Remote hosts on my computer

My name is Jim and I live in Ball Ground, Ga. I am not a computer geek, but I have some knowledge of these things.
I have a Windows XP update that will not post. I am running a free version of AVG and also System Mechanic from Iolo for computer clean up. A technician for Iolo says I have remote hosts accessing my computer and wants $200 to fix this problem. My only clue that I am infected is the inability to process the Windows XP update.

I read some of the tutorials here and tried to run the recommended programs to confirm and identify my infection. When I tried to run DDS it returned an unreadable page so I am unable to continue. Can someone tell me what to do next?

Hello, I moved this from XP to I Am Infected forum.

Your HOSTS file may be infected. So let's replace it, reboot in Safe Mode with Networking.
Click on Start then Run and type: %windir%\system32\drivers\etc\
Delete the following file: C:\WINDOWS\system32\drivers\etc\hosts


Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop.
Before you save it rename it to say zztoy.exe

alternate download link 1
alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
• Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

• If Malwarebytes Anti-Malware results in any error messages, check the Help file's list of error codes within its program folder first. If you do not find any information, please refer to Common Issues, Questions, and their Solutions, Frequently Asked Questions. If the error you are receiving is not in the list, please report it here so the research team can investigate.

• Some types of malware will target Malwarebytes Anti-Malware and other security tools to keep them from running properly. If that's the case, please refer to the suggestions provided in For those having trouble running Malwarebytes Anti-Malware.

First, let me Thank you for your easy to understand response. I followed your directions with a small (I believe) hitch. When I went to delete the hosts file there were 4 of them. Three of them were identified as "back-up". I gambled and deleted all 4. When I ran MBAM 2 infections were found and subsequently removed. I have attached the log (I hope). As I mentioned in my first post, my only clue that I had a problem was a Windows update that would not post and would not go away. Strangely enough, now it is gone so I was unable to see if this infection was what was keeping the update from posting. How will I know if everything is fixed now, and what would you recommend I use to keep this from happening again? Thanks again for your quick and well-worded response. Jim


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4610

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/13/2010 7:20:12 PM
mbam-log-2010-09-13 (19-20-12).txt

Scan type: Quick scan
Objects scanned: 131491
Time elapsed: 7 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hello, you are most welcome. We look very good here though we will do an online scan to be certain there are no remnants.

Good gamble,as I guess I should have beeen clearer. Wondows will put back the Default Hosts file when the active one is deleted.

The find in MBAM is due to the registry modifacation abilities in Iolo.
Let me quote miekiemoes, Administrators at Malwarebytes

Malwarebytes sees and reports that the association for these files are not the default ones as set by Windows (since malware may alter these associations as well). When you select to remove in mbam, mbam restores it to the default associations again (as set by Windows).
So you have 2 choices here... Or you ignore the detection in mbam, or you don't let System mechanic modify the default associations

Now we'll due the ESET Online scan. If alls clear I will give you the security info you requested and we'll mop up.

Please perform a scan with Eset Online Antiivirus Scanner.
This scan requires Internet Explorer to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.

• Click the green button.
• Read the End User License Agreement and check the box:
• Check .
• Click the button.
• Accept any security warnings from your browser.
• Check
• Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
• Click the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer.
• If offered the option to get information or buy software at any point, just close the window.
• The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
• When the scan completes, push
• Push , and save the file to your desktop as ESETScan.txt.
• Push the button, then Finish.
• Copy and paste the contents of ESETScan.txt in your next reply.

Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt

• Click Ok and the scan results will open in Notepad.
• Copy and paste the contents of log.txt in your next reply.

-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

NOTE: In some instances if no malware is found there will be no log produced.

Thank You again. I ran ESET scanner per your directions. It took about 36 minutes and no threats were found. I would like to give you a little more depth into what brought me here. Several weeks ago, I'm not sure exactly when, I began getting the message at shutdown that updates to windows had been downloaded and would apply before shutdown occured. This was a fairly normal occurence so I wasn't concerned until I realized it was happening every night. I talked with a co-worker about this and he suggested that I turn off the automatic update feature thereby allowing me to control the download and update. When I did this I would receive a prompt at start-up from a sheild icon on the start-up line saying I had updates ready to download. I would click on the message to download the updates then I would get another message to start the update process. Within a matter of less than a minute I would get another message telling me that the updates were not applied. The next time I turned the system on I would get the same messages and the same results.

I received an e-mail from Iolo offering me free access to their 24/7 support to answer or investigate any computer problems I might have. I thought they might be able to solve the mystery of the never-ending update process. A technician who happened to be in India said he could help me and would I allow him access to my computer. He immediately displayed on my screen that I had multiple remote hosts and then showed me a list of error messages supposedly from my computer that was a couple of pages long and went back several months. He told me that my computer was badly infected. He also said that my free access covered only the analysis and that he could fix my computer in an hour for a charge of $199.95. I was born at night, but it wasn't last night so I told him I was going to research other options.

The most recent update on my problem is this: At start-up tonight I got the message that updates were ready to download. I clicked to download and saw a list of 5 or 6 fixes to update security, however I never got the option to apply these updates. I checked the list of applied updates from control panel and nothing has been applied since 8-11. Maybe these updates will apply when I shut down, maybe not. My computer has not been particularly fast lately, but I have no other indications of any infection. Thanks for patiently hearing me out! Jim

Lets do one more deep scan as even if i cannot get this we can get it fixed here at BC for free and day or night ,LOL. If it's not malware we'll find the other corupt process.
This is a long scan can run 2 hoiurs or a few more.


Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:

• Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
• Read the anti-virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
• The Express scan will automatically begin.
  (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
• If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
• If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)

• After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
• In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
• Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
• Please be patient as this scan could take a long time to complete.
• When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
• Click Select All, then choose Cure > Move incurable.
• In the top menu, click file and choose save report list.
• Save the DrWeb.csv report to your desktop.
• Exit Dr.Web Cureit when done.
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
• After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Because of my work schedule I did not have time to follow your last instructions until today. I will attach the log file from Dr. Web Cure it. One trojan was found in two places. I do not think this is a serious infection primarily because it was imbedded in photo editing software I received with my digital camera many years ago. It was incurable so I had it moved.

Since my previous post some things need to be mentioned. I downloaded a total of 9 updates to micosoft and all but 1 of them posted sucessfully. The one that did not appears to be the source of my ongoing problem. It is an update to Microsoft.NET Framework 1.1 SP1 Security update for Windows XP (KB979906). I did a search on this number and found a forum where a number of users have reported having the same problemI am having. In this forum several fixes were suggested but as far as I could tell, none of them were successful at completing the update or removing it fromtheir computer. I suspect we have been looking for a problem in my computer when the problem may be Micosoft"s.

AVI.GIM;C:\Program Files\DiMAGE Viewer\Importer;Trojan.Chow.origin;Incurable.Moved.;
MOV.GIM;C:\Program Files\DiMAGE Viewer\Importer;Trojan.Chow.origin;Incurable.Moved.;

See if the resolution here takes care of it.
http://support.microsoft.com/kb/889109