
Happili, Rocketnews and other sites redirects


5 replies to this topic

#1 P51DMustang

  • Members
  • 4 posts

Posted 23 June 2012 - 11:36 AM

Hello,
For several months I have had redirects on search engine results. I primarily use Firefox and occasionally use IE, with both having the same negative redirect issues. I have used Malwarebytes, VIPRE, Microsoft Scanner, ESET, Kaspersky Rootkiller and recently ComboFix with help from a friend who runs a large PC repair and installation business. My Hosts file only shows 127.0.0.1 localhost.

Combofix finds several system32 files infected, but does not repair them. Generally I can hold my own, but this one seems to escape repair. Help is appreciated.
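The hosts-file check mentioned in the post above is the one piece of this that can be verified mechanically rather than by eye. The following is an added example written for this thread; it is not code from the forum or from any of the tools named here. It assumes the standard Windows hosts path, and the two sample hosts files at the bottom are constructed for illustration (one default, one tampered with). A redirect problem shows up in a hosts file in two ways: a site mapped to a remote address (traffic rerouted) or a site mapped to loopback (typically a security vendor's update site made unreachable), and the script reports both.

```python
"""Check a Windows hosts file for entries that can redirect browsing.

Added example for this thread, not code from the forum or from any tool named
in it.  Assumptions: the standard Windows hosts path below, and the sample
hosts contents, which are constructed for illustration.
"""
import ipaddress
from pathlib import Path

# Standard location on Windows XP (assumption: default %SystemRoot%).
HOSTS_PATH = Path(r"C:\WINDOWS\system32\drivers\etc\hosts")

# The only name a clean default hosts file maps (to 127.0.0.1 or ::1).
EXPECTED_LOOPBACK_NAMES = {"localhost"}


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every mapping, skipping comments and blanks."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:                # one IP may list several names
            entries.append((n, parts[0], name.lower()))
    return entries


def suspicious_entries(text):
    """Return every hosts entry except the plain 'localhost' loopback line.

    A hostname pointed at a remote address means traffic is silently rerouted;
    a hostname sinkholed to loopback usually means a site has been blocked.
    """
    flagged = []
    for n, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((n, ip, name, "unparseable address"))
            continue
        if addr.is_loopback and name in EXPECTED_LOOPBACK_NAMES:
            continue                          # the expected default line
        reason = "sinkholed to loopback" if addr.is_loopback else "redirected to remote address"
        flagged.append((n, ip, name, reason))
    return flagged


def check_hosts_file(path=HOSTS_PATH):
    """Read the live hosts file and return its suspicious entries."""
    return suspicious_entries(path.read_text(errors="replace"))


# Constructed samples: a default file and one that has been tampered with.
CLEAN_HOSTS = "# Copyright (c) 1993-1999 Microsoft Corp.\n\n127.0.0.1       localhost\n"
TAMPERED_HOSTS = (
    "127.0.0.1       localhost\n"
    "127.0.0.1       www.malwarebytes.org   # blocks a security vendor\n"
    "203.0.113.5     www.google.com         # search traffic rerouted\n"
)

if __name__ == "__main__":
    for n, ip, name, why in suspicious_entries(TAMPERED_HOSTS):
        print(f"line {n}: {ip} {name}: {why}")
```

Run `check_hosts_file()` on the machine itself to inspect the real file; an empty result is what a default Windows XP hosts file produces. The parser deliberately strips comments first, because a tampered line hidden after a long run of comment-only lines is easy to miss when scrolling through the file in Notepad.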

#2 P51DMustang

  • Topic Starter
  • Members
  • 4 posts

Posted 23 June 2012 - 12:07 PM

Also, I noted this in the scan results.
shmediax.dll
I think it is the TR/Vundo.88576.AV Trojan
FYI, XP Pro sp3

#3 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender: Male
  • Location: India

Posted 23 June 2012 - 12:28 PM

Download TDSSKiller

Launch it. Click on Change parameters and select TDLFS file system.

Click on "Scan". Please post the LOG report (the log file should be in your C drive).

Download aswMBR

Launch it, allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here.

Download ESET online scanner

Install it.

Click on START, it should download the virus definitions.
When the scan gets completed, click on LIST of found threats.

Export the list to desktop, copy the contents of the text file in your reply.

#4 P51DMustang

  • Topic Starter
  • Members
  • 4 posts

Posted 23 June 2012 - 12:47 PM

Scanning now. Kaspersky didn't find anything and aswMBR is doing its thing. Will post shortly.

#5 P51DMustang

  • Topic Starter
  • Members
  • 4 posts

Posted 24 June 2012 - 01:43 PM

Kaspersky did not find anything and I am not sure where it puts the report. I tried to copy and paste but it would not allow.

Here is the aswMBR log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-23 17:58:22
-----------------------------
17:58:22.609 OS Version: Windows 5.1.2600 Service Pack 3
17:58:22.609 Number of processors: 1 586 0x207
17:58:22.609 ComputerName: DANSOFFICE UserName: Dan Moore
17:58:24.687 Initialize success
18:04:51.296 AVAST engine defs: 12062301
18:04:55.656 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:04:55.656 Disk 0 Vendor: WDC_WD1000JB-00CRA0 16.06V16 Size: 95396MB BusType: 3
18:04:55.859 Disk 0 MBR read successfully
18:04:55.859 Disk 0 MBR scan
18:04:56.312 Disk 0 unknown MBR code
18:04:56.375 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 95385 MB offset 63
18:04:56.406 Disk 0 scanning sectors +195350400
18:04:56.640 Disk 0 scanning C:\WINDOWS\system32\drivers
18:05:24.562 Service scanning
18:06:50.734 Modules scanning
18:07:01.484 Disk 0 trace - called modules:
18:07:01.500 ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
18:07:01.500 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a97fab8]
18:07:02.015 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\00000072[0x8a9b2f18]
18:07:02.015 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a9b1940]
18:07:03.328 AVAST engine scan C:\WINDOWS
18:07:38.796 AVAST engine scan C:\WINDOWS\system32
18:16:37.562 AVAST engine scan C:\WINDOWS\system32\drivers
18:17:14.015 AVAST engine scan C:\Documents and Settings\Dan Moore
18:28:31.187 AVAST engine scan C:\Documents and Settings\All Users
18:31:25.125 Scan finished successfully

Here is the ESET log. You will note that the shmediax.dll file I was worried about was changed to a tmp file by me before the scan. I had to change the file properties to allow the admin to modify it, since it was protected to start.

C:\Documents and Settings\All Users\Application Data\Downloaded Installations\{FA0F7527-B8F1-4541-A077-22F7B7829518}\{6E5F79B6-CDA6-4469-84A5-923C8C0CCEB0}\SBVIPRE_EN.msi Win32/KeyLogger.UltimateKeylogger.AD application deleted - quarantined
C:\Documents and Settings\Dan Moore\Application Data\Sun\Java\Deployment\cache\6.0\0\49e03e00-7299254a Java/Agent.AC trojan deleted - quarantined
C:\Program Files\GFI Software\VIPRE\SBAMScanShellExt.dll Win32/KeyLogger.UltimateKeylogger.AD application cleaned by deleting - quarantined
C:\Program Files\GFI Software\VIPRE\SBFE.DLL Win32/KeyLogger.UltimateKeylogger.AD application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\shmediax.tmp.vir a variant of Win32/Ponmocup.CW trojan cleaned by deleting - quarantined

At the moment there are no redirects. At times it has gone for a day or two and not redirected, so time will tell. I did run ComboFix again and it still finds several files in system32 that it thinks are infected. Let me know if you would like that log. Thanks for now.
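Reading the two logs above by hand is error-prone, so here is an added example that triages them programmatically. It is not part of the thread and not code from aswMBR, ESET or ComboFix; the sample text is excerpted from the logs in this post, while the keyword list, the regular expressions and the ComboFix quarantine prefix (`C:\Qoobox\Quarantine`) are assumptions made for the example. It pulls out the aswMBR lines worth a second look (the posted log's "unknown MBR code" line is a prompt to review the boot sector, not a verdict) and splits the ESET findings into items that were live on disk and items ESET found inside ComboFix's quarantine folder, which had therefore already been removed from their original location.

```python
"""Triage the aswMBR and ESET scan output posted above.

Added example, not part of the thread or of the aswMBR/ESET/ComboFix tools.
The sample text is excerpted from the logs in this post; the keyword list,
the regular expressions and the quarantine prefix are assumptions made here.
"""
import re
from collections import Counter

# Excerpt of the aswMBR log from the post (shortened to the relevant lines).
ASWMBR_LOG = r"""
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-23 17:58:22
-----------------------------
17:58:22.609 OS Version: Windows 5.1.2600 Service Pack 3
18:04:55.656 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:04:55.859 Disk 0 MBR read successfully
18:04:55.859 Disk 0 MBR scan
18:04:56.312 Disk 0 unknown MBR code
18:04:56.375 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 95385 MB offset 63
18:31:25.125 Scan finished successfully
"""

# The ESET "list of found threats" export from the post.
ESET_LOG = r"""
C:\Documents and Settings\All Users\Application Data\Downloaded Installations\{FA0F7527-B8F1-4541-A077-22F7B7829518}\{6E5F79B6-CDA6-4469-84A5-923C8C0CCEB0}\SBVIPRE_EN.msi Win32/KeyLogger.UltimateKeylogger.AD application deleted - quarantined
C:\Documents and Settings\Dan Moore\Application Data\Sun\Java\Deployment\cache\6.0\0\49e03e00-7299254a Java/Agent.AC trojan deleted - quarantined
C:\Program Files\GFI Software\VIPRE\SBAMScanShellExt.dll Win32/KeyLogger.UltimateKeylogger.AD application cleaned by deleting - quarantined
C:\Program Files\GFI Software\VIPRE\SBFE.DLL Win32/KeyLogger.UltimateKeylogger.AD application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\shmediax.tmp.vir a variant of Win32/Ponmocup.CW trojan cleaned by deleting - quarantined
"""

# aswMBR lines are "HH:MM:SS.mmm message"; header lines without a timestamp are skipped.
ASWMBR_LINE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<msg>.*)$")
# Assumed watch-list of aswMBR phrases that deserve review (case-insensitive).
ASWMBR_KEYWORDS = ("unknown MBR code", "infected", "hidden")

# ESET export lines: "<path> [a variant of ]<name> <category> <action>".
# The path may contain spaces, so it is matched lazily up to a threat name
# followed by a known category word.
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) "
    r"(?P<variant>a variant of )?(?P<name>[\w/.]+) "
    r"(?P<category>trojan|application|worm|adware|virus) "
    r"(?P<action>.+)$"
)

# Assumption: ComboFix keeps its quarantine under C:\Qoobox\Quarantine.
QUARANTINE_PREFIXES = (r"c:\qoobox\quarantine",)


def parse_aswmbr(text):
    """Return (timestamp, message) for every timestamped aswMBR line."""
    events = []
    for line in text.splitlines():
        m = ASWMBR_LINE.match(line.strip())
        if m:
            events.append((m.group("time"), m.group("msg")))
    return events


def flag_aswmbr(text, keywords=ASWMBR_KEYWORDS):
    """Return the aswMBR events whose message contains a watch-list phrase."""
    return [(t, msg) for t, msg in parse_aswmbr(text)
            if any(k.lower() in msg.lower() for k in keywords)]


def in_quarantine_folder(path):
    """True if the detected file was already sitting in a tool's quarantine."""
    return path.lower().startswith(QUARANTINE_PREFIXES)


def parse_eset(text):
    """Return one dict per ESET finding with path, name, category, action."""
    findings = []
    for line in text.splitlines():
        m = ESET_LINE.match(line.strip())
        if not m:
            continue                     # blank line or a line we don't understand
        findings.append({
            "path": m.group("path"),
            "name": m.group("name"),
            "category": m.group("category"),
            "action": m.group("action"),
            "in_quarantine": in_quarantine_folder(m.group("path")),
        })
    return findings


def triage(aswmbr_text, eset_text):
    """Combine both logs into the summary a helper would want to read first."""
    findings = parse_eset(eset_text)
    return {
        "mbr_flags": flag_aswmbr(aswmbr_text),
        "live_detections": [f for f in findings if not f["in_quarantine"]],
        "already_quarantined": [f for f in findings if f["in_quarantine"]],
        "by_name": Counter(f["name"] for f in findings),
    }


if __name__ == "__main__":
    result = triage(ASWMBR_LOG, ESET_LOG)
    for t, msg in result["mbr_flags"]:
        print(f"aswMBR review: {t} {msg}")
    for f in result["live_detections"]:
        print(f"live: {f['name']} ({f['category']}) at {f['path']}")
    for f in result["already_quarantined"]:
        print(f"quarantined earlier: {f['name']} at {f['path']}")
```

On the posted logs the split is informative: three of the four live detections are the same keylogger classification inside the VIPRE install directory and its downloaded installer, one is a Java cache file, and the only Ponmocup hit is the renamed shmediax file that ComboFix had already moved into its quarantine. The `by_name` counter makes that grouping visible without reading every path.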

#6 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender: Male
  • Location: India

Posted 24 June 2012 - 02:13 PM

We do not analyze combofix logs here

Read the guide here on preparing logs

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck
