A new variant of (Microsoft Description) Trojan:JS/Seedabutor.B

I am dealing with something similar to what is shown on Microsoft’s page below except the URL isn’t dsparking.com/?epl= but dsnetservices.com/?epl= in my case:

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:JS/Seedabutor.B

If I try to go to a URL that doesn’t exist, z.emmerick.com for example (no DNS for it), my browser (both IE and Chrome) will load the attached page.

  • avast! Real-time Shield Scan Report
  • This file is generated automatically
  • Started on: Friday, May 24, 2013 1:04:41 PM

5/24/2013 1:06:22 PM http://z.emmerick.com/ is OK
5/24/2013 1:06:25 PM http://z.emmerick.com/?epl=aYuufwzRL5R9iCjJtySQKUDD9qAMCYVTJHfxw6liL-UMAQMTH4JjIFMATggeX3Zbm5EHJT5zmO6VBED2otIYP8eqbIFF-eboNaF4sZaDQSCk5MmM5w1oMzUy2-hda_iWjX1Ao9GoR9poCDR6iqCMAYCkH6SnQRF1ACAQ3u-_AADgfwUAAECAWwgAADRsD8pZUyZZQTE2aFpCeQAAAPA is OK
5/24/2013 1:06:27 PM http://z.emmerick.com/favicon.ico is OK

I ran a full system scan with Avast Internet Security 8.0.1483 and definitions 130524-0, no threats were detected. I looked around for some suspicious files, but found none.

Follow the guide above your post: “logs to assist in cleaning malware”.

When done, a removal expert will help you.

I have attached the log files as requested.

Removal experts are notified; it may take hours before they arrive, so be patient.

That is generally a JavaScript file in the temporary folder, so let’s clear that now.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

The problem persists after running the OTL script - log attached. I have also attached the quick scan log as well.

See a variant detected here: http://evuln.com/tools/malware-scanner/tanyadurack.com/
For the connection reset by peer, see: http://jsunpack.jeek.org/?report=3e610ea4ffd60492767da4882f49e79648b32c56
epl = programmatic interfaces allow statements to be individually compiled or loaded in bulk through a URL
Link for the security-aware only; open it up with NS active and in a VM,
given a failure now → : <urlopen error [Errno 104] Connection reset by peer>

polonus

Is this on your system or on your website? If on your system, what browsers does it affect?

Please download Shortcut Cleaner to your desktop.
Then run it.

https://dl.dropbox.com/u/73555776/sc%20cleaner.JPG

When the Shortcut Cleaner has finished scanning your hard drive it will create a log file on your desktop called sc-cleaner.txt and then display it.
Please post that log.

This is on my laptop.

I have IE 10 and Chrome 27.0.1453.94 m installed, both are having the same problem. This is not isolated to my emmerick.com domain. I get hijacked with any URL that doesn’t really exist like http://lkajajldjladjjdadljd.com/

I also run Connectify to use my laptop as a hotspot. If I connect my Kindle Fire (Android based) to the Connectify hotspot, its browser (Chrome) will also be hijacked when trying to load non-existent URLs.

Did you set the homepages to about:blank?

Yes, I did set the homepages to about:blank.

It is just that when I try to visit non-existent pages my about:blank pops up.

There are no anomalous files that I can see in the logs. Have you reset your DNS?

ipconfig /release
ipconfig /renew

Yes, I even tried different DNS servers, in case my primary DNS servers had bad data.

I “went” to a non-existent website, saved the page as a .mht file (hoping the malware was trying to spread), and sent it to virscan.org. I had 1 positive hit from Quick Heal as HTML.Redirector.WD. http://r.virscan.org/report/9dc3d0d61ee8fff5312aebfabf8ca358.html

I won’t attach this file without instructions, don’t need anyone else to pick this up.

One hit would tend to suggest a possible false positive.

Silly question: why are you going to non-existent web sites?

True, but it is also described as a redirector, which just happens to be my problem. I have found more than one suspicious file in the past. Had it scanned at virscan.org and had no hits. Then submitted it to Avast and/or Microsoft for analysis and had it be identified a few days later as a new virus/trojan/etc.

I discovered the problem when I made a typo going to a website. Now, I’m just trying to get more information on what this is, how it works, and how to get rid of it.

There is nothing showing on your computer. Is it exhibiting any weirdness?

I restored a clean image to my laptop. Updated everything that needed updating since I made the image. Installed Connectify 5.01.

I found that if I do not have Connectify running, or if it is running but the Hotspot has not been started, everything is good. But if I start the Hotspot, the browser hijacking commences on the non-existent URLs.

I sent an email to Connectify’s support. Anyone care to see if they can duplicate the problem? http://www.connectify.me/download-hotspot/

OK, that would explain why I could find no infection on the system. Maybe Hotspot inserts the ads as part of the parking domain.
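The symptom in this thread (random non-existent names landing on a parking page with an epl= token, only while the Hotspot is up) is what a resolver or gateway that answers NXDOMAIN with its own address looks like. The script below is an added example, not code from the thread or from Connectify: it resolves several random names through the local resolver, decides from the answers whether nonexistent names are being substituted, and pulls out the epl= token from a landing URL. The function and variable names, and the 203.0.113.x addresses in the test data, are constructed for illustration.

```python
"""Probe the local resolver for NXDOMAIN hijacking (added example, not from the thread)."""
import secrets
import socket
from collections import Counter
from urllib.parse import parse_qs, urlparse


def random_hostname(tld="com", length=16):
    """Build a label that is practically certain not to be registered."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    label = "".join(secrets.choice(alphabet) for _ in range(length))
    return f"{label}.{tld}"


def resolve(hostname):
    """Return the A record the system resolver hands back, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def probe(count=5, tld="com"):
    """Resolve several random, nonexistent names through the system resolver."""
    return {name: resolve(name) for name in (random_hostname(tld) for _ in range(count))}


def classify(results):
    """Decide from probe results whether nonexistent names are being answered.

    results maps hostname -> IP string or None. A healthy resolver returns
    None for every random name; a resolver (or a hotspot gateway) that
    substitutes a parking host answers them all with the same address.
    """
    answered = [ip for ip in results.values() if ip is not None]
    if not answered:
        return "clean", None
    ip, hits = Counter(answered).most_common(1)[0]
    if hits == len(results):
        return "nxdomain-hijack", ip
    return "inconsistent", ip


def parking_token(url):
    """Extract the epl= parameter the thread's landing page carries, if present."""
    query = parse_qs(urlparse(url).query)
    return query.get("epl", [None])[0]


if __name__ == "__main__":
    verdict, ip = classify(probe())
    print(f"verdict={verdict} ip={ip}")
```

Run it once with the Hotspot stopped and once with it started; a change from "clean" to "nxdomain-hijack" with a single shared address points at the gateway rather than at malware on the laptop.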