
I'm running Windows 7. Yesterday, when I opened a website with Firefox, I saw 3 ads at the top of the site.

Then, when I checked other websites with different browsers, I saw these ads as well (screenshot not reproduced here).

In the page source I can't see any code for these ads, but after using Inspect Element I found this code added to the header:

```html
<iframe src="http://85.25.138.211/index.php?3a2j"></iframe>
```

And the code in the body for this ad is:

```html
<a href="http://track.impreskin.pl/product/ImpreSkin/?uid=21002&amp;pid=153&amp;bid=1659" rel="nofollow" title="wygladzanie zmarszczek"><img src="http://track.impreskin.pl/banner/?uid=21002&amp;pid=153&amp;bid=1659" alt="wygladzanie zmarszczek"></a>
```

I don't see any new or unwanted plugins in my browsers, and I haven't installed Hotspot Shield.

Is this malware, and if so, how can I remove it?

Mohammad Fanni
  • I'm not sure why you think it is malware. It's just a banner. You see them everywhere on the internet. – Haplo Oct 27 '14 at 15:03
  • Because these ads are not from those sites; they are displayed on Stack Overflow and on my personal website, where I did not add them. – Mohammad Fanni Oct 27 '14 at 16:20
  • Are you also using an Edimax router like [me](http://superuser.com/q/831994/213663)? – Martin Prikryl Oct 29 '14 at 07:09
  • @MartinPrikryl: No, I am using a D-Link wireless modem. Do you think the source of this virus is a PC or mobile that connects to this modem? – Mohammad Fanni Oct 29 '14 at 19:07
  • @MartinPrikryl: Do you know the name of this kind of virus? – Mohammad Fanni Oct 29 '14 at 20:33
  • @mohammad6006 Do you mean your PC/mobile or the attacker's PC/mobile? I do not believe the source of the problem is an infected PC/mobile. I do not even think that someone hacked your Wi-Fi (and re-configured the router afterwards). As the problem seems worldwide, remote exploitation of some router vulnerability is more likely. – Martin Prikryl Oct 30 '14 at 07:04
  • @MartinPrikryl I want to research this kind of vulnerability. Can you help me with what keywords I should search for? – Mohammad Fanni Oct 31 '14 at 07:37
  • @mohammad6006 I do not know. I had difficulties myself finding anything about it. – Martin Prikryl Oct 31 '14 at 07:52
  • Something like "D-Link/Edimax router vulnerability". I've found [Router Vulnerability](http://community.plus.net/forum/index.php/topic,124783.0.html). Though it mentions Edimax only, not D-Link. – Martin Prikryl Oct 31 '14 at 07:57

3 Answers


You are experiencing malware which has been designed to operate just before your web browser displays web pages. It typically intercepts a browser request to retrieve a web page, analyzes the site you are visiting and tries to inject HTML ads which may or may not be pertinent to what you are viewing.

You will have to check the proxy settings of all of your web browsers and run full malware and antivirus scans on your PC, because your computer is severely infected.

Adblock will not help you; this is a virus. I would confidently guess that all web pages are loading very slowly, and if you check your Task Manager then Firefox is probably using 300-500 MB just to view one website.

MonkeyZeus
  • Yes, but how can I detect this virus? I have updated ESET Smart Security and scanned with Windows Defender but cannot find any virus. – Mohammad Fanni Oct 27 '14 at 16:34
  • Malwarebytes works very well, but you should follow the instructions on http://superuser.com/questions/100360/how-do-i-get-rid-of-malicious-spyware-malware-viruses-or-rootkits-from-my-pc – MonkeyZeus Oct 27 '14 at 16:42
  • Scanned with Malwarebytes, but the problem is not solved :( – Mohammad Fanni Oct 28 '14 at 09:50
  • You should probably wipe your computer back to a clean install. Please read the answers in the link I posted. If you underestimate the severity of the issue then you are going to have a bad time. If you truly believe that your system can be cleaned then you can try **[ComboFix](http://www.bleepingcomputer.com/download/combofix/)** – MonkeyZeus Oct 28 '14 at 13:35
  • The problem is actually [a compromised router](http://superuser.com/q/831994/213663). It's not a local infection. – Martin Prikryl Oct 29 '14 at 07:05
  • @MartinPrikryl has mohammad6006 confirmed this? – MonkeyZeus Oct 29 '14 at 16:09
  • @MonkeyZeus Yes, see [his accepted self-answer](http://superuser.com/a/832972/213663). – Martin Prikryl Oct 29 '14 at 19:20

After some research I found this answer by Martin Prikryl:

... the problem is happening on the cellular network only because of caching. After being connected to the cellular network for some time and refreshing repeatedly, the problem went away, and it reappeared only after connecting back to the Wi-Fi.

This made it obvious that the problem is due to a compromised router. Resetting it back to factory settings fixed it.

Mohammad Fanni
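Both the injected iframe quoted in the question and the Wi-Fi-versus-cellular comparison in the accepted answer can be checked mechanically. The following is an added example (not code from the question or from any answer): it flags elements in a page's HTML whose host is off the page's origin, treating a bare IP address as the strongest signal, and then keeps only the findings present in the copy fetched over the suspect network but absent from the copy fetched over the other path. The page URL `http://example.com/` and the two HTML copies are constructed samples.

```python
# Added example (not from the question or any answer): flag ad injection of the
# kind shown in the question and confirm it by diffing two copies of one page.
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Element -> attribute that carries the remote reference worth inspecting.
WATCHED = {"iframe": "src", "img": "src", "a": "href", "script": "src"}

class RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url) pairs for the watched elements
    def handle_starttag(self, tag, attrs):
        attr = WATCHED.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:
            self.refs.append((tag, url))

def is_ip_host(host):
    # A bare IP as host is typical of injected content, rare for real sites.
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_offsite(html, page_url):
    """Return (tag, url, reason) for elements pointing off the page's origin."""
    origin = urlparse(page_url).hostname
    parser = RefCollector()
    parser.feed(html)
    findings = []
    for tag, url in parser.refs:
        host = urlparse(url).hostname
        if host is None or host == origin:
            continue  # relative link or same-site resource
        reason = "raw IP host" if is_ip_host(host) else "third-party host"
        findings.append((tag, url, reason))
    return findings

def injected_only_via(html_suspect, html_reference, page_url):
    """Findings in the suspect copy that the reference copy does not have."""
    seen = {(t, u) for t, u, _ in find_offsite(html_reference, page_url)}
    return [f for f in find_offsite(html_suspect, page_url) if f[:2] not in seen]

# Constructed samples: clean copy (cellular) and the Wi-Fi copy carrying the
# iframe quoted in the question.
CLEAN = '<html><head></head><body><a href="/about">About</a><img src="/logo.png"></body></html>'
TAMPERED = CLEAN.replace("<head>", '<head><iframe src="http://85.25.138.211/index.php?3a2j"></iframe>')
```

Legitimate third-party resources (CDNs, analytics) will also be reported as "third-party host", so the diff between the two network paths is what isolates the injection.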

I have the exact same problem. Platform: Windows 7 64-bit. It does not only attack Firefox. It hacks all your web browsers (Firefox, IE, and I'm guessing it also would have done Chrome, too)... that means it's either installed as an extension or as some piece of global cached scripting code (for all browsers)... or maybe even something more global.

I've managed to "hack" a "band-aid" solution to the problem, namely to block these IPs with Windows Firewall, and also to download the Firefox AdBlock extension, but that does not address the underlying problem, namely that the system itself has been hacked.

PARTIAL RESOLUTION (solves most of the visual misery): search your Windows directory and edit either "lmhosts" or "hosts" to map these URLs to "localhost":

  • promo.cityads.ru
  • track.impreskin.pl
  • rcm-na.amazon-adsystem.com
  • www.juicyads.com

-or-

block these remote IPs in the firewall settings:

  • 72.21.202.62
  • 81.177.161.202
  • 54.192.118.235
  • 199.83.129.149

-and- install AdBlock for Firefox.

This will =still= leave you with the hacker's name on your pages.

UNRESOLVED ANGLES TO FIX THE REST: I'm still working on this part... but I'm trying a disk file contents search for .js and/or PHP/CSS files containing "wygladzanie zmarsczek" and the above URLs, and then removing the related files.

Barring success, see about clearing all .js, PHP and CSS caching... sorry, but I'm still working on finding out how to do that.

None of that proves you have really cleaned all the malware from your PC. It's just addressing a symptom (like if you had a disease but took aspirin to reduce the pain). There might be a lot more this virus left on the PC.

So this solution is a far cry from "perfection", which would be to understand the attack vector this virus used, to close the security hole, and to remove all files it may have deposited -- but it's still a lot better than nothing.

If anyone can come up with the formal name for this attack and answer any of those questions, it would help to build a public understanding which resolves the problem.

RESULTS: These files came back associated with that search signature:

C:\Users\computer_name\AppData\Local\Mozilla\Firefox\Profiles\pxxczg4r.default\cache2\entries\2E0C4058E084A83FFD5E59DF25634B4708213893

C:\Users\computer_name\AppData\Local\Mozilla\Firefox\Profiles\pxxczg4r.default\cache2\entries\C116A7489A2D13D65DA56BD218030121E46D2476

C:\Users\computer_name\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\HND03M2G\ga[1].js

Relativize the path for your own PC by replacing "computer_name" with your own PC name. Those cache files are generated with what might be a random name under Firefox... nuking the entire cache might be the best solution.

Kunal
  • I would not recommend modifying lmhosts or hosts. Additionally, those links are not helpful, as they are specific to one advertisement each. – cutrightjm Oct 28 '14 at 02:34
  • Look man -- read up the list. THERE IS NO OTHER ANSWER HERE. So for now it's my way or the highway... :-) Also, why on earth are you saying don't modify lmhosts? That's what it's for! – Sam Jennings Oct 28 '14 at 03:24
  • Hi Sam, there's an answer right above yours that has been accepted. Also, please read this article: the LMHOSTS and HOSTS files are to map to internal servers or reroute traffic (which this does, but in the wrong context), not to serve as a "band-aid" to patch malware: http://technet.microsoft.com/en-us/library/cc977602.aspx – cutrightjm Oct 28 '14 at 04:24
  • See [Advertisement suddenly appearing on top of almost every page](http://superuser.com/q/831994/213663) – Martin Prikryl Oct 29 '14 at 07:06