I got a strange user survey when browsing the web a few days ago, which made me suspicious of a virus on either my computer or (more likely) the web site.
I went to the domain strawberri with TLD .es
And got redirected to a page titled Chrome User Survey (2014)
The URL was: http://sweden.survygenie.com/e/valse30n.html?keyword=53bb488fb9305fb37c13ae8f&country=SE&domain=SE&pid=&voluumdata=vid..00000006-cd88-4c38-8000-000000000000__vpid..dc77d000-7e3a-11e4-8d74-45aaefec7a13__caid..f3a6c967-9777-4102-a4bc-fb123a56cc21__lid..978225d0-af54-401f-bd8d-bbe6003f0fa1__rt..D__oid1..452240d3-bc53-4b87-897f-877efe38fa66__oid2..62f6bbd9-3fb8-47e6-b455-8e88c218eb8e__oid3..850cbfdd-c8ba-417e-8409-7e8380d13dc7__var1..53bb488fb9305fb37c13ae8f__var2..n%2Fa__var3..0\.\0136__var4..wifi__var5..others__var6..SE&sourceid=53bb488fb9305fb37c13ae8f&match=n/a&cpc=0.0136&carrier=wifi&mob_pf=others
The title is generated by jQuery: $('title').html(browserName + ': User Survey') (Chrome User Survey or Firefox User Survey). On the page it says something strange: that the survey has nothing to do with Chrome / Firefox. It said I could get products worth 400 SEK for answering the survey.
I had seen the exact same survey on another site the same day, but then I had so many browser tabs open I just clicked it away and don't remember where it came from.
I scanned the strawberri dot es with virustotal.com and it came out clean. This guy seems to have seen a similar survey.
Since I saw it before and since virustotal says the site is clean, I wonder if my computer is infected?
I also had a sore throat that day so I think I might have caught a computer virus myself (joking).
I scanned the whole computer with AVG. It says it is clean. I tried the strawberri site from my other computer, first with TOR Browser, and then it shows another page (a regular "this domain is for sale" page). When I tried it with Chrome and Firefox on my other computer, it shows the survey again. So either it is the site or I got my other computer infected by going there.
Since Chrome/Firefox and TOR Browser show different pages, it is definitely something fishy.
Does anyone know if this site is infected?
It's a new (Lenovo) laptop; I had only installed:
- Windows 8.1 with updates (.iso downloaded from the pirate bay, but I checked the SHA1 code and it was the same as Microsoft publishes on the msdn site for isos). I reinstalled it to get rid of annoying bloatware (including one that shows ads on web sites!!). thepiratebay.se is down now unfortunately so I can't link to the torrent.
- Some other programs like: Mobile Partner (3G internet), VLC player, Skype, TOR Browser, Chrome, Firefox, GPA (GPG4win.com).
- I downloaded Ninite (bundle installer) and used it to install: iTunes, SumatraPDF, Notepad++, Audacity, WinRAR, Filezilla. VirusTotal said it was clean.
- Then I got uTorrent version 3.2.3 from an old versions site, seemed clean according to virustotal.com
- According to Control Panel I also have: Bonjour, Microsoft Visual C++, Visual Studio 2012, Apple Mobile Device Support, Apple Application support, Apple Software update, Bonjour, Lenovo Easycamera, Mozilla Maintenance service, Synaptics Pointing Device Driver, Conexant HD Audio.
(- Later I also got Ms Office 2013 from an original DVD.)
Some web site said there is a virus like this and to remove extensions in my web browsers, that I should have none if I have installed anything. I had 3 in Chrome, all names related to Google Docs (seemed legit). I removed them just to be sure. Firefox had no extensions but some plugins (iTunes, Google Update, MS Office 2013, OpenH264).
I ran HijackThis on the computer and saved logs after each program I installed (for future references).
My log from HiJackThis.
I cleaned out the red and some purple stuff (33 items) in HJT (mainly O23 references to missing files). After that I scanned again with HJT (see my new log file), and surprisingly I got new warnings (some were the same but some were new (O18)). Seems a bit virusy that items appear again...
Why do I get new stuff in my HJT log after cleaning with HJT?
The computer seems clean but since I forgot to make restore points and it is new, I want to ask here anyway (I have the chance to reinstall everything before setting up all my preferences etc).
Is this kind of survey common? I.e. do sites get hijacked a lot?
Does anyone else see a problem at strawberri dot es?
Edited by boopme, 13 December 2014 - 10:55 PM.