
C:\windows\hosts.exe


9 replies to this topic

#1 Animalwg82

  • Members
  • 10 posts

Posted 23 September 2007 - 03:57 PM

When my computer starts a command prompt pops up and runs c:\windows\hOsts.exe. I have searched and come up with different things. I would appreciate any help.

thanks



#2 rookie147

  • Members
  • 5,321 posts

Posted 23 September 2007 - 04:06 PM

I'm pretty sure that this file is bad, but if you would like a second opinion, you can use a file scanner like Jotti Virus Scanner.
Click on the Browse button.
Copy and paste the following filepath in the box:

c:\windows\hosts.exe

Click on the Open button.
The scanner will check the file with various AV companies.
Copy and paste the results box into a reply to this thread.

Edited by rookie147, 23 September 2007 - 04:06 PM.



#3 Animalwg82
  • Topic Starter

  • Members
  • 10 posts

Posted 23 September 2007 - 04:28 PM

Thanks man I will post the results whenever the website catches up. It says the server is very busy and it will get to me in a minute. I have the file posted but the submit button is not enabled right now.

#4 Animalwg82
  • Topic Starter

  • Members
  • 10 posts

Posted 23 September 2007 - 04:38 PM

Scan taken on 23 Sep 2007 21:29:13 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

#5 Animalwg82
  • Topic Starter

  • Members
  • 10 posts

Posted 23 September 2007 - 05:24 PM

File: h0sts.exe
Status: OK
MD5: 999bfcc8c2fb0c94136ea48b14cf9a82
Packers detected: -
Bit9 reports: File not found

Also, after that file loads in the cmd prompt it opens a web page, but there is nothing on it but a counter and some advertisements.

Here is the page:

http://lausungen.cc/ct.php

Edited by Animalwg82, 23 September 2007 - 05:30 PM.


#6 oldf@rt

  • Members
  • 2,609 posts
  • Gender:Male
  • Location:Avondale, Arizona USA

Posted 23 September 2007 - 06:12 PM

Try running a scan at virustotal. Everything that I find says that you have a backdoor trojan. My XP Pro machine does not have that file anywhere.
The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#7 Animalwg82
  • Topic Starter

  • Members
  • 10 posts

Posted 23 September 2007 - 06:33 PM

Prevx1 V2 2007.09.24 Heuristic: Suspicious File Which Interferes With Vulnerable Files Like The HostsFile

Additional information
File size: 540778 bytes
MD5: 999bfcc8c2fb0c94136ea48b14cf9a82
SHA1: c771ebf4a8548e6be56e6ed0321efe3547492a4b
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5...5C0B700E855B01A

Prevx1 was the only one to find anything at virustotal. What now? Should I just delete the file?

#8 oldf@rt

  • Members
  • 2,609 posts
  • Gender:Male
  • Location:Avondale, Arizona USA

Posted 23 September 2007 - 07:24 PM

I would use a program such as Spybot S & D to eliminate the startup entry to see if you have any problems. Everything that I find, including the startup list here at Bleeping Computer, indicates that you have some kind of backdoor trojan.
The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#9 Animalwg82
  • Topic Starter

  • Members
  • 10 posts

Posted 23 September 2007 - 07:53 PM

I have run spybot. Is there a certain way to check startup programs with sb?

#10 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,119 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 September 2007 - 08:46 PM

Launch Spybot, go to Mode and select Advanced. Then go to Tools, select System Startups. You will be provided with a list of programs that load when Windows starts. If you untick an entry it will no longer run at startup.

Download Sysclean Package & save it to your desktop.
  • Create a new folder on drive "C:\" and rename it Sysclean - (C:\Sysclean).
  • Place the sysclean.com inside that folder.
  • Then download the latest Virus Pattern Files - (Pattern files are usually named lptxxx.zip, where xxx is the pattern file number)
  • Extract (unzip) the lptxxx.zip pattern file into the Sysclean folder where you put sysclean.com. (Click here for information on how to extract a file if you're not sure how to do this.) DO NOT scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Note: Some anti-virus programs such as Avast will alert you to a virus attack when running sysclean so it's best to disable them before going to the next step.

Scan with Sysclean as follows:
  • Open the Sysclean folder and double-click on sysclean.com to start the scanning process.
  • Put a check mark on the "Automatically clean or delete infected files" option by clicking in the checkbox.
  • Click the Advanced >> button.
  • The scan options appear. Select the "Scan all local fixed drives".
  • Click the "Scan button" on the Trend Micro System Cleaner console.
  • It will take some time to complete. Be patient and let it clean whatever it finds.
  • Another MS-DOS window appears containing the log file (sysclean.log) generated in the same folder where the scan is completed - C:\Sysclean.
  • To view the log, click the "View button" on the Trend Micro System Cleaner console. The Trend Micro Sysclean Package - Log window appears.
    • The Files Detected section shows the viruses that were detected by System Cleaner.
    • The Files Clean section shows the viruses that were cleaned.
    • The Clean Fail section shows the viruses that were not cleaned.
  • Exit when done, reboot normally and re-enable your anti-virus program.
Instructions with screenshots are here if you need them.

When using Sysclean it's best to use the Administrator's account or an account with Administrative rights, otherwise you will not have access rights to scan some locations. You can also use the "Run As" command to start a program as an Administrator. Even when doing that, the scanning process may result in "Access Denied" messages for some files. This is normal because these files are protected by the system.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
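
What the Spybot System Startups view shows can also be listed from PowerShell. The following is an added example, not part of any post in this thread: it enumerates auto-start entries, hashes each target, and flags entries that match the MD5 posted above or that sit in the Windows folder under a name imitating the hosts file. The function names and the flagging heuristics are assumptions made for illustration.

```powershell
# Added example: list auto-start entries and flag ones resembling the file in this thread.
# $ThreadMd5 is the MD5 posted in the thread; the heuristics are illustrative assumptions.
$ThreadMd5 = '999bfcc8c2fb0c94136ea48b14cf9a82'

function Get-ImagePath {
    param([string]$Command)
    # Expand %SystemRoot% etc., then take the quoted path or the text up to the first extension.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr|pif|lnk))(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-StartupEntry {
    param([string]$Name, [string]$Command, [string]$Location)
    $path = Get-ImagePath $Command
    $reasons = @()
    $md5 = $null; $sig = $null
    if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
        $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLower()
        $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status
        if ($md5 -eq $ThreadMd5) { $reasons += 'MD5 matches the file posted in the thread' }
        # An executable sitting directly in %WINDIR% without a valid signature deserves a look.
        if ((Split-Path $path -Parent) -ieq $env:WINDIR -and $sig -ne 'Valid') {
            $reasons += 'no valid signature, located directly in the Windows folder'
        }
    } else {
        $reasons += 'target file not found'
    }
    # The real hosts file has no extension and lives in system32\drivers\etc;
    # hosts.exe / h0sts.exe / hOsts.exe only imitate its name.
    if ($path -and [IO.Path]::GetFileName($path) -match '^h[o0]sts\.\w+$') {
        $reasons += 'name imitates the hosts file'
    }
    [pscustomobject]@{
        Name = $Name; Location = $Location; Path = $path
        MD5 = $md5; Signature = $sig; Reasons = ($reasons -join '; ')
    }
}

# Win32_StartupCommand covers the Run registry keys and the Startup folders.
Get-CimInstance Win32_StartupCommand |
    ForEach-Object { Test-StartupEntry $_.Name $_.Command $_.Location } |
    Sort-Object { $_.Reasons -eq '' } |
    Format-Table -AutoSize -Wrap
```

The script only reports; it does not disable or delete any entry. Flagged rows sort to the top of the table.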
