TechSpot

Hosts File Entries - Malware?

By Blind Dragon
Nov 7, 2007
  1. Any ideas on a virus that changes your hosts file and redirects you back to yourself when trying to access virus protection sites? I had a problem with this and figured you all would find it interesting. HJT showed a string of entries starting with 1.1.1.1, and I was curious what that is a redirect to, as 127.0.0.1 is yourself; it just showed those sites as 'page not available'. I have already run a fix on deleting these entries and can now update my definitions, as that was blocked also, and run another scan.

    Here is a fresh HJT log.

    I don't have the log with the entries on it because I ran fix on them to delete them, so I could update definitions.
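The hijack described in this post (security-vendor hostnames pinned to 127.0.0.1 or 1.1.1.1 so the machine can never reach its update servers) is easy to audit mechanically. The following is an added example, not code from the thread or from HijackThis: a small Python checker that parses a hosts file, treats only localhost-style names as legitimately loopback, and flags vendor domains pinned anywhere plus anything else sinkholed. The vendor domain list in SECURITY_DOMAINS, the LOCAL_NAMES set, the severity labels and the SAMPLE_HOSTS text are constructed assumptions for illustration.

```python
"""Audit a Windows hosts file for entries that hijack security-vendor sites.

Added example, not from the TechSpot thread.  SECURITY_DOMAINS, LOCAL_NAMES
and SAMPLE_HOSTS are constructed for illustration.
"""
import ipaddress
from pathlib import Path

# Vendors whose update/download sites malware of this era liked to block
# (assumed list; extend with whatever your own tools talk to).
SECURITY_DOMAINS = {
    "avast.com", "symantec.com", "grisoft.com", "avg.com",
    "safer-networking.org", "lavasoft.com", "pandasoftware.com",
    "windowsupdate.com", "update.microsoft.com",
}

# The only names that legitimately map to loopback on a stock install.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, comments stripped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:          # one IP may carry several names
            yield fields[0], name.lower(), line_no


def is_security_domain(name):
    """True for a listed vendor domain or any subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)


def classify(ip, name):
    """Return (severity, reason) if the mapping looks wrong, else None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ("review", "unparseable address " + ip)
    sinkhole = addr.is_loopback or addr.is_unspecified   # 127/8, ::1, 0.0.0.0
    if name in LOCAL_NAMES:
        return None if sinkhole else ("high", name + " mapped off loopback to " + ip)
    if is_security_domain(name):
        # Pinning a vendor anywhere (1.1.1.1, 127.0.0.1, ...) kills its updates.
        return ("high", "security vendor pinned to " + ip + ", blocks updates")
    if sinkhole:
        return ("review", "sinkholed to " + ip + " (expected in an ad-blocking hosts file)")
    if addr.is_private:
        return None            # LAN overrides such as a printer or intranet host
    return ("review", "pinned to external address " + ip)


def audit_hosts(text):
    """Return [(line_no, ip, name, severity, reason)] for suspicious lines."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        result = classify(ip, name)
        if result:
            findings.append((line_no, ip, name, result[0], result[1]))
    return findings


def audit_file(path):
    """Audit a hosts file on disk, e.g. C:\\Windows\\System32\\drivers\\etc\\hosts."""
    return audit_hosts(Path(path).read_text(encoding="utf-8", errors="ignore"))


# Constructed sample mimicking the kind of entries described in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
1.1.1.1         www.symantec.com
1.1.1.1         liveupdate.symantec.com
127.0.0.1       www.avast.com
127.0.0.1       update.grisoft.com   # hides the AVG updater
0.0.0.0         ad.doubleclick.net
192.168.1.10    printer.office.local
"""

if __name__ == "__main__":
    for line_no, ip, name, severity, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: [{severity}] {ip} {name}: {reason}")
```

On a real machine point audit_file at the system hosts file; "review" hits on ad-serving domains are expected if a blocking hosts file of the kind suggested later in this thread has been installed, while any "high" hit on a vendor domain means updates and removal-tool downloads are being silently blackholed, which is exactly the symptom in the first post.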
     
  2. Daveskater

    Daveskater Banned Posts: 1,687

    I haven't seen that IP before either, so it is possibly an illegitimate change of your hosts file.

    You can get a hosts file from the link here that protects you from all sorts of stuff, if you want to replace your current one. Remember to make a backup though, just in case :)
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Indeed, those hosts entries are bogus. However, that begs the question as to how they got there in the first place.

    I suggest you do a thorough check for malware as per these instructions.

    Regards Howard :)
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Topic Starter Posts: 3,908

    Probably looking at too much pr0n haha. I share this computer with 2 other people here at my office and they don't ever clean up after themselves.

    Thanks for the quick replies

    Howard, here is my log for Crusty.exe
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system is infected with malware.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

    Also, let me know the results of the Panda Antirootkit scan.

    Regards Howard :)

    This thread is for the use of Blind Dragon only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Topic Starter Posts: 3,908

    OK, so far step 10 'Tool 3' would not open; I even tried different browsers. It just loads for about 5 minutes, then page not found. Tools 1 & 2 were fine.

    I went on from there and here are the results from panda.

    Will edit this when I have finished.
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Skip tool3 and continue with the rest of the instructions.

    Regards Howard :)

     
  8. Blind Dragon

    Blind Dragon TS Evangelist Topic Starter Posts: 3,908

    Forgot to save the log from AVG, so here is a screenshot of quarantine. If you need, I can rescan, but it took like 3 hours.

    I don't understand how doing it this way I found 3,422 pieces of malware. I run Spybot and Ad-Aware every day just about and they both missed it. Avast, Spybot, and Ad-Aware all missed the trojan, then AVG picks it up.
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Delete all files in AVG Antispyware quarantine.

    Download and run this Symantec/Norton removal tool.

    Open notepad and copy/paste the text in the code box below into it:
    NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:


    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

    Regards Howard :)

     
  10. Blind Dragon

    Blind Dragon TS Evangelist Topic Starter Posts: 3,908

    Here they are, should I keep and run any of these programs on a regular basis?

    Right now I run Avast with spybot SD and adaware
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type regedit into the run box and hit the enter key.

    Navigate to the following reg keys and delete them.

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    C:\WINDOWS\system32\hhxjzmx\csrss.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
    C:\WINDOWS\system32\hhxjzmx\csrss.exe


    Locate and delete the following bold files and/or folders (if there).

    C:\WINDOWS\system32\hhxjzmx <- Delete the entire folder.

    Reboot into normal mode and rehide your protected OS files.

    Post fresh Combofix and HJT logs.

    Regards Howard :)

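The two startupreg values above point at a file called csrss.exe sitting in a random-looking subfolder of system32; the real csrss.exe lives directly in system32 and is started by the session manager, never by a Run key (HKLM\Software\Microsoft\Shared Tools\MSConfig\startupreg is where msconfig parks startup items a user has unticked, so the malware was still registered even though it was disabled). As an added example, not code from the thread or from HijackThis, the Python below turns that reasoning into a check over a set of startup entries: it extracts the executable path from a command line, compares a well-known binary's directory against where it genuinely lives, and also flags unqualified names such as the ALCXMNTR.EXE item seen later in this thread, which Windows resolves through a PATH search. The SYSTEM_BINARIES table assumes a stock Windows XP layout, and SAMPLE_STARTUP, the avast! and svc entries included, is constructed for illustration.

```python
"""Flag startup entries whose binary impersonates a Windows system process.

Added example, not from the TechSpot thread.  The home-directory table
assumes a stock Windows XP layout; SAMPLE_STARTUP is constructed to mirror
the hhxjzmx\\csrss.exe items plus a few benign and one more bad entry.
"""
import ntpath

# Real home of well-known Windows system binaries on XP (assumed layout).
SYSTEM_BINARIES = {
    "csrss.exe": r"C:\WINDOWS\system32",
    "smss.exe": r"C:\WINDOWS\system32",
    "lsass.exe": r"C:\WINDOWS\system32",
    "services.exe": r"C:\WINDOWS\system32",
    "winlogon.exe": r"C:\WINDOWS\system32",
    "svchost.exe": r"C:\WINDOWS\system32",
    "explorer.exe": r"C:\WINDOWS",
}
# Started by the kernel / session manager; a startup key naming them is
# wrong even when the path looks right.
NEVER_IN_RUN = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "winlogon.exe"}


def command_path(command):
    """Extract the executable path from a Run-key command line.

    Quoted commands are unambiguous.  For unquoted ones we cut at the first
    ".exe", which is how a human reads "C:\\Documents and Settings\\u\\x.exe /s";
    CreateProcess itself would try "C:\\Documents" first, which is exactly why
    unquoted paths containing spaces are a hijack risk in their own right.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    idx = command.lower().find(".exe")
    if idx != -1:
        return command[:idx + 4]
    return command.split()[0] if command else ""


def check_entry(command):
    """Return (severity, message) for one startup command, or None if clean."""
    path = command_path(command)
    directory, name = ntpath.split(path)
    name = name.lower()
    if not directory:
        return ("review", f"unqualified path {path!r} is resolved via PATH search and can be shadowed")
    home = SYSTEM_BINARIES.get(name)
    if home is None:
        return None                      # not a name worth impersonating
    if ntpath.normcase(directory) != ntpath.normcase(home):
        return ("high", f"{name} impersonated: runs from {directory}, the real one lives in {home}")
    if name in NEVER_IN_RUN:
        return ("high", f"{name} is launched by the session manager and never belongs in a startup key")
    return None


def audit_startup(entries):
    """entries: {registry value path: command}.  Returns [(key, severity, message)]."""
    findings = []
    for key, command in entries.items():
        result = check_entry(command)
        if result:
            findings.append((key, result[0], result[1]))
    return findings


STARTUPREG = r"HKLM\Software\Microsoft\Shared Tools\MSConfig\startupreg"
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample: the two items from the thread, some benign ones, and a
# svchost.exe dropped in a user profile with an unquoted path.
SAMPLE_STARTUP = {
    STARTUPREG + r"\Load": r"C:\WINDOWS\system32\hhxjzmx\csrss.exe",
    STARTUPREG + r"\Run": r"C:\WINDOWS\system32\hhxjzmx\csrss.exe",
    RUN + r"\AlcxMonitor": r"ALCXMNTR.EXE",
    RUN + r"\avast!": r'"C:\Program Files\Alwil Software\Avast4\ashDisp.exe"',
    RUN + r"\Explorer": r"C:\WINDOWS\explorer.exe",
    RUN + r"\svc": r"C:\Documents and Settings\user\svchost.exe /s",
}

if __name__ == "__main__":
    for key, severity, message in audit_startup(SAMPLE_STARTUP):
        print(f"[{severity}] {key}: {message}")
```

The directory comparison is the whole trick: HijackThis shows the name, but only the path tells you whether csrss.exe is the Windows subsystem process or a dropper that borrowed its name. Feeding the checker is a matter of exporting the Run, RunOnce and msconfig startupreg keys (reg export, or the O4 lines of an HJT log) into the entries dict.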
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Topic Starter Posts: 3,908

    Fresh HJT and Combofix
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It's getting better slowly lol.

    Open notepad and copy/paste the text in the code box below into it:
    NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:


    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

    Regards Howard :)

     
  14. Blind Dragon

    Blind Dragon TS Evangelist Topic Starter Posts: 3,908

    Hope that got it

    Regards Blind Dragon
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, that got it at last.

    Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    O17 - HKLM\System\CCS\Services\Tcpip\..\{43679D3A-0E3D-446A-BC70-70D4350D6CC1}: NameServer = 4.2.2.5,4.2.2.6

    O17 - HKLM\System\CCS\Services\Tcpip\..\{BE2A1AB6-1457-4FC1-B983-49FFDD9A2F7D}: NameServer = 192.168.1.136

    O17 - HKLM\System\CS1\Services\Tcpip\..\{43679D3A-0E3D-446A-BC70-70D4350D6CC1}: NameServer = 4.2.2.5,4.2.2.6

    Only fix the above O17 entries if they don't belong to your ISP.

    Click on the fix checked button.

    Close HJT and reboot your system.

    Delete the following folder.

    C:\qoobox

    Post a final HJT log.

    Regards Howard :)

     
  16. Blind Dragon

    Blind Dragon TS Evangelist Topic Starter Posts: 3,908

    I deleted those ISP files and couldn't come online; I had to have my ISP reset everything.
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    Turn off System Restore (XP/ME only). See how HERE.

    Now, turn System Restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  18. Blind Dragon

    Blind Dragon TS Evangelist Topic Starter Posts: 3,908

    Thanks for all the help Howard!

    What is the best way to scan for malware? Should I really run Avast, Spybot, Ad-Aware, AVG Anti-Spyware and ZoneAlarm? My computer seems to boot up a lot slower.

    Also, should I turn the shield back on in AVG Anti-Spyware? Or will that conflict with ZoneAlarm and the other active protections?
     
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Uninstall AVG Anti-Spyware; this is what's probably slowing your system down.

    Keep Avast and ZoneAlarm. Run Ad-Aware and SS&D only when you want.

    See HERE for info on how to keep your system more secure.

    Regards Howard :)

     
  20. Blind Dragon

    Blind Dragon TS Evangelist Topic Starter Posts: 3,908

    Fixing to install the new hosts file. But I noticed in the etc folder there are 4 backup hosts files. Could these have been created by my virus or malware? Should I delete the backups?

    Example:
    hosts.20071001-195613.backup
    hosts.20070702-201343.backup

    There are 4 files like this below my hosts file,

    also hosts.hwd and Hosts.msnbak.
     
  21. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I suggest, rather than just deleting them, you add them to an archive .zip folder, then delete the hosts.20071001-195613.backup, hosts.20070702-201343.backup, hosts.hwd and Hosts.msnbak files.

    If you don't see any problems after a week or two, you can then delete the .zip file.

    Regards Howard :)

     
  22. Blind Dragon

    Blind Dragon TS Evangelist Topic Starter Posts: 3,908

    So, I thought that I still had something on my computer. My connection slows to dial-up speed and eventually stops. I call my ISP to tell them this and they say it sounds to be software related. I thought that my connection was hijacked. So I format and install a clean version of Vista. It didn't fix the problem. I could connect wireless through my PS3 but not on my Ethernet. They said that my network adapter was bad and their router is fine. So I get a new network adapter, install it and disable the onboard adapter. Still no connection. I call them again and they said that I needed to get a new motherboard. Where do they get these people? I went to Best Buy and bought a cheap wireless USB adapter and now connect just fine. And have a clean version of Windows. This may be a stupid question, but is there any way that a virus or malware could disable the Ethernet ports on my router? Ethernet still doesn't work but wireless is fine. Tested on 3 computers with 3 different network adapters and 3 different Ethernet cables.
     