Boz Posted September 19, 2008 ID:28322 Share Posted September 19, 2008 I posted an issue yesterday and nobody at all has replied. I am wondering what the problem is.Is my problem too difficult to solve ?.. or am I doing something wrong ?.. missing something maybe ???Please help.Boz*******************************My Ad-Aware discovered 'Redirected Hostile Entry' items, but could not remove or quarantine them. I have been trying to clean my computer up for the last couple of days.Following are the required logs. The Panda scan results and illustrations looked different from the instructions so I am posting 2 items which hopefully provide you all the info you need.Thanks for your help !(1) mbamMalwarebytes' Anti-Malware 1.28Database version: 1169Windows 5.1.2600 Service Pack 39/18/2008 11:25:26 AMmbam-log-2008-09-18 (11-25-26).txtScan type: Quick ScanObjects scanned: 51279Time elapsed: 3 minute(s), 16 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)**********************************(2) Panda;***********************************************************************************************************************************************************************************ANALYSIS: 2008-09-18 14:33:42PROTECTIONS: 2MALWARE: 2SUSPECTS: 1;***********************************************************************************************************************************************************************************PROTECTIONSDescription Version Active Updated;===================================================================================================================================================================================Windows Defender 1.1.3903.0 No NoZone Alarm Security Suite 7.0.483.000 No No;===================================================================================================================================================================================MALWAREId Description Type Active Severity Disinfectable Disinfected Location;===================================================================================================================================================================================00039204 adware/cws Adware No 0 Yes No c:\documents and settings\basil\favorites\fun & games03432170 Trj/Rebooter.J Virus/Trojan No 0 Yes No C:\WINDOWS\pss\Reboot.exeCommon Startup;===================================================================================================================================================================================SUSPECTSSent Location ;===================================================================================================================================================================================No C:\WINDOWS\system32\Tools\Restart.exe ;===================================================================================================================================================================================VULNERABILITIESId Severity Description ;===================================================================================================================================================================================;===================================================================================================================================================================================........and (Panda Results page)Home | Give us your opinion! | HelpResultsFiles scanned: 893993Files infected: 2Suspicious files detected: 1Vulnerabilities detected: 0You are infected!We have detected that the Windows Defender protection installed on your PC is disabled and not up-to-date.You need better protection for your PC. With Panda solutions you will be protected against more than 3 million viruses, spyware and other threats.Register free to disinfect viruses, worms and Trojans. Link to post Share on other sites More sharing options...
Raid Posted September 19, 2008 ID:28323 Share Posted September 19, 2008 Hi There.Sorry for the delay in responding.Your Hijackthis log looks okay. The other two programs that are reporting, if you could be so kind as to zip those files as dustinrequest1.zip and send it to uploads.malwarebytes.org, I can take a look at them and make sure they are detected by us in the future. Lets not delete either of them yet tho, until I make sure they haven't hooked anything crazy in your system.You mentioned that Adaware was detecting 'Redirected Hostile Entry'. Can you provide its logfile please?Oh, and for future reference sir,Generally the people assisting persons with issues do so on their free time, Most of us do have a life outside of help forums. Posting such.... comments in the future could cause helpers/mods/admins to ignore you in the future and/or possibly decide your a troll or something. Please understand, we do this to help you, but not necessarily on your schedule.Thanks! Link to post Share on other sites More sharing options...
Boz Posted September 19, 2008 Author ID:28332 Share Posted September 19, 2008 Hi There.Sorry for the delay in responding.Your Hijackthis log looks okay. The other two programs that are reporting, if you could be so kind as to zip those files as dustinrequest1.zip and send it to uploads.malwarebytes.org, I can take a look at them and make sure they are detected by us in the future. Lets not delete either of them yet tho, until I make sure they haven't hooked anything crazy in your system.You mentioned that Adaware was detecting 'Redirected Hostile Entry'. Can you provide its logfile please?Oh, and for future reference sir,Generally the people assisting persons with issues do so on their free time, Most of us do have a life outside of help forums. Posting such.... comments in the future could cause helpers/mods/admins to ignore you in the future and/or possibly decide your a troll or something. Please understand, we do this to help you, but not necessarily on your schedule.Thanks!**********************************Thanks for responding, and I am sorry if I offended. I didn't mean to. I realize that there is no obligation to respond here. It is just that other posts (after me) were getting lots of views and replies, while I got nothing. And I started wondering if there was something wrong with my post, especially that the blue box next to my post looked unique and was not even in the symbol legend.I uploaded the files you asked except the Ad-Aware log which the system will not load as a '.jpg', '.doc', or '.xml'. I'll try to include it as text below.I appreciate your help.*****Scan ResultsAd-Aware 2008 Free EditionLog File Created on:2008-09-1908:59:57Using Definitions File:C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\core.aawdefComputer name:BASIL-0CQJBXCYWName of user performing scan:SYSTEMName of user ordering scan:BasilScan completed successfully System InformationFile Version InformationAd-Aware 2008 SettingsExtended Ad-Aware 2008 SettingsDatabase InformationScan StatisticsScan Detailed StatisticsInfections FoundListing of running processesSystem InformationNumber of processors:2Processor type:Genuine Intelmbam_log_2008_09_18__11_25_26_.txtPanda_ActiveScan.txtPanda_Results.docmbam_log_2008_09_18__11_25_26_.txtPanda_ActiveScan.txtPanda_Results.doc Link to post Share on other sites More sharing options...
Raid Posted September 19, 2008 ID:28336 Share Posted September 19, 2008 The cookies can be ignored, and the redirected hosts can also be ignored. Your not infected with anything, sir. The host redirection entries cause your computer not to surf to the sites listed. If your running windows XP, you can edit the following file and it should remove them. The only line you really need in the file is 127.0.0.1 localhostC:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS.Edit this file with notepad.Please let me know your results. Link to post Share on other sites More sharing options...
Boz Posted September 19, 2008 Author ID:28346 Share Posted September 19, 2008 The cookies can be ignored, and the redirected hosts can also be ignored. Your not infected with anything, sir. The host redirection entries cause your computer not to surf to the sites listed. If your running windows XP, you can edit the following file and it should remove them. The only line you really need in the file is 127.0.0.1 localhostC:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS.Edit this file with notepad.Please let me know your results.Thanks for the quick response.However, let me check if I understand exactly what you want me to do b4 I do anything boneheaded. You want me to open C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS.with Notepad and simply delete all entries except127.0.0.1 localhostand that will get rid of the 'Redirected Hostile Entry' items, which is the only infection left in my system. Right ? Link to post Share on other sites More sharing options...
Raid Posted September 19, 2008 ID:28353 Share Posted September 19, 2008 Thanks for the quick response.However, let me check if I understand exactly what you want me to do b4 I do anything boneheaded. You want me to open C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS.with Notepad and simply delete all entries except127.0.0.1 localhostand that will get rid of the 'Redirected Hostile Entry' items, which is the only infection left in my system. Right ?That is correct. They aren't infections, just blocked sites, courtesy of your hosts file. If your sure you don't ever want to surf to any of the listed, then don't remove them from the hosts. file.Either way you decide to go, they pose no threat to you as is, In fact; your computer will refuse to visit those sites. Link to post Share on other sites More sharing options...
Boz Posted September 19, 2008 Author ID:28361 Share Posted September 19, 2008 That is correct. They aren't infections, just blocked sites, courtesy of your hosts file. If your sure you don't ever want to surf to any of the listed, then don't remove them from the hosts. file.Either way you decide to go, they pose no threat to you as is, In fact; your computer will refuse to visit those sites. I highlighted and deleted everything but 'localhost'. But when I opened the Hosts file (C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS) again, there they were. They are back. I also ran Ad-Aware and the 'Redirected Hostile Entry' items showed up again with a Threat Analysis Index (TAI) of 4.Posting to malwarebytes.org was the last step of a couple of days working on cleaning up all kinds of malware and viruses that somehow sneaked into my machine. I think it is last of them. I am trying to learn something here, so I appreciate your patience.1- Why does Ad-Aware detect malware ?2- Is there a way to remove the 'Redirected Hostile Entry' items ?Thanks again for everything. Link to post Share on other sites More sharing options...
Raid Posted September 19, 2008 ID:28364 Share Posted September 19, 2008 I highlighted and deleted everything but 'localhost'. But when I opened the Hosts file (C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS) again, there they were. They are back. I also ran Ad-Aware and the 'Redirected Hostile Entry' items showed up again with a Threat Analysis Index (TAI) of 4.Posting to malwarebytes.org was the last step of a couple of days working on cleaning up all kinds of malware and viruses that somehow sneaked into my machine. I think it is last of them. I am trying to learn something here, so I appreciate your patience.1- Why does Ad-Aware detect malware ?2- Is there a way to remove the 'Redirected Hostile Entry' items ?Thanks again for everything.Ad-aware seems to be detecting cookies from potentially bad websites. Hmm... Would you mind posting a fresh hijackthis log please? You may have software monitoring that file. Link to post Share on other sites More sharing options...
Boz Posted September 19, 2008 Author ID:28390 Share Posted September 19, 2008 Ad-aware seems to be detecting cookies from potentially bad websites. Hmm... Would you mind posting a fresh hijackthis log please? You may have software monitoring that file.A little while ago I had an instance where I was redirected (hijacked ?) to an unrelated website (I think it was a Bank of America site) while I was attaching a '.jpg' file to an e-mail. I hope this helps explain something.Following is the HJT log you asked. Thnx.B.**********************************Logfile of Trend Micro HijackThis v2.0.2Scan saved at 4:43:58 PM, on 9/19/2008Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\ZoneLabs\vsmon.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Logitech\CallCentral\CallCentral.exeC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\Program Files\Spyware Doctor\pctsTray.exeC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\SearchIndexer.exeC:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\WINDOWS\system32\SearchProtocolHost.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://*.mcafee.comO16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cabO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191179581135O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exeO23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe--End of file - 8561 bytes Link to post Share on other sites More sharing options...
Raid Posted September 19, 2008 ID:28393 Share Posted September 19, 2008 I personally do not know if Avast or Zone Alarm blocks modification of your hosts file. I am not familiar with the following files, and would greatly appreciate it if you could zip them as a dustincheck3.zip file and send them uploads.malwarebytes.org here? I suspect one or both of them may be responsible for reversing your hosts. changes. Link to post Share on other sites More sharing options...
Boz Posted September 19, 2008 Author ID:28398 Share Posted September 19, 2008 I personally do not know if Avast or Zone Alarm blocks modification of your hosts file. I am not familiar with the following files, and would greatly appreciate it if you could zip them as a dustincheck3.zip file and send them uploads.malwarebytes.org here? I suspect one or both of them may be responsible for reversing your hosts. changes.1- Avast (anti-virus) and ZoneAlarm (firewall) were installed only 2-3 days ago when my Norton360 stopped working and I discovered my system riddled with viruses, trojans and malware.2- I am not sure what exactly you want me to upload.3- what is a dustincheck3.zip file ?thnx. Link to post Share on other sites More sharing options...
Raid Posted September 19, 2008 ID:28411 Share Posted September 19, 2008 1- Avast (anti-virus) and ZoneAlarm (firewall) were installed only 2-3 days ago when my Norton360 stopped working and I discovered my system riddled with viruses, trojans and malware.2- I am not sure what exactly you want me to upload.3- what is a dustincheck3.zip file ?thnx.C:\WINDOWS\system32\SearchIndexer.exeC:\WINDOWS\system32\SearchProtocolHost.exeThese two files. I would appreciate it if you could copy them to an empty folder and use winzip or 7zip to store them inside a dustincheck2.zip file. The filename just makes things easier for me to differentiate your files from someone elses.I don't know what program owns them, and I've seen mixed results on a googlesearch. So I need them. Link to post Share on other sites More sharing options...
Boz Posted September 20, 2008 Author ID:28477 Share Posted September 20, 2008 C:\WINDOWS\system32\SearchIndexer.exeC:\WINDOWS\system32\SearchProtocolHost.exeThese two files. I would appreciate it if you could copy them to an empty folder and use winzip or 7zip to store them inside a dustincheck2.zip file. The filename just makes things easier for me to differentiate your files from someone elses.I don't know what program owns them, and I've seen mixed results on a googlesearch. So I need them.Here are the files.I see that you have been up late, so you probably won't see them till later. Enjoy your weekend.Thnx.**********I have a problem. The file won't upload (larger than the available space). What can we do ? Link to post Share on other sites More sharing options...
Raid Posted September 20, 2008 ID:28478 Share Posted September 20, 2008 Here are the files.I see that you have been up late, so you probably won't see them till later. Enjoy your weekend.Thnx.**********I have a problem. The file won't upload (larger than the available space). What can we do ?Hi Boz.It's okay. Zip them seperatly then and upload them here:uploads.malwarebytes.orgI'll get to them as quick as I can. Link to post Share on other sites More sharing options...
Boz Posted September 20, 2008 Author ID:28500 Share Posted September 20, 2008 Here's one. The other won't load. I get msg.:Attachment space used 414.22K of 500KError Upload failed. The file was larger than the available spaceI'll try the other now in another 'reply'.It's still not working. The other zipped file is 92KB, which puts me a little over the 500 (seemingly) total space limit.Any suggestions ?.. Link to post Share on other sites More sharing options...
Raid Posted September 23, 2008 ID:28749 Share Posted September 23, 2008 Okay... Do you know the difference between attaching a file here to a forum post, and uploading the file at that site I keep asking you to visit? uploads.malwarebytes.orgI'm not trying to belittle you, but I can't help you out much if you can't do as I need you to do. So if you need something explained, please say so. We are wasting each others time otherwise.Thanks! Link to post Share on other sites More sharing options...
Boz Posted September 23, 2008 Author ID:28776 Share Posted September 23, 2008 Okay... Do you know the difference between attaching a file here to a forum post, and uploading the file at that site I keep asking you to visit? uploads.malwarebytes.orgI'm not trying to belittle you, but I can't help you out much if you can't do as I need you to do. So if you need something explained, please say so. We are wasting each others time otherwise.Thanks!Every time I click on the 'http://uploads.malwarebytes.org' link you give, I get 'Address Not Found'. That is why I kept uploading into this post. This is the first time I am using this forum. Is there anything I need to know ?Thnx. Link to post Share on other sites More sharing options...
JeanInMontana Posted September 24, 2008 ID:28925 Share Posted September 24, 2008 Please try it again. Link to post Share on other sites More sharing options...
Boz Posted September 24, 2008 Author ID:28938 Share Posted September 24, 2008 Please try it again.I just tried clicking on the upload link (uploads.malwarebytes.org) and got:"Internet Explorer cannot display the webpage"..........in IE, and"Address Not FoundFirefox can't find the server at uploads.malwarebytes.org."..................in Firefox Link to post Share on other sites More sharing options...
Raid Posted September 24, 2008 ID:28955 Share Posted September 24, 2008 I just tried clicking on the upload link (uploads.malwarebytes.org) and got:"Internet Explorer cannot display the webpage"..........in IE, and"Address Not FoundFirefox can't find the server at uploads.malwarebytes.org."..................in FirefoxAlright, We'll give this another shot then. Please rename the .zip file to raidy.dat and email it to me as an attachment here:bughunter.dustin@gmail.com Link to post Share on other sites More sharing options...
Boz Posted September 24, 2008 Author ID:28968 Share Posted September 24, 2008 Alright, We'll give this another shot then. Please rename the .zip file to raidy.dat and email it to me as an attachment here:bughunter.dustin@gmail.comDone ! Link to post Share on other sites More sharing options...
Bret Posted September 25, 2008 ID:28971 Share Posted September 25, 2008 Also my thanks for your help. I guess I was computer eavesdropping as a result of Google and a problem I had with Ad-Aware reporting I had 9 Link to post Share on other sites More sharing options...
Raid Posted September 25, 2008 ID:28983 Share Posted September 25, 2008 Done !Thanks Boz, I have recieved them. Allow me a bit of time and I will be able to give you a full report. Link to post Share on other sites More sharing options...
Boz Posted September 25, 2008 Author ID:29004 Share Posted September 25, 2008 Thanks Boz, I have recieved them. Allow me a bit of time and I will be able to give you a full report. Thank you. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted September 26, 2008 Root Admin ID:29108 Share Posted September 26, 2008 Hello Boz,Raid had to take care of some other matters so I will be taking over for him. Please give me some time to review your logs and post back any logs or other information that Raid may have requested. Link to post Share on other sites More sharing options...
Recommended Posts