Jump to content

Browser hijacked twice - but - Scans are clean. Infected?

Recommended Posts


Good day,

Thanks in advance for your expertise, I really appreciate the dedication I see in these forums, especially from volunteers. I've tried to be succinct, but provide as much detail as I know to give. I've _not_ made any changes, just run scans as described. I'll happily and accurately follow any direction given to further diagnose.

Thanks again.

QUESTIONS UP-FRONT (Background Details Below)

  1. MAIN CONCERN: Is there any reasonable chance I have an undetected, active malware infection given the information below? (five different clean scans today - see "Today" item #7 below for details)
  2. Are the episodes of the two days related or coincidence?
  3. Should I assume that the "Your computer is at risk" JavaScript popup was a trojan trying to get me to load something else, more virulent, and by not following it and killing the browser each time I prevented that?
  4. If #3 is true, what the heck caused the browser re-direct but isn't being scan-detected? Do trojans sometimes commit suicide and delete themselves?


  • WinXP
  • AVG 10.0.1424 with auto-updates actively running. Resident checks enabled. Current definitions (last update this AM) in place
  • ZoneAlarm Free as firewall set to flag Internet access (in or out) from any program/process I've not explicitly given "yes" perm.
  • Browser in question is Firefox. All described issues occurred in FF 3.6 (I know it's old -- I'm a Web developer and have to keep old versions to test sites). Also used Chrome today. No issues there.
  • Firefox is set to block all Flash content by default. I need to manually allow each page's flash component.
  • MBAM 1.60.1000 with 2012.03.21.02 DB for scans


TWO DAYS AGO 3/21/12

Mistakenly followed a link in a phishing email (sleepy early morning email reading - shame on me for that, I'm plenty embarassed by it).

Knew what I did it as soon as I did but too late to stop the Web page from opening. Don't remember the browser's exact behavior, but I killed it with Task Manager. Did not interact with the destination page in

any way. AVG did not display a detection warning.

Immediately scanned with MBAM (quick-scan with fresh definitions), TDSKiller and SpybotSD. No detections.

Figured I beat it by killing the browser.

Firewall did not report access of the Internet by any unknown program/process.

Phishing Destination URL: http://mgxls.com/k4H1CSBf/index.html

  1. VirusTotal.com of that URL shows it as a phishing site (See https://www.virustot...sis/1332514434/)
  2. VirusTotal of the site itself has two hits showing Malware (https://www.virustot...sis/1332514395/)
  3. Scumware (one of the VirusTotal hits) shows the following for the IP of the site: http://www.scumware....rt/

TODAY 3/23/12:

  1. Visited a Web site of a local business. Following an internal link on the home page of the site to another page on the site resulted in a redirection and a JavaScript pop-up of "Attention! Your computer is at risk..." with the OK button to "start a scan". I immediately used Task Manager and killed the browser - did _not_ click the OK button.
  2. Searches for that pop-up text show plenty of duplicate pages that look pretty junky. Followed NONE of the advice on any of them; wonder if they're part of the scam. All seem to be pretty new pages per Google.
  3. Submitted the site and specific URL on which the redirect happened to VirusTotal - no detections.
  4. Restart of the browser resulted in a re-direct, again with the JavaScript popup. I killed the browser with Task Manager - did not click "OK".
  5. Subsequent restarts of the browser and normal browsing (including using search engines) result in no abnormal behavior, even after clearing cache & cookies.
  6. Firewall has not reported access of the Internet by any unknown program/process.
  7. Scans (all done in safe mode for what that's worth)
    A. MBAM full scan - No detections
    B. TDSKiller - No detections
    C. GMER - No detections
    D. AVG ("auto-clean" off) - No detections
    E. SpybotSD - No detections
  8. Ran dds.scr. Attached outputs here.

One bit of additional configuration I neglected to include. I have Java (but not JavaScript) disabled in Firefox. Sites I visit don't use it, and as it is sometimes a vector for malware (I think), I leave it disabled.



Link to post
Share on other sites

  • 1 month later...
  • Staff

Hi and welcome to Malwarebytes.

In the future, please post all logs directly into your reply instead of attaching them unless otherwise indicated. With that said, please update MBAM, run a Quick Scan, and post its log.

Next, run DDS again and post DDS.txt directly in your reply.

Link to post
Share on other sites

  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.