
Hosts File keeps Populating


zoeythecat

Technical User
May 2, 2002
1,666
0
0
US
Hi All,

I have an end user with Windows XP Pro who had several viruses and spyware. I ran all the pre-requisites before posting. I have run virus scans. The system is virus free. I have run spyware scans (Adaware, Spybot) and installed the Microsoft Anti-Spyware version. The system appears to be virus free and spyware free. However, when surfing the net popups keep appearing. I have noticed the hosts file in c:\windows\system32\drivers\etc keeps repopulating with several websites. The strange thing is if I delete the entries and save the file the web site entries keep populating. If I delete the hosts file the file gets created again as soon as it is deleted.

Anybody experience this issue? Any suggestions?

Thanks in advance,
Zoey
 
copy the file elsewhere and open it. Delete all the junk inside of the file and save it. Next, change the file's properties to "read-only" and then copy it back over the one that has likely been created. Verify that it's read only and then whatever virus or spyware has been altering it will be unable to do so.
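Before deleting "the junk", it helps to know which lines are junk. The checker below is an added example for this thread (not code from any poster): it parses a hosts file, keeps the normal `localhost` and loopback sinkhole lines, and reports entries that redirect public names to some other address or remap security and update sites, which is what spyware does to keep scanners from updating. The sample hosts text, the `PROTECTED_SUFFIXES` list and the function names are constructed here; only the file path comes from the thread.

```python
import ipaddress

# Constructed sample hosts file for this example (not the poster's real file):
# the stock Microsoft header and localhost line, an ad host sinkholed to
# loopback, two popular sites redirected to a foreign address, and two
# security/update sites blackholed so the machine cannot fetch signatures.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       ads.example.invalid          # benign: ad host sinkholed to loopback
10.11.12.13     www.google.com               # redirect to a foreign address
10.11.12.13     search.msn.com www.msn.com
127.0.0.1       www.sophos.com               # AV vendor made unreachable
0.0.0.0         windowsupdate.microsoft.com
"""

# Domains a client's hosts file should never override; spyware commonly remaps
# these so scanners cannot update. List constructed for the example.
PROTECTED_SUFFIXES = ("microsoft.com", "sophos.com", "symantec.com",
                      "lavasoft.com", "safer-networking.org")

WINDOWS_HOSTS = r"C:\WINDOWS\system32\drivers\etc\hosts"   # path named in the thread


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop inline and full-line comments
        if not line:
            continue
        ip, *names = line.split()              # one IP may carry several names
        entries.extend((ip, n.lower()) for n in names)
    return entries


def classify(ip, name):
    """Return a reason string if the mapping looks hostile, None if it is normal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "address is not a valid IP"
    if name == "localhost":
        return None
    # Check protected names first: even a loopback mapping of these is hostile.
    if any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES):
        return "security or update site remapped to %s" % ip
    if addr.is_loopback or addr.is_unspecified:
        return None            # sinkholing an ad host is a common, harmless use
    return "public name redirected to %s" % ip


def suspicious_entries(text):
    """List (ip, name, reason) for every mapping that classify() objects to."""
    found = []
    for ip, name in parse_hosts(text):
        reason = classify(ip, name)
        if reason:
            found.append((ip, name, reason))
    return found


def check_hosts_file(path=WINDOWS_HOSTS):
    """Read a real hosts file and return its suspicious entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<32} {reason}")
```

Run it as-is to see the five hostile lines from the sample; call `check_hosts_file()` on the XP box to run the same logic over the real file. A loopback mapping is only treated as hostile when the name is on the protected list, so an ad-blocking hosts file the user installed on purpose does not drown out the real findings.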
 
You can use the advanced functions within Spybot to lock / backup the hosts file. Should be under "Tools" section within the advanced view on Spybot 3.1TX or greater.

HTH

TazUk

[pc] Blue-screening PCs since 1998
 
Thanks for the replies. I will try both suggestions and post back.

Thanks again.
 
My recommendation is to remove Spybot as the primary line of defense. Begin to utilize the Microsoft Spyware Beta.

There are a few reasons for this. The first being that it monitors the host file and will prompt you before allowing changes. The next reason is you can actually view what has been added to the host file via the MS product and remove/block those changes from being re-added.

The read only tag may not work. Many of the virus/spyware programs run in today's environment can remove and/or add attributes to the file. You can prevent this via a program called "Drop my rights". This program will run programs in a user level access shell, preventing installation and attribute changes...


The above is the link to this application (written by Michael Howard).
 
Aquias,

Thanks for the link and the reply. I will try your suggestion as well. As an FYI I am using the Microsoft AntiSpyware and it is detecting Hosts trying to connect so I just block. However, the HOSTS file is still populating so I will try copying the file back with the Read attribute and see what happens and then install the program from your link if I need to.

Thanks
 
Also,

Run HijackThis! and post back your results here. There may be an application installed that the spyware proggies aren't picking up.
 
Aquias,

Thanks for looking at this log.

___________________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 11:26:21 AM, on 5/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\w?auclt.exe
C:\Program Files\AIM\aim.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\job\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedUpMyPC] C:\Program Files\LIUtilities\SpeedUpMyPC\SpeedUpMyPC.exe traybar
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [RHSNGGXDc] C:\WINDOWS\txntqnid.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DvdAnteExtraBase] C:\Documents and Settings\All Users\Application Data\DEADMETADVDANTE\viewcdrom.exe
O4 - HKLM\..\Run: [dumb creative slow inside] C:\Documents and Settings\All Users\Application Data\Dash Intra Dumb Creative\Lovemfcd.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Comedy-Planet] C:\Program Files\Comedy-Planet\comedy-planet.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefmw32.exe
O4 - HKLM\..\Run: [Cash Software Face Bin] C:\Documents and Settings\All Users\Application Data\beep this cash software\errorcurb.exe
O4 - HKLM\..\Run: [BI6fJ] C:\WINDOWS\ginld.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Lerm] C:\Documents and Settings\job\Application Data\elat.exe
O4 - HKCU\..\Run: [Krxssiq] C:\WINDOWS\system32\w?auclt.exe
O4 - HKCU\..\Run: [Intra The] C:\DOCUME~1\job\APPLIC~1\Chicdupe\BalmRoam.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = brooksschool.org
O17 - HKLM\Software\..\Telephony: DomainName = brooksschool.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = brooksschool.org
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\en4ul1h91.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Sophos Anti-Virus Update (SweepUpdate) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
 
zoeythecat
Based on an automated scan of your HijackThis log file and some Google digging, here's a list of what may be giving you troubles. Please wait for confirmation here before deleting, as this is based on my own reading, and (once ready to act) ensure that system restore is disabled before cleaning.
Note that I've listed some as unknown - you'll need to check with the user / on the local machine to establish whether they're legit.

aquias can you confirm / review the below please?

Dodgy entries:
C:\WINDOWS\system32\w?auclt.exe = PurityScan/Click adware

O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE = StartupList Deep Dive (VX2 / Look2Me related?)

O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe = popup generator

O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefmw32.exe = popup generator (elite toolbar?)

O4 - HKCU\..\Run: [Krxssiq] C:\WINDOWS\system32\w?auclt.exe = PurityScan/Click adware

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe = Aurora spyware / trojan
related files: Bolger.dll, svcproc.exe, svcproc.exe, Poller.exe, uacupg.exe, Nail.exe, DrPMon.dll, thnall1ac.html

Unknown entries
O4 - HKLM\..\Run: [RHSNGGXDc] C:\WINDOWS\txntqnid.exe

O4 - HKLM\..\Run: [Cash Software Face Bin] C:\Documents and Settings\All Users\Application Data\beep this cash software\errorcurb.exe

O4 - HKCU\..\Run: [Lerm] C:\Documents and Settings\job\Application Data\elat.exe

HTH

TazUk

[pc] Blue-screening PCs since 1998
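The sort of first pass TazUk describes (mark entries as dodgy or unknown, then have a human confirm) can be scripted for the O4 run-key lines. The triage helper below is an added example for this thread, not a tool any poster used. It parses O4 lines into hive, value name and executable path and attaches reasons: file names the thread's participants identified as adware, executables living in a user's Application Data folder or dropped straight into C:\WINDOWS, odd characters in a file name (the w?auclt.exe look-alike), and value names with almost no vowels. The sample input is a subset of the log posted above; the `KNOWN_BAD` set, the heuristics and the function names are constructed here.

```python
import re
from typing import List, Tuple

# Constructed sample input: a subset of the O4 lines from the HijackThis log
# posted earlier in this thread, kept verbatim (including the '?' in w?auclt.exe).
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [RHSNGGXDc] C:\WINDOWS\txntqnid.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefmw32.exe
O4 - HKLM\..\Run: [Cash Software Face Bin] C:\Documents and Settings\All Users\Application Data\beep this cash software\errorcurb.exe
O4 - HKCU\..\Run: [Lerm] C:\Documents and Settings\job\Application Data\elat.exe
O4 - HKCU\..\Run: [Krxssiq] C:\WINDOWS\system32\w?auclt.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

# File names the thread's participants identified as adware/spyware components.
KNOWN_BAD = {"seeve.exe", "elitefmw32.exe", "n20050308.exe", "svcproc.exe"}

# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$")


def parse_o4(line: str):
    """Split an O4 line into (hive, value name, executable path), or None if not O4."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, name, command = m.groups()
    if command.startswith('"'):
        path = command[1:command.index('"', 1)]
    else:
        # HJT prints unquoted paths even when they contain spaces; cut at the
        # first ".exe" so trailing arguments do not leak into the path.
        em = re.match(r"(?i)^(.*?\.exe)", command)
        path = em.group(1) if em else command.split()[0]
    return hive, name, path


def looks_random(name: str) -> bool:
    """Weak signal: a value name with almost no vowels, e.g. RHSNGGXDc or Krxssiq."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 4:
        return False
    vowels = sum(c.lower() in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.2


def reasons_for(name: str, path: str) -> List[str]:
    """Collect every reason this run entry deserves a second look."""
    reasons = []
    low = path.lower()
    folder, _, filename = low.rpartition("\\")
    if filename in KNOWN_BAD:
        reasons.append("file name identified as adware in this thread")
    if "\\application data\\" in low:
        reasons.append("runs from a user-profile Application Data folder")
    if folder in ("c:\\windows", "c:\\winnt"):
        reasons.append("executable dropped directly in the Windows folder")
    if re.search(r"[^a-z0-9_. \-]", filename):
        reasons.append("odd character in file name (look-alike of a system binary)")
    if looks_random(name):
        reasons.append("value name looks machine-generated (weak signal)")
    return reasons


def triage(log_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (hive, name, path, reasons) for every O4 line, flagged or not."""
    out = []
    for line in log_text.splitlines():
        parsed = parse_o4(line)
        if parsed:
            hive, name, path = parsed
            out.append((hive, name, path, reasons_for(name, path)))
    return out


def flagged(log_text: str):
    """Map value name -> reasons for the entries that got at least one reason."""
    return {name: reasons for _, name, _, reasons in triage(log_text) if reasons}


if __name__ == "__main__":
    for hive, name, path, reasons in triage(SAMPLE_O4):
        print(f"{'REVIEW' if reasons else 'ok    '} {hive} [{name}] {path}")
        for r in reasons:
            print("         - " + r)
```

Note what the output shows: `msnmsgr` is flagged purely on the vowel heuristic although it is MSN Messenger, while `checkrun` is flagged only because the thread already named `elitefmw32.exe`. That is why the script reports reasons rather than a verdict; as the posters say, each entry still gets verified by a person before anything is removed.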
 
In addition to Tazuk's entries (they all look good, Tazuk!), remove the following...

O4 - HKLM\..\Run: [Comedy-Planet] C:\Program Files\Comedy-Planet\comedy-planet.exe

O4 - HKCU\..\Run: [Lerm] C:\Documents and Settings\job\Application Data\elat.exe

O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\en4ul1h91.dll

Can't identify these, see if you can find any information on these items.

O4 - HKLM\..\Run: [RHSNGGXDc] C:\WINDOWS\txntqnid.exe

O4 - HKLM\..\Run: [Cash Software Face Bin] C:\Documents and Settings\All Users\Application Data\beep this cash software\errorcurb.exe

O4 - HKLM\..\Run: [BI6fJ] C:\WINDOWS\ginld.exe

O4 - HKCU\..\Run: [Intra The] C:\DOCUME~1\job\APPLIC~1\Chicdupe\BalmRoam.exe

 
Oh and here's a site to utilize to help you figure out your HJT file.


I use this site because I like how it breaks out the different entries (Makes them easier to read and dissect).

Even with this site, you'll still need to verify each entry prior to removing any files. It's the only way to be safe about what you're removing.
 
Good advice... I have double checked and can confirm what the others have posted...

You should also fix this:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =


You can also fix these, if you want, as they are not necessary and take up resources...

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [SpeedUpMyPC] C:\Program Files\LIUtilities\SpeedUpMyPC\SpeedUpMyPC.exe traybar

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DvdAnteExtraBase] C:\Documents and Settings\All Users\Application Data\DEADMETADVDANTE\viewcdrom.exe

O4 - HKLM\..\Run: [dumb creative slow inside] C:\Documents and Settings\All Users\Application Data\Dash Intra Dumb Creative\Lovemfcd.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe



Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 
Wow...Lot of help here and lots of suggestions. I will remove all suggested and post back.

Thanks to everyone who contributed here.
 
Dohp, last bit of advice on this. After you clear out all the above entries and verify the system is stable, I would recommend creating a new restore point and deleting all the prior restore points that may have been infected.
 
C:\WINDOWS\system32\w?auclt.exe

How about this entry ?!?

Computer/Network Technician
CCNA
 
gotcha.. I had read his post but missed that somehow.. thanx.

Computer/Network Technician
CCNA
 
Hey guys,

Thanks for all the help. Problem resolved.

Thanks
 
Zoey, you may still have an issue with part of this.

The R line and these four lines relate to something called lop.
O4 - HKLM\..\Run: [DvdAnteExtraBase] C:\Documents and Settings\All Users\Application Data\DEADMETADVDANTE\viewcdrom.exe
O4 - HKLM\..\Run: [dumb creative slow inside] C:\Documents and Settings\All Users\Application Data\Dash Intra Dumb Creative\Lovemfcd.exe
O4 - HKLM\..\Run: [Cash Software Face Bin] C:\Documents and Settings\All Users\Application Data\beep this cash software\errorcurb.exe
O4 - HKCU\..\Run: [Intra The] C:\DOCUME~1\job\APPLIC~1\Chicdupe\BalmRoam.exe

First, check your application data folder for any other folders with odd made-up names like these.
Second, if you have any other users with application data folders, check all of them for these folders and similar made-up names.
Third, check the program files folder for any of these. There is a very good possibility you will find one of them there. Also check program files for a c2media folder and delete if present (unless you are using messenger plus).
Fourth, run hjt again. Config button, misc tools, startup list.
Look in enumerate taskscheduler jobs. If you see any jobs that are a long string of letters/numbers, post that section of the log and I'll get you some instructions to remove the jobs.
Fifth, check favorites and your desktop for new, unwanted icons.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 