Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

sc.videofreeforonline.com

Posted on 2008-10-22
4
Medium Priority
?
1,533 Views
Last Modified: 2013-12-08
Have contracted (on a business machine) a suspected virus or malware, whereby Internet Explorer redirects any web page to www.Sc.videofreeforonline.com/00/00/00/error.php and prompts to download protection software. The user has obviously done this and now can't remove the problem. We run Trend OfficeScan v8.0 which does not detect this as a problem at all, can't see any obvious registry settings relating to this either...

Any ideas please?
0
Comment
Question by:ken_roberts
  • 2
  • 2
4 Comments
 
LVL 23

Expert Comment

by:Mohamed Osama
ID: 22775075

Please download hijack this from the below link, install , run a scan & post the log file here

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?
page=download
0
 

Author Comment

by:ken_roberts
ID: 22776194
Thanks Admin3k... contents of log attached as requested:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:12:06, on 22/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\YEF1A3.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
P:\LawSoft.exe
\stronsql2\lawsoft\LSBacs.exe
\stronsql2\lawsoft\LSContactMaint.exe
\stronsql2\lawsoft\lsmaineq.exe
\stronsql2\lawsoft\LSOutlook.exe
\stronsql2\lawsoft\LSBillPrint.exe
\stronsql2\lawsoft\timerec.exe
\stronsql2\lawsoft\FEPInterface.exe
\stronsql2\lawsoft\LSContact.exe
\stronsql2\lawsoft\workmngr.exe
\stronsql2\lawsoft\LSAsset.exe
\stronsql2\lawsoft\DBServer.exe
C:\Program Files\BigHand\TotalSpeech 3\TotalSpeech.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://stronweb1/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://stronweb1/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.9.100.10:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://stronweb1;http://stronpoint;https://stronweb1.stronachs.co.uk:4343/officescan/default.htm;https://stronweb1.stronachs.co.uk;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpyPsy - {C420CF9F-D9D6-421F-958F-AA59906C2B12} - C:\WINDOWS\system32\ifsndu.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [PspUsbCf] pspusbcf.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Shortcut to Microsoft Outlook.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stronachs.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = stronachs.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = stronachs.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = stronachs.co.uk
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

--
End of file - 6423 bytes
0
 
LVL 23

Accepted Solution

by:
Mohamed Osama earned 1000 total points
ID: 22777841
Your machine is infected with some sort of Proxy trojan & a BHO  causing this redirection

http://spywarefiles.prevx.com/RRHDDC565675/MSSRV32.EXE.html


C:\WINDOWS\TEMP\YEF1A3.EXE ( is this one of your apps ?)

O2 - BHO: SpyPsy - {C420CF9F-D9D6-421F-958F-AA59906C2B12} - C:\WINDOWS\system32\ifsndu.dll

O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll

O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe


Those are the bad entries, I doubt Hijack this will remove those entries, so you may need to download & run Malwarebytes anti-malware from this link  http://www.malwarebytes.org/mbam.php, install, update & run a full system scan, if the problem persists you may want to try  Combofix, please ensure your antivirus is disabled while running Combofix and follow the instructions in the below link carefully.

Download combofix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
tutorial on CDombofix usage : http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Hope this helps.
0
 

Author Closing Comment

by:ken_roberts
ID: 31508664
Downloaded Malwarebytes anti-malware, installed and scanned... cleaned the machine and is working normally again. Thanks!
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware - Defeated! Client opened the wrong email and was attacked by Ransomware. I was able to use file recovery utilities to find shadow copies of the encrypted files and make a complete recovery.
When you put your credit card number into a website for an online transaction, surely you know to look for signs of a secure website such as the padlock icon in the web browser or the green address bar.  This is one way to protect yourself from oth…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

782 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question