Jump to content

'Redirected Hostile Entry'


Recommended Posts

I posted an issue yesterday and nobody at all has replied. I am wondering what the problem is.

Is my problem too difficult to solve ?.. or am I doing something wrong ?.. missing something maybe ???

Please help.

Boz

*******************************

My Ad-Aware discovered 'Redirected Hostile Entry' items, but could not remove or quarantine them. I have been trying to clean my computer up for the last couple of days.

Following are the required logs. The Panda scan results and illustrations looked different from the instructions so I am posting 2 items which hopefully provide you all the info you need.

Thanks for your help !

(1) mbam

Malwarebytes' Anti-Malware 1.28

Database version: 1169

Windows 5.1.2600 Service Pack 3

9/18/2008 11:25:26 AM

mbam-log-2008-09-18 (11-25-26).txt

Scan type: Quick Scan

Objects scanned: 51279

Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

**********************************

(2) Panda

;*******************************************************************************

********************************************************************************

*

*******************

ANALYSIS: 2008-09-18 14:33:42

PROTECTIONS: 2

MALWARE: 2

SUSPECTS: 1

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

Windows Defender 1.1.3903.0 No No

Zone Alarm Security Suite 7.0.483.000 No No

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00039204 adware/cws Adware No 0 Yes No c:\documents and settings\basil\favorites\fun & games

03432170 Trj/Rebooter.J Virus/Trojan No 0 Yes No C:\WINDOWS\pss\Reboot.exeCommon Startup

;===============================================================================

================================================================================

=

===================

SUSPECTS

Sent Location

;===============================================================================

================================================================================

=

===================

No C:\WINDOWS\system32\Tools\Restart.exe

;===============================================================================

================================================================================

=

===================

VULNERABILITIES

Id Severity Description

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

........and (Panda Results page)

Home | Give us your opinion! | Help

Results

Files scanned: 893993

Files infected: 2

Suspicious files detected: 1

Vulnerabilities detected: 0

You are infected!

We have detected that the Windows Defender protection installed on your PC is disabled and not up-to-date.

You need better protection for your PC. With Panda solutions you will be protected against more than 3 million viruses, spyware and other threats.

Register free to disinfect viruses, worms and Trojans.

Link to post
Share on other sites

Hi There.

Sorry for the delay in responding.

Your Hijackthis log looks okay. The other two programs that are reporting, if you could be so kind as to zip those files as dustinrequest1.zip and send it to uploads.malwarebytes.org, I can take a look at them and make sure they are detected by us in the future. Lets not delete either of them yet tho, until I make sure they haven't hooked anything crazy in your system.

You mentioned that Adaware was detecting 'Redirected Hostile Entry'. Can you provide its logfile please?

Oh, and for future reference sir,

Generally the people assisting persons with issues do so on their free time, Most of us do have a life outside of help forums. Posting such.... comments in the future could cause helpers/mods/admins to ignore you in the future and/or possibly decide your a troll or something. Please understand, we do this to help you, but not necessarily on your schedule.

Thanks!

Link to post
Share on other sites
Hi There.

Sorry for the delay in responding.

Your Hijackthis log looks okay. The other two programs that are reporting, if you could be so kind as to zip those files as dustinrequest1.zip and send it to uploads.malwarebytes.org, I can take a look at them and make sure they are detected by us in the future. Lets not delete either of them yet tho, until I make sure they haven't hooked anything crazy in your system.

You mentioned that Adaware was detecting 'Redirected Hostile Entry'. Can you provide its logfile please?

Oh, and for future reference sir,

Generally the people assisting persons with issues do so on their free time, Most of us do have a life outside of help forums. Posting such.... comments in the future could cause helpers/mods/admins to ignore you in the future and/or possibly decide your a troll or something. Please understand, we do this to help you, but not necessarily on your schedule.

Thanks!

**********************************

Thanks for responding, and I am sorry if I offended. I didn't mean to.

I realize that there is no obligation to respond here. It is just that other posts (after me) were getting lots of views and replies, while I got nothing. And I started wondering if there was something wrong with my post, especially that the blue box next to my post looked unique and was not even in the symbol legend.

I uploaded the files you asked except the Ad-Aware log which the system will not load as a '.jpg', '.doc', or '.xml'. I'll try to include it as text below.

I appreciate your help.

*****

Scan Results

Ad-Aware 2008 Free Edition

Log File Created on:2008-09-1908:59:57

Using Definitions File:C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\core.aawdef

Computer name:BASIL-0CQJBXCYW

Name of user performing scan:SYSTEM

Name of user ordering scan:Basil

Scan completed successfully

System Information

File Version Information

Ad-Aware 2008 Settings

Extended Ad-Aware 2008 Settings

Database Information

Scan Statistics

Scan Detailed Statistics

Infections Found

Listing of running processes

System Information

Number of processors:2

Processor type:Genuine Intel

mbam_log_2008_09_18__11_25_26_.txt

Panda_ActiveScan.txt

Panda_Results.doc

mbam_log_2008_09_18__11_25_26_.txt

Panda_ActiveScan.txt

Panda_Results.doc

Link to post
Share on other sites

The cookies can be ignored, and the redirected hosts can also be ignored. Your not infected with anything, sir. The host redirection entries cause your computer not to surf to the sites listed. If your running windows XP, you can edit the following file and it should remove them. The only line you really need in the file is 127.0.0.1 localhost

C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS.

Edit this file with notepad.

Please let me know your results.

Link to post
Share on other sites
The cookies can be ignored, and the redirected hosts can also be ignored. Your not infected with anything, sir. The host redirection entries cause your computer not to surf to the sites listed. If your running windows XP, you can edit the following file and it should remove them. The only line you really need in the file is 127.0.0.1 localhost

C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS.

Edit this file with notepad.

Please let me know your results.

Thanks for the quick response.

However, let me check if I understand exactly what you want me to do b4 I do anything boneheaded. You want me to open

C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS.

with Notepad and simply delete all entries except

127.0.0.1 localhost

and that will get rid of the 'Redirected Hostile Entry' items, which is the only infection left in my system. Right ?

Link to post
Share on other sites
Thanks for the quick response.

However, let me check if I understand exactly what you want me to do b4 I do anything boneheaded. You want me to open

C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS.

with Notepad and simply delete all entries except

127.0.0.1 localhost

and that will get rid of the 'Redirected Hostile Entry' items, which is the only infection left in my system. Right ?

That is correct. They aren't infections, just blocked sites, courtesy of your hosts file. If your sure you don't ever want to surf to any of the listed, then don't remove them from the hosts. file.

Either way you decide to go, they pose no threat to you as is, In fact; your computer will refuse to visit those sites. :angry:

Link to post
Share on other sites
That is correct. They aren't infections, just blocked sites, courtesy of your hosts file. If your sure you don't ever want to surf to any of the listed, then don't remove them from the hosts. file.

Either way you decide to go, they pose no threat to you as is, In fact; your computer will refuse to visit those sites. :angry:

I highlighted and deleted everything but 'localhost'. But when I opened the Hosts file (C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS) again, there they were. They are back. I also ran Ad-Aware and the 'Redirected Hostile Entry' items showed up again with a Threat Analysis Index (TAI) of 4.

Posting to malwarebytes.org was the last step of a couple of days working on cleaning up all kinds of malware and viruses that somehow sneaked into my machine. I think it is last of them. I am trying to learn something here, so I appreciate your patience.

1- Why does Ad-Aware detect malware ?

2- Is there a way to remove the 'Redirected Hostile Entry' items ?

Thanks again for everything.

Link to post
Share on other sites
I highlighted and deleted everything but 'localhost'. But when I opened the Hosts file (C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS) again, there they were. They are back. I also ran Ad-Aware and the 'Redirected Hostile Entry' items showed up again with a Threat Analysis Index (TAI) of 4.

Posting to malwarebytes.org was the last step of a couple of days working on cleaning up all kinds of malware and viruses that somehow sneaked into my machine. I think it is last of them. I am trying to learn something here, so I appreciate your patience.

1- Why does Ad-Aware detect malware ?

2- Is there a way to remove the 'Redirected Hostile Entry' items ?

Thanks again for everything.

Ad-aware seems to be detecting cookies from potentially bad websites. Hmm... Would you mind posting a fresh hijackthis log please? You may have software monitoring that file.

Link to post
Share on other sites
Ad-aware seems to be detecting cookies from potentially bad websites. Hmm... Would you mind posting a fresh hijackthis log please? You may have software monitoring that file.

A little while ago I had an instance where I was redirected (hijacked ?) to an unrelated website (I think it was a Bank of America site) while I was attaching a '.jpg' file to an e-mail. I hope this helps explain something.

Following is the HJT log you asked.

Thnx.

B.

**********************************

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:43:58 PM, on 9/19/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Logitech\CallCentral\CallCentral.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://*.mcafee.com

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191179581135

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 8561 bytes

Link to post
Share on other sites

I personally do not know if Avast or Zone Alarm blocks modification of your hosts file.

I am not familiar with the following files, and would greatly appreciate it if you could zip them as a dustincheck3.zip file and send them uploads.malwarebytes.org here? :angry:

I suspect one or both of them may be responsible for reversing your hosts. changes.

Link to post
Share on other sites
I personally do not know if Avast or Zone Alarm blocks modification of your hosts file.

I am not familiar with the following files, and would greatly appreciate it if you could zip them as a dustincheck3.zip file and send them uploads.malwarebytes.org here? :angry:

I suspect one or both of them may be responsible for reversing your hosts. changes.

1- Avast (anti-virus) and ZoneAlarm (firewall) were installed only 2-3 days ago when my Norton360 stopped working and I discovered my system riddled with viruses, trojans and malware.

2- I am not sure what exactly you want me to upload.

3- what is a dustincheck3.zip file ?

thnx.

Link to post
Share on other sites
1- Avast (anti-virus) and ZoneAlarm (firewall) were installed only 2-3 days ago when my Norton360 stopped working and I discovered my system riddled with viruses, trojans and malware.

2- I am not sure what exactly you want me to upload.

3- what is a dustincheck3.zip file ?

thnx.

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

These two files. I would appreciate it if you could copy them to an empty folder and use winzip or 7zip to store them inside a dustincheck2.zip file. The filename just makes things easier for me to differentiate your files from someone elses.

I don't know what program owns them, and I've seen mixed results on a googlesearch. So I need them.

Link to post
Share on other sites
C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

These two files. I would appreciate it if you could copy them to an empty folder and use winzip or 7zip to store them inside a dustincheck2.zip file. The filename just makes things easier for me to differentiate your files from someone elses.

I don't know what program owns them, and I've seen mixed results on a googlesearch. So I need them.

Here are the files.

I see that you have been up late, so you probably won't see them till later. Enjoy your weekend.

Thnx.

**********

I have a problem. The file won't upload (larger than the available space). What can we do ?

Link to post
Share on other sites
Here are the files.

I see that you have been up late, so you probably won't see them till later. Enjoy your weekend.

Thnx.

**********

I have a problem. The file won't upload (larger than the available space). What can we do ?

Hi Boz.

It's okay. Zip them seperatly then and upload them here:

uploads.malwarebytes.org

I'll get to them as quick as I can.

Link to post
Share on other sites
Here's one. The other won't load. I get msg.:

Attachment space used 414.22K of 500K

Error Upload failed. The file was larger than the available space

I'll try the other now in another 'reply'.

It's still not working. The other zipped file is 92KB, which puts me a little over the 500 (seemingly) total space limit.

Any suggestions ?..

Link to post
Share on other sites

Okay... Do you know the difference between attaching a file here to a forum post, and uploading the file at that site I keep asking you to visit? uploads.malwarebytes.org

I'm not trying to belittle you, but I can't help you out much if you can't do as I need you to do. So if you need something explained, please say so. We are wasting each others time otherwise.

Thanks!

Link to post
Share on other sites
Okay... Do you know the difference between attaching a file here to a forum post, and uploading the file at that site I keep asking you to visit? uploads.malwarebytes.org

I'm not trying to belittle you, but I can't help you out much if you can't do as I need you to do. So if you need something explained, please say so. We are wasting each others time otherwise.

Thanks!

Every time I click on the 'http://uploads.malwarebytes.org' link you give, I get 'Address Not Found'. That is why I kept uploading into this post. This is the first time I am using this forum. Is there anything I need to know ?

Thnx.

Link to post
Share on other sites
Please try it again.

I just tried clicking on the upload link (uploads.malwarebytes.org) and got:

"Internet Explorer cannot display the webpage"..........in IE, and

"Address Not Found

Firefox can't find the server at uploads.malwarebytes.org."..................in Firefox

Link to post
Share on other sites
I just tried clicking on the upload link (uploads.malwarebytes.org) and got:

"Internet Explorer cannot display the webpage"..........in IE, and

"Address Not Found

Firefox can't find the server at uploads.malwarebytes.org."..................in Firefox

Alright, We'll give this another shot then. Please rename the .zip file to raidy.dat and email it to me as an attachment here:

bughunter.dustin@gmail.com

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.