jumpy23

Trojan Virus in HOSTS --- NAV & PCCillin Won't Fix

6 posts in this topic

Norton antivirus auto-detects a trojan virus in C:\WINDOWS\system32\drivers\etc\hosts. The virus alert pops up every 4 seconds.

 

I've run Adaware, spybot and CWS shredder.. all latest versions. Nothing fixed the trojan virus alerts.

 

I've disabled XP restore points, rebooted in safe mode, ran Norton Antivirus and quarantined the only infected file... the hosts file in the above folder. There were no other viruses found. The virus found in the hosts file was NOT part of the Temp Internet Files folder. I rebooted only to have the virus alert pop up again, every 4 seconds.

 

I've scanned the registry for hosts without finding anything in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run folder. A full registry search for hosts didn't show anything related to the C:\WINDOWS\system32\drivers\etc\ folder.

 

I've run PC-Cillin in safe mode without any results.

 

I've run NAV and PCCillin in NON-Safe (normal) mode, and NAV doesn't even find ANY virus in normal mode. But when I rerun it in safe mode... THEN it finds the file. But, again, only to quarantine (it's unable to delete/fix file) and only to have the hosts/trojan pop-up in 4 seconds when rebooted in normal mode.

 

Originally (1 week ago), the problem started in the C:\WINDOWS\hosts file. All the problems listed above occurred. So, tired of not finding the source of the trojan, I went into the CMD DOS shell to change hosts to 127.0.0.1 LOCALHOST and change permissions on hosts. Sure, the virus stopped popping up in the C:\WINDOWS\hosts file. But when rebooted in normal mode, the virus alert showed up in the folder listed at the beginning of this email (i.e. C:\WINDOWS\system32\drivers\etc\hosts).

 

Here's my Hijack file:

 

Logfile of HijackThis v1.98.0

Scan saved at 7:36:54 PM, on 7/10/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\devldr32.exe

C:\PROGRA~1\SPRINT~1.0OF\Sprint\CAgent.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Contour ShuttlePRO\ShuttlePRO Helper.exe

C:\WINDOWS\system32\explorer.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

C:\WINDOWS\system32\explorer.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\cisvc.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\SYSTEM32\GEARSEC.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\ShuttlePROEngine.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\cidaemon.exe

C:\Documents and Settings\Dudley\Desktop\Sys Tools\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {6BAC6123-EB67-2CBC-D120-62557FA62C4A} - C:\WINDOWS\System32\wcj.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\Dudley\Application Data\winup\winup.dll (file missing)

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [ABBYY Community Agent] C:\PROGRA~1\SPRINT~1.0OF\Sprint\CAgent.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [shuttlePRO Helper] "C:\Program Files\Contour ShuttlePRO\ShuttlePRO Helper.exe"

O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [Trto] C:\Documents and Settings\Dudley\Application Data\hbsu.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterpr...ll_pre.php (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200...taller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/04e4d9edb77...xIE601.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003...scan53.cab

O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_do...Button.CAB

 

By the way, I can LiveUpdate my NAV.

 

And both NAV and PC-Cillin were using up-to-the minute latest virus definitions. And NAV had all page defaults restored before running.

 

Help, please.

 

Cheers,


Do a search and find all HOSTS files on the PC. Make sure you set your PC to SHOW ALL FILES and uncheck HIDE EXTENSIONS. It could be that your real HOSTS file has been changed to another file extension and that the Trojan could be masquerading as a file named HOSTS. Check for the size of all the HOSTS files you find and try to open them. You can always make a new HOSTS file if you delete them. Here is a great tool:

http://software.brown.edu/dist/pub/tools/r...estorehosts.exe

 

Delete all contents from your TEMP folders, i.e. Temporary Internet Files, C:\Windows\Temp, and C:\Documents and Settings\Your Username\Local Settings\Temp

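The advice above (find every file named HOSTS regardless of extension, compare sizes, and look inside) can be scripted rather than done by hand in Explorer. The following is an added example, not code from either poster or from the restorehosts tool linked above. It builds a constructed fake %SystemRoot% in a temp directory (a clean 21-byte hosts file like the one the original poster created, a tampered one in the real XP location, and a hosts.sam), lists every hosts-like file with its size, and flags entries that are anything other than the plain loopback-to-localhost mapping. The vendor/update domain watch list is an assumption for the example: a hosts hijacker that blackholes AV update servers is the usual reason LiveUpdate or HouseCall stop working, which is why it is worth checking specifically.

```python
import os
import tempfile
from pathlib import Path

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed watch list (assumption for this example): update/vendor hosts
# that hosts-file hijackers commonly redirect so the AV cannot update.
WATCHED = (
    "symantec.com",
    "symantecliveupdate.com",
    "trendmicro.com",
    "microsoft.com",
    "windowsupdate.com",
)


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text):
    """Flag every entry that is not 'loopback -> localhost'.

    Returns a list of (reason, ip, hostname) tuples."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" and ip in LOOPBACK:
            continue
        if any(name == w or name.endswith("." + w) for w in WATCHED):
            findings.append(("vendor/update host redirected", ip, name))
        elif ip in LOOPBACK:
            findings.append(("host blackholed to loopback", ip, name))
        else:
            findings.append(("host pinned to non-loopback address", ip, name))
    return findings


def find_hosts_files(root):
    """Walk root and return sorted [(path, size)] for every file whose stem
    is 'hosts'. The extension is deliberately ignored: with 'hide extensions'
    on, HOSTS.TXT and hosts look identical in Explorer."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if Path(fn).stem.lower() == "hosts":
                p = Path(dirpath) / fn
                hits.append((str(p), p.stat().st_size))
    return sorted(hits)


def audit_tree(root):
    """Map each hosts-like file under root to its audit findings."""
    report = {}
    for path, _size in find_hosts_files(root):
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            report[path] = audit_hosts(fh.read())
    return report


def build_sample_tree():
    """Constructed fixture: a fake %SystemRoot% with three hosts-like files."""
    root = tempfile.mkdtemp(prefix="xp_")
    etc = Path(root) / "system32" / "drivers" / "etc"
    etc.mkdir(parents=True)
    # The 21-byte file the original poster created (19 chars + CRLF).
    (Path(root) / "hosts").write_bytes(b"127.0.0.1 localhost\r\n")
    # A tampered copy in the real XP location (constructed entries).
    (etc / "hosts").write_bytes(
        b"127.0.0.1 localhost\r\n"
        b"127.0.0.1 liveupdate.symantecliveupdate.com\r\n"
        b"127.0.0.1 www.trendmicro.com\r\n"
        b"192.0.2.10 www.google.ca\r\n"
    )
    # The sample file XP ships alongside hosts; harmless.
    (etc / "hosts.sam").write_bytes(b"# sample\r\n127.0.0.1 localhost\r\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, size in find_hosts_files(root):
        print(f"{size:6d}  {path}")
    for path, findings in audit_tree(root).items():
        for reason, ip, name in findings:
            print(f"{path}: {reason}: {ip} {name}")
```

Run it as-is to see the three files and their sizes, then point `find_hosts_files` and `audit_tree` at a real `C:\WINDOWS` to do the same on a live machine. A hosts file well under a kilobyte that still contains vendor domains is the tell; on the poster's machine the 21-byte C:\WINDOWS\hosts is clean, and the one that matters is in system32\drivers\etc.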

Yup, deleted all hosts except the c:\windows\hosts. Edited the file so that it only read 127.0.0.1 localhost. Still had the trojan reinfect the file. (after all, we're not dealing with the source of the problem).

 

Later, I changed the permissions on the c:\windows\hosts file. The trojan then created a host file in c:\windows\system32\drivers\etc\ folder. Even when this hosts file is deleted, the trojan recreates it in the c:\windows\system32\drivers\etc folder.

 

Deleted all the temp files (redid them again today in all folders you listed) during safe mode. The virus reappears when rebooted in normal mode.

 

(funny side note, I changed the permissions on the c:\windows\hosts file so harsh that I don't have access to changing it or even listing its contents at DOS). Anyway, it's still only 21 bytes which is the original line I created... ie. 127.0.0.1 localhost.

 

Problem still exists in c:\windows\system32\drivers\etc\hosts.


FWIW, c:\windows\system32\drivers\etc\hosts is the default location for the hosts file in WinXP...

 

Press Ctrl+Alt+Del and 'end task' on any of the following that are present:

C:\WINDOWS\system32\explorer.exe

C:\WINDOWS\system32\explorer.exe

Put a check next to these in hijackthis:

O2 - BHO: (no name) - {6BAC6123-EB67-2CBC-D120-62557FA62C4A} - C:\WINDOWS\System32\wcj.dll

O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\Dudley\Application Data\winup\winup.dll (file missing)

O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe

O4 - HKCU\..\Run: [Trto] C:\Documents and Settings\Dudley\Application Data\hbsu.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE <---Optional but highly recommended to remove; it is not needed at startup and is a huge resource hog

O4 - HKLM\..\Run: [shuttlePRO Helper] "C:\Program Files\Contour ShuttlePRO\ShuttlePRO Helper.exe" <-----The ONLY other listing in a Google search for this is your log at CC; if you didn't install this or don't know what it is, mark it for removal

THEN, WITH ALL OTHER WINDOWS CLOSED, press "Fix".

 

 

Make sure you are set to Show Hidden Files and Folders and delete the following files/folders:-

C:\Program Files\Contour ShuttlePRO\ <---Optional, only delete if removed above in 04)

C:\WINDOWS\system32\explorer.exe <---Make certain of the LOCATION. Don't delete any files other than system32\explorer.exe; there are others in different locations that are GOOD

C:\Documents and Settings\Dudley\Application Data\hbsu.exe

c:\windows\system32\drivers\etc\hosts

If ANY of the above won't delete, reboot to safe mode for removal (instructions)

 

Delete files/folder from the following directories (But not the directory itself, for example delete all files/folder IN temp; but not temp itself!)

[*]C:\Windows\Temp\

[*]C:\Documents and Settings\<Your Profile>\Local Settings\Temp\

[*]C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\

[*]C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <---This will delete your internet cache--including cookies. This is recommended and strongly suggested.

[*]C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\

[*]Empty your "Recycle Bin"

 

After a reboot, replace the HOSTS file either with the default, i.e. localhost 127.0.0.1, or get one from the MS MVP link in my signature (my recommendation)

Then Reboot and post a fresh log back to this thread.

 

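What jwbirdsong did by eye above is triage of a HijackThis log: a second explorer.exe running from system32 instead of C:\WINDOWS, a Run key that relaunches it, a BHO with no name, a BHO whose file is missing, and an autostart under Application Data. The following is an added example, not HijackThis's own code and not something either poster wrote. It applies those same rules to a constructed excerpt of the log posted earlier in this thread. The table of legitimate locations assumes %SystemRoot% is C:\WINDOWS, and the list of user-writable directory markers is an assumption for the example.

```python
import re
from pathlib import PureWindowsPath

# Where XP keeps these binaries (assumption: %SystemRoot% is C:\WINDOWS).
# A file with one of these names anywhere else is masquerading.
SYSTEM_BINARIES = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "smss.exe": {r"c:\windows\system32"},
}

# Autostart targets living here are worth a look (constructed list).
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
EXE_RE = re.compile(r"(.+?\.(?:exe|dll|cpl|scr|com))(?:\s|,|$)", re.I)


def first_path(cmd):
    """Pull the executable out of a Run-key command line, quoted or not.
    Unquoted paths with spaces (Documents and Settings) are kept whole."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def check_binary_location(path):
    """Return a reason string if a well-known system binary name is used
    from the wrong directory, else None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    if name in SYSTEM_BINARIES and parent not in SYSTEM_BINARIES[name]:
        expected = ", ".join(sorted(SYSTEM_BINARIES[name]))
        return f"{p.name} running from {p.parent} instead of {expected}"
    return None


def triage(log_text):
    """Walk a HijackThis log and return [(line, reason)] for suspect items."""
    findings = []
    section = None
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            section = "procs"
            continue
        if re.match(r"^[RO]\d+ - ", line):
            section = "entries"
        if section == "procs":
            reason = check_binary_location(line)
            if reason:
                findings.append((line, reason))
            continue
        m = O2_RE.match(line)
        if m:
            if m.group("name") in ("(no name)", ".", "") or "(file missing)" in m.group("path"):
                findings.append((line, "BHO with placeholder name or missing file"))
            continue
        m = O4_RE.match(line)
        if m:
            path = first_path(m.group("cmd"))
            reason = check_binary_location(path)
            if reason:
                findings.append((line, reason))
            elif any(marker in path.lower() for marker in USER_WRITABLE):
                findings.append((line, "autostart from a user-writable profile directory"))
    return findings


# Constructed excerpt of the log posted above; not the full log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6BAC6123-EB67-2CBC-D120-62557FA62C4A} - C:\WINDOWS\System32\wcj.dll
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\Dudley\Application Data\winup\winup.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKCU\..\Run: [Trto] C:\Documents and Settings\Dudley\Application Data\hbsu.exe
"""

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

The location check is the important one: the real shell is C:\WINDOWS\Explorer.EXE (it is in the log, and it is fine); a same-named file in system32 with its own Run key is the persistence that kept rewriting the hosts file after every cleanup. The rundll32 lines are deliberately not flagged because only the first token is examined; a fuller triage would also resolve the DLL that rundll32 is told to load.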

Hey jwbirdsong, it looks like you fixed it. It's been more than a few minutes, and no NAV virus alert.

 

Before your post, I had deleted the wcj, winup and all temp files without success. After your post, I kept the shuttlepro file because it is used.

 

So, it would appear that the explorer.exe or hbsu.exe was the culprit.

 

Thank you very much.

 

I'm pointing out the explorer and hbsu because someone from another posting had the same problem. Hopefully your solution, jwbirdsong, solves his virus like it did mine.

 

For posterity, I'm posting the hijacklog, just in case the virus comes back tonight... but it looks clear.

 

Cool, man.

 

Logfile of HijackThis v1.98.0

Scan saved at 7:56:51 PM, on 7/11/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\devldr32.exe

C:\PROGRA~1\SPRINT~1.0OF\Sprint\CAgent.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Contour ShuttlePRO\ShuttlePRO Helper.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\cisvc.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\SYSTEM32\GEARSEC.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\ShuttlePROEngine.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Documents and Settings\Dudley\Desktop\Sys Tools\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [ABBYY Community Agent] C:\PROGRA~1\SPRINT~1.0OF\Sprint\CAgent.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [shuttlePRO Helper] "C:\Program Files\Contour ShuttlePRO\ShuttlePRO Helper.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/04e4d9edb7750c...ip/RdxIE601.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB

 

P.S. I loved the OSA.EXE suggestion.

 

Thanks again.


I believe the bogus explorer to be the culprit here....

 

Congratulations, your log is clean.

 

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

 

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

 

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

 

More info and downloads are available at the link in my signature.

 

And also see TonyKlein's good advice in

So how did I get infected in the first place?
