
Why does my system "hosts" file keep resetting

Discussion in 'BlackHat Lounge' started by Stu784, Dec 7, 2010.

  1. Stu784

    Stu784 Regular Member

    Joined:
    Nov 2, 2009
    Messages:
    426
    Likes Received:
    106
    Hi,

    I've just noticed that when I check my system's 'hosts' file it seems to be resetting itself.

    I'm not sure if this is being done by my anti-virus software when it updates or if it's happening when I start up my PC.

    I have Windows XP and I'm running the free version of Avast.

    Here's what's in there each time I've been checking and this doesn't seem to ever get removed:

    "127.0.0.1 virustotal.com
    127.0.0.1 scanner.novirusthanks.org
    127.0.0.1 scanner2.novirusthanks.org
    127.0.0.1 virusscan.jotti.org
    127.0.0.1 virscan.org"


    All the extra lines I add for all the tools I've gathered from this forum seem to be getting removed.

    For now I have a copy of my hosts file saved with all the lines I need and I'm just mindful, now, to make sure I change it before I run any of my tools... It's getting a little annoying now though!!

    Please help...

    Thanks in advance.
     
    Last edited: Dec 7, 2010
  2. paincake

    paincake Power Member

    Joined:
    Aug 18, 2010
    Messages:
    716
    Likes Received:
    3,099
    I think you might have a virus
     
  3. Stu784

    Stu784 Regular Member

    Joined:
    Nov 2, 2009
    Messages:
    426
    Likes Received:
    106
    I've done a thorough scan with my AV and nothing is coming up.

    I've also run CCleaner.

    I'm gonna give Malwarebytes a scan now and see if anything shows up..

    Cheers.
     
  4. hamd01

    hamd01 Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 29, 2010
    Messages:
    560
    Likes Received:
    127
    You've got a problem if your hosts file is changing. That is defo not normal.
     
  5. Stu784

    Stu784 Regular Member

    Joined:
    Nov 2, 2009
    Messages:
    426
    Likes Received:
    106
    Yeah I know... Hopefully looking for a solution if you know it?
     
  6. darshan1994

    darshan1994 BANNED BANNED

    Joined:
    Oct 9, 2009
    Messages:
    654
    Likes Received:
    318
    It's a virus. Virus spreaders don't like you to scan their file, since if you do then their virus becomes more detectable. So what they do is patch your hosts file so you don't go to scanning sites.

    Do this
    Start > Run > msconfig > Startup and see if anything unusual tries to turn on that you don't use. Try to stop it and restart the PC; if it works then the box should stay unchecked as you left it (which means the virus is inactive but the source file is still on your PC), and if it doesn't stay as you wanted then it's some stubborn virus that will need strong and thorough scanning with Malwarebytes etc., and if all fails you've got to reinstall your OS.
     
  7. HoNeYBiRD

    HoNeYBiRD Jr. VIP Jr. VIP

    Joined:
    May 1, 2009
    Messages:
    5,881
    Likes Received:
    7,122
    Gender:
    Male
    Occupation:
    Geographer, Tourism Manager
    Location:
    Ghosted
    Interesting, so technically you cannot access those sites, with your hosts file being modified again and again.
    It must be an infection; there was another thread 2 days ago where the OP had a very similar problem, he couldn't access the above mentioned file scanning sites:
    Code:
    http://www.blackhatworld.com/blackhat-seo/blackhat-lounge/258925-help-virustotal-down-me.html
     
  8. Stu784

    Stu784 Regular Member

    Joined:
    Nov 2, 2009
    Messages:
    426
    Likes Received:
    106
    Do I need to run:

    Normal
    Diagnostic
    or Selective

    Start Up?
     
  9. bertbaby

    bertbaby Elite Member

    Joined:
    Apr 15, 2009
    Messages:
    2,019
    Likes Received:
    1,496
    Occupation:
    Product marketing
    Location:
    USA
    Yep, you got yourself some malware redirecting you to a crapware/ransomware site at novirusthanks. That sucker is buried deep in your registry, so you've got to take steps to remove the infection. Look up novirusthanks and there are several YouTube videos regarding its removal.
     
  10. Stu784

    Stu784 Regular Member

    Joined:
    Nov 2, 2009
    Messages:
    426
    Likes Received:
    106

    I tried to go to: virustotal.com

    and I got this message:

    Code:
    Oops! Google Chrome could not connect to virustotal.com
    Try reloading: virustotal. com
    Additional suggestions:
    Access a cached copy of virustotal. com
    Go to www. virustotal. co
    Search on Google:
    So I then tried: 74.53.201.162

    and I got this:

    Code:
    ERROR
    
    The requested URL could not be retrieved
    
    While trying to retrieve the URL: http://74.53.201.162/
    
    The following error was encountered:
    
    Access Denied.
    Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
    
    Your cache administrator is webmaster@hispasec.com. 
    Generated Tue, 07 Dec 2010 11:29:51 GMT by viruskill2.hispasec.com (squid/2.7.STABLE9)
    I CAN access these 3 ok:

    Code:
    http://www.mcafee.com/
    www.avg.com
    www.symantec.com

    So is what is in my hosts file being added by the virus or by Avast when it updates?
     
  11. HoNeYBiRD

    HoNeYBiRD Jr. VIP Jr. VIP

    Joined:
    May 1, 2009
    Messages:
    5,881
    Likes Received:
    7,122
    Gender:
    Male
    Occupation:
    Geographer, Tourism Manager
    Location:
    Ghosted
    Avast is not modifying your hosts file, I'm almost completely sure about that; it is the virus/malware.
    If Malwarebytes finds nothing, you can try Hitman Pro as well (it has a fully functioning trial version, you can use/update it for a month).
    But if none of those find anything, then your best bet is backing up your data, formatting your HDD and reinstalling the OS.
     
  12. Dellius

    Dellius Junior Member

    Joined:
    Jul 22, 2008
    Messages:
    106
    Likes Received:
    22
    Yep. Start Task Manager and see if there are any processes you don't recognize. Then look them up.

    Also, check your startup items. See if there are any suspicious files. Disable them and proceed to install some real AV like Avast.
     
  13. Stu784

    Stu784 Regular Member

    Joined:
    Nov 2, 2009
    Messages:
    426
    Likes Received:
    106
    So here's where my afternoon has gone...

    I ran Malwarebytes and these were the results of the first scan:

    Code:
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org
    
    Database version: 4160
    
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    
    07/12/2010 12:35:47
    mbam-log-2010-12-07 (12-35-47).txt
    
    Scan type: Full scan (C:\|)
    Objects scanned: 288335
    Time elapsed: 1 hour(s), 26 minute(s), 43 second(s)
    
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 4
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 5
    
    Memory Processes Infected:
    (No malicious items detected)
    
    Memory Modules Infected:
    (No malicious items detected)
    
    Registry Keys Infected:
    (No malicious items detected)
    
    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startup (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows update (Backdoor.IRCBot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    
    Registry Data Items Infected:
    (No malicious items detected)
    
    Folders Infected:
    (No malicious items detected)
    
    Files Infected:
    C:\Documents and Settings\User\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\User\Application Data\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\Updater.exe (Backdoor.IRCBot) -> Delete on reboot.
    C:\Documents and Settings\User\Application Data\Microsoft\System\Services\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\User\Application Data\Microsoft\System\Services\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    

    I then updated Malwarebytes (I know I should've done this first!!) and ran again. Here's the results of the second run:

    Code:
    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org
    
    Database version: 5260
    
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    
    07/12/2010 15:31:51
    mbam-log-2010-12-07 (15-31-51).txt
    
    Scan type: Full scan (C:\|)
    Objects scanned: 304940
    Time elapsed: 2 hour(s), 33 minute(s), 30 second(s)
    
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 3
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4
    
    Memory Processes Infected:
    (No malicious items detected)
    
    Memory Modules Infected:
    (No malicious items detected)
    
    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> Quarantined and deleted successfully.
    
    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender (Trojan.Agent) -> Value: Windows Defender -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Defender (Trojan.Agent) -> Value: Windows Defender -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender (Trojan.Agent) -> Value: Windows Defender -> Quarantined and deleted successfully.
    
    Registry Data Items Infected:
    (No malicious items detected)
    
    Folders Infected:
    (No malicious items detected)
    
    Files Infected:
    c:\system volume information\_restore{c4030fa9-793c-407b-8559-2270f060e173}\RP312\A0043591.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{c4030fa9-793c-407b-8559-2270f060e173}\RP312\A0043639.dll (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{c4030fa9-793c-407b-8559-2270f060e173}\RP312\A0043640.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
    c:\documents and settings\User\application data\data.dat (Stolen.Data) -> Quarantined and deleted successfully.
    

    I also changed my hosts file to add a line with a made-up URL.

    I shut down my PC and then rebooted it, and the additional line I added to the hosts file was still there.

    So I then restarted my PC to get the same result.

    I then removed the following lines from my hosts file:

    "127.0.0.1 virustotal.com
    127.0.0.1 scanner.novirusthanks.org
    127.0.0.1 scanner2.novirusthanks.org
    127.0.0.1 virusscan.jotti.org
    127.0.0.1 virscan.org"

    And restarted my PC and the only line in my hosts file was the made up one I added.

    So it seems that I have cleaned this up without the need for a full reformat.

    I'm going to run Malwarebytes one more time just to see if it finds anything else.

    What should my hosts file default settings be?
     
  14. HoNeYBiRD

    HoNeYBiRD Jr. VIP Jr. VIP

    Joined:
    May 1, 2009
    Messages:
    5,881
    Likes Received:
    7,122
    Gender:
    Male
    Occupation:
    Geographer, Tourism Manager
    Location:
    Ghosted
    Yea, it seems from what you wrote that Malwarebytes successfully got rid of the infection.

    The default hosts file depends on your OS:
    Code:
    http://support.microsoft.com/kb/972034
    Scroll down, there are 3 samples.
     
  15. Stu784

    Stu784 Regular Member

    Joined:
    Nov 2, 2009
    Messages:
    426
    Likes Received:
    106

    I looked at this earlier; I believe I need this one:

    Code:
    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host
    
    127.0.0.1       localhost

    Do I add my list of URLs below

    127.0.0.1 localhost

    or below

    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    # My line 1
    # My line 2
    # My line 3

    Do I even need this, and can I just list my IPs & URLs?
     
  16. bertbaby

    bertbaby Elite Member

    Joined:
    Apr 15, 2009
    Messages:
    2,019
    Likes Received:
    1,496
    Occupation:
    Product marketing
    Location:
    USA
    Below 127.0.0.1 localhost. The rest of the text with the * is an example.
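Pulling together the hosts-file format from the Microsoft sample quoted above and the five redirected scanner entries from the first post, here is an added Python check (not from any poster in this thread) that parses a hosts file the way the sample describes (first column IP, then hostnames, '#' comments), flags watch-listed domains pointed at loopback, and diffs the file against the expected stock content. The sample hosts text and the watch list are constructed from the entries quoted in the thread.

```python
import ipaddress

# Constructed sample: the stock Windows XP localhost line plus the five redirected
# scanner entries quoted in the first post (not a real captured file).
SAMPLE_HOSTS = """\
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
127.0.0.1 virustotal.com
127.0.0.1 scanner.novirusthanks.org
127.0.0.1 scanner2.novirusthanks.org
127.0.0.1 virusscan.jotti.org
127.0.0.1 virscan.org          # inline comment is ignored
"""

# Domains whose redirection to loopback is the symptom discussed in this thread.
SCANNER_DOMAINS = {"virustotal.com", "scanner.novirusthanks.org",
                   "scanner2.novirusthanks.org", "virusscan.jotti.org", "virscan.org"}

EXPECTED = {("127.0.0.1", "localhost")}  # the only mapping a stock XP hosts file carries


def parse_hosts(text):
    """Return (ip, hostname) pairs: '#' starts a comment, one IP then one or more names."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed first column; the resolver skips it, so do we
        pairs.extend((ip, name.lower()) for name in fields[1:])
    return pairs


def find_sinkholed(pairs, watchlist=SCANNER_DOMAINS):
    """Watch-listed hostnames mapped to loopback or 0.0.0.0 (classic scan-site blocking)."""
    hits = set()
    for ip, name in pairs:
        addr = ipaddress.ip_address(ip)
        if name in watchlist and (addr.is_loopback or addr.is_unspecified):
            hits.add(name)
    return sorted(hits)


def diff_hosts(pairs, expected=EXPECTED):
    """(added, removed): mappings not in the baseline, and baseline mappings now missing."""
    current = set(pairs)
    return sorted(current - expected), sorted(expected - current)
```

Run it against the live file (C:\WINDOWS\system32\drivers\etc\hosts on XP) on a schedule and alert on a non-empty `find_sinkholed` result or on a `removed` list, which is exactly the "my lines keep disappearing" symptom from the first post.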
     
  17. Stu784

    Stu784 Regular Member

    Joined:
    Nov 2, 2009
    Messages:
    426
    Likes Received:
    106
    Nice one and thank you to everyone in the thread.

    And I hope if anyone has a similar issue they can use this to their advantage...!
     
  18. Stu784

    Stu784 Regular Member

    Joined:
    Nov 2, 2009
    Messages:
    426
    Likes Received:
    106
    Just to confirm the third scan with Malwarebytes result was clean:

    Code:
    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org
    
    Database version: 5260
    
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    
    07/12/2010 19:13:19
    mbam-log-2010-12-07 (19-13-19).txt
    
    Scan type: Full scan (C:\|)
    Objects scanned: 290840
    Time elapsed: 1 hour(s), 8 minute(s), 38 second(s)
    
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    
    Memory Processes Infected:
    (No malicious items detected)
    
    Memory Modules Infected:
    (No malicious items detected)
    
    Registry Keys Infected:
    (No malicious items detected)
    
    Registry Values Infected:
    (No malicious items detected)
    
    Registry Data Items Infected:
    (No malicious items detected)
    
    Folders Infected:
    (No malicious items detected)
    
    Files Infected:
    (No malicious items detected)
     
  19. gc420

    gc420 Newbie

    Joined:
    Jan 26, 2007
    Messages:
    28
    Likes Received:
    0
    Try resetting and reformatting; I wouldn't trust or have any compromise on my box.
     
  20. Dellius

    Dellius Junior Member

    Joined:
    Jul 22, 2008
    Messages:
    106
    Likes Received:
    22
    You can't format every time you get a virus. Why should he format if the computer doesn't misbehave anymore? Even if it's a more resilient infection, there are a gazillion tools on the web available to fight it, and if everything else fails he can just remove it manually.