Solved

Malware Hosts file hidden and attrib un editable XP

Posted on 2010-09-22
10
2,104 Views
Last Modified: 2013-11-22
G'day all

Just finished removing a painful last aprt of a infection and wanted some advice.

Rmoved a rootkit with combo fix ,
cleaned up other multiple threats with malwarebytes.
cleanup browser with hijack this.

but the client still complained of google redirects.

After much pain
I found the host file missing under c:\%systemroot%\system32\drivers\etc
when i tried to copy a fresh HOSTS back i got a replace existing file warning.
But acces was denied.
unhid files in folder options still couldnt see the host file , tried command prompt aswell.

So i booted from my falcon four boot disk, into mini XP ( ramdisk)
And i could the see the host file (transparent)

opened it up and it had a heap of IP redirects for all things google , to a chinese Proxy i assume to facilitate some sort of piggy in the middle data collection.

anyways i tried to delete it and it said access denied
I tried to change the file attributes via attrib command again with access denied
I tried to change NTFS permissions with command also with access denied.

All I could do to facilitate a repair was rename it the file to  "hostsold" which it allowed me to do.
then I copied a fresh hosts file in its place..

Viola problem solved !

My question is ?
How come i couldn't modify the comprimsed file and see it under the normal windows , is there some sort of file system hack going around?

Even the recovery console acces denied me under administrator account. nor could i see it under DOS.

This worries me that there is some file system exploit allowing this file to exist in limbo, invisble when the OS is running
and uneditable outside the operating system.

Any Help would put my mind at ease
0
Comment
Question by:Kramer8u
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +3
10 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 33741516
I don't know how it's hiding but I use Linux Live CDs to remove malware files.  Linux doesn't care about Windows permissions.  Knoppix is what I use the most but I've used my Ubuntu 8.04 CD for something I couldn't do with Knoppix.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 33741528
I use Linux Live CDs to remove malware files.  Linux doesn't care about Windows file permissions.  I use Knoppix the most but Ubuntu 8.04 did one job Knoppix couldn't.
0
 
LVL 3

Accepted Solution

by:
AnakiMana earned 250 total points
ID: 33741529
In these scenarios, I usually have to take ownership of the file/folder before access is restored.  Here's an article on how to do so: http://support.microsoft.com/kb/308421

By the way, did you run Malwarebytes using a quick scan or the full scan?  I've found the full scan in many cases will find the trickiest malware that gets missed sometimes by ComboFix.

Before running Malwarebytes (quick or full scan) I always empty temp files to speed up scans.  A good utility for this is TFC (http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/) as it will empty temp files for ALL Windows user accounts instead of only the one you're logged into currently (Comodo System Cleaner & Ccleaner don't get all accounts).

Hope this helps.
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 
LVL 22

Assisted Solution

by:optoma
optoma earned 125 total points
ID: 33741552
Trt this the next time. Works :)

1-Create a system restore point
 
2-Download unlocker + Microsoft's hosts fixit
http://ccollomb.free.fr/unlocker/unlocker1.8.8-portable.zip (av may detect it as a threat so disable av temporarly, if so)
http://support.microsoft.com/kb/972034

3-Show hidden files
http://www.bleepingcomputer.com/tutorials/tutorial62.html

4-Run unlocker and browse to
C:\windows\system32\drivers\etc
Use unlocker to delete the host file


5-Reboot and run Microsoft's fixit to create new host file

6-Reboot again and check hosts file

>Or slaving the drive and using unlocker to delete it
0
 
LVL 7

Expert Comment

by:Robby Swartenbroekx
ID: 33741561
First in the mini XP try to take ownership of the file.
Then give everyone full access on security level.

boot into the full Windows and change the file security to
- administrators: full access
- system: full access
- users: read and 'read and execute'


0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 125 total points
ID: 33743730
ComboFix would've already replaced the Hosts file when it removed the rootkit.

Do you still have the ComboFix log?


Also try using TDSSKiller.
Download TDSSKiller and save it to your Desktop.
http://support.kaspersky.com/downloads/utils/tdsskiller.zip 

Extract the file and run it.
Make sure all other windows are closed and to let it run uninterrupted.
Reboot your machine and see if the infection is gone
 

0
 

Author Comment

by:Kramer8u
ID: 33749050
Nah combofix froze just b4 stage 1
and I tried resetingbtge permissions and attributes via bot disk.
Again I have removed and checked with root repeal the rootkit ( fake sys driver) and Trojans. Just was curious why I couldn't see in os or edit out of os the compromised host file

 
0
 
LVL 22

Expert Comment

by:optoma
ID: 33749767
Usually when you unhide folders etc, you can see it.
Using Mini Xp will also lead to the file being "locked", hence using unlocker to delete it or use a Linux boot cd :)
0
 

Author Comment

by:Kramer8u
ID: 33749788
Ok well it doesn't sound like I should be too concerned then.
I'll split the points across those who suggested additional tools a processes to refine my removal process.

Thankyou all

0
 
LVL 3

Assisted Solution

by:AnakiMana
AnakiMana earned 250 total points
ID: 33751706
Since you mentioned that ComboFix froze, I should mention another tool that I'll run when either CF or Malwarebytes won't run.  To kill malware processes that prevent your other tools from running, or prevents executables or task manager, run rkill.com or any of its renamed variants, which you can obtain here: http://www.bleepingcomputer.com/forums/topic308364.html

It has become a favorite tool of mine and my fellow road-techs... one of our "secret weapons".
0

Featured Post

Forrester Webinar: xMatters Delivers 261% ROI

Guest speaker Dean Davison, Forrester Principal Consultant, explains how a Fortune 500 communication company using xMatters found these results: Achieved a 261% ROI, Experienced $753,280 in net present value benefits over 3 years and Reduced MTTR by 91% for tier 1 incidents.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question