digits/2010/07/30/lawsuit-tackles-files-that-re-spawn-tracking-cookies/
"A lawsuit filed in U.S. district court last week against several media and technology companies is the latest in a series of legal attempts to counteract the use of tracking software employed on the Web..."
Yet another tip...
I think this Flash stuff may be heading down the wrong path-
I just this second got redirected to videocop on my iPhone.
That can't be flash related!
Sent from my iPhone
This Ghostery thingy might actually be working. The one site that was giving me problems loaded properly after I BLOCKED GOOGLE ANALYTICS. Now I'm blocking all the bastards and their nasty scripts. Thanks John Gary B!
So far so good for me too. Yay Ghostery! :-)
Currently, my short list of Add-ons whose authors I'll be making a well-earned donation to includes:
- Ghostery - Adblock Plus - NoScript - Beef Taco - Flagfox - WOT - Xmarks
I've been following this thread and had good success with Ghostery all day yesterday but just got my first redirect to videocop today - from an address that I typed into the browser myself! I haven't installed Adblock Plus or NoScript yet, so I'm hoping that will take care of it. I am no longer having all the browser hang-ups with Google Analytics, though, so at least Ghostery seems to have eliminated that problem.
Has anyone used the combofix method? Thanks John for all of your input; Firefox is behaving better on my infected user. I received a Microsoft update today.
It is interesting that IPhone and Linux have the same problem.
What if RealPlayer is used to play flash? Mark
Combofix did nothing for me on an XP box.
Btw the iPhone link I clicked was in an email from a trusted user to a trusted site- although I admit I didn't check to make sure the html for the URL wasn't somehow obfuscated... Which I kind of doubt.
Since it is happening on my iPhone I no longer suspect it's any kind of conficker remnant- which means it's almost definitely related to the scripting on the target website. Surely we can find the common scripts??
I submit what is killing us is google analytics and surveys.cnet and other big name players... Since this isn't national news yet, every single one of us and all of our various machines must have something unusual in common... The only thing Linux, iPhones, xp, vista, safari, and firefox have in common perforce has gotta be something in these advertiser/trackers code and our mozilla settings.
What's the "combofix method"?
I'm not an iPhone user so hopefully Anonymous will chime in with some details.
This browser hijacking phenomenon doesn't appear to be OS-specific. Google search results indicate that it's affecting a diversity of Internet users who employ various browsers.
I don't know about using any alternate Flash players. The above listed Firefox Add-ons and Flash Player Help instructions seem to have ended the browser redirect issues on my PC..., for now. If it crops up again I will experiment with Open Source replacements for Flash Player. But honestly, I don't know enough about computers to understand what's going on. So, one step at a time for me...
The point about mentioning the iPhone is that iPhones don't use flash.
All of the browsers mentioned have a mozilla base source code.
Everyone of us shares an add on or a setting that is unusual- but I can't imagine what it would be- I've never changed anything on my iPhone browser that I can recall. On windows the only thing special is adblock.
...And it's unlikely that everyone here has visited a common web site... *cue the Twilight Zone theme* :D
I just use the Add-ons mentioned above with the latest version of Firefox (3.6.8, Mozilla Firefox for Ubuntu canonical - 1.0) running default settings.
Thanks Everybody Keep adding your input. Actually you can trace this problem on the web under most of the unwanted URLs and the word redirect or hijack. Right now there doesn't appear to be a universal way to log viral problems, any suggestions?
Norton used to be number one... but all of these malware teams are competing against each other.
But this is a growing problem with no current solution. Firefox with addons deals with the problem well, Opera seems to be needing some tracking blocking so it is still suffering.
You can go to any Flash movie and use the Flash storage settings and set it to 0, then press OK and it will empty it, or CCleaner can have the Flash cookie cleaner. For Firefox check out the options for Ghostery and Beef Taco to block trackers. For Ghostery you can block the 100 tracking companies and add more. Better Privacy will allow you to delete them before using Flash or when leaving Firefox.
So if there is a single URL to collect all malware list it, otherwise keep adding description and URL information to this blog, then people will find it when they search. Granted Firefox is the safest.
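The Flash storage cleanup described above (emptying the Flash Player's local shared objects, the "Flash cookies" that can re-spawn ordinary tracking cookies) is easy to do outside the browser. The following is an added example written for this thread; it is not code from any post here and not BetterPrivacy's or CCleaner's own code. It assumes Adobe Flash Player's on-disk layout: site data under <root>/#SharedObjects/<random-id>/<domain>/.../<name>.sol, per-site settings under <root>/macromedia.com/support/flashplayer/sys/#<domain>/settings.sol, and the global settings file at <root>/macromedia.com/support/flashplayer/sys/settings.sol, with <root> being ~/.macromedia/Flash_Player on Linux and %APPDATA%\Macromedia\Flash Player on Windows. The sample directory it builds for demonstration is constructed and uses example.com names, not sites from the thread.

```python
"""Enumerate and purge Flash Player local shared objects ("Flash cookies").

Added example for this thread; not code from any post and not BetterPrivacy's
or CCleaner's own code. Assumed Adobe Flash Player layout:
  <root>/#SharedObjects/<random-id>/<domain>/.../<name>.sol          site data
  <root>/macromedia.com/support/flashplayer/sys/#<domain>/settings.sol  per-site settings
  <root>/macromedia.com/support/flashplayer/sys/settings.sol          global settings
<root> = ~/.macromedia/Flash_Player (Linux) or %APPDATA%\\Macromedia\\Flash Player (Windows).
"""
import os
import tempfile
from collections import defaultdict
from pathlib import Path

FLASH_ROOTS = [
    Path.home() / ".macromedia" / "Flash_Player",
    Path(os.environ.get("APPDATA", "")) / "Macromedia" / "Flash Player",
]
GLOBAL = "(global settings)"


def lso_domain(sol: Path, root: Path) -> str:
    """Map a .sol file to the site it belongs to, using the layout above."""
    parts = sol.relative_to(root).parts
    if "#SharedObjects" in parts:
        i = parts.index("#SharedObjects")
        # '#SharedObjects', <random-id>, <domain>, ..., <file>
        return parts[i + 2] if len(parts) >= i + 4 else "(unknown)"
    if "sys" in parts:
        i = parts.index("sys")
        # 'sys', '#<domain>', 'settings.sol'   or   'sys', 'settings.sol'
        return parts[i + 1].lstrip("#") if len(parts) >= i + 3 else GLOBAL
    return "(unknown)"


def find_lsos(root: Path) -> dict[str, list[Path]]:
    """Return {domain: [sol files]} for everything under root."""
    found = defaultdict(list)
    if root.is_dir():
        for sol in root.rglob("*.sol"):
            found[lso_domain(sol, root)].append(sol)
    return dict(found)


def purge_lsos(root: Path, keep_domains=(), dry_run=True) -> list[Path]:
    """Delete every .sol file except those of keep_domains and the global
    settings file (removing that one resets the player's privacy settings).
    Returns the paths that were removed (or would be, with dry_run)."""
    removed = []
    for domain, files in find_lsos(root).items():
        if domain == GLOBAL or domain in keep_domains:
            continue
        for f in files:
            if not dry_run:
                f.unlink()
            removed.append(f)
    return removed


def make_sample_tree() -> Path:
    """Constructed sample: a throwaway Flash_Player tree in a temp directory.
    The domains are illustrative and not taken from the thread."""
    root = Path(tempfile.mkdtemp()) / "Flash_Player"
    for rel in (
        "#SharedObjects/ABCD1234/example.com/tracker/uid.sol",
        "#SharedObjects/ABCD1234/video.example.net/player.sol",
        "macromedia.com/support/flashplayer/sys/#example.com/settings.sol",
        "macromedia.com/support/flashplayer/sys/settings.sol",
    ):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x00\xbf")  # placeholder bytes; real .sol files are AMF-encoded
    return root


if __name__ == "__main__":
    for r in FLASH_ROOTS:
        for domain, files in sorted(find_lsos(r).items()):
            print(f"{domain}: {len(files)} object(s)")
    # To really delete: purge_lsos(r, keep_domains=("example.com",), dry_run=False)
```

Run it once with the default dry run to see which sites have objects on disk before deleting anything; the Flash Player must be closed (i.e. the browser closed) for the deletion to stick, since a running player can write its objects back.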
Videocop ad appeared on Opera http://www.brothersoft.com/combofix-292397.html But not on Firefox http://www.brothersoft.com/combofix-292397.html Could be coincidence? After cleaning (via Firefox) not on Opera?
There is still shockwave player and any number of non-adobe products that could be used in the same way.
Hi, I have had all the same problems that are described here for the past few weeks. I've cleaned my laptop with several antivirus programs and have found a few infections and got rid of them, but the redirects still occur. I have not tried the various firefox addons yet, but I will. I am also having redirect problems with IE 8.
A major thing I have noticed is that this only occurs on my laptop when it is on my home network. Whenever I am on the network at my parents' home or at the coffee shop down the street, the redirects stop. I have reset my Linksys router by holding the reset button for 45 seconds and have also changed the router password and the wireless access password.
Another thing I have noticed is that ads on some pages are different when I'm on my home network, such as normal movie ads on rottentomatoes.com changing to various cheap-looking Clicksor ads. The ads return to normal when I am on a different network.
Has anyone else noticed any of these problems? Has anyone had the same problems when on a network other than their own?
Actually, it DOES seem possible we've all visited the same site to me.
By the way, when Google analytics freezes your browser, has anyone else had the instances where it also pops-under a screen sized blank white browser window? That's not 100% of the time, but I've noticed it on occasion.
I have this problem too.
1) it seemed to start with Defence Center. I used Malwarebytes to get rid of that, but the problem persists
2) Some sites suggest that this is a rootkit virus. These are very stubborn and hard to get at. I am sure I have the virus, but I have tried about 6 virus tools and none have found the problem. Is it new?
3) Additional issue: I have tried to roll back to a previous Restore Point for MS XP Pro. I cannot get the Restore Point feature to work.
I just checked my e-mail and found that there had been a half dozen or so replies to this thread. So I deleted all of the notifications of said replies save for the most recent one, and then proceeded to this thread with the expectation of reading all of the replies.
When I arrived I found only two replies which I hadn't seen before (one from TonyTonyTony, Posted August 4, 2010 9:29:41 PM PDT, and one from numberzguy, Posted August 6, 2010 9:21:12 AM PDT). The rest were missing. :-(
Fortunately I have the text of the one post that I didn't delete from my e-mail notifications. As this post contains info which IMO is useful to resolving what's behind this ongoing browser redirect issue, here is the text of said post in its entirety:
""Cochango" has posted a reply to a thread you're watching. You can view the thread and reply at the following URL:
Same problem on three devices - non-networked. When it showed up on my iPad I knew something screwy was up and it had to be with the router. Looked at DNS config and saw three static DNS addresses that I never put in. Set back to zeros and so far so good. It's in the router, Watson, because that's the only thing ALL THREE of my devices have in common. No print or file sharing with the Pad but I get redirected using Safari browser. Slam dunk."
In the wake of the missing posts in this thread - and given that, for the first time ever, I had to register as a user of this forum to submit a (this) post - is there a new moderation policy in place on the Firefox Support Forum, and if so, does it include deleting posts such as the one from 'Cochango' cited here?
I was experiencing the occasional frozen blank page similar to what you've described before installing and using the Firefox Add-on Ghostery in addition to the Add-ons: Adblock Plus, NoScript, Beef Taco, Flagfox, WOT, and Xmarks.
In a belt & suspenders approach to further combating browser redirects I've since installed the Ff Add-on BetterPrivacy as well.
I managed to defeat this thing finally. As someone suggested, it is in the router. I ran Sophos Anti-Rootkit, MalwareBytes, SuperAntiSpyware, ComboFix and avast. First, MalwareBytes would not connect for an update. That I found odd. So I went and grabbed the manual update. I was getting the same issues as everyone else. First, hanging on Google Analytics, then surveys.cnet.com, the videocop and other redirects. I got so annoyed, I reformatted... AND IT WAS STILL THERE!! Not possible, I thought. If this was a BIOS infection, I may as well toss the thing out.

Then someone suggested I check my router config since I never did change the default Linksys admin password. I logged into the router and KABAM... the entire GUI page was mangled, I could not alter any settings. I hit the reset button, and got the interface back. I uploaded a new firmware update. I swept my computer one more time to be sure I still had nothing, and connected. Everything works perfect now. I did the same to my GF's computer before I let her connect to my router... found 74 various tracking cookies, none of which stuck out more than the other. We connected and even her computer... which was the first infected, worked fine. I had her reset her modem at home... and finally no issues there either.

So my best guess is that some type of low level malware opened the door for something more complex which began altering my router and sending me to places I did not want to go and also stopped outgoing traffic to websites that would help. I couldn't get on to most help sites without major difficulty. MalwareBytes now updates via the update button, Windows updates again, and I can get to sites like bleepingcomputer.com or majorgeeks.com without being redirected to their 404 error page. I don't know which one of these steps in particular killed the computer portion of the malware, but resetting the router seemed to kill that part. I have no idea how to stop it from happening again.
Judging by the other sites, all kinds of people are having the same issue. This may be a rewritten variant of the ZLOB trojan...but I don't have the experience or knowledge to say for sure.
Good post Rick! :) Thanks for sharing your experience and insight.
As for preventing a repeat of the browser redirect problem? It would appear that resetting one's router to its factory defaults, entering in the settings which one needs, and then protecting it with a secure password would be prudent.
On the software side of taking preventative measures, I am pleased to report that, for the past several days, my Ubuntu 10.04/Firefox 3.6.8 rig has not experienced any further browser redirect problems since I began using the Firefox Add-ons I mentioned earlier.
There is one new wrinkle though. In Ghostery-->Preferences-->Ghostery Options-->Blocking I had enabled web bug blocking and selected All for the list of items which appears there. However, since then a few new ones have crept into said list as I've surfed the Internet, so I've had to re-click the All option to include these intrusive newcomers. I expect that this is something I'll have to do after each Internet session from now on in order to maintain an enhanced level of security.
What began as a moment of mirth on another forum soon produced (perhaps by coincidence as this browser redirect problem has been dragging on for a while now) an intrusion attempt alert in Firestarter (a firewall commonly employed by Ubuntu users):
Time: Aug 11 00:26:10 Source: 188.8.131.52 Destination: :p In IF: wlan0 Out IF: Port: 53 Length: 88 ToS: 0x00 Protocol: ICMP Service: DNS
So I checked out the source of said attempt...
220.127.116.11 IP Whois / Whois IP: http://www.ip-adress.com/whois/184.108.40.206
...and got this:
18.104.22.168 IP: 22.214.171.124
126.96.36.199 server location: Russian Federation
188.8.131.52 ISP: ProLite Ltd.
184.108.40.206 Whois Information
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '220.127.116.11 - 18.104.22.168'
inetnum:        22.214.171.124 - 126.96.36.199
netname:        PROLITE-NET
descr:          ProLite Ltd.
country:        RU
org:            ORG-PL83-RIPE
admin-c:        NF1275-RIPE
tech-c:         NF1275-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-by:         MNT-PROLITE
mnt-routes:     MNT-PROLITE
mnt-domains:    MNT-PROLITE
source:         RIPE # Filtered
organisation:   ORG-PL83-RIPE
org-name:       ProLite Ltd.
org-type:       OTHER
address:        Russia, Nizhniy Novgorod, Pecherskiy syezd 22, off.12
e-mail:
mnt-ref:        MNT-PROLITE
mnt-by:         MNT-PROLITE
source:         RIPE # Filtered
person:         Nikolay N. Filimonov
address:        Russia, Nizhniy Novgorod, Pecherskiy syezd 22, off.12
phone:          +7 831 4284242
nic-hdl:        NF1275-RIPE
source:         RIPE # Filtered
mnt-by:         MNT-PROLITE
% Information related to '188.8.131.52/20AS49727'
route:          184.108.40.206/20
descr:          ProLite
origin:         AS49727
mnt-by:         MNT-PROLITE
mnt-routes:     MNT-PROLITE
source:         RIPE # Filtered
% Information related to '220.127.116.11/21AS49727'
route:          18.104.22.168/21
descr:          ProLite
origin:         AS49727
mnt-by:         MNT-PROLITE
source:         RIPE # Filtered
Can anyone shed further light on Nikolay N. Filimonov's antics?
"Poisoned" Router DNS Settings http://www.technibble.com/forums/showpost.php?p=144318&postcount=1
Discovered a new one today (new to me!). A virus that changed the DNS settings in a Netgear WPN824 router. The router had the default password. A quick search on the Internet shows routers "poisoned" by viruses that can modify router settings when the user has NOT changed the default password. Y'all be sure to change your default passwords on customer routers (I usually do this).
Background: Customer brings me an infected laptop that has a hijacked browser and I pulled the hard disk and slaved to my bench PC to clean it (SOP). It had several Java script viruses (AVG shows twitters.class, skypeqd.class, mailvue.class, AppleT.class all in jar_cache). Removed viruses with AVG.
So I gave the laptop a "clean up/tune up" afterward. Customer picks up laptop, goes back home, and calls me within hours: "it's still going to the wrong web sites". So I ask him to drop it back by the shop to check it out again. Pull the hard disk, scan with AVG & Malwarebytes and it's clean. The browser is NOT hijacked in my shop. Put it back into PC and scan with his AVG & Malwarebytes and it's clean. He calls while I have it and says: "now my wife's laptop is hijacked!". I pack up his machine and go over to his home and run an IPCONFIG /ALL in a CMD window and the DNS servers shown is 22.214.171.124 (which resolves to a Russian network!) Wow!
Go into his Netgear router and lo and behold the DNS setting has been changed from "Get Automatically from ISP" to "use these DNS Servers" with the above numbers typed in. Bingo. Change it to "Get Automatically from ISP" and it's all good.
It is a good reason to always change the default password."
Modified by JohnGaryB. on
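The check the technician above ran by hand (IPCONFIG /ALL, look at the DNS servers, ask whether they make sense) and the router-DNS findings reported earlier in the thread by Cochango and Rick can be scripted. What follows is an added example written for this thread, not code from any post. It parses the two things participants looked at, "ipconfig /all" output on Windows and /etc/resolv.conf on Ubuntu, and flags any resolver that is neither on the LAN (where a home router lives) nor on an allowlist you supply (e.g. your ISP's resolvers). The sample outputs embedded in it are constructed; the 203.0.113.0/24 addresses are a documentation range standing in for the rogue servers, not addresses from the thread.

```python
"""Flag DNS resolvers handed to a client that are outside the expected set.

Added example for this thread, not code from any post. Parses "ipconfig /all"
output (Windows) and /etc/resolv.conf (Ubuntu) and reports resolvers that are
neither on the LAN nor on an explicit allowlist. Sample outputs are
constructed; 203.0.113.0/24 is a documentation range, not a thread address.
"""
import ipaddress
import re
from typing import Iterable

# RFC 1918 and link-local: where a home router or DHCP-assigned resolver lives.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# ipconfig label lines look like "   DNS Servers . . . . . : x"; continuation
# lines carrying a second or third server contain only the address.
LABEL = re.compile(r"\s\.\s")
UNEXPECTED = "UNEXPECTED public resolver, not on allowlist"


def parse_resolv_conf(text: str) -> list[str]:
    """Nameserver addresses from resolv.conf text, comments ignored."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def parse_ipconfig_all(text: str) -> list[str]:
    """IPv4 DNS server addresses from 'ipconfig /all' output, all adapters."""
    servers, in_dns = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            in_dns = True
            servers += IPV4.findall(stripped)
        elif in_dns and stripped and not LABEL.search(line):
            servers += IPV4.findall(stripped)  # continuation line
        else:
            in_dns = False
    return servers


def classify(servers: Iterable[str], allowlist: Iterable[str] = ()) -> dict[str, str]:
    """Verdict per resolver: allowlisted / loopback / lan / UNEXPECTED."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    verdicts = {}
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            verdicts[s] = "unparseable"
            continue
        if ip in allowed:
            verdicts[s] = "allowlisted"
        elif ip.is_loopback:
            verdicts[s] = "loopback stub resolver (check what it forwards to)"
        elif ip.version == 4 and any(ip in n for n in LAN_NETS):
            verdicts[s] = "lan"
        else:
            verdicts[s] = UNEXPECTED
    return verdicts


def unexpected(servers: Iterable[str], allowlist: Iterable[str] = ()) -> list[str]:
    """Only the resolvers that deserve a look."""
    return [s for s, v in classify(servers, allowlist).items() if v == UNEXPECTED]


# Constructed samples (not captures from the thread).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 192.168.1.1
"""

SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.104
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.11
                                       203.0.113.12
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, servers in (("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF)),
                          ("ipconfig /all", parse_ipconfig_all(SAMPLE_IPCONFIG))):
        for server, verdict in classify(servers).items():
            print(f"{name}: {server} -> {verdict}")
```

One caveat matters here. This client-side check catches the Netgear case above, where the router's DHCP handed the rogue addresses straight to the laptops. In the cases Cochango and Rick describe the clients would show only the router (192.168.1.1, verdict "lan") because the router itself forwarded queries to the static DNS entries planted in its WAN settings; that page has to be read in the router's admin interface, and after fixing it each client needs a fresh DHCP lease (ipconfig /renew, or reconnect) and a flushed resolver cache before the old answers stop coming back.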