I'm new to these forums, so if this is posted incorrectly, please feel free to move it.
One of my clients has been "infected" with an odd malware. The symptoms are:
Sites that redirect to another site are affected.
A porn popup from i_Bongacash pops up a small window at the bottom right of the window featuring an unwanted video clip.
It's a small box that allows you to close it. What else it does when closed, I'm not sure.
I was able to reproduce this on one computer regularly. While it was up, I brought up the source code for the site, which also showed the source for the pop up as well. I was even able to watch as I refreshed the page, and the code appeared out of nowhere.
It must have come from one computer and spread. But it doesn't seem to be a virus or malware...
Things I have tried to find out what is causing this:
Bitdefender, Webroot, Malwarebytes, HitmanPro. None of these programs found anything on the computers.
Bitdefender is currently running on the server and one other machine. Server doesn't have any other AV or AM software running.
Things I have done to workaround this:
Added 4 different IP addresses to the Sonicwall to block any traffic going to them: 3 addresses found by nslookup of i_bongacash.com, and another one that Malwarebytes was blocking. Not sure if this has stopped it. If it has, then I need to find out how this happened or is happening. Very odd how some code can just be injected seemingly out of nowhere into a page.
It's not an extension, not a program running in the background. If it was either, I would see a strangely named process running, and/or one of the above programs should have picked it up.
Could it be that the Sonicwall has been infected and is doing the injection?
They also have a Microtek router that sits between the internet and the Sonicwall.
I'm running out of ideas as to what to try.
Has anyone come across anything like this? It's very odd, and hard to explain completely.