Weird Firefox redirect. Possibly virus?

Hey guys. Another weird one...

I've been getting a strange redirect to an "Update your Flash Player" website thing. You know the ones, obviously fake. Usually the address is "lmpxp.20XX..." where XX is a number, usually 29 or 31 with a long string of gibberish after it. Over the last few days, it's been happening regularly. Although seemingly random, I can reliably replicate the popup just by going on imgur. It reliably pops up after a few images.

I've tried all the simple stuff to try to stop it. No weird processes or FF extensions running. Reinstall and reset of FF settings. Several Malware scans; originally with Windows Defender and then with several "Free Trial" things. Malwarebytes to name one. They don't find anything. Googling lmpxp just brings up hundreds of these template "Virus Help" sites trying to get you to install some software, so I'm stuck. Does it sound like a virus that these things aren't detecting? I'm pretty good with dodgy websites and regular scans etc, but hey.

Chrome doesn't seem to do the redirect thing. I installed it to check, though I'd hate to switch browsers. It also happens in safe mode with networking, too. Any ideas? I can post scan logs or anything you need if necessary.
 
I too sometimes get redirects with Firefox.

Usually if I leave http://www.newsnow.co.uk/h/ open for too long, I get a page usually with an update your flash message.... It's just a regular news website.

I run a very tight ship, so it's unlucky to be a virus etc.... I reckon it's the website causing the issue.

Although I haven't seen it recently.

What sites are you browsing when you see this issue?
 
Thanks for the replies, guys.

What sites are you browsing when you see this issue?

Randomly with all sites and then more frequently on Imgur and a few wiki sites. Very weird!

Are you running adblockplus?

I'm not. Never felt the need for it. Will report back.

Run ccleaner
Run adwcleaner
Run malwarebytes
Run Hitman Pro

If the issue persists

Run combofix (download from bleepingcomputer)

Adwcleaner, Malwarebytes and Hitman I've already done. Will try the others. Thanks again.
 
Check your installed programs list for anything that looks out of place or that you haven't installed.

Check your hosts file located c:\windows\system32\drivers\etc - it should look like the one below (Win7 and 8)

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handle within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
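
The hosts-file check suggested above, automated as an added example (not code from this thread): the stock file is all comments, so any uncommented line other than localhost deserves a look. The sample texts, the `example.com`/`example.net` names and the documentation-range address are constructed for illustration.

```python
import ipaddress

# Constructed sample: abbreviated copy of the all-comments default shown above.
DEFAULT_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# For example:
# 102.54.94.97 rhino.acme.com # source server
# localhost name resolution is handle within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
"""
# Constructed sample: the default plus three active lines (documentation addresses).
TAMPERED_HOSTS = DEFAULT_HOSTS + (
    "127.0.0.1 localhost\n"
    "203.0.113.7 www.example.com # constructed entry\n"
    "0.0.0.0 updates.example.net\n"
)

def parse_hosts(text):
    """Return (line_number, ip_or_None, fields) for every uncommented entry."""
    entries = []
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if not fields:
            continue
        try:
            entries.append((lineno, ipaddress.ip_address(fields[0]), fields[1:]))
        except ValueError:
            entries.append((lineno, None, fields))  # first column is not an IP
    return entries

def suspicious_entries(text):
    """List active mappings other than localhost -> loopback."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        if ip is None:
            findings.append((lineno, "unparseable", " ".join(names)))
            continue
        for name in names:
            if ip.is_loopback and name.lower() == "localhost":
                continue  # harmless, matches the commented default
            reason = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
            findings.append((lineno, reason, f"{name} -> {ip}"))
    return findings

if __name__ == "__main__":
    for finding in suspicious_entries(TAMPERED_HOSTS):
        print(*finding)
```

To audit a real machine, pass the contents of the file in `c:\windows\system32\drivers\etc` to `suspicious_entries` instead of the sample; an empty result means nothing is overriding DNS through the hosts file.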
 
Check your installed programs list for anything that looks out of place or that you haven't installed.

Check your hosts file located c:\windows\system32\drivers\etc - it should look like the one below (Win7 and 8)
-SNIP-

Thanks man. Should have mentioned. Everything in programs is accounted for and I had already checked Hosts; everything normal.

I put the firewall settings on my router (VM superhub, wired) up to max just to see if it made a difference. Redirect still happened, and it wasn't letting Steam or Origin connect! I could probably add exceptions, but I just put it back to default for now.
 
Nothing strange in startup. No listed proxies that I could find, though my experience is limited when it comes to networking stuff.

Router is a VM Superhub so it doesn't have its own DNS settings. I tried to find them last night. I can't access the Properties of TCP/IP in Network Settings to check, either as I get an error saying "You must install and configure an adapter card to configure..."
 
You can check your DNS settings by opening a command prompt (start, run, cmd, enter) and running ipconfig /all

Thanks. DNS servers are 194.168.4.100 and 194.168.8.100. They're the normal ones, right?

As for Adblock, I've just put it on and it seems to be preventing the redirects. I'll report back after a while longer using it.

If it is just random then I guess it's fine. If, however, it is something more malicious, could ignoring it lead to something worse? Like wallpapering over damp? I'd rather avoid my computer's ceiling falling in, so to speak.
 