Jump to content

Hosts file. ZeroAccess? Backdoors

Recommended Posts


I scanned with otl and it's part of log.

O1 HOSTS File: ([2015-08-15 12:17:30 | 000,450,774 | R--- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: www.007guard.com
O1 - Hosts: 007guard.com
O1 - Hosts: 008i.com
O1 - Hosts: www.008k.com
O1 - Hosts: 008k.com
O1 - Hosts: www.00hq.com
O1 - Hosts: 00hq.com
O1 - Hosts: 010402.com
O1 - Hosts: www.032439.com
O1 - Hosts: 032439.com
O1 - Hosts: www.0scan.com
O1 - Hosts: 0scan.com
O1 - Hosts: 1000gratisproben.com
O1 - Hosts: www.1000gratisproben.com
O1 - Hosts: 1001namen.com
O1 - Hosts: www.1001namen.com
O1 - Hosts: 100888290cs.com
O1 - Hosts: www.100888290cs.com
O1 - Hosts: www.100sexlinks.com
O1 - Hosts: 100sexlinks.com
O1 - Hosts: 10sek.com
O1 - Hosts: www.10sek.com
O1 - Hosts: www.1-2005-search.com
O1 - Hosts: 1-2005-search.com
O1 - Hosts: 123fporn.info
O1 - Hosts: 15471 more lines...


This is weird, especially i can't enter to router- doesn't work. I can only enter my RP-14( which expands network.

I should reset router but I've done it many times, and still some sh*t changing everything. I had 40ping when gaming now it's 90-120 and jump to 1000 sometimes. Also on system- once detect ZeroAccess, I remove it, next day scanners finds Trojan.Zeus, even after reinstall system few times.

Please check my logs and help me clear out backdoors.




DDS attach.txt







Link to post
Share on other sites

Hello and welcome,

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.


The Hosts file entries are part of Spybot S&D protection, nothing of concern....




Disable Spybots teatimer and leave off for now.

1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol ) and choose Exit Spybot S&D Resident
2. Run Spybot S&D
3. Go to the Mode menu, and make sure Advanced Mode is selected.
4. On the left hand side, choose Tools > Resident > uncheck Resident TeaTimer and OK any prompt and Restart your computer.

Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.




Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may or may not see this message box.

            'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.

To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
      XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  • Recommend you use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…

If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish. Follow the instructions above....

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User Licene Agreement)
  • Click Scan to scan the system.
  • When the scan completes select "Report", log will open. Close the program > Don't Fix anything!
  • Post back the report which should also be located here:

C:\Programdata\RogueKiller\Logs <-------- W7/8/10
C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <------XP

The log will be listed similar to this: RKreport_SCN_06282015_153950.log

Post hose logs, also give an update on any remaining issues or concerns...


Thank you,



Link to post
Share on other sites

Malwarebytes found nothing.

About 1month ago, i scanned with Malware-nothing,Adw-nothing, later scaned with RogueKiller and it found ZeroAccess in Mbam (0o) i deleted it and remove rogue.

Rogue found something interesting: RunOnce - before many system reinstall i had it in registry, and it back.

Also many, many times unknown user take ownership of mine files and folders, and maked it own hidden partitions, idk if there is still some- it can be.

Malwarebytes Anti-Malware.txt


Link to post
Share on other sites

RogueKiller logs are clean, when RK finds entries running from strange folder it may flag as malicious entry. Your entry run from D:\, usually will be running from C:\. if you look at the end of the entry you see this: mbamservice.exe[7] the bracketed number is not indicating malicious entry, is indicating clean....


The rest of the log entries are also not active, they show as Znaleziono (found) again the indentity digit is 0 (zero) means not active....


You should never believe what you assume log entries mean, maybe you should read up on RogueKiller tutorial.... As yet none of the logs you post are indicating any obvious malware or infection on your system...


I do not see any Anti-virus program installed on your system, is that correct?


Thank you,



Link to post
Share on other sites

Thanks for directing me.



I do not see any Anti-virus program installed on your system, is that correct?

That's right. I have not installed any AV, but i'll soon. The reason is that previous AV I had before reinstalling was 'eaten' by 'what I have'. I had:

-Bitdefender 2015 IS

-Kaspersky 2015 IS

-Webroot 2015 SAA - This lived the longest.

Ofc not all at one time.


With all due respect to your experience, Iam pretty sure I have something that is very, very difficult to detect if programs such as Malwarebytes/Adwcleaner/HitmanPro could not detected, but if detected something, it wasn't core of infection.


Is that clean too?


AVAST engine scan C:\Windows

21:24:51.373    File: C:\Windows\winsxs\amd64_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.18465_none_8d7f08131e967858\rdpudd.dll **HIDDEN**
21:24:51.538    File: C:\Windows\winsxs\amd64_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.18465_none_8d7f08131e967858\rdpvideominiport.sys **HIDDEN**
21:24:51.641    File: C:\Windows\winsxs\amd64_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.22678_none_8e00d7b637b97d3f\rdpudd.dll **HIDDEN**
21:24:51.715    File: C:\Windows\winsxs\amd64_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.22678_none_8e00d7b637b97d3f\rdpvideominiport.sys **HIDDEN**

After 5-6 reinstalls, uploading on a fresh system softwares to combat worms problem stopped, however, not quite. It back sometimes not so much as old system, but still comes back.

-What more i can do to find it?


Link to post
Share on other sites

aswMBR log does not indicate any malware/infection, hidden entries are video card components...


Please download Gmer from Here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...

            Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running Programs as well as your Browsers.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

Please post the content of the ark.txt here.

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

**If GMER crashes** Follow the instructions here and disable your security temporarily…

Post that log...

Link to post
Share on other sites

Upload a File to Virustotal

Go to http://www.virustotal.com/

  • Click the Choose file button
  • Navigate to the file C:\Windows\system32\wbem\WMIADAP.EXE
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.
  • Repeat the above steps for the following files



Thank you,



Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.