strange browser redirect > possible malware/virus?


  • This topic is locked
4 replies to this topic

#1 Atamarashi

Atamarashi

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:24 PM

Posted 03 June 2010 - 05:41 AM

Hello,

Yesterday, I had been browsing the internet, specifically tech sites (www.tomshardware, www.hardforums.com, etc.), using Mozilla Firefox 3.6.3 on my Windows 7 system, when I went to click on a bookmarked site (www.tweakguides.com) and was strangely redirected to a peculiar IP address starting with 77. I can't remember the exact address I was redirected to; however, Firefox had stopped loading the page, apparently due to the website 'requesting to redirect' in a manner that would never complete, or so. I suspected I may have encountered some sort of malicious site, so I immediately closed the browser and ran both a Quick Scan and a Full Scan with Avast, after updating definitions of course, finding nothing infected. I then updated Malwarebytes' Anti-Malware and proceeded to scan in both 'Quick Scan' and 'Full Scan' modes, still finding nothing infected.

I also have checked for any strange running processes with Process Explorer, finding multiple svchost.exe's, where one had started up WmiPrvSe.exe (or similar) at system boot-up, and that process would stay running until about 15/30 min of use where it would strangely disappear.

One svchost.exe process was using about 141MB of memory for no particular reason; which raised my idle memory usage to 30%, where my usual memory usage would be listed at around 26%-28% with only minimal programs running (Rivatuner, Avast). (I have 4GB of RAM installed in my system)

I have yet to re-run these scans from Avast and Malwarebytes' Anti-Malware in Safe Mode; however, I am wondering whether this is actually a case of virus/malware/spyware infection at all.

I am considering if this may also be some sort of Trojan/Rootkit....

The system does not seem to be exhibiting any unusual sorts of symptoms of an infection, other than a videogame running on my system taking up 1,067MB of memory, totaling my combined memory usage to about 2,458MB or so.

Any investigation into this matter would be greatly appreciated.

More detailed System information:
  • Windows 7 Ultimate x64
  • 4GB RAM
  • Internet browser: Mozilla Firefox 3.6.3 w/NoScript, AdBlockPlus, Web of Trust addons.
  • Java Version: Platform SE 6 U18
I think I run what is called a 'protected Admin' account.

Edit Update: I reran Malwarebytes Antimalware with Quick and Full Scans while in Safe Mode, finding nothing infected yet again...

I am thinking of attempting to use an online virus scanner, such as TrendMicro's Housecall.

Edited by Atamarashi, 03 June 2010 - 07:58 AM.

------------
"Do or do not. There is no try." - Yoda
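A defender-side check for the svchost.exe observation above, added here as an example and not part of the thread: it maps each svchost.exe instance to the services it hosts, its image path and its memory use, so an unusually large instance can be tied to specific services rather than guessed at. It assumes Windows PowerShell 3.0 or later (for Get-CimInstance); the size threshold is an assumption, not a rule from the thread.

```powershell
# Added example (not from the thread): tie each svchost.exe to the services
# it hosts and its working set. Assumes PowerShell 3.0+ on Windows.
$procs    = Get-Process -Name svchost -ErrorAction SilentlyContinue
$services = Get-CimInstance -ClassName Win32_Service

$report = foreach ($p in $procs) {
    # Services report the PID of the process hosting them
    $hosted = $services | Where-Object { $_.ProcessId -eq $p.Id }
    [PSCustomObject]@{
        PID          = $p.Id
        WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB, 1)
        # Path is $null when the process cannot be opened from a non-elevated shell
        Path         = $p.Path
        Services     = ($hosted.Name -join ', ')
    }
}

# Largest instances first; the one at ~141 MB in the post would sit at the top
$report | Sort-Object WorkingSetMB -Descending | Format-Table -AutoSize

# Worth a closer look in Process Explorer: an svchost.exe whose image is not
# the one in System32, or that hosts no service at all.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
$report | Where-Object {
    ($_.Path -and $_.Path -ne $expected) -or [string]::IsNullOrEmpty($_.Services)
} | ForEach-Object {
    Write-Warning ("svchost PID {0}: path='{1}' services='{2}'" -f $_.PID, $_.Path, $_.Services)
}
```

Run it from an elevated prompt so every process's image path is readable; instances with an empty Path after that are the ones to treat with suspicion.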

#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,404 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:24 AM

Posted 03 June 2010 - 11:21 AM

Hello, ********
Scanning with MBAM in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, it loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails.

If you cannot use or complete a scan in normal mode, then try performing a Quick Scan in "Safe Mode". After reboot, click the Logs tab and copy/paste the contents of the new report in your next reply.


Next run ATF and SAS: If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

------------
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Atamarashi

Atamarashi
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:24 PM

Posted 04 June 2010 - 02:43 AM

Thank you for replying.
First item: attached here is my MBAM Quick Scan report log while in normal mode.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4168

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

4/06/2010 4:01:38 PM
mbam-log-2010-06-04 (16-01-38).txt

Scan type: Quick scan
Objects scanned: 121175
Time elapsed: 3 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

When I had booted into Windows to do the MBAM scan, I had noticed the computer was running slightly sluggish...

Now, when I first ran ATF Cleaner in Safe Mode, I had forgotten to run it as an Administrator; however, I followed the rest of the instructions to Select All and click Empty Selected. It had found and removed some 30,000MB worth of files before I realised I had not run it as an Administrator.

I then followed through with the SUPERAntiSpyware Complete Scan (Safe Mode):

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/04/2010 at 05:31 PM

Application Version : 4.38.1004

Core Rules Database Version : 5030
Trace Rules Database Version: 2842

Scan type : Complete Scan
Total Scan Time : 01:17:11

Memory items scanned : 337
Memory threats detected : 0
Registry items scanned : 10868
Registry threats detected : 0
File items scanned : 164565
File threats detected : 0

After this scan had completed, I ran ATF Cleaner as an administrator and followed the exact same instructions as before for ATF to see if the elevation to Administrator privileges made a difference: it found and removed 3,111KB worth of files.

I attempted to click the Firefox tab at the top of the ATF window, however it was strangely greyed out.

I rebooted back into normal mode and still the computer does not seem to be exhibiting any major symptoms of infection, (as far as I can tell).
I am starting to have doubts on whether my system actually had an infection or not...

Edited by Atamarashi, 04 June 2010 - 02:50 AM.

------------
"Do or do not. There is no try." - Yoda

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,404 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:24 AM

Posted 04 June 2010 - 09:37 AM

Well your description sure did sound like malware. I feel there may be a protected rootkit in here.

We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
Gmer may not run on a 64 bit system, so move on.
Let me know if that went well.

#5 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,987 posts
  • ONLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:24 AM

Posted 04 June 2010 - 10:23 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/321673/strange-browser-redirectpotential-malwarerootkit/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom

------------
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
