Recently I helped a friend who had an infected laptop running Windows. One of the first things you want to do is disable every network connection (wireless or wired) so that the computer cannot communicate with your own local area network or the Internet. This helps prevent further spread of the virus and collateral damage.

In order to run scans on the system, it is best to download the tools to a USB stick or burn them to a CD, and then install them from that removable device on the infected system. CDs are ideal because they are read-only and cannot be infected, while a USB key could potentially carry a virus back to your other systems.

After running through a variety of scanning tools for spyware, malware and viruses, we felt we had cleaned it up quite well. (Note that the only way to truly know is to reinstall everything, which is not fun.) (Second note: not all antivirus products are the same, and they scan for different issues.)

I thought I would just check one last spot where I have seen some crafty (malicious) things done in the past:

c:\windows\system32\drivers\etc\hosts

Sure enough, this file had been hijacked. Here were the contents:

  74.125.45.100 4-open-davinci.com
  74.125.45.100 securitysoftwarepayments.com
  74.125.45.100 privatesecuredpayments.com
  74.125.45.100 secure.privatesecuredpayments.com
  74.125.45.100 getantivirusplusnow.com
  74.125.45.100 secure-plus-payments.com
  74.125.45.100 www.getantivirusplusnow.com
  74.125.45.100 www.secure-plus-payments.com
  74.125.45.100 www.getavplusnow.com
  74.125.45.100 safebrowsing-cache.google.com
  74.125.45.100 urs.microsoft.com
  74.125.45.100 www.securesoftwarebill.com
  74.125.45.100 secure.paysecuresystem.com
  74.125.45.100 paysoftbillsolution.com
  74.125.45.100 protected.maxisoftwaremart.com

What this accomplished was twofold: it prevented the system from communicating with legitimate anti-virus websites, and it could hijack your web browser and redirect it to a site that looked and felt like the legitimate one (spoofed / phishing).

The hosts file had been hidden as a system file. It had been set as read-only. And no matter what we did, we could not overwrite it, delete it, or save new contents…

We discovered a handy free utility called Unlocker (http://majorgeeks.com/download.php?det=4660) which resolved the problem and deleted the file for us.

Maybe check the contents of your hosts file and see if anything interesting lurks there.
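A quick check of the kind suggested above, added here as an example that is not part of the original post: it parses a hosts file and flags entries that pin names to public addresses, with extra weight when many names share one address, as in the hijacked file. The sample file is constructed to mirror that file; only the Python 3 standard library is assumed.

```python
from collections import Counter
from ipaddress import ip_address

# Constructed sample, modelled on the hijacked file described in the post
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.lan
74.125.45.100   safebrowsing-cache.google.com
74.125.45.100   urs.microsoft.com   # hijacked: security update host
74.125.45.100   getantivirusplusnow.com
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and blank/malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip_address(addr)
        except ValueError:
            continue  # first token is not an address, so not a hosts entry
        entries.extend((addr, n.lower()) for n in names)
    return entries

def suspicious_entries(entries, fan_in=3):
    """Flag entries a clean hosts file should not contain.

    A hosts file normally only pins names to loopback or LAN addresses, so a
    public address is suspect, and several names piled onto one public address
    (the pattern in the post) is stronger evidence of tampering."""
    per_ip = Counter(ip for ip, _ in entries)
    flagged = []
    for ip, name in entries:
        addr = ip_address(ip)
        if addr.is_loopback or addr.is_private or addr.is_link_local:
            continue
        reason = "public address in hosts file"
        if per_ip[ip] >= fan_in:
            reason += f"; {per_ip[ip]} names share it"
        flagged.append((ip, name, reason))
    return flagged

if __name__ == "__main__":
    for ip, name, why in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print(f"{ip:16} {name:32} {why}")
```

On a real machine, read `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`) into `parse_hosts` instead of the sample string; an empty result from `suspicious_entries` means nothing is pinned to a public address.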

7 Comments
  1. That is quite scary. This is why I use my BlackBerry PlayBook to complete important transactions. It’s quite safe to use with RIM’s security enforced. Computers make life easy and difficult at the same time. I guess I have to watch my back.

  2. I just checked it right now, thankfully it’s clean. Your list scared me because it did include websites that are related to payments or something equally important. I am a bit paranoid about our Windows machine which is good in a way, since I do run several tools for this PC’s security.

  3. From what I’ve seen, Windows looks really vulnerable and prone to many different types of malware, because of all the different technologies that are coming up, the various files we download, websites we visit. Preventing the user from getting hold of legitimate anti-virus is scary because we’re vulnerable and unable to stop the virus if they modified the hosts file. Looks like I’ll have to do a scan, I haven’t done one in a long time.

  4. This is scary to know that viruses can be located in your system files. When something goes wrong with my computer I usually just reset it to factory setting so that it deletes everything.

  5. That’s really scary. It’s just now that I’ve been keeping a lot of bank information on my computer and if something like that happens to me I would probably withdraw all my cash ASAP. It’s funny how most antivirus software can’t even clean up some of the most basic adware in your browser.

    • This is why I’m so scared to download stuff from the internet nowadays. It seems all that “free” software is loaded with a lot of unwanted stuff 🙁 I wanted to burn a CD for my mom, but every single free CD burner I wanted to download caused my antivirus to freak out, hence I couldn’t download a thing.

  6. Huh, I’ve seen viruses use proxy settings to block antivirus sites, but nothing like this. This is pretty crafty IMO because antiviruses wouldn’t even look here at all, and even if it was scanned, the contents wouldn’t be deemed malicious. Next time I’m fixing up a computer, I’ll be sure to look in the hosts file, especially if I can’t access certain websites.
