Strange redirect - Is my computer infected?



john_collins
2011-04-21, 04:46
Hi,

I have a laptop with Windows 7 and IE8. I also run Norton 360 Premium Edition 4.0.

When I visited this website:

http://www.serradinho.com

I was redirected to the following website, which displayed a fake virus warning:

http://www1.simplegoantivir.0ze.net/fhrpvn?rwj041mma=lungnZu1uDJ59qT5dXJpKGToKSP5tLWr6qQkZaT36qjwLmT3N%2BimJ%2BYlOPcs%2BDoqZ3MmZh8yquKGT6OXP3tOe3tXK3cuY1dqnc
3VX1t2erKKbop6blaKZnKWZq4%2Fl5tjepadunpPY3M2qqZ%2BajePV2rHLp86no6fMaJpmzpPV5qaeo5yYmqOXpKqgnM3h39jnnGo5OSVodbc4%2BDJ0diO4d
XP25fb5d7clWKS4ZPE29qq1NnL4NHI1pg%3D

I also got a JavaScript popup asking me to click OK to remove the viruses, after which I opened the Task Manager and killed the IE process. I didn’t get a warning from Norton about a virus or malware.

I didn’t have this problem (the redirect) in the latest version of Firefox.

Then I switched JavaScript to “Prompt” in IE and visited http://www.serradinho.com again.
After clicking "No" to all JS load prompts the site loaded just fine without redirecting me.
After that I reloaded the site and started clicking "Yes" on the JS prompts and on the 3rd one
I saw in the IE taskbar that the browser was loading something from lshfwq.co.cc and then I was
redirected to the 0ze.net subdomain mentioned above.

http://www.serradinho.com is the only site this redirect is happening on, as far as I can tell.

I also did the following:

- I ran SpyBot and it didn’t find anything.
- I downloaded and ran TDSSKiller.exe from Kaspersky, which didn’t find anything either.
- I did a registry search for lshfwq.co.cc, but didn’t find anything.
- I loaded the same site, http://www.serradinho.com, from another laptop with Windows 7 and Norton 360 Premium Edition 4.0, but with IE 9 instead of IE 8, and I didn’t have the redirect problem.
- I did a quick scan with Norton and it didn’t find anything either.

I’m doing a full scan with Norton now, but this will take a few hours.

Is my computer infected or is the problem with http://www.serradinho.com?

tashi
2011-04-21, 06:43
Hello john_collins,

If you would like someone to take a look at the system, please see this sticky, which includes guidelines for this forum and instructions in post #2 on how to provide preliminary "DDS" logs used for analysis: "BEFORE You POST" (Please read this Procedure Before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Then start a new topic providing the logs and a volunteer analyst will advise you when available. :)

If DDS won't run and produce a log please start a new topic anyway and explain the situation.

Best regards.