
Host file infected by speedrunner


This topic is locked
2 replies to this topic

#1 olduser1

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:32 PM

Posted 09 April 2009 - 03:04 PM

Help please. I have been trying to clear my PC running Win XP with SP3 and cannot work out what to do next. The Trojan keeps popping up when I run the StopZilla program; it says the Host File Trojan infected to 127.0.0.1 speedrunner.com.
Neither Zonealarm, Spybot or CC Cleaner picked this item up, only the Stop Zilla sw, which keeps highlighting the Hosts file as a moderate threat. I delete it, but it reappears upon start up in the infection list from Stop Zilla.
I am unable to delete it using anti virus, CC Cleaner or Malwarebytes.
Please note the PC used Zonealarm Suite + Spybot until the last 3 days, when I downloaded the ZA v8 from the Check Point site; the PC would not start Windows - only in safe mode. I deleted ZA V * and lost the lot.
The Kaspersky data on the logs seems to refer to an old version 7 which I used to have some time ago.

I have attached the Hijack This data.
Please let me know what steps to take to delete and/or remove the entry for the Host infection.
Thank you in anticipation.


DDS (Ver_09-03-16.01) - NTFSx86
Run by steve at 20:52:24.39 on 09/04/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2000 [GMT 1:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated)
FW: Kaspersky Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Common Files\iS3\Anti-Spyware\SZScanner.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\steve\Desktop\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
uRun: [Nokia.PCSync] "c:\program files\nokia\nokia pc suite 7\PCSync2.exe" /NoDialog
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://carolinedoodledoo.spaces.live.com//PhotoUpload/MsnPUpld.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1219182051203
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172522313734
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165765412046
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: "c:\progra~1\google\google desktop search\GoogleDesktopNetwork3.dll"
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\r54if4kz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/|http://news.bbc.co.uk/1/hi/uk/default.stm|http://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1203594771&rver=4.5.2130.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&id=64855
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [2009-3-12 54656]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-4-8 179856]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-4-8 15504]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6; [x]
S3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);c:\windows\system32\drivers\webc3vid.sys [2008-7-11 166504]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-4-9 30192]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\sasenum.sys --> c:\program files\superantispyware\SASENUM.SYS [?]
S3 usb2vcom;Nokia CA-42 USB;c:\windows\system32\drivers\usb2vcom.sys [2006-10-23 22760]

=============== Created Last 30 ================

2009-04-09 18:36 9,848 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-04-09 16:15 <DIR> --d----- c:\program files\Avira GmbH
2009-04-09 14:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-04-09 14:21 <DIR> --d----- c:\program files\STOPzilla!
2009-04-09 14:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-04-08 23:58 0 a------- c:\documents and settings\steve\kavremover9.exe
2009-04-08 13:50 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-08 13:50 <DIR> --d----- c:\docume~1\steve\applic~1\SUPERAntiSpyware.com
2009-04-08 11:35 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-08 11:35 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-08 11:35 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-07 22:41 <DIR> --d----- c:\program files\Kaspersky Lab
2009-04-07 22:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-04-07 21:58 <DIR> --d----- c:\program files\common files\iS3
2009-04-07 20:33 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-04-07 18:51 63 a------- c:\windows\system\SysSD.dll
2009-04-07 17:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-07 15:42 <DIR> --d----- c:\documents and settings\steve\.housecall6.6
2009-03-31 14:57 17,408 a----r-- c:\windows\system32\SZIO5.dll
2009-03-31 14:56 294,912 a----r-- c:\windows\system32\SZBase5.dll
2009-03-31 14:55 540,672 a----r-- c:\windows\system32\SZComp5.dll
2009-03-27 10:56 126,976 a----r-- c:\windows\system32\IS3HTUI5.dll
2009-03-27 10:55 393,216 a----r-- c:\windows\system32\IS3DBA5.dll
2009-03-27 10:55 372,736 a----r-- c:\windows\system32\IS3UI5.dll
2009-03-27 10:55 61,440 a----r-- c:\windows\system32\IS3Hks5.dll
2009-03-27 10:54 23,040 a----r-- c:\windows\system32\IS3XDat5.dll
2009-03-27 10:54 221,184 a----r-- c:\windows\system32\IS3Win325.dll
2009-03-27 10:54 94,208 a----r-- c:\windows\system32\IS3Inet5.dll
2009-03-27 10:53 90,112 a----r-- c:\windows\system32\IS3Svc5.dll
2009-03-27 10:50 716,800 a----r-- c:\windows\system32\IS3Base5.dll
2009-03-20 11:40 <DIR> --d----- c:\docume~1\steve\applic~1\Trusteer
2009-03-20 11:39 <DIR> --d----- c:\program files\Trusteer
2009-03-12 12:18 54,656 a----r-- c:\windows\system32\drivers\SZKG.sys

==================== Find3M ====================

2009-04-08 09:28 4,212 a---hr-- c:\windows\system32\zllictbl.dat
2009-04-07 15:43 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-25 12:08 58,996 a---h--- c:\windows\system32\mlfcache.dat
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-05-30 11:19 513,536 a------- c:\program files\Crack.exe
2008-03-13 21:04 87,608 a------- c:\docume~1\steve\applic~1\inst.exe
2008-03-13 21:04 47,360 a------- c:\docume~1\steve\applic~1\pcouffin.sys
2006-02-06 20:14 242,907 a------- c:\documents and settings\steve\setup.exe
2002-11-09 13:57 27,070,049 a------- c:\program files\dvdxcopy_v10_b625.exe
2005-07-14 12:31 27,648 a--shr-- c:\windows\system32\AVSredirect.dll
2005-06-26 15:32 616,448 a--shr-- c:\windows\system32\cygwin1.dll
2005-06-21 22:37 45,568 a--shr-- c:\windows\system32\cygz.dll
2005-02-28 13:16 240,128 a--shr-- c:\windows\system32\x.264.exe
2008-05-12 12:27 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051220080513\index.dat

============= FINISH: 20:53:20.48 ===============


Edited by olduser1, 10 April 2009 - 04:49 AM.
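The symptom in the post above is a hosts file entry (speedrunner.com mapped to 127.0.0.1) that comes back after every reboot. The script below is an added example, not something posted in this thread or part of any tool it mentions: it parses hosts-file text in the standard Windows format, lists every entry beyond the stock loopback line, and computes a fingerprint of the normalised entries so a clean baseline can be compared against the file after a restart to confirm whether something is rewriting it. The sample hosts content is constructed to mirror the reported entry; the file path in the comment is the standard XP location.

```python
"""Audit a Windows hosts file for entries that are not the stock defaults.

Added example, not code from the BleepingComputer thread. Assumptions:
the file uses the standard hosts format (IP, whitespace, one or more
hostnames, optional '#' comment) and the only expected entry is the IPv4
loopback line that ships with Windows XP.
"""
import hashlib

# Stock Windows XP hosts file contains only this active entry.
EXPECTED_ENTRIES = {("127.0.0.1", "localhost")}

# Constructed sample mirroring the symptom reported in the post.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       speedrunner.com   # constructed line: the reported entry
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines.

    A line may carry several hostnames after the IP; each becomes its own
    pair so that aliases are audited individually.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def unexpected_entries(text, expected=EXPECTED_ENTRIES):
    """Entries not in the expected set; each one warrants review."""
    return [e for e in parse_hosts(text) if e not in expected]


def loopback_redirects(text):
    """Hostnames mapped to loopback other than localhost.

    Pointing a name at 127.x.x.x silently makes that site unreachable,
    which is exactly what the scanner in the post flagged.
    """
    return sorted(name for ip, name in parse_hosts(text)
                  if ip.startswith("127.") and name != "localhost")


def hosts_fingerprint(text):
    """SHA-256 over the sorted, normalised entries.

    Record this once the file is known clean; if the value differs after a
    reboot, something on the system is rewriting the file at startup.
    """
    normalised = "\n".join(f"{ip} {name}"
                           for ip, name in sorted(parse_hosts(text)))
    return hashlib.sha256(normalised.encode()).hexdigest()


if __name__ == "__main__":
    # On a live XP system read %SystemRoot%\system32\drivers\etc\hosts
    # instead of SAMPLE_HOSTS.
    for ip, name in unexpected_entries(SAMPLE_HOSTS):
        print(f"unexpected: {ip} -> {name}")
    print("loopback redirects:", loopback_redirects(SAMPLE_HOSTS))
    print("fingerprint:", hosts_fingerprint(SAMPLE_HOSTS))
```

Comparing fingerprints before and after a reboot separates the two cases the poster is stuck between: a file that was only cleaned in the scanner's list but never actually changed on disk, and a file that is genuinely being restored by something that runs at startup.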


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:32 PM

Posted 20 April 2009 - 01:09 PM

Hello olduser1,

Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:32 PM

Posted 08 May 2009 - 01:24 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.