Try doing hijackthis logs from the instructions below. One to a thread please. We can then try to help you.
I finally found a fix to this at http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.afj.html
Just one question: why do I keep getting spyware on my computer? Just got a couple of days ago and already have it on my computer. It's really getting on my nerves.
I guess what I should have said in my last reply is: what can I do to prevent spyware from getting on my computer? I thought a firewall would stop some of it from getting on, but I was wrong. So any help would be appreciated.
breaker35
15 Posts
0
May 6th, 2004 01:00
I had one of the Sassers this weekend which I think I eradicated. But I now have precisely the same problem you describe--the exact file as you have it set out. I go in and delete the HOSTS, then I am able to access Symantec and McAfee. When I run one of the Sasser removal tools (Stringer) without first deleting HOSTS, Stringer recognizes the problem and calls it a QHOSTS Trojan, and purports to fix it. But it's back every time I reboot. I did a little more research and found a Symantec removal tool for the QHOSTS Trojan that didn't even recognize that I have a problem. So that didn't help any. You may want to take a look at my thread about problems after clearing Sasser in which I ask questions about the same problem. So far nobody has really had an answer. There is one other on there with the problem as well. Please post if you find a fix and I will certainly do the same. Again, in my case this problem is subsequent to the Sasser Worm.
breaker35
ChrisRLG
3.9K Posts
0
May 6th, 2004 06:00
==============
Use these to remove Malware (Virus, Spyware and Adware).
First :-
Spybot S&D and Ad-aware using the settings and links provided
Here
Failing those solving your problems a post of a hijackthis log for the experts to advise.
HijackThis From Here
or one of these other links:-
http://www.merijn.org/files/hijackthis.zip
http://www.aluriasoftware.com/tools/hijackthis.zip
http://mjc1.com/mirror/hjt/
Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. Unzip HijackThis into this folder. (See this link for graphical instructions)
Then run, scan, save log, then in Notepad copy the FULL log by copy and paste as a reply to this post and an expert with HijackThis knowledge will have a go at giving advice. A lot of posters make mistakes here in copying and pasting so reread the left info sidebar called Copy and Paste
Please note the list of experts' names below, very few forum regulars here have had this training.
DO NOT FIX ANYTHING WITH HIJACKTHIS WITHOUT EXPERT ADVICE, most of what it finds you need for normal MS Windows tasks.
Known Spyware HijackThis fighters in DellTalk - If you are, and are not on the list please PM Me.
TomCoyote (of http://tomcoyote.org/forums/index.php fame)
YoKenny (Expert at TomCoyotes, Trusted Advisor Spywareinfo)
baskar1234 (Teaching Assistant at TomCoyotes, Trusted Advisor Spywareinfo)
ChrisRLG (Classroom Coordinator at TomCoyotes, Trusted Advisor Spywareinfo)
Tuxedo Jack (Teaching Assistant at TomCoyotes, Trusted Advisor Spywareinfo)
Yellowhammer (Trusted Advisor at Net-Integration, First Responder at Computer Cops)
tashi (Teaching Assistant at TomCoyotes, Trusted Advisor Spywareinfo)
therock247uk (In Training at TomCoyotes and Spywareinfo)
irelynmisses (In Training at TomCoyotes and Spywareinfo)
Texruss (In Training at TomCoyotes and Spywareinfo) - Regular poster at DellTalk
PGPhantom (In Training at TomCoyotes, Trusted Advisor Spywareinfo)
You could also go to one of the more specialist forums where more experts will be able to help.
http://tomcoyote.com/forums/index.php
http://forums.spywareinfo.com/index.php
http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi (Home of Spybot S&D)
http://boards.cexx.org/index.php
http://www.wilderssecurity.com/index.php
Do read the site's FAQ before posting, and advise your problem and what steps you have already done to try to cure your problem.
I, and the other hijack experts mentioned above, are in all those sites (and more) with the same login names. You might get one of us at those sites also to answer your log, but other experts will also be available.
Navin kurian
526 Posts
0
May 6th, 2004 08:00
Try the info here http://mvps.org/winhelp2002/hosts.htm and the lockhost.bat at the end of the article BUT only after your Hosts file is reset to its original settings.
t-writer
13 Posts
0
May 11th, 2004 02:00
After updating virus definitions, running a scan and deleting infected files, the real culprit (overwriting of hosts file and denying access to sites) resided in one of the executable files I deleted and elimination of some values in the registry that the virus put there.
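Added example, not part of any post in this thread: a check for the symptom described above, a hosts file rewritten so that antivirus vendor sites stop resolving. The watch list `WATCHED_SUFFIXES` and the `SAMPLE_HOSTS` text are constructed for illustration; feed `suspicious_entries()` the contents of the machine's real hosts file instead.

```python
import ipaddress

WATCHED_SUFFIXES = ("symantec.com", "mcafee.com")  # assumed watch list

SAMPLE_HOSTS = """\
# Constructed sample, not taken from the thread
127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
0.0.0.0 mcafee.com   # trailing comment
192.0.2.10      intranet.example
127.0.0.1       notsymantec.com
garbage-line-without-address
"""

def parse_hosts(text):
    """Yield (line_no, address, hostname) for each mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank, comment-only, or malformed line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:                 # one line may carry several aliases
            yield line_no, addr, name.lower().rstrip(".")

def is_watched(name, suffixes=WATCHED_SUFFIXES):
    """True if name equals a watched domain or is a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in suffixes)

def suspicious_entries(text, suffixes=WATCHED_SUFFIXES):
    """Return (line_no, hostname, address, blocking) for watched domains.

    A stock hosts file has no entry for these domains, so any override is
    worth reviewing; loopback or 0.0.0.0 targets are marked as blocking.
    """
    hits = []
    for line_no, addr, name in parse_hosts(text):
        if is_watched(name, suffixes):
            blocking = addr.is_loopback or addr.is_unspecified
            hits.append((line_no, name, str(addr), blocking))
    return hits

if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_HOSTS):
        print(hit)
```

If flagged entries return after the file has been reset, whatever rewrites it is still running on the machine, which matches the reboot behaviour reported earlier in the thread.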
at at walker
2 Posts
0
May 14th, 2004 09:00
at at walker
2 Posts
0
May 14th, 2004 09:00
ChrisRLG
3.9K Posts
0
May 14th, 2004 11:00
Can I repeat - do a hijackthis log so we can help. It's a diagnostic tool used by most malware fighters.