
adware_memwatcher infection


7 replies to this topic

#1 restless13


Posted 26 April 2009 - 05:30 PM

Hi.

I just used Trend Micro Housecall 6.5 to scan my computer. It found ADWARE_MEMWATCHER in my system.
I tried to remove it with Trend Micro. Then I scanned again, and it says there are no infections on my computer. But, to be on the safe side, I did a little research and found this forum. I would appreciate it if someone can help me with this problem. I am still not sure whether the adware is completely removed or not.

Thanks in advance.
Regards

I am using Windows XP Home Edition with SP2

Edited by restless13, 26 April 2009 - 05:32 PM.




#2 quietman7


Posted 27 April 2009 - 09:00 AM

Did Trend Micro provide a specific file name associated with this malware threat(s) and if so, where is it located (full file path) on your system?

Each security vendor uses their own naming conventions to identify various types of malware so it's difficult to determine exactly what has been detected or the nature of the infection without knowing more information about the actual file(s) involved. See Understanding virus names.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 restless13


Posted 28 April 2009 - 06:21 AM

Did Trend Micro provide a specific file name associated with this malware threat(s) and if so, where is it located (full file path) on your system?

Each security vendor uses their own naming conventions to identify various types of malware so it's difficult to determine exactly what has been detected or the nature of the infection without knowing more information about the actual file(s) involved. See Understanding virus names.


It is located at C:\WINDOWS\system32\drivers\etc\host\78.167.62.131

#4 quietman7


Posted 28 April 2009 - 07:18 AM

That IP address resolves to TurkTelekom which is a Turkish telecommunications company. Is this organization your ISP?

The location points to the HOSTS file. Are you using a custom HOSTS file or have you made any modifications to it?

In Windows Vista and XP, the HOSTS file is located in this default location: C:\Windows\system32\drivers\etc\hosts. Anything that appears in your HOSTS file without an # at the beginning, except for the "127.0.0.1 localhost" line, should be viewed with suspicion. Although malware can be responsible for altering the HOSTS file in an attempt to redirect your browser, it does not do so without infecting other areas of your system.

To view the folder containing your Hosts file, go to Start > Run and type: %windir%\system32\drivers\etc\

The Hosts file has no extension. The easiest way to access and view the contents is by using Notepad.
  • Double-click on the HOSTS file.
  • A message will appear saying Windows can't open the file or Choose the program you want to open this file.
  • Scroll down the list of programs until you see Notepad.
  • Select it and click OK.
To view the Hosts file in Notepad automatically, go to Start > Run and type: notepad %windir%\system32\drivers\etc\hosts

#5 restless13


Posted 28 April 2009 - 09:40 AM

Thanks for your quick reply. TurkTelekom is my ISP.

I used notepad to view the hosts file. The first line is fine but after that there is a list of entries inserted by SpyBot - Search & Destroy such as (I'll copy&paste just a few lines):

127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 010402.com

and the file ends as:
# This list is Copyright 2000-2008 Safer Networking Limited
# End of entries inserted by Spybot - Search & Destroy

#6 quietman7


Posted 28 April 2009 - 10:49 AM

Yes, there are several legitimate security programs like SpySweeper and Spybot S&D which can add numerous entries to the HOSTS file. See Spybot Search & Destroy: HOSTS file viewer. If you open the Hosts file as you did, the note at the top will show all the entries were inserted by Spybot.

It appears this is a false detection by Trend Micro on parts of the hosts file immunization as threats. See this discussion thread at Spybot.

Try removing Spybot's HOSTS list and see if you still get the detection. Launch Spybot S&D and go to Mode > Advanced Mode > Tools > Hosts file.
Click the "Remove Spybot S&D hosts list" button (at the top).

#7 restless13


Posted 28 April 2009 - 12:00 PM

Yes, there are several legitimate security programs like SpySweeper and Spybot S&D which can add numerous entries to the HOSTS file. See Spybot Search & Destroy: HOSTS file viewer. If you open the Hosts file as you did, the note at the top will show all the entries were inserted by Spybot.

It appears this is a false detection by Trend Micro on parts of the hosts file immunization as threats. See this discussion thread at Spybot.

Try removing Spybot's HOSTS list and see if you still get the detection. Launch Spybot S&D and go to Mode > Advanced Mode > Tools > Hosts file.
Click the "Remove Spybot S&D hosts list" button (at the top).


I removed Spybot's HOSTS list and scanned again. This time Trend Micro Housecall 6.5 did not find any infections.

Thank you for your help.
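
Added example, not part of the original thread or any poster's code: a short Python audit of a HOSTS file that applies the rule from post #4 (every active line other than "127.0.0.1 localhost" deserves a look) and separates the loopback blocklist entries Spybot inserts from entries that redirect a name to a real address. The marker strings are taken from the lines quoted in post #5; the last sample line, the function name and the verdict labels are constructed for illustration.

```python
import ipaddress

# Constructed sample: the lines quoted in the thread plus one made-up
# redirect (203.0.113.7 is a documentation address) to show a real finding.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 010402.com
# This list is Copyright 2000-2008 Safer Networking Limited
# End of entries inserted by Spybot - Search & Destroy
203.0.113.7 www.example-bank.test   # constructed redirect entry
"""

START = "# start of entries inserted by spybot"
END = "# end of entries inserted by spybot"


def audit_hosts(text):
    """Return (line_no, ip, hostnames, verdict) for every active entry."""
    findings, in_spybot = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        low = line.lower()
        if low.startswith(START):
            in_spybot = True
        elif low.startswith(END):
            in_spybot = False
        body = line.split("#", 1)[0].split()   # drop trailing comments
        if len(body) < 2:
            continue                            # blank, comment or malformed
        ip, names = body[0], body[1:]
        try:
            addr = ipaddress.ip_address(ip)
            sinkhole = addr.is_loopback or addr.is_unspecified
        except ValueError:
            findings.append((no, ip, names, "invalid-address"))
            continue
        if sinkhole and all(n.lower() == "localhost" for n in names):
            verdict = "default"
        elif sinkhole:
            verdict = "block-spybot" if in_spybot else "block-unattributed"
        else:
            # The markers are only comments, so a non-loopback target is
            # flagged even when it sits inside the Spybot block.
            verdict = "REDIRECT"
        findings.append((no, ip, names, verdict))
    return findings
```

Calling `audit_hosts(open(path).read())` on a copy of the real file gives the same tuples; only the REDIRECT and invalid-address rows need manual review, while block rows explain why a scanner may flag the file.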

#8 quietman7


Posted 28 April 2009 - 12:04 PM

You're welcome.