Rkill - Hosts - Clueless !


9 replies to this topic

#1 Habesque

Habesque

  • Members
  • 74 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:England, UK
  • Local time:02:56 PM

Posted 20 May 2015 - 10:42 AM

Yes, I am still using XP, and yes, I know there is a trojan on the computer. I have been chasing it for weeks using various downloads without success and so have turned to Rkill on advice, where Rkill tells me there are hosts to edit, 15493 of them, and from the 20 Rkill displayed, yes, I can see there are some questionable ones in there.

 

But how? What am I doing? I have no idea, as I have never 'messed' around with the nuts and bolts of an operating system before and I really don't want to blunder in and destroy the operating system, as I need this machine as a backup as the one I am using now is not that healthy either (Linux Live disk - it's that bad), where the idea of course is fix one then fix the other.

 

But an observation: after running Rkill and my chosen anti-malware (the free versions of superantispyware, malwarebytes and spybot), my machine appears to have lost its WIFI login data and I can no longer access the net, where instead of reinputting the data I wonder, could this be the action of the trojan?





#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,479 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:56 AM

Posted 20 May 2015 - 04:15 PM

Rkill will display the first 20 valid entries in the HOSTS file which sometimes is altered (modified) by malware infection. Rkill will also check the permissions on the HOSTS file and reset them if the administrator does not have proper permissions. Modification of this file does not necessarily mean your system is infected since some legitimate security programs and custom HOSTS files can also add numerous entries.

For example, Spybot S&D offers four levels of protection to include...Immunization, Resident SDHelper, TeaTimer, Hosts file protection (adding entries).

If you used Spybot's immunization feature, the "Global (Hosts)" profile typically adds about 15493 entries to the HOSTS file starting with 127.0.0.1. If you open the Hosts file, the note at the top and bottom will show the entries were inserted by Spybot:
# Start of entries inserted by Spybot - Search & Destroy
# This list is Copyright 2000-2008 Safer Networking Limited
127.0.0.1	007guard.com
127.0.0.1	www.007guard.com
127.0.0.1	008i.com
127.0.0.1	008k.com
127.0.0.1	www.008k.com
127.0.0.1	00hq.com
127.0.0.1	www.00hq.com
127.0.0.1 	legal-at-spybot.info
127.0.0.1 	www.legal-at-spybot.info
127.0.0.1...
# This list is Copyright 2000-2007 Safer Networking Limited
# End of entries inserted by Spybot - Search & Destroy
If you perform an "Undo" via the Immunize button on the Spybot main screen, the entries Spybot added should be removed.

RKill should have created a log file named RKill.log and saved it to the root directory, usually C:\. Open it in Notepad...then copy and paste the contents of the RKill.log in your next reply.


Internet connectivity problems can occur for a variety of reasons to include corrupted networking software installation, third-party software inserting itself into the network adapter settings, misconfiguration or corruption issues with TCP/IP protocol stack and Winsock due to malformed LSP, deletion or incorrect removal of networking software and removal of a malware component which had inserted itself into the winsock. There are some common (but simple) solutions which can help resolve connectivity issues...refer to these instructions.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
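
A triage sketch for the distinction drawn in the reply above, added here as an example (it is not RKill's or Spybot's code and not from the thread): entries inside the Spybot marker comments that point at loopback are block-list sinkholes, while any entry mapping a name to a non-loopback address is a real redirect and is flagged wherever it sits. The sample file, the function name `triage_hosts`, the address 203.0.113.7 and the `.example` names are constructed for illustration.

```python
import ipaddress

SPYBOT_START = "# Start of entries inserted by Spybot"
SPYBOT_END = "# End of entries inserted by Spybot"

# Constructed sample: Spybot-style block plus two extra entries after it.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
# This list is Copyright 2000-2008 Safer Networking Limited
127.0.0.1\t007guard.com
127.0.0.1\twww.007guard.com
127.0.0.1\t008i.com
# End of entries inserted by Spybot - Search & Destroy
203.0.113.7     bank.example
127.0.0.1       updates.example
"""

def triage_hosts(text):
    """Sort HOSTS entries into Spybot sinkholes, other loopback entries and redirects."""
    report = {"spybot": [], "other_loopback": [], "redirect": [], "malformed": []}
    in_spybot = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(SPYBOT_START):
            in_spybot = True
        elif line.startswith(SPYBOT_END):
            in_spybot = False
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            report["malformed"].append((lineno, raw))
            continue
        if len(fields) < 2:                      # address with no host name
            report["malformed"].append((lineno, raw))
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified
        for name in fields[1:]:
            if not sinkhole:
                # Markers are only comments, so a redirect is flagged even inside them.
                report["redirect"].append((lineno, str(addr), name))
            elif in_spybot:
                report["spybot"].append(name)
            elif name.lower() != "localhost":
                report["other_loopback"].append((lineno, name))
    return report
```

On Windows the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; pass its contents to `triage_hosts` and review the `redirect` and `other_loopback` lists first.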

#3 Habesque

Posted 20 May 2015 - 09:21 PM

Thank You for your reply Quietman7, it is much appreciated though I will admit much of what you said went right over my head, but I will look again tomorrow as it is late now and my concentration has just about had it.

 

The computer that I have the issue with, well one of them, is a Dell Inspiron 1501 I was given in the hope I could get it working, where I was told a repair agency said it was not worth repairing due to its age and the fact that there is a mean trojan on it, the aforementioned I have been chasing on and off for weeks as I need a backup computer and this is it, if I can get it working properly, where it is destined for dual boot between XP and Linux when I can find a Linux distro that works out of the box with a Dell/Broadcom wireless card, as I have heard about this computer and Linux.

 

Now the WIFI issue: it was working with no problems prior to the security sweeps I did today and the security programs mentioned reported no infections, but it seems all the connection data has somehow disappeared, disabling the WIFI signal detection, which I thought was strange behaviour given it was working an hour before, hence my wondering if it was the action of the trojan, which none of my security programs are detecting at the moment, which has got me kind of worried.

 

But of course the Rkill created a log file and I will upload it at some point tomorrow.

 

Again thanks.



#4 quietman7

Posted 21 May 2015 - 05:24 AM

I understand so not a problem.

See Step 5 in the topic link I provided with suggestions for regaining loss of Internet Connectivity. It is not uncommon for security tools to remove third-party software they deem unsafe (PUPs). If not removed properly or inadvertently removed by security tools, loss of connectivity often results.

#5 Habesque

Posted 21 May 2015 - 04:31 PM

Hi, the Rkill log;

 

---------------------------------

 

* No issues found.
Checking HOSTS File:
* Cannot edit the HOSTS file. * Permissions Fixed. Administrators can now edit the HOSTS file.
* HOSTS file entries found:

  127.0.0.1       localhost
  127.0.0.1    www.007guard.com
  127.0.0.1    007guard.com
  127.0.0.1    008i.com
  127.0.0.1    www.008k.com
  127.0.0.1    008k.com
  127.0.0.1    www.00hq.com
  127.0.0.1    00hq.com
  127.0.0.1    010402.com
  127.0.0.1    www.032439.com
  127.0.0.1    032439.com
  127.0.0.1    www.0scan.com
  127.0.0.1    0scan.com
  127.0.0.1    1000gratisproben.com
  127.0.0.1    www.1000gratisproben.com
  127.0.0.1    1001namen.com
  127.0.0.1    www.1001namen.com
  127.0.0.1    100888290cs.com
  127.0.0.1    www.100888290cs.com
  127.0.0.1    www.100sexlinks.com

  20 out of 15493 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 05/20/2015 02:32:27 PM
Execution time: 0 hours(s), 1 minute(s), and 4 seconds(s)

---------------------------------------------------------------------------------------------------------

 

But interesting, researching some of the above names, I see some are Spybot, but I came across another Rkill log in Pastebin that had all of what is above but without the 100sexlinks entry.
 

 

And interesting as regards my Wifi, turning the machine off and on again restored the connection.


Edited by Habesque, 21 May 2015 - 04:33 PM.


#6 quietman7

Posted 21 May 2015 - 05:29 PM

Sometimes a simple reboot can resolve a lot of issues.

Yes...www.100sexlinks.com is an entry added by Spybot years ago. More example entries shown here.

#7 Habesque

Posted 21 May 2015 - 05:42 PM

Curious, Firefox reports the link provided as an Untrusted Connection, but is Rkill reporting an issue on my computer or is what has been generated Spybot?



#8 quietman7

Posted 21 May 2015 - 06:25 PM

Rkill is displaying (reporting) the first 20 valid entries in the HOSTS file...which in your case was created by Spybot.

#9 Habesque

Posted 22 May 2015 - 08:30 PM

So, am I to understand Rkill found no infections on this computer?

 

If so, thank you for your help.



#10 quietman7

Posted 22 May 2015 - 08:44 PM

RKill is a specialized tool designed to terminate the most common malicious processes that prevent other security tools from being executed, complete a scan or used to disinfect the system. When RKill is able to terminate malicious processes and fix certain registry keys, that action usually allows other tools to perform scans and clean up routines to remove the infection. Therefore a scan with Malwarebytes Anti-Malware or similar tool should be completed immediately after running RKill.

Since RKill is not designed to be a comprehensive malware removal tool, using it is not required in all situations. If you are able to run other security tools without them terminating, there is no need to run RKill. However, if RKill is run separately without or after other security tools, its log can provide useful information to help diagnose the presence of malware or report other issues, as the developer (Grinler) added some basic enumeration to the tool for various infections.

Your log said No issues found.

