
Security Antivirus



#1 Concept82

Concept82


Posted 14 February 2010 - 05:44 AM

Hey Guys, I have the security antivirus trojan and can't get rid of it :thumbsup:

I have followed the steps at http://www.bleepingcomputer.com/virus-remo...urity-antivirus

but when I rebooted it was still there. The only steps that I did slightly differently were


We now need to delete the C:\Windows\System32\Drivers\etc\HOSTS file.

There was no file called Hosts file in the etc folder. There was a file called imhosts though, so I deleted that? Maybe that's not it though?


and secondly the other step was

Once it is deleted, download the following HOSTS file that corresponds to your version of Windows and save it in the C:\Windows\System32\Drivers\etc folder.
Windows XP HOSTS File Download Link
Windows 2003 HOSTS File Download Link
Windows Vista HOSTS File Download Link
Windows 2008 HOSTS File Download Link
Windows 7 HOSTS File Download Link

I clicked the Windows XP link but it just brought me to a webpage with info on it. I didn't know how to save it as a file so I pressed the Microsoft automatically fix it option at the link http://support.microsoft.com/kb/972034


Every other step I followed exactly, removed nearly 800 infections from MBAM. Can anyone please help me out with this? Thanks very much


 


#2 Shadow Slash

Shadow Slash


Posted 14 February 2010 - 07:09 AM

We now need to delete the C:\Windows\System32\Drivers\etc\HOSTS file.

There was no file called Hosts file in the etc folder. There was a file called imhosts though, so I deleted that? Maybe that's not it though?


I think you need to show the hidden system files to see the HOSTS file. You can do so by opening up explorer and going to Tools > Folder Options... and following my image below.

Posted Image

#3 Concept82

Concept82

Posted 14 February 2010 - 02:42 PM

Thanks, I've tried unhiding files but still can't see any hosts file?

#4 Concept82

Concept82

Posted 15 February 2010 - 12:13 PM

Hi Guys, does anyone know how I can get rid of this trojan? It says in the removal steps to delete the hosts file at C:\Windows\System32\Drivers\etc\HOSTS but there is no hosts file in the etc folder for me. I have tried unhiding files but it's still not there. There is a file called imhosts, is this the same thing? Can anyone please help me out, this thing is driving me crazy :thumbsup:

#5 boopme

boopme


Posted 16 February 2010 - 11:52 AM

Hello, here's some info on the hosts file and how to replace it. (I borrowed this from our quietman7, thanks)
The HOSTS file is a text file that maps an IP address to a name. It has no extension and can be viewed using notepad. At the top is an explanation of the simple syntax. Each line is an IP address, a domain name, and an optional comment placed after a # sign. In Windows XP, 127.0.0.1 localhost is the universal IP address of all local computers and is the standard hostname given to the address of the loopback network interface which refers to the local computer only.

The original purpose of HOSTS files was to map the proper address to a site's name but now it's also used for blocking purposes. The loopback address is used to stop web ads from displaying because 127.0.0.1 indicates home (the location of your computer) and whatever is redirected home will not leave the system. Anything that appears in your HOSTS file without a # at the beginning, except from the "127.0.0.1 localhost" line, should be viewed with suspicion. In Windows Vista the IPv6 localhost is ::1 localhost by default. To learn more about this, you can read Hosts File FAQS and LMHosts and Hosts files.

Since the Hosts file is often used and altered by malware, some security programs (like Spybot S&D) will lock the file's read-only attributes as protection so it cannot be changed without your knowledge unless you disable that feature. As such, you may receive an access is denied message.

When you go into Spybot > Mode > Advanced Mode > Tools > Hosts File and do an "Add Spybot-S&D hosts list", Spybot..."lock" the HOSTS file by setting the attributes on the HOSTS file to read-only.

If you do not want the read-only attribute set on the HOSTS file after doing a "Add Spybot-S&D hosts list", go into Spybot > Mode > Advanced Mode > Tools > IE Tweaks. Under "Miscellaneous locks" uncheck the following: * Lock Hosts file read-only as protection against hijackers.

Spybot Forums: Host file - Access is Denied

There are several legitimate security programs like SpySweeper, STOPzilla, Spybot S&D, etc. which can add entries to the HOSTS file and that action may be detected as a change. If you use Spybot's immunization facility the "Global (Hosts)" profile adds entries to the HOSTS file. If you downloaded and used a custom HOSTS file or made edits, that too would trigger a change detection. If you did not make any changes or do not have security programs with these features, then you need to investigate what the changes are.

To view the folder containing your Hosts file, go to Start > Run..., and in the Open box, type: %windir%\system32\drivers\etc\
Click Ok.

The easiest way to access and view the contents is by using Notepad.
  • Double-click on the HOSTS file.
  • A message will appear saying Windows can't open the file or Choose the program you want to open this file.
  • Scroll down the list of programs until you see Notepad.
  • Select it and click OK.
To view the Hosts file in Notepad automatically, go to Start > Run..., and in the Open box, type: notepad %windir%\system32\drivers\etc\hosts
Click Ok.

After unlocking the Hosts file, you can restore the file to its default as follows:

Please download HostsXpert - Hosts File Manager
  • Create a new folder on your hard drive called HostsXpert (C:\HostsXpert) and extract (unzip) the file there. (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Open the folder and double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- If the Hosts file does not exist, you will be prompted to create a new one. Just press "Ok".
-- If you were using a custom Hosts file you will need to replace any of those entries yourself.


Note: Vista's UAC blocks access to the HOSTS file since it's a system file. To get around this you can either turn off UAC and edit it normally, or copy the HOSTS file to your desktop and edit the copy there. Then rename the copied file on your desktop to HOSTS and drag it into the etc folder. When asked if you want to overwrite the existing hosts file, click yes. See Updating the HOSTS file in Windows Vista.


Did you run the MBAM scan?


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
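
The line format described in reply #5 (an IP address, a host name, and an optional comment after a # sign), as an added example that is not part of the original thread: a Python sketch that parses HOSTS file text and lists every active entry other than the default localhost lines. The sample contents, host names and addresses are constructed for illustration, and the function names are this example's own.

```python
import ipaddress

# The only active entries the post treats as expected by default.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample text (not taken from any real system).
SAMPLE = """\
# constructed sample, not a real system's file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.com   # loopback entry used for blocking
203.0.113.10    update.example.com www.example.com
not-an-ip       broken.example.com
#203.0.113.99   disabled.example.com
"""

def parse_hosts(text):
    """Yield (line_no, ip, [names]) for each active (non-comment) line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()  # drop the optional comment
        if body:
            fields = body.split()
            yield line_no, fields[0], fields[1:]

def audit_hosts(text):
    """Return (line_no, kind, ip, name) for every non-default entry.

    kind is "loopback" (name pointed at the local machine, as blocking
    lists do), "redirect" (name mapped to another address) or
    "malformed" (first field is not an IP, or no host name follows).
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            addr = None
        if addr is None or not names:
            findings.append((line_no, "malformed", ip, " ".join(names)))
            continue
        for name in (n.lower() for n in names):
            if (str(addr), name) in DEFAULT_ENTRIES:
                continue
            kind = "loopback" if addr.is_loopback else "redirect"
            findings.append((line_no, kind, str(addr), name))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

To check a real file, pass the text read from %windir%\system32\drivers\etc\hosts to audit_hosts; an empty result means only the default localhost lines are active.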

#6 Concept82

Concept82

Posted 16 February 2010 - 04:25 PM

Thanks for the help boopme. According to the removal steps for this trojan given on this site I have to delete the host file

We now need to delete the C:\Windows\System32\Drivers\etc\HOSTS file. Once it is deleted, download the following HOSTS file that corresponds to your version of Windows and save it in the C:\Windows\System32\Drivers\etc folder.

When I go into the etc file there is no hosts file. Yet when I tried the way you just posted:
start> run> notepad %windir%\system32\drivers\etc\hosts the Notepad file just came up. I'm not sure what's happening here, maybe this is being done by the trojan?

Thank you



