Afraid computer security may be compromised; Gmail showing up as "Untrusted Connection" etc


3 replies to this topic

#1 linds42


Posted 08 February 2011 - 04:11 PM

When I attempted to go to Gmail.com earlier I was given a warning page from Firefox that said this:

This Connection is Untrusted

You have asked Firefox to connect securely to www.google.com, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

Technical Details

www.google.com uses an invalid security certificate.

The certificate is only valid for the following names:

www.xing.com, xing.com

(Error code: ssl_error_bad_cert_domain)


I had been using this same computer for a few hours previous to this and had been on Gmail during that time with no problems, it just seemed to happen at random when I started Firefox up again. I wasn't on any unordinary sites in the time between when Gmail worked and when it gave me the error message and nothing else out of the ordinary was happening with my computer either. I have never heard of or visited "xing.com" before (apparently it's some sort of German social networking site) and I have no idea why it appeared in the error message. I cleared my cache and everything else and restarted Firefox but was still met with the same warning when attempting to go to Gmail. I googled it and found that this error is sometimes caused by an incorrect system date/time, but I verified that mine is correct so that's not the issue. I then tried to access gmail from my laptop (also using Firefox) and it worked fine and didn't give me any warnings. I did some more searching to try and find out what the cause might be and noticed that the "auto-detected location" that appears in the left-hand side of the google search results was incorrect, displaying "New York City, New York" which is the wrong state and off by about a thousand miles. I tried making a google search with my laptop and there was no location listed there at all.

I don't know a whole lot about this sort of thing, but the incorrect location coupled with the sudden mysterious "Untrusted Connection" error (both of which I've never experienced until now) got me suspicious enough to unplug my routers entirely and then run two full 3.5 hour system scans with two anti-virus programs (Norton 360 and AVG). I plugged my routers back in after about a half hour and tried accessing gmail again and this time did not receive the error anymore. I tried doing a google search and the auto-detected location had gone back to being correct again. About 3 hours later the anti-virus scans finished and neither of them had found anything at all.

Still, I can't help but worry since the untrusted connection/incorrect location issues sound like symptoms of a hijack/hack attempt or some sort of virus or infection and before going to Gmail and getting that error I had just been logged into my online bank account so that makes me even more ill at ease. So do I have reason to worry? Is it safe to log into Gmail and other accounts now? What could the explanations be for why this happened and/or why unplugging my routers fixed it, and what should I be doing about it now?

Other info: I'm not sure how relevant this is, but my OS is Windows XP Professional SP3 and I have two routers; one is a Linksys Wireless-N Broadband Router and the other is a Netopia ADSL+ Gateway. I'm not the one who bought or installed either of these (they belong to my roommate) but they're set up so that my desktop computer (the one with the problem) is using a wired connection and my laptop and my roommate's mac are using a wifi connection.
Thanks in advance for any help or information!
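
What the quoted warning is checking, as an added example that is not part of the original post: the browser compares the hostname it asked for against the names in the certificate the server presented. The matching below is a simplified sketch of RFC 6125-style rules, not Firefox's code, and the example.com names are constructed.

```python
# Added example: the name check behind ssl_error_bad_cert_domain.
# Simplified RFC 6125-style matching; not Firefox's actual implementation.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")

def name_matches(hostname, pattern):
    """True if one certificate name (optionally '*.'-prefixed) covers hostname."""
    host, pat = _labels(hostname), _labels(pattern)
    if len(host) != len(pat):
        return False  # a wildcard never spans more than one label
    if pat[0] == "*":
        # Wildcard only as the whole left-most label, and only with at
        # least two fixed labels after it (rejects '*.com').
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat

def check_certificate(hostname, cert_names):
    """Return (ok, message): does any name in the certificate cover hostname?"""
    matched = [n for n in cert_names if name_matches(hostname, n)]
    if matched:
        return True, f"{hostname} is covered by {matched[0]}"
    return False, (f"{hostname} uses an invalid security certificate. "
                   "The certificate is only valid for the following names: "
                   + ", ".join(cert_names))

# Names taken from the warning quoted in the post.
REPORTED_NAMES = ["www.xing.com", "xing.com"]
# Constructed name list for comparison (not a real certificate).
CONSTRUCTED_NAMES = ["*.example.com", "example.com"]

if __name__ == "__main__":
    for host, names in [("www.google.com", REPORTED_NAMES),
                        ("www.xing.com", REPORTED_NAMES),
                        ("mail.example.com", CONSTRUCTED_NAMES),
                        ("a.b.example.com", CONSTRUCTED_NAMES)]:
        print(check_certificate(host, names))
```

A name mismatch like this means the browser reached a server that presented some other site's certificate; it says nothing by itself about how the connection ended up there.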


#2 boopme


Posted 08 February 2011 - 10:05 PM

Hello, that sure does sound odd. Let's do a malware scan and see what comes back.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware

#3 linds42


Posted 11 February 2011 - 08:44 PM

Sorry for the late reply; I did the MBAM scan and it found two infected items (which surprised me since the 3.5 hour long full system scans with Norton 360 and AVG found nothing at all)

Here's the log:

-----------------

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5722

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

2/9/2011 3:13:19 PM
mbam-log-2011-02-09 (15-13-19).txt

Scan type: Quick scan
Objects scanned: 154177
Time elapsed: 4 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\uackkplranbxnjvrmt.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.

-----------------

I've done several scans with MBAM since then which have come up clean. So is it likely that one or both of the infections above caused the issue with Gmail and the false location in the search results? If one or both of those was the cause I'm not sure why simply unplugging the router fixed the issue since the infections were clearly both still there after I did that--it wasn't until the following day that MBAM detected and removed them. I'm also not sure why they'd pick that specific time to go into action...I'm almost positive that I didn't visit any sites besides my usual trusted ones that day (Google, Gmail, Amazon, banking website etc) so I'm having a hard time figuring out where the infection may have come from.

Apart from that info, two other things to note...they could be relevant or not, but I figured I'd include them. The first is that when accessing Gmail yesterday (Feb 10th) I got this error message that I've never seen before:
Posted Image

I refreshed the page and it went away, but I still found it odd.

The other is that while in Gmail yesterday and earlier today I got this icon at the bottom of the browser window:
Posted Image

I'm not sure if I've gotten that before or not because normally I'm not looking for it. When I log into gmail now I get the standard gold lock icon without the red exclamation point next to it so I don't know why it was there earlier or if it's anything to be worried about.
Thanks for the help so far!
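
A parser for the log format shown in this post, as an added example that is not part of the original thread or of Malwarebytes' tooling: it extracts each detection, checks that the summary counts agree with the items actually listed, and separates out rootkit-class names. The function names are hypothetical and the embedded log is an excerpt of the one posted above.

```python
import re

# Excerpt of the MBAM log posted above (sections with no detections trimmed).
LOG = r"""Database version: 5722
Scan type: Quick scan
Registry Keys Infected: 1
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\uackkplranbxnjvrmt.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

SUMMARY = re.compile(r"^(?P<cat>[A-Za-z ]+) Infected: (?P<n>\d+)$")
SECTION = re.compile(r"^(?P<cat>[A-Za-z ]+) Infected:$")
ITEM = re.compile(r"^(?P<obj>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam(text):
    """Return (summary counts per category, list of detection dicts)."""
    counts, found, section = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := SUMMARY.match(line):
            counts[m["cat"]] = int(m["n"])
        elif m := SECTION.match(line):
            section = m["cat"]
        elif section and (m := ITEM.match(line)):
            found.append({"category": section, **m.groupdict()})
    return counts, found

def triage(text):
    counts, found = parse_mbam(text)
    listed = {}
    for f in found:
        listed[f["category"]] = listed.get(f["category"], 0) + 1
    # Header counts that disagree with the item list mean the pasted log
    # is incomplete or was altered.
    mismatched = sorted(c for c, n in counts.items() if n != listed.get(c, 0))
    # Rootkit-class names call for a dedicated rootkit scan as a follow-up.
    rootkits = [f for f in found if f["name"].lower().startswith("rootkit.")]
    return {"detections": found, "count_mismatch": mismatched, "rootkits": rootkits}

if __name__ == "__main__":
    print(triage(LOG))
```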

#4 boopme


Posted 12 February 2011 - 10:20 AM

Let's first see if there are more TDSS infections as they all can be related.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.




