HTML REDIR.A virus HELP!!

Discussion in 'malware problems & news' started by Charger69, Jun 28, 2004.

Thread Status:
Not open for further replies.
  1. Charger69

    Charger69 Guest

    I have been infected and I cannot seem to get rid of the viruses. I have seen HTML REDIR.a, JAVA_BYTEVER.A, JAVA_FEMAD.B to name a few. I have a firewall (zonelab) and it continues to ask permission for IE to access the internet. If I say yes, it fills up my index.dat with porn cookies. I have run Ad-aware and Spybot and deleted all of the junk. I also checked to ensure that I had the most recent update. I will delete the temporary internet folder contents and no virus appears, but it keeps coming back. Attached is a HJT log. NOTE: I want to delete the HOSTS entries, but I do not know what they are. I decided to wait until I consulted an expert.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:56:11 AM, on 06/28/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\cisvc.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\Program Files\Network Associates\Remote Desktop 32\CONNSRV.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\FLRSERV.EXE
    C:\OfficeScan NT\tmlisten.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE
    C:\WINNT\rundll32.exe
    C:\OfficeScan NT\PccNTMon.exe
    C:\WINNT\System32\svchost.exe
    C:\Lotus\Notes\NLNOTES.EXE
    C:\Lotus\Notes\nhldaemn.EXE
    C:\Program Files\Microsoft Office\Office\excel.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\winhlp32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\jasons\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://csw_keyfile
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = www.msn.com
    O1 - Hosts: Usage Information:
    O1 - Hosts: Save Changes - Save any changes you make to hosts file
    O1 - Hosts: Reset Default - Will Replace any existing Hosts with a Windows Default one, original file doesn't have to exist
    O1 - Hosts: Save Log - Will Save the Hosts as a Text file, Good for Posting
    O1 - Hosts: _________________________________________________________________
    O1 - Hosts: Enable and Disable - Will Swap Hosts Files On the Fly for those that want to use Hosts, and Temporarily Disable it.
    O1 - Hosts: _________________________________________________________________
    O1 - Hosts: Scan for Hosts - Will Search your Windows Drive for Hosts Files, useful if Hosts is in wrong location or installed to Alternate location by Trojan.
    O1 - Hosts: Delete - Does exactly that, Delete and Hosts File Selected in the Listbox.
    O1 - Hosts: _________________________________________________________________
    O1 - Hosts: By Option^Explicit, techcd@shaw.ca
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\SURECL~1\PopUpStopperProfessional.exe
    O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE"
    O4 - HKCU\..\Run: [rundll32] C:\WINNT\rundll32.exe
    O4 - Startup: AbsoluteShield Internet Eraser.lnk = C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
    O4 - Startup: Total Cleaner.lnk = C:\Program Files\Total Cleaner\cleaner.exe
    O4 - Global Startup: OfficeScanNT Monitor.lnk = C:\OfficeScan NT\PccNTMon.exe
    O4 - Global Startup: Microsoft Find Fast.lnk.disabled
    O4 - Global Startup: Service Manager.lnk.disabled
    O4 - Global Startup: Office Startup.lnk.disabled
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {11120607-1001-1111-1000-110199901123} - http://www.n28.net/n009/on-line.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E7D8182-23F2-4FEB-8203-9BEB4811535A}: NameServer = 206.13.30.12,64.160.192.70

    Please advise.
    Thank you in advance.
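A small triage script for logs like the one above, added here as an example; it is not part of the thread and not HijackThis code. It parses the R0/R1, O1, O4 and O16 line types and flags the patterns a responder looks at first: browser start/search pages set to something that is not a normal hostname, O1 hosts lines that do not have the `IP hostname` shape of a real hosts-file entry (the O1 lines in the posted log are help text from a hosts-file utility, not name mappings), system executables such as rundll32.exe launched from somewhere other than System32, and O16 ActiveX downloads that fetch an .exe instead of a .cab/.ocx/.dll. The sample lines are copied from the posted log; the rules themselves are common rules of thumb and are an assumption of this example, not a verdict on any single entry.

```python
"""Flag the first-look items in a HijackThis-style log.

Added example, not from the thread or from HijackThis. SAMPLE_LOG holds lines
copied from the log posted above; the heuristics are rules of thumb (assumed),
so every finding is something to review, not an automatic removal.
"""
import ntpath
import re
from dataclasses import dataclass
from urllib.parse import urlparse

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://csw_keyfile
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
O1 - Hosts: Usage Information:
O1 - Hosts: Save Changes - Save any changes you make to hosts file
O1 - Hosts: By Option^Explicit, techcd@shaw.ca
O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE"
O4 - HKCU\..\Run: [rundll32] C:\WINNT\rundll32.exe
O16 - DPF: {11120607-1001-1111-1000-110199901123} - http://www.n28.net/n009/on-line.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
"""

# A genuine hosts-file line is "<IPv4> <hostname> ..."; anything else is noise or a
# tool's help text that ended up in the file.
HOSTS_ENTRY = re.compile(r"^\s*\d{1,3}(?:\.\d{1,3}){3}\s+\S+")
# Windows system binaries expected to live only under %SystemRoot%\System32.
SYSTEM32_ONLY = {"rundll32.exe", "svchost.exe", "services.exe", "lsass.exe", "winlogon.exe"}
# File types an O16 ActiveX download normally points at.
ACTIVEX_OK = (".cab", ".ocx", ".dll")
LINE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def url_is_odd(value: str) -> bool:
    """True for values like http://csw_keyfile: no real hostname with a dot."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return not parsed.hostname or "." not in parsed.hostname


def exe_path(value: str) -> str:
    """Strip quoting and arguments from an O4 command line, keeping the program path."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section in ("R0", "R1"):
            _key, _sep, value = body.partition(" = ")
            if value and url_is_odd(value):
                findings.append(Finding(section, line, f"browser setting points to unusual URL {value!r}"))
        elif section == "O1":
            entry = body.partition("Hosts:")[2].strip()
            if not HOSTS_ENTRY.match(entry):
                findings.append(Finding(section, line, "hosts line is not an 'IP hostname' mapping"))
        elif section == "O4":
            m4 = re.match(r"^.*?:\s*\[[^\]]*\]\s*(.*)$", body)
            if not m4:
                continue
            path = exe_path(m4.group(1))
            name = ntpath.basename(path).lower()
            folder = ntpath.dirname(path).lower()
            if name in SYSTEM32_ONLY and not folder.endswith("\\system32"):
                findings.append(Finding(section, line, f"{name} started from {folder!r}, not System32"))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1].strip()
            if not urlparse(url).path.lower().endswith(ACTIVEX_OK):
                findings.append(Finding(section, line, f"ActiveX download fetches {url!r}, not a .cab/.ocx/.dll"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports six lines to review: the `http://csw_keyfile` start page, the three O1 lines, the rundll32.exe entry in C:\WINNT, and the on-line.exe download; the SureClean entry and the Trend Micro HouseCall .cab are left alone. Paste a full log into `SAMPLE_LOG` (or read it from a file) to apply the same checks to other entries.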
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke