Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Arrrgh Redirect virus!! XP-Pro svchost.exe problem

  • This topic is locked This topic is locked
1 reply to this topic

#1 Jim Shoe

Jim Shoe

  • Members
  • 7 posts
  • Local time:07:30 AM

Posted 04 October 2010 - 09:56 AM

Mod EDIT: whomever takes this topic, I have merged several posts and deleted others in an effort to get the OP's log posted. Sorry for the mess ithe topic is in.~~boopme

My work terminal is experiencing a nasty trojan possible rootkit infection. I've ran Malwarebytes and it said trojan.hiloti was detected and removed and no other threats were uncovered after numerous run throughs. I think it is a rootkit virus, I ran the rootkit unhooker and it said at the end


Also svchost.exe keeps trying to reference memory that can not be accessed 0x00000000

its driving me crazy and it is my workstation and reinstalling the OS and all my work applications is an absolute last resort. I have not run combofix yet.

Any thoughts?

thanksDDS (Ver_10-03-17.01) - NTFSx86
Run by mhurley at 11:15:54.32 on Mon 10/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.138 [GMT -5:00]

============== Running Processes ===============

C:WINDOWSsystem32svchost -k DcomLaunch
C:WINDOWSSystem32svchost.exe -k netsvcs
C:WINDOWSsystem32svchost.exe -k WudfServiceGroup
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesKaseyaAgentKaUsrTsk.exe
C:Program FilesJavajre6binjusched.exe
C:Program FilesCommon FilesAdobeARM1.0AdobeARM.exe
C:Program FilesSophosAutoUpdateALMon.exe
C:Program FilesMicrosoft OfficeOffice12ONENOTEM.EXE
C:Program FilesJavajre6binjqs.exe
C:Program FilesKaseyaAgentAgentMon.exe
C:Program FilesKaseyaAgentKasAVSrv.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGmdm.exe
C:Program FilesMicrosoft SQL ServerMSSQL.1MSSQLBinnsqlservr.exe
c:program filescommon filesprotexislicense servicepsiservice_2.exe
C:Program FilesSophosAutoUpdateALsvc.exe
C:Program FilesMicrosoft SQL Server90Sharedsqlwriter.exe
C:WINDOWSsystem32svchost.exe -k imgsvc
C:Program FilesRealVNCVNC4WinVNC4.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesHewlett-PackardToolboxjrebinjavaw.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesConnectWisePsa.NetPsaStarter.exe
C:Program FilesConnectWisePsa.Net2.0.0.18Psa.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesMicrosoft OfficeOffice12OUTLOOK.EXE
C:Program FilesMozilla Firefoxfirefox.exe
C:Documents and SettingsmhurleyDesktopDownloadsDefogger.exe
C:Documents and SettingsmhurleyDesktopDownloadsdds.scr

============== Pseudo HJT Report ===============

============ Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:program filescommon filesadobeacrobatactivexAcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:program filesjavajre6binjp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:program filesjavajre6libdeployjqsiejqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
uRun: [SUPERAntiSpyware] c:program filessuperantispywareSUPERAntiSpyware.exe
mRun: [Synchronization Manager] %SystemRoot%system32mobsync.exe /logon
mRun: [Kaseya Agent Service Helper] "c:program fileskaseyaagentKaUsrTsk.exe"
mRun: [SunJavaUpdateSched] "c:program filesjavajre6binjusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:program filesadobereader 8.0readerReader_sl.exe"
mRun: [Adobe ARM] "c:program filescommon filesadobearm1.0AdobeARM.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [TomcatStartup 2.5] c:program fileshewlett-packardtoolboxhpbpsttp.exe
StartupFolder: c:docume~1mhurleystartm~1programsstartupmagicd~1.lnk - c:utilsmagicdiscMagicDisc.exe
StartupFolder: c:docume~1mhurleystartm~1programsstartuponenot~1.lnk - c:program filesmicrosoft officeoffice12ONENOTEM.EXE
StartupFolder: c:docume~1alluse~1startm~1programsstartupautoup~1.lnk - c:program filessophosautoupdateALMon.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupwindow~1.lnk - c:program fileswindows desktop searchWindowsSearch.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoStartMenuMyGames = 1 (0x1)
uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: RestrictWelcomeCenter = 1 (0x1)
uPolicies-explorer: DisableThumbsDBOnNetworkFolders = 1 (0x1)
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
uPolicies-explorer: RecycleBinSize = 2 (0x2)
mPolicies-system: DisableStartupSound = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:progra~1micros~2office12REFIEBAR.DLL

I am having problems posting my logs to this thread, it keeps saying
Internet Explorer cannot display the webpage

What you can try:
It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.

Retype the address.

it does the same in firefox

=============== Created Last 30 ================

2010-10-04 16:11:21 0 ----a-w- c:documents and settingsmhurleydefogger_reenable
2010-09-30 20:38:20 0 d-----w- c:program filesCCleaner
2010-09-30 19:05:08 0 d-----w- c:docume~1mhurleyapplic~1SUPERAntiSpyware.com
2010-09-30 19:05:08 0 d-----w- c:docume~1alluse~1applic~1SUPERAntiSpyware.com
2010-09-30 19:04:53 0 d-----w- c:program filesSUPERAntiSpyware
2010-09-30 17:22:37 143360 ------w- c:windowssystem32RtlCPAPI.dll
2010-09-30 17:21:22 69632 ------w- c:windowsAlcmtr.exe
2010-09-29 20:49:49 0 d-----w- c:program filesSophos
2010-09-29 00:13:51 293376 ------w- c:windowssystem32browserchoice.exe
2010-09-28 22:13:29 0 d-----w- C:778c4e21436ca1848dbf8158142e1ae1
2010-09-27 15:44:07 0 d-----w- c:docume~1mhurleyapplic~1Malwarebytes
2010-09-27 15:43:52 38224 ----a-w- c:windowssystem32driversmbamswissarmy.sys
2010-09-27 15:43:51 20952 ----a-w- c:windowssystem32driversmbam.sys
2010-09-27 15:43:51 0 d-----w- c:program filesMalwarebytes' Anti-Malware
2010-09-27 15:43:51 0 d-----w- c:docume~1alluse~1applic~1Malwarebytes
2010-09-22 15:00:55 1324 ----a-w- c:windowssystem32d3d9caps.dat
2010-09-22 14:48:57 120 ----a-w- c:windowsYkojujodiv.dat.bad
2010-09-22 14:48:57 0 ----a-w- c:windowsElafalajoq.bin
2010-09-22 00:30:20 406016 -c----w- c:windowssystem32dllcacheusp10.dll
2010-09-21 22:28:02 0 d-----w- C:9058f3b30ec3c2e85b
2010-09-21 22:24:06 58880 -c----w- c:windowssystem32dllcachespoolsv.exe
2010-09-21 22:18:07 293376 -c----w- c:windowssystem32dllcachewinsrv.dll
2010-09-21 21:13:37 1615240 ----a-w- c:tempwindowsxp-kb905474-enu-x86_de6cd4d37729f6079366b53cc3cdaa6ecafbb56f.exe
2010-09-07 22:17:14 0 d-----w- C:f1d9f5de60a6063bc85d

==================== Find3M ====================

==================== Find3M ====================

2010-10-04 16:04:17 952 --sha-w- c:docume~1alluse~1applic~1KGyGaAvL.sys
2010-08-17 13:17:06 58880 ----a-w- c:windowssystem32spoolsv.exe
2010-08-16 14:04:40 53943 ----a-w- c:windowshppins01.dat
2010-07-22 15:49:15 590848 ----a-w- c:windowssystem32rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:windowssystem32xpsp4res.dll
2008-10-30 19:11:37 32768 --sha-w- c:windowstempcookiesindex.dat
2008-10-30 19:11:37 32768 --sha-w- c:windowstemphistoryhistory.ie5index.dat
2008-10-30 19:11:37 49152 --sha-w- c:windowstemptemporary internet filescontent.ie5index.dat

============= FINISH: 11:20:53.80 ===============

================= FIREFOX ===================

FF - ProfilePath - c:docume~1mhurleyapplic~1mozillafirefoxprofilesek7ne1o0.default
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL -


FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:windowsmicrosoft.netframeworkv3.5windows

presentation foundationdotnetassistantextension
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.lu", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.nu", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.nz", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.tel", true);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:program filesmozilla firefoxdefaultspreffirefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:program filessuperantispywaresasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:program filessuperantispywareSASKUTIL.SYS [2010-5-10 67656]
R2 KaseyaAgent;Kaseya Agent;c:program fileskaseyaagentAgentMon.exe [2008-10-21 610304]
R2 KaseyaAVService;Kaseya Security Service;c:program fileskaseyaagentKasAVSrv.exe [2009-6-2 221184]
R2 MSSQL$ACT7;SQL Server (ACT7);c:program filesmicrosoft sql servermssql.1mssqlbinnsqlservr.exe [2009-9-6 29180768]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:program filessophosautoupdateALsvc.exe [2010-5-27 172032]
R3 KAPFA;KAPFA;c:windowssystem32driversKaPFA.sys [2008-10-21 20792]
S3 WinRM;Windows Remote Management (WS-Management);c:windowssystem32svchost.exe -k WINRM [2006-2-28 14336]
S4 ACT! Scheduler;ACT! Scheduler;c:program filesactact for windowsAct.Scheduler.exe [2008-2-28 65536]
S4 vmserverdWin32;VMware Registration Service;c:mcsevmwarevmware servervmserverdWin32.exe [2008-5-9 1650781]

=============== Created Last 30 ================

OK I think I handled the problem there was a TLD3 virus that infected the ipsec.sys file and also there were several murofet-A virus infections on multiple files as well as another redirect virus. I used the Sophos scanner which did a great job of detecting the murofet viruses but couldn't kill the rootkit so I used the Kaspersky TDSSKiller which found the ipsec.sys infected file, completely killed the rootkit and now my computer appears to be symptom free

Thank you so much for this wonderful forum

you guys are the best

btw hxxp://dogarmc.com/iframefile.js is an evil evil file from an evil evil site

EDIT: 3 posts merged and link disabled ~BP

Edited by Budapest, 05 October 2010 - 04:04 PM.

BC AdBot (Login to Remove)


#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:08:30 AM

Posted 06 October 2010 - 09:24 AM

Closed,OP has solved issue and told me via PM.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users