May 5th, 2004 22:00
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS file keeps getting overwritten
I discovered and removed a W32.Gaobot virus variant this week and one thing that it appears to have left behind is a way, on start up, to overwrite the C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS file.
The virus modifies this file to specify URLs of web sites to which you are prevented access (including Symantec & McAfee, among many others). So after removing the virus, and disabling XP System Restore, I accessed and modified this file (using Notepad) by deleting the list of URLs to sites to which you are prevented access, then saving it - this will allow you to then access all of the sites.
However, after restart, the C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS file again contains the list of URLs - there must be some executable on start-up that finds the "HOSTS" file and overwrites it, thus preventing access to those aforementioned web sites; if this is the case, does anyone know what this process is so I can delete it or is there a good way to search for this process to find and delete it?
Perhaps I'm mistaken about how the file gets overwritten - does anyone have any ideas? I've searched via Google, and read information on both Symantec and McAfee but I did not see anything about this file getting overwritten on start up.
Thanks for any advice that you might share.


gryjhnhpe
May 5th, 2004 23:00
Click on a Program in the list & it might display an extra POP-UP window with info about the Program.
The extra Program might not display a POP-UP.
If you can identify the extra Program, click on it & remove the tick to temporarily disable auto startup.
Then re-start the Computer & check the Hosts file again using Spybot Tools > Hosts file.
If that Program was the culprit you can permanently delete it: click on the Program & click on the Delete button at the top.
If you delete extra sites, you should leave the line 127.0.0.1 localhost (it is the default).
You can get a FREE program called Spybot from:
http://spybot.eon.net.au/
If you install with Blind Icons you also get a Desktop shortcut which shows extra "Immunize" Options
"Lock IE Home Page"
"Lock Hosts file"
"Lock use of Internet Options from IE > Tools > Internet Options"
Also has other Tools, like list or Add/Remove of Auto Startup Programs & lists Hosts file
change the Shortcut link "Target" to
"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" or use "All Programs" > "Spybot > Advanced Mode"
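
As an added example (not part of either post above, and not Spybot's code): a small Python auditor for the check described in this thread. It lists every HOSTS mapping other than the default `127.0.0.1 localhost`, and compares the cleaned file with the file found after a restart. The function names, the keyword watch-list and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress

# Assumed watch-list: the two vendors named in the post; extend as needed.
WATCH_KEYWORDS = ("symantec", "mcafee")
DEFAULT_NAMES = {"localhost"}  # the stock "127.0.0.1 localhost" entry

def parse_hosts(text):
    """Return (line_no, ip, hostname) for every mapping in a hosts file."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2:
            continue  # blank line, or an address with no hostname
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an address: not a mapping
        entries.extend((line_no, fields[0], n.lower()) for n in fields[1:])
    return entries

def is_sinkhole(ip):
    """True for loopback or 0.0.0.0-style addresses, which black-hole a name."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified

def audit(text):
    """List (line_no, hostname, reason) for every non-default mapping."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in DEFAULT_NAMES and is_sinkhole(ip):
            continue  # the default entry that should be left in place
        if not is_sinkhole(ip):
            reason = "non-default mapping"
        elif any(k in name for k in WATCH_KEYWORDS):
            reason = "security vendor blocked"
        else:
            reason = "host blocked"
        findings.append((line_no, name, reason))
    return findings

def reappeared(cleaned, after_restart):
    """Hostnames mapped after the restart that the cleaned file did not have."""
    before = {(ip, n) for _, ip, n in parse_hosts(cleaned)}
    return sorted(n for _, ip, n in parse_hosts(after_restart)
                  if (ip, n) not in before)

# Constructed sample data, not taken from a real infected machine.
CLEAN = "# constructed sample\n127.0.0.1 localhost\n"
REWRITTEN = CLEAN + ("127.0.0.1 www.symantec.com\n"
                     "127.0.0.1 www.mcafee.com update.example.test # two names\n"
                     "10.0.0.5 intranet.example.test\n")

if __name__ == "__main__":
    for finding in audit(REWRITTEN):
        print(finding)
    print("re-added after restart:", reappeared(CLEAN, REWRITTEN))
```

Saving a copy of the cleaned file before rebooting and passing both copies to `reappeared` confirms whether something rewrote the file at start-up.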