
Avg Free Edition Scan: Found C:\windows\system32\drivers\etc\hosts And C:\windows\system32\kernel32.dll Change


5 replies to this topic

#1 Americangirl2007
  • Members
  • 5 posts

Posted 24 October 2007 - 05:42 PM

My computer has been running slower lately. I found this forum and read about someone else having a similar problem, but not exactly here.

In the log from the link I posted, SifuMike posted this:

Lets check your HOSTS file.
It's located at c:\windows\system32\drivers\etc\hosts.
You can open it up in Notepad.
If it's just some lines on top with a # in front of it and followed by 127.0.0.1 localhost, then you don't need to post it;
however, if there are others following 127.0.0.1 localhost, you may have to fix it.
Post it here if that's the case.


I opened up my HOSTS file at that location and there were other lines following 127.0.0.1 localhost. This is what was in there:

# Copyright 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
#102.54.94.97 rhino.acme.com # source server
#38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 bin.errorprotector.com
127.0.0.1 br.errorsafe.com
127.0.0.1 br.winantivirus.com
127.0.0.1 br.winfixer.com
127.0.0.1 cdn.drivecleaner.com
127.0.0.1 cdn.errorsafe.com
127.0.0.1 cdn.winsoftware.com
127.0.0.1 de.errorsafe.com
127.0.0.1 de.winantivirus.com
127.0.0.1 download.cdn.drivecleaner.com
127.0.0.1 download.cdn.errorsafe.com
127.0.0.1 download.cdn.winsoftware.com
127.0.0.1 download.errorsafe.com
127.0.0.1 download.systemdoctor.com
127.0.0.1 download.winantispyware.com
127.0.0.1 download.windrivecleaner.com
127.0.0.1 download.winfixer.com
127.0.0.1 drivecleaner.com
127.0.0.1 dynamique.drivecleaner.com
127.0.0.1 errorprotector.com
127.0.0.1 errorsafe.com
127.0.0.1 es.winantivirus.com
127.0.0.1 fr.winantivirus.com
127.0.0.1 fr.winfixer.com
127.0.0.1 go.drivecleaner.com
127.0.0.1 go.errorsafe.com
127.0.0.1 go.winantispyware.com
127.0.0.1 go.winantivirus.com
127.0.0.1 hk.winantivirus.com
127.0.0.1 instlog.errorsafe.com
127.0.0.1 instlog.winantivirus.com
127.0.0.1 instlog.winfixer.com
127.0.0.1 jsp.drivecleaner.com
127.0.0.1 kb.errorsafe.com
127.0.0.1 kb.winantivirus.com
127.0.0.1 nl.errorsafe.com
127.0.0.1 se.errorsafe.com
127.0.0.1 secure.drivecleaner.com
127.0.0.1 secure.errorsafe.com
127.0.0.1 secure.winantispam.com
127.0.0.1 secure.winantispy.com
127.0.0.1 secure.winantivirus.com
127.0.0.1 support.winantivirus.com
127.0.0.1 trial.updates.winsoftware.com
127.0.0.1 ulog.winantivirus.com
127.0.0.1 utils.errorsafe.com
127.0.0.1 utils.winantivirus.com
127.0.0.1 utils.winfixer.com
127.0.0.1 winantispyware.com
127.0.0.1 winantivirus.com
127.0.0.1 winfixer.com
127.0.0.1 winfixer2006.com
127.0.0.1 winsoftware.com
127.0.0.1 www.drivecleaner.com
127.0.0.1 www.errorprotector.com
127.0.0.1 www.errorsafe.com
127.0.0.1 www.systemdoctor.com
127.0.0.1 www.utils.winfixer.com
127.0.0.1 www.win-anti-virus-pro.com
127.0.0.1 www.win-virus-pro.com
127.0.0.1 www.winantispam.com
127.0.0.1 www.winantispy.com
127.0.0.1 www.winantispyware.com
127.0.0.1 www.winantivirus.com
127.0.0.1 www.winantiviruspro.com
127.0.0.1 www.windrivecleaner.com
127.0.0.1 www.windrivesafe.com
127.0.0.1 www.winfixer.com
127.0.0.1 www.winfixer2006.com
127.0.0.1 www.winsoftware.com


I don't know what those other lines are and what they mean. My computer is running slower. Even when I open folders on my computer, they open slower with the little search flashlight with the folder icon thing coming up. That never happened like that before. My internet is slower also. Does anyone know if I'm infected with any malware, adware, virus, etc.? Please help! Thanks!!


#2 tos226
    BleepIN--BleepOUT
  • Members
  • 1,568 posts
  • Gender:Female
  • Location:LocalHost

Posted 24 October 2007 - 09:50 PM

The entries you see below the local host are really BAD sites which are being redirected back to nowhere (your computer), so they can't call out. I don't know what put those entries in, quite possibly AVG or some other application you've used. They're a good thing. But ...
In some computers, mine included, if a large hosts file is used, the DNS service has to be disabled. Otherwise the computer can get very, very slow for the internet access.

More and better details here
http://www.mvps.org/winhelp2002/hosts.htm
and a quote:

Editors Note: in most cases a large HOSTS file (over 135 kb) tends to slow down the machine. This only occurs in W2000/XP/Vista. Windows 98 and ME are not affected.

To resolve this issue (manually) open the "Services Editor"
Start | Run (type) "services.msc" (no quotes)
Scroll down to "DNS Client", Right-click and select: Properties
Click the drop-down arrow for "Startup type"
Select: Manual, or Disabled (recommended) click Apply/Ok and restart


restart = REBOOT is a must. You can also stop and then disable the DNS service from Control Panel.
See about the middle of that writeup. If I were you, I'd read the whole article. The thing that puzzles me a bit is that your hosts file isn't all that long and it sure is missing a lot of other very bad things.

Edited by tos226, 24 October 2007 - 09:55 PM.
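A small checker for the two tests raised so far in the thread: SifuMike's rule (quoted in the first post) that any active line after "127.0.0.1 localhost" deserves a look, and the 135 kB size note tos226 quoted from mvps.org. This is an added example in Python, not code from the thread or from any tool it names. It goes one step beyond the thread by separating names pointed at the loopback (a blocklist, harmless, which is what the OP's file is) from names pointed at any other address, which is how a hosts file is used to send traffic for a site somewhere else. The sample file is constructed: a few lines from the OP's file plus one made-up line with the address 192.0.2.10 and the name update.example-av.test.

```python
"""Audit a Windows HOSTS file: classify active mappings and flag oversize files.

Added example for this thread; the SAMPLE_HOSTS text below is constructed
(a few lines from the OP's file plus one made-up hijack line).
"""

LARGE_HOSTS_BYTES = 135 * 1024  # size above which the mvps.org note says XP slows down
LOOPBACK_IPS = {"127.0.0.1", "0.0.0.0", "::1"}  # "nowhere": the local machine or a null route
SELF_NAMES = {"localhost", "localhost.localdomain"}  # names that belong on the loopback


def parse_hosts(text):
    """Yield (line_no, ip, [names]) for each active mapping; comments are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        parts = line.split()
        if len(parts) >= 2:
            yield line_no, parts[0], parts[1:]


def audit_hosts(text):
    """Classify every hostname in the file.

    self     -> the stock "127.0.0.1 localhost" style lines
    blocked  -> a real site pointed at the loopback (ad/rogue-AV blocklist pattern)
    hijacked -> a real site pointed at some other address (traffic goes there instead)
    """
    result = {
        "self": [],
        "blocked": [],
        "hijacked": [],
        "large_file": len(text.encode("utf-8")) > LARGE_HOSTS_BYTES,
    }
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            key = name.lower()  # hostnames are case-insensitive
            if ip in LOOPBACK_IPS and key in SELF_NAMES:
                result["self"].append(key)
            elif ip in LOOPBACK_IPS:
                result["blocked"].append(key)
            else:
                result["hijacked"].append((line_no, key, ip))
    return result


# Constructed sample: header and three entries from the OP's file, plus one
# made-up line that points a vendor-looking name at a foreign (TEST-NET) address.
SAMPLE_HOSTS = """\
# Copyright 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
127.0.0.1 winfixer.com
127.0.0.1 www.errorsafe.com
127.0.0.1 download.systemdoctor.com
192.0.2.10 update.example-av.test   # constructed: a vendor-looking name sent elsewhere
"""

if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print("file too large for DNS Client:", report["large_file"])
    print("blocked (sent to loopback):", report["blocked"])
    for line_no, name, ip in report["hijacked"]:
        print(f"line {line_no}: {name} -> {ip}  <-- investigate")
```

On a real machine, read the text from C:\windows\system32\drivers\etc\hosts (the path the thread gives) and pass it to audit_hosts. The OP's file would come out with 70 blocked names and nothing hijacked, and tos226's advice about the DNS Client service only matters when large_file is True.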


#3 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,141 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 25 October 2007 - 07:43 AM

Reported changes in system files such as kernel32.dll, wsock32.dll, user32.dll, shell32.dll and ntoskrnl.exe are normal for AVG.

There are many valid reasons for those files to show changed, a Windows update, file system check that replaced them if corrupted, and others. As long as AVG doesn't say they are infected it is ok. If it continues to show changed, delete the following file(s) in the C:\ directory and AVG will create a new one(s)...AVG7DB_F.DAT, AVG7QT.DAT

kernel32.dll, wsock32.dll, user32.dll, shell32.dll and ntoskrnl.exe have "changed"

It is normal that AVG shows that files, the MBR or Boot record have changed. These are done during normal maintenance, when you or Windows update files or have had to correct errors on the drive. The only time that you should worry is if they also show as infected.

To get AVG to quit showing them as changed, open the AVG Test Center, click the F3 key on your keyboard and tell it to accept the changes. If it still shows something as changed after this.. delete the file named AVG7QT.DAT in the %ALLUSERSPROFILE%\Application Data\avg7\ folder and AVG will rebuild it the next time it is run.

The %ALLUSERSPROFILE% is different for each version of Windows. The following are the typical locations for XP and Win9x

XP - C:\Documents and Settings\All Users\Application Data\avg7
Win9x -C:\Windows\All Users\Application Data\avg7

Changed File Alerts

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Americangirl2007
  • Topic Starter
  • Members
  • 5 posts

Posted 25 October 2007 - 05:47 PM

Thank you everyone! I really appreciate the help.

tos226, you stated:

The thing that puzzles me a bit is that your hosts file isn't all that long and it sure is missing a lot of other very bad things.


Is my hosts file supposed to be very long? You said it's missing a lot of other very bad things. Does that mean that those things are on my computer or infecting it? Is my computer susceptible to those things since they are not in the Hosts file? That scares me.


I have another question. When I open Task Manager, I see that there are 6 instances of svchost.exe. Why is this? Many times my CPU Usage goes to 100%. Am I supposed to have 6 of those svchost.exe in my Task Manager? This is what I saw:

[screenshot of the Task Manager process list]

Like I mentioned earlier, my computer is slower. Does this have anything to do with it? Is there anything in my Task Manager that shouldn't be there? Why is one of the svchost.exe so high in K?

#5 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,141 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 28 October 2007 - 07:54 AM

A HOSTS file maps an IP address to a name. The original purpose of hosts files was to map the proper address to a site's name, but now it's also used for blocking purposes. 127.0.0.1 localhost is the universal IP address of all local computers and is also called the "loopback" because it refers to the local computer only. The loopback address is used to stop web ads from displaying because 127.0.0.1 indicates home (the location of your computer) and whatever is redirected home will not leave the system. Anything that appears in your HOSTS file without a # at the beginning, except for the "127.0.0.1 localhost" line, should be viewed with suspicion.

To use the HOSTS file to block web ads, you add a list of hosts serving offensive or malicious content with these domains associated to the loopback address (127.0.0.1 localhost) which is your own computer. When you go to a site that contains ads, the browser looks on your computer for the ads and never visits the ad server. The "blocking effect" of a host file is not in the name being listed there, but rather by associating the name with the wrong IP address which prevents you from reaching that site. For example, when the entry "127.0.0.1 ad.doubleclick.net" is requested your computer thinks 127.0.0.1 is the location of the file. When this file is not located it skips onto the next file and thus the ad server is blocked from loading the banner, cookie, or malicious javascript file.

If you want to remove those entries, download HostsXpert - Hosts File Manager
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to start the program.
  • When the program opens, click the "Restore MS Hosts File" button in the left pane.
  • Click "Make Hosts Writable?" (if available).
  • Click "Restore Microsoft's Hosts file" when prompted and then click "OK".
  • Exit HostsXpert when done.
Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs). This is a valid system process that belongs to the Windows Operating System which handles processes executed from DLLs. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load.

It is not unusual for multiple instances of Svchost.exe to be running at the same time in Task Manager in order to optimise the running of the various services.

svchost.exe SYSTEM
svchost.exe LOCAL SERVICE
svchost.exe NETWORK SERVICE

Each Svchost.exe session can contain a grouping of services; therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process IDs (PIDs) are not static and can change with each logon, but generally they stay nearly the same because they are running services all the time. The PIDs must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location on your computer. In XP, the legitimate Svchost.exe file is located in your C:\WINDOWS\system32\ folder.

If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here and here. Make sure of the spelling. If it is scvhost.exe, then that is a Trojan.

There are several ways to investigate svchost.exe and related processes.

You can download and use Process Explorer or Glarysoft Process Manager to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select properties, you will see more details about the file.

The Process Explorer window shows two panes by default: the upper pane is always a process list and the bottom pane either shows the list of DLLs loaded into the process selected in the upper pane, or the list of operating system resource handles (files, Registry keys, synchronization objects) the process has open. In the menu at the top select View > Lower Pane View to change between DLLs and Handles.

If you have XP Pro, you can use Tasklist /SVC to view the list of services running in each Svchost.exe process. The /SVC switch shows the list of active services in each process.

Go to Start > Run and type: cmd
press Ok
At the command prompt type: tasklist /svc >c:\taskList.txt
press Enter

Go to Start > Run and type: C:\taskList.txt
press Ok to view the list of processes

For help and syntax information, type the following command, and then press ENTER:
tasklist /?
Also see Syntax options and Tasklist Syntax.

You can also use the WMI command-line utility to view and list processes.
Go to Start > Run and type: cmd
press Ok
At the command prompt type: WMIC /OUTPUT:C:\ProcessList.txt PROCESS get Caption,Commandline,Processid
or: WMIC /OUTPUT:C:\ProcessList.txt path win32_process get Caption,Processid,Commandline
press Enter

Go to Start > Run and type: C:\ProcessList.txt
press Ok to view the details of all the processes.

And you can search the process name using Google, BC's File Database and read "How to determine what services are running under a SVCHOST.EXE process".

If you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
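quietman7's checks above, as one script: the legitimate svchost.exe lives in C:\WINDOWS\system32 on XP, a near-miss spelling such as scvhost.exe is a Trojan, and WMIC will list every process with its command line. This is an added example in Python and not code from the thread. It assumes the WMIC listing was produced with the /FORMAT:csv option instead of the default table, so that the csv module can read it; the listing below, including the host name XPBOX and the two bad entries, is constructed. The -k check is an extra heuristic beyond what the thread says: the service host is started with a -k service-group argument, so a svchost.exe command line without one is worth a second look.

```python
"""Triage svchost-like processes from a WMIC process listing.

Added example for this thread. SAMPLE_WMIC_CSV is constructed output in the
shape produced by:  wmic process get Caption,CommandLine,ProcessId /format:csv
"""
import csv
import io

TARGET = "svchost.exe"
LEGIT_SVCHOST = r"c:\windows\system32\svchost.exe"  # XP location named in the thread


def levenshtein(a, b):
    """Edit distance; used to spot look-alike names such as scvhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exe_from_cmdline(cmdline):
    """Executable path from a command line: a quoted path, or up to the first space."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def parse_wmic_csv(text):
    """Parse WMIC CSV output; it starts with a blank line and carries a Node column."""
    rows = csv.DictReader(io.StringIO(text.lstrip()))
    return [
        {"Caption": r["Caption"], "CommandLine": r["CommandLine"] or "", "ProcessId": int(r["ProcessId"])}
        for r in rows
    ]


def triage(records):
    """Return (pid, name, verdict) for every process that is or resembles svchost.exe."""
    findings = []
    for r in records:
        name = r["Caption"].lower()
        if name == TARGET:
            cmdline = r["CommandLine"]
            if not cmdline:
                verdict = "command line not visible; check the path in Process Explorer"
            else:
                exe = exe_from_cmdline(cmdline).lower()
                if exe != LEGIT_SVCHOST:
                    verdict = f"wrong path: {exe}"  # right name, wrong location
                elif "-k" not in cmdline.lower().split():
                    verdict = "no -k service group"  # heuristic, see lead-in
                else:
                    verdict = "ok"
            findings.append((r["ProcessId"], name, verdict))
        elif levenshtein(name, TARGET) <= 2:
            findings.append((r["ProcessId"], name, "look-alike name"))
    return findings


# Constructed listing: two normal service hosts, one svchost.exe outside
# system32 and one misspelled scvhost.exe in a user profile.
SAMPLE_WMIC_CSV = r"""
Node,Caption,CommandLine,ProcessId
XPBOX,System Idle Process,,0
XPBOX,svchost.exe,C:\WINDOWS\system32\svchost.exe -k rpcss,936
XPBOX,svchost.exe,C:\WINDOWS\system32\svchost.exe -k netsvcs,1040
XPBOX,svchost.exe,C:\WINDOWS\svchost.exe,1604
XPBOX,scvhost.exe,C:\Documents and Settings\User\scvhost.exe,1788
XPBOX,explorer.exe,C:\WINDOWS\Explorer.EXE,1300
"""

if __name__ == "__main__":
    for pid, name, verdict in triage(parse_wmic_csv(SAMPLE_WMIC_CSV)):
        print(f"{pid:>6}  {name:<14} {verdict}")
```

Only the path and the spelling are decisive here; six or more correctly located svchost.exe instances with a -k group are exactly what the thread says to expect, and the per-instance service list still comes from tasklist /svc as described above.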

#6 ZaxBack
  • Members
  • 1 posts

Posted 24 May 2008 - 10:42 PM

Maybe I came late, but I know a hundred percent what this is from my old, old experience. This is a registry script that modifies your hosts file as the host for all the websites you mentioned below, and it comes from two things that lead you to the same result, which is a botnet trojan. There are two types. One that is old writes itself into the registry Run key so it will be executed with Windows, and it comes with the aim of auto-infecting through MSN by sending these advertising websites to all your online contacts; it can be deleted or stopped manually by cleaning your registry after killing its process, and this one is really old. The new trojan is the one that writes itself into the kernel32 file and into some DLL files; it is hard to delete and almost impossible for any antivirus to catch, so my advice, if you don't know how to stop this trojan, is to format your PC if you are not an expert in cleaning your registry files and restoring the Windows files.
Anyway, I hope my information can help you in something, and for any further information about bots and trojans I am glad to reply to all your posts, so good luck.
