Results 1 to 3 of 3

Thread: Browser Redirect virus on hotel server... help!!

  1. #1
    Junior Member
    Join Date
    Jun 2011
    Posts
    1

    Unhappy Browser Redirect virus on hotel server... help!!

    Hello,

    I have done a quickscan with MBAM; and scanned with AVG. Here is the hijackthis logfile:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 1:06:20 PM, on 6/5/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\Cherry\KeyMan\KeyMan.exe
    C:\Program Files\Cherry\CDI\cdimsrclient.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\VMUSER\Application Data\Best Western\Checking In\tray_stub_bwi.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\ImageTech\VisualMatrix\Devices\vmSRV_SHELL.exe
    C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe
    C:\WINDOWS\system32\HPSIsvc.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\ImageTech\VisualMatrixMSSQL$VISUALMATRIX\Binn\sqlservr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\UltraVNC\WinVNC.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\Program Files\Cherry\CDI\cdi.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\ImageTech\VisualMatrix\Devices\vmSRV.exe
    C:\ImageTech\VisualMatrix\Devices\vmCLI_CA.exe
    C:\ImageTech\VisualMatrix\Devices\vmCLI_CC.exe
    C:\ImageTech\VisualMatrix\Devices\vmCLI_CR_BW2W.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\WINDOWS\System32\svchost.exe
    C:\ImageTech\VisualMatrix\vmSHELL.exe
    C:\ImageTech\VisualMatrix\VisualMatrix.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\AVG\AVG10\avgchsvx.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Program Files\Trojan Remover\unins000.exe
    C:\DOCUME~1\VMUSER\LOCALS~1\Temp\_iu14D2N.tmp

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5081009
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O1 - Hosts: 172.21.10.92 twoway-gateway.bestwestern.com
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O3 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [CherryKeyMan] "C:\Program Files\Cherry\KeyMan\KeyMan.exe"
    O4 - HKLM\..\Run: [CDIMSRClient] "C:\Program Files\Cherry\CDI\cdimsrclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
    O4 - HKLM\..\Run: [HPUsageTracking] C:\Program Files\HP\HP UT\bin\hppusg.exe "C:\Program Files\HP\HP UT\"
    O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Checking In] C:\Documents and Settings\VMUSER\Application Data\Best Western\Checking In\tray_stub_bwi.exe
    O4 - HKUS\S-1-5-21-965164830-2305482558-4074932367-1005\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (User 'chirag1972')
    O4 - HKUS\S-1-5-21-965164830-2305482558-4074932367-1005\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'chirag1972')
    O4 - HKUS\S-1-5-21-965164830-2305482558-4074932367-1010\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (User 'Front')
    O4 - HKUS\S-1-5-21-965164830-2305482558-4074932367-500\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (User 'Administrator')
    O4 - Startup: Device Server.lnk = C:\ImageTech\VisualMatrix\Devices\vmSRV_SHELL.exe
    O4 - Startup: Dropbox.lnk.disabled
    O4 - Startup: EvernoteClipper.lnk.disabled
    O4 - Startup: ZooskMessenger.lnk.disabled
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O9 - Extra button: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files\Evernote\Evernote\EvernoteIE.dll/204 (file missing)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files\Evernote\Evernote\EvernoteIE.dll/204 (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.image-support.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
    O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://mallcam.uta.edu/SysCamInst.cab
    O16 - DPF: {1D457968-BC9D-4E6B-B47A-9E51EE126C81} - http://192.168.0.51/webview/LiveView.exe
    O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://inatsuki.aa0.netvolante.jp/kxhcm10.ocx
    O16 - DPF: {33704B0F-9EB7-434B-B752-EA6CFFB87423} (pmjpegaudio Class) - http://202.212.193.26:555/JpegInst.cab
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.5.7.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.hp.com/ChatEntry/...ds/sysinfo.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1232571004252
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1280809579820
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://wimpro.cce.hp.com/ChatEntry/...ads/msxml4.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FF413F63-F9D6-4F83-888B-17648FA596D7}: NameServer = 8.8.8.8,8.8.4.4
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
    O23 - Service: B92C98AF - Unknown owner - C:\WINDOWS\system32\B92C98AF.exe (file missing)
    O23 - Service: Cherry Device Interface - ZF Electronics GmbH - C:\Program Files\Cherry\CDI\cdi.exe
    O23 - Service: dkab_device - Unknown owner - C:\WINDOWS\system32\DKabcoms.exe (file missing)
    O23 - Service: HP LaserJet Professional M1210 MFP Series Receive Fax Service (HPM1210RcvFaxSrvc) - Marvell - C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe
    O23 - Service: HP SI Service (HPSIService) - HP - C:\WINDOWS\system32\HPSIsvc.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

    --
    End of file - 12032 bytes

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,476

    Default

    Hello BWalamosainn,

    In case you missed it please see the FAQ which also includes guidelines for this forum and instructions in post #2 on how to provide the preliminary "DDS" logs used for analysis.
    "BEFORE You POST"(Please read this Procedure Before Requesting Assistance)

    Then start a new topic providing the DDS logs as shown in that sticky and a volunteer analyst will advise you when available.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,476

    Default

    Hello BWalamosainn,

    http://www.spywareinfoforum.com/index.php?/topic/131991-browser-redirect-virus-on-hotel-server-help/page__pid__748281__st__0&#entry748281

    From this forum's FAQ.
    Posters who start topics at multiple sites for their PC problem waste valuable volunteer resources as our analysts assist people at several forums. Worse scenario would be to run fixes given at one site unbeknown to the person helping the same user elsewhere. If you have already requested help at another site choose where you wish to continue and advise all parties.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •