
I need help cleaning the Windows/System32/Drivers/etc/hosts file. (As well as determining if there are any other problems with my computer.)

Symptoms: Browser hijacking. Instant spyware and tracking cookies from many sites after just starting up IE8 (after previously deleting them).

HijackThis is unable to clean it, even when run as administrator.

I am unable to clean it through text editor (run as administrator.)

I am unable to edit it using the command prompt (run as administrator.)

I am unable to edit it in safe mode.

I am unable to change the permissions on the file to allow me to clean it.

I am unable to delete the file on reboot using HijackThis.

I have used Microsoft's Fixit tool to "reset" the file. However, this only creates "Hosts.new" in the folder, and the old one still remains and is the one being used. Below is my HijackThis log.

In trying to clean the computer, I installed/subscribed to SpyHunter 4. Not my favorite tool, but it detects all of the tracking cookies for me and deletes them. I have also manually deleted the hidden Tempor~1/Content.IE5 folder multiple times to make sure everything is cleaned before testing the internet again for infection. Everything has come down to the 'hosts' file.

Normal anti-virus is Trend Micro Worry-free business and MalwareBytes.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:23:38 AM, on 1/4/2012

Platform: Unknown Windows (WinNT 6.01.3505 SP1)

MSIE: Internet Explorer v8.00 (8.00.7601.17514)

Boot mode: Normal

Running processes:

C:\windows\system32\Dwm.exe

C:\windows\Explorer.EXE

C:\windows\system32\taskhost.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe

C:\Program Files\DYMO\DYMO Label Software\DLSService.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\DYMO\DYMO Label Software\DymoQuickPrint.exe

C:\Users\SETUP\AppData\Local\Akamai\netsession_win.exe

C:\Users\SETUP\AppData\Local\Akamai\netsession_win.exe

C:\windows\system32\taskeng.exe

C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe

C:\windows\System32\mobsync.exe

C:\Program Files\Common Files\Java\Java Update\jucheck.exe

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\Program Files\ACT\Act for Windows\ActSage.exe

C:\Program Files\Ipswitch\WS_FTP 12\WsftpCOMHelper.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O1 - Hosts: 66.197.194.231 www.google-analytics.com.

O1 - Hosts: 66.197.194.231 ad-emea.doubleclick.net.

O1 - Hosts: 66.197.194.231 www.statcounter.com.

O1 - Hosts: 69.72.252.254 www.google-analytics.com.

O1 - Hosts: 69.72.252.254 ad-emea.doubleclick.net.

O1 - Hosts: 69.72.252.254 www.statcounter.com.

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1165\6.6.1081\TmIEPlg.dll

O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s

O4 - HKLM\..\Run: [Act.Outlook.Service] "C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe"

O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\Act for Windows\ActSage.exe" -preload

O4 - HKLM\..\Run: [DLSService] "C:\Program Files\DYMO\DYMO Label Software\DLSService.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [igfxTray] C:\windows\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [DymoQuickPrint] "C:\Program Files\DYMO\DYMO Label Software\DymoQuickPrint.exe" /startup

O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Users\SETUP\AppData\Local\Akamai\netsession_win.exe"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)

O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://pghserver:4343/officescan/console/ClientInstall/WinNTChk.cab

O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://pghserver:4343/officescan/console/ClientInstall/setup.cab

O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC44} (Encrypt Class) - https://pghserver:4343/SMB/console/html/root/AtxEnc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MMSPGH.local

O17 - HKLM\Software\..\Telephony: DomainName = MMSPGH.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MMSPGH.local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = MMSPGH.local

O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1165\6.6.1081\TmIEPlg.dll

O18 - Protocol: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Client Server Security Agent\UIFramework\ProToolbarIMRatingActiveX.dll

O23 - Service: ACT! Scheduler - Sage Software, Inc. - C:\Program Files\ACT\Act for Windows\Act.Scheduler.exe

O23 - Service: Trend Micro Solution Platform (Amsp) - Trend Micro Inc. - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

O23 - Service: SpyHunter 4 Service - Enigma Software Group USA, LLC. - C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE

O23 - Service: Trend Micro Security Agent Communicator (TmListen) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

O23 - Service: Intel® Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe

--

End of file - 7441 bytes

Additionally: I have run ComboFix as well. It removed a rootkit. Here is the log for that. Even though I ran it in safe mode, without the Trend Micro process actually on, it thought it was still there? I ran it regardless.

ComboFix 11-12-28.03 - mtschippert 12/28/2011 9:25.1.4 - x86 NETWORK

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1783.1102 [GMT -5:00]

Running from: c:\users\SETUP\Desktop\ComboFix.exe

AV: Trend Micro Security Agent *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}

SP: Trend Micro Security Agent *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\e5xj34e0cb2pjt

c:\windows\$NtUninstallKB32979$

c:\windows\$NtUninstallKB32979$\536912083\@

c:\windows\$NtUninstallKB32979$\536912083\bckfg.tmp

c:\windows\$NtUninstallKB32979$\536912083\cfg.ini

c:\windows\$NtUninstallKB32979$\536912083\Desktop.ini

c:\windows\$NtUninstallKB32979$\536912083\keywords

c:\windows\$NtUninstallKB32979$\536912083\kwrd.dll

c:\windows\$NtUninstallKB32979$\536912083\L\xadqgnnk

c:\windows\$NtUninstallKB32979$\536912083\lsflt7.ver

c:\windows\$NtUninstallKB32979$\536912083\U\00000001.@

c:\windows\$NtUninstallKB32979$\536912083\U\00000002.@

c:\windows\$NtUninstallKB32979$\536912083\U\00000004.@

c:\windows\$NtUninstallKB32979$\536912083\U\80000000.@

c:\windows\$NtUninstallKB32979$\536912083\U\80000004.@

c:\windows\$NtUninstallKB32979$\536912083\U\80000032.@

c:\windows\$NtUninstallKB32979$\982674171

c:\windows\Fonts\usps4cb.ttf

c:\windows\system32\R.BAT

c:\windows\system32\S.BAT

.

c:\windows\system32\drivers\cdrom.sys was missing

Restored copy from - c:\windows\System32\DriverStore\FileRepository\cdrom.inf_x86_neutral_6381e09675524225\cdrom.sys

.

.

((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))

.

.

2011-12-28 14:30 . 2011-12-28 14:32 -------- d-----w- c:\users\SETUP\AppData\Local\temp

2011-12-28 14:30 . 2011-12-28 14:30 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-12-28 14:30 . 2011-12-28 14:30 -------- d-----w- c:\users\__sbs_netsetup__\AppData\Local\temp

2011-12-28 14:30 . 2010-11-20 04:38 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-12-20 19:48 . 2011-12-20 19:48 110080 ----a-r- c:\users\SETUP\AppData\Roaming\Microsoft\Installer\{1C7CC8E2-CFCF-41E6-A863-7C7A45CE8A78}\IconF7A21AF7.exe

2011-12-20 19:48 . 2011-12-20 19:48 110080 ----a-r- c:\users\SETUP\AppData\Roaming\Microsoft\Installer\{1C7CC8E2-CFCF-41E6-A863-7C7A45CE8A78}\IconD7F16134.exe

2011-12-20 19:48 . 2011-12-20 19:48 110080 ----a-r- c:\users\SETUP\AppData\Roaming\Microsoft\Installer\{1C7CC8E2-CFCF-41E6-A863-7C7A45CE8A78}\IconCF33A0CE.exe

2011-12-20 19:48 . 2011-12-20 19:49 -------- d-----w- C:\sh4ldr

2011-12-20 19:48 . 2011-12-20 19:48 -------- d-----w- c:\program files\Enigma Software Group

2011-12-20 19:47 . 2011-12-20 19:48 -------- d-----w- c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP

2011-12-20 19:47 . 2011-12-20 19:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2011-12-20 13:26 . 2011-12-20 13:26 -------- d-----w- c:\users\SETUP\AppData\Roaming\Malwarebytes

2011-12-20 13:26 . 2011-12-20 13:26 -------- d-----w- c:\programdata\Malwarebytes

2011-12-20 13:26 . 2011-12-20 13:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-20 13:26 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-19 14:29 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4BA0FA32-1E11-45C3-BF12-A8BF5503968A}\mpengine.dll

2011-12-15 16:08 . 2011-10-26 04:28 38912 ----a-w- c:\windows\system32\csrsrv.dll

2011-12-15 16:08 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll

2011-12-15 16:08 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-12-15 16:08 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-28 13:01 . 2010-10-18 12:56 1682 --sha-w- c:\programdata\KGyGaAvL.sys

2011-12-09 07:54 . 2011-02-02 10:28 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-09-29 16:03 . 2011-11-17 14:49 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DymoQuickPrint"="c:\program files\DYMO\DYMO Label Software\DymoQuickPrint.exe" [2010-05-11 1885512]

"Akamai NetSession Interface"="c:\users\SETUP\AppData\Local\Akamai\netsession_win.exe" [2011-12-13 3305760]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-03-17 8546848]

"Act.Outlook.Service"="c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe" [2009-02-24 28672]

"Act! Preloader"="c:\program files\ACT\Act for Windows\ActSage.exe" [2009-02-24 393216]

"DLSService"="c:\program files\DYMO\DYMO Label Software\DLSService.exe" [2010-05-11 55808]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]

"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-03-25 121064]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)

.

R2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [2009-02-24 81920]

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]

R2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 136176]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]

R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]

R2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2011-02-25 65296]

R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-04-16 2533400]

R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [2011-05-06 13904]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 136176]

R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-04 232960]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-30 187392]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

Akamai REG_MULTI_SZ Akamai

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 17:50]

.

2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 17:50]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://companyweb/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 10.0.0.2

DPF: {9BBB3919-F518-4D06-8209-299FC243FC44} - hxxps://pghserver:4343/SMB/console/html/root/AtxEnc.cab

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]

"ServiceDll"="c:\program files\common files\akamai/netsession_win_b427739.dll"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'lsass.exe'(480)

c:\program files\Bonjour\mdnsNSP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\conhost.exe

.

**************************************************************************

.

Completion time: 2011-12-28 09:35:22 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-28 14:35

.

Pre-Run: 463,736,025,088 bytes free

Post-Run: 464,025,329,664 bytes free

.

- - End Of File - - 70E66BD026E5C1501E9CF3A2197179AE


First:

I must inform you that you're infected with Rootkit.ZeroAccess rootkit, a BackDoor Trojan.

Read this warning.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

http://www.howtogeek.com/wp-content/uploads/2008/03/image51.png <--like this

Download and run hosts-perm.bat: Right click, choose "Run as Administrator".

http://download.bleepingcomputer.com/bats/hosts-perm.bat

Right click on notepad and choose "Run as Administrator", leave it open.

Navigate to the hosts file, drag it into notepad.

You should now be able to edit, close it out when done and save changes.

MrC

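The procedure MrC gives above (take back control of the hosts file, then edit it from an elevated editor) and the O1 entries in the HijackThis log earlier in the thread (analytics and ad hostnames pointed at 66.197.194.231 and 69.72.252.254 instead of loopback) are the two halves of the same problem. The PowerShell below is an added example written for this page; it is not hosts-perm.bat, not MrC's or Malwarebytes' code, and not part of the original thread. It assumes the standard hosts path under %SystemRoot%, the function names Get-SuspiciousHostsEntries and Repair-HostsFile are chosen here, and the sample lines are constructed from the log entries above plus two benign lines.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell
# prompt (right-click > Run as Administrator). Function names are chosen here.
# Assumption: the hosts file is at its default location.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Return every hosts entry that maps a hostname to something other than a
# loopback or null address. That is the usual shape of a hosts-file hijack
# (tracking/ad domains redirected to an address the attacker controls), but a
# legitimate intranet entry looks the same, so review the output before acting.
function Get-SuspiciousHostsEntries {
    param([Parameter(Mandatory)][string[]]$Lines)
    $benign = @('127.0.0.1', '::1', '0.0.0.0')
    foreach ($line in $Lines) {
        $text = ($line -split '#', 2)[0].Trim()       # strip comments and blanks
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }          # malformed line, ignore
        $address = $fields[0]
        if ($benign -contains $address) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{
                Address  = $address
                Hostname = $name.TrimEnd('.')          # the log shows trailing dots
                Line     = $line
            }
        }
    }
}

# Back the file up, clear the attributes that block saving, give ownership to
# the Administrators group, reset the ACL to the inherited default, then write
# a comment-only hosts file (Windows 7 resolves localhost without an entry).
# If the write still fails from an elevated prompt while you are a local
# administrator, the block is coming from below the file-system API (the kind
# of protection the rootkit named in this thread provides), and changing
# permissions will not fix it.
function Repair-HostsFile {
    param([string]$Path = $HostsPath)
    $backup = "$Path.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    Copy-Item -LiteralPath $Path -Destination $backup -Force
    attrib -r -s -h $Path
    takeown /F $Path /A | Out-Null                     # owner = BUILTIN\Administrators
    icacls $Path /reset | Out-Null                     # inherit the default ACL of etc\
    icacls $Path /grant '*S-1-5-32-544:F' | Out-Null   # Administrators: Full, by SID
    $default = @(
        '# hosts file rewritten after cleanup',
        '# localhost name resolution is handled within DNS itself.',
        '#   127.0.0.1       localhost',
        '#   ::1             localhost'
    )
    Set-Content -LiteralPath $Path -Value $default -Encoding Ascii
    return $backup                                     # where the old file went
}

# Constructed sample mirroring the O1 lines from the HijackThis log above.
$sample = @(
    '# comment line',
    '127.0.0.1 localhost',
    '::1 localhost',
    '66.197.194.231 www.google-analytics.com.',
    '69.72.252.254 ad-emea.doubleclick.net.'
)
Get-SuspiciousHostsEntries -Lines $sample | Format-Table -AutoSize

# Audit the live file first; only run Repair-HostsFile after reviewing the output.
# Get-SuspiciousHostsEntries -Lines (Get-Content -LiteralPath $HostsPath)
# Repair-HostsFile
```

The audit is deliberately separate from the repair: the audit is read-only and safe to run on any machine, while the repair replaces the ACL and the file contents, so keep the backup path it returns. The SID form `*S-1-5-32-544` is used instead of the name "Administrators" so the command works on non-English installs.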

First:

I must inform you that you're infected with Rootkit.ZeroAccess rootkit, a BackDoor Trojan.

Read this warning.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

http://www.howtogeek.com/wp-content/uploads/2008/03/image51.png <--like this

Download and run hosts-perm.bat: Right click, choose "Run as Administrator".

http://download.bleepingcomputer.com/bats/hosts-perm.bat

Right click on notepad and choose "Run as Administrator", leave it open.

Navigate to the hosts file, drag it into notepad.

You should now be able to edit, close it out when done and save changes.

MrC

I ran the batch file posted. It did not change anything.

Would you mind elaborating instead of just saying I have this or that? As in, what tells you I have said rootkit?


(Is there an edit button so I do not have to double post?)

In continuation, I just tried in safe mode and various other things and actually looked at the batch file to see what it did. It is not an issue with the attributes of the file but with the permissions themselves. I am the local administrator for this computer, and they should be able to be changed without any issues.

Anyways, MBAW and several online scans have come up empty. ESET's online scanner came up with a trojan that was cleaned at some point last week. I do not know if I have a log of that.

Below I am posting a MBAW log from December (20th I believe?) where there were multiple infections (most of which I could find no information on, but all were "successfully cleaned"). These infections led to my computer being inoperable. It associated all .exe files as an unknown type and prevented anything from being opened. This was fixed by changing the registry key. (ComboFix fixed the fix in place, reverting it to normal.)

**************************************************************

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8402

Windows 6.1.7601 Service Pack 1 (Safe Mode)

Internet Explorer 8.0.7601.17514

12/20/2011 9:21:13 AM

mbam-log-2011-12-20 (09-21-13).txt

Scan type: Quick scan

Objects scanned: 397935

Time elapsed: 53 minute(s), 30 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

c:\Windows\Temp\ghport\setup.exe (Heuristics.Shuriken) -> 1984 -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\5689 (Heuristics.Shuriken) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MozillaAgent (Trojan.Dropper) -> Value: MozillaAgent -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\Temp\ghport\setup.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.

c:\Windows\Temp\5689.sys (Heuristics.Shuriken) -> Quarantined and deleted successfully.

c:\Windows\Temp\A0E0.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\SETUP\local settings\stf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\SETUP\local settings\application data\stf.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.

c:\Windows\System32\drivers\cdrom.sys (Trojan.Patched) -> Quarantined and deleted successfully.

c:\Windows\Temp\_ex-68.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

***********************************************************

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8402

Windows 6.1.7601 Service Pack 1 (Safe Mode)

Internet Explorer 8.0.7601.17514

12/20/2011 11:08:35 AM

mbam-log-2011-12-20 (11-08-35).txt

Scan type: Full scan (C:\|)

Objects scanned: 262799

Time elapsed: 13 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\SETUP\AppData\LocalLow\Sun\Java\deployment\cache\6.0\50\55065cf2-14836a86 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

*********************************************************************

Since then, nothing has come up using MBAW.


I ran the batch file posted. It did not change anything.

If you followed my directions exactly, you will be able to edit the hosts file.

The bat file was specially created for this and I've used it in the past with success.

Would you mind elaborating instead of just saying I have this or that? As in, what tells you I have said rootkit?

From your ComboFix log, I can tell... it's a pretty common infection now.

MrC


I ran the batch file posted. It did not change anything.

If you followed my directions exactly, you will be able to edit the hosts file.

The bat file was specially created for this and I've used it in the past with success.

Would you mind elaborating instead of just saying I have this or that? As in, what tells you I have said rootkit?

From your ComboFix log, I can tell... it's a pretty common infection now.

MrC

I just reformatted my hard drive and did a fresh install of windows to solve this problem and any remaining potential security risks that may exist. It was easier and faster as well.

Also, the batch file was executed by right-clicking -> Run as Administrator. It didn't solve the issue. It did not change the permissions that I was being denied access to, which is why I was unable to edit the hosts file.

Thanks for your assistance.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
