Help with a Redirect Virus

   / Help with a Redirect Virus #1  

California

Help with a Redirect Virus? I haven't had to deal with malware in 10+ years and I'm lost.

I click on others' links to Harbor Freight over in the Don't Suck thread, and get redirected to a warning page instead.

While the link destination shows as HF.... at the bottom of the TBN page, as it should, the actual link data is:

PHP:
http://api.viglink.com/api/click?format=go&jsonp=vglnk_14235203345829&key=a6c73c8a58f6c5d5816e8336c8228973&libId=095eaefa-38af-47eb-b976-aed3cc6b6387&loc=http%3A%2F%2Fwww.tractorbynet.com%2Fforums%2Fparts-repairs%2F114176-harbor-freight-tools-dont-suck-216.html%23post4035679&v=1&out=http%3A%2F%2Fwww.harborfreight.com%2F1500-lb-capacity-dual-wheel-swing-back-boat-trailer-jack-67500.html&ref=http%3A%2F%2Fwww.tractorbynet.com%2Fforums%2Fsubscription.php%3Fdo%3Dviewsubscription&title=Harbor%20Freight%20Tools%20that%20don%27t%20suck%20-%20Page%20216&txt=1500%20Lb.%20Capacity%20Dual%20Wheel%20Swing-Back%20Boat%20Trailer%20Jack

That's hard to read. Here it is with some spaces to break it up:
http: // api.viglink.com/api/click?format=go&jsonp=vglnk_14235203345829&key=a6c73c8a58f6c5d5816e8336c8228973&libId=095eaefa-38af-47eb-b976-aed3cc6b6387&loc=http%3A%2F%2Fwww.tractorbynet.com%2Fforums%2Fparts-repairs%2F114176-harbor-freight-tools-dont-suck-216.html%23post4035679&v=1&out=http%3A%2F%2Fwww.harborfreight.com%2F1500-lb-capacity-dual-wheel-swing-back-boat-trailer-jack-67500.html&ref=http%3A%2F%2Fwww.tractorbynet.com%2Fforums%2Fsubscription.php%3Fdo%3Dviewsubscription&title=Harbor%20Freight%20Tools%20that%20don%27t%20suck%20-%20Page%20216&txt=1500%20Lb.%20Capacity%20Dual%20Wheel%20Swing-Back%20Boat%20Trailer%20Jack

I ran Malwarebytes. It removed and quarantined:

Folder: Program Files (x86)\File Type Assistant
File: Downloads\gimpts_729.exe
Registry keys:
HKLM\SOFTWARE\WOW6432NODE\FREEZE.COM
HKLM\SOFTWARE\WOW6432NODE\InstallIQ

But my redirect problem persists. This pc has an Ethernet cable to the router. My wife's laptop via wireless exhibits the same redirect from those HF links.

I checked DNS in this PC and the router. Changing both from 'get automatically' to a specific DNS provider and back made no difference.

System: Win 7 with MSE.

What do I run next to diagnose this?

Thanks in advance for any advice!
 
   / Help with a Redirect Virus #2  
I frequently get redirected to that api.viglink.com..... stuff when I try to click on buttons at the bottom of the screen on TBN. It's frustrating. But I never get warnings. It just goes places I don't want to go.

So we're going to ask the obvious questions here. Don't get insulted, as we don't know if you know what you're doing or not. ;) Kinda like foreign tech support! :laughing:

Have you cleared your cache, deleted your cookies and rebooted?
Have you run CCleaner? Keep running it until it comes up clear.
Have you scanned your registry with CCleaner? Again, keep scanning it until it comes up clear.
Have you run a scan with your anti-virus software?
Have you run MalwareBytes? (I see you did but this is the standard spiel).
Have you run MalwareBytes again and again until it comes up clear?
Have you flushed your DNS cache? (if you don't know how, click START, type command to open a command prompt, type "ipconfig /flushdns" and hit enter. That'll flush your DNS cache. Reboot and try it again.)
Have you tried a system restore back to a date before you were having problems?

That's about all I know. Sad for 25+ years in I.T. :rolleyes:
 
   / Help with a Redirect Virus #3  
I had a recent one with Chrome, and I wound up having to uninstall Chrome to get rid of it. Spent a good part of a weekend messing with it and none of the anti-malware cleaners would get rid of it.

Brought back bad memories of Windows' early days with constant viral crap.
 
   / Help with a Redirect Virus #4  
Sorry, there was one other issue that I was not able to confirm, but I had suspicions that because all of my devices are synched through Google, that it was a conduit for re-infecting the browser. I never did prove that though.
 
   / Help with a Redirect Virus
  • Thread Starter
#5  
Ok, I'm making a little progress.

Malwarebytes and Superantispyware each found a couple of items of interest. But quarantining these didn't fix the problem. (and CC cleaned up a lot of clutter, but none critical). Also completed the rest of the steps listed by MossRoad above.

One clue...
Harborfreight is listed as a participating 'insider' on viglink .com:

Powering content-driven commerce.

VigLink is the platform on which site-to-site clicks are priced, bought, and sold.

"For example, if a blogger mentions a product, brand or store, they don't have to worry about linking it themselves: VigLink will take care of that with its link insertion technology, which optimizes for both user experience and revenue."

"Calling the link 'the original native ad,' Oliver Roup, Founder and CEO of VigLink views his platform as making the most of this 'defining feature of the Internet. Links engage readers and drive tremendous value to their target. That value has never been market priced until now.'
John Rampton, for Forbes
And links from TBN to HF, and to a couple of other sites, are the only instances where I get the warning. I'm not sure what to make of this.


Also, another request for help. In CC I let it purge the font cache, 45 MB, that I assumed would be replenished as needed. (Cache, right?) Nope, I now seem to have only system fonts for Windows and in Firefox. How the heck do I resume use of all the fonts?

signed .. Frustrated.
 
   / Help with a Redirect Virus
  • Thread Starter
#6  
I'm happy to report that after I left the home pc and came out here to the ranch this afternoon, I don't see the problem here. (Separate DSL account from the same ISP, separate laptop that stays at the ranch.)

I'll resume work on the problem after I return to town next week.

I'm leaning toward an exorcism for that home pc. :p
 
   / Help with a Redirect Virus #7  
I loaded TBN on an "unblocked" browser and I do not get the VigLink link, I just get a direct link to HF.
Do you have Internet Explorer, Firefox or Chrome?
Can you provide a list of the programs installed on your computer and a list of addons or toolbars installed in your browser?

Aaron Z
 
   / Help with a Redirect Virus #8  
Viruses and malware drive me nuts. I manage to get one about once a year, usually after forgetting that the Aholes that run shareware sites often allow unwanted taskbars etc to be installed simultaneously. My solution has typically been to run Malwarebytes, reinstall Avast (my antivirus), and if that fails to just do a system restore. Once I gave up and bought a new computer.

I'd love to capture some of these virus/malware hackers and turn them over to ISIS.
 
   / Help with a Redirect Virus
  • Thread Starter
#9  
Firefox 100% of the time, with Adblock Plus always on. Just MSE for an antivirus.

I started IE on the home pc and found this same redirect appeared there, too. (That's why I first suspected a DNS hijack, but switching from automatic to specific DNS providers, at Google and my ISP, didn't help.)

I'm running the usual programs, the stuff Ninite can update. I don't recall any new programs in the past year or so. And my wife's laptop shows the same redirect problem while it nearly never gets a new application added.

After this problem appeared I added and ran Malwarebytes and then Superantispyware, a program that a longtime respected member of another forum said can find stuff that the usual programs miss. He also said "One other to try if you are in a bind is Dr Web Cureit: freedrweb.com/cureit/?lng=en ". And he said he often starts with search and destroy. I haven't tried these yet.

Nothing exotic in my Firefox addons. Adobe Acrobat Reader, Java, Google Earth Plugin etc.

I note that my wife and I accepted the latest Java update yesterday, on my home pc and her laptop, while I refused it on this ranch laptop I'm using at the moment that remains trouble-free. So the Java update could be the vector. (Her laptop exhibits the same redirect problem out here at the ranch, same as it did in town. So it appears the problem resides in the two computers, home pc and her laptop, and is not a network issue.)

No browser toolbars. Running CC located some trace of Ask toolbar that I probably let install by mistake long ago, then removed the moment I saw it. There was no Ask toolbar in the browser or mention of it in Control Panel's Uninstall menu.

The weather finally cleared up and we came out to the ranch to spend several days, so I'm now not at the home pc that has the problem.


I appreciate everyone's suggestions. I'll try them after I get back to the home pc. Maybe sooner on my wife's laptop if that seems helpful. Her laptop hasn't seen a redirect problem aside from my trying a TBN > HF link that went to that warning instead of landing at HF.


I got most of my gray hair in PC support 20 years ago when it was exotic but simple. It's been a long time since I encountered a hair puller like I have now.
 
   / Help with a Redirect Virus
  • Thread Starter
#10  
Hmmm. Posted at VBulletin.org:


VigLink is the easiest way to monetize your outbound links. You get paid when visitors click from your forum to a retailer and buy something. The VigLink analytics dashboard tells you which outbound links are clicked most, which are making you the most money, and more.

You've created something special. Your community is a place where people congregate to discuss their passion. It turns out they also make decisions about what to buy and where to buy it, and that's valuable. VigLink helps you capture this value, effortlessly.

In fact, VigLink is second only to AdSense as the most widely used monetization technology for vBulletin. ...

This add-on will install the VigLink javascript on your forum, without the need to edit templates.

VigLink Convert
Your members are constantly posting links to retailers. If any go to over 35,000 retailers, VigLink will automatically convert them to monetized links that pay you a commission.

And apparently my ISP blocks these redirects that would pass through VigLink; that's why I see a Warning instead of the intended HF page. But - then why doesn't this ranch laptop (via same ISP) encounter that warning? Maybe its Adblock is trapping the diversion? :confused: :confused: :confused:

How the heck do I make my other two pc's act like this laptop I'm on now, and ignore VigLink?
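
Added example, not part of the original posts: a Python sketch that decodes the click URL quoted in post #1 and sorts the URLs nested in its query string, showing that `out` still carries the original Harbor Freight address and that the only extra hop is the wrapper host. The function names, and the reading of `out`, `loc` and `ref` (inferred from their values), are assumptions.

```python
from urllib.parse import parse_qsl, urlsplit

# Click URL copied from post #1 of this thread (split across lines only for width).
CLICK_URL = (
    "http://api.viglink.com/api/click?format=go&jsonp=vglnk_14235203345829"
    "&key=a6c73c8a58f6c5d5816e8336c8228973&libId=095eaefa-38af-47eb-b976-aed3cc6b6387"
    "&loc=http%3A%2F%2Fwww.tractorbynet.com%2Fforums%2Fparts-repairs%2F"
    "114176-harbor-freight-tools-dont-suck-216.html%23post4035679&v=1"
    "&out=http%3A%2F%2Fwww.harborfreight.com%2F"
    "1500-lb-capacity-dual-wheel-swing-back-boat-trailer-jack-67500.html"
    "&ref=http%3A%2F%2Fwww.tractorbynet.com%2Fforums%2Fsubscription.php%3Fdo%3Dviewsubscription"
    "&title=Harbor%20Freight%20Tools%20that%20don%27t%20suck%20-%20Page%20216"
    "&txt=1500%20Lb.%20Capacity%20Dual%20Wheel%20Swing-Back%20Boat%20Trailer%20Jack"
)


def same_site(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)


def unwrap(click_url, shown_domain, page_domain):
    """Sort the URLs nested in a click-tracking link (hypothetical helper).

    shown_domain: site the status bar claimed; page_domain: site the link sat on.
    """
    outer = urlsplit(click_url)
    report = {"wrapper": outer.hostname, "destination": None,
              "page_params": [], "unexpected": []}
    for name, value in parse_qsl(outer.query):  # parse_qsl percent-decodes values
        inner = urlsplit(value)
        if inner.scheme not in ("http", "https") or not inner.hostname:
            continue  # plain field (key, title, txt, ...), not a nested URL
        if same_site(inner.hostname, shown_domain):
            report["destination"] = (name, value)
        elif same_site(inner.hostname, page_domain):
            report["page_params"].append(name)
        else:
            report["unexpected"].append((name, value))  # a third site: look closer
    # The click passes through a third party if the wrapper is neither site.
    report["third_party_hop"] = not (same_site(outer.hostname, shown_domain)
                                     or same_site(outer.hostname, page_domain))
    return report


if __name__ == "__main__":
    print(unwrap(CLICK_URL, "harborfreight.com", "tractorbynet.com"))
```

An empty `unexpected` list with a populated `destination` means the wrapper was handed the link the poster originally wrote, which fits a rewrite done by the page rather than by software on the PC.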
 
   / Help with a Redirect Virus
  • Thread Starter
#11  
After some more research: Looks like VigLink is redirecting to emjcd .com , 'Commission Junction' - a site that offers you 'valuable coupons' to download.

Herdprotect Anti-malware (whoever that is) declares that emjcd downloads malware.

This might explain why my ISP blocks the (redirected) link that should have gone from here to HF.
 
   / Help with a Redirect Virus #12  
These things can be a bear to resolve. Usually Malwarebytes and Superantispyware do the job with tons of reboots in the process. You can check the add-ons section of Firefox to see if something was added that shouldn't be there. My FIL was getting these things all the time until I made it so software couldn't be added without putting in a system password. I didn't tell him the password...lol.

BTW, sometimes you have to run Windows with minimal programs running for Malwarebytes to clean properly, usually through safe mode.

As for Fonts, find the fonts folder on another PC and copy them all to a flash drive then dump them on the other PC. Usually it's in the Windows/fonts folder.

Good luck.
 
   / Help with a Redirect Virus #13  
Did you try a system restore to a point before you were having this problem with redirects?
 
   / Help with a Redirect Virus
  • Thread Starter
#14  
I was going to do the System Restore next but ran out of time. It is definitely in my list of tools I'm going to throw at it.

KubotaNH thanks for the suggestion for restoring fonts. I'll do that. Yes, I'm running all diagnostics in safe mode and with nothing else running.

It baffles me that IE which I never use, exhibited the same behavior.

When I get back to the home pc I'll try everything that is suggested in this thread.
 
   / Help with a Redirect Virus #15  
I was going to do the System Restore next but ran out of time. It is definitely in my list of tools I'm going to throw at it.
KubotaNH thanks for the suggestion for restoring fonts. I'll do that. Yes, I'm running all diagnostics in safe mode and with nothing else running.
It baffles me that IE which I never use, exhibited the same behavior.
When I get back to the home pc I'll try everything that is suggested in this thread.
It is probably an addon or toolbar in Firefox that is causing this then.
Try creating a new profile (directions here) and see if it happens there.

Aaron Z
 
   / Help with a Redirect Virus
  • Thread Starter
#16  
Thanks for that link. My Firefox profile probably dates clear back to Netscape/dos, long overdue for a cleanup. I'll try that.

I'm sure I'm not running added toolbars. Addons are plain vanilla and no new ones recently. But it is possible that an update claimed to be for one of them wasn't legitimate.

I may also purge/replace Firefox after saving a cleaned-up version of the profile.
 
   / Help with a Redirect Virus #17  
Not to keep beating a dead horse, but the beauty of system restore is you would have been done 10 minutes after you pushed the button instead of doing all the things you did. I know you want to know what's causing it, so you need to take some actions that take your time. But in a production environment, if we can't fix it in just a few minutes, we restore the machine either to a point in time before the problem happened or we just clone a new image onto it.

Of course, that's assuming your restore points aren't infected. :rolleyes:
 
   / Help with a Redirect Virus
  • Thread Starter
#18  
But I need to know! :)

Agreed, in a production environment just roll it back to known-good and get on with life. But now I'm retired and have the time to pursue my curiosity. Partly so I don't create this problem again.

I have system restore points over the past two years and the changed behavior is recent, so no problem there.

As for a Firefox profile: if necessary I can copy the (uninfected) profile from this ranch laptop I'm using now, into the PIA home desktop.
 
   / Help with a Redirect Virus #19  
But I need to know! :)

Agreed, in a production environment just roll it back to known-good and get on with life. But now I'm retired and have the time to pursue my curiosity. Partly so I don't create this problem again.

I have system restore points over the past two years and the changed behavior is recent, so no problem there.

As for a Firefox profile: if necessary I can copy the (uninfected) profile from this ranch laptop I'm using now, into the PIA home desktop.

Just remember that curiosity killed the cat! :laughing:

Hope you find it. :thumbsup:
 
   / Help with a Redirect Virus #20  
Viruses and malware drive me nuts. I manage to get one about once a year, usually after forgetting that the Aholes that run shareware sites often allow unwanted taskbars etc to be installed simultaneously. My solution has typically been to run Malwarebytes, reinstall Avast (my antivirus), and if that fails to just do a system restore. Once I gave up and bought a new computer.

I'd love to capture some of these virus/malware hackers and turn them over to ISIS.

Myself included but I'd want to water board them with turpentine. Might clear up some of their geek acne. It was the predominant reason I gave up and 4 years ago bought a Mac. In 4 years, have never had a whit of a problem with this sort of crap. (watch, because I just haunted myself, I'll get whacked tomorrow with some trojan, virus or malware)
 
