2 Macs infected, Russian redirect, Google images

I think two of my Macs are infected. I keep getting Russian redirects through Google image search. I have five Macs; the three other Macs don't seem to be infected.

Outline of equipment.

Gateway SOHO router has IPS/IDS paid deep packet inspection, and AV.
Second UTM server in bridge mode is an Untangle Lite with Kaspersky and Clam gateway AV with all modules in use. http://www.untangle.com/Product-Overview
All 5 Macs running Snow Leopard fully updated and firewalls enabled.
All 5 Macs have Firefox 3.6.13 with NoScript, AdBlocker, BetterPrivacy, and Ghostery.
The 2 Macs that appear to be infected are my wife's and my daughter's, which use WebKit/Safari mostly.
The 3 I run use Firefox with the above add-ons enabled almost exclusively.
All run OpenDNS and OpenDNS is specified in the router. (I test that the Macs are running OpenDNS monthly.)
Apple updates get applied the same day they are released (always).
Intego VirusBarrier X6 updated daily with full scans twice a month, quick scans weekly, and ClamXav scans monthly; even though Clam has only a couple of Mac sigs, I still do it for PC viruses. Ran latest definitions on both. Clean.
Ran Sophos when this happened and did it with best practices: disabling on-demand scanners when other AV is scanning, plus calling out AV files as Trusted. Ran latest definitions. Clean.
Ran Rootkit Hunter 0.2 with updated sigs. Clean.

Here is how I found my issue. We have 2 iMacs side by side, mine and my daughter's. My daughter Googled "difficult color by number printables" and she clicked on the "images" link to get all the images instead of the normal Google links page. She clicked on an image in a newly updated nightly build of WebKit and received the browser warning about going any farther will damage your computer, or something like that. I said cool, let me see if I get that in Firefox. It didn't, so I tried WebKit and still nothing. I tried loading the same image in Firefox on my daughter's Mac and it called out a malicious site just like WebKit. The redirects affect both browsers. The redirect would want to go to a XXXXXX.ru address. I would try some other images on the Google image page and her computer would get block pages from the browser. My computer would not; I loaded a clean, non-redirected page with no redirect on my computer. Same image, 2 different outcomes. Ran newly imaged Fedora 14 on a machine that never was on the net and all is well with the Google image search.

My wife's computer is running as Admin, to my disappointment. My daughter's is running in a Standard account, and the Admin account is clean and does not get redirected.

Something is sending me to .ru. On my daughter's infected computer I am also getting redirected to a link page, "Rivasearchpage dot com". Both my daughter's and my wife's computers act the same, so I'm assuming they have the same infection. I just loaded Opera on my daughter's computer to see if a new browser would be redirected; it was, to a porn page that my OpenDNS filter blocked. It also is going to Rivasearch dot com on 30% of the images. On my clean computer next to it, I am getting all clean images on clean sites.

Any ideas????

Both computers have the exact same hosts output:

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1    localhost
255.255.255.255    broadcasthost
::1             localhost
fe80::1%lo0

I see nothing.

Thanks for your help!!!
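The hosts check above is done by eye. As an added example (code written for this thread, not from the original poster or from Sophos), here is a small Python script that parses a hosts file in the format posted and flags the two things a redirect-style infection would leave there: a public name pinned to a remote address, or a name sinkholed to loopback. Both sample files are constructed: the first mirrors the listing in the reply, the second adds invented entries using documentation addresses (203.0.113.0/24) and a made-up `.invalid` name. The script goes slightly beyond the posted file in that it also handles IPv6 scope ids such as `%lo0`. Note that the hosts file is system-wide, so it cannot by itself explain a redirect that hits one user account but not the Admin account on the same machine.

```python
import ipaddress

# Constructed sample: the hosts file as posted in the thread (stock entries only;
# the last line has no hostname, exactly as it appeared in the post).
POSTED_HOSTS = """\
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1    localhost
255.255.255.255    broadcasthost
::1             localhost
fe80::1%lo0
"""

# Constructed sample of a tampered file (hypothetical; addresses are from the
# 203.0.113.0/24 documentation range, names are invented for illustration).
TAMPERED_HOSTS = POSTED_HOSTS + """\
203.0.113.10    www.google.com
203.0.113.10    images.google.com   # search traffic hijacked to a remote host
127.0.0.1       update.example-av.invalid   # AV update server sinkholed
"""

# Names that a stock macOS hosts file legitimately maps to local addresses.
EXPECTED_LOCAL = {"localhost", "broadcasthost"}


def parse_hosts(text):
    """Return a list of (address, [names]) tuples, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def is_local_address(addr):
    """True for loopback, link-local and the limited broadcast address.

    A scope id such as %lo0 is removed before parsing so fe80::1%lo0 is accepted.
    """
    bare = addr.split("%", 1)[0]
    try:
        ip = ipaddress.ip_address(bare)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_link_local or bare == "255.255.255.255"


def find_suspicious(text):
    """Return human-readable findings for every non-stock hosts entry."""
    findings = []
    for addr, names in parse_hosts(text):
        for name in names:
            if name in EXPECTED_LOCAL and is_local_address(addr):
                continue   # stock macOS entry, nothing to report
            if is_local_address(addr):
                findings.append(f"{name} -> {addr}: name sinkholed to a local address")
            else:
                findings.append(f"{name} -> {addr}: name pinned to a remote address")
    return findings


if __name__ == "__main__":
    for label, sample in (("posted", POSTED_HOSTS), ("tampered", TAMPERED_HOSTS)):
        hits = find_suspicious(sample)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print("  " + hit)
```

To run it against a live machine, read `/etc/hosts` into a string and pass it to `find_suspicious`; an empty list means the file contains only the stock entries, which is what the reply above reports.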