Hostfile Entries - Malware?

Status
Not open for further replies.

Blind Dragon

Posts: 3,774   +4
Any ideas on a virus that changes your hosts file and redirects you back to yourself when trying to access virus protection sites? I had a problem with this and figured you all would find it interesting. HJT showed a string of entries starting with 1.1.1.1, which I was curious what that is a redirect to, as 127.0.0.1 is yourself, and it just showed those sites and 'page not available'. I have already run a fix on deleting these entries and can now update my definitions, as that was blocked also, and run another scan.

here is fresh HJT

I don't have the log with the entries on it because I ran a fix on them to delete them so I could update definitions.
 
I haven't seen that IP before either, so it is possibly an illegitimate change of your hosts file.

You can get a hosts file from the link here that protects you from all sorts of stuff, if you want to replace your current one. Remember to make a backup though, just in case :)
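The symptom described above (security-vendor sites mapped to 127.0.0.1 or 1.1.1.1 in the hosts file) is easy to check for mechanically. The following Python script is an added example, not code from the thread or from any tool mentioned in it; it parses a hosts file, ignores the benign ad-blocking entries that a "protective" hosts list like the one linked above would contain, and flags only entries that point a security-vendor domain somewhere other than its real address. The domain list is a constructed placeholder and should be extended to match the products in use.

```python
"""Flag hosts-file entries that hijack security-vendor domains.

Added example (not from the thread). The vendor-domain list below is a
constructed placeholder; the sample hosts text is constructed as well.
"""
import ipaddress

# Constructed placeholder list: domains whose presence in a hosts file is
# suspicious because a legitimate hosts file never needs to override them.
SECURITY_DOMAINS = {
    "avast.com",
    "symantec.com",
    "symantecliveupdate.com",
    "mcafee.com",
    "kaspersky.com",
    "windowsupdate.com",
}

# Names that legitimately appear in every hosts file.
IGNORED_HOSTS = {"localhost", "localhost.localdomain", "broadcasthost"}

# Default location of the hosts file on Windows (real path, for reference).
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for each mapping in the file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line, nothing to map
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address, skip the line
        for host in parts[1:]:
            entries.append((lineno, ip, host.lower()))
    return entries


def is_protected(host):
    """True if host is, or is a subdomain of, a security-vendor domain."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def find_hijacks(text):
    """Return (line, host, ip, reason) for every suspicious vendor mapping.

    Ad-blocking entries (0.0.0.0 / 127.0.0.1 for ad servers) are left alone;
    only vendor domains are reported, whatever address they point at.
    """
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if host in IGNORED_HOSTS or not is_protected(host):
            continue
        if ip.is_loopback or ip.is_unspecified:
            reason = "sinkholed to loopback"
        else:
            reason = f"redirected to {ip}"
        findings.append((lineno, host, str(ip), reason))
    return findings


def scan_file(path):
    """Convenience wrapper: scan a hosts file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read())


# Constructed sample hosts file resembling the thread's description.
SAMPLE_HOSTS = """\
# constructed sample, not from the thread
127.0.0.1       localhost
1.1.1.1         www.avast.com
1.1.1.1         update.symantec.com     # definition updates fail
127.0.0.1       liveupdate.symantecliveupdate.com
0.0.0.0         ad.doubleclick.net      # ad-blocking entry, benign
"""

if __name__ == "__main__":
    for lineno, host, ip, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip} ({reason})")
```

Run it against the real file with `scan_file(WINDOWS_HOSTS_PATH)`; an empty result means no vendor domain is overridden. A hit for a vendor domain is worth investigating even when the address looks harmless, since the hosts file takes precedence over DNS and a legitimate installation has no reason to pin those names.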
 
probably looking at too much pr0n haha. I share this computer with 2 other people here at my office and they don't ever clean up after themselves.

Thanks for the quick replies

Howard, here is my log for Crusty.exe
 
Your system is infected with malware.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :)

This thread is for the use of Blind Dragon only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
OK, so far step 10 'Tool 3' would not open; I even tried different browsers. It just loads for about 5 minutes, then page not found. Tools 1 & 2 were fine.

I went on from there and here are the results from panda.

Will edit this when I have finished.
 
Delete all files in AVG Antispyware quarantine.

Download and run this Symantec/Norton removal tool.

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:


File::
C:\Documents and Settings\Owner\Application Data\wtta.exe
C:\windows\ALCXMNTR.EXE
C:\WINDOWS\addins\spsa.bak2
C:\WINDOWS\Microsoft.NET\goldrah.bak2
C:\WINDOWS\System32\d?dplay.exe
Folder::
C:\qoobox
C:\WINDOWS\system32\hhxjzmx
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39D7360A-EC45-23C4-8602-16550FFC7E3F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8DA5457F-A8AA-4CCF-A842-70E6FD274094}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ilsuf"=-
"Notn"=-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\hhxjzmx\csrss.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
C:\WINDOWS\system32\hhxjzmx\csrss.exe

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard :)

 
Here they are, should I keep and run any of these programs on a regular basis?

Right now I run Avast with spybot SD and adaware
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type regedit into the run box and hit the enter key.

Navigate to the following reg keys and delete them.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\hhxjzmx\csrss.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
C:\WINDOWS\system32\hhxjzmx\csrss.exe


Locate and delete the following bold files and/or folders(if there).

C:\WINDOWS\system32\hhxjzmx <-- Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Post fresh Combofix and HJT logs.

Regards Howard :)

 
It`s getting better slowly lol.

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:


File::
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\csrss.lnk
C:\WINDOWS\pss\csrss.lnkStartup
Folder::
C:\qoobox
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^csrss.lnk]

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard :)

 
Yes, that got it at last.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O17 - HKLM\System\CCS\Services\Tcpip\..\{43679D3A-0E3D-446A-BC70-70D4350D6CC1}: NameServer = 4.2.2.5,4.2.2.6

O17 - HKLM\System\CCS\Services\Tcpip\..\{BE2A1AB6-1457-4FC1-B983-49FFDD9A2F7D}: NameServer = 192.168.1.136

O17 - HKLM\System\CS1\Services\Tcpip\..\{43679D3A-0E3D-446A-BC70-70D4350D6CC1}: NameServer = 4.2.2.5,4.2.2.6

Only fix the above O17 entries if they don`t belong to your ISP.

Click on the fix checked button.

Close HJT and reboot your system.

Delete the following folder.

C:\qoobox

Post a final HJT log.

Regards Howard :)

 
Your HJT log is clean.

Turn off system restore. (XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Thanks for all the help Howard!

What is the best way to scan for malware? Should I really run Avast, Spybot, Ad-Aware, AVG Antispyware and ZoneAlarm? My computer seems to boot up a lot slower.

Also, should I turn the shield back on in AVG Anti-Spyware? Or will that conflict with ZoneAlarm and the other active protections?
 
Uninstall AVG Antispyware, this is what`s probably slowing your system down.

Keep Avast and Zonealarm. Run Ad-Aware and SS&D only when you want.

See HERE for info on how to keep your system more secure.

Regards Howard :)

 
Fixing to install the new hosts file. But I noticed in the etc folder there are 4 backup hosts files. Could these have been created by my virus or malware? Should I delete the backups?

example
hosts.20071001-195613.backup
hosts.20070702-201343.backup

There are 4 files like this below my hosts file,

and also hosts.hwd and Hosts.msnbak.
 
I suggest, rather than just deleting them, you add them to an archive .zip folder, then delete hosts.20071001-195613.backup, hosts.20070702-201343.backup, hosts.hwd and Hosts.msnbak.

If you don`t see any problems after a week or two, you can then delete the .zip files.

Regards Howard :)

 
So, I thought that I still had something on my computer. My connection slows to dial-up speed and eventually stops. I call my ISP to tell them this and they say it sounds to be software related. I thought that my connection was hijacked. So I format and install a clean version of Vista. It didn't fix the problem. I could connect wireless through my PS3 but not on my ethernet. They said that my network adapter was bad and their router is fine. So I get a new network adapter, install it and disable the onboard adapter. Still no connection. I call them again and they said that I needed to get a new motherboard. Where do they get these people? I went to Best Buy and bought a cheap wireless USB adapter and now connect just fine. And have a clean version of Windows. This may be a stupid question, but is there any way that a virus or malware could disable the ethernet ports on my router? Ethernet still doesn't work but wireless is fine. Tested on 3 computers with 3 different network adapters and 3 different ethernet cables.
 