Solved

Host File with 127.0.0.1 entries

Posted on 2005-04-27
1,236 Views
Last Modified: 2008-02-01
Hi, I have an XP Pro machine that got infected with some virus. I have run Ad-Aware and Spybot and removed tons of traces. Also ran Stinger and found traces of the Bagle virus, removed manually as it couldn't be cleaned.

I installed Norton SystemWorks 2005 but can't activate it to download the latest def files. I discovered that the hosts file gets populated with all these entries every time I reboot. I keep deleting them but they keep reappearing.
Please help, kind of urgent.
Juan

127.0.0.1 localhost
127.0.0.1 updates1.kaspersky-labs.com
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.fastclick.net
127.0.0.1 ads.fastclick.net
127.0.0.1 ar.atwola.com
127.0.0.1 atdmt.com
127.0.0.1 avp.ch
127.0.0.1 avp.com
127.0.0.1 avp.ru
127.0.0.1 awaps.net
127.0.0.1 banner.fastclick.net
127.0.0.1 banners.fastclick.net
127.0.0.1 ca.com
127.0.0.1 click.atdmt.com
127.0.0.1 clicks.atdmt.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 download.microsoft.com
127.0.0.1 downloads.microsoft.com
127.0.0.1 engine.awaps.net
127.0.0.1 fastclick.net
127.0.0.1 f-secure.com
127.0.0.1 ftp.f-secure.com
127.0.0.1 ftp.sophos.com
127.0.0.1 go.microsoft.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 media.fastclick.net
127.0.0.1 msdn.microsoft.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 office.microsoft.com
127.0.0.1 phx.corporate-ir.net
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 service1.symantec.com
127.0.0.1 sophos.com
127.0.0.1 spd.atdmt.com
127.0.0.1 support.microsoft.com
127.0.0.1 symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 vil.nai.com
127.0.0.1 viruslist.ru
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.avp.ch
127.0.0.1 www.avp.com
127.0.0.1 www.avp.ru
127.0.0.1 www.awaps.net
127.0.0.1 www.ca.com
127.0.0.1 www.fastclick.net
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.ru
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.ru
127.0.0.1 ftp.kasperskylab.ru
127.0.0.1 ftp.avp.ch
127.0.0.1 www.kaspersky.ru
127.0.0.1 updates1.kaspersky-labs.com
127.0.0.1 updates3.kaspersky-labs.com
127.0.0.1 updates4.kaspersky-labs.com
127.0.0.1 updates2.kaspersky-labs.com
127.0.0.1 updates5.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 www.kaspersky-labs.com
127.0.0.1 updates3.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 www3.ca.com
127.0.0.1 ids.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 downloads-us1.kaspersky-labs.com
127.0.0.1 downloads-us2.kaspersky-labs.com
127.0.0.1 downloads-us3.kaspersky-labs.com
127.0.0.1 ftp.downloads2.kaspersky-labs.com
Question by:jibarra
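What the list above does to name resolution, as an added example that is not part of the original question or of any answer in the thread: a small Python script that parses a HOSTS file in the format posted, lists every name other than localhost that has been pointed at loopback, picks out those that look like antivirus or update sites, and reports names listed more than once. The sample file is a trimmed copy of the posted entries, the vendor keyword list is an illustrative assumption, and the 10.0.0.5 intranet entry is invented to show that ordinary mappings are left alone.

```python
"""Audit a Windows HOSTS file for names hijacked to the loopback address."""
from collections import Counter

# Constructed sample: a trimmed copy of the entries posted in the question,
# plus one comment line and one made-up intranet entry to show that only
# loopback mappings are flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
127.0.0.1 updates1.kaspersky-labs.com
127.0.0.1 ad.doubleclick.net
127.0.0.1 liveupdate.symantec.com
127.0.0.1 download.mcafee.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com
10.0.0.5  fileserver.corp.example   # assumed legitimate entry, keep it
"""

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}
# Substrings of vendor and update hostnames seen in the posted file. This is an
# illustrative assumption, not a complete list of security vendors.
SECURITY_VENDORS = ("symantec", "mcafee", "kaspersky", "sophos", "f-secure",
                    "trendmicro", "grisoft", "microsoft.com", "nai.com", "avp.")


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each entry.

    Anything after '#' is a comment; blank and malformed lines are skipped.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        yield line_no, fields[0], [name.lower() for name in fields[1:]]


def loopback_hijacks(text):
    """Hostnames other than localhost that resolve to loopback, sorted."""
    names = set()
    for _, ip, hosts in parse_hosts(text):
        if ip in LOOPBACK:
            names.update(h for h in hosts if h not in LOCAL_NAMES)
    return sorted(names)


def blocked_vendors(text):
    """The hijacked names that look like antivirus or Windows update sites."""
    return [h for h in loopback_hijacks(text)
            if any(v in h for v in SECURITY_VENDORS)]


def duplicate_names(text):
    """Names listed more than once; the posted file repeats dozens of them."""
    counts = Counter(h for _, _, hosts in parse_hosts(text) for h in hosts)
    return sorted(h for h, n in counts.items() if n > 1)


if __name__ == "__main__":
    print("pointed at loopback:", loopback_hijacks(SAMPLE_HOSTS))
    print("security/update sites blocked:", blocked_vendors(SAMPLE_HOSTS))
    print("duplicates:", duplicate_names(SAMPLE_HOSTS))
```

On the infected machine you would feed it the contents of C:\WINDOWS\system32\drivers\etc\hosts instead of the sample; everything returned by blocked_vendors is exactly what stops Norton from activating and fetching definitions, because those names now resolve to the PC itself.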
16 Comments
 
LVL 5

Expert Comment

by:sysandprog
ID: 13882386
If your HOSTS file continues to get corrupted every time you start your system, you have additional problems, but here is a temporary work-around...

Go to...

http://home.ntelos.net/~write/spam.html

Go down the page until you see a Gorilla picture icon.  Click on that.

Look for the FREE download of a standard HOSTS file.  Download it and replace the corrupted one in your system.

Now, and this is important, change the ATTRIBUTE to READ ONLY.

Unfortunately, I am not familiar with your operating system, so I can't tell you how to get into a DOS mode or pseudo-DOS mode.  If you can figure that out, the commands to use would be...

CD C:\{directory}\ATTRIB +R HOSTS

From your question statement it appears you already know {directory} for your system.

This should prevent any script from changing the content of the HOSTS file.
 
LVL 5

Expert Comment

by:sysandprog
ID: 13882397
Correction to the DOS code above...

CD C:\{directory}
ATTRIB +R HOSTS

...OR...

ATTRIB +R C:\{directory}\HOSTS

(Sorry - fat fingers)
 
LVL 5

Expert Comment

by:sysandprog
ID: 13882464
One more thing...

In looking over your corrupted HOSTS file listing, it appears that the virus is changing it to block your system from accessing the more popular anti-virus programs and also the Pest Patrol anti-spyware program.

After the system startup you could try to rename the corrupted HOSTS file to something like HOSTStmp so that it is not effective.  That way the HOSTS file would no longer block access to Norton or any of the other security programs.

If you don't have a FIREWALL program running, you really should get one active.  I think ZoneAlarm still has a free version that you can download.
LVL 6

Expert Comment

by:parkerig
ID: 13882919
In the past I have done the following.
To me it is the easiest and best method. Others may not agree.

To do this you need another pc.
Make sure this PC is up to date with a virus checker and Ad-Aware (I now use Microsoft's beta).
Take the hard disk out of the infected PC and make it a slave drive in the other PC.

Boot the other PC and do a full virus scan, spyware scan etc etc on the SLAVE.

Cheers
Ian
 
LVL 5

Expert Comment

by:sysandprog
ID: 13883198
I agree with Ian, that it is safer to move the hard drive to a clean machine as a slave and test it there.

However, the critter appears to be the W32.Agobot worm as described at...

http://www.resnet.ucla.edu/virusalert.html

Unfortunately, the anti-virus companies have not set standard naming conventions for these things.  So, Symantec will probably call it something else.

If this is the culprit, it has the nasty capability of taking over your computer for remote control operation.  However, it doesn't seem to delete any critical files, so you may still be able to get rid of it without moving the hard drive to another computer.

When you look at places like Symantec, they will usually show the names of "bad guy" files that are unique to a particular virus or worm. With that information, you can identify the bandit.  Then you can follow their cleanup instructions.

The cleanup instructions will often suggest that you can do a lot of the work without using their tools, including messing with the Registry.  I have not had good luck doing it that way.  It is far better to use whatever program tools they have made available.
If you do mess with the Registry with Regedit, be sure to EXPORT a backup before starting. I send mine to...

C:\BACKUP\REGISTRY\20050428.reg (by date)

In your case, if you can't get past the HOSTS file block, you can always try one of the FREE anti-virus sites that offer one-time scanning.  This may not be possible if their URL is one of those that has been blocked by the corrupted HOSTS file.

By the way, your system will run just fine without a HOSTS file.  Then it depends on the other anti-virus, anti-spyware, anti-popup programs and firewalls for protection.  Some viruses mess with these, too.  From what you wrote above, my guess is that the culprit is a newer one, which is why you need current signature updates.  Hopefully the invader hasn't corrupted the basic code in these defenders.

 
LVL 4

Expert Comment

by:FalconHawk
ID: 13883494
It almost seems like a virus is still on the PC. All those things in the list are AV programs and their update services. I THINK some kind of virus is trying to make your PC believe that their update services are located at 127.0.0.1, which is your own PC, so if you run such a service, it doesn't connect to the host but to the local PC.

Now, how to solve it? First, have a look in the system registry at which programs run on bootup. If there is some malicious file among them, delete it. Delete the hosts file and see if it works. If it STILL keeps appearing, delete it again and run the PC in safe mode (F8 on boot). The file shouldn't be appearing then. If it does, something has infected Windows' critical bootup files, but I don't think so. If not, have a look in the {systemroot}/windows/system and the {systemroot}/windows/system32 directories. All the files should have been created and modified on the day of purchase, some files excluded though, since some AV and firewall products install themselves there. Sort the files on date modified and see if there is any .exe or .dll that you can't identify and that's recently created. If so, rename it and move it to a C:\ directory, delete the original and reboot. Now several things can happen.

1) The hosts file is clean. If this happens, then you're all done; just delete the file you moved.
2) The file is coming back to its original directory. If this happens, it most probably is a part of the virus, but isn't all of it. Search further for DLLs or EXEs that could have re-created it.
3) The hosts file is still crowded and the file isn't there. If this happens, it's the wrong file.
4) The PC doesn't boot at all. Congrats, it was a Windows-critical file ^^ (very unlikely though :) no need to worry). If this happens, simply rename the file in DOS again and replace it.

By the way, there is one good AV scanner missing. If you want to be temporarily up to date with a good virus scanner before you switch, try AVG (www.grisoft.com). I use it, and it works just fine.
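The system32 triage step in the comment above (sort by date modified, look for executables you can't identify), as an added example that is not part of FalconHawk's comment: a Python function that lists executables in a directory modified within the last N days, newest first, with an optional set of known-good names to skip. The directory and the file names in the demo, including svch0st.exe, are constructed in a temporary directory for the run; nothing here identifies the actual infection on the poster's machine.

```python
"""List recently modified executables in a directory: the manual 'sort by
date modified' triage from the comment, scripted so it can be re-run."""
import os
import tempfile
import time

EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com"}
DAY = 86400


def recent_executables(directory, max_age_days=7, known_good=(), now=None):
    """Return [(name, age_days)] for executables modified in the last
    max_age_days, newest first, skipping names listed in known_good.

    Only the modification time is used. A dropper that resets mtime
    (timestomping) evades this, so an empty result means 'nothing obvious',
    not 'clean'.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * DAY
    known = {n.lower() for n in known_good}
    hits = []
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        name = entry.name.lower()
        if os.path.splitext(name)[1] not in EXECUTABLE_EXTS or name in known:
            continue
        mtime = entry.stat().st_mtime
        if mtime >= cutoff:
            hits.append((entry.name, round((now - mtime) / DAY, 1)))
    return sorted(hits, key=lambda h: h[1])


def demo():
    """Constructed sample tree: old OS files, a legitimately updated AV
    component, a text file, and one unfamiliar executable dropped yesterday."""
    now = 1_700_000_000  # fixed 'now' so the ages are deterministic
    files = {
        "kernel32.dll": 400, "ntoskrnl.exe": 400,  # untouched since install
        "avupdate.dll": 3,                        # AV engine updated this week
        "readme.txt": 0,                          # not an executable
        "svch0st.exe": 1,                         # the one worth looking at
    }
    with tempfile.TemporaryDirectory() as d:
        for name, age_days in files.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(b"MZ")  # placeholder content, not a real PE file
            stamp = now - age_days * DAY
            os.utime(path, (stamp, stamp))
        everything = recent_executables(d, max_age_days=7, now=now)
        unknown = recent_executables(d, max_age_days=7,
                                     known_good={"avupdate.dll"}, now=now)
        return everything, unknown


if __name__ == "__main__":
    for name, age in demo()[1]:
        print(f"{name}: modified {age} days ago")
```

Run it against C:\WINDOWS\system32 with the names of files your AV and firewall legitimately updated in known_good, and what is left is the short list to research by name on the vendor sites before renaming anything.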
 
LVL 5

Expert Comment

by:mnb93
ID: 13884157
Try making it:

----------------
127.0.0.1 localhost
----------------

Then run Anti-Virus (Google ClamWin)
 
LVL 3

Expert Comment

by:JamesHarrison
ID: 13885129
Also, run: http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml.  This baby finds everything and should be able to point you to the root of your problems.

If you need any more help just shout!

J
 
LVL 12

Expert Comment

by:kneH
ID: 13885401
One small addition to the above.

cd /d %SystemRoot%\system32\drivers\etc
attrib +r +s hosts

Bit more secure :)
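The replace-and-lock procedure from sysandprog's and kneH's comments, as an added example that is not part of the original thread: restore the one-line file suggested above, clear the write bits (the equivalent of ATTRIB +R), record a SHA-256 fingerprint, and re-check the file later to see whether anything re-added entries. The script writes to a temporary file rather than the real %SystemRoot%\system32\drivers\etc\hosts, so it runs anywhere; the re-infection at the end of demo() is simulated. Note that the read-only attribute only stops careless writers: anything running with administrator rights can clear it with ATTRIB -R before writing, which is why the thread also pushes for removing the infection itself.

```python
"""Restore a clean HOSTS file, make it read-only, and fingerprint it so a
re-infection after reboot shows up as a changed hash plus the added lines."""
import hashlib
import os
import stat
import tempfile

# The minimal file suggested in the thread: only the localhost entry.
CLEAN_HOSTS = "127.0.0.1 localhost\n"

# Real location on Windows; demo() uses a temp file instead so it runs anywhere.
WINDOWS_HOSTS = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                             "system32", "drivers", "etc", "hosts")


def fingerprint(path):
    """SHA-256 of the file's bytes."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def restore_and_lock(path, content=CLEAN_HOSTS):
    """Overwrite the file with known-good content, clear the write bits,
    and return the fingerprint of the result.

    A file left read-only by an earlier run is made writable first, otherwise
    the open() fails on Windows.
    """
    if os.path.exists(path):
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
    with open(path, "w", newline="\r\n") as f:  # Windows line endings
        f.write(content)
    os.chmod(path, stat.S_IREAD | stat.S_IRGRP | stat.S_IROTH)  # like ATTRIB +R
    return fingerprint(path)


def is_read_only(path):
    return not (os.stat(path).st_mode & stat.S_IWUSR)


def check_unchanged(path, expected_hash):
    """True if the file still matches the fingerprint taken after restore."""
    return os.path.exists(path) and fingerprint(path) == expected_hash


def added_lines(path, known_good=CLEAN_HOSTS):
    """Entries present now that were not in the known-good copy."""
    with open(path) as f:
        current = {ln.strip() for ln in f
                   if ln.strip() and not ln.lstrip().startswith("#")}
    good = {ln.strip() for ln in known_good.splitlines() if ln.strip()}
    return sorted(current - good)


def demo():
    """Restore and lock a temp file, then simulate the malware's post-reboot
    rewrite (clear the attribute, append an entry) and re-check."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hosts")
        good = restore_and_lock(path)
        ok_before = check_unchanged(path, good) and is_read_only(path)
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)  # what ATTRIB -R does
        with open(path, "a") as f:
            f.write("127.0.0.1 liveupdate.symantec.com\n")  # constructed
        return ok_before, check_unchanged(path, good), added_lines(path)


if __name__ == "__main__":
    print(demo())
```

Keep the fingerprint somewhere the infection cannot reach (a note, a second machine) and compare after each reboot; the moment check_unchanged returns False you know the writer is still running, and added_lines tells you what it put back.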
 
LVL 6

Expert Comment

by:BILJAX
ID: 13891608
OK

http://pcpitstop.com  has a great free AV Scanner.

If you want a free desktop-based scanner that works well, check out.

AVG-7 by GRISOFT
http://www.grisoft.com/doc/71/lng/us/tpl/tpl01

You can also try the Microsoft beta AntiSpam...
http://www.microsoft.com/athome/security/spyware/software/default.mspx
 
LVL 6

Expert Comment

by:BILJAX
ID: 13891624
Also, don't use the computer as a user with Admin rights.   If you want to install something, Shift+right click and Run-As to install programs.



AC
 
LVL 1

Accepted Solution

by:
easymage earned 1500 total points
ID: 13892581
I believe this is the file that gets modified by the probable virus: "C:\WINDOWS\system32\drivers\etc\hosts".
The hosts file is a bit like a phone book where the system goes and looks up computers on the network or addresses, and if it finds one there it automatically gives the IP to it so no more searching is needed (works a bit like DNS). The fact that it all points to 127.0.0.1, which is loopback (your computer), means that in theory you should have problems going to those sites.
I did a bit of research on viruses that modify this file and there are a few; one of the best places I can advise you to look is here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.serflog.a.html
http://www.f-secure.com/v-descs/qhost.shtml
http://www.sophos.com/virusinfo/analyses/w32agobotpr.html
in these sites you should find the information needed.
Hope it helps;)
 
LVL 4

Expert Comment

by:FalconHawk
ID: 13893132
Comment from easymage
Date: 04/29/2005 09:40AM CEST
 
I believe this is the file that gets modified by the probable virus: "C:\WINDOWS\system32\drivers\etc\hosts".
The hosts file is a bit like a phone book where the system goes and looks up computers on the network or addresses, and if it finds one there it automatically gives the IP to it so no more searching is needed (works a bit like DNS). The fact that it all points to 127.0.0.1, which is loopback (your computer), means that in theory you should have problems going to those sites.

Comment from FalconHawk
Date: 04/28/2005 09:12AM CEST

It almost seems like a virus is still on the PC. All those things in the list are AV programs and their update services. I THINK some kind of virus is trying to make your PC believe that their update services are located at 127.0.0.1, which is your own PC, so if you run such a service, it doesn't connect to the host but to the local PC.

hmmmm...... double post ^^ I guess :)
FHawk
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13895956
I don't see it mentioned here, but if running XP, be sure to turn off System Restore, THEN remove the pests/viruses (this includes spyware), as Windows will back up the bad files and restore them for you if you do not disable System Restore first. Then run the removal tools:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
-rich
 
LVL 10

Expert Comment

by:NetworkArchitek
ID: 13899126
Well, first download Spybot Search & Destroy, run it, and then enable the option to "Lock hosts file." Then continue with your virus removal, etc.
 
LVL 4

Expert Comment

by:FalconHawk
ID: 13915544
So far for solution giving... Gratz easymage.
jibarra, what part of his solution gave you the answer: the description of what the infection did, or the tools?
