More darned malware - now is it dying?

What's in your hosts file?

It's often targeted but overlooked in the fight to clean the machine.
Had one this week where the file itself had 'disappeared'.

You might want to shut down one of the anti-virus progs and repeat a scan with the enabled one. Two or more packages running together can cause all sorts of silly problems, just like you've been experiencing.
 
Ok so you ran Combofix, and it says it found nothing? Are you sure, do you know how to read Combofix logs?

If it's quietened down and you are happy, that's fine; I'm just not sure it is clean.

And as Alumni has pointed out, ONE anti-virus programme only.

Regarding your running programmes and processes: look at all the O4 and O23 entries you have in your log, and the first part of the HijackThis log. I run some pretty intensive stuff on my machine, but my log is about 80% smaller than yours.
 
I had a virus on a computer the other day that changed the DNS servers of the router. Make sure that the DNS is set automatically by your ISP. To check the hosts file: C: > Windows > System32 > drivers > etc, right-click on hosts and open with Notepad, then copy and paste it here.
 
There isn't a hosts file any more, I think a deep scan by one of the anti-virus progs cleared it. I'm 100% certain there was one before.
(I'm not hiding system folders or files, I checked.)

> Combofix, and it says it found nothing? Are you sure, do you know how to read Combofix logs?

Not a scooby. It didn't make a fuss about anything; beyond that I don't understand 10% of it. It's here. It mentions about 10 anti-virus progs, I'm sure I never loaded that lot :)

Norton was on the thing since year dot, MSE came in sometime, then TH Guard as well, so yes there were >1 progs; whether they were working or not I'm not sure, but I picked something nasty up it seems. Hence not sure what to leave working now.

Re the O4 and O23 entries - well, it's a few years of trying things I suppose. Adobe and Google and Apple seem to like to load things in bunches. Apart from occupying a bit of memory, are they doing any harm? I don't know what some of them are for.
I have used it for editing videos, designing pcbs, designing plumbing systems, a few things.
You can't do pictures like
unledkp.jpg

without some jiggery-pokery.
And if you want a stereo pair you need a bit more. (and crossed eyes - try it)
unledqfl.jpg


What are you looking for?
Your Virus
What I meant was, how would it show?
 
As suspected, you've got the latest nasty.
Spent most of last week sorting out the damage this causes.
And yes, it removes your hosts file.

So, open Notepad and copy the following into it, then save the file as Hosts in the location mentioned earlier - C:/windows/sys32/drivers/etc

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost


Now, having done that, exit from ALL your anti-virus stuff and then just run Security Essentials. This should find your problems.
IMPORTANT
Then run checks on ALL usb devices you have.
This nasty looks for all drives d:/ onwards.

Once you've sorted this out, then you can start on any other machine you may have networked and/or used a usb on.

Most of the anti-virus products find/prevent this latest virus. However, I suspect your machine is crippling itself with too many AV packages running.
 
Er, all the lines in that file start with a #
so they'll all be seen as comments won't they??
Or did you mean something else?

(What's a "host" anyway?! how come it's running without the file :? )
 
> Er, all the lines in that file start with a #
> so they'll all be seen as comments won't they??
> Or did you mean something else?
>
> (What's a "host" anyway?! how come it's running without the file :? )
Up to you whether you use it.

And your machine is not exactly running, is it? More of a crawl.
The hosts file only comes into play with the t'interweb (in essence).

This time, you've lost yours, but usually the hosts file gets additions onto the end - not commented out - and you end up unable to access all the usual security sites. Remember the registry entries you had in your last file attachment?

As I say, spent several days this week sorting problems out with this virus - and at a very large corporate!
 
Sorry, what I meant to say was that I don't understand what it does.

Do all the # mean it's effectively "empty", or should the ones at the beginning of the last couple of lines not be there?

I mean, should it be:

127.0.0.1 localhost
::1 localhost

?
 
> Sorry, what I meant to say was that I don't understand what it does.
>
> Do all the # mean it's effectively "empty", or should the ones at the beginning of the last couple of lines not be there?
It's used for mapping DNS to IP addresses.
You can use the file to protect your machine by adding entries at the bottom.
The two at the bottom currently are local addresses, that is, your machine, the localhost address, not your actual IP address. So, commented or not, it won't normally make a difference to non-internet activity.
By all means remove the comments on the 2 entries; mine were probably commented out by me previously and I forgot to remove them.
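The two posts above describe what a hosts file does, why a fully commented-out file is harmless, and the usual tampering pattern (entries appended at the end that block or redirect security sites). The script below is an added example, not code from the thread or from any tool mentioned in it: it parses hosts-file text the way the resolver does (a leading `#` makes the line a comment, a later `#` starts a trailing comment), reports a missing file as the thread's "disappeared" case, and flags entries that touch security/update domains. The sample hosts files, the vendor-domain list and the Windows path are constructed assumptions for illustration.

```python
"""Audit a Windows hosts file for the tampering discussed in the thread.

Added example, not code from the original thread. The sample hosts files,
the vendor-domain list and WINDOWS_HOSTS_PATH are assumptions for
illustration only.
"""
import ipaddress
import os
from typing import Dict, List, Optional, Tuple

# Standard location on a default Windows install (assumption).
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Names that legitimately point at loopback.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Illustrative security/update domains that hosts-file malware commonly
# blocks or redirects. Constructed for this example; extend as needed.
SECURITY_DOMAINS = (
    "microsoft.com", "windowsupdate.com", "symantec.com", "norton.com",
    "mcafee.com", "kaspersky.com", "avast.com", "bleepingcomputer.com",
)


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, ip, [names]) for every active (non-comment) line."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()   # drop comments, incl. trailing
        if not body:
            continue                          # blank or fully commented line
        parts = body.split()
        if len(parts) < 2:
            continue                          # malformed; the resolver ignores it
        entries.append((n, parts[0], parts[1:]))
    return entries


def is_sinkhole(ip: str) -> bool:
    """True for loopback/unspecified addresses (127.0.0.1, ::1, 0.0.0.0)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def matches_security_domain(name: str) -> bool:
    host = name.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def audit_hosts(text: Optional[str]) -> Dict[str, object]:
    """Classify hosts-file content; text=None models a deleted file.

    status: 'missing', 'empty' (no active entries; harmless, localhost is
    resolved by DNS itself), 'clean' or 'tampered'.
    suspicious: (line, ip, name) for entries naming a security domain,
    whatever address they point to (sinkhole = blocked, other = redirect).
    blocked: other non-localhost names sent to a sinkhole address.
    """
    if text is None:
        return {"status": "missing", "active_count": 0,
                "suspicious": [], "blocked": []}
    active = parse_hosts(text)
    suspicious, blocked = [], []
    for n, ip, names in active:
        for name in names:
            if matches_security_domain(name):
                suspicious.append((n, ip, name))
            elif is_sinkhole(ip) and name.lower() not in LOOPBACK_NAMES:
                blocked.append((n, ip, name))
    status = "empty" if not active else ("tampered" if suspicious else "clean")
    return {"status": status, "active_count": len(active),
            "suspicious": suspicious, "blocked": blocked}


def audit_path(path: str = WINDOWS_HOSTS_PATH) -> Dict[str, object]:
    """Read and audit a real hosts file; a missing file reports 'missing'."""
    if not os.path.isfile(path):
        return audit_hosts(None)
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


# Constructed sample 1: the stock Microsoft file, every line a comment.
STOCK_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
"""

# Constructed sample 2: the same file with entries appended at the end,
# the pattern the thread describes. 203.0.113.5 is a documentation address.
TAMPERED_HOSTS = STOCK_HOSTS + """
127.0.0.1 localhost
::1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 update.microsoft.com
0.0.0.0 www.bleepingcomputer.com
203.0.113.5 www.norton.com   # redirect rather than block
"""

if __name__ == "__main__":
    for label, sample in (("stock", STOCK_HOSTS), ("tampered", TAMPERED_HOSTS),
                          ("deleted", None)):
        print(label, audit_hosts(sample))
```

Run it as-is to see the three constructed cases, or call `audit_path()` on the machine itself. A 'clean' verdict only means nothing on the illustrative domain list is touched; review the `blocked` list too, since a long run of sinkholed names that you did not add yourself is the same symptom with different targets.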
 
Copy and paste it exactly as it is; those are correct entries. Also, when you are done, make sure that your Internet Options security settings are on default mode, then go to the Advanced tab, click Restore advanced settings, then under that click Reset.

After all that download the norton removal tool here
http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN&ln=en_US

(choose the correct one)

@ Alumni, have you ever used the Norton Power Eraser?

http://security.symantec.com/nbrt/npe.aspx?lcid=1033

or the Old Timer Move It

http://www.geekstogo.com/forum/files/file/402-otm-oldtimers-move-it/

combined with this text

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[EMPTYFLASH]
[Reboot]

(paste into the left side and click Move It)
 
Good advice being given there. My advice would have been slightly different: if the above does not work, or you are still having issues, back up essential data, choose the programmes you really want to keep and use, and then reformat your hard drive and re-install Windows.

Just on a side point, are Automatic Updates working?
 
> @ Alumni, have you ever used the Norton Power Eraser?
>
> http://security.symantec.com/nbrt/npe.aspx?lcid=1033
>
> or the Old Timer Move It
>
> http://www.geekstogo.com/forum/files/file/402-otm-oldtimers-move-it/
>
> combined with this text
>
> :Files
> ipconfig /flushdns /c
>
> :Commands
> [purity]
> [resethosts]
> [emptytemp]
> [CREATERESTOREPOINT]
> [EMPTYFLASH]
> [Reboot]
>
> (paste into the left side and click Move It)
I was focussing more on getting the machine 'safe' again.
I suggested using Security Essentials simply because it is already on the machine; it also happens to find and resolve these current nasties.

Yes, the DNS issues would need to be resolved, especially if further security package solutions were to be required.

Regarding Norton: no, not used it. Nor will I. Nothing Norton will ever be going anywhere near any of my machines.
 
Fair comment about Norton. As regards the rest, I just wondered if you have ever used them yourself? If not, the Old Timer tools are a fine addition to your arsenal.
 
> Fair comment about Norton. As regards the rest, I just wondered if you have ever used them yourself? If not, the Old Timer tools are a fine addition to your arsenal.

No, I hadn't, but added to my arsenal now. :)

I usually keep well away from nasties but unfortunately someone who really should know better thought he'd circumvent the system.

As I understand it, the next incident will result in the dole queue increasing.

Seems more than fair to me.
 