
WinPatrol is reporting repeated attempts to change HOSTS file


  • This topic is locked
6 replies to this topic

#1 cllgegrl


Posted 18 April 2010 - 03:49 AM

Hi,

I recently got some kind of spyware on my computer that screwed me all up. I tried cleaning it up on my own but I have not been successful. About 2 days ago, I cleaned up my computer by running Spybot, CCleaner, MBAM, and IOBIT Security 360. Then suddenly, I noticed these pop-up messages from WinPatrol saying it has detected a change in my HOSTS file. I checked to see what it was changing and of course there are redirects. I reject the change but my hosts file is still being modified. I tried setting it to Read-Only but that doesn't help either. My internet also seems a lot slower. I pull up YouTube vids and even when they're about 3 min long, I have to pause them and wait a few secs for them to load to prevent freezing. My HSD speed is 8Mbps. Is there a way to find out what program is accessing my hosts file, and if this is related to my slow internet? MBAM came up with nothing and Spybot says it cleaned whatever it found. All of my programs are also up to date. Thank you.


Edited by elise025, 18 April 2010 - 05:50 AM.
Since a log is posted I am moving this from XP to Malware Removal forum ~ Elise
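
The check described in post #1 (reading the HOSTS file and looking for redirect entries) can be scripted. This is an added example, not part of the original thread; the sample entries are constructed, and treating loopback and 0.0.0.0 mappings as "sinkhole" rather than "redirect" is an assumption of this sketch.

```python
import ipaddress

# Constructed sample for illustration; not the poster's actual HOSTS file.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net      # blocklist-style entry
203.0.113.10    www.example.com example.com
198.51.100.7    update.example.org   # trailing comment
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for every mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield line_no, fields[0], [h.lower() for h in fields[1:]]

def audit_hosts(text):
    """Return (line_no, kind, address, hostnames) for entries needing review."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, "malformed", addr, names))
            continue
        local = ip.is_loopback or ip.is_unspecified
        extra = [n for n in names if n != "localhost"]
        if not local:
            # Name is steered to some other machine: the redirect case.
            findings.append((line_no, "redirect", addr, names))
        elif extra:
            # Name is made unreachable; may be a blocklist or tampering.
            findings.append((line_no, "sinkhole", addr, extra))
    return findings

def audit_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Audit a HOSTS file on disk (default is the usual Windows location)."""
    with open(path, "r", encoding="utf-8-sig", errors="replace") as fh:
        return audit_hosts(fh.read())

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(*finding)
```

Running it before and after a WinPatrol alert and comparing the two result lists shows exactly which mappings were added.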




#2 cllgegrl


Posted 18 April 2010 - 11:41 PM

OK, thank you Elise. I wasn't sure where to post it. I'll wait for a response.

#3 sempai (Malware Response Team)

Posted 19 April 2010 - 10:05 AM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.


Please read the preparation guide here => http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Then post the required logs when you reply and we will begin from there. Thanks.

~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#4 cllgegrl


Posted 21 April 2010 - 08:14 AM

Hello,

I tried downloading the backup software and creating a backup file but I kept getting an error saying it was not a valid filename and to make sure that I had access to the location I was trying to save the backup.

Shortly afterwards, I started getting pop-ups about Antimalware Doctor. I ended the processes that popped up but now I have ZERO access to all of my browsers so I'm stuck. I get an error when I launch any browser. It says something like 'firefox/ws2_32.dll is not a valid windows image' if I am remembering correctly. May I please get help with this so that I may finish the initial steps and post the requested logs?

I am posting from my cell phone at this point.

Thank you

#5 sempai


Posted 22 April 2010 - 07:55 AM

Hi cllgegrl,

If any of your browsers does not work, we need to use another PC to download the tools and transfer them to your infected PC.


+++++++++++++++++++++++


1. Please run Flash Disinfector on both the clean and the infected PC.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.



2. Please download RKill by Grinler.
Link 1
Link 2
Link 3
Link 4
  • Save it to your desktop.
  • Close/disable your anti-virus programs so they do not interfere with RKill. (Tutorials on how to disable your anti-virus program can be found HERE.)
  • Double click the RKILL icon to start the program. (For Windows VISTA, right click the icon and run as administrator)
  • A window will appear and close automatically once completed. This indicates a successful run.
  • Do not reboot your computer and continue with step 3.
  • Post the rkill log when you reply. (C:\rkill.log)
Note:
  1. Try running RKill using Link 1, if it does not run, download Link 2 and delete Link 1 then try running it again.
  2. If you still can't run RKill, repeat the same steps using Link 3 and 4. Please tell me if none of the links work.



3. Please download Malwarebytes' Anti-Malware from here:
MalwareBytes' AntiMalware download link

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



~Semp
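
The note in post #5 says a folder named autorun.inf in a drive root keeps an autorun file from being installed there. The following is an added example, not part of the original post and not Flash_Disinfector's own code: it reports whether a drive root has no autorun.inf, the folder placeholder, or a real file, and in the last case lists the commands the file would launch. The sample file content is constructed, and the set of keys treated as launch commands is this example's choice.

```python
import os

LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample, not taken from the thread.
SAMPLE_AUTORUN = r"""[AutoRun]
; comment line
open=setup.exe /s
icon=setup.exe,0
shell\explore\command = tool.exe
[other]
open=ignored.exe
"""

def parse_autorun(text):
    """Return (key, command) pairs an [autorun] section asks Windows to run."""
    section, commands = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            commands.append((key, value))
    return commands

def check_drive_root(root):
    """Classify autorun.inf in a drive root as 'absent', 'folder' or 'file'."""
    for name in os.listdir(root):
        if name.lower() != "autorun.inf":
            continue
        path = os.path.join(root, name)
        if os.path.isdir(path):
            # A folder with this name occupies the slot a file would need.
            return "folder", []
        with open(path, "r", errors="replace") as fh:
            return "file", parse_autorun(fh.read())
    return "absent", []

if __name__ == "__main__":
    print(parse_autorun(SAMPLE_AUTORUN))
```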



#6 sempai


Posted 26 April 2010 - 08:37 AM

Do you still need help?

~Semp



#7 sempai


Posted 27 April 2010 - 08:56 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

~Semp





