
Host file take over - Windows Security Suite already removed.


Kinesin


Hi all,

Friend's laptop recently started to receive warnings from 'Windows Security Suite', which a quick Google confirmed as malware.

Originally the machine had ESET NOD32 installed; however, this has been removed by the malware.

I downloaded and installed Malwarebytes Anti-Malware, which removed 'Windows Security Suite', and then installed Avira AntiVir Personal, which killed off a few more Trojans. (I had this log.)

However, an attempt to access https://www.google.com highlighted the fact that the c:\windows\system32\Drivers\etc\Hosts file has been corrupted (invalid cert).

(It is now a hidden, read-only file; I am unable to reclaim permissions using Windows.)

Running as Admin in Safe Mode does not allow me to reclaim permissions.

HijackThis confirms the issue with the hosts file.

Machine is Windows XP SP3 running the 'Vista Inspirat 2' skin (YzShadow/UberIcon etc.).

ESET Online Scanner was run last night and finds nothing.

Current MBAM & HJT logs are below; the original MBAM log showing the removal is available if required.

Many thanks for any help

Cheers

Steve

### LOG FILES ###

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:35:24, on 12/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe

C:\Program Files\Launchy\Launchy.exe

C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe

C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Safari\Safari.exe

C:\Documents and Settings\Amber Laird-Parry\My Documents\My Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O1 - Hosts: 74.125.45.100 4-open-davinci.com

O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com

O1 - Hosts: 74.125.45.100 privatesecuredpayments.com

O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com

O1 - Hosts: 74.125.45.100 getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 secure-plus-payments.com

O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com

O1 - Hosts: 74.125.45.100 www.getavplusnow.com

O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com

O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com

O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com

O1 - Hosts: 74.125.45.100 paysoftbillsolution.com

O1 - Hosts: 88.198.198.202 google.ae

O1 - Hosts: 88.198.198.202 google.as

O1 - Hosts: 88.198.198.202 google.at

O1 - Hosts: 88.198.198.202 google.az

O1 - Hosts: 88.198.198.202 google.ba

O1 - Hosts: 88.198.198.202 google.be

O1 - Hosts: 88.198.198.202 google.bg

O1 - Hosts: 88.198.198.202 google.bs

O1 - Hosts: 88.198.198.202 google.ca

O1 - Hosts: 88.198.198.202 google.cd

O1 - Hosts: 88.198.198.202 google.com.gh

O1 - Hosts: 88.198.198.202 google.com.hk

O1 - Hosts: 88.198.198.202 google.com.jm

O1 - Hosts: 88.198.198.202 google.com.mx

O1 - Hosts: 88.198.198.202 google.com.my

O1 - Hosts: 88.198.198.202 google.com.na

O1 - Hosts: 88.198.198.202 google.com.nf

O1 - Hosts: 88.198.198.202 google.com.ng

O1 - Hosts: 88.198.198.202 google.ch

O1 - Hosts: 88.198.198.202 google.com.np

O1 - Hosts: 88.198.198.202 google.com.pr

O1 - Hosts: 88.198.198.202 google.com.qa

O1 - Hosts: 88.198.198.202 google.com.sg

O1 - Hosts: 88.198.198.202 google.com.tj

O1 - Hosts: 88.198.198.202 google.com.tw

O1 - Hosts: 88.198.198.202 google.dj

O1 - Hosts: 88.198.198.202 google.de

O1 - Hosts: 88.198.198.202 google.dk

O1 - Hosts: 88.198.198.202 google.dm

O1 - Hosts: 88.198.198.202 google.ee

O1 - Hosts: 88.198.198.202 google.fi

O1 - Hosts: 88.198.198.202 google.fm

O1 - Hosts: 88.198.198.202 google.fr

O1 - Hosts: 88.198.198.202 google.ge

O1 - Hosts: 88.198.198.202 google.gg

O1 - Hosts: 88.198.198.202 google.gm

O1 - Hosts: 88.198.198.202 google.gr

O1 - Hosts: 88.198.198.202 google.ht

O1 - Hosts: 88.198.198.202 google.ie

O1 - Hosts: 88.198.198.202 google.im

O1 - Hosts: 88.198.198.202 google.in

O1 - Hosts: 88.198.198.202 google.it

O1 - Hosts: 88.198.198.202 google.ki

O1 - Hosts: 88.198.198.202 google.la

O1 - Hosts: 88.198.198.202 google.li

O1 - Hosts: 88.198.198.202 google.lv

O1 - Hosts: 88.198.198.202 google.ma

O1 - Hosts: 88.198.198.202 google.ms

O1 - Hosts: 88.198.198.202 google.mu

O1 - Hosts: 88.198.198.202 google.mw

O1 - Hosts: 88.198.198.202 google.nl

O1 - Hosts: 88.198.198.202 google.no

O1 - Hosts: 88.198.198.202 google.nr

O1 - Hosts: 88.198.198.202 google.nu

O1 - Hosts: 88.198.198.202 google.pl

O1 - Hosts: 88.198.198.202 google.pn

O1 - Hosts: 88.198.198.202 google.pt

O1 - Hosts: 88.198.198.202 google.ro

O1 - Hosts: 88.198.198.202 google.ru

O1 - Hosts: 88.198.198.202 google.rw

O1 - Hosts: 88.198.198.202 google.sc

O1 - Hosts: 88.198.198.202 google.se

O1 - Hosts: 88.198.198.202 google.sh

O1 - Hosts: 88.198.198.202 google.si

O1 - Hosts: 88.198.198.202 google.sm

O1 - Hosts: 88.198.198.202 google.sn

O1 - Hosts: 88.198.198.202 google.st

O1 - Hosts: 88.198.198.202 google.tl

O1 - Hosts: 88.198.198.202 google.tm

O1 - Hosts: 88.198.198.202 google.tt

O1 - Hosts: 88.198.198.202 google.us

O1 - Hosts: 88.198.198.202 google.vu

O1 - Hosts: 88.198.198.202 google.ws

O1 - Hosts: 88.198.198.202 google.co.ck

O1 - Hosts: 88.198.198.202 google.co.id

O1 - Hosts: 88.198.198.202 google.co.il

O1 - Hosts: 88.198.198.202 google.co.in

O1 - Hosts: 88.198.198.202 google.co.jp

O1 - Hosts: 88.198.198.202 google.co.kr

O1 - Hosts: 88.198.198.202 google.co.ls

O1 - Hosts: 88.198.198.202 google.co.ma

O1 - Hosts: 88.198.198.202 google.co.nz

O1 - Hosts: 88.198.198.202 google.co.tz

O1 - Hosts: 88.198.198.202 google.co.ug

O1 - Hosts: 88.198.198.202 google.co.uk

O1 - Hosts: 88.198.198.202 google.co.za

O1 - Hosts: 88.198.198.202 google.co.zm

O1 - Hosts: 88.198.198.202 google.com

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe

O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe

O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe

O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe

O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)

O23 - Service: Eset Service (ekrn) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 11218 bytes

### MBAM LOG

Malwarebytes' Anti-Malware 1.41

Database version: 3149

Windows 5.1.2600 Service Pack 3

12/11/2009 10:50:39

mbam-log-2009-11-12 (10-50-39).txt

Scan type: Quick Scan

Objects scanned: 108231

Time elapsed: 4 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)
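To audit a hosts file for the pattern visible in the O1 lines of the HijackThis log above (many unrelated names, search-engine domains and AV payment sites, all pointed at one or two foreign IPs), here is an added Python example; it is not from the original post or from HijackThis. The sample hosts content is constructed from two entries in the log plus the header and localhost line a clean XP hosts file carries.

```python
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the O1 lines in the HijackThis log above:
# a clean XP hosts file has only the comment header and the localhost line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
74.125.45.100   securitysoftwarepayments.com
74.125.45.100   safebrowsing-cache.google.com
88.198.198.202  google.co.uk   # inline comment, must be ignored
88.198.198.202  google.com
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments, blanks and junk lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address: treat as damage, not a mapping
        for host in parts[1:]:
            entries.append((str(ip), host.lower()))
    return entries

def suspicious_entries(entries):
    """Keep mappings that send a name anywhere other than the local host."""
    return [(ip, host) for ip, host in entries
            if not (ipaddress.ip_address(ip).is_loopback
                    or ipaddress.ip_address(ip).is_unspecified)]

def redirect_targets(entries):
    """Group suspicious mappings by destination IP; a few IPs collecting many
    unrelated names is the hijack signature seen in the log."""
    by_ip = defaultdict(list)
    for ip, host in suspicious_entries(entries):
        by_ip[ip].append(host)
    return dict(by_ip)

if __name__ == "__main__":
    for ip, hosts in redirect_targets(parse_hosts(SAMPLE_HOSTS)).items():
        print(f"{ip}: {len(hosts)} redirected name(s): {', '.join(hosts)}")
```

Legitimate intranet entries will also be listed, so review the grouped output rather than treating every non-loopback line as malicious; a public IP that collects search-engine and security-vendor names is the giveaway.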
