HOSTS problem: Anyone else encountered this specific problem?

Discussion in 'Spyware' started by Brian E. Clark, Dec 3, 2004.

  1. I asked earlier about this problem and got some very good advice from
    Jim Byrd and others.

    But I'm still wondering: has anyone else encountered malware that does
    what mine is doing: REGENERATING the Hosts file even if it's deleted,
    and REPAIRING any changes made to the Hosts file so that the malignant
    entries remain intact?

    I've seen spyware that rewrites -- one time -- the Hosts file entries,
    but this one is persistent to the point of madness.
     
    Brian E. Clark, Dec 3, 2004
    #1

  2. Dennis Guest

    Hijacking the HOSTS file is a popular battle front for malware. ALWAYS make
    it read only.

    Dennis
    ================
     
    Dennis, Dec 3, 2004
    #2

  3. try setting your hosts file as 'read only'.
     
    |3iff //ullins, Dec 3, 2004
    #3
  4. Chuck Guest

    Brian,

    If you have spyware on your system, it will protect itself. If its payload
    includes a Hosts / DNS hijack, it will protect the hijack by rebuilding Hosts to
    its purpose, every time YOU remove its payload.

    You have to get rid of the problem (the spyware), not correct the symptom (the
    Hosts file contents). My suspicion is that any program that can rebuild Hosts
    can probably remove the Read-Only setting.

    Start by downloading each of the following free tools (whatever you haven't
    already tried):
    AdAware <http://www.lavasoftusa.com/>
    CWShredder <http://www.majorgeeks.com/download4086.html>
    HijackThis <http://www.majorgeeks.com/download.php?det=3155>
    LSP-Fix <http://www.cexx.org/lspfix.htm>
    WinsockXPFix <http://www.spychecker.com/program/winsockxpfix.html>
    Spybot S&D <http://www.safer-networking.org/index.php?page=download>
    Stinger <http://us.mcafee.com/virusInfo/default.asp?id=stinger>
    TrendMicro Engine <http://www.trendmicro.com/download/dcs.asp>
    TrendMicro Signatures <http://www.trendmicro.com/download/pattern.asp>
    TrendMicro Instructions <http://www.trendmicro.com/ftp/products/tsc/readme.txt>

    Create a separate folder for HijackThis, such as C:\HijackThis - copy the
    downloaded file there. Create a separate folder for the two TrendMicro files,
    such as C:\TrendMicro - copy the downloaded files there (unzipped if necessary).
    AdAware, CWShredder, and Spybot S&D have install routines - run them. The other
    downloaded programs can be copied into, and run from, any convenient folder.

    First, run Stinger. Have it remove any problems found.

    Next, close all Internet Explorer and Outlook windows, and run CWShredder. Have
    it fix all problems found.

    Next, disable System Restore.
    <http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm>
    Boot your computer into Safe Mode.
    http://support.microsoft.com/?id=315222
    Run C:\TrendMicro\Sysclean.com. Delete any infectors found. Reboot your
    computer, and re-enable System Restore.

    Next, run AdAware. First update it, configure for full scan
    (<http://forums.spywareinfo.com/index.php?showtopic=11150>), then scan. When
    scanning finishes, remove all Critical Objects found.

    Next, run Spybot S&D. First update it, then run a scan. Trust Spybot, and
    delete everything ("Fix Problems") that is displayed in Red.

    Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save the
    HJT Log.
    <http://forums.spywareinfo.com/index.php?showtopic=227>
    <http://forums.spywareinfo.com/index.php?showtopic=11150>

    Finally, have your HJT log interpreted by experts at one or more of the
    following security forums (and PLEASE post a link to your forum posts, here):
    Aumha: <http://forum.aumha.org/index.php>
    Net-Integration: <http://forums.net-integration.net/>
    Spyware Info: <http://forums.spywareinfo.com/>
    Spyware Warrior: <http://spywarewarrior.com/index.php>
    Tom Coyote: <http://forums.tomcoyote.org/>

    If removal of any spyware affects your ability to access the internet (some
    spyware builds itself into the network software, and its removal may damage your
    network), run LSP-Fix and / or WinsockXPFix.
     
    Chuck, Dec 3, 2004
    #4
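As an added illustration (not code from the thread or from any tool named in it), a small Python audit that applies Chuck's point that the hijack lives in the Hosts contents: it flags entries that send a hostname anywhere other than loopback or the null address, and keeps a digest of the mappings alone so a regenerated or "repaired" file shows up even when comments and spacing are unchanged. The sample hosts content is constructed; the hostnames are placeholders.

```python
import hashlib
import ipaddress

# Constructed sample hosts file content; the .test names are placeholders.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# the two lines below imitate hijack-style redirect entries
10.0.0.5        www.example-bank.test
10.0.0.5        update.example-av.test
0.0.0.0         ads.example.test
"""

def parse_hosts(text):
    """Return (ip, hostname, line_no) tuples, ignoring comments and blanks."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address: skip malformed line
        for host in parts[1:]:
            entries.append((str(ip), host.lower(), n))
    return entries

def is_blocking_entry(ip):
    """Loopback or the unspecified address blocks a name rather than redirecting it."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified

def find_redirects(text):
    """Entries that point a name at a real address: the shape of a Hosts hijack,
    since a legitimate hosts file almost only blocks or maps localhost."""
    return [(ip, host, n) for ip, host, n in parse_hosts(text)
            if not is_blocking_entry(ip)]

def hosts_digest(text):
    """SHA-256 over the sorted, normalised mappings only, so comment or whitespace
    edits do not alert but any changed or regenerated mapping does."""
    norm = sorted(f"{ip} {host}" for ip, host, _ in parse_hosts(text))
    return hashlib.sha256("\n".join(norm).encode()).hexdigest()

if __name__ == "__main__":
    for ip, host, n in find_redirects(SAMPLE_HOSTS):
        print(f"line {n}: {host} redirected to {ip}")
    print("baseline digest:", hosts_digest(SAMPLE_HOSTS))
```

Run it against a saved baseline digest on a schedule; a mismatch against the digest you recorded after cleaning is the signal that something is rebuilding the file.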
  5. CalamityKen Guest

    |3iff //ullins typed:
    Any application can remove the "Read-only" attribute, then do its nastiness,
    then set it back to "Read-only".

    CoolWebSearch (CWS) are masters of this hijack and have used it to their
    advantage for ages.
     
    CalamityKen, Dec 3, 2004
    #5
  6. Doesn't work. This malware is *monitoring* changes to the HOSTS file. I
    can change HOSTS to read-only, but within a second it's back to normal.
     
    Brian E. Clark, Dec 3, 2004
    #6
  7. CalamityKen Guest

    Brian E. Clark typed:
    CoolWebSearch (CWS) are the masters of this hijack.

    Install the prevention protection below and help your friends from being
    infected on the Internet.
    "An ounce of prevention is worth a pound of cure."

    Remove the infections and install the prevention protection on ALL User
    Account IDs.

    Empty the Recycle Bin frequently.

    Run CleanUp! as the Temp folders should be cleaned out periodically as
    installation programs and hijack programs leave a lot of junk there.
    http://cleanup.stevengould.org/
    Then reboot to let it clean out what it found.

    By the way, in order to improve Internet Explorer (IE) performance the
    Temporary (TIF) should be cleaned out periodically.
    Also, it is a good idea to limit the size of the TIF to 200MB for
    performance sake.
    In IE go to Tools then Internet Options then Settings and move the slider
    down to 200MB.

    Download and install WinPatrol.
    http://www.winpatrol.com

    Browser settings for increased security:
    http://bshagnasty.home.att.net/browsersettings.htm

    Install IE-SPYAD then run the install.bat in the ie-spyad folder and
    SpywareBlaster then keep them up to date as today's Internet is full of
    nasty infections.
    https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
    http://www.javacoolsoftware.com/spywareblaster.html
     
    CalamityKen, Dec 3, 2004
    #7
  8. Jim Byrd Guest

    Hi Brian - Two things - First, I don't think you're going to be able to
    handle this one by yourself, but here's a tool which may help you a little
    w/the HOSTS problem: http://downloads.subratam.org/HostsFileReader.zip Use
    carefully!

    Next, at this point I would suggest that you follow exactly the HiJackThis
    procedures that I outlined in my previous post and log on to one of the
    Forums for some expert help with this using the procedures I gave there.

    --
    Please respond in the same thread.
    Regards, Jim Byrd, MS-MVP
     
    Jim Byrd, Dec 3, 2004
    #8
  9. Lance Guest

    Sorry for butting in...

    I've wondered about this. How about changing NTFS permissions so
    "Administrator" is owner and only he has write permission? Then
    explicitly deny write permission to all other users?

    Would that help protect HOSTS?

    Lance
    *****

    CalamityKen thought carefully and wrote on 12/3/2004 9:36 AM:
     
    Lance, Dec 4, 2004
    #9
  10. CalamityKen Guest

    Lance typed:
    Lance, yes I believe it would as long as the log on does not have
    "Administrator" privileges.
     
    CalamityKen, Dec 4, 2004
    #10
  11. Chuck Guest

    And as long as the nasty stuff runs under the context of the user. If the nasty
    stuff runs under the system context, you're screwed.
     
    Chuck, Dec 5, 2004
    #11
