
Mediashifting redirecting, tab opening, general slowing...


Hi everyone.

I've been using Malwarebytes for quite a long time now, and it never failed me even facing some baaaaad trojans or others, but this time I keep having this one problem that won't go...

I've seen other topics about it but it's highly recommended to treat each case individually, so here's mine:

Recently, I've had mediashifting.com/some_bs_key_words_ ..... type tabs opening for no reason, at first only at the opening of Firefox, but now basically anytime (switching from full screen to normal while viewing a video, starting a Google search, opening a link, ... it depends).

I've run MBAM both quick and complete scans several times, but in the end after restarting my computer I still get some of these tabs every now and then, and as I'm using my computer for 3D modelling and rendering I can definitely see that my computer is getting slower, and now the only thing MBAM detects is a corrupted hkey entry, which comes back at every new start-up ... but which needs the computer restarted to get deleted .... So I'm thinking there's definitely something else.

The thing is I've read somewhere that these kinds of viruses often combine with other types, get crossed, etc ... I've already got rid of Antivirus 2012 about 3 months ago, but now that I see that I'm wondering if I really got everything out of my system.

As I use my online connection for bank accounts and other sensitive info, I'd like to be sure that I fully destroy this mediashifting thing, and at the same time that I get cleared from all remaining virus-related files.

So as seen on the forum I ran DDS, here are the logs I got from it, I've attached dds and attach, hoping it'll be helpful.

I apologize in advance for my English, being French ain't helping, hope it's not too hard to read.

Thanks in advance.

I will if I find anything by myself.

For now, repeated MBAM full scans when started (with a restart between 2) got me rid (for now at least) of the tab opening ... but there's still definitely something going on... I can almost "feel" that the virus or whatever is trying to start its new tab or other weird connection, but it seems to fail (anyway the computer is still slowed down from time to time).

As I'm still not comfortable using ComboFix, TDSSKiller or else without someone specifically telling me to use it (even though some cases look similar, I ain't gonna risk crashing my whole PC), I updated my MBAM today and full scanned my system again, waiting for the "expected" registry false value backdoor I had at every new scan since I got infected, but instead I got 2 results, both deleted, here is the log if it can help anyone to rescue me.

Malwarebytes Anti-Malware


Version de la base de données: v2012.01.24.02

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

Maxwell :: MAXWELL-PC [administrateur]

24/01/2012 11:55:42

mbam-log-2012-01-24 (11-55-42).txt

Type d'examen: Examen complet

Options d'examen activées: Mémoire | Démarrage | Registre | Système de fichiers | Heuristique/Extra | Heuristique/Shuriken | PUP | PUM

Options d'examen désactivées: P2P

Elément(s) analysé(s): 525121

Temps écoulé: 1 heure(s), 17 minute(s), 1 seconde(s)

Processus mémoire détecté(s): 0

(Aucun élément nuisible détecté)

Module(s) mémoire détecté(s): 0

(Aucun élément nuisible détecté)

Clé(s) du Registre détectée(s): 0

(Aucun élément nuisible détecté)

Valeur(s) du Registre détectée(s): 0

(Aucun élément nuisible détecté)

Elément(s) de données du Registre détecté(s): 0

(Aucun élément nuisible détecté)

Dossier(s) détecté(s): 0

(Aucun élément nuisible détecté)

Fichier(s) détecté(s): 2

C:\Users\Maxwell\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HRYV46O6\10[1].exe (Trojan.Zbot.CBCGen) -> Mis en quarantaine et supprimé avec succès.

C:\Users\Maxwell\AppData\Local\Temp\36D5.tmp (Trojan.Zbot.CBCGen) -> Mis en quarantaine et supprimé avec succès.


Even though I don't think it matters that much, if it makes it easier for you I guess I can set my MBAM to English so the report will be in English, feel free to ask me.

Thanks in advance for any help.

New problem today: no more results in my MBAM scans (updated today right before launching the scan), but some beep sound, kind of the same one as when MBAM opens the log at the end of the scan or the noise Windows makes every time it opens an information or error window. But the thing is ... it appears to be coming from nowhere.

But at once when I came back into Firefox, I had a window asking me for a user name and login to connect to some IP (which I stupidly didn't note down ... will do if it shows back!), and there is no way I hit something redirecting to this IP..

So I'm thinking there's some background thing running on my computer gathering info then sending it to some remote server which stupidly enough asks me for the login ... It's quite scary as I can't use my computer anymore for any sensitive action, as I wouldn't like my bank information or other sent back to some data server..

And it also seems wayyyyyy too easy to me how I got rid of this mediashifting stuff while some others need ComboFix deleting files and other things, while I "just" ran a few MBAM scans ...

Anyone having any clue?

Thanks in advance.

PS: Rascaljay, what's going on with you, how is your malware infection evolving?

Nothing but sympathy for you max0211. On my machine, I ran Malwarebytes and I think it removed Mediashifting, but now I still get random tabs opening in Firefox with "page cannot be displayed" but a Mediashifting URL. Otherwise my system appears fine. I ran TDSSKiller and ComboFix, crashed my machine, and had to use System Restore to get it working again, but now the problem tabs still appear. Not sure what else to do.

It seems to be quite a common infection these days as seen on the top topics, can't any of the experts take a look at our logs to check if we are actually 100% cleaned up from this stuff (because with some trojans in it, it ain't that hard to get my bank info and others, which I would definitely NOT like ...)?

I didn't use ComboFix or TDSSKiller, way too afraid to crash my whole system which would take me forever to reinstall with all the apps, MBAM updated seems to be okay with everything on my computer, but I'd really like to be sure ...

I too believe, mwnrnc, that mediashifting is having some problem, maybe they got caught or something, but their site definitely had some problems last time it tried to load, but with this IP asking for login and pass yesterday and other slowing moments I'd like to be sure I'm free from this shi*. Anyway their cash rewarding site may be the visible tip of the problem, which I'd like to be sure.

Going to run another MBAM scan just in case, don't hesitate to tell if you get anything new on your system due to these.


Just got the IP username and login page opening .... The IP is, and according to Google this thing is a dictionary / attack mail server.

I'm getting sick of these ......!! How bad do you have to be to not even be able to carry out a dictionary attack properly!

Just a random question: technically, any IP can go down due to a DDoS attack? Because damn this thing is pissing me off, and if I can't fix my thing, I'll just crash theirs!

Ok I just learned that this IP belonged to one of my relatives, who apparently got his server probably infected without knowing it, I can't tell however if this is linked to mediashifting because it started as the other mediashifting symptoms had stopped!

Anyone able to tell how infected or not we still are by checking our logs?




  • 2 months later...
  • Staff

Hi and welcome to Malwarebytes.

In the future, please post all logs directly into your reply instead of attaching them unless otherwise indicated. With that said, please update MBAM, run a Quick Scan, and post its log.

Next, run DDS again and post DDS.txt directly in your reply.
