TVtropes.org redirecting to malicious websites? Am I infected?

Hello!

Recently, TVTropes.org has been acting odd. Before this, I’ve never had problems with this website.

First, a few weeks ago, before the main page of the website loaded, a website other than TVTropes came up with a gray background and a small gray pop-up that WARNED me that I need to update one of my Adobe programs. This seemed malicious to me, so I immediately exited the browser. Then, today, once again before the actual website loaded, I was taken to a website called “2.tvropes.org” instead. I definitely typed in the correct link, so I know I didn’t accidentally type “2.tvtropes.org”. I’m assuming that means TVTropes.org or my computer (maybe it’s malwared?) redirected me to another website?

I scanned “2.tvropes.org” with http://zulu.zscaler.com/ and it said it was malicious. See here: http://zulu.zscaler.com/submission/show/4762d16e13f12e7ebd4fe355ccab872e-1384470033

According to Zulu, “2.tvropes.org” contains adware/spyware. I’m not sure if I have good adware/spyware protection, so I’m a bit concerned. Avast! doesn’t detect ad/spyware, but MBAM does, correct? Is MBAM a good choice for ad/spyware protection, or do you guys have any other recommendations?

Lastly, the computer slowed down considerably after the “2.tvropes” incident (though that could be because it’s been turned on for a long time), but a quick-scan from MBAM didn’t detect anything. The computer has been working fine after turning it back on. But I’m still concerned about whether or not the computer is infected with ad/spyware. Going to do a full-scan with MBAM tomorrow when I have the time.

Sorry for the long post.

Best regards.
-Misuzu

Avast! doesn't detect ad/spyware, but MBAM does, correct?
wrong.... avast detects all types of malicious code
Is MBAM a good choice for ad/spyware protection
it is the best...... pro version is recommended, then you get autoupdate and a protection module

do you use removable drives? MCShield usb protector. www.mcshield.net

hi Misuzu,

You’re correct in that the redirect you’re seeing is the result of a hacked site redirect to the actual secondary site that contains or drops malware onto a victim’s system. Most of the time this redirect is invisible to the user. Drive-by attack.

An additional tool to help protect against malicious modifications of any browser you use when surfing: http://www.sandboxie.com/

Essentially, you would be running your browser in a virtualized sandboxed protected environment separated from the rest of your system. Good for other programs as well.

Do tell how MBAM turned out.
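The reply above describes the mechanism: a compromised page silently forwards the visitor to a second host that serves the payload, and the only visible trace is a lookalike hostname in the address bar. The script below is an added example (not something posted in this thread or shipped with any of the tools named here) showing how a defender can audit such a chain offline. It compares every hop of a redirect chain against the domain the user typed and flags hops that leave it, marking those within a small edit distance as lookalikes. The chain used here is constructed from the hostnames mentioned in the thread plus a reserved `example.net` host; the `follow_http_redirects` helper records HTTP 3xx hops from a live fetch and is an assumption about how one would collect a chain, since a script- or meta-refresh-based redirect would not be captured by it.

```python
"""Audit a browser redirect chain for hops that leave the domain the user typed.

Added example for this thread; constructed inputs, no network access required.
"""
import urllib.request
from urllib.parse import urlsplit


def registrable_domain(host):
    """Naive registrable domain: last two labels (no public-suffix list,
    so multi-part suffixes such as .co.uk are not handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance, used to spot typosquat-style lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def audit_redirect_chain(typed_url, chain, lookalike_max=2):
    """Return one finding per hop whose registrable domain differs from the
    domain of typed_url. A small edit distance is reported as 'lookalike',
    anything else as 'off-domain'. chain[0] is the URL that was typed."""
    expected = registrable_domain(urlsplit(typed_url).hostname or "")
    findings = []
    for hop, url in enumerate(chain):
        host = urlsplit(url).hostname or ""
        domain = registrable_domain(host)
        if domain == expected:
            continue
        distance = levenshtein(domain, expected)
        kind = "lookalike" if 0 < distance <= lookalike_max else "off-domain"
        findings.append({"hop": hop, "host": host, "domain": domain,
                         "kind": kind, "distance": distance})
    return findings


class _RecordingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Records each Location target while urllib follows HTTP redirects."""

    def __init__(self):
        super().__init__()
        self.hops = []

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.hops.append(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def follow_http_redirects(url, timeout=10):
    """Fetch url and return [url, hop1, hop2, ...] for HTTP-level redirects.
    Assumption: only 3xx redirects are seen; JavaScript or meta-refresh
    redirects (common in drive-by chains) need a browser to observe."""
    handler = _RecordingRedirectHandler()
    opener = urllib.request.build_opener(handler)
    with opener.open(url, timeout=timeout):
        pass
    return [url] + handler.hops


# Constructed chain modelled on the thread: typed the real site, landed on a
# one-letter-off host, then on an unrelated reserved example host.
TYPED_URL = "http://tvtropes.org/"
CONSTRUCTED_CHAIN = [
    "http://tvtropes.org/",
    "http://2.tvropes.org/",          # hostname reported in the thread
    "http://ads.example.net/update",  # constructed, RFC 2606 reserved name
]

if __name__ == "__main__":
    for f in audit_redirect_chain(TYPED_URL, CONSTRUCTED_CHAIN):
        print(f"hop {f['hop']}: {f['host']} -> {f['kind']} "
              f"(distance {f['distance']} from typed domain)")
```

Run against the constructed chain, hop 1 is reported as a lookalike one edit away from the typed domain and hop 2 as an unrelated off-domain host; a clean chain that stays on the typed domain (including a `www.` hop) produces no findings at all.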

Thank you for the recommendations and sorry for the late post.

I did a full-scan with MBAM and a boot-scan with Avast! and neither of them found any malware. :slight_smile:
Is there anything else I should do?

Based on what you’ve said, I’d monitor the system for a bit, as you say it seems to have recovered its former speed after a reboot. You could try a run of the free version of Hitman Pro and see if it finds anything (I doubt it). But be careful of what you do if it does find something: always quarantine the suspicious file, just in case you need it and it is found clean later.

If you feel you need the help of a certified malware expert to ensure nothing is amiss, then go here: http://forum.avast.com/index.php?topic=53253.0

Download and run these three programs: Malwarebytes, OTL, and aswMBR.exe. Attach all logs in your next reply should you decide you do need this help. You can attach the Malwarebytes log since you already have it.

Site may indeed spam and redirect to malware/adware.
From that platform HTML:RedirME-inf Trj is being spread: HTML:RedirME-inf [Trj] is indeed being flagged by avast!

So you are probably fully protected against this threat because avast! av is the only av to detect this!
Avast! is among the best, you see. Aren’t you lucky then? ;D

polonus

Well, just to make sure everything is okay, I scanned with OTL and aswMBR. I also did a quick-scan with MBAM, since it’s been a few days since my last scan with it. All the logs I got are attached to this post.

As for whether the computer is working okay…

For the most part, the computer seemed fine after I restarted it. Though, something odd recently happened… I started up the computer last night and it was working fine, but after a few minutes, the cursor stopped working. When I tried to move the cursor, a symbol popped up that showed a finger with a slashed circle. I also noticed an orange light above the touchpad, which I had never seen before. However, I could still use the keyboard and everything else as normal. Only the touchpad wouldn’t work and consequently, the cursor wouldn’t move. I took out the battery to “restart” the computer since I couldn’t move the cursor.

Another oddity was that Firefox refused to start and claimed that it was already running, even though we hadn’t touched Firefox after turning the computer on. I had to restart the computer to make it work.

I’m not sure if any of the above would have anything to do with malware though…

Doesn’t hurt to be sure.

I’ve contacted a malware expert to have a look-see. It may be a bit as he may live in another time zone than you.

Thank you! I really appreciate all your help guys! ;D

Oh, one last thing… I forgot to mention earlier… After scanning with aswMBR, it created a file on the desktop called “MBR.dat”. What is that? Is it safe to delete or do I need it?

Yes, you can delete mbr.dat

I can see an indication of an old ZeroAccess infection, so I will run a stronger tool

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now

Here’s the ComboFix log.

Combofix didn’t restart my computer. Is this normal?

Also, the computer seems to be working as well as it did before. Not much seems to have changed. There’s a slight slowdown, but I think the slowdown is because the computer has been on for several hours and it’s getting warm. The only “oddity” so far after using ComboFix was that Firefox (the main browser we use) told me that it wasn’t the default browser and asked me if I wanted to make it so. I do believe this happened the last time I used ComboFix, so this is probably normal? Lastly, when the computer turned off the display (when you don’t touch the computer for a set amount of time) it reset the files on the desktop back to their default places instead of where I put them. So far, no other “odd” things have happened.

Thanks, essexboy! :slight_smile:

EDIT: I got to go to bed soon… Will it be okay to turn off the computer or use the internet normally after using ComboFix?

Yes, use it as normal. Are you still getting the anomalies with the redirect to 2.tvropes?

I haven’t gone back to TVtropes.org since that happened. I assumed it was the website instead of the computer redirecting me.
Does the ComboFix log look okay? Any problems/malware?

Nope, the ComboFix log was good; the registry entry I saw was a stray and harmless. I agree that the website was at fault. If you are happy I will tidy up :slight_smile:

So the infection you talked about earlier turned out to be benign?

Also, we used the internet very little between now and the ComboFix scan, so I doubt we got any malware. So if you don’t see any problems, I think everything is okay. :smiley:

It was a ZeroAccess registry entry, but it had no files associated with it so it was completely harmless :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall
    (Notice the space between the “x” and “/”)
    then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go Start > All Programmes > Accessories > System tools
Right click Disc Cleanup and select Run as administrator
When it pops up, at the first prompt select OK; after it has done some calculations the tabs will appear
Select the More Options tab
Press the System Restore and Shadow Copies Cleanup button

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place? Keep safe :wave:

I forgot to temporarily disable Avast! before uninstalling ComboFix and I got the message attached in this post. Will this cause any problems? That said, I did as the message said and ComboFix did seem to uninstall successfully. Though, the computer does seem slightly laggy, though it did before the uninstall as well. The computer’s fan doesn’t work very well, so it may just be that the computer’s getting warm, hence the lag.

Also, how do I uninstall aswMBR? Do I just delete it?

EDIT: Nevermind, OTL got rid of it for me. I didn’t see the OTL part of your post.

Sorry for all the questions.

No problem, just delete aswMBR :slight_smile:

Okay, I uninstalled all the programs. Everything seems to be working okay now. No more lag after I restarted the computer.

Thanks for everything! ;D
Best regards.
-Misuzu

My pleasure