Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

301/302 errors, unknown cause (referral from "Am I infected?" forum)


  • Please log in to reply
11 replies to this topic

#1 Dornroschen

Dornroschen

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:England
  • Local time:09:18 AM

Posted 04 September 2015 - 02:52 PM

Dear BleepingComputer,

My original post in the "Am I infected? What do I do?" forum can be found here.

 

(Note that I tried to post the FRST log below as instructed, but was told: "Your post was too long. Please go back and shorten it a little."  I guess it was exceptionally long for some reason?  As such, I have included BOTH the FRST log and Addition.txt as attachments)

 

 

The problem

 

All details, screenshots etc from my problem are given at the above link, but in summary, my laptop (running Firefox 40.0.3 under Windows 8.1 64-bit) and my father's desktop (also running Firefox 40.0.3 under Windows 8.1 64-bit, and using the same router) are receiving 301 and 302 errors when trying to follow certain links (including one posted by BleepingComputer helper Broni) in certain ways. 

 

As described (and screenshotted) at the link above, alternate left-clicks on such links consistently provide different results (but neither gives the desired target page).  Even-numbered clicks give "about:blank", and odd-numbered clicks give the "301 Moved Permanently" screenshot given in the above forum post.  These links work fine if I right-click and "open in new tab", or if I copy them to my bookmarks toolbar and then open them through that.

 

Clearing the cache does not affect this behaviour, and exactly the same symptoms apply to a number of html links that I have encountered (e.g. the three given in the profile of this Twitter user).  My best hypothesis about the commonality between the links to which this applies is that perhaps they are all multi-stage redirects.

 

Another laptop (my old one - running Firefox 40.0.3 under Windows 8) is unaffected and functioning normally, despite using the same router/connection.

 

These problems may or may not be related to disruption to our internet service (which became slow and intermittent when this issue began, though our ISP has since resolved this and it is now functioning well) and the fact that RSS feeds are intermittently resetting to 18th August (i.e. only displaying posts up to 18th August, rather than the most recent ones).

 

 

Attempted resolutions

 

Guided by Broni at the above forum I have run a number of scans.  I also resolved the internet connectivity issue with my ISP in case this was the cause.  However, symptoms are persisting (and only on certain computers), which makes me suspect malware infection.  As you can see, after taking me through several investigations Broni has asked me to run FRST and post the logs here, which I have done - find attached.

 

Any advice much appreciated, thank you.

 

Attached Files



BC AdBot (Login to Remove)

 


#2 shelf life

shelf life

  • Malware Response Team
  • 2,680 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:04:18 AM

Posted 06 September 2015 - 08:53 AM

hi,

 

I believe these are the result of your Firefox addons, I can see you use HTTPS everywhere, ABP, no script and ghostery. I use FF and some of these addons and get similiar results some times. See screenshot. When you reinstalled FF did you use it without installing the addons? Its unique to FF right?

Usually Iam only on this site once or twice per day so you may not get a reply back from me until the following day.

 

Attached File  SS.png   166.93KB   1 downloads


How Can I Reduce My Risk to Malware?


#3 Dornroschen

Dornroschen
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:England
  • Local time:09:18 AM

Posted 07 September 2015 - 09:55 AM

Ah, thank you for this.  That is a helpful lead.  After some investigations I now discover that when I disable Ghostery on the two computers concerned, the symptoms no longer manifest, and when I re-enable it they return.

 

That is somewhat reassuring, but I still have a lingering concern about the integrity of those two systems, because I note that these symptoms are only affecting two of the four computers in the house, all of which are running the latest Firefox and the latest versions of Ghostery and the other add-ons.  Indeed, the two desktop computers are identical hardware builds with very similar software configurations, but one of them consistently has these symptoms (since they first manifested, and when Ghostery is enabled) and the other has never had them. 

 

The two laptops are again similar, but this one has the symptoms (when Ghostery is enabled) and the other never has (even with Ghostery enabled), despite identical Firefox setups.  I also note that the symptoms began not when I updated Firefox or Ghostery, but were rather attended by intermittent disruption to our internet connection (and logs of 'intrusions' on our router).

 

Does that perhaps suggest that these symptoms are the result of some other unwelcome software on those two computers clashing with Ghostery, and that perhaps you have it too?  I have never encountered such messages on the other two machines.

 

Note that while there are also similar intermittent problems with my taskbars, the symptoms given above are continual and unchanging.  It would be interesting to know whether you get the same symptoms when left-clicking on the AdwCleaner download link on this BleepingComputer page.

 

Thanks for the reply, and the diagnostic progress it has led to, and hopefully we'll get to the bottom of this soon.


Edited by Dornroschen, 07 September 2015 - 10:00 AM.


#4 shelf life

shelf life

  • Malware Response Team
  • 2,680 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:04:18 AM

Posted 07 September 2015 - 04:19 PM

Are the configurations/options for ghostery set up the same for all the machines?  Are both enable ghostrank and Enable tracker library auto updating options both unchecked.

 

 

you have it too?

 

That screenshot I uploaded is from my linux machine.


How Can I Reduce My Risk to Malware?


#5 Dornroschen

Dornroschen
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:England
  • Local time:09:18 AM

Posted 07 September 2015 - 05:31 PM

Good thinking.

 

On both laptops (one of which has these symptoms and one of which doesn't) the Ghostery settings are the same, and both options that you ask about are checked.

 

Looking further into Ghostery options, it was set to block different cookies and trackers on each laptop, which I initially thought might well be the cause.  But I have now set Ghostery on both machines to block all trackers and cookies, manually updated the Ghostery tracker library on both, closed Firefox, cleared the cache and reopened Firefox.  I cannot now find any difference when I go through the options set in both Firefox and Ghostery.  And still the symptoms are only presenting on one of the machines.

 

On both desktops (one of which has these symptoms and one of which doesn't) the Ghostery settings are the same as each other, with tracker library auto-updating enabled, but Ghostrank disabled.

 

So the mystery continues.  But it is nonetheless reassuring to see that the symptoms are the same on a Linux machine.  Did you check whether that link works for you?



#6 shelf life

shelf life

  • Malware Response Team
  • 2,680 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:04:18 AM

Posted 07 September 2015 - 07:11 PM

We can conclude then that the behaviour only happens with ghostery enabled, on one machine now, if I read that right?

 

Why dont you try unchecking the auto updating feature in the options for both machines  Also check the advanced options if you havent and make sure there all set the same.

 

Do both the machines use the same FF addons other than ghostery?

Do you use AVG's link checker/scanner- I think its called. Its a optional feature of AVG that checks links and  URLs for malware?

That link you posted goes back to this post. May not be back online for 16 or so hours.


How Can I Reduce My Risk to Malware?


#7 Dornroschen

Dornroschen
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:England
  • Local time:09:18 AM

Posted 11 September 2015 - 09:54 AM

No, it is affecting two of our computers.  I was describing four computers in our household - two desktops and two laptops.  The symptoms are manifesting one of the two laptops and one of the two desktops.  Ghostery's advanced settings do not differ between the affected and unaffected machines, and they are also using the same other FF addons.  But yes, in all cases the symptoms manifest only when Ghostery is enabled, and disappear when it is disabled.

 

Interestingly though, I have discovered that if I whitelist the websites in question through Ghostery, the problem still manifests on those two machines.  And even if I "pause blocking" altogether through Ghostery, the problem still manifests (even having followed your excellent suggestions to try diabling AVG's web protection and Ghostery's auto-update).  It is only if I actually disable Ghostery via the Firefox addons menu that the links work normally.  So the mystery remains.

 

Regarding the link I posted for you to test, it does not go back to this post - it goes to my original post about the same problem in the "Am I infected? What do I do?" forum, which is where you will find the AdwCleaner link in question, as posted by BleepingComputer's Broni (just search the page for "AdwCleaner" to jump to it).  I would still be interested in what happens when you left-click it.
 

Thanks



#8 shelf life

shelf life

  • Malware Response Team
  • 2,680 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:04:18 AM

Posted 11 September 2015 - 05:43 PM

My left click on the link went to the adwcleaner website. for the taskbar issues I see you have 7+ Taskbar Tweaker v5.0 installed, may be a issue with that. 

 

So two computers. Pretty sure we can rule out a malware cause. So you have to completely disable ghostery for links to work ok. When ghostery is enabled does it affect the same links or is it random links for each machine?

 

Any other security type software that might be installed thats common to both the machines?

 

I have another W7 machine I will install ghostery on and if see anything strange happens.


How Can I Reduce My Risk to Malware?


#9 shelf life

shelf life

  • Malware Response Team
  • 2,680 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:04:18 AM

Posted 13 September 2015 - 06:25 PM

So I installed ghostery on another W7 machine and havent had any problems. Whats it looking like on your end? Any changes


How Can I Reduce My Risk to Malware?


#10 Dornroschen

Dornroschen
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:England
  • Local time:09:18 AM

Posted 17 September 2015 - 01:05 PM

Sorry for the delayed response - it's been a remarkably busy week for me.

 

Thanks for testing that link for me.  It is working for me too right now, which is great, as that's the first time (presumably due to the various tweaks I've made to Ghostery settings).

 

To answer your question, it was specific links that were affected, but if you're happy to rule out a malware cause then that's good enough for me to call the issue closed.  Really my only reason for continued interest was in case these symptoms betrayed some kind of malware.

 

The minor issues that remain are easy enough to work around and probably caused by some obscure software clash.  They may even resolve themselves with updates (to answer your other question, yes, there are various pieces of security software that are installed on both affected machines). 

 

I'll let you know if anything else dramatic occurs, but otherwise, many thanks for your time and creative input - it is greatly appreciated.  I actually feel secure enough to access my online banking on this machine now!

 

Cheers

 

ps  I didn't have any taskbar issues, apologies, that was a typo.  I meant the *toolbar* issues mentioned in my OP.  I have now found that these intermittent issues can be resolved by disabled Ghostery momentarily and then instantly re-enabling it.  After that, the toolbar is functional again for a day or two.



#11 shelf life

shelf life

  • Malware Response Team
  • 2,680 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:04:18 AM

Posted 20 September 2015 - 04:38 PM

Sorry for the delay in responding.  I think we can safely rule out malware. You might try a different addon on one of the computers that is similar to ghostery.  Happy Safe Surfing out There.


How Can I Reduce My Risk to Malware?


#12 Dornroschen

Dornroschen
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:England
  • Local time:09:18 AM

Posted 21 September 2015 - 04:44 AM

Thanks!






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users