Bug Report Possible malware?

Status
Not open for further replies.

tiny

Contributor
Messages
5,467
Role
  1. Private
Huh. That's strange. I have Avast installed on this (Windows 7) machine, and although I don't see a warning in Avast, a shield icon appears in the URL bar of Firefox. Clicking it says that Firefox has blocked content that isn't secure.

It gives a link to this page and seems to be related to pages that have both HTTP and HTTPS content. It's probably nothing to worry about... but I'm not entirely sure...
https://support.mozilla.org/en-US/k...re-affect-my-safety?as=u&utm_source=inproduct
 

BoundCoder

Member
Est. Contributor
Messages
1,261
Role
  1. Diaper Lover
  2. Other
  3. Private
Played around with the domain a bit; it seems to be set up to redirect towards Google (random technobabble for those slightly interested):

wget --max-redirect 0 --user-agent="Mozilla/5.0 (Windows NT 5.2; rv:2.0.1) Gecko/20100101 Firefox/4.0.1" hyyp://eleksircirks.com/
--2014-07-26 01:34:34-- hyyp://eleksircirks.com/
Resolving eleksircirks.com... 75.102.9.195
Connecting to eleksircirks.com|75.102.9.195|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: hyyp://www.google.com/]Google [following]
0 redirections exceeded.

When I hit the page you link to though, I don't see any request go out for anything similar. Possible it's either keyed to only inject to people matching specific criteria, or more likely, some other malware on your machine is injecting the request into the page (affiliate fraud maybe)?
 

Snivy

Est. Contributor
Messages
2,654
Role
  1. Babyfur
  2. Carer
  3. Private
People upload spam all the time, but as long as the error is displayed, take action and decipher what the true cause is. Out of several pages on that thread there can be a virus up there that NEEDS to be removed yet. I have Total Defense Antivirus on my new laptop and even with my old laptop back then I have yet to encounter this problem.

My former high school used Avast and I visited that thread not even 4-5 months ago and never encountered the situation. If it's an issue you can temporarily disable it and find out on another source. You can experiment with Internet Explorer and Google Chrome and see if it's an identity match. If none of the murders appear then I highly find the conclusion a false accusation. Nothing I wouldn't really concern with. Your laptop SHOULD be fine.

It is supposed to protect, but sometimes it has given out warnings in the past that were not severe, yet some cases are real... other cases are not. It just means something that wasn't registered properly, or the text/pic/html is either out-of-date or infested (minorly). Again... my apologies, but I think you're fine.
 

AuraBlaze

Est. Contributor
Messages
214
Role
  1. Adult Baby
  2. Diaper Lover
  3. Babyfur
Yeah, I'm getting the same thing from Avast for the entire site. I had to disable the antivirus to get on. Hopefully it doesn't bite me in the butt.
 

Moo

ADISC Admin
Staff
Messages
5,852
Role
  1. Private
I've searched, but nothing comes up for any of this in my searches. I really need a lot more information to figure out what is going on here.
Merely "avast detected X" isn't anywhere near enough.

I've installed Avast myself and am going to let it run for a week, seeing if I get any of these alerts.
 

tiny

Contributor
Messages
5,467
Role
  1. Private
Huh. That's strange. I have Avast installed on this (Windows 7) machine, and although I don't see a warning in Avast, a shield icon appears in the URL bar of Firefox. Clicking it says that Firefox has blocked content that isn't secure.

It gives a link to this page and seems to be related to pages that have both HTTP and HTTPS content. It's probably nothing to worry about... but I'm not entirely sure...
https://support.mozilla.org/en-US/k...re-affect-my-safety?as=u&utm_source=inproduct

Well... I just tried the link in the original post using Arch Linux, and I still see the shield & warning from Firefox (without Avast or any other antivirus)... The page also seemed to take a very long time to download... :dunno:
 

Eulogy

ADISC Moderator
Staff
Messages
1,344
Role
  1. Adult Baby
  2. Babyfur
I've run Avast for a couple years now, never had anything pop up for ADISC. That said, I have had false alarms on other sites with no notable cause (For example, YouTube did this for a few days before. Never figured out why, and it stopped before I could.)

Willing to bet it's something client-side (The question still remains: What?)
 

Snivy

Est. Contributor
Messages
2,654
Role
  1. Babyfur
  2. Carer
  3. Private

tiny

Contributor
Messages
5,467
Role
  1. Private
I have SSL disabled. Should I try enabling it?

No -- it's just that I do, and I thought that the problem might be with mixed content when you have SSL enabled. But obviously not... :-/

Do other people see the shield icon in the URL bar in Firefox (to the left of the SSL padlock, before the http: or https: bit) on the affected ADISC pages...?

If there's some strange malware doing the rounds, it might be a good idea to run a full scan with Avira (and MBAM and adwCleaner too):
MBAM: https://www.malwarebytes.org/
adwCleaner: AdwCleaner Download
 

tiny

Contributor
Messages
5,467
Role
  1. Private
Well, I turned off SSL and the shield icon in Firefox disappears on the "affected" pages... But Avast doesn't fire up at all.

It does if I visit hxxp://eleksircirks.com/lrhIaJE2.js?J=f6303301e55c and Avast blocks access to that site.

I wonder why the problem occurs for the two of you...? Did you run anti-virus/anti-malware scans?
 

tiny

Contributor
Messages
5,467
Role
  1. Private
Okay... I set up a new virtual machine with a clean XP image (with Windows Updates) and installed Avast with all the web & browser protection features turned on.

Visiting the "affected" pages (in Firefox, Chrome or IE) doesn't cause any problems or Avira warnings. So I guess there must be some malware on your PCs injecting the malicious URL into certain web pages in your browser...?
 

Snivy

Est. Contributor
Messages
2,654
Role
  1. Babyfur
  2. Carer
  3. Private
I hope it isn't a troll because I ran a full security scan on all 836 pages and nothing has popped up. I have visited hxxp://eleksircirks.com/lrhIaJE2.js?J=f6303301e55c to be super-safe and double check, but no threats except that porn si- *cough* *cough*; anyway, I have yet to see any malicious software or any kind of activity. It would occur to me his security and laptop isn't well yet stable. If at all possible, do the following suggested by Tiny:

If there's some strange malware doing the rounds, it might be a good idea to run a full scan with Avira (and MBAM and adwCleaner too):
MBAM: https://www.malwarebytes.org/
adwCleaner: AdwCleaner Download

Or download another anti-virus, because maybe yours somehow became defective and this website is just the beginning.

I never needed to do this though, because I never had an issue and people on this site were clean, which is obvious, and I only downloaded AVAST last week to help this issue out. There is no indication of a virus on that thread; if at all possible, maybe there is a software baby bug latched onto an avatar and he just pops up on your firewall ONLY *because he likes you?* I also looked in a few guides for false alarms and minor threats but... what threat? I have yet to see one on that page and I remember commenting a few days ago on that thread. Then he said it moved to 835, which drew me into an abyss because everything that is there stays the same unless a mod deleted/changed it or the members changed up their sentence. If someone had the letter "P" full of bugs then I would throw out that letter and run the software scan 100% fully to make sure my incident wouldn't happen again.
 

AuraBlaze

Est. Contributor
Messages
214
Role
  1. Adult Baby
  2. Diaper Lover
  3. Babyfur
I just did a full malware and antivirus scan, and I've got nothing. Since I've been disabling my antivirus to access the site, I'm going to guess it's a false alarm from Avast. Either that, or my computer is irreparably infected with some horrible thing. *shudders*
 

tiny

Contributor
Messages
5,467
Role
  1. Private
I just did a full malware and antivirus scan, and I've got nothing. Since I've been disabling my antivirus to access the site, I'm going to guess it's a false alarm from Avast. Either that, or my computer is irreparably infected with some horrible thing. *shudders*

Well... that would be strange as I get no alarms at all from Avast (except from the eleksircirks page). :-/ If you have to disable Avast to get to ADISC... that doesn't sound good... :-/ What OS are you running? What browser? Are your browsers and OS all up-to-date?

Maybe try deleting your browser's cache ("temporary internet files" in IE) in case something weird has been cached...? And a rootkit scanner might be an idea. These are probably the best ones:
aswMBR Download
TDSSKiller Download

I'd re-enable Avast if I were you and try to fix the problem, rather than disable your protection because you may be "infected"...

If the rootkit scanners turn up nothing, "Hijack This" (HJT) produces a log file of potentially suspicious registry entries, etc. If you're vaguely technical the log file it produces might help; if you're a-little-bit-technical there are some online logfile analysers that can assist; if you're not sure what you're doing, then the HJT forum has plenty of people willing to help you out... or I don't mind having a look if I have the time.
HiJackThis | Free software downloads at SourceForge.net

If you really, really don't have dodgy malware on your machine, then I can't think what the problem could be... :-/
 

AuraBlaze

Est. Contributor
Messages
214
Role
  1. Adult Baby
  2. Diaper Lover
  3. Babyfur
This is really bizarre considering that I'm using a new laptop with up to date software, and haven't been on any weird sites since I started using it. Also, ADISC is the only thing showing any abnormalities. I have a rootkit scan running now.

- - - Updated - - -

Yep, I'm not getting anything weird out of any scans. Also, I only have to disable Avast to get onto the site. If I re-enable it once I'm on, I can browse normally.

Just in case, here's the log file:

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 3:37:42 PM, on 7/28/2014
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v11.0 (11.00.9600.17126)

FIREFOX: 30.0 (en-US)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe
C:\Program Files (x86)\ASUS\Splendid\ColorUService.exe
C:\Program Files\ASUS\ASUS VivoBook\vivokey.exe
C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Users\Zach\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x86\QuickGesture.exe
C:\Windows\syswow64\wwahost.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Users\Zach\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asus13.msn.com/?pc=ASJB
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://asus13.msn.com/?pc=ASJB
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://g.msn.com/1ewenusDefaultPack/UP97_FRPage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ASUSPRP] "C:\Program Files (x86)\ASUS\APRP\APRP.EXE"
O4 - HKLM\..\Run: [WebStorage] C:\Program Files (x86)\ASUS\WebStorage\2.0.3.226\ASUSWSLoader.exe
O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
O4 - Startup: Dropbox.lnk = Zach\AppData\Roaming\Dropbox\bin\Dropbox.exe
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: ASLDR Service (ASLDRService) - ASUSTek Computer Inc. - C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ASUS InstantOn Service (ASUS InstantOn) - ASUS - C:\Program Files\ASUS\P4G\InsOnSrv.exe
O23 - Service: Asus WebStorage Windows Service - ASUS Cloud Corporation - C:\Program Files (x86)\ASUS\WebStorage\2.0.3.226\AsusWSWinService.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - ASUS - C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Intel(R) Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: @oem16.inf,%WIN32_DPTF_PARTICIPANT_PROC_SERVICE_DISPLAY_NAME%;Intel(R) Dynamic Platform and Thermal Framework Processor Participant Service Application (DptfParticipantProcessorService) - Unknown owner - C:\Windows\system32\DptfParticipantProcessorService.exe (file missing)
O23 - Service: @oem16.inf,%WIN32_DPTF_POLICY_CONFIGTDP_SERVICE_DISPLAY_NAME%;Intel(R) Dynamic Platform and Thermal Framework Config TDP Service Application (DptfPolicyConfigTDPService) - Unknown owner - C:\Windows\system32\DptfPolicyConfigTDPService.exe (file missing)
O23 - Service: @oem16.inf,%WIN32_DPTF_POLICY_CRITICAL_SERVICE_DISPLAY_NAME%;Intel(R) Dynamic Platform and Thermal Framework Critical Service Application (DptfPolicyCriticalService) - Unknown owner - C:\Windows\system32\DptfPolicyCriticalService.exe (file missing)
O23 - Service: @oem16.inf,%WIN32_DPTF_POLICY_LPM_SERVICE_DISPLAY_NAME%;Intel(R) Dynamic Platform and Thermal Framework Low Power Mode Service Application (DptfPolicyLpmService) - Unknown owner - C:\Windows\system32\DptfPolicyLpmService.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GamesAppIntegrationService - WildTangent - C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
O23 - Service: GamesAppService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: Intel(R) Capability Licensing Service Interface - Intel(R) Corporation - C:\Program Files\Intel\iCLS Client\HeciServer.exe
O23 - Service: Intel(R) Capability Licensing Service TCP IP Interface - Intel(R) Corporation - C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe
O23 - Service: Intel(R) ME Service - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
O23 - Service: Intel(R) Smart Connect Technology Agent (ISCTAgent) - Unknown owner - C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe
O23 - Service: Intel(R) Dynamic Application Loader Host Interface Service (jhi_service) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-320 (WdNisSvc) - Unknown owner - C:\Program Files (x86)\Windows Defender\NisSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310 (WinDefend) - Unknown owner - C:\Program Files (x86)\Windows Defender\MsMpEng.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9903 bytes
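Added example (not from the thread or any of its posters): a small Python triage script for the HijackThis v2 log format pasted above. It parses the R/O2/O4/O23 entry lines and lists autoruns that run from user-writable directories or services HJT could not attribute to a vendor; the sample log is constructed, and the path heuristics are my own assumptions, not HJT's analysis.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 log format, modelled on the layout of the
# log posted in the thread; every value here is invented, not the poster's.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.5
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files (x86)\Example\helper.dll
O4 - HKLM\..\Run: [Updater] "C:\Program Files (x86)\Example\updater.exe" /quiet
O4 - HKCU\..\Run: [svchost] C:\Users\alice\AppData\Roaming\svchost.exe
O4 - Startup: Sync.lnk = alice\AppData\Roaming\Sync\sync.exe
O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\Program Files\Example\svc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Helper Service (HelperSvc) - Unknown owner - C:\ProgramData\Helper\helper.exe
End of file - 1234 bytes
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# Directories a standard user can write to (assumed heuristic): an autorun here is
# not proof of infection (sync clients live in AppData too), but is where to look first.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")

@dataclass
class Entry:
    section: str   # R0/R1/O2/O4/O23 ...
    name: str      # run-key value name, BHO name or service name
    path: str      # executable or DLL path ("" when the entry has none)
    owner: str     # O23 only: vendor string HJT reports for the binary
    missing: bool  # HJT appended "(file missing)"

def parse_hjt(text: str) -> list[Entry]:
    entries = []
    for m in filter(None, map(ENTRY_RE.match, map(str.strip, text.splitlines()))):
        sec, body = m.group("sec"), m.group("body")
        missing = body.endswith("(file missing)")
        body = body.removesuffix("(file missing)").strip()
        name, path, owner = body, "", ""
        if sec == "O23":                        # Service: name - owner - path
            name, owner, path = body.rsplit(" - ", 2)
            name = name.removeprefix("Service: ")
        elif sec == "O2":                       # BHO: name - {CLSID} - path
            name, _clsid, path = body.removeprefix("BHO: ").rsplit(" - ", 2)
        elif sec == "O4":                       # Run: [name] "path" args | Startup: x.lnk = path
            m4 = re.match(r"(?:.*\[(?P<n1>[^\]]+)\]|Startup: (?P<n2>\S+) =)\s*(?P<rest>.*)$", body)
            name, rest = m4["n1"] or m4["n2"], m4["rest"]
            path = rest.split('"')[1] if rest.startswith('"') else rest.split(" /")[0]
        entries.append(Entry(sec, name, path, owner, missing))
    return entries

def triage(entries: list[Entry]) -> list[tuple[str, str, str]]:
    """Return (section, name, reason) for autoruns worth a manual look."""
    findings = []
    for e in entries:
        low = e.path.lower()
        if e.section in ("O2", "O4", "O23") and any(d in low for d in USER_WRITABLE):
            findings.append((e.section, e.name, f"runs from user-writable path {e.path}"))
        elif e.section == "O23" and e.owner == "Unknown owner" and not low.startswith("c:\\windows"):
            findings.append((e.section, e.name, f"service with no vendor string: {e.path}"))
    return findings
```

Entries marked "(file missing)" under C:\Windows, like the many system services in the log above, are kept in the parsed output but not flagged, so they can be checked separately rather than treated as evidence of tampering.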
 