I might have a redirect virus


    I honestly have no clue.

    On my desktop box, I have Avira, SAS, Windows Defender and the firewall all working together.

    Lately I have been getting hit with "server not found" errors and tonight I seem to be getting slammed. I thought it might have been my modem since it seems to be taking longer than normal to power cycle sometimes when I unplug it, but right now I am on my laptop and getting to myu while it says "server not found" on my other comp.

    I did HijackThis and it found nothing when I loaded it to hijackthis.de

    I have done scans with SAS and Avira and nothing has been found. I am not getting redirected to a bunch of popup sites. WTF could be going on?

    edit:
    gaming and BT are not affected


    New hijackthis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:07:57 AM, on 8/30/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.18813)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=userinit.exe
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Anthony\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClient Control) - https://juniper.net/dana-cached/sc/J...etupClient.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CE2EFC39-5F58-4CC9-BDC3-789E0C948FD8}: NameServer = 192.168.1.1
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 6922 bytes
    Last edited by dragonash; 08-30-2009, 01:09 AM.

  • #2
    What's with all the unknown owner crap? Is that something peculiar to Vista?

    I don't see anything glaringly obvious there, but I'm no expert.

    I've seen DNS servers get screwed up, either by attack or by misconfiguration, that makes certain sites "disappear" for a while.
    National Sarcasm Society
    "Like we need your support."

    • #3
      Well, I WAS thinking it was a Time Warner issue. But it's not happening on my laptop or my fiancée's laptop. My hosts file is clean too.

      I have Avira scanning now and will follow it up with SAS. In a way, I want there to be a virus, just so I have a definitive answer. But I hope I don't lol

      • #4
        Could try to verify it is/isn't DNS on the PC.

        ipconfig /flushdns

        Point it at OpenDNS
        208.67.222.222
        208.67.220.220

        ???
        When you girls are done kissing, I've got some asskicking for you!
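
        The check suggested in the post above, asking the router's DNS (192.168.1.1 per the O17 line in the HijackThis log) and OpenDNS the same question and seeing whether they agree, as an added example that is not part of the original thread. It hand-builds a DNS A query with the Python standard library so it can be aimed at any resolver rather than whatever the OS is configured to use, and it verifies the transaction ID on the reply. The hostname, the resolver list and the timeout are assumptions; the response-parsing code is exercised below on a constructed reply.

```python
"""Ask several resolvers the same DNS question and report whether they agree.

Added example: not code from the thread. Resolver list, test hostname and
timeout are assumptions.
"""
import random
import socket
import struct

A_RECORD = 1
CLASS_IN = 1


def build_query(name, qtype=A_RECORD, txid=None):
    """Build a minimal recursive DNS query; returns (txid, wire_bytes)."""
    if txid is None:
        txid = random.randrange(0x10000)  # random ID: the reply must echo it back
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def _read_name(msg, off):
    """Decode a (possibly compressed) name at `off`; returns (name, next_offset)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg, expected_txid):
    """Return (rcode, [IPv4 answers]); reject a reply whose ID does not match ours."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    rcode = flags & 0x000F  # 0 = NOERROR, 3 = NXDOMAIN, 2 = SERVFAIL
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, ips


def query(resolver, name, timeout=3.0):
    """Send one UDP query to `resolver`; None on timeout (a dead or dropping server)."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (resolver, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, txid)


def answers_disagree(results):
    """True when two resolvers that both answered NOERROR gave different A-record sets."""
    answer_sets = {frozenset(ips) for res in results.values()
                   if res is not None and res[0] == 0 for ips in [res[1]]}
    return len(answer_sets) > 1


if __name__ == "__main__":
    RESOLVERS = ["192.168.1.1", "208.67.222.222", "208.67.220.220"]  # router, OpenDNS x2
    results = {r: query(r, "www.microsoft.com") for r in RESOLVERS}
    for resolver, res in results.items():
        print(resolver, "TIMEOUT" if res is None else res)
    print("resolvers disagree:", answers_disagree(results))
```

        A resolver that times out or returns SERVFAIL while the others answer points at the router (or the ISP behind it); a resolver that answers with different addresses than the rest is the thing to worry about.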

        • #5
          Both SAS and Avira came back clean.

          Bald - true, that is a good test. Right now I have it set to my router since it has all that info. But it's weird. Now I am not having problems. It's like it happens at night or something. I will try it when it acts up again.

          • #6
            netstat -a

            Do you see port 25 connections happening massively?

            Install Malwarebytes. Update. Reboot in SAFE MODE, run full scan.
            Download ComboFix. Run in full.
            Still happening?
            Originally posted by Ranshackle
            I like Hasselhoff's ass better.
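
            The `netstat -a` check from the post above, as an added example that is not part of the original thread: it reads Windows-style `netstat -an` output and counts TCP connections whose remote port is 25, by state and by remote host, so "massively" becomes a number. The embedded sample output is constructed, and the spam-bot threshold (20 distinct remote SMTP hosts at once) is an assumption.

```python
"""Count outbound port 25 connections in `netstat -an` output (spam zombie check).

Added example, not from the thread. SAMPLE is constructed; the threshold
is an assumption.
"""
import subprocess
from collections import Counter

SMTP_PORT = 25


def split_endpoint(endpoint):
    """'1.2.3.4:25' -> ('1.2.3.4', 25); '[2001:db8::1]:25' -> ('2001:db8::1', 25);
    '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Yield (proto, local, remote, state) rows; skips headers and blank lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) > 3 else ""  # UDP rows have no state column
        yield parts[0], parts[1], parts[2], state


def smtp_summary(text):
    """Return (connections by state, connections by remote host) for remote port 25."""
    by_state, by_host = Counter(), Counter()
    for proto, _local, remote, state in parse_netstat(text):
        if proto != "TCP":
            continue
        host, port = split_endpoint(remote)
        if port != SMTP_PORT:
            continue
        by_state[state] += 1
        by_host[host] += 1
    return by_state, by_host


def looks_like_spam_bot(text, threshold=20):
    """A mail client talks to one or two SMTP servers; a zombie fans out to many,
    typically with a pile of SYN_SENT rows to hosts it has never seen before."""
    _by_state, by_host = smtp_summary(text)
    return len(by_host) >= threshold


# Constructed sample in the Windows `netstat -an` layout (not real captured output).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:49158      64.233.169.27:25       ESTABLISHED
  TCP    192.168.1.5:49160      203.0.113.7:25         SYN_SENT
  TCP    192.168.1.5:49161      203.0.113.7:25         SYN_SENT
  TCP    192.168.1.5:49170      198.51.100.9:2525      ESTABLISHED
  TCP    [fe80::1%12]:49180     [2001:db8::25]:25      ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

if __name__ == "__main__":
    try:
        text = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    except OSError:
        text = SAMPLE  # netstat unavailable: fall back to the constructed sample
    by_state, by_host = smtp_summary(text)
    print("port 25 connections by state:", dict(by_state))
    print("distinct remote SMTP hosts:", len(by_host))
    print("spam bot suspected:", looks_like_spam_bot(text))
```

            Run it a few times a minute apart while the symptom is happening; a zombie shows a changing crowd of remote hosts, a legitimate mail client shows the same one or two.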

            • #7
              nope, no port 25 spam.

              I had my DNS set to my router's IP,
              192.168.1.1, so I took Bald's advice and set the DNS to my ISP's instead of the router (even though the router SHOULD do the work correctly). Right now, everything seems fine. That might be the fix, but it's a wait-and-see thing.

              • #8
                I would still scan. Got hit with a nasty rootkit a couple of weeks ago that was doing something similar. Only difference was it also had a port 25 spam zombie component.

                Here's the thing - if you're getting a 404 on a website, then not, then 404 again, you've got something else going on. Your computer and/or router will cache lookups, so you should never see such behavior.

                • #9
                  will do then.

                  i will give an update when its complete

                  • #10
                    Originally posted by Dr. Death:
                    "What's with all the unknown owner crap? Is that something peculiar to Vista?"
                    Moreover, what's up with the services section?

                    I don't see anything bad either, but the rootkit I got, I was running AntiVir in aggressive mode, I clicked on a link to a site (torrentreactor), and got infected via a PDF exploit almost immediately. Didn't even have time to close the browser (less than 1 second to infected state).

                    the worst part about the rootkit was, it had several components and the files and the registry entries were HIDDEN from the Windows API, so the only way to see them was to kill the Windows shell and specifically run commands outside the shell.

                    VERY screwed up!!

                    • #11
                      Originally posted by shifty:
                      "got infected via PDF exploit almost immediately."
                      So all this is Apple's fault?

                      • #12
                        Adobe, you mean?

                        • #13
                          I thought they were pretty much joined at the hip, at least when it came to desktop publishing/etc......

                          (PS)

                          • #14
                            Shifty - Malwarebytes came back with nothing.
                            I was reading into ComboFix. Is it needed if Malwarebytes didn't find anything? It seems like a very last resort thing.

                            edit:
                            Also, I had HijackThis clean up the "missing" items in the services, so it should look neater.

                            • #15
                              It is a good last-minute thing. I would skip ComboFix.

                              I would look at your AntiVir logfile, though - the logfile it prompts you to look at after your scan is complete - and check the section labelled "hidden objects search" to see if anything is being hidden from the Windows API.
