Browser hijacked twice - but - Scans are clean. Infected?

[ckbosh]

Merged

Good day,

Thanks in advance for your expertise, I really appreciate the dedication I see in these forums, especially from volunteers. I've tried to be succinct, but provide as much detail as I know to give. I've _not_ made any changes, just run scans as described. I'll happily and accurately follow any direction given to further diagnose.

Thanks again.

QUESTIONS UP-FRONT (Background Details Below)

1. MAIN CONCERN: Is there any reasonable chance I have an undetected, active malware infection given the information below? (five different clean scans today - see "Today" item #7 below for details)
   
2. Are the episodes of the two days related or coincidence?
   
3. Should I assume that the "Your computer is at risk" JavaScript popup was a trojan trying to get me to load something else, more virulent, and by not following it and killing the browser each time I prevented that?
   
4. If #3 is true, what the heck caused the browser re-direct but isn't being scan-detected? Do trojans sometimes commit suicide and delete themselves?
   

CONFIGURATION

• WinXP
  
• AVG 10.0.1424 with auto-updates actively running. Resident checks enabled. Current definitions (last update this AM) in place
  
• ZoneAlarm Free as firewall set to flag Internet access (in or out) from any program/process I've not explicitly given "yes" perm.
  
• Browser in question is Firefox. All described issues occurred in FF 3.6 (I know it's old -- I'm a Web developer and have to keep old versions to test sites). Also used Chrome today. No issues there.
  
• Firefox is set to block all Flash content by default. I need to manually allow each page's flash component.
  
• MBAM 1.60.1000 with 2012.03.21.02 DB for scans
  

HISTORY

TWO DAYS AGO 3/21/12

Mistakenly followed a link in a phishing email (sleepy early morning email reading - shame on me for that, I'm plenty embarassed by it).

Knew what I did it as soon as I did but too late to stop the Web page from opening. Don't remember the browser's exact behavior, but I killed it with Task Manager. Did not interact with the destination page in

any way. AVG did not display a detection warning.

Immediately scanned with MBAM (quick-scan with fresh definitions), TDSKiller and SpybotSD. No detections.

Figured I beat it by killing the browser.

Firewall did not report access of the Internet by any unknown program/process.

Phishing Destination URL: http://mgxls.com/k4H1CSBf/index.html

1. VirusTotal.com of that URL shows it as a phishing site (See https://www.virustot...sis/1332514434/)
   
2. VirusTotal of the site itself has two hits showing Malware (https://www.virustot...sis/1332514395/)
   
3. Scumware (one of the VirusTotal hits) shows the following for the IP of the site: http://www.scumware....rt/110.4.45.141
   

TODAY 3/23/12:

1. Visited a Web site of a local business. Following an internal link on the home page of the site to another page on the site resulted in a redirection and a JavaScript pop-up of "Attention! Your computer is at risk..." with the OK button to "start a scan". I immediately used Task Manager and killed the browser - did _not_ click the OK button.
   
2. Searches for that pop-up text show plenty of duplicate pages that look pretty junky. Followed NONE of the advice on any of them; wonder if they're part of the scam. All seem to be pretty new pages per Google.
   
3. Submitted the site and specific URL on which the redirect happened to VirusTotal - no detections.
   
4. Restart of the browser resulted in a re-direct, again with the JavaScript popup. I killed the browser with Task Manager - did not click "OK".
   
5. Subsequent restarts of the browser and normal browsing (including using search engines) result in no abnormal behavior, even after clearing cache & cookies.
   
6. Firewall has not reported access of the Internet by any unknown program/process.
   
7. Scans (all done in safe mode for what that's worth)
   A. MBAM full scan - No detections
   B. TDSKiller - No detections
   C. GMER - No detections
   D. AVG ("auto-clean" off) - No detections
   E. SpybotSD - No detections
   
8. Ran dds.scr. Attached outputs here.
   

One bit of additional configuration I neglected to include. I have Java (but not JavaScript) disabled in Firefox. Sites I visit don't use it, and as it is sometimes a vector for malware (I think), I leave it disabled.

dds.txt

attach.txt

[screen317]

Hi and welcome to Malwarebytes.

In the future, please post all logs directly into your reply instead of attaching them unless otherwise indicated. With that said, please update MBAM, run a Quick Scan, and post its log.

Next, run DDS again and post DDS.txt directly in your reply.

[Maurice Naggar]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!