Help with a Redirect Virus

   / Help with a Redirect Virus #1  

California

Help with a Redirect Virus? I haven't had to deal with malware in 10+ years and I'm lost.

I click on others' links to Harbor Freight over in the Don't Suck thread, and get redirected to a warning page instead.

While the link destination shows as HF.... at the bottom of the TBN page, as it should, the actual link data is:

PHP:
http://api.viglink.com/api/click?format=go&jsonp=vglnk_14235203345829&key=a6c73c8a58f6c5d5816e8336c8228973&libId=095eaefa-38af-47eb-b976-aed3cc6b6387&loc=http%3A%2F%2Fwww.tractorbynet.com%2Fforums%2Fparts-repairs%2F114176-harbor-freight-tools-dont-suck-216.html%23post4035679&v=1&out=http%3A%2F%2Fwww.harborfreight.com%2F1500-lb-capacity-dual-wheel-swing-back-boat-trailer-jack-67500.html&ref=http%3A%2F%2Fwww.tractorbynet.com%2Fforums%2Fsubscription.php%3Fdo%3Dviewsubscription&title=Harbor%20Freight%20Tools%20that%20don%27t%20suck%20-%20Page%20216&txt=1500%20Lb.%20Capacity%20Dual%20Wheel%20Swing-Back%20Boat%20Trailer%20Jack

That's hard to read. Here it is with some spaces to break it up:
http: // api.viglink.com/api/click?format=go&jsonp=vglnk_14235203345829&key=a6c73c8a58f6c5d5816e8336c8228973&libId=095eaefa-38af-47eb-b976-aed3cc6b6387&loc=http%3A%2F%2Fwww.tractorbynet.com%2Fforums%2Fparts-repairs%2F114176-harbor-freight-tools-dont-suck-216.html%23post4035679&v=1&out=http%3A%2F%2Fwww.harborfreight.com%2F1500-lb-capacity-dual-wheel-swing-back-boat-trailer-jack-67500.html&ref=http%3A%2F%2Fwww.tractorbynet.com%2Fforums%2Fsubscription.php%3Fdo%3Dviewsubscription&title=Harbor%20Freight%20Tools%20that%20don%27t%20suck%20-%20Page%20216&txt=1500%20Lb.%20Capacity%20Dual%20Wheel%20Swing-Back%20Boat%20Trailer%20Jack

I ran Malwarebytes. It removed and quarantined:

Folder: Program Files (x86)\File Type Assistant
File: Downloads\gimpts_729.exe
Registry keys:
HKLM\SOFTWARE\WOW6432NODE\FREEZE.COM
HKLM\SOFTWARE\WOW6432NODE\InstallIQ

But my redirect problem persists. This pc has an Ethernet cable to the router. My wife's laptop via wireless exhibits the same redirect from those HF links.

I checked DNS in this PC and the router. Changing both from 'get automatically' to a specific DNS provider and back made no difference.

System: Win 7 with MSE.

What do I run next to diagnose this?

Thanks in advance for any advice!
 
   / Help with a Redirect Virus #2  
I frequently get redirected to that api.viglink.com..... stuff when I try to click on buttons at the bottom of the screen on TBN. It's frustrating. But I never get warnings. It just goes places I don't want to go.

So we're going to ask the obvious questions here. Don't get insulted, as we don't know if you know what you're doing or not. ;) Kinda like foreign tech support! :laughing:

Have you cleared your cache, deleted your cookies and rebooted?
Have you run CCleaner? Keep running it until it comes up clear.
Have you scanned your registry with CCleaner? Again, keep scanning it until it comes up clear.
Have you run a scan with your anti-virus software?
Have you run MalwareBytes? (I see you did but this is the standard spiel).
Have you run MalwareBytes again and again until it comes up clear?
Have you flushed your DNS cache? (if you don't know how, click START, type command to open a command prompt, type "ipconfig /flushdns" and hit enter. That'll flush your DNS cache. Reboot and try it again.)
Have you tried a system restore back to a date before you were having problems?

That's about all I know. Sad for 25+ years in I.T. :rolleyes:
 
   / Help with a Redirect Virus #3  
I had a recent one with Chrome, and I wound up having to uninstall Chrome to get rid of it. Spent a good part of a weekend messing with it and none of the anti-malware cleaners would get rid of it.

Brought back bad memories of Windows' early days with constant viral crap.
 
   / Help with a Redirect Virus #4  
Sorry, there was one other issue that I was not able to confirm, but I had suspicions that because all of my devices are synched through Google, that it was a conduit for re-infecting the browser. I never did prove that though.
 
   / Help with a Redirect Virus
  • Thread Starter
#5  
Ok, I'm making a little progress.

Malwarebytes and Superantispyware each found a couple of items of interest. But quarantining these didn't fix the problem. (and CC cleaned up a lot of clutter, but none critical). Also completed the rest of the steps listed by MossRoad above.

One clue...
Harborfreight is listed as a participating 'insider' on viglink .com:

Powering content-driven commerce.

VigLink is the platform on which site-to-site clicks are priced, bought, and sold.

"For example, if a blogger mentions a product, brand or store, they don't have to worry about linking it themselves: VigLink will take care of that with its link insertion technology, which optimizes for both user experience and revenue."

"Calling the link 'the original native ad,' Oliver Roup, Founder and CEO of VigLink views his platform as making the most of this 'defining feature of the Internet. Links engage readers and drive tremendous value to their target. That value has never been market priced until now.'"
John Rampton, for Forbes

And links from TBN to HF, and to a couple of other sites, are the only instances where I get the warning. I'm not sure what to make of this.


Also, another request for help. In CC I let it purge the font cache, 45 mb, that I assumed would be replenished as needed. (Cache, right?) Nope, I now seem to have only system fonts for Windows and in Firefox. How the heck do I resume use of all the fonts?

signed .. Frustrated.
 
   / Help with a Redirect Virus
  • Thread Starter
#6  
I'm happy to report that after I left the home pc and came out here to the ranch this afternoon, I don't see the problem here. (Separate DSL account from the same ISP, separate laptop that stays at the ranch.)

I'll resume work on the problem after I return to town next week.

I'm leaning toward an exorcism for that home pc. :p
 
   / Help with a Redirect Virus #7  
I loaded TBN on an "unblocked" browser and I do not get the VigLink link, I just get a direct link to HF.
Do you have Internet Explorer, Firefox or Chrome?
Can you provide a list of the programs installed on your computer and a list of addons or toolbars installed in your browser?

Aaron Z
 
   / Help with a Redirect Virus #8  
Viruses and malware drive me nuts. I manage to get one about once a year, usually after forgetting that the Aholes that run shareware sites often allow unwanted taskbars etc to be installed simultaneously. My solution has typically been to run Malwarebytes, reinstall Avast (my antivirus), and if that fails to just do a system restore. Once I gave up and bought a new computer.

I'd love to capture some of these virus/malware hackers and turn them over to ISIS.
 
   / Help with a Redirect Virus
  • Thread Starter
#9  
Firefox 100% of the time, with Adblock Plus always on. Just MSE for an antivirus.

I started IE on the home pc and found this same redirect appeared there, too. (That's why I first suspected a DNS hijack but switching from automatic to specific DNS providers, at Google and my ISP, didn't help).

I'm running the usual programs, the stuff Ninite can update. I don't recall any new programs in the past year or so. And my wife's laptop shows the same redirect problem while it nearly never gets a new application added.

After this problem appeared I added and ran Malwarebytes and then Superantispyware, a program that a longtime respected member of another forum said can find stuff that the usual programs miss. He also said "One other to try if you are in a bind is Dr Web Cureit: freedrweb.com/cureit/?lng=en ". And he said he often starts with search and destroy. I haven't tried these yet.

Nothing exotic in my Firefox addons. Adobe Acrobat Reader, Java, Google Earth Plugin etc.

I note that I and wife accepted the latest Java update yesterday, on my home pc and her laptop, while I refused it on this Ranch laptop I'm using at the moment that remains trouble-free. So Java update could be the vector. (Her laptop exhibits the same redirect problem out here at the ranch, same as it did in town. So it appears the problem resides in the two computers, home pc and her laptop, and is not a network issue.)

No browser toolbars. Running CC located some trace of Ask toolbar that I probably let install by mistake long ago, then removed the moment I saw it. There was no Ask toolbar in the browser or mention of it in Control Panel's Uninstall menu.

The weather finally cleared up and we came out to the ranch to spend several days, so I'm now not at the home pc that has the problem.


I appreciate everyone's suggestions. I'll try them after I get back to the home pc. Maybe sooner on my wife's laptop if that seems helpful. Her laptop hasn't seen a redirect problem aside from my trying a TBN > HF link that went to that warning instead of landing at HF.


I got most of my gray hair in PC support 20 years ago when it was exotic but simple. It's been a long time since I encountered a hair puller like I have now.
 
   / Help with a Redirect Virus
  • Thread Starter
#10  
Hmmm. Posted at VBulletin.org:


VigLink is the easiest way to monetize your outbound links. You get paid when visitors click from your forum to a retailer and buy something. The VigLink analytics dashboard tells you which outbound links are clicked most, which are making you the most money, and more.

You've created something special. Your community is a place where people congregate to discuss their passion. It turns out they also make decisions about what to buy and where to buy it, and that's valuable. VigLink helps you capture this value, effortlessly.

In fact, VigLink is second only to AdSense as the most widely used monetization technology for vBulletin. ...

This add-on will install the VigLink javascript on your forum, without the need to edit templates.

VigLink Convert
Your members are constantly posting links to retailers. If any go to over 35,000 retailers, VigLink will automatically convert them to monetized links that pay you a commission.

And apparently my ISP blocks these redirects that would pass through VigLink; that's why I see a Warning instead of the intended HF page. But - then why doesn't this ranch laptop (via same ISP) encounter that warning? Maybe its Adblock is trapping the diversion? :confused: :confused: :confused:

How the heck do I make my other two pc's act like this laptop I'm on now, and ignore VigLink?
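
The link quoted in post #1 can be taken apart to show which host the browser contacts first and which page the reader meant to reach, which is the link conversion the VigLink text quoted in post #10 describes. This is an added example, not part of the thread: the function names are hypothetical, and the sample is a trimmed copy of the quoted link.

```python
from urllib.parse import urlsplit, parse_qs

# Trimmed copy of the link quoted in post #1; the jsonp, key, libId, v, ref
# and title parameters are left out here for length.
SAMPLE = (
    "http://api.viglink.com/api/click?format=go"
    "&loc=http%3A%2F%2Fwww.tractorbynet.com%2Fforums%2Fparts-repairs%2F"
    "114176-harbor-freight-tools-dont-suck-216.html%23post4035679"
    "&out=http%3A%2F%2Fwww.harborfreight.com%2F"
    "1500-lb-capacity-dual-wheel-swing-back-boat-trailer-jack-67500.html"
    "&txt=1500%20Lb.%20Capacity%20Dual%20Wheel%20Swing-Back%20Boat%20Trailer%20Jack"
)


def unwrap_click_url(url):
    """Split a click-tracking URL into the host the browser really contacts
    and the destination carried inside it.

    Parameter names are the ones visible in the quoted link:
    out = destination, loc = page the click came from, txt = link text.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)  # parse_qs percent-decodes the values

    def first(name):
        return query.get(name, [None])[0]

    out = first("out")
    dest_host = urlsplit(out).hostname if out else None
    return {
        "first_hop": parts.hostname,
        "destination": out,
        "destination_host": dest_host,
        "clicked_on": first("loc"),
        "link_text": first("txt"),
        # Wrapped means the request goes to a different host than the target.
        "wrapped": bool(out) and dest_host != parts.hostname,
    }


def explain(url):
    """One-line summary of where a click on this URL is sent."""
    info = unwrap_click_url(url)
    if not info["wrapped"]:
        return f"direct link to {info['first_hop']}"
    return (f"request goes to {info['first_hop']} first, "
            f"then on to {info['destination_host']}")


if __name__ == "__main__":
    print(explain(SAMPLE))
```

Anything that blocks the first-hop host (a DNS filter, an ISP filter, an ad blocker) stops the click before the destination is ever requested, while a browser where the link is not rewritten goes to the destination directly.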
 