Possible infection - redirector.gvt1.com


Armadillo


Greetings everyone!

Thank you very much for keeping this forum to assist people like me. I'm pretty paranoid about computer security, so I've decided to create this topic after Malwarebytes showed me some suspicious events.

The event was an outbound connection from Firefox; it logged 3 of these connection attempts right after each other. I checked my logs, and these were the only ones that happened in a long time (except for some Skype-related inbound and outbound connections, but I guess that's normal since it seems to be a peer-to-peer program, and I keep it running most of the time to communicate).
Malwarebytes blocked them and they haven't returned so far. I've googled what this is, and the results weren't really promising. Even though the domain appears to be owned by Google, people claimed it can be a sign of a serious infection, which is why I want to make sure nothing shady lurks on my computer.

My PC is protected by the paid versions of:
- Malwarebytes
- ESET NOD32
And I also have Spybot Search & Destroy installed, along with AdwCleaner.

I've run deep scans with all of them using administrator privileges, but nothing showed up.
P.S.: During this event Firefox and Chrome were open, but my active window was Chrome, not Firefox. Firefox was just running in the background with a few tabs. None of my browsers have plugins, except Firefox with an ad blocker. The settings also seem to be fine, without tampering.

The suspicious event (I apologize about the language; I could not find where to set it to English inside the program). Translated from Hungarian:
Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 2017-03-30
Protection Event Time: 12:43
Log File:
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.75
Update Package Version: 1.0.1627
License: Premium

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Domain: redirector.gvt1.com
IP Address: 216.58.209.206
Port: [55218]
Type: Outbound
File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

************************************************************************************
I've attached the Farbar Recovery Scan Tool logs to the post.
Thank you very much if someone can assist me in this matter.

Edited by miekiemoes
Attachments deleted per user request.

Just woke up this morning with this infection. Normally I don't run AV software other than Windows Defender. Turned my computer on this morning and opened Firefox, and my browser was clearly hijacked: a voice going "Critical alert from Microsoft" etc., an unclosable log-in/sign-up credential pop-up and fake alert boxes, crashing plugins, an unclosable browser window.

Used Chrome to grab MBAM and the scan showed nothing, but it was constantly blocking a website redirect from redirector.gvt1.com for 5 minutes or so before it went silent. A scan report immediately after showed nothing. A restart and a Firefox browser reset later, I tried opening Firefox without MBAM running, and there was no redirect. Opened up MBAM and a repeat scan showed nothing, but a few minutes later it blocked two more redirect attempts. Definitely still lurking around.


Sounds like it means that MBAM is updating its database to be able to detect and remove the browser hijacker that it is already responding to (in order to block its activity), but is unable to find and remove it at this time. Malware is constantly evolving to avoid detection, and anti-malware is constantly evolving in parallel to combat it.


Thank you very much miekiemoes for taking the time to look into this. You helped my paranoia a bit with this :D
I wish everyone a nice day!

****
Dangaard: I'm no expert, but I'm not sure you have the same problem as me. In my case the computer showed no sign of infection or weird behaviour at all. However, yours seems to behave infected. I think you should start a topic to make sure you get proper help in case there really is malicious stuff lurking there.
I followed this topic to create mine:


o_O huh. I guess I had a one-time website redirect which corresponded to a new MBAM false positive? I'll wait it out and see if it happens again when I disable MBAM. If nothing happens, no harm no foul, I suppose. If it happens again, then I can investigate further.


9 months later...

I guess this is new. I am not using a PC; I am using an Android. I do not use Chrome, nor do I update it, as I don't use it at all, ever.

I too have links to .gvt1.com. I just got them, not from a security alert, but because Facebook was updating. (ALL auto-updates on my accounts except AntiV and Firewall are off, but Facebook keeps creeping its foot in the door, so to speak.)

r3---sn-a5mlrn76.gvt1.com

r2---sn-a5mekn7y.gvt1.com

r1---sn-a5m7lnlz.gvt1.com

At or around the same time as the above traffic, the only background traffic was:

external-atl3-1.xx.fbcdn.net

lookaside.facebook.com

external.xx.fbcdn.net

scontent-atl3-1.xx.fbcdn.net

Hope this helps the right people.


4 weeks later...

Just wanted to add to this. I was just trying to update a new Android phone, the Essential. The update kept failing, so I pulled up my firewall and Pi-hole logs (DNS-level ad blocker); the phone kept trying to query "redirector.gvt1.com" on update. This was an Android system update. This being a brand new phone, minutes out of the box, I took to the web to look into it and arrived here after parsing through a bunch of misinformation, it seems. It is still unclear to me what or why it needs to contact this address, but it wasn't until I whitelisted the address that I was able to perform the update. It's easy enough to see it was coming from the phone's IP/MAC. It doesn't appear to me to be linked to any malware. Just thought I would throw some more info into the information pool.

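Added example (editor's code, not code from any poster in this thread or from the Pi-hole project): the check the post above describes, done over DNS query logs instead of by eye. It parses constructed dnsmasq-style lines in the shape Pi-hole writes to its query log, answers "which client asked for names under gvt1.com, and which of those did the blocklist sinkhole", and matches on whole DNS labels so that a lookalike such as notgvt1.com or gvt1.com.attacker.example is not mistaken for Google's domain. The log lines, client addresses, file path and function names are assumptions made up for this example; the hostnames reuse the ones quoted earlier in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the dnsmasq format that Pi-hole writes to
# /var/log/pihole.log (assumed path). These lines are made up for the
# example and are not captured traffic.
SAMPLE_LOG = """\
Jan 20 09:12:01 dnsmasq[1234]: query[A] redirector.gvt1.com from 192.168.1.50
Jan 20 09:12:01 dnsmasq[1234]: gravity blocked redirector.gvt1.com is 0.0.0.0
Jan 20 09:12:03 dnsmasq[1234]: query[A] r3---sn-a5mlrn76.gvt1.com from 192.168.1.50
Jan 20 09:12:03 dnsmasq[1234]: forwarded r3---sn-a5mlrn76.gvt1.com to 1.1.1.1
Jan 20 09:12:10 dnsmasq[1234]: query[A] scontent-atl3-1.xx.fbcdn.net from 192.168.1.50
Jan 20 09:12:15 dnsmasq[1234]: query[AAAA] redirector.gvt1.com from 192.168.1.50
Jan 20 09:12:15 dnsmasq[1234]: gravity blocked redirector.gvt1.com is ::
Jan 20 09:13:00 dnsmasq[1234]: query[A] notgvt1.com from 192.168.1.20
Jan 20 09:13:05 dnsmasq[1234]: query[A] gvt1.com.attacker.example from 192.168.1.20
"""

# "query[A] name from client" is the lookup; "gravity blocked name is addr"
# is Pi-hole answering from its blocklist with a sinkhole address.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)$")
BLOCK_RE = re.compile(r"gravity blocked (?P<name>\S+) is \S+$")


def in_domain(name, suffix):
    """True when name is `suffix` itself or a subdomain of it.

    Compares whole labels (case-insensitive, trailing dot ignored), so
    'notgvt1.com' and 'gvt1.com.attacker.example' do not match 'gvt1.com'
    the way a plain substring test would.
    """
    name = name.rstrip(".").lower()
    suffix = suffix.rstrip(".").lower()
    return name == suffix or name.endswith("." + suffix)


def parse_queries(log_text):
    """Yield (qtype, name, client) for every query line in the log text."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("qtype"), m.group("name").lower(), m.group("client")


def queries_by_client(log_text, suffix):
    """Map client address -> sorted distinct names under `suffix` it looked up.

    This is the attribution step from the post: tie the destination back to
    the device that asked for it before deciding whether to allow it.
    """
    seen = defaultdict(set)
    for _, name, client in parse_queries(log_text):
        if in_domain(name, suffix):
            seen[client].add(name)
    return {client: sorted(names) for client, names in seen.items()}


def blocked_under(log_text, suffix):
    """Sorted distinct names under `suffix` that the blocklist sinkholed."""
    blocked = set()
    for line in log_text.splitlines():
        m = BLOCK_RE.search(line)
        if m and in_domain(m.group("name"), suffix):
            blocked.add(m.group("name").lower())
    return sorted(blocked)


if __name__ == "__main__":
    for client, names in queries_by_client(SAMPLE_LOG, "gvt1.com").items():
        print(f"{client} queried: {', '.join(names)}")
    print("sinkholed by blocklist:", blocked_under(SAMPLE_LOG, "gvt1.com"))
```

On the sample, only 192.168.1.50 is attributed to gvt1.com, and only redirector.gvt1.com was sinkholed; the r3---sn-... name was forwarded normally, which matches the pattern earlier in the thread where the redirector is queried first and the content host afterwards. If the attributed device is the one you expect to be updating, the fix from the post is an allow entry for that exact name in Pi-hole (`pihole -w redirector.gvt1.com`); allow the specific host rather than the whole gvt1.com zone, and keep the whole-label matching in mind when reading logs, since a lookalike name would otherwise slip past a substring search.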
