Re: Virus rewrites hosts file?

From: Chuck (none_at_example.net)
Date: 05/11/04


Date: 10 May 2004 19:12:10 -0500

On Mon, 10 May 2004 13:16:47 -0500, "John E. Carroll, Jr."
<*email_address_deleted*> wrote:

>I have Norton antivirus on XP Pro. I pretty well keep
>everything up to date, but- got something. Computer was
>locking up (screen freeze) and performing poorly. Couldn't
>get through to updates or antivirus sites. Was able to
>run scan on web with Trend - W32.Gaobot found &
>Repaired?. Still could not get updates or view any web
>sites (other than main page) about antivirus. I did some
>checking on my machine and found the hosts file
>(c:\windows\system32\drivers\etc\hosts) and saw a list of
>sites that was the same as sites I could not access
>(relative to anti-virus). I renamed the hosts file
>and created a new one with the list deleted. I was able
>to run updates and get to all the norton sites, etc.
>I ran a full scan and got the following report(s);
>
>bot[1].exe W32.Gaobot.AFJ (backup copy of repaired
>file)
>
>Document.scr W32.Beagle.X@mm (backup copy of repaired
>file)
>
>soundtaskmgr W32.Gaobot.AFJ (backup copy of repaired
>file)
>
>System is running stable, things seem to be ok, but-
>Whenever I run Norton update (each day) I have to open up
>the hosts file and delete the list of blocked sites - the
>file keeps getting rewritten.
>So it seems I still have something on the machine
>rewriting the hosts file. I can't find any information at
>norton (or anywhere else) on how to repair this.
>
>Any ideas anyone?
>
>PS. While working on my machine during the main problem I
>looked over start up items (msconfig) and can't figure
>out what this is-
> 1 1 SOFTWARE\Micosoft\Windows\CurrentVersion\Run
>I have the item unchecked. Would it be safe to delete
>this key and does it have anything to do with above
>problem?
>
>THANKS to all those who spend their time helping out on
>these newsgroups!!!!!!!!

John,

The registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" is a
normal part of Windows. "...Micosoft\Windows..." is not. Did you type as
intended, or was that a typo?

Immediately after you clear your hosts file, check for spyware.

First, download LSP-Fix and WinsockXPFix from <http://www.cexx.org/lspfix.htm>,
and CWShredder from <http://www.majorgeeks.com/download4086.html>. All are
free.

Next, close all Internet Explorer and Outlook windows, then run CWShredder.
Have it fix all variants.

Now check for, and remove, spyware. Get HijackThis
<http://www.majorgeeks.com/download.php?det=3155> and Spybot S&D
<http://www.safer-networking.org/index.php?page=download>. Both free.
1) Install and run Spybot. First update it ("Search for updates"), then run a
scan ("Check for problems"). Trust Spybot, and make all recommended deletions.
2) Install and run HijackThis. Do NOT make any changes immediately. Save the
HJT Log.
3) Have your HJT log interpreted by experts at one or more of the following
forums (and post it here):
<http://forums.net-integration.net/>
<http://www.spywareinfo.com/forums/>
<http://forums.tomcoyote.org/>
<http://www.wilderssecurity.com/>

If removal of any spyware affects your ability to access the internet (some
spyware builds itself into the network software, and its removal may damage your
network), run LSP-Fix and / or WinsockXPFix.

And John, please don't contribute to the spread of email address mining viruses.
Learn to munge your email address properly, to keep yourself a bit safer when
posting to open forums. Protect yourself and the rest of the internet - never
post your address unmunged.
http://www.mailmsg.com/SPAM_munging.htm

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
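The hosts-file hijack John describes (antivirus update sites pinned to 127.0.0.1 so updates fail) is easy to spot mechanically. The following is an added example, not code from either poster: it parses a hosts file, flags any line that maps a security vendor domain to any address at all, and emits a cleaned copy. The sample hosts content and the vendor-domain watch list are constructed for illustration; the marker list is an assumption and should be extended for whatever products are in use. On a real machine you would read C:\Windows\System32\drivers\etc\hosts instead of the constructed sample, and re-run the check after each update attempt to confirm whether something is still rewriting the file.

```python
"""Detect and strip hosts-file entries that hijack security vendor domains.

Added example, not from the original post. SAMPLE_HOSTS is constructed to
resemble the hijack described in the thread; SECURITY_DOMAIN_MARKERS is an
assumed, illustrative watch list.
"""
import ipaddress

# Constructed sample (assumption: illustrative only, not a real captured file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
127.0.0.1       update.symantec.com
127.0.0.1       housecall.trendmicro.com    # trailing comment on a mapping line
0.0.0.0         www.mcafee.com
192.168.0.5     fileserver.local
"""

# Assumed watch list: substrings of vendor/update domains. A hosts entry for any
# of these is almost never legitimate on a workstation. Matched case-insensitively.
SECURITY_DOMAIN_MARKERS = (
    "symantec", "norton", "trendmicro", "mcafee", "sophos",
    "kaspersky", "windowsupdate", "microsoft.com",
)


def parse_hosts(text):
    """Return [(lineno, ip, [hostnames])] for each active mapping line.

    Blank lines and comments are skipped; a trailing '# ...' comment is stripped
    before parsing. Lines whose first field is not an IP address are ignored.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a production tool would report it
        entries.append((lineno, str(ip), [h.lower() for h in parts[1:]]))
    return entries


def find_hijacks(text, markers=SECURITY_DOMAIN_MARKERS):
    """Return dicts {line, ip, host} for mappings that pin a watched domain.

    'localhost' is never flagged. A watched domain is flagged whatever it maps
    to: loopback and 0.0.0.0 block the site, a remote address redirects it.
    """
    hits = []
    for lineno, ip, hosts in parse_hosts(text):
        for host in hosts:
            if host == "localhost":
                continue
            if any(marker in host for marker in markers):
                hits.append({"line": lineno, "ip": ip, "host": host})
    return hits


def clean_hosts(text, markers=SECURITY_DOMAIN_MARKERS):
    """Return the hosts text with the hijacking lines removed.

    Comments, the localhost mapping and unrelated entries are preserved so the
    result can be written back in place of the tampered file.
    """
    bad = {hit["line"] for hit in find_hijacks(text, markers)}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']}")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Because the file was being rewritten after every cleanup, a cleaned copy alone is not a fix; the check is useful precisely because it can be re-run cheaply after each update to show whether the infection persists, which is the question Chuck's spyware-removal steps are meant to answer.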


