I'm going to war with a Level 84 Adware Injector, help me destroy it
October 7, 2011 2:15 AM   Subscribe

Some adware is injecting this javascript code into page source on my Firefox. Help me find it.

The code gets injected right after the 'body' element for the website begins.

It only happens on Firefox and is not entirely reproducible, i.e., it seems to occur randomly. AdBlock keeps the ads themselves blocked, so all I see is a white rectangle as per the 'div' parameters, which does nothing and obscures anything underneath it.

So far, I've found it happen on MetaFilter, Reviewing the Kanji, LazyMeter and Anime News Network.

Interestingly, it seems to stay off of major websites like Google, Wikipedia, BBC, CNN, Al Jazeera, Hotmail, etc.

I can't find anything by googling (I'm not even sure what to google). I ran a full scan with Microsoft Security Essentials, but it didn't yield anything. Tried clearing my cookies and cache, didn't work.

I do have a ton of add-ons, but none that were installed/updated recently, and this problem began only yesterday. I have no baggage toolbars or plugins or anything of the sort.

Help me MeFi, only hope, etc. etc.
posted by Senza Volto to Computers & Internet (16 answers total) 3 users marked this as a favorite
Response by poster: P.S. I just remembered another effect that's been happening since yesterday. Often, I get 404 errors on websites for what are otherwise perfectly fine links.

Right after I made this post, I clicked on the Ask MetaFilter logo and was taken to Error, page not found page (with ask.metafilter.com in the address bar).

I've noticed 404s occurring on some other sites yesterday, though they get fixed by a refresh.
posted by Senza Volto at 2:18 AM on October 7, 2011

Test to see if it happens when connected to an https site. That might help you pin down if it's happening locally or elsewhere on the network.
posted by NMcCoy at 2:52 AM on October 7, 2011

Response by poster: Checked out about dozens of random https sites and doesn't seem to be happening on them. But then, it doesn't happen on lots of regular http sites too, so I can't be sure.

Got a lead. Was visiting a vBulletin forum I frequent and I got a 404 when accessing the main page with the message that "/.mytemp" was not found on the server. The site loaded normally after that.
posted by Senza Volto at 4:21 AM on October 7, 2011

Maybe try clearing cache and then running wireshark to get some clues on the origin of the pastebin'd source?
posted by Dr. Eddie Evil at 4:34 AM on October 7, 2011

Does software like spybot search and destroy yield anything?
posted by I_pity_the_fool at 4:54 AM on October 7, 2011

Response by poster: Will try doing both, thanks.

I found the thing popped up on a site, and disappeared when I visited its https version. Of course, when I returned to the regular version it was gone too, but it's probably safe to say now that it doesn't happen over https.
posted by Senza Volto at 5:00 AM on October 7, 2011

If Security Essentials didn't find anything and it only happens in Firefox, I'd turn off all FF add-ons except NoScript.
posted by advicepig at 5:22 AM on October 7, 2011

I would run Security Essentials and Malwarebytes *while in safe mode with networking*. A lot of newer stuff either can't be removed or doesn't show up while in normal mode.
posted by gracedissolved at 6:46 AM on October 7, 2011

Response by poster: Had Security Essentials do a scan and clean-up, still happening. Am trying to pin things down with Wireshark just now, but just thought I'd mention that I tried Firefox under a blank profile and it seems to come up on it (no extensions installed). So we can rule out extensions and preferences tampering.

The popup seems to be programmed to show up once after a period of inactivity, so constantly refreshing isn't helping. I have to wait, then refresh the target page and it comes up. I think the time limit is a few minutes long.
posted by Senza Volto at 7:02 AM on October 7, 2011

Change DNS servers?
posted by Thorzdad at 7:09 AM on October 7, 2011

Response by poster: @Thorzdad: Did, tried OpenDNS and Google, didn't work.
posted by Senza Volto at 7:30 AM on October 7, 2011

Response by poster: Dang sorry, in the second-to-last post I meant Spybot Search & Destroy, not Security Essentials. My bad, not enough coffee obviously.
posted by Senza Volto at 7:32 AM on October 7, 2011

Best answer: Just as a sanity check, have you looked at your FF proxy settings? (In FF on Mac this is in Settings > Advanced > Network > Connection > Settings.)

Also, I found one report of an ISP injecting this into client traffic.
posted by mvd at 7:33 AM on October 7, 2011 [1 favorite]

Response by poster: Thanks for the link, mvd! It looks like they've started today. I'll follow that link for further developments. :)
posted by Senza Volto at 8:09 AM on October 7, 2011

If the code is consistent from page to page and fits a pattern you can describe in regexp, you can use a web filter to extract it. Such a program would be the web proxy, so you can disable and enable it at will. It's possible that FF's plugin/extension "NoScript" is serving this role as well, without being a proxy.

I used to use Proxomitron, which last I checked is long out of development but very robust and has decent community support. It does act as a web proxy, so it'll handle all your browsers, assuming they're configured for the proxy. Just do your brain a favor and turn off the default skin.
posted by Sunburnt at 9:40 AM on October 7, 2011
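An added example, not from any poster in this thread: NMcCoy's https-versus-http test and Sunburnt's pattern-based filter can be combined into a small detection check. It compares a reference copy of a page (as fetched over HTTPS) with a suspect copy (as fetched over plain HTTP), reports any lines that appear right after the opening body tag only in the suspect copy, and flags the script-plus-blank-div shape the poster described. The two HTML documents are constructed sample input, not the poster's pastebin source.

```python
import re
import difflib

# Constructed sample: the same page as served over HTTPS (clean) and over
# plain HTTP with a script and a blank absolutely positioned div inserted
# right after the opening <body> tag, as described in the thread.
CLEAN_HTML = """<html><head><title>Forum</title></head>
<body class="page">
<div id="content"><p>Welcome back.</p></div>
</body></html>"""

INJECTED_HTML = """<html><head><title>Forum</title></head>
<body class="page">
<script type="text/javascript">/* injected */</script>
<div style="position:absolute;width:300px;height:250px;background:#fff"></div>
<div id="content"><p>Welcome back.</p></div>
</body></html>"""

BODY_TAG = re.compile(r"<body\b[^>]*>", re.IGNORECASE)


def lines_after_body(html):
    """Return the document lines that follow the opening <body> tag."""
    m = BODY_TAG.search(html)
    if not m:
        return html.splitlines()
    return html[m.end():].splitlines()


def find_injected_lines(reference_html, suspect_html):
    """Lines present after <body> in the suspect copy but absent from the
    reference copy (e.g. HTTPS fetch vs plain-HTTP fetch of one URL)."""
    ref = lines_after_body(reference_html)
    sus = lines_after_body(suspect_html)
    diff = difflib.unified_diff(ref, sus, lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


def looks_like_adware_injection(lines):
    """Heuristic for the pattern in the thread: a script tag plus an
    absolutely positioned div inserted together."""
    joined = "\n".join(lines).lower()
    return "<script" in joined and "position:absolute" in joined


if __name__ == "__main__":
    extra = find_injected_lines(CLEAN_HTML, INJECTED_HTML)
    for line in extra:
        print("injected:", line)
    print("adware pattern:", looks_like_adware_injection(extra))
```

To use it on a live page, fetch the same URL twice (https and http) after the idle period the poster noticed and pass the two bodies in place of the sample strings.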

mvd's link implies that this is purposefully injected by your ISP. If your ISP is injecting this, then HTTPS wherever you can is important, but you may also want to consider a 3rd party VPN solution. They shouldn't be able to inject into that.

Also, if your ISP does this, fire them ASAP and get service from a company that is not doing this.
posted by Mad_Carew at 5:39 PM on October 7, 2011
