NOD32 detect virus on my HOST...

Discussion in 'NOD32 version 2 Forum' started by rdsu, May 11, 2005.

Thread Status:
Not open for further replies.
  1. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
  2. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It looks like the hosts file was modified during a scan with spywareblaster. You should be able to find it in quarantine so please send the appropriate nqi and nqf files to support@eset.com with a link to this thread.
     
  4. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Marcos beat me to it, but that is what I was going to say. I use that hosts file combined with the one from bluetack, and I just ran a complete scan with the latest defs with no virus turning up.

    I also use Spywareblaster too, no probs here. I would follow the advice Marcos sent you tho.

    Regards,

    Jag
     
  5. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    NOD32 doesn't put the file in Quarantine :(
    The file doesn't have any kind of protection...
    You can download the file to test it...

     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The "hosts" file should exist in that folder by default. Here is the content of the original file. If there are other records too (especially URLs of AV vendors), it is very likely the file was modified by a trojan:

    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost
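
The check described in the post above (records beyond the default 127.0.0.1 localhost line, especially ones naming AV vendors) can be automated. This is an added example, not part of the original posts and not ESET's detection logic; the watch list, the verdict names and the sample file are constructed assumptions.

```python
import ipaddress

# Hypothetical watch list (an assumption, not from the thread): domains whose
# resolution a hosts file has no business overriding, e.g. your AV vendor.
WATCHED_SUFFIXES = ("eset.com", "av-vendor.example")

# Constructed sample input; addresses are documentation ranges.
SAMPLE = """\
# Constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 ads.example.net      # typical blocklist entry
0.0.0.0 tracker.example.org
127.0.0.1 www.eset.com
203.0.113.7 login.example.com www.av-vendor.example
not-an-ip garbage
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping; comments and junk are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an IP address
        for name in fields[1:]:  # one line may carry several aliases
            yield line_no, ip, name.lower().rstrip(".")

def classify(ip, name):
    """Label one mapping: default, blocklist, redirect, or a watched-domain override."""
    sinkhole = ip.is_loopback or ip.is_unspecified  # 127.0.0.0/8, ::1, 0.0.0.0, ::
    if any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES):
        return "watched-blocked" if sinkhole else "watched-redirected"
    if name == "localhost" and ip.is_loopback:
        return "default"
    return "blocklist" if sinkhole else "redirect"

def audit(text):
    """Return the mappings worth a human look; defaults and sinkholed ad hosts are not."""
    return [(n, str(ip), name, verdict)
            for n, ip, name in parse_hosts(text)
            for verdict in [classify(ip, name)]
            if verdict not in ("default", "blocklist")]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A 127.0.0.1 entry is harmless for an ad server but not for a watched domain, where it silently blocks updates, which is why the two cases get different verdicts.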
     
  7. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Marcos you keep beating me back to this post today man! :p

    VaMPiRiC_CRoW - You might also want to make your HOSTS file read only, to try to help prevent this in the future. ;)

    Regards,

    Jag
     
  8. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    I was using the HostsMan and when I choose to download the MVPS Hosts file, then NOD32 detects the virus, but only after the new virus databases...

    I downloaded the MVPS Hosts file from the source, and now NOD32 didn't detect anything...

    Marcos, can you compare the files and see what's wrong with "hosts.hostman". The source is "hosts.source".

    Jaguar, thanks for the advice ;)
     
  9. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Good advice! I almost forgot this way of protecting the HOSTS file. I've made mine read-only now ;)
     
  10. tisazalay

    tisazalay Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    32
    This attached file is the hosts file (just rename hosts.rar.log to hosts.rar to be able to unrar), I read it myself, don't know why it's a trojan since each line is 127.0.0.1, so no matter what's on the rest of it it won't be parsed as an error... still Qhosts.... I'm pretty sure that text file won't run any code!

    tisazalay
     


  11. tisazalay

    tisazalay Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    32
    BTW, don't worry, that file is not a virus, 100% sure, if this violates the terms for this site, please excuse me and erase my post, only meant to be of some help.... (My NOD32 program detects it when I click, but it's truly a FP).

    tisazalay
     


    Last edited: May 11, 2005
  12. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Do you mean a program like Spybot for example :doubt:

    Spywareblaster does not scan for anything....it is a set and forget program....providing IE ActiveX protection, Cookie protection (IE and Mozilla) and Restricted Sites protection for IE....but no kind of scanning ability.
     
  13. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    I agree with you Bubba, but did you look at the original ss pointing to Spywareblaster?

    Seems strange tho right? o_O
     
  14. FanJ

    FanJ Guest

    Hi Jaguar,

    There is most likely an explanation for that (Bubba and me talked in private about it).
    I don't know whether I'm allowed to quote Bubba ;)
     
  15. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    FanJ,

    No problem. Bubba can come back and post if he wishes, or send me a PM. I would be curious as to what caused this.

    Sorry to go OT here. :blink:

    Jag
     
  16. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Last edited: May 12, 2005
  17. FanJ

    FanJ Guest

    Hi,

    Sorry in case I added to the confusion :oops:

    As I see it, there are two issues here:

    1.
    The alert from NOD32 about that HOSTS-file from that freefile-site.

    2.
    The alert window from NOD32 in the first screenshot from VaMPiRiC_CRoW where SpywareBlaster is mentioned in the Comment from NOD32.


    About 1 :
    Yes, I too get a warning from NOD32 (latest beta).
    But not a warning when I get the file from the MVPS-Hosts-site.
    I disabled NOD32, downloaded the file from that Freefiles-site (TDS-3 and BOClean were both resident ;)).
    I checked the file at Jotti (obviously I wasn't the first one ;)):
    Only NOD32 gives a warning; see screenshot.
    I don't know why NOD32 gives a warning about that file.

    About 2 :
    That was about the question why SpywareBlaster was mentioned in that screenshot in reply # 1.
    It was about this issue that Bubba posted.

    Cheers, Jan.
     


    Last edited by a moderator: May 12, 2005
  18. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks Jan, that seems to be clear.

    Cheers :D
     
  19. Happy Bytes

    Happy Bytes Guest

    I'm back :cool: (from sleeping...) :D

    I'll take a look at this when I arrive in the company.
    Can take a while, coz CSSHS (coffee, shower, shaving, hair styling)... just the usual things.
    So stay tuned :D
     
  20. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Hi guys,

    I already sent an email to the HostMan authors to see this topic... ;)

    Regards
     
  21. Happy Bytes

    Happy Bytes Guest

    Ok under progress... will be fixed soon. :D
     
  22. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Yeah....I saw that....but the only reason Spywareblaster has been brought into the mix is because its fingerprints\sticky fingers were on the Hosts file.

    That reference to spywareblaster.exe tells me VaMPiRiC_CRoW made a back-up of his Hosts file using Spywareblaster's Hosts file backup feature. He then came along and restored his backup copy of his Hosts file using Spywareblaster's Hosts file restore feature.

    The key to all of this is that the Hosts file itself was never created by Spywareblaster. The only part Spywareblaster played in this is that it backed it up and restored it. It ain't Spywareblaster's Hosts file.

    Cool Daddy will fix this burp for sure :cool:

     
  23. FanJ

    FanJ Guest

    Thanks to all of you for your postings about this, warnings, explanations, fixing :D

    Warm regards, Jan.
     
  24. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Bubba, I didn't make any backup of my hosts file with SpywareBlaster...
     
  25. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Well....I sure won't dispute that....but will only reiterate that the only feature Spywareblaster has in regards to a Hosts file is its Hosts Safe feature. It will be interesting indeed to find out why spywareblaster.exe shown in your post # 1 was even mentioned by Nod32.

    There is one other thought....would you mind searching your drive for a file named hostslist.sss, please.
     

