firefox/opera problem- randomly 'redirecting' me

[TBABill]

I have not been able to find a solution through searching online, but this appears to be a problem others have reported in Windows, Mac and Linux, mostly via Firefox. I did find there was a flash plugin for Firefox that was not actually Adobe Flash. It was a spoof that caused redirect problems and such. I would suggest uninstalling Firefox and reinstalling it fresh without any addons - and do so via the repository. Perhaps a clean install will help if the problem is within Firefox itself.

If Opera uses Firefox settings that may be why they both act in a similar fashion, but I am uncertain whether it does or not. Sorry I can't help more, but not a lot of information is available regarding the "I am alive" redirect that I could find quickly.

[TBABill]

EDIT: The informaiton below was related to MS Word documents, not browsers, but the action sounds very similar with the "I am alive" action. I have not found any link to a web-enabled version of this via browser (checked Symantec, Mcafee and TrendMicro), but it sounds as though it could be an enhanced variant (but that's just opinion)...END EDIT

This information is directly from the SYMANTEC website.
If you have this problem then your browser/machine is likely infected. This is a macro-based virus and, according to the website, only affected Windows machines running MS Word, but it appears to be the same or similar based on the explanations of the OP. Possibly this is a copy/derivative of the original? I am not sure, but here's what I was able to find on it. Perhaps a more in-depth search through the other anti-virus sites would provide further answers or newer information.

Discovered: July 23, 1996
Updated: February 13, 2007 11:53:42 AM
Also Known As: Polite, Macro.Word.Polite [AVP], WM/Polite [NAI], WM_POLITE [Trend], WM/Polite [Sophos]
Type: Macro
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP


WM.Polite consists of two macros.
The first macro is triggered as files are closed. This macro will infect the global template, Normal.dot, unless it already contains the macro module "FileClose." Before it infects Normal.dot, it displays this message:
I am alive!
The second macro module is executed as files are saved. This module infects the active document. Before attempting to infect the document, it displays this message:
Shall I infect the file ?
If you click No, the file will not be infected. Otherwise, this virus will copy itself into the active document.
Recommendations


Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
• Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
• Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
• Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
• If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
• If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
• For further information on the terms used in this document, please refer to the Security Response glossary.

Writeup By: Neal Hindocha

[TBABill]

Ok, third post in a row on this one. I have tunnel vision for problems like the OP posted. I focused on "I am alive" and I think that made the search ineffective online. However, if you do a search for Google redirect virus you will see many postings. What I cannot find is anything that points directly to Linux distributions yet. However, it seems to span across operating systems and the key links are Opera and Firefox. I have to get back to work but hopefully someone can continue the search to see if the Linux versions of Opera and Firefox are actually susceptible, and how they are susceptible, to the virus if that's found to be the cause.

It looked like people on Windows who were infected had a great deal of difficulty eliminating all traces of it so hopefully it is not a similar problem on Linux machines. It shouldn't be since we have a very different security configuration than Windows, but maybe something happened on some machines while operating as root?

Any follow-on help figuring this one out could be huge. It appears many of those were infected through Facebook and MySpace.

[J V]

Oh for the millionth time, *there are no linux virusses in the wild*

If it is malware its a firefox exploit, one which is probably unfixable seeing as its been around so long- And its probably because the site you are looking at (As mentioned before, also, probably running on windows) has been hacked...

[TBABill]

Sorry, I did not intend to imply that anyone on a Linux distro may have a virus. I was pointing out that there are viruses in the Windows world that this problem seems to mimic in some ways (most likely just malware). However, spyware/malware/virus are all concerning and the OP was looking for assistance finding and clearing the problem. I found what I could with my skills, time and focus, but there is obviously a minor infection of some sort that is still outstanding and any assistance pointing to an exact cause and remedy are appreciated. My machine is not suffering from these problems, but I hope the OP finds a solution and will share with everyone for future reference and searches of the forum.

[twinaxel]

Some more info http://www.bleepingcomputer.com/foru...p/t268735.html

[aaamos]

It's nearly a year since my last post, and I came across this thread again by chance while searching for something else. Since I haven't encountered this problem for ages, I wondered what may have "fixed" the issue (or at least made it disappear). Reading, through some of the other posts, I remembered that I'd got a new router ages ago, which makes me wonder whether it could've been a sort of "virus" in my router. Was anyone else who encountered this problem using a D-Link router?

[Helkaluin]

Should've been some old exploit (possibly on the router, possible a trojan on the Windows machines in the network) that carries out a DNS spoof attack.

[krisgesling]

So it turns out my compty was just toying with me, making me think that it was fixed and the problem has returned.

<PERHAPS NOT>
Hey I just had this problem and fixed it by defining the DNS servers on my router rather than letting it automatically detect them.

Strange thing is I've been using the same modem (D-Link DSL-G604T) with the same ISP for ages but I updated the firmware yesterday so it must be a bug in that I guess. Either way its all working fine now.
</PERHAPS NOT>

[krisgesling]

It might be related to my proxy settings which I have set up for uni.

The problem stopped immediately when I changed firefox to use no proxy but when switching it back didn't start happening again so maybe its completely unrelated and just another red herring

Pretty frustrating