HTML REDIR.A virus HELP!!

Discussion in 'malware problems & news' started by Charger69, Jun 28, 2004.

Thread Status:
Not open for further replies.
  1. Charger69

    Charger69 Guest

    I have been infected and I cannot seem to get rid of the viruses. I have seen HTML REDIR.a, JAVA_BYTEVER.A, JAVA_FEMAD.B to name a few. I have a firewall (zonelab) and it continues to ask permission for IE to access the internet. If I say yes, It fills up my index.dat with porn cookies. I have run Ad-aware and Spybot and deleted all of the junk. I also checked to ensure that I had the most recent update. I will delete the temporary internet folder contents and no virus appears, but it keeps coming back. Attached is a HJT log. NOTE: I want to delete the HOSTS entries, but I do not know what they are. I decided to wait until I consulted an expert.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:56:11 AM, on 06/28/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\cisvc.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\Program Files\Network Associates\Remote Desktop 32\CONNSRV.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\FLRSERV.EXE
    C:\OfficeScan NT\tmlisten.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE
    C:\WINNT\rundll32.exe
    C:\OfficeScan NT\PccNTMon.exe
    C:\WINNT\System32\svchost.exe
    C:\Lotus\Notes\NLNOTES.EXE
    C:\Lotus\Notes\nhldaemn.EXE
    C:\Program Files\Microsoft Office\Office\excel.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\winhlp32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\jasons\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://csw_keyfile
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = www.msn.com
    O1 - Hosts: Usage Information:
    O1 - Hosts: Save Changes - Save any changes you make to hosts file
    O1 - Hosts: Reset Default - Will Replace any existing Hosts with a Windows Default one, original file doesn't have to exist
    O1 - Hosts: Save Log - Will Save the Hosts as a Text file, Good for Posting
    O1 - Hosts: _________________________________________________________________
    O1 - Hosts: Enable and Disable - Will Swap Hosts Files On the Fly for those that want to use Hosts, and Temporarily Disable it.
    O1 - Hosts: _________________________________________________________________
    O1 - Hosts: Scan for Hosts - Will Search your Windows Drive for Hosts Files, useful if Hosts is in wrong location or installed to Alternate location by Trojan.
    O1 - Hosts: Delete - Does exactly that, Delete and Hosts File Selected in the Listbox.
    O1 - Hosts: _________________________________________________________________
    O1 - Hosts: By Option^Explicit, techcd@shaw.ca
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\SURECL~1\PopUpStopperProfessional.exe
    O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE"
    O4 - HKCU\..\Run: [rundll32] C:\WINNT\rundll32.exe
    O4 - Startup: AbsoluteShield Internet Eraser.lnk = C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
    O4 - Startup: Total Cleaner.lnk = C:\Program Files\Total Cleaner\cleaner.exe
    O4 - Global Startup: OfficeScanNT Monitor.lnk = C:\OfficeScan NT\PccNTMon.exe
    O4 - Global Startup: Microsoft Find Fast.lnk.disabled
    O4 - Global Startup: Service Manager.lnk.disabled
    O4 - Global Startup: Office Startup.lnk.disabled
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {11120607-1001-1111-1000-110199901123} - http://www.n28.net/n009/on-line.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E7D8182-23F2-4FEB-8203-9BEB4811535A}: NameServer = 206.13.30.12,64.160.192.70

    Please advise.
    Thank you in advance.
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.