invisible host file


2 replies to this topic

#1 chtyrone

Posted 30 April 2010 - 08:17 AM

PC running XP Service Pack 3. Running Norton.

Hijackthis was throwing up a load of redirection O1s (50-60 no).

I've run Malwarebytes and Combofix and Avira and none of them worked.
I've actually gone and deleted the hosts file in windows/system32/drivers/etc but they were still there in Hijackthis.

I went to the hosts directory (see above) through the recovery console.
Using the cacls command, it showed the hosts file as still being there but with a permission of
"NT authority authorised user - special access."

The bottom line to this is that it doesn't show up in Windows directory listings (hidden file or not).
As well as that, you can't delete it or edit it, in recovery mode, command line, safe mode - any mode.
Neither Combofix nor any of about 6 other antispyware/rootkit programs can do anything with the invisible hosts file.

I moved hard drive to second pc (secondary drive) at this stage. After trawling the internet I found a program called gmer which is a rootkit killer, but has a utility for deleting files. This is the only thing I found which would delete it.

Programs that tried and failed to delete/edit the hosts file....
Avira Free version.
Malwarebytes
Combofix
SuperAntispyware.
WinPatrol
Spybot

Include HostsXpert in that list. It was able to read the "invisible" hosts file but not edit or delete it.

Anybody come across this before?

Edited by Pandy, 30 April 2010 - 09:43 AM.
Moved from Breaking Virus & Security News to a more appropriate forum ~Pandy


#2 chtyrone

Posted 07 May 2010 - 03:34 AM

Strange that this is being ignored as I believe it to be a very dangerous development, not only in terms of the "hosts" file, but the possibility that any file can be hidden (or at least made read-only) using this "special access" protection.

Edited by chtyrone, 07 May 2010 - 03:36 AM.


#3 Elise

Posted 10 May 2010 - 04:30 AM

This is Spybot's immunization and perfectly normal, no dangerous hidden hosts file :thumbsup:
Most likely those hosts entries start with 127.0.0.1 and then a bad site, which means that, were you to access a site listed there, you will not go there but instead be presented with a "page not found".

Can you tell me what problems you have other than this that make you think you might be infected?

regards, Elise


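Elise's distinction can be checked by sorting hosts entries into those that point a name at a loopback or null address (a block) and those that point it at any other address (a redirect worth investigating). The following is an added example, not part of the thread or of any tool named in it; the sample hosts content is constructed, and treating `0.0.0.0` as a block alongside `127.0.0.1` is an assumption.

```python
import ipaddress

# Constructed sample, not taken from the thread: blocking entries of the kind
# Elise describes, one redirect to a routable address, one malformed line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       bad-site.example        # immunization-style block
0.0.0.0         ads.example tracker.example
203.0.113.10    www.bank.example        # resolves a name to a chosen address
not-an-ip       broken.example
"""


def classify_hosts(text):
    """Sort hosts-file entries into default, blocked, redirected and malformed."""
    result = {"default": [], "blocked": [], "redirected": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # comments start at '#'
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None
        if addr is None or len(fields) < 2:      # bad address or no hostname
            result["malformed"].append((lineno, raw.strip()))
            continue
        for name in fields[1:]:                  # one line may list several names
            name = name.lower()
            if addr.is_loopback or addr.is_unspecified:
                # The name resolves to the local machine: the site is unreachable.
                key = "default" if name == "localhost" else "blocked"
                result[key].append(name)
            else:
                # The name resolves to a real address chosen by whoever wrote it.
                result["redirected"].append((name, str(addr)))
    return result


if __name__ == "__main__":
    report = classify_hosts(SAMPLE_HOSTS)
    print(f"{len(report['blocked'])} blocked name(s)")
    for name, target in report["redirected"]:
        print(f"REVIEW: {name} -> {target}")
    for lineno, raw in report["malformed"]:
        print(f"malformed line {lineno}: {raw}")
```

A hosts file made up only of `blocked` entries matches the immunization behaviour described above; any `redirected` entry deserves a closer look.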