Windows Hosts trojan found


33 replies to this topic

#1 Claytronic

  • Members
  • 212 posts
  • Gender:Male

Posted 19 February 2012 - 07:24 PM

A while back I created this thread:
http://www.bleepingcomputer.com/forums/topic428090.html/page__p__2476333__fromsearch__1#entry2476333
and these logs:
http://www.bleepingcomputer.com/forums/topic430643.html/page__p__2496104__fromsearch__1#entry2496104

but got caught up in some real-life stuff and my replies were very slow. I figured I may as well create a new topic because it's been so long and my computer has had many updates and whatnot.

Anyways, this is what Malwarebytes found: http://i44.tinypic.com/ixhaqd.png


Any help and I will be extremely thankful. :inlove:


#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,493 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 February 2012 - 08:03 PM

Hello again. I closed the other topic it is too old, If we need to go there again we'll start a new one.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Claytronic
  • Topic Starter

  • Members
  • 212 posts
  • Gender:Male

Posted 19 February 2012 - 09:06 PM

MiniToolBox by Farbar Version: 18-01-2012
Ran by Clayton (administrator) on 19-02-2012 at 21:01:40
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

**** End of log ****


Edited by boopme, 21 February 2012 - 07:48 PM.


#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,493 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 February 2012 - 09:25 PM

OK, Go into the program removal and remove this.
Java™ 6 Update 26 (64-bit) (Version: 6.0.260)
Spybot - Search & Destroy (Version: 1.6.2)

your choice IObit Security 360 (Version: 1.0)
as Malwarebytes is the better tool
>>>>>>

Your HOSTS file may be infected.
Reset the HOSTS file
As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system.
Some types of malware will alter the HOSTS file as part of its infection. Please follow the instructions provided in How do I reset the hosts file back to the default?

To reset the hosts file automatically, go HERE and click the [image] button. Then just follow the prompts in the Fix it wizard.


OR
Click Run in the File Download dialog box or save MicrosoftFixit50267.msi to your Desktop and double-click on it to run. Then just follow the prompts in the Fix it wizard.

>>>>>

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


NOTE: In some instances if no malware is found there will be no log produced.
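An added example, not part of boopme's post and not code from the Fix it tool or MiniToolBox: a small Python audit of a Windows hosts file that looks for the two kinds of entries hosts-file malware writes, a security or update vendor's domain pinned to loopback so the victim cannot reach it, and an ordinary hostname pinned to a remote address so traffic is silently redirected. The watch list in PROTECTED_DOMAINS and the SAMPLE_HOSTS text are constructed for the example. One caveat worth keeping in mind when reading scanner detections such as the C:\Windows\hosts hit later in this thread: the Windows resolver only consults %SystemRoot%\System32\drivers\etc\hosts (or whatever path the DataBasePath registry value names), so a file merely named "hosts" somewhere else is a dropped artifact, not the active hosts file.

```python
"""Audit a Windows hosts file for the kinds of entries malware adds.

Two patterns matter: a security or update domain pinned to loopback (so the
victim cannot fetch updates or removal tools) and an ordinary hostname pinned
to a remote address (pharming). Plain ad-blocking entries that point to
loopback are left alone.
"""
import ipaddress
import sys

# Where the Windows resolver actually reads the hosts file. The location can
# be redirected through the registry value
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath,
# so a thorough check reads that value first. A file merely named "hosts"
# elsewhere (C:\Windows\hosts, say) is never consulted by the resolver.
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Assumed watch list of domains malware commonly blackholes; extend as needed.
PROTECTED_DOMAINS = (
    "microsoft.com",
    "windowsupdate.com",
    "malwarebytes.org",
    "eset.com",
)


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every active mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address; the resolver ignores it as well
        for host in fields[1:]:
            yield lineno, ip, host.lower()


def _is_protected(host):
    return any(host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS)


def audit_hosts(text):
    """Return a list of (lineno, hostname, ip, reason) for suspicious entries."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        if _is_protected(host):
            findings.append((lineno, host, str(ip), "security/update domain pinned"))
        elif not ip.is_loopback:
            findings.append((lineno, host, str(ip), "redirected to a remote address"))
    return findings


# Constructed sample: the Windows 7 default header plus three appended lines
# of the sort a hosts-file hijacker writes (the ad-blocking line is benign).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1    www.malwarebytes.org
127.0.0.1    ads.example.net
198.51.100.7 www.example-bank.com
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for lineno, host, ip, reason in audit_hosts(text):
        print(f"line {lineno}: {host} -> {ip} ({reason})")
```

Run it with the path to a copied hosts file as the only argument, or with no argument to see the two findings from the constructed sample. Loopback entries for domains outside the watch list are deliberately not reported, because hosts-based ad blocking looks exactly like that and would drown the real findings.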

#5 Claytronic
  • Topic Starter

  • Members
  • 212 posts
  • Gender:Male

Posted 19 February 2012 - 09:28 PM

By "program removal" do you mean My Computer > Control Panel > Programs and Features > Right-click "Uninstall" Java, Spybot and IObit?

Just want to make absolute certain.

#6 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,493 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 February 2012 - 09:36 PM

Yes, I was not certain of this step in WIN7> Programs and Features

Don't uninstall all Java, just the outdated ones I listed. They are exploitable and you have the latest in the next one in the list.

#7 Claytronic
  • Topic Starter

  • Members
  • 212 posts
  • Gender:Male

Posted 20 February 2012 - 12:18 AM

I reset my HOSTS and did the ESET Scan.

C:\Users\Clayton\AppData\Local\Temp\Update_9bef.exe a variant of Win32/MessengerPlus.A application deleted - quarantined
C:\Users\Clayton\AppData\Local\Temp\Update_dd6e.exe a variant of Win32/MessengerPlus.A application deleted - quarantined
C:\Users\Clayton\Downloads\asc-setup.exe a variant of Win32/Toolbar.Widgi application deleted - quarantined
C:\Users\Clayton\Downloads\gamebooster.exe a variant of Win32/Toolbar.Widgi application deleted - quarantined


Edited by Claytronic, 20 February 2012 - 12:23 AM.


#8 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,493 posts
  • Gender:Male
  • Location:NJ USA

Posted 20 February 2012 - 02:49 PM

Let's just Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions,post logs and Let us know how the PC is running now.

#9 Claytronic
  • Topic Starter

  • Members
  • 212 posts
  • Gender:Male

Posted 20 February 2012 - 07:29 PM

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.20.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Clayton :: CLAYTON-PC [administrator]

2/20/12 7:19:01 PM
mbam-log-2012-02-20 (19-19-01).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 191475
Time elapsed: 9 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\hosts (Trojan.Agent) -> Quarantined and deleted successfully.

(end)


Then I restarted and I still see "desktop.ini" on my desktop and some files still aren't accessible, meaning when I click on them I get a Critical Stop sound and this pop-up.
Any of the selections with the small arrow to the right are the ones that give me the Critical Stop sound.
http://i43.tinypic.com/6fru2v.jpg

I just quickscanned and MalwareBytes found nothing. Fullscanning now.

Edited by Claytronic, 20 February 2012 - 11:13 PM.


#10 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,493 posts
  • Gender:Male
  • Location:NJ USA

Posted 20 February 2012 - 11:58 PM

Ok, sorry had to run out.. The INI files are OK.

InfoTip
A string of text that will be displayed when you hover over the folder.

As you can see the desktop.ini file holds folder customization information. They are hidden by default and will only be displayed if you choose to Display Protected Operating System Files by unchecking the checkbox.

Read here about this and also how to hide them again. L@@K

The one on the desktop bothers me though... If you open it, what's inside?


some files still aren't accessible In what way? Are you getting an error?


Let's see the last scan results too.

#11 Claytronic
  • Topic Starter

  • Members
  • 212 posts
  • Gender:Male

Posted 21 February 2012 - 12:03 AM

I've never thought of clicking them but the one on the desktop says...

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183
[LocalizedFileNames]
Windows Journal.lnk=@%ProgramFiles%\Windows Journal\Journal.exe,-3074


Yeah, any of the ones that have that little arrow like in the screencap I linked give me the Critical Stop sound and a popup saying I can't access it.
Here's the link again.
http://i43.tinypic.com/6fru2v.jpg

The full-scan is still in progress. I will post both the quick-scan and full-scan logs when finished.
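An added example, not code posted by anyone in the thread: a Python parser for the desktop.ini shown above that resolves each value's Windows "indirect string" (the @module,-id form) into the module path and resource id it points at. Every value in that file is a pointer to a string or icon resource inside shell32.dll, imageres.dll or Journal.exe, which is what boopme's explanation of folder customization amounts to; Explorer loads those resources, it does not execute anything from the file. The ENV mapping used to expand %SystemRoot% and %ProgramFiles% offline is an assumption for the example (on a live machine os.environ supplies the real values); the sample text is the desktop.ini contents copied from the post.

```python
"""Parse a desktop.ini and resolve the Windows "indirect string" references in it.

Explorer reads desktop.ini only for folder presentation: a localized name,
an icon, a hover tip. Every value of the form @module,-id is a pointer to a
string or icon resource inside a DLL or EXE; the shell loads that resource,
it does not run the file.
"""
import configparser
import re

# Indirect-string syntax: optional "@", a module path, ",-", a resource id.
INDIRECT_RE = re.compile(r"^@?(?P<module>.+?),-(?P<rid>\d+)$")

# Assumed environment for expanding %VAR% offline; on a live machine use
# os.environ instead.
ENV = {"SystemRoot": r"C:\Windows", "ProgramFiles": r"C:\Program Files"}


def expand_win_vars(value, env=ENV):
    """Expand %NAME% references the way the shell would, leaving unknowns intact."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), value)


def parse_indirect(value, env=ENV):
    """Return (module_path, resource_id) for an indirect string, else None."""
    m = INDIRECT_RE.match(value.strip())
    if not m:
        return None
    return expand_win_vars(m.group("module"), env), int(m.group("rid"))


def parse_desktop_ini(text, env=ENV):
    """Return {section: {key: {"raw", "module", "resource_id"}}} for the file."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    parsed = {}
    for section in cp.sections():
        entries = {}
        for key, value in cp.items(section):
            ref = parse_indirect(value, env)
            entries[key] = {
                "raw": value,
                "module": ref[0] if ref else None,
                "resource_id": ref[1] if ref else None,
            }
        parsed[section] = entries
    return parsed


def referenced_modules(parsed):
    """The set of every DLL/EXE the file points at: the part worth a glance."""
    return {
        entry["module"]
        for entries in parsed.values()
        for entry in entries.values()
        if entry["module"]
    }


# The desktop.ini contents posted in the thread, verbatim.
SAMPLE_DESKTOP_INI = r"""[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183
[LocalizedFileNames]
Windows Journal.lnk=@%ProgramFiles%\Windows Journal\Journal.exe,-3074
"""

if __name__ == "__main__":
    result = parse_desktop_ini(SAMPLE_DESKTOP_INI)
    for section, entries in result.items():
        print(f"[{section}]")
        for key, e in entries.items():
            if e["module"]:
                print(f"  {key}: resource {e['resource_id']} in {e['module']}")
            else:
                print(f"  {key}: {e['raw']}")
```

referenced_modules() is the quick triage view: for a desktop.ini that only names binaries under the Windows and Program Files directories, as this one does, there is nothing further to chase.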

#12 Claytronic
  • Topic Starter

  • Members
  • 212 posts
  • Gender:Male

Posted 21 February 2012 - 12:26 AM

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.20.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Clayton :: CLAYTON-PC [administrator]

2/20/12 11:04:29 PM
mbam-log-2012-02-20 (23-04-29).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 192092
Time elapsed: 8 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


and

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.20.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Clayton :: CLAYTON-PC [administrator]

2/20/12 11:12:55 PM
mbam-log-2012-02-20 (23-12-55).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 354180
Time elapsed: 1 hour(s), 12 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



#13 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,493 posts
  • Gender:Male
  • Location:NJ USA

Posted 21 February 2012 - 12:48 AM

Hello, we look clear now, I believe this is a System file error and you should ask about this in WIN 7 as I cannot fix these.

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183
[LocalizedFileNames]
Windows Journal.lnk=@%ProgramFiles%\Windows Journal\Journal.exe,-3074

#14 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 21 February 2012 - 01:02 AM

Hi

Sorry to hijack this thread

Open your C drive,on top click on ORGANIZE-FOLDER & SEARCH options

Click on View tab

Under Advanced settings, select Do not show hidden files and folders

Put a tick mark on HIDE protected operating system files and then click OK.

That should solve the desktop.ini and access denied issue

good luck

Edited by narenxp, 21 February 2012 - 01:03 AM.


#15 Claytronic
  • Topic Starter

  • Members
  • 212 posts
  • Gender:Male

Posted 21 February 2012 - 09:24 AM

Hello, we look clear now, I believe this is a System file error and you should ask about this in WIN 7 as I cannot fix these.

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183
[LocalizedFileNames]
Windows Journal.lnk=@%ProgramFiles%\Windows Journal\Journal.exe,-3074

I will definitely contact Windows about this, thank you :)

Hi

Sorry to hijack this thread

Open your C drive,on top click on ORGANIZE-FOLDER & SEARCH options

Click on View tab

Under Advanced settings, select Do not show hidden files and folders

Put a tick mark on HIDE protected operating system files and then click OK.

That should solve the desktop.ini and access denied issue

good luck

Is it only saying this because they're normally supposed to be hidden?



