The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    IMGUR on Firefox redirecting to virus infection warning.

    Discussion in 'Security and Anti-Virus Software' started by Tinderbox (UK), Feb 23, 2016.

  1. Tinderbox (UK)

    Tinderbox (UK) BAKED BEAN KING

    Reputations:
    4,745
    Messages:
    8,513
    Likes Received:
    3,823
    Trophy Points:
    431
    Hi.

    I have been using Pale Moon, a Firefox copy, but today I re-installed the latest Firefox and installed Ublock.

    But when I go to IMGUR, within 15 seconds I am re-directed to a fake web infecting warning, asking for money.

    IMGUR works fine on Pale Moon; my newly installed Firefox is having the problem.

    I have done a full scan with Malwarebytes and SUPERAntiSpyware and all is clean. I have CCleaner and cleaned the browser cache, but I still get the virus re-direct on IMGUR.

    So does anybody know what is happening?

    thanks

    John.
     
    hmscott likes this.
  2. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,110
    Messages:
    20,384
    Likes Received:
    25,139
    Trophy Points:
    931
    Not happening here. New FF, imgur as usual from Reddit mostly, using uBlock Origin, and a bunch of other add-ons, testing Trend Micro Maximum Security.

    One weird thing just happened though...

    I was saving a photo from imgur, and tried to switch to another folder within my saved area on the local disk, and Trend Micro killed FF saying it tried to do something bad... I thought it was a folder access issue, so I overrode it and restarted FF and saved ok.

    Maybe I should do a scan... :confused:

    Running FF 44.0.2
     
    Tinderbox (UK) likes this.
  3. Tinderbox (UK)

    hmscott likes this.
  4. hmscott

    It looks like an adware infection, you should look into removal tools. I use Norton Security - now TrendMicro / Spybot immunization / Spywareblaster immunization, and check *all* the boxes for uBlock lists, and haven't had an infection for so long I don't know what to suggest, except for what I run on occasion for rootkit and malware scans:

    Norton Power Eraser, free to use:
    Eliminates deeply embedded and difficult to remove crimeware that traditional virus scanning doesn't always detect.
    https://security.symantec.com/nbrt/npe.aspx

    Malwarebytes, free + free trial for full product:
    Download free version, then during/after install select Pro trial
    https://www.malwarebytes.org/mwb-download/

    Please let us know how it works out :)
     
    Tinderbox (UK) likes this.
  5. Tinderbox (UK)

    I am 27 mins into a full free Malwarebytes scan, 0 results so far. I did a full scan using Avast, 0 problems.

    I will try the free virus scanner you have linked.

    Thanks

    John.
     
    hmscott likes this.
  6. hmscott

    Here is a more specific treatment, and although the image is different in the malware, the text is similar / the same.

    Beware that searching found a number of questionable sites first, so be careful.

    The site has links to step-by-steps, including the first one, which may be enough on its own; I recall using it in the past: AdwCleaner.

    Toolslib, author of AdwCleaner - download
    https://toolslib.net/downloads/finish/1/

    Remove “Windows Firewall Warning” virus (Support Scam)
    https://malwaretips.com/blogs/remove-windows-firewall-warning-scam/

    How to remove Windows Firewall Warning pop-up ads (Virus Removal Guide)

    "This page is a comprehensive guide, which will remove “Windows Firewall Warning” virus from your computer and any other adware program that may have been installed during the setup process.
    Please perform all the steps in the correct order. If you have any questions or doubt at any point, STOP and ask for our assistance.
    STEP 1: Remove Windows Firewall Warning adware with AdwCleaner
    STEP 2: Remove Windows Firewall Warning browser hijacker from Junkware Removal Tool
    STEP 3: Remove Windows Firewall Warning pop-up virus with Malwarebytes Anti-Malware Free
    STEP 4: Double-check for the “Windows Firewall Warning” malware with HitmanPro
    (Optional) STEP 5: Remove Windows Firewall Warning pop-up ads from Internet Explorer, Firefox and Google Chrome "

    Here is the google search I used:
    https://www.google.com/search?num=5...tI7LAhUP-mMKHWfwBLwQvwUIGigA&biw=1120&bih=530
     
    Tinderbox (UK) likes this.
  7. Tinderbox (UK)

    I have been using AdwCleaner for months. I ran it this morning and it found a directory "C:\Users\John\AppData\Local\Temp\ext". I cleaned it and rebooted my notebook. I used it yesterday and it found the same directory, so did it not remove it?

    John.

    EDIT: the "C:\Users\John\AppData\Local\Temp\ext" directory contained 5 dll files, I uploaded them all to VirusTotal, and they are all clean.
     
    hmscott likes this.
  8. hmscott

    That could be it, something / somewhere you are going to is re-infecting you.

    If you haven't downloaded adwcleaner updates for a while, try that, maybe a new version cleans up the whole infection better.
     
    Tinderbox (UK) likes this.
  9. hmscott

    Shouldn't CCleaner have cleaned that out of Temp anyway? Maybe run it again and see if it goes. If not, something is running from there and keeping those DLLs open, locking those files from deletion. It might be a good idea to figure out what is using them.

    If they are in use, AdwCleaner may not have been able to actually clear them, and that's why they showed back up again.

    Try renaming the folder, or file names, or whatever trick you can muster to delete that directory of DLLs.

    Just because they scanned clean doesn't mean that as a whole + something else, that they aren't doing something nasty :)
     
    Last edited: Feb 23, 2016
    Tinderbox (UK) likes this.
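One way to answer the "what is using them" question from the post above, as an added example that is not part of the original thread. The function name `Get-ModuleHolder` is hypothetical, and the directory is the one named in the thread, written with `$env:LOCALAPPDATA` (an assumption that it is the same user's profile).

```powershell
# Added example: list every process that has a module loaded from a given
# directory. A loaded DLL is locked, which is why a cleaner reports success
# but the files are still there on the next scan.
# Run from an elevated prompt so other users' processes are visible.
function Get-ModuleHolder {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Directory
    )
    # Normalise to "C:\...\ext\" so a sibling such as "...\ext2" does not match.
    $prefix = [IO.Path]::GetFullPath($Directory).TrimEnd('\') + '\'

    foreach ($proc in Get-Process) {
        try {
            $mods = $proc.Modules   # may throw or be empty for protected/exited processes
        } catch {
            continue
        }
        foreach ($m in $mods) {
            if ($m.FileName -and
                $m.FileName.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
                # Signature and hash give something to compare against the
                # vendor's published files, beyond a single AV verdict.
                $sig = Get-AuthenticodeSignature -LiteralPath $m.FileName
                [pscustomobject]@{
                    ProcessName = $proc.ProcessName
                    Id          = $proc.Id
                    ProcessPath = $proc.Path
                    Module      = $m.FileName
                    Signature   = $sig.Status
                    Signer      = $sig.SignerCertificate.Subject
                    SHA256      = (Get-FileHash -LiteralPath $m.FileName -Algorithm SHA256).Hash
                }
            }
        }
    }
}

# Directory from the thread, expressed relative to the current user's profile.
Get-ModuleHolder -Directory "$env:LOCALAPPDATA\Temp\ext" | Format-List
```

No output means no running process currently has a module loaded from that directory; the owning program may instead recreate the folder each time it starts.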
  10. Tinderbox (UK)

    AdwCleaner says it has deleted "C:\Users\John\AppData\Local\Temp\ext" but the directory and files are still there, and AdwCleaner finds it again on the next scan. The files in the directory are:

    php_curl.dll
    php_mbstring.dll
    php_mysql.dll
    php_openssl.dll
    php_sockets.dll

    John.
     
    hmscott likes this.
  11. Tinderbox (UK)

    I don't see any real infection.

    Thanks

    John.
     
    Last edited: Feb 23, 2016
    hmscott likes this.
  12. hmscott

    [Attached screenshot: try blocking this dot com site.JPG]

    Try blocking this .com site... it looks like the source of the warning.

    Maybe increase the number of lists you have selected in the ublock dashboard, and before starting firefox run Spybot + Spywareblaster, update both to the latest lists and then immunize to block those malware sites.

    And, change your DNS to a good known one, from the default you get from your ISP. Easy to remember is Google's DNS servers, 8.8.8.8 and 8.8.4.4, manually setting the Ethernet/Wifi interfaces primary and secondary DNS. You can also set your router primary/secondary DNS.

    But, that hostname is coming from somewhere... if it's only happening with imgur, something is redirecting you first to the malware hostname.
     
    Last edited: Feb 23, 2016
  13. hmscott

    Interesting, I wonder if it's part of imgur itself. Here are some complaints from people on PC and mobile getting redirected to ads, and some complain about the same one you are seeing:

    I’m getting horrible “pop-up” ads while using the mobile website… what is going on?
    https://community.imgur.com/t/im-ge...ing-the-mobile-website-what-is-going-on/13903

    "I don't think I've ever gotten these types of ads while on the computer, but I can't remember because I mostly browse Imgur on mobile (while commuting, etc). For a long time I got these ads, then they seemed to stop, and now I seem to be getting them again. And they are VERY frequent. Usually some ******** ad for some ******** app, and it will actually take me to the google play store. Or, sometimes it is one of those "YOUR DEVICE IS INFECTED WITH VIRUSES!!" ads.

    And this ONLY happens while I am browsing imgur, no other website. Will switching to the mobile app help? And just in general, why is imgur's mobile site getting all these early-2000's-era type pop-up ads?"

    Coppermantis, Emperor of Mick Foley
    Sep '15
    (reply to goldenretrievers)
    I've been getting them too on my PC, using Google Chrome. Again, no other websites do this. They seem to occur pretty much immediately after I load a new image, but sometimes can occur if I switch to another tab for a while and just leave imgur sitting there.

    At least they are listening:

    yrannoSARAusrex, Rawrrr I'm a Dinosaur - Support
    Nov '15
    (reply to dubbelu)
    Thanks for the information! These type of ads are not allowed, but advertisers sometimes 'forget' our rules during the holiday season. To help us better locate the source would you mind sending over your location (state and/or country)? Were you connected to your mobile data or wifi at the time you saw the bad ad? Additionally, how many images were you able to view before the bad ad appeared? We can use this information to find the bad ad and squash it.

    goldenretrievers, *woof* I'm Imgur Staff!
    Dec '15
    (reply to slavoj)
    Thanks for the reports! I've forwarded these to the team to block these bad ads & prevent these domains from getting though again.

    Maybe report what you are seeing to them, and check more posts on the imgur site to find a more specific desktop browser based complaint topic.
     
    Last edited: Feb 23, 2016
  14. tijo

    tijo Sacred Blame

    Reputations:
    7,588
    Messages:
    10,023
    Likes Received:
    1,077
    Trophy Points:
    581
    Malvertising could be the reason you're getting those. It could be something coming from an ad network where a malicious ad was pushed and made it past the ad network's filters, etc.

    Malwarebytes has a rather high number of examples of malvertising: https://blog.malwarebytes.org/category/malvertising-2/
     
    Primes and hmscott like this.
  15. Tinderbox (UK)

    I just did a clean install of Win10 so I just have the bare bones at the moment. I will have a look at IMGUR and see what happens.

    John.
     
    hmscott likes this.
  16. hmscott

    It makes it hard to hate these guys, when they seem like pretty hoopy froods...

    http://imgur.com/gallery/MAphI

    (did you get an ad when viewing it?)

    Not sure what the option is that lets my uBlock Origin block imgur ads - I don't see any, but I do recall the AdblockPlus option to disable - "allow some non intrusive advertising", and here is a thread about that:

    imgur [ad on the bottom]
    https://adblockplus.org/forum/viewtopic.php?t=29549

    Not sure if this will cover the redirect ads...

    uBlock Origin info
    [Attached screenshots: ublock settings.JPG, ublock lists #1.JPG, ublock lists #2.JPG, ublock lists #3.JPG]

    The count of used hosts for each list shows unique entries - some lists show 0 used, and those could be unchecked, but someday they might have a unique entry or two, so I keep them checked.

    When you purge the caches and download again, the counts will change for each list that has changed since the last cache download.
     
    Last edited by a moderator: Feb 23, 2016
  17. Primes

    Primes Notebook Deity

    Reputations:
    919
    Messages:
    1,736
    Likes Received:
    718
    Trophy Points:
    131
    It could be some malware / redirect being pushed through flash. I have flash disabled, clicked on your link and it loaded imgur no problem but I was being prompted to let flash load on imgur.
     
    hmscott likes this.
  18. Tinderbox (UK)

    Everything seems OK since I did a new clean install of Win10.

    I tried your link but everything seems normal, though sometimes malware can take a while to show.

    John.

     
    hmscott likes this.
  19. Tinderbox (UK)

    Flash is a pain, but so much still uses it.

    John.