My Firefox phucked by phishing?

So I wanted to give GIMP a try on my MacBook Air. I’ve used it on Linux boxen, but not in a while. These days I edit my photos with Photoshop and Lightroom on the Mac because there are so many things only those tools do well. But I’m tired of being in silos.

Alas, when I did a (defaulted) Yahoo search on my Firefox browser, I made the dumb mistake of clicking on the top result, which was an ad (I think for gimp.us.com, but I’m not sure). I then clicked on the download link, unpacked the .dmg file, did the install — which failed — and have regretted it since. Nearly every link I click goes somewhere Netcraft’s toolbar add-on tells me has a huge risk, or gives me a “Phishing Site Blocked” message.

Down some link paths I get a Firefox cross-site script warning (or something like that — can’t find it now), or this:

[Screenshot omitted: Screen Shot 2015-02-27 at 9.40.29 PM]

It also talks.

What to do? No idea. Suggestions welcome.

10 comments

  1. John

    Are you running Windows? Check uninstall options in Control Panel and sort by most recently installed. Remove anything you don’t recognize.
    This Trojan has been known to install the following: Bing toolbar (not due if it’s legit), DropDownDeals, Yontoo layers, PageRage and BuzzDock. I assume most of these things are adware annoyances. Also remove Gimp and get the real version from gimp.org. Hope this helps.

  2. Susan F Heywood

    These are the worst. They put this sh*t on the computer and use it to serve pop-up offers to get rid of them. Cyber blackmail is what it seems like to me. I had the same issue at the time of the search change. If you run Task Manager at start-up and see unfamiliar processes, particularly if they are all letters, it is probably one of the Trojans. Right click and click End Process Tree. If you see one called edealpop, kill it off. Keep TM open when you open Firefox. If you see a process called Zombie Invasion, kill it off quickly. This should help you search for a fix that is not related to the Trojan. Uninstall any Salus programs and other ad programs that you can using the Control Panel.

    Symantec’s Trojan removal tools

    Pop-ups and redirects are likely to pop up, so be careful or use another machine to get the fix.

    Also, look in certmgr.msc for any certificates from Salus and kill them. This should help keep the app from popping up so frequently after you think you have found and deleted its files. This is just based on my personal experience and a few hours of tracking it down.

    Hope this helps. These Trojans are a scourge of the Web.

  3. Susan F Heywood

    Of course I didn’t process the Apple on the screenshot, so the process will be different. When one of the pop-ups comes up, view the page source to see what loaded. Search for Apple on Symantec’s site for the Mac version.

  4. Kris Kenyon

    Doc,
    As an Apple Consultants Network member I do this all of the time. Lifehacker has a nice walkthrough here: http://lifehacker.com/bundled-crapware-has-come-to-macs-so-hone-your-bs-dete-1688207772
    Outside of /Library/Launch*, look at ~/Library/LaunchAgents because you’ll have items there too. I would also look for add-ons to Safari, since these usually add them by default. Email me if you have issues.

    P.S. thank you for the years of enjoyment reading your articles. Keep up the good work.
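Kris’s pointer to the launchd directories can be turned into a quick review script. This is an added example, not code from the post, from Lifehacker or from any vendor; the trusted-path allowlist and the sample agent it constructs are assumptions, and the script only reports, it removes nothing.

```python
import glob
import os
import plistlib
import tempfile

# Where launchd looks for per-user and system-wide items; adware installers
# commonly drop a plist in one of these so their helper survives reboots.
LAUNCH_DIRS = [os.path.expanduser("~/Library/LaunchAgents"),
               "/Library/LaunchAgents", "/Library/LaunchDaemons"]
# Program locations treated as expected. This allowlist is an assumption
# for the example; tune it to the machine being reviewed.
TRUSTED = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")

def program_of(plist):
    """Executable a launchd item runs: Program, else ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""

def audit_launch_items(dirs=LAUNCH_DIRS):
    """Return (path, label, program, reasons) for each plist worth a look."""
    findings = []
    for d in dirs:
        for path in sorted(glob.glob(os.path.join(d, "*.plist"))):
            try:
                with open(path, "rb") as f:
                    plist = plistlib.load(f)
            except Exception as e:  # a plist launchd cannot parse is itself odd
                findings.append((path, "", "", ["unparseable: %s" % e]))
                continue
            prog = program_of(plist)
            reasons = []
            if not prog.startswith(TRUSTED):
                reasons.append("program outside trusted locations")
            if plist.get("RunAtLoad") and plist.get("KeepAlive"):
                reasons.append("RunAtLoad+KeepAlive: relaunches when killed")
            if reasons:
                findings.append((path, plist.get("Label", ""), prog, reasons))
    return findings

def demo():
    """Audit a constructed agent resembling an adware entry (not a real IoC)."""
    tmp = tempfile.mkdtemp()
    item = {"Label": "com.example.searchhelper", "RunAtLoad": True, "KeepAlive": True,
            "ProgramArguments": ["/Users/me/Library/Application Support/Helper/helper"]}
    with open(os.path.join(tmp, "com.example.searchhelper.plist"), "wb") as f:
        plistlib.dump(item, f)
    return audit_launch_items([tmp])
```

Run `audit_launch_items()` with no arguments on the Mac itself to list the real entries; anything flagged should be checked against the app that owns it before it is unloaded or deleted.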

  5. Doc Searls

    Thanks, all.

    I’m still in the midst. The apparent culprit is trovi, and I’ve removed everything called trovi that I can find from the machine (a MacBook Air). It no longer seems to be infecting Firefox or Safari, but it’s still infecting Chrome. Every new tab I open has http://www.trovi.com/?… (long string of jive) as the default URL. Chrome seems to have removed “reset browser settings” as an option. I don’t want to reset everything yet, but maybe I’ll have to.

    I also bought and installed Norton, but it does nothing to fix the browser stuff, and didn’t catch anything related to Trovi. Just saying.

  6. Adrian Klaver

    Tips on how to get rid of Trovi, including on Chrome:

    http://lavasoft.com/mylavasoft/company/blog/how-to-remove-trovi-search

  7. Doc Searls

    Thanks, Adrian, but Lavasoft seems to be Windows only. Won’t work for me.

  8. Adrian Klaver

    You do not need to use Lavasoft to do the removal. They would like you to, but it is not a requirement. Go to the bottom of the page and walk through the instructions for cleaning up Chrome from within Chrome.

  9. Doc Searls

    Okay, I reset Chrome and that seems to have done the trick. So I think (or hope) I’m done.

    Thanks for all your help!

  10. Adelia Goetter

    Hi there, I just wanted to drop you a line to say that I thoroughly enjoyed this detailed post of yours. I have subscribed to your RSS feeds and have skimmed a few of your posts before, but this one really stood out for me. I know that I am just a stranger to you, but I figured you might appreciate the admiration. Take care and keep blogging.
