Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hosts System file infected?


  • This topic is locked This topic is locked
2 replies to this topic

#1 sofiano

sofiano

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:10 AM

Posted 14 February 2010 - 01:49 PM

I have the latest Norton anti-virus system and Spy Sweeper both updated but I still cannot remove the infection as they do not detect it. Google does not work neither does Bing.com when I open CMD and ping google.com it gives me the address " 89.248.168.186 for both Bing and Google.


DDS (Ver_09-12-01.01) - NTFSx86
Run by User at 11:00:31.17 on Sun 02/14/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.521 [GMT -8:00]

AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: System Defender *On-access scanning enabled* (Updated) {100E89D2-642F-43D0-946C-3595230B5CCC}
FW: Webroot AntiVirus with Spy Sweeper *disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}
FW: System Defender *enabled* {DF3DFAFF-C9DB-4E0C-AAB6-BDD72EF3C55D}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\Defogger.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.1.0.19\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.1.0.19\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.1.0.19\coIEPlg.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [RTHDCPL] "RTHDCPL.EXE"
mRun: [Alcmtr] "ALCMTR.EXE"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
Notify: igfxcui - igfxdev.dll
IFEO: image file execution options -
IFEO: a.exe -
IFEO: aAvgApi.exe -
IFEO: AAWTray.exe -
IFEO: ackwin32.exe -

Note: multiple IFEO entries found. Please refer to Attach.txt
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\ras4ht6o.default\
FF - prefs.js: browser.search.selectedEngine - search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-11-6 29808]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1101000.013\SymDS.sys [2009-11-22 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1101000.013\SymEFA.sys [2009-11-22 171056]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20091205.001\BHDrvx86.sys [2009-12-4 529456]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1101000.013\cchpx86.sys [2009-11-22 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1101000.013\Ironx86.sys [2009-11-22 114736]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-10-27 55656]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.1.0.19\ccSvcHst.exe [2009-11-22 126392]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-11-6 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-12-23 1201640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-11-22 102448]
S2 EraserSvc10922;Symantec Eraser Service;c:\program files\norton internet security\engine\17.1.0.19\ccSvcHst.exe [2009-11-22 126392]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20091217.002\IDSXpx86.sys [2009-12-18 329592]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20091222.004\NAVENG.SYS [2009-12-22 84912]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20091222.004\NAVEX15.SYS [2009-12-22 1323568]
S3 NdisWDM;Belkin Wireless G Plus USB Network Adapter Service;c:\windows\system32\drivers\NdisWDM.sys [2009-10-27 198144]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\avira\antivir desktop\sched.exe" --> c:\program files\avira\antivir desktop\sched.exe [?]
S4 AntiVirService;Avira AntiVir Guard;"c:\program files\avira\antivir desktop\avguard.exe" --> c:\program files\avira\antivir desktop\avguard.exe [?]

=============== Created Last 30 ================

2010-02-14 18:57:47 0 ----a-w- c:\documents and settings\user\defogger_reenable
2010-02-14 03:32:06 0 d-----w- c:\program files\DjVuZone
2010-02-08 06:04:00 32592 ----a-w- c:\windows\system32\msonpmon.dll
2010-02-08 06:01:08 0 d-----w- c:\windows\SHELLNEW
2010-01-28 23:35:48 0 d-----w- c:\program files\StreamTorrent 1.0
2010-01-27 02:14:35 0 d-----w- c:\windows\.jagex_cache_32
2010-01-23 03:16:11 0 d-----w- c:\windows\ERUNT
2010-01-23 03:15:02 0 d-----w- C:\SDFix
2010-01-23 03:06:58 1529241 ----a-w- C:\SDFix.exe
2010-01-22 03:00:17 246 ----a-w- c:\windows\wininit.ini
2010-01-21 05:52:01 0 d-----w- c:\program files\LimeWire
2010-01-16 05:15:24 0 d-----w- c:\windows\system32\TVUAx
2010-01-16 04:35:27 0 d-----w- c:\docume~1\alluse~1\applic~1\TVU Networks
2010-01-16 04:29:04 0 d-----w- c:\program files\TVUPlayer

==================== Find3M ====================

2009-12-23 23:59:47 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-06 03:33:50 146786 ----a-w- c:\windows\hphins32.dat
2009-11-22 21:06:08 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-11-06 16:13:05 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-11-06 16:13:06 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-11-06 16:13:05 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 11:00:41.53 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:10 PM

Posted 15 February 2010 - 06:31 AM

Hi sofiano,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Your log(s) show that you are using so called peer-to-peer or file-sharing programs. These programs allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  1. I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
    1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
    2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
    Therefore please go to add/remove in the control panel and remove either Norton Internet Security or Webroot AntiVirus with Spy Sweeper.

  2. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

  3. After running ComboFix please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt


#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:10 PM

Posted 22 February 2010 - 10:48 AM

This thread will now be closed due to lack of activity.

If you should have the same or a new issue, start a new topic with current logs and don't run ComboFix without supervision.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users