Possible Malware: redirection and dialogue box popup

Discussion in 'Malware Help (A Specialist Will Reply)' started by ElvisLives, Mar 31, 2011.

  1. ElvisLives

    ElvisLives Private E-2

    First I will describe the issue I am noticing, and then I will ask a few questions I have regarding the Read & Run Me First/XP Malware Removal/Cleaning Procedure, so that I carry it out properly.

    I am trying to figure out if I have an infection of sorts or not. Although I primarily use Firefox, I do use Internet Explorer regularly as well. Over the last month or two, when using Internet Explorer, I have had pages (seemingly from apps.facebook.com, although this could be coincidence as those are the pages I most often access in IE) appear to try to redirect to another website (I see a blank page with a strange web address) (after the current page has been loaded for a while, not while first trying to go to the page) and a standard gray dialogue box comes up with some sort of fake virus warning, asking me to click "OK" to download something or run a scan. The message varies - once it was purportedly from ESET and another time from AVG, neither of which I use or have installed. I have always gone into task manager and terminated Internet Explorer from there when that happened. Each time it has happened, I have scanned with Malwarebytes Antimalware, Microsoft Security Essentials, Spybot Search and Destroy, and Vipre Computer Rescue (each of which I make sure are up to date; each were run from an administrator account/elevated to administrator privileges except possibly MSE). Each time I have not found a thing. It has been my assumption that it is being caused by an ad that takes advantage of Internet Explorer in some way (it never happens when I am at the same pages in Firefox). The frequency of occurrences is approximately once a week, and the recurrence of the issue makes me wonder.

    I should note that last August MSE detected and removed what it called Trojan: Java/Mugademel.A and TrojanDownloader: Java/OpenConnection.EM. At that time I did nothing more than run scans with MBAM, Spybot Search and Destroy, Vipre Computer Rescue, Super Anti Spyware, Ad Aware and Microsoft Security Essentials, none of which found anything further (Note: MSE is my only active protection; the rest I scan with if I think there might be an issue, or schedule scans with). If there was anything left over from that it may show up once I carry out the cleaning procedure.

    Questions:

    Background - I have two created accounts. One is an account with administrator privileges (separate from the administrator account accessible when in safe mode) which I usually only access if I need to install updates or programs, or carry out some other maintenance. My other account is a limited user account in which I work all the rest of the time.

    1) Should I be running all of the programs in the malware removal/cleaning procedure from my created admin account, or should I run them on the limited user account as well?

    2) What about the programs in read & run me first (CCleaner, checking MSconfig, disabling Disk Emulation software)?

    3) Should I enable viewing of hidden files, etc. on both accounts?

    4) Is there anything else I should be aware of regarding my two accounts that I have not asked about with respect to the read & run me or the removal/cleaning procedure?

    5) I already have previously installed SuperAntiSpyware and MalwareBytes AntiMalware (which I may have gotten last year through links on MajorGeeks, from CNET, or from the company websites). Do I need to uninstall and make sure I redownload/reinstall from links on this forum?

    Thank you! I will happily run through the instructions and procedures once I have answers to these questions.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please follow the Read and Run First instructions on your Admin. account. But also log into your limited account and run both SAS and MBAM.
     
  3. ElvisLives

    ElvisLives Private E-2

    I was unsure if I could post again before the other post I submitted went through (since it appears moderators need to approve posts, and the one I submitted earlier today has not gone through), but I will try in order to post the rest of the files from my scans.

    In this post I should have the logs from MBAM, Combofix, and RootRepeal.
     

    Attached Files:

  4. ElvisLives

    ElvisLives Private E-2

    Hmm... I'm not sure what happened since the post I just submitted did go through (last time I submitted a post, it told me a moderator needed to approve it). Well, I will submit what would be the last of my 9 files in this post, assuming the post from earlier today goes through. It is odd, because the mouseover text from the attachment icon in the forum suggests that I do have 8 attachments in this thread so far, which is what it should be, if my earlier post (with much explanation and notes) does go through. I will attempt to duplicate the text from my earlier post tonight, and will post it again in the morning (along with the attachments that were in that post) if the missing post does not show up.

    In this post I should have attached MGlogs.zip.

    The missing post had logs from GooredFix, TDSSkiller, and SAS (2 logs, one from a scan in my admin account and another from the scan in my limited user account).
     

    Attached Files:

  5. ElvisLives

    ElvisLives Private E-2

    OK, here goes an attempt to reproduce the text of my missing post, with a little additional information (and hopefully not missing anything that I put in the missing post). I have decided not to wait for the morning to post the information and logs that were in the missing post - the missing post was submitted 7 hours ago (around 5:00 mountain time). I hope this does not cause any problems - I would just prefer to have all my information out there sooner rather than later for review. If the missing post did not show up in the morning and I posted then, it would push my thread's last post time up a lot.

    I finally finished running through the "Read and Run me first" and the "XP Malware removal/cleaning procedure."

    Altogether I have 9 files I am attaching. I went through the "Fixing Google Redirection/Hijacking Problems" as it seemed at least somewhat relevant. From there I have two logs, one from GooredFix, and one from TDSSkiller. After the five files from the XP Malware removal/cleaning, I attach an additional file for SAS and MBAM, because I ran scans with each on both my limited user account and my administrator account (which is what I understood I should do from TimW's post). All the other files were produced from scans/programs run on my administrator account.

    Notes from running through the procedures:

    I noticed the instructions in step 1 from "Google Redirection/Hijacking problems" for flushing the Internet Explorer and Firefox caches do not quite fit with my versions of Firefox (3.6.16) and Internet Explorer 8. I think I did what was wanted, though.

    In step 2 from "Google Redirection/Hijacking problems", I do not have explicit instructions for resetting my modem. I depressed the recessed button in the back of my modem until the lights on the front (for Power, DSL, Internet, and Ethernet) began blinking. Then I powered the modem down and left it off for 1 minute. Then, after turning it back on, I also instructed it to reboot through its software.

    When I ran SAS on my limited user account, I had to restart twice. The first time I realized I had not made all hidden and system files and folders visible for my limited user account (I had on my admin account), so I made that change after canceling a scan. After the second scan, I realized that having updated SAS in my administrator account did not update SAS in the limited user account, so I updated and then ran another scan, the result of which I am attaching. None of each of the scans appeared to find anything.

    When I ran combofix I did not see any messages that I was disconnected from the internet. This is probably not important at all, but I wanted to note it.

    When I ran MGtools, I did briefly see HijackThis open (first on the toolbar, and then as a window), but it closed itself before I could close it. Also, I received error message type 4, indicating that I do not have the Microsoft .NET Framework software installed. In add/remove programs I do have some entries similar to .NET Framework (Microsoft .NET Framework 4 Client Profile and Microsoft .NET Framework 4 Extended), but it must not be exactly what is needed. I will be happy to install the .NET framework from the link and rerun MGtools if you want me to later.

    After working through scans, I noticed that I sometimes took an unusually long time (that is, noticeably longer than I would expect) to switch between pages of posts on the malware forum (as I was trying to see if the missing post would show up). I was still on my administrator account, and this seemed to be correlated with high CPU usage of a svchost.exe process. Since I logged out of my admin account and into my limited user account (which is where the posts that have gone through were posted from), I have not experienced this issue - perhaps it was leftover from processes that began running with all the scanning and other programs run for the cleaning. I had not experienced this issue before, either.

    Additional information on new issues experienced on Thursday, which is before I went through the procedures (on Friday):

    While loading Facebook application pages, I encountered a gray popup upon loading a page. The title bar stated, "The page at [someaddress] says:" where "[someaddress]" is a strange web address. The popup stated, "Mozilla Security has found critical process activity on your system and will perform fast scan of system files". There was one OK button. I terminated Firefox from Task Manager. No redirection appears to have taken place.

    I also encountered (when loading a Facebook application page) a gray popup with title "confirm" that stated, "To display this page, Firefox must send information that will repeat any action (such as a search or order confirmation) that was performed earlier." It had resend and cancel buttons. I realized I had been seeing these types of popups recently, and had not thought much of them. This popup could be due to a change in how Facebook works with application pages - I'm not sure.

    In this post I should have attached the logs from GooredFix, TDSSKiller, and SAS.

    As I have been researching information for this post, I noticed that Firefox is not listed in add/remove programs. Odd, but probably insignificant and not relevant. I hope I have not written too much or been too detailed in my notes in this post.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any malware in any of your logs. What malware issues are you still having, if any?
     
  7. ElvisLives

    ElvisLives Private E-2

    Issues experienced before starting "Read and Run me first":

    1) Approximately weekly gray dialogue boxes in internet explorer sometimes purporting to be from an antivirus software, asking to run a scan or download something. Accompanied by a redirection of a page that had been loaded for a bit already to a strange address with a seemingly blank page.

    I have not experienced this issue since running through all of the procedures. However, given the infrequency of this issue, if it is still occurring, I may not notice for another week.

    2) Last Thursday - two different dialogue boxes in Firefox, one asking to resubmit information (which simply seemed odd for the Facebook application webpage), and another saying "Mozilla Security has found critical process activity on your system and will perform fast scan of system files".

    I have not seen either of these since running through the procedures. The Facebook application did undertake some changes on Friday which could have affected these dialogue boxes/popups if they were due to something from the webpage. I have noticed that the cleaning procedures we did seem to have wiped out many of the immunization protections Spybot Search and Destroy had put into place for Firefox - I don't know if that would have an effect on these popups/dialogue boxes either.

    Since the cleaning procedures:
    Very rarely a web page is slow to load which seems correlated with high svchost.exe CPU usage. Several times this happened in switching between pages of posts in the malware forum, and all the rest of the times it has happened if I had disconnected and then reconnected my ethernet cable and then opened Firefox.

    Do you think it is a possibility that the dialogue boxes I had seen are due to ads, and not actual malware?

    Let me know what you want me to do now. I have not yet reapplied the Spybot Search and Destroy immunization in case it would interfere with something else you wanted done.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    None of our scans would have affected Spybot. You can go ahead and re-immunize. Keep an eye on things and if some of them re-occur, let me know.
     
  9. ElvisLives

    ElvisLives Private E-2

    It would appear that the dialogue boxes are still happening in Internet Explorer. I left IE at a Facebook application page I had loaded (Mousehunt) and left my computer. Perhaps 30 seconds later, I heard a beep (I assume because a dialogue box came up) and found a dialogue box with the following text: "E-Set has found suspicious activity on your pc and will perform some action on your pc". This is quite similar to what I have seen before. The Facebook application page also seems to have been redirected to a mostly blank page, as seen in the screenshot. This is also what I had experienced before.

    Of course I do not have E-Set, and terminated internet explorer from the task manager. This time I managed to get a screenshot, which I am attaching to this post.
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  11. ElvisLives

    ElvisLives Private E-2

    I ran the eSet scan from my administrator account (since I needed administrator privileges to install it) via Firefox. Only 4 items were detected, two of which seem to be the false detections mentioned in the instructions for the online scanner. The other two I assume both relate to the minou partout.exe that was detected. That particular application I have had for quite some time (years) - it was passed around in an email from family. It basically animates a cat doing different things on your screen. It has been a very long time since I have run it, and don't really need it. Other scans I have run in the past may have picked it up but indicated that it was not exactly a threat, so I had previously left it on my computer.

    The dialogue box in IE was seen in my limited user account.

    This is probably unimportant, but I'll mention it anyway - approximately a year ago I reformatted my computer after a very sudden and obvious rogue antivirus software infection, and copied all my files back over from a newly bought flash drive. If minou partout.exe is involved (which I have some doubts about), I suppose it could somehow have been activated when I accessed the drive to copy files back, although I should have noticed if it were running due to the animation.

    I have only been using Internet Explorer some of the time for the last 5 months - before that I had been using only Firefox except for checking Windows Updates.
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  13. ElvisLives

    ElvisLives Private E-2

    I do not. I was not aware that something like that existed for Internet Explorer; I did recently start using Adblock Plus for Firefox (as a result of what I was seeing in Internet Explorer).

    I went ahead and installed it just now. What suggestions for its usage do you have?
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You will just have to test to see if it controls those pop ups.
     
  15. ElvisLives

    ElvisLives Private E-2

    So far I have not run into any problems in IE, although I have had rather limited usage thus far. However, I just experienced a redirection and a popup/dialogue box in Firefox (I had not seen something like this before - this one is attempting to be more convincing than the others I had seen). I was using Adblock Plus, using a filter that blocks malware domains rather than the English Easylist. I was browsing in the Facebook application Mousehunt, but I cannot say if I had just loaded a page or if I had been on a page for a while. I terminated Firefox via task manager. What do you suggest my next step should be? I was about to run a full scan with Malwarebytes Antimalware (to check and see if there are any malware that could be detected now) with administrator privileges from my limited user account, but thought I should ask first since I am already working with you on these types of issues. A screenshot is attached.
     

    Attached Files:

    Last edited: Apr 7, 2011
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, run a deep scan with MBAM. Then let's remove FireFox:

    We are going to be uninstalling your old version of FireFox and installing the new version. So do the below to save bookmarks:

    • Run FireFox and click Bookmarks.
    • Then select Organize Bookmarks.
    • Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.

    Now download and save the installer for the current version of FireFox but DO NOT install it yet. Get it here: Mozilla FireFox

    You will need to exit FireFox now and use Internet Explorer to continue with the below until we reinstall FireFox.

    Start by uninstalling FireFox and then reboot. Do not skip the reboot.
    After reboot, delete the below folders:

    C:\Documents and Settings\UserAccount\Local Settings\Application Data\Mozilla
    C:\Program Files\Mozilla Firefox

    where UserAccount is the actual user account name being used.

    Now reinstall FireFox from the file previously downloaded.
    Import your bookmarks file. (similar process to exporting).


    Is FireFox working okay now?
     
  17. ElvisLives

    ElvisLives Private E-2

    After updating MBAM, I ran a full scan in my limited user account by running MBAM as my Admin account. MBAM did not appear to find anything; the log is attached.

    Question: When I went through the cleaning procedures, you had me scan with MBAM both in my Administrator and Limited User accounts. Why? What is the difference? How does the scan I just did compare - is it the same as running a scan directly in my administrator account?

    I uninstalled my current version of Firefox and installed the new version. Apparently I had originally installed Firefox when my limited user account was an administrator, before I created a separate administrator account (thus I could only uninstall Firefox from my limited user account).

    I deleted the folders you requested; for the ones involving user account names, I deleted the requisite folders for my limited user account, my administrator account, and the computer's administrator account.

    After installing the new version of Firefox, I noticed that in my administrator account, one of my addons was still there, as were my bookmark items for that account (which I had forgotten to export anyway). In my limited user account, I did need to import my bookmarks, as well as reinstall both of my addons. However, the address bar does suggest sites when I type an address that I neither have bookmarked nor have visited since the reinstallation (that I visited before the new version of Firefox), although history does not reflect the sites.

    I am now running my Adblock Plus in Firefox using both the list for malware domains as well as one of the English lists.

    I hope I can handle the new Firefox version. From what I read, it seems potentially more secure and better performing - but I feel like I'm straining my neck with it at the moment. I did do some rearrangement to make it look similar to Firefox 3.

    So far no issues - but I have not had much of a chance to see any yet.
     

    Attached Files:

  18. ElvisLives

    ElvisLives Private E-2

    Actually, I was mistaken. The suggested sites for my limited user are only those that I had bookmarked previously.
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I just wanted to verify that nothing was hiding in your limited user account. Please let me know if your issues return.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:
