
spyware

Discussion in 'Security and Privacy' started by adella, 2004/04/21.

Thread Status:
Not open for further replies.
  1. 2004/04/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    joeskys,

    Ad-Aware is a very good spyware removal tool to run in addition to Spybot. Each finds some things the other does not. Always check for updates before running them. I recommend running once a week if you do a lot of surfing. CWShredder is not a utility to be run on a regular basis, but when an infection is present or suspected. Try to keep an updated version at all times. As you have seen, once infected by some things, you can't get to the sites you need to get removal tools. There is a sample HOSTS file on all XP machines. There are many hosts files available that can be used to block undesirable sites, ads, etc. The hosts file in this thread, which was on Adella's machine, was dropped there by a nasty. Its purpose was to allow the hijacker to stay securely on her machine by blocking access to help sites. A hosts file can also be manually configured and added to or subtracted from. HijackThis can be set to exclude known good entries from later scans, which allows you to easily see what, if anything, has changed. To do so, after being given an 'all clean' by someone experienced with the logs, scan again, check all entries and then click the 'add checked to ignorelist'. When submitting a scan for review by the 'experts', include everything previously excluded. Click config, ignorelist and delete all, then scan.

    I outlined maximum scanning settings for both Spybot and Ad-Aware here.

    Newt,

    If Adella is absolutely sure that the location of that hosts file was not in the etc. folder, what I had previously assumed may well be correct. When dropped onto someone's PC, it somehow also makes the computer search in its location, wherever that may be, rather than the default location. I don't know where in the registry the search location command for the hosts file comes from, but I see no reason that it can't be manipulated, as are all these other registry settings that spyware/malware do their thing with. I suppose the idea behind the hosts file reader is faster detection of the malicious hosts file, as I'm confident they try to hide it.
     
  2. 2004/04/22
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    I did some checking around and at this point I think the registry setting to specify the location to check for hosts (and 3 or 4 other files like networks, protocol, services) is

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

    The value should be %systemroot%\system32\drivers\etc for any NT4 or above system. If it is anything else, it should be set to this. Further, if the value is %systemroot%\help then the change for sure was made by a baddie. The Qhost trojan was the first I found that did this sort of thing but likely there are others by now.

    If CurrentControlSet is changed, good chance that ControlSet001, ControlSet002, etc. were as well so they should be fixed.

    I can't play right now (work machine and I gotta leave the settings as they are) but maybe someone else could gen up a bogus hosts file that mis-directs a couple listings and put it somewhere other than the proper location then tweak the reg setting to look there and see if it does.

    127.0.0.2 windowsbbs.com
    in the hosts file should stop access to this site and maybe put the hosts file in c:\temp just to check things.

    If no one has done so by tomorrow AM, I'll try it from home and let you know what happened.
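    An added check (not code from the thread) for the DataBasePath audit Newt describes: it normalises the value found under CurrentControlSet and each ControlSetNNN and reports any that point somewhere other than the stock folder. The default systemroot of C:\WINDOWS and the sample values are assumptions; on Windows the script reads the live registry, elsewhere it runs against a constructed sample.

    ```python
    import sys

    # Stock location for NT4 and later, as stated in the thread.
    DEFAULT_DATABASE_PATH = r"%systemroot%\system32\drivers\etc"
    TCPIP_PARAMS = r"SYSTEM\{0}\Services\Tcpip\Parameters"


    def database_path_is_default(value, systemroot=r"C:\WINDOWS"):
        """True if a DataBasePath string resolves to the stock folder.
        Case-insensitive; accepts %SystemRoot% either unexpanded
        (REG_EXPAND_SZ) or already expanded, with or without a trailing slash."""
        root = systemroot.lower().rstrip("\\")
        actual = value.strip().rstrip("\\").lower().replace("%systemroot%", root)
        expected = DEFAULT_DATABASE_PATH.lower().replace("%systemroot%", root)
        return actual == expected


    def audit_control_sets(paths, systemroot=r"C:\WINDOWS"):
        """paths maps a control set name to its DataBasePath value.
        Returns the names that point anywhere but the default; [] means clean."""
        return [name for name, value in paths.items()
                if not database_path_is_default(value, systemroot)]


    def read_control_sets_from_registry():
        """Windows only: collect DataBasePath from CurrentControlSet and every
        ControlSetNNN, since a hijacker may have changed more than one."""
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SYSTEM") as system:
            count = winreg.QueryInfoKey(system)[0]
            names = [winreg.EnumKey(system, i) for i in range(count)]
        wanted = ["CurrentControlSet"] + [n for n in names if n.upper().startswith("CONTROLSET")]
        paths = {}
        for name in wanted:
            try:
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TCPIP_PARAMS.format(name)) as key:
                    paths[name] = winreg.QueryValueEx(key, "DataBasePath")[0]
            except OSError:
                pass  # this control set has no Tcpip\Parameters key; skip it
        return paths


    if __name__ == "__main__":
        if sys.platform == "win32":
            paths = read_control_sets_from_registry()
        else:  # constructed sample: CurrentControlSet redirected, as in the thread
            paths = {"CurrentControlSet": r"%systemroot%\help",
                     "ControlSet001": r"%SystemRoot%\System32\drivers\etc"}
        for name in audit_control_sets(paths):
            print(f"{name}: DataBasePath is {paths[name]!r}, expected {DEFAULT_DATABASE_PATH}")
    ```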
     


  4. 2004/04/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Well good homework Newt! :) I just added 127.0.0.2 windowsbbs.com to my sample hosts file and moved it to C:\windows\nohelp, then modified the value of
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
    to reflect that path and I could no longer access windowsBBS.com from a typed URL or my homepage button. I was however able to do a search for windowsbbs which produced some thread links and was able to access the site that way with full access, even to bbs home. After modifying the value back to the default location, I was still unable to access via typed URL/homepage. It was necessary to remove the entry from the hosts file, even though it was still in the wrong location. :confused: Think I'll go back and move the file again and add the site without the regedit and see what happens.
     
  5. 2004/04/22
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    This confirmed info about the changed locations of the HOSTS file is definitely something to keep in mind. This info can be used or misused.
     
  6. 2004/04/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Well, I think some further testing is needed. I can only manage to get the hosts file to block this site like 1 in 5 times regardless of where I put it and edit the key to point to. I've tried logging off after making changes and still they don't always seem to take. I can say I was able to recreate the block 1 more time with the file in a location other than the default. But as I stated before, if the registry can be changed to redirect your search page, homepage, etc, etc, I see no reason it can't be changed to look for a hosts file in a location other than the default.

    Adella,
    If you're still following along, would you check the string value of the entry Newt pointed out? As stated, it should be %systemroot%\system32\drivers\etc by default. Check under the ControlSet001, ControlSet002, etc, locations also.

    Wish I could just surf around and pick up one of these hosts files. Maybe if I visit the isearch site with my firewall off. :eek: Gonna have to think on that a bit before doing it. :p

    BTW, anyone know what's wrong with the EEK smilie?
     
  7. 2004/04/23
    adella

    adella Inactive Thread Starter

    Joined:
    2002/05/03
    Messages:
    14
    Likes Received:
    0
    Yeah I'm still here. Checked the registry ControlSet1 and ControlSet2, both were %systemroot%\system32\drivers\etc
    I am able to get to most sites, but I noticed that I'm unable to get spywareinfo.com and merijn.org. I really don't know much about the hosts file. Can it be edited? What should be there?
    Adella
     
  8. 2004/04/23
    adella

    adella Inactive Thread Starter

    Joined:
    2002/05/03
    Messages:
    14
    Likes Received:
    0
    I've also noticed that when I click the back button when searching the web, it tries to take me back to 127.0.0.1. Click it a couple more times and I can get back to Google. This happens on the sites that I couldn't get to before.
    Adella
     
  9. 2004/04/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yes the hosts file can be edited. You can open it with notepad. By default the HOSTS file looks like this;

    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost

    and as previously stated, should be located at C:\Windows\System32\drivers\etc. Most edited HOSTS files contain addresses for undesirable sites and ads. Good description of the HOSTS file here. (hope you can get there :) ) Another way to find, view and edit the hosts file is to use the HOSTS file reader. See if that works for you and please advise of the results.

    Did you also check the registry at ControlSet? Also, did you ever run an updated CWShredder, Ad-Aware and Spybot configured to the max since fixing with HJT?
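    An added example (not from the thread) that parses a hosts file in the format shown above and flags entries that redirect the help sites the thread names, which a real ad blocklist has no reason to touch. The watch list and the sample file contents are constructed for the demonstration.

    ```python
    import ipaddress

    # Constructed watch list: help sites the thread says the hijacker's file blocked.
    HELP_SITES = {"windowsbbs.com", "spywareinfo.com", "merijn.org"}

    # Constructed sample: the stock header plus entries in the style of the thread.
    SAMPLE_HOSTS = """\
    # Copyright (c) 1993-1999 Microsoft Corp.
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    127.0.0.1       localhost
    127.0.0.2 windowsbbs.com          # dropped by the hijacker
    127.0.0.1 www.merijn.org spywareinfo.com
    0.0.0.0   ads.example.invalid   # ordinary blocklist entry, not a help site
    """


    def parse_hosts(text):
        """Return (ip, hostname, line_number) for every mapping in a hosts file.
        Text after '#' is a comment; one address may be followed by several names,
        separated by spaces or tabs, exactly as the stock file's header describes."""
        entries = []
        for lineno, raw in enumerate(text.splitlines(), 1):
            fields = raw.split("#", 1)[0].split()
            if len(fields) < 2:
                continue  # blank, comment-only, or an address with no name
            try:
                ipaddress.ip_address(fields[0])
            except ValueError:
                continue  # first column is not an address; the resolver ignores it
            for name in fields[1:]:
                entries.append((fields[0], name.lower(), lineno))
        return entries


    def find_blocked_help_sites(text, watch=HELP_SITES):
        """Mappings that redirect a watched site or any subdomain of it.
        Any hit is suspect, whatever address it points to."""
        return [(lineno, name, ip) for ip, name, lineno in parse_hosts(text)
                if any(name == site or name.endswith("." + site) for site in watch)]


    if __name__ == "__main__":
        for lineno, name, ip in find_blocked_help_sites(SAMPLE_HOSTS):
            print(f"line {lineno}: {name} -> {ip}")
    ```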
     
  10. 2004/04/23
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Like Lonny I use the Hosts file from

    http://www.mvps.org/winhelp2002/hosts.htm

    and also the two *.bat files to lock/unlock the file.

    Only problem I have experienced - my website counter - www.ultimatecounter.com is (was) included in the Hosts file - needless to say the counter stopped working! Took a while to discover that it was in the Hosts file - removed it - all back to 'normal'.
     
  11. 2004/04/23
    adella

    adella Inactive Thread Starter

    Joined:
    2002/05/03
    Messages:
    14
    Likes Received:
    0
    Yes I did check the registry at Controlset and everything looked alright. Looked at the hosts file and it had been edited. The addresses that Spybot had added were located below the ones that had been changed. Did load the hosts file reader and chose to reset default. Now I can get to merijn.org and load cwshredder.
    Should I reload Spybot's list into the hosts file? I noticed it slowed browsing just a bit.
    Adella
     
  12. 2004/04/23
    adella

    adella Inactive Thread Starter

    Joined:
    2002/05/03
    Messages:
    14
    Likes Received:
    0
    A little bit more information. My spouse was browsing, said AVG found a virus. He ran AVG. I just looked in the virus vault and saw msits.exe. Now that I am finally able to access merijn.org, I found something that sounds like some of the problems I've been having, although it never changed my homepage. Maybe you might want to check it out and see if that could be the problem. It's the first news article at merijn.org.
    Adella
     
  13. 2004/04/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    What I've been able to find on the msits.exe was an ActiveX plugin pointing to this address http ://ww w.008k.com which is a **** site that instantly installed this run entry O4 - HKCU\..\Run: [Ltho] C:\Documents and Settings\Dave\Application Data\ootr.exe and my firewall asked to permit ootr.exe and rs.exe internet access. I have C:\Docs and settings\Dave\local settings\temps\rs.exe, C:\Windows\Prefetch\RS.exe-2CE3E4OD.pf, C:\Documents and Settings\Dave\Application Data\ootr.exe, C:\Windows\Prefetch\OOTR.EXE-22A2554C.pf, ootr.exe running process and have not searched the registry yet. Will report back what I find.

    What, if any, HOSTS file you use is totally up to you. I don't use one myself.
     
  14. 2004/04/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    In the registry, besides the run entry, HKEY_LOCAL_MACHINE\ControlSet001\Control\Terminal Server\SysProcs
    Dword NETSTRS.exe value 0

    These executables both come up as adware from what I've found so far. What was the location of the msits.exe file?
     
  15. 2004/04/23
    adella

    adella Inactive Thread Starter

    Joined:
    2002/05/03
    Messages:
    14
    Likes Received:
    0
    It was found in c:\documents and settings\local settings\temporary internet files.
    I was finally able to run CWShredder. It restored IE pages and removed 1 infected registry file. Also suggested using the Windows XP service pack 1, which I've done for the second time.
    The first time it slowed system to a crawl, so I uninstalled it. This time it seems to be alright.
    Adella
     
  16. 2004/04/23
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    msits.exe Like this ?

    O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!h~~~~.008k.com//f//31377/msits.exe

    This is the chm exploit that's supposed to have been solved by the two updates that were put out this month

    One for IE and one for OE, both of which show in IE's help about.
    q831167 Q837009
     
  17. 2004/04/23
    adella

    adella Inactive Thread Starter

    Joined:
    2002/05/03
    Messages:
    14
    Likes Received:
    0
    Yeah like that. Downloaded all critical updates from Microsoft. I guess I'll stay tuned for the next round of patches and fixes that I'm sure will be out soon.
    Adella
     
  18. 2004/04/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Adella,

    Seems all is working well for you now? Glad for you. :)

    Lonny,

    Is this chm exploit msits.exe being considered a virus? Worm, trojan, other? Or is it malware? And do you happen to know if Spybot or Ad-aware have added it to their reference files yet?
     
  19. 2004/04/23
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    About all I know is the file is random and also where it is put to
    there a 016 (adella should be ok since it was only in the temp folders)
    and so is the scdl (random)
    But this is only one of the chm exploits

    Spywareblaster can stop them/those, (most) that one is called
    O16 - DPF: {10000000-1000-0000-1000-000000000000}
    -TrojanDropper.Win32.Small.cw

    Spywareblaster has two.
    I've seen a couple; they seem to download an exe to the IE folder, and the restore folder too

    For more/better information search that csdl at netinegration or
    S-I

    Are you sure you're rid of it?
     
  20. 2004/04/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Thanks Lonny. I tried searching it at SI and came up blank. Will check NetInt.
    Me?? Oh yeah, no problems here. Load stuff up quite a bit to see what it does. I didn't get that 016 dropped on me either. Just some other executables. Took longer to report what all I got than to find and clean it out. :D Wondering about Adella's though since AVG vaulted it when she could have just dumped TIF's, and if it installed anything else. Also curious as to why it didn't show up on the HJT log. :confused:
     
  21. 2004/04/23
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Duh, that was a stupid suggestion since it's a random csdl :D
    http://www.spywareinfo.com/forums/index.php?showtopic=42592&hl=

    If I spot more I'll link to them

    "Also curious as to why it didn't show up on the HJT log. "
    AVG stopped it before it installed a DPF :)

    Did you get a DPF? If I had I would probably have used system restore
     