is this virus - gertosta.com, strigols.com

Hi

Yesterday, after I clicked a link in Firefox 3.6.13, I was redirected to the strigols.com page. Today, after I clicked a link on a price comparison portal which was supposed to take me to an online shop, I was redirected to the gertosta.com page. Both pages, strigols.com and gertosta.com, had different content but the same layout, i.e. the same colours, the same images and the same menu layout. They say something about some company, but there is no contact info. According to whois, both pages are registered in Russia.
Is this some trojan horse, virus, etc.?

Hi adamwojciechowski1111,

Welcome to the forums!
It could be a rather innocent redirector, but also a nasty infection… hard to say at this point.

Can you download MBAM antimalware and see what it comes up with?

A second opinion could be run with HitmanPro (http://www.surfright.nl/en/hitmanpro); it's a portable scanner.

What is your primary Security Solution?

Hi

Thank you for quick reply. I scanned my computer using 2 suggested applications and NONE of them detected any problem.

Thanks
Adam

Please do a scan with HiJackThis and copy-paste the log when it finishes scanning.

Hi

Thank you for your reply.

Here is the log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:09:00, on 30/01/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16700)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Lexmark 6500 Series\lxdfamon.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM..\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [Adobe ARM] “C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe”
O4 - HKLM..\RunOnce: [Malwarebytes’ Anti-Malware] C:\Program Files (x86)\Malwarebytes’ Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU..\Run: [TrueCrypt] “C:\Program Files\TrueCrypt\TrueCrypt.exe” /q preferences /a logon /a devices
O4 - HKUS\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User ‘USŁUGA LOKALNA’)
O4 - HKUS\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User ‘USŁUGA LOKALNA’)
O4 - HKUS\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User ‘USŁUGA SIECIOWA’)
O4 - HKUS\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User ‘USŁUGA SIECIOWA’)
O8 - Extra context menu item: &Clean Traces - C:\Program Files (x86)\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files (x86)\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files (x86)\DAP\dapextie2.htm
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra ‘Tools’ menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O16 - DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms35 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall35.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: lxdfCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\x64\3\lxdfserv.exe
O23 - Service: lxdf_device - - C:\Windows\system32\lxdfcoms.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)


End of file - 7497 bytes


USLUGA LOKALNA = LOCAL SERVICE (eng.)

Thanks
Adam

According to the log, everything is OK. MBAM and HitmanPro didn't find anything, so I think that your PC is not infected. If you don't have it already, you can install WOT in your browser; it'll warn you about dangerous pages.

I wish you were right that I'm not infected. Assuming I'm not infected, I wonder what caused the redirection to these pages yesterday and today.


You're not infected; probably the pages you visited contain a redirecting script. Could you give us the exact links from which you were redirected?
Also, I strongly recommend installing WOT in your browser(s).

Did you have an infection in the past?

Some malware will alter the hosts file. Thus the problem could continue even after the infections are removed.

No, I did not have any infection in the past. 5 minutes ago I was redirected from
http://www.techsupportforum.com/forums/f50/is-this-virus-gertosta-com-strigols-com-547410.html
to http://iklabuxa.com/index.html. This page looks similar in terms of layout to gertosta and strigols.

My hosts file looks ok to me. All lines are commented out by # sign.

Can you verify your hosts file and check your DNS server settings?

SiteInspector doesn't flag the site as an "automatic infector":
http://siteinspector.comodo.com/taskreport/?uid=1692

hosts

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost

DNS Servers . . . . . . . . . . . : 173.192.105.217
173.193.227.124

Maybe the mentioned sites are not dangerous, but I'm getting nervous about being redirected to the same strange pages. If Firefox were redirecting me to its own website, I would understand, but I am being redirected to the same strange website.

Yes, I would become very nervous also; there is something "wrong" somewhere…

Can you try a rootkit scan with Gmer and Rootrepeal?
http://www.gmer.net/

See if any suspicious warnings are triggered?

Are you running TrueCrypt full disk encryption? If so, did you have any issues lately with the system not accepting the password at boot?

I ran Gmer. Here are the results:


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-30 20:22:44
Windows 6.1.7600
Running: 2he5gjch.exe

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002186ae4b56
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002186ae4b56@444e1a208d5b 0x98 0x5A 0x2A 0x21 …
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002186ae4b56 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002186ae4b56@444e1a208d5b 0x98 0x5A 0x2A 0x21 …

---- Files - GMER 1.0.15 ----

File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp 0 bytes
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\baseupd 0 bytes
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\baseupd\BASE_UPD_END_USER_v7543.cav 21172 bytes
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\baseupd\BASE_UPD_END_USER_v7544.cav 64822 bytes
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\CAV5210.tmp 8388608 bytes

---- EOF - GMER 1.0.15 ----

RootRepeal does not work and says it does not support 64-bit OSes.
Regarding TrueCrypt: I have 2 partitions on the hard disk. C is not encrypted, the other one is encrypted. I had no problem with password acceptance lately. I'm thinking about formatting partition C and reinstalling Windows.

Agree.
Being redirected isn’t always malicious.

However, in Firefox you can go to Tools > Options > Advanced > General
and tick "Warn me when websites try to redirect or reload the page".

Also, you might consider keeping your browser inside ‘Sandboxie’ in the future.
It takes away that feeling of playing ‘Russian Roulette’ while browsing.


You have quite a few "unknown owner" files in the log:

Unknown owner

Also:
DNS Servers . . . . . . . . . . . : 173.192.105.217 173.193.227.124
Is this your ISP's DNS server? I don't see much info on it on Google (to be fair, I didn't look very hard either). If it's not, whose DNS is it? If that's the case and you want to use a more secure DNS, follow the steps here: http://www.comodo.com/secure-dns/ On the bottom right side of the page, click on Windows XP, Vista (Windows 7 too), Mac (Apple), or router.

If you've got some time, feel free to run the "file checker" (it will take some time):
Click on the "START" button ----> Click on "RUN" and type in:
sfc /scannow

We run a large ISP and were informed by one of our broadband modem vendors that there is someone hacking modems, changing the DNS setting from dynamic to static and changing the DNS servers to the two listed in this thread. They think that it is someone setting up for a massive hacking/phishing attempt or other malicious activity. Check with your provider on what the proper setting should be, and change the modem password to something more secure. Broadband modem brands apparently involved include Comtrend, Belkin, D-Link and Linksys.
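The two checks the thread keeps coming back to, the hosts file and the configured DNS servers, can be automated so that a user reading an `ipconfig /all` paste or a hosts dump does not have to eyeball it. The script below is an added example written for this thread and is not code from the forum or from any of the tools mentioned in it. It assumes the resolver list the user expects (the Comodo Secure DNS addresses reported later in the thread plus a hypothetical LAN gateway, 192.168.1.1) and treats the two addresses the ISP post reports as planted on hijacked modems as known-rogue; the `ipconfig` excerpt, the hosts file and the hostname `www.example-bank.test` are constructed sample inputs, not data from the page.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed sample of the relevant part of an `ipconfig /all` listing, laid
# out the way the thread's pastes show it: the first resolver follows the dotted
# label, further resolvers sit alone on indented continuation lines.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 173.192.105.217
                                       173.193.227.124
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed hosts file: the stock Microsoft comment lines plus one active
# mapping a user would not have added (hypothetical hostname).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 localhost
10.0.0.5 www.example-bank.test   # planted entry
"""

# Resolvers this machine is expected to use: the two Comodo Secure DNS
# addresses reported in the thread plus an assumed LAN gateway address.
EXPECTED_RESOLVERS = {"156.154.70.22", "156.154.71.22", "192.168.1.1"}

# Resolver addresses the thread reports being planted on hijacked modems.
KNOWN_ROGUE_RESOLVERS = {"173.192.105.217", "173.193.227.124"}

DNS_LABEL = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)?\s*$")
CONTINUATION = re.compile(r"^\s+(\S+)\s*$")


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
    except ValueError:
        return False
    return True


def parse_dns_servers(ipconfig_text: str) -> list[str]:
    """Collect every resolver listed under 'DNS Servers' in `ipconfig /all` output."""
    servers: list[str] = []
    in_block = False
    for line in ipconfig_text.splitlines():
        label = DNS_LABEL.match(line)
        if label:
            in_block = True
            if label.group(1):
                servers.append(label.group(1))
            continue
        cont = CONTINUATION.match(line) if in_block else None
        if cont and _is_ip(cont.group(1)):
            servers.append(cont.group(1))   # indented continuation line
        else:
            in_block = False                # any other line ends the block
    return servers


def classify_resolvers(servers: list[str]) -> dict[str, list[str]]:
    """Sort resolvers into known-rogue, unexpected and expected buckets."""
    result: dict[str, list[str]] = {"rogue": [], "unexpected": [], "expected": []}
    for s in servers:
        if s in KNOWN_ROGUE_RESOLVERS:
            result["rogue"].append(s)
        elif s in EXPECTED_RESOLVERS:
            result["expected"].append(s)
        else:
            result["unexpected"].append(s)
    return result


def parse_hosts(hosts_text: str) -> list[tuple[str, str]]:
    """Return (address, name) pairs from the active, i.e. uncommented, hosts lines."""
    entries: list[tuple[str, str]] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops trailing comments as well
        parts = line.split()
        if len(parts) < 2 or not _is_ip(parts[0]):
            continue
        entries.extend((parts[0], name) for name in parts[1:])
    return entries


def suspicious_hosts_entries(hosts_text: str) -> list[tuple[str, str]]:
    """Active hosts entries other than the loopback mapping of 'localhost'."""
    return [
        (addr, name) for addr, name in parse_hosts(hosts_text)
        if not (ipaddress.ip_address(addr).is_loopback and name.lower() == "localhost")
    ]


if __name__ == "__main__":
    print("DNS servers:", classify_resolvers(parse_dns_servers(SAMPLE_IPCONFIG)))
    print("hosts overrides:", suspicious_hosts_entries(SAMPLE_HOSTS))
```

On a real machine the `ipconfig` text would come from running `ipconfig /all` and the hosts text from `%SystemRoot%\System32\drivers\etc\hosts`; anything in the "rogue" or "unexpected" buckets, or any active hosts entry beyond localhost, is what the earlier posts in this thread are asking the user to look for.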

Hi

I formatted drive C: and reinstalled Windows 5 days ago. The problem is gone. When I return to my previous location, I can check my DNS settings. So there was definitely something 'wrong' with my computer.

Thanks
Adam

OK, I'm back at my previous location. The computer I had the problem with now has these DNS servers:
DNS Servers . . . . . . . . . . . : 156.154.70.25
156.154.71.25
According to http://www.geobytes.com/IpLocator.htm it’s in Australia.

My second computer, which has not caused the mentioned problems yet, has
DNS Servers . . . . . . . . . . . : 173.192.105.217
173.193.227.124
According to http://www.geobytes.com/IpLocator.htm it’s in USA.

My current location is Europe.

I will switch to Comodo Secure DNS anyway.

This looks like there is a hacker out there hijacking DNS and directing it to his name servers. I know of ISPs that have had their whole DSL network hijacked, with all modems' static DNS pointing to this guy's servers. I have heard speculation that this is preparation for a huge DoS attack. Also, I have heard that it is a guy named Hacker Dan who is based out of Jordan. I can also confirm that I have gotten all of the same info as Rberg.

I have switched to Comodo secure DNS. Now after ipconfig /all I can see

DNS Servers . . . . . . . . . . . : 156.154.70.22
156.154.71.22

According to geobytes, the above servers are in Australia too. Is that OK?