Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser name (chrome/Firefox/...) user survey 2014 - virus?


  • This topic is locked This topic is locked
4 replies to this topic

#1 alex1313

alex1313

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 13 December 2014 - 12:47 PM

Mod Edit moved to Forum for HJT logs~~ boopme

I got a strange user survey when browsing the web a few days ago, that made me suspicious of virus on either my computer or (more likely) the web site.
 
I went to the domain strawberri with TLD .es
 
And got redirected to a page titled Chrome User Survey (2014)
 
The URL was: http://sweden.survygenie.com/e/valse30n.html?keyword=53bb488fb9305fb37c13ae8f&country=SE&domain=SE&pid=&voluumdata=vid..00000006-cd88-4c38-8000-000000000000__vpid..dc77d000-7e3a-11e4-8d74-45aaefec7a13__caid..f3a6c967-9777-4102-a4bc-fb123a56cc21__lid..978225d0-af54-401f-bd8d-bbe6003f0fa1__rt..D__oid1..452240d3-bc53-4b87-897f-877efe38fa66__oid2..62f6bbd9-3fb8-47e6-b455-8e88c218eb8e__oid3..850cbfdd-c8ba-417e-8409-7e8380d13dc7__var1..53bb488fb9305fb37c13ae8f__var2..n%2Fa__var3..0\.\0136__var4..wifi__var5..others__var6..SE&sourceid=53bb488fb9305fb37c13ae8f&match=n/a&cpc=0.0136&carrier=wifi&mob_pf=others
 
The title is generated by jquery: $('title').html(browserName + ': User Survey') (Chrome User Survey or Firefox User Survey) On the page it says something strange that the survey has nothing to do with Chrome / Firefox. IT said I could get products worth 400 SEK for answering the survey.
 
I had seen the exact same survey on another site the same day, but then I had so many browser tabs open I just clicked it away and dont remember where it came from.
I scanned the strawberri dot es with virustotal.com and it come out clean. This guy seems to have seen a similar survey.
 
Since I saw it before and since virustotal says the site is clean, I wonder if my computer is infected?
 
I also had a sore throat that day so I think I might have caught a computer virus myself (joking).
 
 
I scanned the whole computer with AVG. Says it is clean. I tried the strawbeeri site from my other computer, first with TOR browser, then it shows another page (regular "this domain is for sale page"). When I tried it with Chrome, Firefox, on my other computer it shows the survey again. So either it is the site or I got my other computer infected by going there.
 
Since Chrome/Firefox and TOR Browser shows different pages, it is definitely something fishy.
 
 
Anyone knows if this site is infected?
 
 
Its a new (Lenovo) laptop I had only installed:
 
- Windows 8.1 with updates (.iso downloaded from the pirate bay, but I checked the SHA1 code and it was the same as Microsoft publishes on the msdn site for isos). I reinstalled it to get rid of annoying bloatware (including one that shows ads on web sites!!). thepiratebay.se is down now unfortunately so I can't link to the torrent.
 
- Some other programs like: Mobile Partner (3G internet), VLC player, Skype, TOR Browser, Chrome, Firefox, GPA (GPG4win.com),
 
- I downloaded Ninite (bundle installer) and used it to install: iTunes, SumatraPDF, Notepad++, Audacity, WinRAR, Filezilla. Virutstotal said it was clean.
 
- Then I got uTorrent version 3.2.3 from an old versions site, seemed clean according to virustotal.com
 
- According to Control Panel I also have: Bonjour, Microsoft Visual C++, Visual Studio 2012, Apple Mobile Device Support, Apple Application support, Apple Software update, Bonjour, Lenovo Easycamera, Mozilla Maintenance service, Synaptics Pointing Device Driver, Conexant HD Audio.
 
(- Later I also got Ms Office 2013 from an original DVD.)
 
 
Some web site said there is a virus like this and to remove extensions in my web browsers, that I should have none if I have installed anything. I had 3 in Chrome, all names related to Google Docs (seemed legit). I removed them just to be sure. Firefox had no extensions but some plugins (iTunes, google update, MS Office 2013, OpenH264)
 
I ran HijackThis on the computer and saved logs after each program I installed (for future references).
My log from HiJackThis.
I cleaned out the red and some purple stuff (33 items) in HJT (mainly O23 references to missing files). After that I scanned again with HJT see my new log file, and surprisingly I got new warnings (some were the same but some were new (O18)). Seems a bit virusy that items appear again...
 
Why do I get new stuff in my HJT log after cleaning with HJT?
 
The computer seems clean but since I forgot to make restore points and it is new, I want to ask here anyway (I have the chance to reinstall everything before setting up all my preferences etc).
 
 
Is this kind of survey common? I.e. do sites get hijacked a lot?
 
Does anyone else see a problem at strawberri dot es?

Edited by boopme, 13 December 2014 - 10:55 PM.


BC AdBot (Login to Remove)

 


m

#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:56 PM

Posted 18 December 2014 - 09:56 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish,so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#3 alex1313

alex1313
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 19 December 2014 - 07:01 AM

If anyone else is wondering about this, I checked on another computer (with Internet Explorer) and the same thing happened there.

 

Concluion: the mentioned site is redirecting to a scam survey. Don't go any further on that site.

 

If anyone has a comment on my specific post and questions, feel free to reply...



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:56 PM

Posted 19 December 2014 - 08:59 AM

I consider this topic as fixed.

It will be closed.

#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:56 PM

Posted 19 December 2014 - 08:59 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users