Channel: InformAction Forums

Re: Firefox lets "Forbidden" script thro' but Opera is OK -

CrlyWrly wrote:
Tom T. wrote: don't get the redirect from the first site to the second, so presumably, it's been fixed.

I don't understand this bit - I am starting off well, aren't I? :-)

I didn't mention where the pages were located - I assume that is what you mean by "the first site"?

It appears as though I'm the one who didn't understand exactly which site, in what order, did what, when. :?

I will PM you the url of the "landing page" - which seems fine. There is nowhere else to go from there but to the Forum. The "Forum" link takes you to the forum (phpBB3) login page, which is where the barrage of virus downloads started with FF. Just about every action on the forum triggered a further virus download.

Ah, so it's that Forum that was corrupted. I thought the open-mic site was the villain, sorry.

Side note: You may be fascinated by the JSView add-on, in which you can r-click and "View Page Info". It will show you the full URLs from which scripts are called, such as this one, one of the 120 or so run by my Yahoo webmail:
http://mail.yimg.com/zz/combo?/nq/mc/15_0_8/js/im_blue_all.js&/nq/mc/15_0_8/js/us_strings.js&/nq/mc/15_0_8/js/msgr.js

and also shows you how many are "Embedded". At Yahoo Mail, that's most of them. I have to allow mail.yahoo.com to use the site, so those scripts come with it, no choice.


Forum Index Page:

Image


Forum Lobby Page:

Image

several free HOSTS services that block your browser from visiting known bad sites

I am on to it! Quickly looked at a few suggestions for Mac but if there is anything in particular you would recommend, please do let me know....

The service I use is Windows-only, and I am not Mac-friendly, so you could look around Mac community sites, check the various services for independent reviews, etc.

Caveat: Most such services redirect the bad sites to 127.0.0.1, which is the "loopback" or "localhost" address -- your machine talking to itself, as it were. There are some good arguments to be made against using this address. If you are interested in Giorgio Maone's discussion of why, it starts here, where I relay my email conversation with the provider to Giorgio, who responds, uh, "strongly".

*Personally*, I have found that changing the redirect address simply to 0 -- just zero, nothing else, no dots -- causes immediate recognition of an invalid destination, while not mucking up anything. This is undocumented, AFAIK, so please, no liability here if you choose to do this.

(I feel sure that I must be missing something about setting up NoScript - is there a way that I can tell it to always block googleadservices, for instance, so that it doesn't keep asking me if I would like to allow it?)

When it asks if you want to allow, click "Mark as Untrusted". This adds it to the "Untrusted" list, and those disappear from the main menu. This is covered in the opening paragraph of SOME SITES YOU MIGHT NOT WANT TO ALLOW.

For what it's worth, I disable offline caching in Firefox, through the Fx GUI Advanced > Network (set offline to 0), and about:config
browser.cache.disk.enable
browser.cache.offline.enable

both toggled to False.

Also, I use (yet another) Windows-only tool called Sandboxie, to trap stuff inside the sandbox (virtual browser) so that it cannot write to the hard drive. It's configured so that at every close of the browser, which is frequent, *everything* is dumped, including malware. (You can give specific permission to save bookmarks, NS settings, various Fx settings, etc. for permanent use.) There are many sandboxing or virtualizing solutions out there -- I think VMWare Workstation may work on Mac -- and some are free or donor-ware. Another good layer of defense-in-depth.

I have also run a full Sophos AV scan on my computer and it has not found anything untoward.

A lot of users like the free trial of MalwareBytes Anti-Malware (www.malwarebytes.org), but I don't see a Mac version listed. Any chance of running it on a Windows emulator? It seems like the malware has gotten hold of your machine, and is avoiding removal -- probably because there is a file or two that regenerates the actual virus every time it is removed. Some of these get very clever, splitting themselves in two and renaming themselves, possibly mimicking legitimate file names. If an online tool can't find the source of reinfection, it may require competent, local professional help. It's the fact that new bookmarks are being generated that makes me suspect a more permanent, "parent" infection, possibly the dreaded rootkit.

I guess I should really have posted this in the "Security" sub-forum rather than this one - but that was because I didn't understand how NoScript worked and imagined that it would react to the script within pages, rather than what you said :-)

No, you were fine. The "Security" sub-forum is for topics that are known to be not directly related to NS, but are of interest to security-minded users in general. This was as good a place to start this topic as any. :)

Will PM you the site url so you can have a poke around if you feel like it :-)


Thanks. It may not be immediately, because it may take some thorough investigation, but hopefully, within a day or two. Just wanted to get these comments to you in the meantime.

Regards,
Tom
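
The sink-address change discussed in the post above, as an added example (not code from the post or from any HOSTS service): it rewrites blocklist entries in a hosts file away from the loopback range while leaving the machine's own `localhost` mapping alone. The function name, the `KEEP_LOOPBACK` set, the default sink `0.0.0.0` and the sample file are assumptions made for illustration; pass `sink="0"` for the value the post's author uses.

```python
import re

# Assumption: names that must keep resolving to the real loopback address.
KEEP_LOOPBACK = {"localhost", "localhost.localdomain"}
LOOPBACK = re.compile(r"^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$")

# Constructed sample hosts file (not taken from any real blocklist).
SAMPLE = """\
# constructed sample hosts file
127.0.0.1 localhost
::1 localhost
127.0.0.1 ads.example.test tracker.example.test  # blocklist entry
127.0.0.1 localhost malware.example.test
192.0.2.10 intranet.example.test
"""


def resink_hosts(text, sink="0.0.0.0"):
    """Return (new_text, changed) with blocked names moved from 127.x to sink."""
    out, changed = [], 0
    for line in text.splitlines():
        body, sep, comment = line.partition("#")
        fields = body.split()
        # Comments, blank lines and non-loopback mappings pass through untouched.
        if len(fields) < 2 or not LOOPBACK.match(fields[0]):
            out.append(line)
            continue
        names = fields[1:]
        keep = [n for n in names if n.lower() in KEEP_LOOPBACK]
        block = [n for n in names if n.lower() not in KEEP_LOOPBACK]
        tail = (" " + sep + comment) if sep else ""
        if keep:
            # A mixed line is split so localhost keeps its loopback mapping.
            out.append(fields[0] + " " + " ".join(keep) + ("" if block else tail))
        if block:
            out.append(sink + " " + " ".join(block) + tail)
            changed += len(block)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    new_text, count = resink_hosts(SAMPLE, sink="0")
    print(new_text, end="")
    print(count, "blocked names re-pointed")
```

Run it on a copy of the hosts file and compare the output with the original before replacing anything; a second pass over its own output changes nothing.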
