Stopping Redirect Ads

myBad

Post by myBad »

Lately, I've encountered a plethora of redirection ads that are bugging the hell out of me. They'll only happen the first time I enter one of these particular sites on the session, though. Upon the first time in a session I visit a site hosted by Imagine Games Network (ign.com), I'll be redirected to some site hosted by ezgamegear.com with an Xbox360/RE:6 ad. Upon the first time in a session I visit a Torrent site (usually BTJunkie), I'm redirected to some site called amazing-live-tv.com. Upon the first time in a session I try to watch a video on either YouTube or Dailymotion, I'm redirected to the "Terminator Salvation Screensaver" video hosted on YouTube/DailyMotion. I've scanned my system for Spyware/Adware, and nothing has been found.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Stopping Redirect Ads

Post by Giorgio Maone »

As far as I know this kind of behavior is caused by a recent malware strain called Gumblar.
Malwarebytes' Anti-Malware is known to detect and remove this pest.
You may want to try it.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
myBad

Re: Stopping Redirect Ads

Post by myBad »

Thanks for the suggestion, but neither Anti-Malware nor Ad-Aware were able to find any infections.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Stopping Redirect Ads

Post by therube »

How are you accessing those sites?
From a bookmark or typed into the URL bar or from the URL dropdown? Or from a Google search?

Do you have Adobe (Acrobat) Reader installed? Is it up to date, i.e. v9.1.1?
Do you have JavaScript enabled in Adobe Reader?

"Lately". When did lately start?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 Firefox/2.0 SeaMonkey/1.1.16
myBad

Re: Stopping Redirect Ads

Post by myBad »

therube wrote:How are you accessing those sites?
From a bookmark or typed into the URL bar or from the URL dropdown? Or from a Google search?

Do you have Adobe (Acrobat) Reader installed? Is it up to date, i.e. v9.1.1?
Do you have JavaScript enabled in Adobe Reader?

"Lately". When did lately start?
It's different links. Some are bookmarks. It's ANY video on YouTube/DailyMotion. As far as IGN.com goes, I'll typically go to a main page (i.e. games.ign.com), click any article, and then the redirect happens. I have a Firefox search engine plugin for BTJunkie; the redirect happens after a search. There's also one whenever I go to a Twitter page: a pop-under ad for twittertrafficmachine.com.

I currently have Reader 9.0.

Lately? Ehh...probably about a month or two.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
myBad

Re: Stopping Redirect Ads

Post by myBad »

Oops...I forgot, Javascript is enabled.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Stopping Redirect Ads

Post by GµårÐïåñ »

Please note that there are embedded ads appearing in YouTube videos and similar that will have this behavior as well. Originally these were Google-based ads using their API, but they have been expanded to work with other things. NoScript has been effectively crippling this by disabling the script, but when it's enabled on a given page, it bypasses its protection. This was actually a topic of discussion on the ABP forum regarding blocking those scripts or ad engines that appear INSIDE the video streams delivered by the Flash app, and apparently the new ABP DOES catch those if there is a filter established, and the list has been pretty successful in stopping them. In addition, some people are using this API to also tumble sites, which makes it harder to block all and to create a broad antidote for it, and if you have JS enabled, they WILL function. So far they are not malicious, like the previous versions that required a beacon on the user's PC to execute, mostly annoying and disruptive, but someone might figure out a way to make this more than it is. When possible, ride without allowing JS or at least don't allow permanently.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
myBad

Re: Stopping Redirect Ads

Post by myBad »

I'm going to assume this is due to some new adware, despite the fact Ad-Aware and Anti-Malware haven't detected anything. The redirects are happening despite NoScript and Adblock...and even on pages I haven't enabled javascript through NoScript.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Stopping Redirect Ads

Post by Giorgio Maone »

Which DNS are you using?
Could you show us the output of

ping www.google.com
?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
AlphaCentauri
Posts: 13
Joined: Fri Mar 27, 2009 12:09 am

Re: Stopping Redirect Ads

Post by AlphaCentauri »

I ran into similar behavior recently on a computer that had several types of malware, including Vundo. Avira wasn't detecting it (nor was it getting updates, as it had not received the recent major upgrade with enhanced rootkit protection). Malwarebytes antimalware wouldn't even install. I finally bought Stopzilla on suggestion of our IT support guy who'd had luck with it before. That was able to remove several pieces of malware. Then when I had Stopzilla do a rescan, it found nothing else but Avira awoke and started finding more things. Finally I was able to install Malwarebytes and it found yet more crap the first two missed.

I'd love to know who downloaded the malware in the first place and from where (shared work computer), but it erased all the history from the browsers, too.
Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1b3pre) Gecko/20090223 SeaMonkey/2.0a3
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Stopping Redirect Ads

Post by GµårÐïåñ »

Shared environments are very hard to secure when the users are not on equal footing regarding security knowledge. I am sorry you went through that AlphaCentauri and glad you finally got it resolved. :)

myBad, in addition to providing the ping results for what Giorgio asked, can you provide a traceroute as well? Are you using a proxy? :|
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
myBad

Re: Stopping Redirect Ads

Post by myBad »

For the ping:

Pinging http://www.l.google.com [72.14.205.99] with 32 bytes of data:

Reply from 72.14.205.99: bytes=32 time=62ms TTL=242
Reply from 72.14.205.99: bytes=32 time=53ms TTL=242
Reply from 72.14.205.99: bytes=32 time=55ms TTL=242
Reply from 72.14.205.99: bytes=32 time=53ms TTL=242

Ping statistics for 72.14.205.99:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 53ms, Maximum = 62ms, Average = 55ms

As for the traceroute:

Tracing route to http://www.google.com ...

traceroute to http://www.google.com (64.233.169.147), 30 hops max, 40 byte packets
1 208.64.252.229.uscolo.com (208.64.252.229) 0.269 ms 0.329 ms 0.390 ms
2 208.64.248.17.uscolo.com (208.64.248.17) 0.274 ms 0.324 ms 0.376 ms
3 bbr02-xe-5-2.lax02.us.xeex.net (216.151.129.189) 0.476 ms 0.527 ms 0.575 ms
4 bbr01-xe-5-2.sjc01.us.xeex.net (216.152.255.18) 8.605 ms 8.780 ms 8.829 ms
5 eqixsj-google-gige.google.com (206.223.116.21) 8.644 ms 8.879 ms 8.888 ms
6 216.239.49.170 (216.239.49.170) 10.013 ms 10.206 ms 9.552 ms
7 209.85.243.122 (209.85.243.122) 9.992 ms 9.944 ms 209.85.243.247 (209.85.243.247) 70.324 ms
8 209.85.249.140 (209.85.249.140) 70.730 ms 72.14.239.137 (72.14.239.137) 67.752 ms 209.85.249.140 (209.85.249.140) 70.700 ms
9 216.239.48.68 (216.239.48.68) 81.335 ms 80.569 ms 81.270 ms
10 64.233.175.219 (64.233.175.219) 83.201 ms 79.518 ms 83.167 ms
11 216.239.49.149 (216.239.49.149) 88.076 ms 91.038 ms 88.693 ms
12 yo-in-f147.google.com (64.233.169.147) 84.553 ms 84.049 ms 81.458 ms

Traceroute Complete

I'm not on a proxy.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Stopping Redirect Ads

Post by Tom T. »

myBad wrote: "Oops...I forgot, Javascript is enabled."
For *everything*? Try selectively allowing the minimum possible scripts that will still let the game run. This may take a bit of experimentation.
FWIW, I just went to ign.com, loaded a free game (didn't play), and it was looking all good. No redirects.
myBad wrote: "...and even on pages I haven't enabled javascript through NoScript."
Showing a number of blocked objects in NS menu, mostly .swf (Flash), and from media.ign (sounds like advertising) and chat.ign (Do you have to chat to play the games?)

I don't ever have a problem at YouTube. Went there just now and played a video. No problem. My method of visiting: All Flash is blocked by default everywhere. "Everything" is blocked everywhere. (NS > Options > Plugins = all checked.) Allow scripts from youtube and ytimg.com. Then click *only* the placeholder (NS icon) of the video(s) you want to watch. This way, you are not giving blanket permission for YT or any third party to run any Flash video they want to.

In NS > Options > Advanced > Untrusted, is "Forbid META redirections" checked? (So long as you keep at least one script blocked from ign, as suggested above, the site isn't "trusted". Don't put the site in your Whitelist, or remove it if it's there. "Temporarily allow" what you need might help.)

I block all apis (googleapis.com, yahooapis.com), unless absolutely required by the site, in which case, Temp Allow.

It's probably malware, as the above replies suggest, but it can't hurt to make sure you're running as safely as possible first. Thanks for your time.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
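
Added example (not part of the original thread and not NoScript's own code): a small checker that lists the META refresh redirects in a page's HTML, notes whether each sits inside `<noscript>` (content a browser honors only when scripts are blocked), and whether it leaves the current host. The sample page and its host names are constructed for illustration, and the host comparison is a simplification.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# "<delay>[; or ,] [url=]<target>", the shape of a META refresh content attribute
REFRESH = re.compile(r"""\s*(\d+(?:\.\d*)?)\s*(?:[;,]\s*(?:url\s*=\s*)?["']?([^"']*))?""", re.I)

class MetaRefreshFinder(HTMLParser):
    """Collects META refresh redirects and records whether each is in <noscript>."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.noscript_depth, self.findings = page_url, 0, []

    def handle_starttag(self, tag, attrs):
        if tag == "noscript":
            self.noscript_depth += 1
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = REFRESH.match(attr.get("content", ""))
        if not m or not (m.group(2) or "").strip():
            return  # a bare delay only reloads the same page
        target = urljoin(self.page_url, m.group(2).strip())
        self.findings.append({
            "delay": float(m.group(1)),
            "target": target,
            "in_noscript": self.noscript_depth > 0,
            # Simplification: exact host comparison, not registrable domain
            "cross_host": urlsplit(target).hostname != urlsplit(self.page_url).hostname,
        })

    def handle_endtag(self, tag):
        if tag == "noscript" and self.noscript_depth:
            self.noscript_depth -= 1

def find_meta_redirects(html, page_url):
    finder = MetaRefreshFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (hypothetical hosts), not taken from the thread
SAMPLE = """<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<noscript><META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://ads.example.net/landing?id=1"></noscript>
<meta http-equiv="refresh" content="300">
</head><body>
<noscript><meta http-equiv="refresh" content="2;url='/nojs.html'"></noscript>
</body></html>"""

if __name__ == "__main__":
    for finding in find_meta_redirects(SAMPLE, "http://news.example.com/article"):
        print(finding)
```

A zero-delay, cross-host refresh inside `<noscript>` is the pattern worth reviewing first, since it fires precisely for visitors who have scripts blocked.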
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Stopping Redirect Ads

Post by Tom T. »

AlphaCentauri wrote:...I'd love to know who downloaded the malware in the first place and from where (shared work computer),
Why are you going to all those sites on the company's computer and time? :P
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
myBad

Re: Stopping Redirect Ads

Post by myBad »

Thanks Tom T. The forbid META redirections suggestion actually worked.

BTW, when I said "I forgot Javascript is enabled.", I wasn't talking about noscript. I was replying to therube asking if I had it enabled in Adobe Reader. I simply forgot to put that part in the previous post. Sorry for the confusion.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10