
Zief.pl


itsmejjj


Yes, funny name, but a pain!

OK, so what is known about this?

Sorry for the long post, but here I go...

Symantec W32.Virut Removal Tool 1.1.2

W32.Virut has not been found on your computer.

OK, ran this and it's clear... but we still had the modem worrying about the unwanted IPs to Google, Yahoo, ZIEF.pl, GoDaddy and secure.nett.

So I investigated them to see why, and what was doing this...

My guess is it's embedded in SVHOST.exe, and although it's cleared, it still says it is not.

Why? If I turn it off (block), no queries... turn it back on, boom, they are spawned again...

Just sitting there watching the logs... and doing nothing...

Summary information I found on this server Zief.pl and its tentacles...

zief.pl

Zief.pl is a domain controlled by two name servers at zief.pl themselves. Both are on different IP networks.

The primary name server is dns4.zief.pl. Incoming mail for zief.pl is handled by one mail server also at zief.pl. Zief.pl has one IP number (91.188.59.197).

Brenz.pl, trenz.pl, lometr.pl, www.brenz.pl, ad.lometr.pl and at least one other host point to the same IP.

Ircgalaxy.pl, exerevenue.com, chura.pl, uuskula.com, makkam.com and at least two other hosts share name servers under another name with this domain.

Brans.pl and ghura.pl share mail servers under another name with this domain. Ircd.zief.pl, dns2.zief.pl, mail.zief.pl, irc.zief.pl, sys.zief.pl and at least four other hosts are subdomains of this hostname.

You might also be interested in zief.org, zief.net, zief.com and ziefv.us.

Zief.pl is worldwide and is hosted on a server in Latvia, even though the host name implies Poland. It has eleven inlinks.

Perhaps more?

Trustworthiness, vendor reliability, privacy and child safety of this site are very poor (more on reputation). It is blacklisted in one list. Search for zief.pl.

And by the virus vendors.

So I searched everything; I could not find what it was that made the links...

So I sat there pondering: what? And where is it coming from?

Then added the links provided by McAfee... IP numbers... to block them...

OK, so decided to, yes, again do a brand new install... Win7.

Just 1 hard disk, reformatted 2 times (deep).

And to start with, all clear...

After 2 days, guess what? Surfing for information and so on, it was back!

Nothing stopped it. It seemed to, what I think, embed in the SVhost.EXE.

So I turned off the modem, then watched my IP blockers carefully... as the modem fired up.

And before it linked fully I saw the IP, 2 of them... first off the rank, penetrating my driver (net) REALTEK IP, UDP.

...now by blocking this, it stopped! But I could not browse the net!

By disabling svhost... the same, no browsing was possible bar proxy, bypass.

So how the heck did it get back in? Google?... or Yahoo? Perhaps a download of a movie? YouTube? Watching live...? Flash?

I do not know. Now, what I have read so far, this is one of the worst offenders on the world net and non-detectable... when installing, bypassing all defenses... this thing has been around a while.

So how do you stop it from entering one's system? As it's not seen or picked up.

Sorry for the long post, but I would like to hear from our members...

Virut, I know about the virus... but this is a behavior problem.

Nothing that I have can find it, scanning. So it's not a virus...?

 

itsmejjj


Re: Zief.pl

 

If you read the above, let me say it's not a worry as I have this under control by simply blocking... but it's a pain, as it attempts to scan my system and then send out data (whatever) by linking to the IPs and/or Zief?

I was not going to post this subject, but after a week of searching, scanning, I can't find what it is nor find anything on the drives...

So this is more asking if anyone has the same or had the same problem?

As you can see I do block heavy... I don't think this could be transferred using TOR?

Or is this possible?

itsmejjj


Well, to add to this, the whatever exe. Zief.pl queries still can't be found...

I just scanned with 3 of the best known malware scanners, full deep scans,

but did come up with this lot:

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 1

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun (Hijack.Run) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun (Hijack.Run) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\Windows\System32\ACCTRES.back (Trojan.Banker) -> Quarantined and deleted successfully.

 

1 of them picked this up...

I used 2 different virus checkers and all cleared.

So we keep hunting.

Now, any hope that IObit could look into this pest and perhaps somehow set this to block in 360? From making a query to the modem ports.

Or perhaps add an app to be able to block unwanted ports? Or something that would alert one to this type of query?

 

 

 

 

itsmejjj


It has a reputation

 

I Googled Zief.pl and found a bit of discussion on it; there is also this Google Diagnostic page @ http://www.google.com/safebrowsing/diagnostic?site=zief.pl/

 

Safe Browsing

Diagnostic page for zief.pl

 

What is the current listing status for zief.pl?

 

Site is listed as suspicious - visiting this web site may harm your computer.

 

What happened when Google visited this site?

 

Of the 4 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-09-15, and the last time suspicious content was found on this site was on 2010-09-15.

 

Malicious software includes 14 trojan(s).

 

This site was hosted on 1 network(s) including AS6851 (BKCNET).

 

Has this site acted as an intermediary resulting in further distribution of malware?

 

Over the past 90 days, zief.pl appeared to function as an intermediary for the infection of 343 site(s) including koratceo.com/, thaigoodview.com/, leadcityhigh.org/.

 

Has this site hosted malware?

 

Yes, this site has hosted malicious software over the past 90 days. It infected 713 domain(s), including thaigoodview.com/, koratceo.com/, peesirilaw.com/.

 

How did this happen?

 

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

 

Next steps:

 

* Return to the previous page.

* If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.

 

Updated 22 hours ago

 

All the best, woz of oz


Thank you woz... for the post.

This has been driving me silly... but I found the simple answer, after a lot of research and testing... the DNS service is the culprit! They say it's the safe thing to run... but let me say it's now EXPLOITED by malware and rogue links... that use this to get to the drives of victims... unknown... as the very cleverly installed malware is not detectable by your virus, or known software. Why?

It's not seen as malicious... or misbehavior... using the service...

OK, I may be dead wrong also, but it's stopped...

Now if I sit here doing nothing... and watch my open browser... like here, say reading... nothing is transferred to and from my system... and so it should...

No queries of any kind... or attempted linking... uploading, downloading.

(ping)

Well, let's hope so... this now is running correctly! The only time should be if tapping on the browser... a link or page...

itsmejjj


Hi jjj

In ASC / System Optimize it used to suggest to deactivate the DNS service - haven't checked that recently - how are your settings?

Cheers

solbjerg

 

 


The problem queries are now gone... but what is doing this, and from where?

It has to be from a system... so far I can't find it, and no one can tell me.

No software can find it... but I say it's on the drive that triggers the command to make queries, but disabling DNS stopped it, so it's using this service.

Besides the fact it probably saves bandwidth over the month, as well.

The whole point here is, and so far no one has stated so: is this happening to you if using the service?

Or you, the reader, are not aware it is... I have posted many captured live shots to show you what it did to myself, and tried to pass out information to the links... and the dangerous links your system could be making, unknown to you...

Now, someone posting "you have a virus", yes it's possible, but nothing can find it... as it's a non-malicious type, or misbehavior type of virus, non-aggressive coding... that can't be seen as so...

"The green arrows are my posting, the blue are nothing sent either way."

No more queries by any from the system...

 

 

 

 

itsmejjj


ISP?

In the image in post #3, BeeThink IP Blocker says that 202.142.142.142 and 202.142.142.242 were blocked because of Query sys.zief.pl, but an IP address search says they belong to Wideband Networks Pty Ltd, Broadband Internet Provider, Australia.

Is this your ISP?

 

202.142.142.142

http://www.ip-adress.com/whois/202.142.142.142

 

202.142.142.242

http://www.ip-adress.com/whois/202.142.142.242

 

192.168.001.064 looks like a Router IP Address

http://www.ip-adress.com/whois/192.168.001.064

 

 

Also about the DNS Client service BlackViper says:

If you attempt to "Diagnose" your network connection and a dialog box complains that the "DNS resolver failed to flush the cache," this service is the reason

 

Only in extreme situations should you disable this service as caching DNS lookups reduces network traffic and makes internet surfing performance faster

http://wiki.blackviper.com/wiki/DNS_Client

 

All the best, woz of oz


Hi guys,

 

Sorry jjj ; I had a quick look at this topic the other day but didn't have time to post back. I did see a mention of "Virut" and thought to myself... Oh Boy...

 

Just to clear up something you wondered about earlier : Virut does not survive a format or a re-image, unless the image wasn't clean. I know you always keep clean images. Virut can and will come back after a format but only if you re-introduce infected backups, or when someone uses an infected recovery partition to re-install (rare though). Anyway, I'm sure you don't have any traces of it now. And by the way, Virut is a virus so most anti-malware tools won't be able to identify/treat/block it ; you need a good antivirus for that. For Virut, Kaspersky and Dr.Web are probably the best out there and they have free antivirus toolkits that anybody can use. But, when Virut hits a machine and installs, it usually means a format will be necessary. We've discussed this before, with another member here I think.

You are correct about svchost.exe being infected. Virut goes after all .exe files including the most important system processes (svchost, winlogon, userinit, explorer, etc...) so that it can live and re-infect at will.

 

~~~~

 

About DNS hijacks : they are very common and often come with rogue antivirus or anti-malware programs (infections). You know more about networking than I do, but let's just say these things modify your DNS settings, so that browser requests are redirected to ads sites. Your browser usually opens a new window for every request you make. Very annoying. You block them so you only notice the requests, but people who don't block get redirected constantly. It's cash-per-click and the bad guys make a fortune.

 

Tools like Hijack ("Scan" or "This") can sometimes pick up these bad DNS settings, but other times they miss them. We have other tools that never miss them.

 

Just so you know : these settings can be set back to what they need to be so that you can use the DNS service again without a problem. If you want to look without any tools, just go to your connection properties (TCP/IP) and look for strange DNS settings, pointing to Russian servers ; if you're using Vista or Win7, check under IPv4 settings for these.

Some of these infections can also modify your router's DNS settings, so that every machine on the network will be redirected even if they aren't infected. Again, check your router's DNS settings. If you have an access password to the router that is not default, then you have nothing to worry about (for the router).

 

I think the majority of people who have a high speed connection use dynamic IP and this makes it easier to fix the problem : when looking at your connection properties, you should see Obtain IP address automatically and Obtain DNS server address automatically. The infection changes that for the DNS, and sets a bad one (2 IPs > primary and secondary). All it takes usually is to set it back to Obtain DNS automatically, then flush your DNS cache and you're set. If the redirects persist, you may have to set DNS to known safe ones like OpenDNS or Google's. With dynamic IP, your router should also be set to Obtain automatically.

 

jjj : I think one of our members had you use a tool named OTL the other day, yes ? If so, it is very good at detecting these DNS hijacks. Just do a quick scan ; from the log, scroll down about halfway and look at the "O17" line (or lines). Paste them here if you'd like me to take a look. That's all I need to see. And let me know if you use a router.

 

===


Hi jjj,

 

I have another request. when you do the OTL scan, paste the "O1" lines as well as the "O17" lines from the log, please.

 

I've just noticed that Virut modifies the Hosts file as well, pointing to Zief.pl :

http://vil.nai.com/vil/content/v_154029.htm

The 9.tmp file will be executed and can download further malware. %WINDOWS%\System32\drivers\etc\hosts file will be modified to have the following host string prepended:

 

* 127.0.0.1 ZieF.pl

-

 

W32/Virut.n connects to the following domains or IP addresses:

 

* horobl.cn

* goasi.cn

* setdoc.cn

* irc.zief.pl

* DNS2.zief.pl

* proxim.ircgalaxy.pl

* anti-captcha.com

* lorentil.cn

* thaexp.cn

-

 

It connects to the following IRC servers to receive commands:

 

* irc.zief.pl

* proxim.ircgalaxy.pl

 

It would also join an IRC channel to receive commands which includes downloading of other malware:

 

* PRIVMSG [blocked] :!get hxxp://horobl.cn/[blocked]/0032.exe

* PRIVMSG [blocked] :!get hxxp://horobl.cn/[blocked]/0034.exe

 

Emails are harvested from the infected machine and posted to the following server:

o 69.46.16.191

 

Malware that were downloaded may introduce other malicious behaviours in the system such as rootkits, backdoors and downloaders et cetera.

Etc...

-

-


"you need a good antivirus for that. For Virut, Kaspersky and Dr.Web are probably the best out there and they have free antivirus toolkits"

OK, let's slow down here. First off, I do believe I may be infected?

But do not know where. I think, and say think, svhost was hit and the file called query.ddl and exe...

As soon as I turn on the DNS service it's back!

So point me to some tools... links so I can find the bloody thing...

This is the first priority... infected or not...

I am rather upset this bloody thing got in after all the care to prevent this...

OK, the network that I am being directed to is not my ISP... queries made, so I am blocking them for now... till I sort this out...

This only happens when the DNS server is on...

And the router address 192.168.0.64 is the IP range where it starts... yes.

I am dreading a format and a reinstall. Why, I may have to rid everything? Sugar, all my programs? And everything I have, why, it could be anywhere...

OK, so far I seem to be clean... but I really think I am not, as this started about 6 weeks back, before I noticed the queries... and started looking why?

"Emails are harvested from the infected machine and posted to the following server: o 69.46.16.191"

Yes, I have this also set blocking...

Just to say I am blocking 10 digits in IPs: 1,920,678,786, and it's getting silly...

So let's start slow here.

Please, I know zip all about virus stuff... and have taken what I saw as good protection, but it seems to have failed...

itsmejjj


Hi jjj :-P

 

Ok sorry, I'll be more specific with my instructions. Just know that I'm not going into malware removal mode here. Not my turf. But I will investigate just enough to see if we have a real problem, or not. If it's just DNS stuff, we can handle it here.

 

We'll look into DNS first, and leave any antivirus scans for later, if needed.

 

jjj : I'll have you download a diagnostics tool and run a scan with it. The tool is OTL. OTL comes as an .exe file, but is also offered as a .scr or .com file to avoid injection from some viruses, so I'll have you run that one (.com) :

http://oldtimer.geekstogo.com/OTL.com

 

Just download it to your Desktop and run it. Click on "Scan", without changing any options. If you haven't run this tool before, two logs will be created (OTL.txt and Extras.txt) ; I just need you to paste the content of the OTL.txt one here, or attach it if it doesn't fit in one post.

 

Can you also tell me what brand and model your router is ? You can PM me if you'd rather not say here.

 

I may not be around for the next few hours, so sit tight and don't do anything that you're not comfy with yourself ;-)

 

====


Edit : you posted your log above while I was writing my message (below). I will look at the logs and give you a quick answer, in a few minutes...

 

This is my working theory right now :

 

- I don't think you have a full blown Virut infection on your machine, because you have re-imaged. If Virut were active, your system would be quite unstable.

- You definitely have a DNS problem. Now, if the DNS settings at the router were altered, they wouldn't get fixed with a re-image or a format, because the router is a separate device from your computer. Since Virut does download and install all kinds of other malware on infected machines, it is very possible that a DNS changing infection got in and tampered with your router settings. After you re-imaged, Virut and all other infections were gone but the router settings remain.

 

It is just a theory, for now. We'll see. No need to panic, indeed ;-)

 

===


O1 HOSTS File: ([2010/09/18 01:59:26 | 000,001,475 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 jL.chura.pl

O1 - Hosts:

O1 - Hosts: 127.0.0.1 validation.sls.microsoft.com

O1 - Hosts: 127.0.0.1 zief.pl

O1 - Hosts: 127.0.0.1 Query zief.pl

O1 - Hosts: 127.0.0.1 MSN.com

O1 - Hosts: 127.0.0.1 zone labs.com

O1 - Hosts: 127.0.0.1 microsoft.com

O1 - Hosts: 127.0.0.1 google-analyze.ru

O1 - Hosts: 127.0.0.1 googie-update.com

O1 - Hosts: 127.0.0.1 googlehosting.ru

O1 - Hosts: 127.0.0.1 gouqle.com

O1 - Hosts: 127.0.0.1 google.com

O1 - Hosts: 127.0.0.1 yahoo.com

O1 - Hosts: 127.0.0.1 update-flash.com

O1 - Hosts: 127.0.0.1 install.xxxtoolbar.com

O1 - Hosts: 127.0.0.1 intelinet-global.net

O1 - Hosts: 127.0.0.1 intelinet-secure.com

O1 - Hosts: 127.0.0.1 intelinet-secured.com

O1 - Hosts: 127.0.0.1 intelinet-secure1.com

O1 - Hosts: 127.0.0.1 download.antispyware.com

O1 - Hosts: 127.0.0.1 download.adwarebot.com

O1 - Hosts: 127.0.0.1 download-everything.com

O1 - Hosts: 127.0.0.1 download.errorsmart.com

O1 - Hosts: 127.0.0.1 download.errorsweeper.com

O1 - Hosts: 1 more lines...

My hosts file settings I added.

jjj

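The "O1 - Hosts:" lines above, and the "127.0.0.1 ZieF.pl" entry the McAfee description quoted earlier says Virut prepends, can be checked mechanically. The following Python is an added example written for this thread, not OTL's code or anything a member posted; it assumes a constructed sample log in OTL's O1 format and an assumed starter list of high-value domains to extend for your own environment.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample in the "O1 - Hosts:" format OTL writes (not the thread's full log).
SAMPLE_OTL_O1 = """\
O1 HOSTS File: ([2010/09/18 01:59:26 | 000,001,475 | R--- | M]) - C:\\Windows\\System32\\drivers\\etc\\hosts
O1 - Hosts: 127.0.0.1 jL.chura.pl
O1 - Hosts:
O1 - Hosts: 127.0.0.1 validation.sls.microsoft.com
O1 - Hosts: 127.0.0.1 zief.pl
O1 - Hosts: 127.0.0.1 Query zief.pl
O1 - Hosts: 127.0.0.1 google.com
O1 - Hosts: 127.0.0.1 download.antispyware.com
O1 - Hosts: 1 more lines...
"""

# Hosts entry the McAfee write-up quoted in the thread says W32/Virut.n prepends.
VIRUT_MARKERS = {"zief.pl"}
# Domains a user rarely blackholes on purpose; malware does it to break updates and
# security vendors. Assumed starter list, extend it for your environment.
HIGH_VALUE = {"microsoft.com", "google.com", "yahoo.com", "msn.com"}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(.+?)\s*$")

Entry = Tuple[str, str]  # (ip, hostname)


def parse_o1(log: str) -> List[Entry]:
    """Turn OTL 'O1 - Hosts:' lines into (ip, hostname) pairs."""
    entries: List[Entry] = []
    for line in log.splitlines():
        m = O1_RE.match(line)
        if not m:
            continue  # "O1 HOSTS File:" header or an empty "O1 - Hosts:" line
        ip, aliases = m.group(1), m.group(2)
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # e.g. the "1 more lines..." footer: first token is not an IP
        # A hosts line may carry several names: "127.0.0.1 Query zief.pl" maps both
        # "query" and "zief.pl" to loopback, which is why it shows up as two entries.
        for name in aliases.split():
            entries.append((ip, name.lower()))
    return entries


def registrable(host: str) -> str:
    """Last two labels, e.g. validation.sls.microsoft.com -> microsoft.com.
    Assumption: no public-suffix handling (co.uk etc. would need a real list)."""
    return ".".join(host.split(".")[-2:])


def audit(log: str) -> Dict[str, List[Entry]]:
    """Bucket entries: Virut marker, sinkholed high-value domain (review), or other."""
    report: Dict[str, List[Entry]] = {"virut_markers": [], "blackholed": [], "other": []}
    for ip, host in parse_o1(log):
        addr = ipaddress.ip_address(ip)
        sinkholed = addr.is_loopback or addr.is_unspecified  # 127.x / 0.0.0.0 / ::1
        if registrable(host) in VIRUT_MARKERS:
            report["virut_markers"].append((ip, host))
        elif sinkholed and registrable(host) in HIGH_VALUE:
            report["blackholed"].append((ip, host))
        else:
            report["other"].append((ip, host))
    return report


if __name__ == "__main__":
    for bucket, items in audit(SAMPLE_OTL_O1).items():
        print(bucket)
        for ip, host in items:
            print(f"  {ip:<12} {host}")
```

Entries in the "blackholed" bucket are not automatically bad (a user may sinkhole a vendor domain on purpose, as jjj did), but they are the ones to review against what the machine's owner actually added.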

That's better. OK, I hope this helps; I sure do not have a clue.

itsmejjj

And thank you so very much.

OK, the router is a Linksys model WAG54G gateway, wireless... ADSL gateway... plugged into the wall...

OK, think that's it...

OK, take care unzipping the file. I can't guarantee anything; it's a text file so should be OK... I will not take any blame, it's your risk if you open it... I did this one time before, sent a zip file and got blasted for it...

OK, I removed this now as it's very private... as you have this...

And thanks for the trust...


Thanks jjj :smile:

 

Those DNS settings in Windows are OK. I have to go now and won't return for at least 3 hours. I'll look at all the logs in detail, too.

 

We'll look into the router. I have the manual for it so it should go smoothly. It is the blue one, right ?

 

===


A picture is better than words... from the disk that came with it.

First of all, you are very kind to help me... and the trust shown... I never ever posted anything about my systems... and it's because I know and feel we have good people here that do help one another. I rid the zip file, as you understand; it's kind of scary sitting there for perhaps the wrong person to geek at... but I do feel safe in your capable hands...

Virus and malware problems are not my strong point... and am like a newbie when it comes to this... talk IP, blocking, stealth, yes, this I specialize in and know... but this is scary for me... viruses...

In this case I need the help, and thank you again... and for my plea for it... I am very worried but feel we can find out what it is... and you reassured me some... not to get too flustered...

 

itsmejjj


Archived

This topic is now archived and is closed to further replies.
