Youtube, Google & Facebook redirect to flash update


Userlevel 1
Unable to access any of the above sites without being redirected to a Flash update, or it just sits there and hangs, with the status bar info regularly refreshing.
 
Looking through the forums I see it could possibly be a pseudo Zombie Ad Scam.  I'm not one for clicking on links but I do remember seeing ads on youtube in odd places, and it caught my attention, making me think YT was getting OTT on the advertising....
 
All other sites seem to be working.
 
However I've done various scans (i.e. Eset, Malwarebytes) and now WSA, but it's still there....I was kinda hoping this would be the 'super' fix.... but....so it's hardly the lever I need to change from Eset.
Any ideas peeps?
 
Running:-
XPPro64
Firefox 27.0.1
Eset Security Suite
Tuneup Utilities
Malwarebytes
WSA trial
 

21 replies

Userlevel 7
Badge +52
Hi GettinBetter, and welcome to the Community!
 
As this is a suspected malware infection, you must submit a Trouble Ticket. The Community Guidelines (https:///t5/Community-Guidelines-please-read/Experiencing-a-Webroot-Issue-Start-here/td-p/17460) specify that possible infections must be reported that way, as the level of help is generally beyond what can be given here.
 
Avoid concurrent use of two or more antivirus programs.
WSA is a self-contained product and does not need a third-party antivirus.
Thank you
Best regards, Petr.
Userlevel 7
First, welcome to the Community Forums, GettinBetter...:D
 
Second, Hi Petrovic :D
 
Good advice re. the potential Zombie Scam but I must take friendly issue with your statement on concurrent usage of more than one AV/IS.  
 
That was indeed the general rule, and I believe still is, unless one of the AV/IS apps is WSA, as WSA is designed to complement & co-operate with other AV/IS apps if installed on the same system as one.  It is one of the USPs (Unique Selling Points) of WSA that it can do this, i.e., if it detects that another AV/IS app is present it will cede control to that app but instantly jump in should the other app let the malware/threat through and it executes.
 
I and others here have run WSA with the likes of NIS, KIS and others and had little or no issues (and when there were any they were resolved by either Webroot or the other producer very quickly).
 
I am not saying your advice is wrong per se but rather that it depends on the security apps used concurrently...if you get my drift.
 
Hope that helps?
 
Regards
 
 
Baldrick
 
 
Userlevel 7
If this is only happening on Firefox, let's check your Add-Ons & Plug-Ins and see what may be lurking there.
 
First restart Firefox with all Add-Ons disabled and see what happens. Click Firefox - Help - Restart with Add-Ons Disabled and let's see if it still occurs.
 
If that works fine:
Restart Firefox again to get it back to normal operation, then click the Firefox button, then Add-Ons. You can see the list of Add-Ons there, and on the left side you can click for Services. Let's check those.
 
If you still have the problem:
Start a support ticket with Webroot and let's see what they find.
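Baldrick's steps above use the Firefox UI. As an added illustration (not code from the thread, from Webroot or from Mozilla), the script below reads the profile's extensions.json and lists add-ons worth a second look: anything installed from outside the profile folder (for example via the registry), anything downloaded from somewhere other than addons.mozilla.org, and anything with no recorded download source. The file layout it assumes (an `addons` array with `id`, `location`, `active`, `sourceURI` and `defaultLocale.name`), the location names, and the sample add-ons are assumptions made for the example; the ids and hosts are invented (`.invalid`).

```python
import json

# Where Firefox records an add-on it installed into the profile itself, versus
# locations written by installers outside the browser. These location names and
# the field names below are assumptions about extensions.json, not taken from
# the thread or from Mozilla documentation.
PROFILE_LOCATION = "app-profile"
BUILTIN_LOCATIONS = {"app-global", "app-system-defaults", "app-builtin"}
AMO_PREFIX = "https://addons.mozilla.org/"


def load_addons(json_text):
    """Flatten extensions.json into a list of small dicts, one per add-on."""
    addons = []
    for entry in json.loads(json_text).get("addons", []):
        locale = entry.get("defaultLocale") or {}
        addons.append({
            "id": entry.get("id", ""),
            "name": locale.get("name") or entry.get("id", ""),
            "active": bool(entry.get("active")),
            "location": entry.get("location", ""),
            "source": entry.get("sourceURI") or "",
        })
    return addons


def flag_addons(json_text, known_good_ids=()):
    """Return (id, name, active, reasons) for add-ons that deserve a manual look."""
    flagged = []
    for addon in load_addons(json_text):
        if addon["id"] in known_good_ids or addon["location"] in BUILTIN_LOCATIONS:
            continue  # explicitly trusted, or shipped with the browser itself
        reasons = []
        if addon["location"] != PROFILE_LOCATION:
            reasons.append("installed from outside the profile (%s)" % addon["location"])
        if addon["source"] and not addon["source"].startswith(AMO_PREFIX):
            reasons.append("downloaded from %s, not addons.mozilla.org" % addon["source"])
        elif not addon["source"]:
            reasons.append("no recorded download source")
        if reasons:
            flagged.append((addon["id"], addon["name"], addon["active"], reasons))
    return flagged


# Constructed sample extensions.json; the ids, names and hosts are invented
# (.invalid) and mirror the thread's situation: a video downloader fetched
# from a third-party site, plus a toolbar dropped in via the registry.
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "theme@example.invalid", "location": "app-global", "active": True,
     "defaultLocale": {"name": "Default Theme"}, "sourceURI": None},
    {"id": "adblock@example.invalid", "location": "app-profile", "active": True,
     "defaultLocale": {"name": "Ad Blocker"},
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/adblock.xpi"},
    {"id": "ytdl@example.invalid", "location": "app-profile", "active": True,
     "defaultLocale": {"name": "YouTube Video Downloader"},
     "sourceURI": "http://dl.hijack-example.invalid/ytdl.xpi"},
    {"id": "toolbar@example.invalid", "location": "winreg-app-global", "active": True,
     "defaultLocale": {"name": "Search Toolbar"}, "sourceURI": None},
]})

if __name__ == "__main__":
    for addon_id, name, active, reasons in flag_addons(SAMPLE_EXTENSIONS_JSON):
        print("%s (%s) active=%s" % (name, addon_id, active))
        for reason in reasons:
            print("   -", reason)
```

Run it against a copy of the real extensions.json from the profile folder (read the file and pass its contents to `flag_addons`) rather than against the live profile while Firefox is running. The output is a shortlist for the manual check in the Add-Ons manager, not a verdict; an add-on from a third-party site can be perfectly legitimate, and one from addons.mozilla.org is not automatically safe.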
Userlevel 1
Ok guys,
I've managed to fix it. It's taken me most of yesterday, & all today, but most of that is waiting for scans...
It WAS the zombie Ad Scam and as posted it was in the YouTube Video Downloader addon.
I removed the said video downloader, ran one-click TuneUp Utilities, then continued to scan with WSA.
 
In amongst all that I seemed to have developed DNS lookup issues and had to reset my provider's DNS IPs again and restart the router several times before getting back online, not sure if the virus had anything to do with that either.
 
I'd already installed Malwarebytes yesterday, in my attempt to sort it.  But whilst I was scanning with WSA, Malwarebytes kicked in with an infected file detected warning, and that I should allow it to remove the infected file. I checked the path of the file, and it was in the system restore, so allowed it to proceed, then it proceeded to do a re-scan!! Being new to both programs I didn't immediately recognise the second scan as being a different prog, so let it continue.
Then slowly the penny dropped, it was two different progs and both had removed files from the system restore section, and I'm not sure yet whether they were both attempting to remove the same file. Did the proverbial restart, and Voila.
All seems to be working now....
 
Appreciate your input guys but I've been down most of the time since posting, but the posts on this site did alert me to the Zombie Ads Scam,  and I did notice the extra ads on Youtube, but at the time I just thought YT was going OTT on their advertising, trying to extract every penny from their viewers/advertisers.
 
Many thanks
Hope this helps someone else.
Userlevel 7
Hi GettinBetter
 
Nice one.  Well done...and thanks for posting back here with what you found.  It is very helpful to the Community re. potential future sufferers of the same or similar issues.  Much appreciated.
 
Regards
 
 
Baldrick
Userlevel 7
Glad you got it fixed up!
 
If you ever need any further help, you know where we are!
Userlevel 1
It's back!! Just noticed the redirects popping up again yesterday evening.
Ran scanners, started with WSA all night long, nothing seems to find it??
 
Ran the others in desperation.
 
Do I have to go through all that again? It's driving me nuts. It's now redirecting my home page as well. (Dogpile.com)
 
 
Userlevel 7
Badge +52
Hi GettinBetter
 
See this Knowledge Base article:
https:///t5/Webroot-SecureAnywhere-Antivirus/Virus-Removal-Options/ta-p/54074
 
Thank you
Best regards, Petr.
Userlevel 7
Badge +52
GettinBetter wrote:

"Do I have to go through all that again its driving me nuts. Its now redirecting my home page as well. (Dogpile.com)"
 
The Dogpile.com homepage got on your computer after you installed freeware software (video recording/streaming, download managers or PDF creators) that had this browser hijacker bundled into its installation.
You should always pay attention when installing software because often, a software installer includes optional installs, such as this Dogpile.com browser hijacker. Be very careful what you agree to install.
Always opt for the custom installation and deselect anything that is not familiar, especially optional software that you never wanted to download and install in the first place. It goes without saying that you should not install software that you don’t trust.
 
Thank you
Best regards, Petr.
 
 
Userlevel 1
Mm.. I'm very careful about that sort of thing, especially about unchecking the crap installs. & Dogpile IS my homepage, but it's getting directed to update Flash as well now !!
 
I'll follow the other link and have another go 😞
Userlevel 7
Hi GettinBetter
 
Sorry to hear about your continuing travails...sometimes these things do happen however careful one is...and it is not just freeware that is the culprit IMHO/experience.
 
Well, let us know if you require any further assistance and we will see what we can do to provide it.
 
Regards
 
 
Baldrick.
Userlevel 1
Thanks guys,
 
Spent yesterday afternoon, evening,  and night, till one in the morning scanning and searching the registry for clues.
Nothing was removed in the scans of any of the scanners.
 
Removed Java completely.....
Almost too scared to try FB G, or YT....
Home page has loaded so far..... but it seems whenever a warning from Firefox tells me it's stopped a redirect, then I know the chances are that the virus is still working in the background.
 
Did notice that using Shields Up, it reports ports 21, 23, & 80.
I expected 80 to be open but what of the others?
I do use FTP, but obviously only for the job its designed for, I don't leave it on. Same goes for telnet although I use it very rarely.
 
Doing a cmd tasklist, shows nothing to be using those two ports!!
 
So the ports are open supposedly at the router, but why doesn't the router keep them closed and is this really an issue?
Router is TP-Link 54M, Firmware:- 3.0.1 Build 100901 Rel.23594
 
What now?
 
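The post above asks what is listening on ports 21, 23 and 80 when `tasklist` shows nothing using them. `tasklist` only lists processes; the command that ties a listening port to a process ID on Windows (XP included) is `netstat -ano`, and the PID column can then be matched against `tasklist /FO CSV`. As an added illustration (not from the thread, Webroot or Microsoft), the script below parses constructed samples of both outputs, lists every local TCP listener with its owning process, and for each port Shields Up reported open says whether this PC has a listener on it at all. The sample output, process names and PIDs are invented for the example.

```python
import csv
import io
import re

# Ports the thread asks about: FTP, Telnet and HTTP.
PORTS_OF_INTEREST = {21, 23, 80}

# Constructed sample of `netstat -ano` output in Windows format; not captured
# from the poster's machine. Only port 80 has a local listener here.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       3376
  TCP    127.0.0.1:1034         0.0.0.0:0              LISTENING       1864
  TCP    192.168.1.5:1098       203.0.113.10:80        ESTABLISHED     2200
  UDP    0.0.0.0:500            *:*                                    712
"""

# Constructed sample of `tasklist /FO CSV` output.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","1012","Console","0","4,892 K"
"lsass.exe","712","Console","0","1,520 K"
"alg.exe","1864","Console","0","3,404 K"
"firefox.exe","2200","Console","0","98,212 K"
"httpd.exe","3376","Console","0","6,100 K"
"""

# One netstat row: proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def parse_netstat(text):
    """Return (proto, local_port, state, pid) for each connection row of `netstat -ano`."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # banner and header lines
        proto, local, _foreign, state, pid = m.groups()
        port = int(local.rsplit(":", 1)[1])  # rsplit also copes with [::]:80
        rows.append((proto, port, state or "", int(pid)))
    return rows


def listeners(netstat_text, tasklist_text):
    """Return {port: (pid, image)} for every TCP socket in LISTENING state."""
    procs = parse_tasklist(tasklist_text)
    result = {}
    for proto, port, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state == "LISTENING":
            result[port] = (pid, procs.get(pid, "?"))
    return result


def explain_shieldsup(reported_open, netstat_text, tasklist_text):
    """For each port an external scan reported open, say whether this host listens on it."""
    local = listeners(netstat_text, tasklist_text)
    verdict = {}
    for port in sorted(reported_open):
        if port in local:
            pid, image = local[port]
            verdict[port] = "local listener: %s (PID %d)" % (image, pid)
        else:
            verdict[port] = "no local listener; the reply came from the router or another device behind it"
    return verdict


if __name__ == "__main__":
    for port, (pid, image) in sorted(listeners(SAMPLE_NETSTAT, SAMPLE_TASKLIST).items()):
        print("TCP %5d  PID %-5d %s" % (port, pid, image))
    for port, text in explain_shieldsup(PORTS_OF_INTEREST, SAMPLE_NETSTAT, SAMPLE_TASKLIST).items():
        print("port %d: %s" % (port, text))
```

On the real machine, capture `netstat -ano > net.txt` and `tasklist /FO CSV > tasks.txt` from an Administrator command prompt and feed the file contents to `explain_shieldsup`. Shields Up probes the router's public address, so a port it reports open with no listener on the PC points at the router itself (remote management, port forwarding or a UPnP mapping) rather than at the PC; in the constructed sample only port 80 is answered by a local process.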
Userlevel 7
Badge +62
Hi GettinBetter, wish I could be of help for you. Will have to call in the big guns for this one. I'm sure someone here can address your issues...but after reading what was posted did you open a support ticket?
Userlevel 7
Hi GettinBetter
 
At this point I really think that you are best off submitting a Support Ticket and letting the professionals in the Support Team take a good hard look at your system.
 
Having said that I do not think that a warned Redirect from FF is necessarily an indication of a virus working in the background.  I use a Redirect addon in FF and get them often when the url that one has entered is set up to pass you over to another.  It is always worth being wary but in most cases I would say that these are innocent enough...but in your case it is worth checking, hence the recommendation that you open that ticket ASAP.
 
Thanks for keeping us posted...let us know how things go with Support.
 
Regards
 
 
Baldrick
Today at a banking website I was required to get a Flash update. Tried to update but Flash failed. Went to one ADOBE site tried but it still failed. Went to another ADOBE and reloaded the whole program. Now I can get into the bank site.
Userlevel 7
Hi jnto
 
Welcome to the Community Fora...
 
Have to say that I have never heard of that before (but then again I may have led a very sheltered life).  I am assuming that you have WSA installed and if so then I would run a manual scan just to make sure that all is well and you have not inadvertently downloaded something that you did not want or expect.
 
I usually only get the Flash updates from the site advising that I need it, i.e., the site I am visiting or from the main Adobe site...so it never hurts to check things out if the unexpected happens...and checks with WSA are so super fast one hasn't even the time to heat the water for a cup of tea before the scan is finished.
 
Hope to see you around?
 
Regards
 
 
Baldrick
Userlevel 7
Badge +56
Hello jnto and Welcome to the Webroot Community Forums! 


 
Yes there was a Flash update yesterday: https://community.webroot.com/t5/Security-Industry-News/Adobe-Flash-Player-12-0-0-77/td-p/88640 also it's a good section to look in for certain updates like Adobe, Java, Browsers & Microsoft.
 
Cheers,
 
TH  ;)
Userlevel 1
Ok, I found some nasty looking code in FF yesterday, so decided to delete the old profile and create a new one.
Seems to have done the trick for now........
I have my browser back and can access all pages so far.....
I used the about:config (as read here somewhere) and there was a nasty bit of code that was very large. I have backups of my profile so I'll submit it to support....
 
At least I can get some work done now; it's put me behind at least a week.
Thanks for your help guys. 😃
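The post above found the problem as a very large value in about:config. Those values are persisted as `user_pref("key", value);` lines in prefs.js (and user.js) inside the profile folder, so they can be audited offline from a profile backup like the one the poster kept. As an added example (not code from the thread or from Mozilla), the script below parses those lines and flags three things: oversized values, values containing fragments that never belong in a preference (such as `javascript:` or `eval(`), and homepage, search or proxy preferences that point at a host outside a trusted list. The watch-list of preference names, the size threshold and the sample lines are assumptions made for the example; the hijack host is invented (`.invalid`).

```python
import re
from urllib.parse import urlparse

# Matches one user_pref("key", value); line as Firefox writes it to prefs.js / user.js.
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')

# Preference keys a browser hijacker commonly rewrites. This watch-list is an
# assumption for the example, not something taken from the thread or from Mozilla.
WATCHED_KEY_PREFIXES = (
    "browser.startup.homepage",
    "browser.newtab.url",
    "keyword.URL",
    "browser.search.",
    "network.proxy.",
)
# Fragments that have no business inside a preference value.
SUSPICIOUS_TOKENS = ("javascript:", "data:", "eval(", "unescape(", "fromCharCode(")
# A legitimate homepage or search URL is far shorter than this; assumed threshold.
MAX_VALUE_LEN = 300


def parse_prefs(text):
    """Return {key: value} for every user_pref line; string values are unquoted."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            # Undo the two escapes Firefox emits inside string preferences.
            raw = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        prefs[key] = raw
    return prefs


def audit_prefs(text, trusted_hosts=("dogpile.com",)):
    """Return {key: [reasons]} for preferences that deserve a manual look."""
    findings = {}
    for key, value in parse_prefs(text).items():
        reasons = []
        if len(value) > MAX_VALUE_LEN:
            reasons.append("oversized value (%d chars)" % len(value))
        lowered = value.lower()
        for token in SUSPICIOUS_TOKENS:
            if token.lower() in lowered:
                reasons.append("contains %r" % token)
        if key.startswith(WATCHED_KEY_PREFIXES) and "://" in value:
            # Homepage preferences may hold several URLs separated by '|'.
            for url in value.split("|"):
                host = (urlparse(url.strip()).hostname or "").lower()
                if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
                    reasons.append("watched key points at untrusted host %r" % host)
        if reasons:
            findings[key] = reasons
    return findings


# Constructed sample profile lines (not copied from the poster's profile). The
# last entry imitates an injected, very large preference of the kind described.
SAMPLE_PREFS = "\n".join([
    'user_pref("browser.startup.homepage", "http://www.dogpile.com/");',
    'user_pref("browser.startup.page", 1);',
    'user_pref("extensions.lastAppVersion", "27.0.1");',
    'user_pref("browser.search.defaultenginename", "Google");',
    'user_pref("keyword.URL", "http://search.hijack-example.invalid/?q=");',
    'user_pref("extensions.videodl.cfg", "javascript:eval(unescape(\'%s\'))");'
    % ("%41" * 120),
])

if __name__ == "__main__":
    for key, reasons in sorted(audit_prefs(SAMPLE_PREFS).items()):
        print(key)
        for reason in reasons:
            print("   -", reason)
```

Point `audit_prefs` at the contents of prefs.js from the backed-up profile and pass the homepage you actually chose as `trusted_hosts`. In the constructed sample the Dogpile homepage is left alone, the rewritten `keyword.URL` is reported for pointing at an unknown host, and the injected preference is reported both for its size and for the script fragments it carries.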
Userlevel 7
Hi GettinBetter
 
Anytime...here to help if we can but it seems as if you sorted it out with some fancy footwork of your own...so well done.
 
Regards
 
 
Baldrick
Userlevel 1
Nope:(   it came back.....
Removed a file called "esetolmarikolmascocleaner.sys". According to Norton Power Eraser it was reported as dodgy, so I searched it, and ESET were reporting it as well.....made a big difference but something still not quite right... :(
In contact with support...
Userlevel 7
Well, GettinBetter
 
That is really funny because if you Google the file name I find that it is produced by "ESET, spol. s r.o.  (signed and verified)".
 
So it looks like a left over from an ESET installation....which is puzzling to say the least.  PM for the link that I am getting the information as I would prefer not to go off topic in the Community.
 
Regards
 
 
Baldrick