[Completed] Identify, locate, eliminate and prevent malware on several devices. - XDA Assist

Hey guys!
This is my first post here, and I come with a problem that affects 2/3 Android devices and possibly one desktop PC (Windows).
The problem:
I have malware on my devices and said malware redirects my current page to a Russian advertising one. Most of the time I'm redirected to one that activates the vibration, knows the device I'm currently using and says that I should run a virus scan with AVG.
If I hit return, the page just reloads; if I hit it enough times, I lose the page I was visiting as if I hadn't visited it in the first place.
Here
Code:
imgur.com/a/5dvVR
are some of the URLs I'm redirected to. Sometimes I happen to suffer the problem on the last page, where an ad sits in the middle of the page I'm visiting and if I close it, another tab opens and leads me to the addresses above.
Symptoms:
This problem happens with Google Chrome, Mozilla Firefox and the built-in browser of "Reddit is fun".
This problem happens with and without a WiFi connection. It is more common to happen while on WiFi vs on mobile.
Sites like knowyourmeme.com, foxtrotalfa.jalopnik.com and albums on imgur.com can trigger the malware.
Devices:
Definitively affected:
LG G2 D-802, Android 4.4.2
Galaxy Tab S 10.5" SM-T800, Android 5.0.2
Probably affected but not 100% proven:
Huawei Y600 (another carrier, but the problem happened on my GF's WiFi, rarely on mobile), work phone
A desktop PC (the ad blocking the page happened just once)
Networks
This desktop PC is my GF's. It's her WiFi signal that I usually connect to and update the apps on my devices. In my house's WiFi the problem seems to happen as well on my devices but not on my desktop PC (or perhaps it does, but I have uBlock Origin on my browsers).
However, I can trigger this problem on my G2's carrier Movistar and not on the Huawei's carrier Telcel.
Working on the problem:
Disabling scripts
The very first thing I did was to test disabling scripts (as suggested by a page I found on Google). It did work, to some extent. However, I knew that this wasn't a solution but a workaround.
Suspicious APPs
I know that apps are the main entrance for malware and since the problem DID happen on both devices (G2 and Galaxy Tab) it HAD to be a common app, so I made a list of common apps and started with the less trustworthy ones.
I uninstalled and tested Advice animal creator, BS player free, zooper pro, Days counter widget, Disk Usage, electrodroid, ****ing weather, Google tasks organizer lite, GPS test, meme generator, system info for android, reddit is fun, add watermark and Think.
Keep in mind that these apps fit the criteria of being present on both the phone and the tablet and being suspicious to me (a very ambiguous term); however, I'm not stating that any of these have malware on them.
Sadly, after uninstalling and testing on the phone, the problem persisted.
G2's Factory restoration (Through options menu, not recovery menu)
After going through a factory restoration on the phone, the problem persisted. The only things I had installed were Reddit is fun, Facebook and WhatsApp.
My request to you guys:
After all of this wall of text (in which I show the symptoms, what I've done, etc.), here comes my request.
Can you guys point me in the right direction?
I just don't want to wipe my devices without knowing what the problem is, how to eliminate it and, MOST IMPORTANTLY, how to prevent it.
What I want to rule out is whether the problem comes from my GF's network (if that is the case, a factory-through-recovery restoration would be useless), an app or just random malvertising.
I would hate to wipe my cellphone and tablet every time I run into this problem; that is not practical for me, I prefer a head-on approach.
Thanks in advance guys!

Hi!
First, here is a little info on avoiding malware: http://forum.xda-developers.com/general/general/guide-simple-steps-to-avoid-installing-t3000682
And another: http://forum.xda-developers.com/nexus-6/general/guide-little-guide-to-security-privacy-t3042460
As far as malware you already have... there are malware removal tools on the Play Store, many of them to try.
And if all else fails, here are the device sections for the mobile devices you have... you could ask for help in the Q&A sections:
http://forum.xda-developers.com/lg-g2
http://forum.xda-developers.com/galaxy-tab-s
Now, if you want to ask about all in one, and the PC... you could try asking for help here: http://forum.xda-developers.com/android/help
Good luck!

Darth said:
Hi!
First, here is a little info on avoiding malware: http://forum.xda-developers.com/general/general/guide-simple-steps-to-avoid-installing-t3000682
And another: http://forum.xda-developers.com/nexus-6/general/guide-little-guide-to-security-privacy-t3042460
As far as malware you already have... there are malware removal tools on the Play Store, many of them to try.
And if all else fails, here are the device sections for the mobile devices you have... you could ask for help in the Q&A sections:
http://forum.xda-developers.com/lg-g2
http://forum.xda-developers.com/galaxy-tab-s
Now, if you want to ask about all in one, and the PC... you could try asking for help here: http://forum.xda-developers.com/android/help
Good luck!
Thanks Darth!
But as I said, I tried several apps and didn't find anything wrong.
However, I switched my focus to the possibility of a router infection, and oh surprise, it seems to be the root cause.
Here are some links that report being redirected on several devices to ad pages (I use code since I can't post links with a new account), in this case adsmatte.com:
Code:
http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/how-to-get-rid-of-adsmattecom-adware-opening/06b20667-586a-4ebd-9876-6d28c8528a1f?page=1
https://discussions.apple.com/thread/7052365
http://forums.androidcentral.com/moto-g-2014/528571-adware-redirects-most-websites-how-can-i-get-rid.html
http://www.asus.com/zentalk/forum.php?mod=viewthread&tid=8189&extra=&page=1
Then I tried searching for the page I get redirected to, somethingsomething.epara.ru, so I searched for that last common part, epara.ru (I thought I had done this before):
Code:
http://forum.kaspersky.com/index.php?showtopic=334600
https://warosu.org/g/thread/S50749199
http://www.xataka.com/respuestas/malware-adware-en-todos-mis-dispositivos (SPANISH)
What is VERY suspicious is that many of the results suggest downloading "Spy hunter".
Here are some examples:
Code:
http://solvepcproblem.com/remove-359198-epara-ru/
http://removevirusvideo.com/stop-epara-ru-from-redirecting-epara-ru-removal-tips/
Now, how do you solve it?
Simple:
Disconnect from any WiFi, clear your browser's cache (and even your OS's). CCleaner does a pretty good job of this.
Then go to your suspicious router and factory reset it (or ask your ISP to do that remotely) and update its firmware. After all those steps, you can connect again.
What the malware does is change your DNS to a malicious one.
I haven't done that reset to my GF's router, but that should solve the problem.
Thanks for everything, and I hope this works for somebody else!
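As an added defensive check (example code, not from the original post), the Python script below implements the router-DNS angle described above: it pulls the resolver addresses out of `ipconfig /all` output on Windows or `getprop` output on older Android builds and flags any resolver that is neither the router's own LAN address nor a resolver you trust. The sample outputs, the 203.0.113.45 address, the 192.168.1.0/24 LAN and the trusted-resolver list are constructed placeholders; adjust them to your own network.

```python
import ipaddress
import re

# Resolvers you expect your devices to use. Constructed example: adjust to
# your ISP's resolvers or the public resolvers you chose yourself.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}
# The LAN your router serves. A hijacked router usually still hands out its
# own LAN address as gateway but points DNS at an outside host.
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")


def parse_ipconfig_dns(text):
    """Extract DNS server addresses from Windows `ipconfig /all` output.

    The first server sits on the 'DNS Servers . . . : x.x.x.x' line; any
    further servers follow on indented lines with no field label, until the
    next labelled field (which contains ' : ') or a blank line."""
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        header = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if header:
            servers.append(header.group(1))
            in_dns_block = True
            continue
        if in_dns_block:
            if line.strip() and line[0].isspace() and " : " not in line:
                servers.append(line.strip())  # unlabelled continuation line
            else:
                in_dns_block = False
    return servers


def parse_getprop_dns(text):
    """Extract resolvers from `getprop` output on older Android builds.
    Assumption: the device still exposes net.dns1/net.dns2 properties, as
    Android 4.x did; newer releases no longer publish them."""
    return re.findall(r"\[net\.dns\d\]:\s*\[([^\]]+)\]", text)


def classify_resolvers(servers, trusted=TRUSTED_RESOLVERS, lan=LAN_NETWORK):
    """Sort resolvers into trusted, LAN (the router itself) and unexpected.
    An 'unexpected' entry handed out by the router is the hijack indicator."""
    report = {"trusted": [], "lan": [], "unexpected": []}
    for server in servers:
        try:
            addr = ipaddress.ip_address(server.split("%")[0])  # drop IPv6 zone id
        except ValueError:
            report["unexpected"].append(server)
            continue
        if server in trusted:
            report["trusted"].append(server)
        elif addr in lan or addr.is_link_local:
            report["lan"].append(server)
        else:
            report["unexpected"].append(server)
    return report


# Constructed sample: a Windows adapter whose primary resolver has been
# replaced by an outside address (203.0.113.45 is from a documentation range).
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : lan
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.45
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed sample of the same situation as seen from an Android 4.x shell.
SAMPLE_GETPROP = """\
[net.dns1]: [203.0.113.45]
[net.dns2]: [192.168.1.1]
[net.hostname]: [android-example]
"""


def audit(text, parser):
    """Parse one device's output and return its classification report."""
    return classify_resolvers(parser(text))


if __name__ == "__main__":
    for name, text, parser in (("windows", SAMPLE_IPCONFIG, parse_ipconfig_dns),
                               ("android", SAMPLE_GETPROP, parse_getprop_dns)):
        report = audit(text, parser)
        status = "SUSPECT" if report["unexpected"] else "ok"
        print(f"{name}: {status} {report}")
```

Run it against the real output of `ipconfig /all` (or `adb shell getprop`) from each affected device; if every device on the suspect WiFi reports the same outside resolver while devices on mobile data do not, the router, not the apps, is the thing to reset.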

Glad you got it sorted. If you want to find further help on anything, use the links I suggested... And if you want to post info to help others, you could post here, http://forum.xda-developers.com/general/general
I'll close this thread now.
:good:

Related

[Q] Possible malware aMusic201011_3.apk

I just upgraded to Titanium Backup Pro and after exiting the program my browser pops up with this page advertising HotMusic for Android with a sexy female photo. I exit the browser, and immediately my phone starts downloading the above app. I then get the message that the HotMusic application was stopped from loading as it wasn't from the Android Market. I checked ASTRO File Manager and under downloads I find aMusic201011_3.apk sitting there (with the female thumbnail photo), so I delete it, and run a Lookout malware scan. I've searched online as well as on the boards and don't find any mention of this application or the site. My questions are: is this malware, and has anyone else had this problem? Also, if I update to a different ROM, will I still have the protection against some unwanted software being able to sideload onto my phone?
Thanks
tahoeflyer said:
I just upgraded to Titanium Backup Pro and after exiting the program my browser pops up with this page advertising HotMusic for Android with a sexy female photo. I exit the browser, and immediately my phone starts downloading the above app. I then get the message that the HotMusic application was stopped from loading as it wasn't from the Android Market. I checked ASTRO File Manager and under downloads I find aMusic201011_3.apk sitting there (with the female thumbnail photo), so I delete it, and run a Lookout malware scan. I've searched online as well as on the boards and don't find any mention of this application or the site. My questions are: is this malware, and has anyone else had this problem? Also, if I update to a different ROM, will I still have the protection against some unwanted software being able to sideload onto my phone?
Thanks
I don't have Titanium Pro, but are there ads in it? Possible you clicked one?
In my experience with computers (i.e. people using IE calling me to fix their malware), these sorts of things often intentionally don't manifest themselves until a bit after their initial infestation... My guess is so it's harder to determine where they came from.
What other programs have you installed recently? Honestly I still am not that quick to believe that there is malware going on, rather some accidental click or selection, but...
I'm surprised as well, but have come across hijacked respectable websites in the past, so I feel anything is possible. I did not have the browser open when the event took place, nor was it running in the background. I find it hard to believe that the developers of the Titanium package intentionally placed this package on it.
Is this possibly a new malware package or vulnerability exploit of the Android system (or am I just the lucky one)?
Do you still have the "aMusic201011_3.apk" which was downloaded? Might make it easier to figure out.
khaytsus said:
I don't have Titanium Pro, but are there ads in it? Possible you clicked one?
In my experience with computers (i.e. people using IE calling me to fix their malware), these sorts of things often intentionally don't manifest themselves until a bit after their initial infestation... My guess is so it's harder to determine where they came from.
What other programs have you installed recently? Honestly I still am not that quick to believe that there is malware going on, rather some accidental click or selection, but...
Joel doesn't include ads in his app. It's all ad-free and purely run off donations, which I'm sure he receives a lot of.
But I agree with you that OP probably mis-tapped something and that's what caused all this.
Thanks, maybe it was a faulty thumb
Thank you for your responses. It's possible that my thumb hit an ad, it happened very quickly after paying for the pro/premium version. My first inclination was to stop the browser, and then delete the program, so unfortunately I did not keep a copy.
There has not been any further problems with the phone, so consider this post finished. Thanks

Some kind of chrome malware -how to remove?

Hey there,
my office computer got infected with some sort of adware evil thing.
Once or twice a day, when browsing to a website (no matter which) I get an iframe with an overlay saying "Sponsored by [URL I'm browsing to]" and then it redirects me to some kind of full-page ad for some sort of naughty online gaming (I forgot the name, but next time it happens I'll update here).
Anyway, this is the iframe HTML:
HTML:
<div class="asgds_content"><div class="asgds_header"><button class="asgds_close">x</button><h4 class="asgds_title">Sponsored by google.com </h4></div><div class="asgds_body"><iframe src="https://extsgo.com/view/teasers?id=191753" style="height: 873px; width: 100%;"></iframe></div><div class="asgds_footer"><button class="asgds_close_text">Close</button></div></div>
Searching Google for extsgo.com/view/teasers gives me nothing...
Using Chrome 53.0.2785.143 m on Windows 8.1.
Who can help me with removing this stupid thing?
Thanks a lot.
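As an added detection example (not code from the thread or from any of the extensions named in it), the Python below shows how a defender can spot this kind of injected overlay in a saved copy of a page: it walks the HTML, records every iframe whose source host is neither the page's own host nor an allowed embed host, and reports the class names of the elements wrapping it (the `asgds_` family above) so the same pattern can be searched for in other captures. The sample page is the overlay markup from the post embedded in a constructed page with one benign embed; `google.com` as the page host and `www.google.com` as the one allowed embed host are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that never have a closing tag, so they must not stay on the stack.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "source", "track", "wbr"}


class InjectedFrameFinder(HTMLParser):
    """Collect iframes that load content from hosts the page is not expected
    to embed, together with the class names of every enclosing element."""

    def __init__(self, page_host, allowed_hosts=()):
        super().__init__()
        self.allowed_hosts = set(allowed_hosts) | {page_host}
        self._stack = []      # (tag, classes) for the currently open elements
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        classes = tuple((attrs.get("class") or "").split())
        if tag == "iframe":
            src = attrs.get("src") or ""
            host = urlparse(src).hostname or ""
            if host and host not in self.allowed_hosts:
                self.findings.append({
                    "host": host,
                    "src": src,
                    "wrapper_classes": [c for _, cs in self._stack for c in cs],
                })
        if tag not in VOID_ELEMENTS:
            self._stack.append((tag, classes))

    def handle_endtag(self, tag):
        # Pop back to the most recent matching open tag (tolerates sloppy HTML).
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break


def find_injected_frames(html, page_host, allowed_hosts=()):
    """Return one finding per iframe that points at an unexpected host."""
    parser = InjectedFrameFinder(page_host, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


def common_prefix(class_names):
    """Return the shared 'family_' prefix of the wrapper classes, if there is
    exactly one; that string is what to grep other page captures for."""
    prefixes = {c.split("_", 1)[0] + "_" for c in class_names if "_" in c}
    return prefixes.pop() if len(prefixes) == 1 else ""


# Constructed sample page: the overlay markup posted in the thread, plus one
# legitimate embed from the site's own subdomain that must not be flagged.
SAMPLE_PAGE = """
<html><body>
<p>Article text</p>
<iframe src="https://www.google.com/maps/embed?pb=example" width="400"></iframe>
<div class="asgds_content"><div class="asgds_header"><button class="asgds_close">x</button><h4 class="asgds_title">Sponsored by google.com </h4></div><div class="asgds_body"><iframe src="https://extsgo.com/view/teasers?id=191753" style="height: 873px; width: 100%;"></iframe></div><div class="asgds_footer"><button class="asgds_close_text">Close</button></div></div>
</body></html>
"""


if __name__ == "__main__":
    for finding in find_injected_frames(SAMPLE_PAGE, "google.com", ("www.google.com",)):
        print(f"unexpected iframe host {finding['host']} "
              f"inside {finding['wrapper_classes']} "
              f"(family prefix: {common_prefix(finding['wrapper_classes'])!r})")
```

Feed it the page source as the browser actually rendered it (Chrome's "Save as, Webpage complete" or the DevTools Elements panel copied out), not the source fetched with curl: an extension injects into the live DOM, so the clean server response will never contain the overlay. If the same out-of-origin iframe shows up on unrelated sites in one browser profile and not in another, the profile's extensions are the place to look.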
Full Screen Flash might be the culprit?
I've had the same problem. I noticed when I uninstalled Full Screen Flash that it redirected me to extsgo.com as well... given some of the reviews intermittently complaining of advertising redirects, I think it's a distinctly possible culprit. Do you have that extension installed?
For what it's worth, this happened on both my home and work machines and Chrome is the only thing really shared between them. Home has MalwareBytes and McAfee, work has Trend Micro. No malware hits on either end, so I'm quite certain that some Chrome extension or another is responsible.
I had Full Screen Flash; I shut it off and it solved the problem.
Well,
it must be something else, since I never heard about this Chrome extension...
Would appreciate more ideas about this issue.
Thanks
Hey,
I think I got the name of this adware, it's called adnow. Any reliable removal tool / guide?
Thanks
Me too
I have managed to end up with this thing too. I've seen it injected into both a site I'm hosting locally and sites across the web (both in Chrome; not seeing it injected when I'm in Firefox). I did not notice it until recently, as I typically use EFF's Privacy Badger, which blocks the actual injection script from loading. I've seen it block requests to extsgo.com and st.adxxx.com, neither of which is related to the local build of the project I'm working on where I see it injected.
It's definitely something (presumably an extension) that is getting synced via Chrome sync as I've noticed it in a Windows 10 installation on one machine and within a Linux VM inside a Windows 7 host OS on a different machine. All software fully up to date.
I see nothing I'm not expecting in terms of extensions and I do not have the "Full screen Flash" extension. Windows Defender has not found anything on the Win 10 install, nor on the Windows 7 one.
Is it perhaps another extension that got hijacked? I know sometimes developers sell extensions and malware makers acquire them for the instantly-installed userbase. Everything in the Chrome Web Store is supposedly scanned, of course, so who knows.
Anyone have any other ideas?
Thanks!
~tw
---------- Post added at 02:13 PM ---------- Previous post was at 01:19 PM ----------
Insert jQuery (not including link; you'll know if you have it) appears to have been the culprit extension. The behaviour I was seeing is consistent with this description: gist.github.com/jimbo1qaz/bc73a2491f0c39b7f206359f089dd79c complete with the redirection to a shady fake magazine URL. When I uninstalled Insert jQuery, the issues went away. So this is consistent with a rash of extensions getting updated with updates that include new malware. I originally intended to install that extension... several years ago. I've been using it occasionally ever since.
(My) case closed.
This just happened to me as well. Exactly once on my work computer, then once on my home computer a few hours later, different sites. Both chrome, but different accounts and mostly different extensions. I'll compare extension lists and post the common ones when I get back to my work computer tomorrow. But I don't have either of the mentioned extensions installed.
This thread was the only google result for the url.
Edit: Googling the id of the modal div, "asgds_modal", leads to a reddit thread with a few people complaining. They pointed out two new extensions, "http headers" and "w3schools hider". I'm guessing my culprit is the http headers one, as it is on both my computers.
I figured it out.
Live HTTP Headers extension is the culprit. A couple of days ago I checked that it was giving a 404 error for the JS script it was requesting from an AWS server. I thought someone would buy it. And the same thing happened, I guess. The Chrome Web Store page is not working for that extension, most probably because it is removed. But you people should uninstall that from your Chrome browsers.
ant96 said:
Live HTTP Headers extension is the culprit. A couple of days ago I checked that it was giving a 404 error for the JS script it was requesting from an AWS server. I thought someone would buy it. And the same thing happened, I guess. The Chrome Web Store page is not working for that extension, most probably because it is removed. But you people should uninstall that from your Chrome browsers.
Thank you man, you're my hero.
Hi guys!
I really need your help here please.
I seem to have encountered a similar problem as you, but I don't have the HTTP headers extension you all talked about.
It happens to me only on Chrome, on different sites; I get this "sponsored by adnow" ad
and I'm not sure what to do. It's in the exact same place where Outbrain or Taboola show their ads, and it covers it.
I think, but am not sure, that the div id is sc_tblock_319318, and from what I understand it blocks the original ad (by Outbrain in this case) and then recreates a new one.
Is there anyone here who could help me please? Really, I tried almost everything...
Sorry if my English is not perfect,
and thanks in advance!

Four Virus on Xperia Oreo 8.0.0

I am unable to remove an annoying pop-up coming from any web browser I tried to install and use on my new Xperia Premium XZ, including Chrome and Firefox. It looks like my phone gets DNS hijacked and randomly, a few times a day, it pops up this message - see attached screenshots.
I tried to Google a solution; none I found worked, including clearing data and cache of these apps and completely reinstalling them.
I tried premium Malwarebytes and it does not detect anything wrong with the phone.
I also activated the premium version of AVG but a full scan has not discovered any issues.
At this point I ran out of options.
I can't believe there is no clear explanation anywhere about this so-called Four Virus, nor any reference to it with respect to Oreo 8.0.0.
Am I the only Oreo user who has this issue?
Resetting my phone to factory defaults is the last thing I would want but could do. Just trying to see other options before executing such a drastic solution.
Any ideas are very appreciated.
Hi there
You caught a simple flu, but you probably need Safe Mode to remove it. Follow the instructions here => https://forums.androidcentral.com/a...30081-guide-malware-adware-popup-removal.html
Good luck, and keep us posted,
Van
This is a well-known problem, widely described on the Net. There's nothing wrong with your phone. There's no malware on the phone itself, which is why the anti-malware tools do not find anything.
What you see is a result of a server-side problem. Either the web page you were trying to visit got hijacked, or an ad provider that displays ads on that page got hijacked, or some DNS entry got hijacked. They used some kind of server-side exploit to redirect your browser to the above fake page. It is ordinary scareware, trying to scare you into purchasing a piece of software you don't really need (and it is useless crap anyway). If you were visiting a legitimate web site at the time this popup appeared, the site owners are most likely already aware of the problem. They will fix it shortly and the problem will go away.
At this time, just to make sure nothing is cached on your phone after they fix the issue, a good idea might be to find your browser app in the app list and ask Android to clear the app data.

How to log in if the page does not load

Dear friends, when I come here, I fully understand how I will be criticized, but still, those who understand - please help me with the problem of connecting to the casino site https://www.getslots.com/. Recently, when I realized that I liked gambling, I managed to try dozens of official and unofficial sites, even verification took place at bookmakers merged from the casino. So far, the middle ground has not been found. However, friends are actively playing on the getslots website. Although, on the other hand, what friends they are to me when they don't say "How to connect to the site..."
The crux of the problem is that I can't access this site. I tried everything I could: incognito mode, several different browsers, cache cleaning, various extensions, free proxy (and I changed the region, tried to connect from the States, and even a European VPN didn't help). Can you imagine? I even reinstalled the system, some horror!!! In the end, there was only one small change when I decided to buy a quality proxy. If with the above methods the page in the browser used to say "Failed to connect to the server," then with the help of a paid one the page just loads endlessly and the picture does not even appear.
I don't know what to do anymore! Of course, I can just look for another casino, but it's a matter of principle. Besides, people advised me for a reason, so everything is fine there and without deception. If you know this, please help me, I would be very grateful!!!!

Stock OnePlus 7 Pro possible bug or virus with Varo banking app

Here is a link to a video I just posted on YouTube showing what I'm referring to below. I did blur out any and all of my personal information; I hope that it does not violate any rules, laws, or policies. *Side note: I somehow messed up the audio & I don't usually sound like a dude.
I don't know the correct place for this post even after reading the thread for such things, and I did try the search function and still was unsure.
If this post is deleted for incorrect topic forum, please advise me of the correct place, if there is one.
I am having this weird thing going on with my phone and I cannot find anything similar to the issue online, and it's highly probable it's somehow user error.
Since I don't know where to turn to for advice (I am aware factory resetting it will probably resolve it, but I want to know what is causing it as well as fixing the issue), I figured I would start here as this has been the best source of information on past Android questions I've had.
I have contacted the Varo Bank (the new Varo Bank app) support and their developers through their beta tester app. No response yet (5 days).
The reason for this post... Over the past 2 weeks or so I will hear a (new) tone, then my phone opens up my main banking app (Varo Bank). This happens again and again; sometimes it only happens a few times a minute, other times it's 6-7 times in a minute, to where my phone is nearly unusable. It can happen anytime my phone is unlocked, including while I'm on a call, after restarting the phone, on and off wifi, cellular, &/or airplane mode, even while I am already in the banking app. I originally assumed it had to do with some sort of shortcut or where it was located on my home screen. So first I moved it, then when that didn't work, I deleted it from every page except my app drawer. Since none of those resolved the issue, I checked for software updates of both my phone and the app itself, yet they were both at the most recent versions. Although I NEED the app for obvious reasons, I decided to uninstall the app. After it was uninstalled I restarted my phone and as soon as I unlocked it I heard the "Ba Ding" sound again, but this time it took me to the Google Play Store for the same Varo Bank app I had just uninstalled. At this point I joined their beta testers then reinstalled the beta version of Varo Bank, hoping that if it is the banking app that's causing the issue that would resolve it, or I would have a better chance of contacting their developers or technical support. I have sent 2 emails to their general support and left a comment on the Play Store for the app, which goes to the developers and is not a public comment. It has been 5 days and I have yet to get a response that wasn't autogenerated.
Sorry for the poorly written, LONG post, this is just driving me crazy. Thanks in advance for any advice, comments or possible direction on where to turn for answers or support.
Lisa Nicole
Hi, to me this sounds like a really terrible bug in the banking app you are using, or a virus. I would assume the latter.
I have two separate banking apps on my phone and never ever experienced my apps opening on their own, even redirecting me to install it again after uninstall.
If it were a phone bug, it would do this with any app, not just your banking app.
I could be wrong in my assumptions, just trying to advise you to be careful.
I would back up my data, format and start fresh.
@soka said:
Hi, to me this sounds like a really terrible bug in the banking app you are using, or a virus. I would assume the latter.
I have two separate banking apps on my phone and never ever experienced my apps opening on their own, even redirecting me to install it again after uninstall.
If it were a phone bug, it would do this with any app, not just your banking app.
I could be wrong in my assumptions, just trying to advise you to be careful.
I would back up my data, format and start fresh.
Ya, I figured as much. I just really loathe the thought of having to do a fresh install, because my phone storage organization is non-existent. Regardless, I'm hoping to draw some attention to the issue, whatever the issue may be. Varo the name has been around for a while, but they just recently became an actual independent bank (they were under Bank Corp before).
I can't be, nor will I be, the only customer with this issue, not to mention it's my understanding that you "have" to use the app, due to very limited web capabilities. I have not verified that myself though.
So we'll see if this helps get some attention for the issue.
I am getting the same error, but only with the Varo app, nothing else.
I have the same issue that just started this week on my Pixel 7. Did you just add it to your GPay or Wallet recently?
