Phony Antivirus

Discussion in 'malware problems & news' started by WilliamP, May 10, 2010.

Thread Status:
Not open for further replies.
  1. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    While on the internet, a screen popped up on my daughter's computer saying that her computer had all these viruses. I'm not sure what she did, but now she has a problem. I went to her house and ran Malwarebytes, Superantispyware and Hijackthis. Then I installed Avira and ran a scan. I got rid of a lot of junk but I'm not sure all is well. In Hijackthis it shows about 60 Host files that I can't get rid of. It says something to the effect that they can't be written to. Could there be a rootkit?
     
  2. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    C:\Windows\System32\Drivers\etc

    find HOSTS file there.
    right click it and properties.
    uncheck read only. apply
    open it with notepad and replace everything written there with the ff:

    Code:
    127.0.0.1       localhost
    
    close the notepad and save it. be sure to save and overwrite the HOSTS file.
    then place a check on read-only this time.
     
  3. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Just curious - was she running a realtime AV solution when this happened??
     
  4. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I am almost positive she was. The computer she has is my wife's old computer and it had Avira on it. It was no longer on it so I re-loaded it.
     
  5. Was it a current version with an up-to-date database?

    (Though to be brutally honest, I've heard rather a lot about how bad most AVs are against rogues.)
     
  6. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I'm not sure if it was up to date or not. I do know that the same thing could have happened to my wife on her new computer, but she called me into the room. These are smart. They panic people into clicking on anything. My wife's new computer has Avira Premium, up to date.
     
  7. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Konata, I tried what you said but when I unchecked read only it wouldn't allow it.
     
  8. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @WilliamP

    Some software also locks the HOSTS file as read only for protection, ZoneAlarm being one. So you would need to use the options to unlock it whilst you made any changes, not forgetting to lock it again.
     
  10. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    While you may restore your HOSTS File to default if the HOSTS file has been compromised, it is a definite sign of an infection which should be completely investigated per my previous post.

     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @siljaline

    Agreed :thumb: Wasn't saying there could not be an infection, in fact it sounds like there is, just pointing out something that not everyone might be aware of, or possibly have forgotten ;)
     
  12. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Malwarebytes removed a bunch of trash. I have also run Superantispyware and Avira. It is now clean with no pop ups. What else could lock the host files?
     
  13. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    some legitimate apps? o_O
     
  14. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    List all of your installed security software, we will sift through each one and try to determine what has locked your HOSTS File.

    There is a possibility that it is a leftover batch file from a previously used security app that has remained as a straggler. Again, list your software other than resident MS Installed Programs and we will try to help you as best possible.

     
    Last edited: May 13, 2010
  15. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047

    Why don't you install Unlocker and have a look instead of guessing? It can also unlock it BTW. :D

    EDIT: Oh, and make sure it's really the one that your OS is actually using, otherwise all your effort is futile wrt editing that file.

    Code:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
    
     
    Last edited: May 14, 2010
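    The two checks discussed in this thread, scripted as an added example (this is my code, not something posted by Konata Izumi, doktornotor or any project): it reads the DataBasePath registry value doktornotor pointed at to find the HOSTS file Windows is really using, reports whether the file carries the ReadOnly attribute, lists every entry that is not the default localhost mapping (the kind of lines HijackThis reports under O1), and provides a function that performs Konata Izumi's reset steps. The function names are my own, and the script assumes an elevated PowerShell session; the reset function is defined but not called.

```powershell
# Added example, not from this thread. Inspect the HOSTS file Windows actually
# uses, report its ReadOnly attribute and any non-default entries, and offer a
# scripted reset. Assumes an elevated PowerShell session. Function names are
# hypothetical (not part of any tool mentioned in the thread).

function Get-ActiveHostsPath {
    # DataBasePath holds the directory (usually with %SystemRoot%) that the
    # TCP/IP stack reads HOSTS from; editing a copy elsewhere changes nothing.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $dir = (Get-ItemProperty -Path $key -Name DataBasePath).DataBasePath
    $dir = [Environment]::ExpandEnvironmentVariables($dir)
    return (Join-Path $dir 'hosts')
}

function Get-HostsReport {
    param([string]$Path = (Get-ActiveHostsPath))

    $item     = Get-Item -LiteralPath $Path
    $readOnly = [bool]($item.Attributes -band [IO.FileAttributes]::ReadOnly)

    # Entries a clean file is expected to contain; anything else is reported.
    $default = @('127.0.0.1 localhost', '::1 localhost')

    $entries = foreach ($line in Get-Content -LiteralPath $Path) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith('#')) { continue }   # blank / comment
        $text = ($text -split '#')[0].Trim()                        # strip trailing comment
        $norm = ($text -split '\s+') -join ' '                      # collapse whitespace
        if ($default -contains $norm) { continue }
        $parts = $norm -split ' '
        [pscustomobject]@{
            Address = $parts[0]
            Names   = ($parts | Select-Object -Skip 1) -join ' '
        }
    }

    [pscustomobject]@{
        Path            = $Path
        ReadOnly        = $readOnly
        NonDefaultCount = @($entries).Count
        NonDefault      = @($entries)
    }
}

function Reset-HostsFile {
    # Konata Izumi's manual steps, scripted: clear ReadOnly, overwrite the file
    # with the default entry, then set ReadOnly again. Not invoked by default.
    param([string]$Path = (Get-ActiveHostsPath))
    $item = Get-Item -LiteralPath $Path
    $item.Attributes = $item.Attributes -band (-bnot [IO.FileAttributes]::ReadOnly)
    Set-Content -LiteralPath $Path -Value '127.0.0.1       localhost' -Encoding ASCII
    (Get-Item -LiteralPath $Path).Attributes += 'ReadOnly'
}

$report = Get-HostsReport
"HOSTS in use: $($report.Path)  (read-only: $($report.ReadOnly))"
"Non-default entries: $($report.NonDefaultCount)"
$report.NonDefault | Format-Table -AutoSize
```

    Run it first with no changes and read the NonDefault table: dozens of hostnames pointed at 127.0.0.1 or at one unfamiliar address is the pattern a rogue leaves behind, while a handful of deliberate blocks from a tool like Spybot is a different picture. If Reset-HostsFile fails with an access-denied error when clearing the attribute, something beyond the ReadOnly flag holds the file, which is the ZoneAlarm-style lock CloneRanger and doktornotor describe, and the Unlocker route is the next step.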
  16. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,124
    Location:
    Pennsylvania.
    I know it's an old program but IIRC Spybot Search and Destroy lets you lock your host file as read only and SpywareBlaster lets you do back ups of your host file. :D
     
  17. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I am not sure what to do. There are no longer any problems with her computer. I just wanted to get rid of the 62 host files that show up in a Hijackthis scan. With my computers, host files don't show up. I don't understand. The entries are listed under 01, which I have found out is [Hijack of auto.search.msn.com with Hosts files].
     
    Last edited: May 14, 2010
  18. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    I already told you the registry location where to check.
     
  19. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Thank you. I will fix it the next time I'm at her house.
     