Browser Hijacker I can't get rid of

[Curson]

Hi lkbart,

Could you please list the browsers which are redirecting ?
Are other computers on on the same network affected as well ?
Is your router admin panel password weak or default ?

Regards.

[lkbart]

Firefox, Chrome
No, there are 4 other computers unaffected.
No, it's not default.  Not a weak password, probably not terribly strong, but nothing common or a word or anything like that.  I am updating it now to a stronger one.

[Curson]

Hi lkbart,

This is really unusual.
Could you please confirm that your ISP is Cox Communications ?

Regards.

[lkbart]

Yes, it is Cox

[lkbart]

An interesting thing - back in September I got an email from Cox saying that one of our computers may be infected with a virus; we scanned everything and nothing ever showed up, no symptoms, nothing caught in any scans.  I called Cox & basically they said that if they thought we had the virus that they could and would shut off our internet, they couldn't tell me how they got the report that we had an infected computer, just said I should go to their website to access their security software (which is McAfee).  Never found anything, and never heard back from Cox.  And we still have internet.  I don't think what I've got is that virus, as it apparently gives redirects in google searches to ads, and I've never had that happen (it just takes over one browser tab that's already open), and I haven't had any programs fail to run.  The only part of it that seems to be the same (from the blip I read) is that the services it uses don't show it being infected.

Not sure that this helps, but thought I'd throw it out there if it might.  Here's the email from Cox, copied & pasted:

Dear Subscriber,
 
Cox has identified that one or more of the computers in your home may be infected with the Alureon / TDSS Virus.
 
Viruses can take control of your PC and gather your personal information such as passwords and credit card numbers, putting your data at risk
 
The following FREE security tools could help you detect and remove infections from your systems:
The Microsoft Safety Scanner
http://www.microsoft.com/security/scanner/
 
Norton Power Eraser
http://security.symantec.com/nbrt/npe.aspx
 
Cox Security Suite Plus powered by McAfee is included FREE with your Cox High Speed Internet service.  This software can be used to help protect up-to 5  devices in your home, including Windows and Mac OS computers, and Android and Apple tablets and smartphones.
To get started, simply browse to www.cox.com/securitysuite and login with your Cox primary User ID and Password.
If you already have an Anti-virus solution installed, you should refer to your software manual before installing the Cox Security Suite.
 
If you need additional support, Cox offers premium technical support at reasonable rates. 
Visit Cox Tech Solutions at https://secure.coxtechsolutions.com/ or call 877.TEC.SOLV (832.7658) to get started.
 
If you would like additional information on the Alureon / TDSS Virus:
http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Virus%3aWin32%2fAlureon.H
 
If you have any questions regarding this matter, you may call Cox Customer Safety at 800-753-6085.
 
Regards,
 
Cox Customer Safety

[lkbart]

So I've run some additional scans - a couple from the email from Cox, although I can't get the Cox Security Suite to open for me, not sure if this is because of the virus or if Cox's website is just screwed up (won't go there on another computer either, so I think it's their website).  I ran the Microsoft Safety Scanner, TDSSkiller, Norton Power Eraser, Rkill, Malwarebytes, Zemana & ComboFix; am attaching the first ComboFix report, mainly because I have no idea how to read it.  I ran the ComboFix again, mainly because I opened it to see if there were any options & it just simply runs, so after the second run, it put the reports from the first run in its "Qoobox" folder, those two files are the ones I've attached.   

[Curson]

Hi lkbart,

ComboFix log is clean.
Did TDSSkiller detect anything ?

Regards.

[lkbart]

Honestly can't remember right now - it produced 2 logs & I've attached those.

[lkbart]

So, I bought a new computer (needed more RAM anyway).  I can't load any personal information on the infected one without fear of it being compromised, and I'm really not in the mood to share my data with all the scammers out there.  Only issue right now is that I have no confidence that the 2 drives that were attached to it are clean.  There are no program files on them (or shouldn't be), there are mainly photo files - CR2, JPG, PSD, PNGs, a few GIFs & some BMPs.  Also some text , WPD (WordPerfect) & PDFs.   

I have read that because photo files contain a space for the metadata, that they could fairly easily be compromised and someone could hide some code in them.  What I don't know is if a photo file is hiding code, will the photo still show up like normal?  And is there any way to scan these drives for stuff like that?  I do have another old computer that I can hook these drives up to, and see if they infect it - it's old and we don't use it, & I'm thinking there's no personal data on it. 

The other thing I may do, since the infected computer has a nice SSD, I may format it from DOS or Linux, and then reinstall windows & see what happens.  I'm just wondering how well the drive was formatted from the Windows 7 formatting & installation, since it took hardly any time at all for it to format, and installation was a lot quicker than when I did the Windows installation without formatting. 

Thoughts on any of this?

[lkbart]

So, got the new computer hooked up, was using Firefox & the blasted Urgent Firefox Update popped up.  I was horrified - I had not plugged any external drives into it and I hadn't been anywhere I would have previously considered to be sketchy.  So I did some research on another computer & apparently it is just an ad - a pretty aggressive and malicious looking ad, but is supposed to be stopped by an ad blocker extension.  Just search for "Fake Firefox Update".  I also installed an ad blocker in Chrome for when I use it since that is where I got the first redirect.  I guess that's why the scans never showed anything, because I never clicked on it and let it install anything, I just pulled the plug.

Since I had only been on like 3 sites, I disconnected from the network and checked the history.  The only thing it could have come from is:  r.search.yahoo.com  We have now blocked that site in the router.  And I believe I had typed a search in the address bar (I have an email at att.net, and yahoo is in the url), and somehow that had to be what caused this crap.  I attached a photo of the history log & I don't read code, but that address can't be legit.  So I have sworn off any Yahoo anything on my computers (am thinking maybe I need to replace that email with a different one too)!

Thanks for all your help.  I did get a new computer out of the deal! I guess that should make up for some of the extreme frustrations of the past week. lol

[Curson]

Hi lkbart,

The TDSSKillers logs were clean as well.

I have read that because photo files contain a space for the metadata, that they could fairly easily be compromised and someone could hide some code in them.  What I don't know is if a photo file is hiding code, will the photo still show up like normal?  And is there any way to scan these drives for stuff like that?  I do have another old computer that I can hook these drives up to, and see if they infect it - it's old and we don't use it, & I'm thinking there's no personal data on it. 

Metadatas can be used to install malware using exploits but if your softwares are up to date, it can't happen.
I suggest you to do a full antivirus scan of the drive, so you can be sure it doesn't contain anythins malicious.

The other thing I may do, since the infected computer has a nice SSD, I may format it from DOS or Linux, and then reinstall windows & see what happens.  I'm just wondering how well the drive was formatted from the Windows 7 formatting & installation, since it took hardly any time at all for it to format, and installation was a lot quicker than when I did the Windows installation without formatting.

Formating of a SSD drive is a speedy process.
This is perfectly normal.

Since I had only been on like 3 sites, I disconnected from the network and checked the history.  The only thing it could have come from is:  r.search.yahoo.com  We have now blocked that site in the router.  And I believe I had typed a search in the address bar (I have an email at att.net, and yahoo is in the url), and somehow that had to be what caused this crap.  I attached a photo of the history log & I don't read code, but that address can't be legit.  So I have sworn off any Yahoo anything on my computers (am thinking maybe I need to replace that email with a different one too)!

The URL is likely linked to an ad.
I advice you to install an Adblocker on your favorite browsers : uBlock Origin for FireFox and uBlock Origin for Chrome.

Thanks for all your help.  I did get a new computer out of the deal! I guess that should make up for some of the extreme frustrations of the past week. lol

You are welcome.
Yet, I'm really sorry we weren't able to pinpoint the source of the redirections.

Regards.