
Trojan Virus in HOSTS --- NAV & PCCillin Won't Fix


5 replies to this topic

#1 jumpy23


    Member

  • New Member
  • 3 posts

Posted 11 July 2004 - 04:57 PM

Norton antivirus auto-detects a trojan virus in C:\WINDOWS\system32\drivers\etc\hosts. The virus alert pops up every 4 seconds.

I've run Ad-Aware, Spybot and CWS Shredder... all latest versions. Nothing fixed the trojan virus alerts.

I've disabled XP restore points, rebooted in safe mode, ran Norton Antivirus and quarantined the only infected file... the hosts file in the above folder. There were no other viruses found. The virus found in the hosts file was NOT part of the Temp Internet Files folder. I rebooted only to have the virus alert pop up again, every 4 seconds.

I've scanned the registry for hosts without finding anything in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run folder. A full registry search for hosts didn't show anything related to the C:\WINDOWS\system32\drivers\etc\ folder.

I've run PC-Cillin in safe mode without any results.

I've run NAV and PCCillin in NON-Safe (normal) mode, and NAV doesn't even find ANY virus in normal mode. But when I rerun it in safe mode... THEN it finds the file. But, again, only to quarantine (it's unable to delete/fix file) and only to have the hosts/trojan pop-up in 4 seconds when rebooted in normal mode.

Originally (1 week ago), the problem started in the C:\WINDOWS\hosts file. All the problems listed above occurred. So, tired of not finding the source of the trojan, I went into the CMD DOS shell to change hosts to 127.0.0.1 LOCALHOST and change permissions on hosts. Sure, the virus stopped popping up in the C:\WINDOWS\hosts file. But when rebooted in normal mode, the virus alert showed up in the folder listed at the beginning of this email (i.e. C:\WINDOWS\system32\drivers\etc\hosts).

Here's my Hijack file:

Logfile of HijackThis v1.98.0
Scan saved at 7:36:54 PM, on 7/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\SPRINT~1.0OF\Sprint\CAgent.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Contour ShuttlePRO\ShuttlePRO Helper.exe
C:\WINDOWS\system32\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ShuttlePROEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Documents and Settings\Dudley\Desktop\Sys Tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6BAC6123-EB67-2CBC-D120-62557FA62C4A} - C:\WINDOWS\System32\wcj.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\Dudley\Application Data\winup\winup.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\PROGRA~1\SPRINT~1.0OF\Sprint\CAgent.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ShuttlePRO Helper] "C:\Program Files\Contour ShuttlePRO\ShuttlePRO Helper.exe"
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Trto] C:\Documents and Settings\Dudley\Application Data\hbsu.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro...pr...ll_pre.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...00...taller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...77...xIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...03...scan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro...do...Button.CAB

By the way, I can LiveUpdate my NAV.

And both NAV and PC-Cillin were using up-to-the minute latest virus definitions. And NAV had all page defaults restored before running.

Help, please.

Cheers,

#2 Guest_SirJon_*

  • Guests

Posted 11 July 2004 - 06:04 PM

Do a search and find all HOSTS files on the PC. Make sure you set your PC to SHOW ALL FILES and uncheck HIDE EXTENSIONS. It could be that your real HOSTS file has been changed to another file extension and that the Trojan could be masquerading as a file named HOSTS. Check for the size of all the HOSTS files you find and try to open them. You can always make a new HOSTS file if you delete them. Here is a great tool:
http://software.brow...estorehosts.exe

Delete all contents from your TEMP folders, i.e. Temp Internet Files, C:\Windows\Temp, and C:\Documents and Settings\Your Username\Local Settings\Temp

#3 jumpy23


    Member

  • New Member
  • 3 posts

Posted 11 July 2004 - 08:30 PM

Yup, deleted all hosts except the c:\windows\hosts. Edited the file so that it only read 127.0.0.1 localhost. Still had the trojan reinfect the file. (after all, we're not dealing with the source of the problem).

Later, I changed the permissions on the c:\windows\hosts file. The trojan then created a host file in c:\windows\system32\drivers\etc\ folder. Even when this hosts file is deleted, the trojan recreates it in the c:\windows\system32\drivers\etc folder.

Deleted all the temp files (redid them again today in all folders you listed) during safe mode. The virus reappears when rebooted in normal mode.

(Funny side note: I changed the permissions on the c:\windows\hosts file so harshly that I don't have access to change it or even list its contents from DOS.) Anyway, it's still only 21 bytes, which is the original line I created... i.e. 127.0.0.1 localhost.

Problem still exists in c:\windows\system32\drivers\etc\hosts.

#4 jwbirdsong


    Slasher O' spyware

  • Emeritus
  • 2,045 posts

Posted 11 July 2004 - 08:52 PM

FWIW, c:\windows\system32\drivers\etc\hosts is the default location for the hosts file in WinXP...

Press Ctrl+Alt+Del and 'end task' on any of the following that are present:
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\explorer.exe
Put a check next to these in hijackthis:
O2 - BHO: (no name) - {6BAC6123-EB67-2CBC-D120-62557FA62C4A} - C:\WINDOWS\System32\wcj.dll
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\Dudley\Application Data\winup\winup.dll (file missing)
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKCU\..\Run: [Trto] C:\Documents and Settings\Dudley\Application Data\hbsu.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE <---Optional but highly recommended to remove; not needed at startup and a huge resource hog
O4 - HKLM\..\Run: [ShuttlePRO Helper] "C:\Program Files\Contour ShuttlePRO\ShuttlePRO Helper.exe" <-----The ONLY other listing in a Google search for this is your log at CC; if you didn't install this or know what it is, mark for removal
THEN, WITH ALL OTHER WINDOWS CLOSED, press "Fix".


Make sure you are set to Show Hidden Files and Folders and delete the following files/folders:
C:\Program Files\Contour ShuttlePRO\ <---Optional, only delete if removed above in O4)
C:\WINDOWS\system32\explorer.exe <---Make certain of LOCATION. Don't delete any files other than system32\explorer.exe; there are others in different locations that are GOOD
C:\Documents and Settings\Dudley\Application Data\hbsu.exe
c:\windows\system32\drivers\etc\hosts
If ANY of the above won't delete, reboot to safe mode for removal (instructions)

Delete files/folders from the following directories (but not the directory itself; for example, delete all files/folders IN temp, but not temp itself!)
  • C:\Windows\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <---This will delete your internet cache, including cookies. This is recommended and strongly suggested.
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
  • Empty your "Recycle Bin"


After a reboot, replace the HOSTS file either with the default, i.e. localhost 127.0.0.1, or get one from the MS MVP link in my signature (my recommendation).
Then Reboot and post a fresh log back to this thread.

Edited for spelling.

Edited by jwbirdsong, 11 July 2004 - 08:59 PM.

Things you need(all FREE)
Anti-Virus (Only One of these)
AVG Avast
Firewall (Only One here too)
Kerio(Direct Download) Zone Alarm
Misc. (Use all 3 together)
IE Spyads SpywareBlaster Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want(Still Free)
Mozilla Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

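As an added example (not code from anyone in this thread), a small Python triage script that applies the reasoning jwbirdsong used on this log: a core Windows binary such as explorer.exe running from a folder other than C:\WINDOWS, autostart entries launched from a user's Application Data folder, and BHOs with no name or a missing file. The allow-list and the sample lines are constructed from the log posted above.

```python
"""Triage HijackThis log lines for the indicators discussed in this thread."""
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Core Windows binaries and the only folder each belongs in (constructed
# allow-list, an assumption for this example; the XP shell is C:\WINDOWS\Explorer.EXE).
EXPECTED_DIRS = {"explorer.exe": {r"c:\windows"}}

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\explorer.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {6BAC6123-EB67-2CBC-D120-62557FA62C4A} - C:\WINDOWS\System32\wcj.dll
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\Dudley\Application Data\winup\winup.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKCU\..\Run: [Trto] C:\Documents and Settings\Dudley\Application Data\hbsu.exe
"""

# A drive-letter path, ending at a closing quote, a "(file missing)" tag or end of line.
_PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?)(?:"| \(file missing\)|$)')


def path_of(line: str) -> Optional[str]:
    """Return the file path a log line points at, or None if it has none."""
    m = _PATH_RE.search(line)
    return m.group(1) if m else None


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for every line that deserves a second look."""
    findings = []
    for line in (l.strip() for l in lines):
        if line.startswith("O2 - BHO:"):
            name = line[len("O2 - BHO: "):].split(" - ")[0]
            if name in ("(no name)", ".") or line.endswith("(file missing)"):
                findings.append(("unnamed or file-missing BHO", line))
        path = path_of(line)
        if path is None:
            continue
        wp = PureWindowsPath(path)
        folder, name = str(wp.parent).lower(), wp.name.lower()
        # Autostart binaries inside a user's profile are the classic spyware drop site.
        if "\\application data" in folder and wp.suffix.lower() in (".exe", ".dll"):
            findings.append(("binary in user profile folder", line))
        # A system binary outside its home folder is a look-alike, not the real shell.
        if name in EXPECTED_DIRS and folder not in EXPECTED_DIRS[name]:
            findings.append((f"{name} outside expected folder", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG.strip().splitlines()):
        print(f"{reason:36} {line}")
```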

#5 jumpy23


    Member

  • New Member
  • 3 posts

Posted 11 July 2004 - 10:05 PM

Hey jwbirdsong, it looks like you fixed it. It's been more than a few minutes, and no NAV virus alert.

Before your post, I had deleted the wcj, winup and all temp files without success. After your post, I kept the shuttlepro file because it is used.

So, it would appear that the explorer.exe or hbsu.exe was the culprit.

Thank you very much.

I'm pointing out the explorer and hbsu because someone from another posting had the same problem. Hopefully your solution, jwbirdsong, solves his virus like it did mine.

For posterity, I'm posting the hijacklog, just in case the virus comes back tonight... but it looks clear.

Cool, man.

Logfile of HijackThis v1.98.0
Scan saved at 7:56:51 PM, on 7/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\SPRINT~1.0OF\Sprint\CAgent.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Contour ShuttlePRO\ShuttlePRO Helper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ShuttlePROEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\Dudley\Desktop\Sys Tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\PROGRA~1\SPRINT~1.0OF\Sprint\CAgent.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ShuttlePRO Helper] "C:\Program Files\Contour ShuttlePRO\ShuttlePRO Helper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro...usecall_pre.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro...eCallButton.CAB

P.S. I loved the OSA.EXE suggestion.

Thanks again.

#6 jwbirdsong


    Slasher O' spyware

  • Emeritus
  • 2,045 posts

Posted 12 July 2004 - 07:25 AM

I believe the bogus explorer to be the culprit here....

Congratulations, your log is clean.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and downloads are available at the link in my signature.

And also see TonyKlein's good advice in
So how did I get infected in the first place?