.75tz.com host file in my IP connections

Discussion in 'Malware Help (A Specialist Will Reply)' started by LeftFeeled, Jul 27, 2006.

  1. LeftFeeled

    LeftFeeled Private E-2

    Hello folks,

I think I have a trojan of some sort but can't find anything with Spybot/Adaware/Ewido or Antivir. I run a neat utility called "What's Running" and, among other things, it lists my IP connections. I have ".75tz.com" listed as a Remote IP-host name associated with Firefox as the process name. I was able to find a little when I googled it and found some mention of a trojan using that site (75tz.com) to download 3 files but I can't find those files nor the registry changes they were supposed to make.

    Has anyone encountered this? I confess to not being all that fluent in the IPconnection/host file/etc arena but isn't the host file a list of sites that your computer won't let you connect to? I have .75tz.com listed at the top of my Spybot host list.

Any suggestions would be much appreciated. I am running XP Pro that I slipstreamed with SP2 on a P4 HP that I inherited recently. It has 1 GB of RAM and an 80 GB hard drive.

    Thanks,
    Left
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Welcome to MajorGeeks.com, please follow the steps below:

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis

When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky):
    • Bitdefender
    • Panda Scan
    • HijackThis
     
  3. LeftFeeled

    LeftFeeled Private E-2

    Mr. S.P. Dude,

    Thanks for replying to my posting. I followed the "Read & Run Me First" sticky and completed all of the tasks. The only deviation I had was that I messed up and clicked on "Issues" when running CCleaner by habit.

    The Microsoft Windows Malicious Software Removal Tool came up with nothing. The Ad-aware scan resulted in two minor things, they are quarantined. Spybot, Defender, CWShredder and Kill2Me all found nothing at all.

    I have attached the result of the BitDefender scan... and the HJT scan. The Panda Scan did not have a log file for me to save because it did not find anything. I tried it in safe mode w/networking originally then again in normal mode and both times, nothing.

Using "What's Running" to monitor the IP connections, things were looking a lot cleaner until I clicked to open my Firefox browser. At that point I saw .75tz.com listed as the remote IP host name as well as the local IP host name. Both the remote and local IP addresses listed are 127.0.0.1 and the process is firefox.exe.

    Thank you for your help,

    Lefty
     

    Attached Files:

    Last edited: Jul 28, 2006
  4. matt.chugg

    matt.chugg MajorGeek

You haven't attached the Bitdefender log, or the HijackThis log (Step 7).
     
  5. LeftFeeled

    LeftFeeled Private E-2

    Hey Matt.... thanks for the lightning fast reply. I got the logs attached now.
     
  6. matt.chugg

    matt.chugg MajorGeek

    No you have not ......
     
  7. LeftFeeled

    LeftFeeled Private E-2

    I edited the posting you commented on originally....
     
  8. matt.chugg

    matt.chugg MajorGeek

    Got them now.....

    Bitdefender tells me you have a few infected restore points but we'll get to them in a bit.

Your HJT log looks as though it's been run from safe mode. Please reboot into normal mode and post a fresh HJT log.
     
  9. LeftFeeled

    LeftFeeled Private E-2

    Matt,

Thanks for your help. I'm pretty certain that I was in normal mode when I did the first HJT scan. But, here's another.... I went Run > msconfig > made sure "normal" was ticked > OK > restart.

    Did I forget something?

    Thanks again
     

    Attached Files:

  10. matt.chugg

    matt.chugg MajorGeek

    Your log just seems very small for a HJT log in normal mode.

    Have HJT fix this line:

You have processes running from your E: drive. How come?

    Other than that I can see nothing wrong. We need to fix the infected restore points yet (by flushing them and creating a new one) but don't do this yet until I am sure your system is clean.

    Follow the directions for Running WinPfind by OldTimer.

    Post WinPFind.txt when finished.
     
  11. LeftFeeled

    LeftFeeled Private E-2

    Matt,

    I didn't take care of the HJT issue until after I ran WinPfind. Is this ok?


    As far as using the E: drive. I had read a strategy for using multiple partitions (one for OS, another for Data, third for Programs). I wasn't sure which programs needed to be on the same partition as the hard drive. Is this a possible cause?

Are you familiar with the program "What's Running" or "Current Ports"? Perhaps a snapshot of one of those could help?

    Thanks again,
    Lefty
     

    Attached Files:

  12. matt.chugg

    matt.chugg MajorGeek

Your hosts file has redirected some adware sites to 127.0.0.1; this is a measure used to block people from accessing them, which is fine. Some program has been creating backups of the hosts file each time though, but this doesn't cause any problems.

The domain 75tz.com doesn't exist, or at least won't resolve into an IP, so I don't see why Firefox would be accessing it.

    Your system seems fine. How is it running: any popups, slowness or weirdness?
     
  13. LeftFeeled

    LeftFeeled Private E-2

    I'll sometimes get a popup of a firefox window that shows up in the upper left corner and is tiny... if I drag the edges out, it has no address bar.

I haven't been able to figure out what triggers this window to pop up, and when I purposely open a browser, it will show up with the full address bar and such but will be as tiny as that first one and in the same area of the screen.

I also noticed that when I was attaching all of these logs, when I'd click "Browse", the "Find" window would be opened to my Firefox folder.

    I'm sorry for not being able to describe things on a more technical level and I hope this makes some semblance of sense to you.

    Thanks again,
    L
     
  14. matt.chugg

    matt.chugg MajorGeek

    OK

Can you take a look in your c:\windows\ folder and tell me if you see any of these files?


    mstu32.dll
    d3cq.exe
    bheaw.dll
     
  15. LeftFeeled

    LeftFeeled Private E-2

    Matt,

I couldn't find those files but I do recall reading something about the files that this trojan downloads from .75tz.com being given random names. I think it was on the Sophos website.

    Hey, I have to give up on this for now but I want to thank you for hanging in there for the last 3 hrs or so. Much appreciated.

    Thanks again,
    L
     
  16. matt.chugg

    matt.chugg MajorGeek

    No problem.

You still have infected restore points that need fixing but I would rather wait until we can find and remove whatever is causing this before we fix them. I will be consulting with someone else on this issue so check back as he may have some more advice.
     
  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Follow the directions for the following procedures:
    Running Hoster

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: many of the files listed below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

Then, as an added precaution, go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    • Temporary Files
    • Temporary Internet Files
    • Recycle Bin

    And click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.

    How is your computer running?
     
  18. LeftFeeled

    LeftFeeled Private E-2

    Matt and Mr. Dude,

    Thanks for the help and sorry for taking so long to get back here. I have completed the latest suggestions. Here's a couple of notes from performing the tasks:

    1) When running Hoster, it said that my host file was read only and I had to click on a button there to make it writable. Is that usually the case when running Hoster?

    2) Killbox took care of deleting all of the files you mentioned but I also noticed there was a file 20060717-175323.backup that you didn't mention to delete. Was it overlooked or do I have to have at least one backup file?

You asked how it is running.... and it seems to be running strong for me, but when I opened "What's Running" to look at the IP connections, it looks just the same, only instead of what used to say .75tz.com it now says "local host".

    Here's the latest HJT log.

    Thanks,
    L
     

    Attached Files:

  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log is clean.
Sometimes malware will set the file attribute to Read-Only on the hosts file. When that happens Hoster will warn you that the file is write-protected, and ask you to make the file writable.
    Delete that file also.
    Good

    Flush all your restore points and create a new clean one for your system.

    Disable And Enable System Restore
    How to Protect yourself from malware!

    Safe surfing.
     
  20. LeftFeeled

    LeftFeeled Private E-2

    Thanks again for all of your assistance. Helping someone like me who doesn't know much about these matters must be a test of your patience. For that alone you are commended.

I was attempting to attach a screen dump of a utility I use called "What's Running". I'm not sure if you're familiar with it but one of its features is that it will list all of the IP connections your computer is making or trying to make. I couldn't attach it because the only way I know to do this is to make it a .doc and then it's too large, so I'll have to just tell you about it.

    I restart my computer, start What's Running and then one Firefox browser. Two instances of this process will appear in the IP connections of What's Running. They both list firefox.exe as the process name and the following is what else they list. I'll use (1) and (2) to differentiate between the two instances.

• Local Port and Local Portname: (1) 1168, (2) 1167
    • Process: 1640 (both)
    • State: Established (both)
    • Local IP address and Remote IP address: 127.0.0.1 (both)
    • Remote Port and Remote Portname: (1) 1167, (2) 1168 *the opposite of Local*
    • Remote IP hostname and Local remote hostname: .75tz.com (both)
    • Socket: TCP (both)

    If it is nothing to worry about then I would feel much better if I hear that from you but when I google ".75tz.com" I only see bad things.

    Thanks again,
    L
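The two observations in this thread, matt.chugg's note that the hosts file points blocked sites at 127.0.0.1 and the mirrored pair of loopback connections Lefty lists above, can be checked with a short script. This is an added example; it is not code from the thread, from "What's Running" or from any other tool mentioned here. The hosts lines and the two connection records are constructed to match what the posts report, and the script assumes that the first hosts line naming an address is the name a reverse lookup reports for it (which is how a hosts-file blocklist entry at the top of the file ends up labelling 127.0.0.1).

```python
"""
Added example, not part of the original thread: parse a Windows-style hosts
file, work out which name 127.0.0.1 would be displayed as, and pair up
loopback TCP connections that are really one process talking to itself.
"""
from dataclasses import dataclass

# Constructed sample hosts file: a blocklist entry for .75tz.com sits above
# the stock localhost line, as the thread describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 .75tz.com
127.0.0.1 ads.example-adserver.invalid   # constructed blocklist entry
127.0.0.1       localhost
"""


def parse_hosts(text):
    """Return (ip, [names]) tuples in file order, dropping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def reverse_name(entries, ip):
    """Assumption: the first hosts line naming `ip` is what a reverse lookup shows."""
    for entry_ip, names in entries:
        if entry_ip == ip and names:
            return names[0]
    return None


def blocked_names(entries):
    """Names the hosts file sinkholes to a loopback/unroutable address."""
    sinkholes = {"127.0.0.1", "::1", "0.0.0.0"}
    return [n for ip, names in entries if ip in sinkholes
            for n in names if n != "localhost"]


@dataclass(frozen=True)
class Conn:
    pid: int
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


# Constructed connection records matching the numbers reported in the thread:
# same PID, both ends on 127.0.0.1, local/remote ports mirrored.
SAMPLE_CONNS = [
    Conn(1640, "127.0.0.1", 1168, "127.0.0.1", 1167),
    Conn(1640, "127.0.0.1", 1167, "127.0.0.1", 1168),
]


def pair_loopback(conns):
    """Group connections whose local endpoint is another's remote endpoint."""
    by_local = {(c.local_ip, c.local_port): c for c in conns}
    pairs, seen = [], set()
    for c in conns:
        peer = by_local.get((c.remote_ip, c.remote_port))
        if peer is None or c in seen or peer in seen:
            continue
        if peer.remote_ip == c.local_ip and peer.remote_port == c.local_port:
            pairs.append((c, peer))
            seen.update({c, peer})
    return pairs


def describe(conns, entries):
    """One line per loopback pair, with the hostname a tool would display."""
    lines = []
    for a, b in pair_loopback(conns):
        shown = reverse_name(entries, a.remote_ip) or a.remote_ip
        same = "same process" if a.pid == b.pid else "different processes"
        lines.append(f"{a.local_port}<->{b.local_port} pid {a.pid}/{b.pid} "
                     f"({same}), displayed as {shown}")
    return lines


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("sinkholed names:", blocked_names(hosts))
    for line in describe(SAMPLE_CONNS, hosts):
        print(line)
```

Running it shows the pair as a single process (PID 1640) connected to itself over loopback and labelled ".75tz.com" only because that is the first hosts line for 127.0.0.1; with the blocklist lines removed the same pair is labelled "localhost", which matches the change Lefty saw after running Hoster.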
     
  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  22. LeftFeeled

    LeftFeeled Private E-2

    three utilities were run and nothing extraordinary to report...

    Thanks, Left
     

    Attached Files:

  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Follow the directions for Running Hoster.

    Delete the following files:
C:\WINDOWS\SYSTEM32\drivers\etc\hosts.20060731-051620.backup
    C:\WINDOWS\SYSTEM32\drivers\etc\hosts.20060801-030105.backup


    Reboot

    How is your computer running now?
     
  24. LeftFeeled

    LeftFeeled Private E-2

    Howdy,

I'm sorry it has taken me so long to get back to you. My computer was running fine for a few days, then the .75tz.com came back. This time it was occurring with IE as well as Firefox. Then, .75tz.com was replaced by another remote host, "0-29.com".

    I am writing from a friend's computer because now when I start my computer one of the svchost.exe processes in Task Manager will occupy all of the CPU time and I can't get anything else to start. The Process ID so far has been different each time (they have all been in the 800's).

    I'm not sure if this is a continuation of the previous problem or something completely new.

    I'll try to get my computer back but in the meantime will check in here at majorgeeks when I can get access.

    Thanks,
    L
     
  25. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    It's probably a continuation of the original problem.
     
