[Solved]HTML REDIR.A Virus HELP!!

Discussion in 'adware, spyware & hijack cleaning' started by charger69, Jun 28, 2004.

Thread Status:
Not open for further replies.
  1. charger69

    charger69 Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    8
    I have been infected and I cannot seem to get rid of the viruses. I have seen HTML REDIR.a, JAVA_BYTEVER.A, JAVA_FEMAD.B to name a few. I have a firewall (zonelab) and it continues to ask permission for IE to access the internet. If I say yes, it fills up my index.dat with porn cookies. I have run Ad-aware and Spybot and deleted all of the junk. I also checked to ensure that I had the most recent update. I will delete the temporary internet folder contents and no virus appears, but it keeps coming back. Attached is a HJT log. NOTE: I want to delete the HOSTS entries, but I do not know what they are. I decided to wait until I consulted an expert.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:56:11 AM, on 06/28/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\cisvc.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\Program Files\Network Associates\Remote Desktop 32\CONNSRV.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\FLRSERV.EXE
    C:\OfficeScan NT\tmlisten.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE
    C:\WINNT\rundll32.exe
    C:\OfficeScan NT\PccNTMon.exe
    C:\WINNT\System32\svchost.exe
    C:\Lotus\Notes\NLNOTES.EXE
    C:\Lotus\Notes\nhldaemn.EXE
    C:\Program Files\Microsoft Office\Office\excel.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\winhlp32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\jasons\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://csw_keyfile
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redi...=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redi...er=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redi...=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = www.msn.com
    O1 - Hosts: Usage Information:
    O1 - Hosts: Save Changes - Save any changes you make to hosts file
    O1 - Hosts: Reset Default - Will Replace any existing Hosts with a Windows Default one, original file doesn't have to exist
    O1 - Hosts: Save Log - Will Save the Hosts as a Text file, Good for Posting
    O1 - Hosts: _________________________________________________________________
    O1 - Hosts: Enable and Disable - Will Swap Hosts Files On the Fly for those that want to use Hosts, and Temporarily Disable it.
    O1 - Hosts: _________________________________________________________________
    O1 - Hosts: Scan for Hosts - Will Search your Windows Drive for Hosts Files, useful if Hosts is in wrong location or installed to Alternate location by Trojan.
    O1 - Hosts: Delete - Does exactly that, Delete and Hosts File Selected in the Listbox.
    O1 - Hosts: _________________________________________________________________
    O1 - Hosts: By Option^Explicit, techcd@shaw.ca
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\SURECL~1\PopUpStopperProfessional.exe
    O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE"
    O4 - HKCU\..\Run: [rundll32] C:\WINNT\rundll32.exe
    O4 - Startup: AbsoluteShield Internet Eraser.lnk = C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
    O4 - Startup: Total Cleaner.lnk = C:\Program Files\Total Cleaner\cleaner.exe
    O4 - Global Startup: OfficeScanNT Monitor.lnk = C:\OfficeScan NT\PccNTMon.exe
    O4 - Global Startup: Microsoft Find Fast.lnk.disabled
    O4 - Global Startup: Service Manager.lnk.disabled
    O4 - Global Startup: Office Startup.lnk.disabled
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {11120607-1001-1111-1000-110199901123} - http://www.n28.net/n009/on-line.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E7D8182-23F2-4FEB-8203-9BEB4811535A}: NameServer = 206.13.30.12,64.160.192.70

    Please advise.
    Thank you in advance.
     
  2. charger69

    charger69 Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    8
    Re: HTML REDIR.A Virus HELP!!

    I would still like for someone to assist. I think that I have resolved the problem. I downloaded Trojan Hunter and it located a trojan that I deleted. My computer now appears to be operating at normal speed, but I am not convinced that the problem is totally resolved. Zone Labs pops up every now and then stating that the IE explorer wants access to the Internet. I deny permission, but it only happens a couple of times as compared to every minute.

    Someone please lead me in the correct direction. I would still like to know about the HOSTS in my HJT log. Can I delete them? What are they for?
     
  3. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Re: HTML REDIR.A Virus HELP!!

    Hi charger69

    did you download "something", as those are instructions :)

    Did you have a HOSTS file??

    Yes, you can delete that "stuff" .

    Would be great if you could run HJT again and post a new log. Thanks
     
  4. charger69

    charger69 Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    8
    Re: HTML REDIR.A Virus HELP!!

    I did download Trojan Hunter from the Wilders Security link. It no longer finds any trojans, BUT I did allow IE access and my computer showed a number of viruses again. I still have the problem, but it appears that I can contain it for the time being with Zone Labs. Attached is my new HJT log... after deleting the trojan, the hosts files in HJT disappeared. I think that the second to the last entry should be deleted (O16 - DPF, whatever that is), but you are the expert.

    Thank you for your assistance


    Logfile of HijackThis v1.97.7
    Scan saved at 3:33:51 PM, on 06/30/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\cisvc.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\Program Files\Network Associates\Remote Desktop 32\CONNSRV.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\FLRSERV.EXE
    C:\OfficeScan NT\tmlisten.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\OfficeScan NT\ofcdog.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE
    C:\WINNT\rundll32.exe
    C:\OfficeScan NT\PccNTMon.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Lotus\Notes\NLNOTES.EXE
    C:\Lotus\Notes\nhldaemn.EXE
    C:\Program Files\Common Files\Microsoft Shared\PhotoEd\PhotoEd.exe
    C:\Program Files\Microsoft Office\Office\excel.exe
    C:\Program Files\TrojanHunter 3.9\TrojanHunter.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\jasons\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://csw_keyfile/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = www.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
    O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\SURECL~1\PopUpStopperProfessional.exe
    O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE"
    O4 - HKCU\..\Run: [rundll32] C:\WINNT\rundll32.exe
    O4 - Startup: AbsoluteShield Internet Eraser.lnk = C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
    O4 - Startup: Total Cleaner.lnk = C:\Program Files\Total Cleaner\cleaner.exe
    O4 - Global Startup: OfficeScanNT Monitor.lnk = C:\OfficeScan NT\PccNTMon.exe
    O4 - Global Startup: Microsoft Find Fast.lnk.disabled
    O4 - Global Startup: Service Manager.lnk.disabled
    O4 - Global Startup: Office Startup.lnk.disabled
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E7D8182-23F2-4FEB-8203-9BEB4811535A}: NameServer = 206.13.30.12,64.160.192.70
     
  5. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Re: HTML REDIR.A Virus HELP!!

    Hi charger69

    You still have a "strange bird" :

    C:\WINNT\System32\FLRSERV.EXE
    If you don't know it - pls. check in HJT!

    Check the following items in HJT - close ALL browsers\windows except Hijackthis and click "Fix checked":

    C:\WINNT\System32\FLRSERV.EXE <--- see above !

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://csw_keyfile/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redi...=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redi...er=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redi...=ie&ar=iesearch

    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab

    NOTE....even in safe mode you may have to open taskmanager and end task on some of them before you can delete them.

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following file:

    C:\WINNT\System32\FLRSERV.EXE <----- see above

    Reboot

    If you do NOT know that file - maybe you scan it here:

    http://www.kaspersky.com/remoteviruschk.html

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder. It's a good idea to do that regularly.

    Still problems??
     
  6. charger69

    charger69 Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    8
    Re: HTML REDIR.A Virus HELP!!

    Marianna,

    I did as you suggested, but I still think that I have something because IE was asking for permission to have access (I was already in IE but I was not trying to open another window).
    I have included my HJT log. NOTE: I did not delete
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://csw_keyfile/
    This is our local intranet start page.

    Thank you again for your assistance.

    Logfile of HijackThis v1.97.7
    Scan saved at 6:59:07 PM, on 06/30/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\cisvc.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\Program Files\Network Associates\Remote Desktop 32\CONNSRV.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\OfficeScan NT\ofcdog.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE
    C:\WINNT\rundll32.exe
    C:\OfficeScan NT\PccNTMon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Documents and Settings\jasons\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://csw_keyfile/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = www.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
    O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\SURECL~1\PopUpStopperProfessional.exe
    O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE"
    O4 - HKCU\..\Run: [rundll32] C:\WINNT\rundll32.exe
    O4 - Startup: AbsoluteShield Internet Eraser.lnk = C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
    O4 - Startup: Total Cleaner.lnk = C:\Program Files\Total Cleaner\cleaner.exe
    O4 - Global Startup: OfficeScanNT Monitor.lnk = C:\OfficeScan NT\PccNTMon.exe
    O4 - Global Startup: Microsoft Find Fast.lnk.disabled
    O4 - Global Startup: Service Manager.lnk.disabled
    O4 - Global Startup: Office Startup.lnk.disabled
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O9 - Extra button: Real.com (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E7D8182-23F2-4FEB-8203-9BEB4811535A}: NameServer = 206.13.30.12,64.160.192.70
     
  7. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Re: HTML REDIR.A Virus HELP!!

    Hi charger69

    I went through every file again - I can't see anything suspicious. Yeah - your Startpage looked somehow "suspicious" to me :)

    How about you run these 2 and see if something comes up?

    Download Ad-aware from here: http://www.computercops.biz/downloads-file-292.html
    Install by double-clicking on the downloaded file.
    After installing but before running, update Ad-aware by using its Globe icon.
    After updating, shutdown and restart Ad-aware.
    Ad-aware is ready to scan and clean your system following these steps:

    Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    "Unload recognized processes during scanning."
    Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    "Let Windows remove files in use after reboot."
    Press "Scan Now"
    Check option "Use Custom scanning options"
    Check option "Activate In-Depth Scan"
    Press "Select drives\folders to scan"
    Select the active partition which is usually C:
    Press "Next" to let Ad-aware scan your drives...
    If it finds "bad" files and registry keys, press "Next" again
    Right-click in that pane and choose "select all"
    Press "next"
    When it asks to remove all checked items, Press "OK"
    Close Ad-aware, reboot your system and go on to Step 2 below.


    Spybot S&D
    The download for Spybot S&D is available here: http://www.computercops.biz/downloads-file-108.html

    Install by double-clicking on the downloaded file.
    Run Spybot S&D from desktop icon or Start menu.
    Press "Search for updates" button to get list of updates available.
    Press "Download updates" button.
    Close all IE windows and close & restart Spybot S&D.
    Press "Check for problems" button.
    Have SpyBot remove all it marks in red by pressing "Fix selected problems".

    Close Spybot S&D, reboot your system .

    After you are done - pls. run HJT again and pls. post a FRESH log.
     
  8. charger69

    charger69 Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    8
    Re: HTML REDIR.A Virus HELP!!

    I had previously run Spybot and Ad-Aware, but like a good trooper, I followed the expert's advice. I was able to find that I had systemie.dll and sysie.dll that had trojans - one was a key logger. I downloaded some trojan hardware. I also found out that my CWS Shredder was outdated and I kept getting an error when trying to update. I had to download again. I am obviously not an expert, so I found information in various sites.
    I do have a question..... The trojan program (TDS3) stated that it could not delete sysie.dll without any explanation. I added the following to a file fix.reg - I got this off of a forum.
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3D1228C9-F556-4158-BC0B-D3FF4F3F3E1B}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "systemie"=-
    "systemp"=-

    I rebooted my system and I could not find the file, nor does TDS3 recognize that it exists. Am I free? o_O

    Attached is my HJT log. Please advise if everything looks OK.

    Logfile of HijackThis v1.97.7
    Scan saved at 5:36:05 PM, on 07/01/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\cisvc.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\Program Files\Network Associates\Remote Desktop 32\CONNSRV.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\OfficeScan NT\ofcdog.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE
    C:\OfficeScan NT\PccNTMon.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Lotus\Notes\NLNOTES.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Lotus\Notes\nhldaemn.EXE
    C:\Program Files\Microsoft Office\Office\excel.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Documents and Settings\jasons\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://csw_keyfile/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = www.msn.com
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
    O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\SURECL~1\PopUpStopperProfessional.exe
    O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE"
    O4 - Startup: AbsoluteShield Internet Eraser.lnk = C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
    O4 - Startup: Total Cleaner.lnk = C:\Program Files\Total Cleaner\cleaner.exe
    O4 - Global Startup: OfficeScanNT Monitor.lnk = C:\OfficeScan NT\PccNTMon.exe
    O4 - Global Startup: Microsoft Find Fast.lnk.disabled
    O4 - Global Startup: Service Manager.lnk.disabled
    O4 - Global Startup: Office Startup.lnk.disabled
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Real.com (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E7D8182-23F2-4FEB-8203-9BEB4811535A}: NameServer = 206.13.30.12,64.160.192.70
     
  9. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Re: HTML REDIR.A Virus HELP!!

    Hello,

    Run HJT again and check this one and reboot:

    O1 - Hosts: 64.91.255.87 www.dcsresearch.com


    Run HJT again and post a new log for final review.
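The helpers in this thread triage each HijackThis log by eye: an O1 line that maps a hostname to a non-loopback address, an O16 ActiveX download from an unfamiliar domain, an O4 Run entry that starts rundll32.exe from C:\WINNT instead of System32, and so on. The script below is an added example (mine, not HijackThis code and not anything the posters ran) that applies those same checks to sample lines copied from the logs above. The TRUSTED_DOMAINS allow-list and the SYSTEM_BINARIES set are my own assumptions; a finding is a prompt for a human to confirm, not a verdict. The csw_keyfile start page, for instance, is flagged here exactly as Marianna flagged it, and charger69 then explained it is a local intranet page.

```python
"""Triage helper for HijackThis (HJT) 1.97-style logs.

Added example for this thread; not HijackThis code. It parses R0/R1, O1, O4,
O16 and O17 lines and flags the kinds of entries the thread's helpers checked
by hand. The sample lines are copied from the logs posted in the thread; the
allow-list and the system-binary list are assumptions for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: domains whose start/search pages and ActiveX downloads need no
# second look. Illustrative only; tune for your own environment.
TRUSTED_DOMAINS = ("microsoft.com", "msn.com", "google.com", "akamai.net")

# Assumption: binaries that belong in %SystemRoot%\System32; a same-named
# file launched from anywhere else (e.g. C:\WINNT\rundll32.exe) is suspect.
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "lsass.exe", "services.exe"}

# Hosts entries pointing here are blocklist-style entries, not redirects.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://csw_keyfile/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O1 - Hosts: Save Changes - Save any changes you make to hosts file
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKCU\..\Run: [rundll32] C:\WINNT\rundll32.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
O16 - DPF: {11120607-1001-1111-1000-110199901123} - http://www.n28.net/n009/on-line.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E7D8182-23F2-4FEB-8203-9BEB4811535A}: NameServer = 206.13.30.12,64.160.192.70
"""


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O1"
    reason: str    # why the line deserves a look
    line: str      # the original log line


R_RE = re.compile(r"^(R[01]) - .*?,(?P<name>[^=]+?) = (?P<value>.+)$")
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (?:HK\w+)\\\.\.\\Run: \[[^\]]+\]\s+(?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF:\s+.*?\s+-\s+(?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")


def host_of(value: str) -> str:
    """Hostname of a URL or of a bare domain such as 'www.msn.com'."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def exe_path(cmd: str) -> str:
    """Executable part of a Run value: quoted path, or text up to first space."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage_line(line: str):
    """Return a Finding for one HJT line, or None if nothing stands out."""
    if m := R_RE.match(line):
        host = host_of(m["value"])
        if not is_trusted(host):
            return Finding(m.group(1), f"{m['name']} points at unrecognised host {host!r}; confirm it is intended", line)
        return None
    if m := O1_RE.match(line):
        target, name = m.group(1), m.group(2)
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            return Finding("O1", f"malformed hosts entry: {target!r} is not an IP address, so this is text, not a mapping", line)
        if str(ip) not in LOOPBACK:
            return Finding("O1", f"hosts file sends {name} to {ip} instead of using DNS; a redirect unless you added it", line)
        return None
    if m := O4_RE.match(line):
        directory, _, base = exe_path(m["cmd"]).lower().rpartition("\\")
        if base in SYSTEM_BINARIES and not directory.endswith("\\system32"):
            return Finding("O4", f"{base} started from {directory or '(no path)'} rather than System32; same-named impostor", line)
        return None
    if m := O16_RE.match(line):
        host = host_of(m["url"])
        if not is_trusted(host):
            return Finding("O16", f"ActiveX download from {host}; remove unless you know the control", line)
        return None
    if m := O17_RE.match(line):
        servers = ", ".join(s.strip() for s in m["servers"].split(","))
        return Finding("O17", f"adapter DNS servers {servers}; confirm they belong to your ISP or corporate network", line)
    return None


def triage(log_text: str) -> list:
    """All findings for a whole log, in log order."""
    return [f for f in (triage_line(l.strip()) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it as a script and it prints seven findings from the sample: the unrecognised start page, both O1 lines (one malformed, one real redirect), the rundll32.exe copy in C:\WINNT, the two non-trusted O16 downloads, and the O17 name servers to verify; the Microsoft search page and the Trend Micro HouseCall control on akamai.net pass. Whatever you treat as trusted, keep the list short and review O17 entries manually, since a DNS server change cannot be judged from the log alone.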
     
  10. charger69

    charger69 Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    8
    Re: HTML REDIR.A Virus HELP!!

    OK.... I think that we got it. Please review my HJT log.

    Please offer some advice. What should I have on my computer for protection?
    I presently have Spybot, Ad-Aware, microtrend, trojan hunter, TDS3 (evaluation copy), and a number of registry cleaners. I do a great deal of travelling which is where I get the viruses, trojans, etc.

    Also, the registry entry that I accomplished (see below), do I just leave it?

    Logfile of HijackThis v1.97.7
    Scan saved at 1:28:36 PM, on 07/02/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\cisvc.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\Program Files\Network Associates\Remote Desktop 32\CONNSRV.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\OfficeScan NT\ofcdog.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE
    C:\OfficeScan NT\PccNTMon.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Lotus\Notes\NLNOTES.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Lotus\Notes\nhldaemn.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\jasons\Desktop\HijackThis.exe
    C:\OfficeScan NT\TSC.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://csw_keyfile/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = www.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
    O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\SURECL~1\PopUpStopperProfessional.exe
    O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE"
    O4 - Startup: AbsoluteShield Internet Eraser.lnk = C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
    O4 - Startup: Total Cleaner.lnk = C:\Program Files\Total Cleaner\cleaner.exe
    O4 - Global Startup: OfficeScanNT Monitor.lnk = C:\OfficeScan NT\PccNTMon.exe
    O4 - Global Startup: Microsoft Find Fast.lnk.disabled
    O4 - Global Startup: Service Manager.lnk.disabled
    O4 - Global Startup: Office Startup.lnk.disabled
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Real.com (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E7D8182-23F2-4FEB-8203-9BEB4811535A}: NameServer = 206.13.30.12,64.160.192.70
     
  11. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA