Internet Suddenly Seems Slower (Host file virus?)

[hsncorrosion]

Recently I've began to think my internet may be slowing down.

I have good antivirus, havent downloaded anything except IE7 update.

I do have a server on the network (it has different antivirus) the servers antivirus is telling me that my hosts file in C:windowssystem32driversetchosts.txt

is a virus. Whats up with that?

[Sparda]

The hosts file is called 'hosts' just like it is on Linux, there is no file extension.

What do you mean "I have good antivirus"? Exacly what anti-virus software do you use? Ee will be the judges of weather it's good or not ;)

[VaKo]

start -> run -> "cmd /k cat C:windowssystem32driversetchosts.txt"

What does it say?

start -> run -> "cmd /k cat C:windowssystem32driversetchosts"

What does it say?

(sans quotation marks)

cat C:windowssystem32driversetchosts >> "c:Documents and Settings/<your username>/Desktop/hosts.txt"

That should make a file called hosts.txt on your desktop that should read:

# Copyright (c) 1993-1999 Microsoft Corp.

#

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

#

# This file contains the mappings of IP addresses to host names. Each

# entry should be kept on an individual line. The IP address should

# be placed in the first column followed by the corresponding host name.

# The IP address and the host name should be separated by at least one

# space.

#

# Additionally, comments (such as these) may be inserted on individual

# lines or following the machine name denoted by a '#' symbol.

#

# For example:

#

#      102.54.94.97     rhino.acme.com          # source server

#       38.25.63.10     x.acme.com              # x client host



127.0.0.1       localhost

If there is more than that, you have a problem.

[hsncorrosion]

start -> run -> "cmd /k cat C:windowssystem32driversetchosts.txt"

What does it say?

start -> run -> "cmd /k cat C:windowssystem32driversetchosts"

What does it say?

(sans quotation marks)

cat C:windowssystem32driversetchosts >> "c:Documents and Settings/<your username>/Desktop/hosts.txt"

That should make a file called hosts.txt on your desktop that should read:

# Copyright (c) 1993-1999 Microsoft Corp.

#

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

#

# This file contains the mappings of IP addresses to host names. Each

# entry should be kept on an individual line. The IP address should

# be placed in the first column followed by the corresponding host name.

# The IP address and the host name should be separated by at least one

# space.

#

# Additionally, comments (such as these) may be inserted on individual

# lines or following the machine name denoted by a '#' symbol.

#

# For example:

#

#      102.54.94.97     rhino.acme.com          # source server

#       38.25.63.10     x.acme.com              # x client host



127.0.0.1       localhost

If there is more than that, you have a problem.

Sorry the .txt extension was a typo. My anti virus is avast 4.7 pro.

Uhoh! heres my hosts file

# Copyright (c) 1993-1999 Microsoft Corp.

#

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

#

# This file contains the mappings of IP addresses to host names. Each

# entry should be kept on an individual line. The IP address should

# be placed in the first column followed by the corresponding host name.

# The IP address and the host name should be separated by at least one

# space.

#

# Additionally, comments (such as these) may be inserted on individual

# lines or following the machine name denoted by a '#' symbol.

#

# For example:

#

#      102.54.94.97     rhino.acme.com          # source server

#       38.25.63.10     x.acme.com              # x client host



127.0.0.1       localhost



































127.0.0.1    www.symantec.com

127.0.0.1    securityresponse.symantec.com

127.0.0.1    symantec.com

127.0.0.1    www.sophos.com

127.0.0.1    sophos.com

127.0.0.1    www.mcafee.com

127.0.0.1    mcafee.com

127.0.0.1    liveupdate.symantecliveupdate.com

127.0.0.1    www.viruslist.com

127.0.0.1    viruslist.com

127.0.0.1    viruslist.com

127.0.0.1    f-secure.com

127.0.0.1    www.f-secure.com

127.0.0.1    kaspersky.com

127.0.0.1    kaspersky-labs.com

127.0.0.1    www.avp.com

127.0.0.1    www.kaspersky.com

127.0.0.1    avp.com

127.0.0.1    www.networkassociates.com

127.0.0.1    networkassociates.com

127.0.0.1    www.ca.com

127.0.0.1    ca.com

127.0.0.1    mast.mcafee.com

127.0.0.1    my-etrust.com

127.0.0.1    www.my-etrust.com

127.0.0.1    download.mcafee.com

127.0.0.1    dispatch.mcafee.com

127.0.0.1    secure.nai.com

127.0.0.1    nai.com

127.0.0.1    www.nai.com

127.0.0.1    update.symantec.com

127.0.0.1    updates.symantec.com

127.0.0.1    us.mcafee.com

127.0.0.1    liveupdate.symantec.com

127.0.0.1    customer.symantec.com

127.0.0.1    rads.mcafee.com

127.0.0.1    trendmicro.com

127.0.0.1    pandasoftware.com

127.0.0.1    www.pandasoftware.com

127.0.0.1    www.trendmicro.com

127.0.0.1    www.grisoft.com

127.0.0.1    www.microsoft.com

127.0.0.1    microsoft.com

127.0.0.1    www.virustotal.com

127.0.0.1    virustotal.com

I know I didn't put that there (this is from my ut2k4 game server)

Oh my main system anti virus is avast my server sadly only has avg free.

Help what do I do to fix this?

[VaKo]

Your totally fucked.

[Sparda]

lol, your box is hosed, you need to do a clean install of windows to properly fix it.

[hsncorrosion]

Had a bad felling u were going to say that.

Well, worst senerio, what will happen if I leave it.

This is on a lan with my main pc.

Also found this

Response Number 1

Name: Tufenuf

Date: May 08, 2004 at 04:54:51 Pacific

Subject: System32 hosts folder

Reply:

baza999, The hosts (no extension) file located in your C:WINNTSystem32driversetc folder for Windows XP comes as shown below between the lines.

____________________________________________

Copyright © 1993-1999 Microsoft Corp.

#

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

#

# This file contains the mappings of IP addresses to host names. Each

# entry should be kept on an individual line. The IP address should

# be placed in the first column followed by the corresponding host name.

# The IP address and the host name should be separated by at least one

# space.

#

# Additionally, comments (such as these) may be inserted on individual

# lines or following the machine name denoted by a '#' symbol.

#

# For example:

#

# 102.54.94.97 rhino.acme.com # source server

# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

____________________________________________

If you have downloaded some type of Spyware Removal Program it may have added those porn links so that you can't access them as a safety precaution or did you download another hosts file for protection against porn sites which are responsible for most spyware/adware/malware/hijackers entering your system? There are some viruses/trojans that add entries to AV sites/Spyware Removal Programs sites/etc. so that you can't reach any of them to fix the viruses/trojans and what you have to do is go into the hosts (no extension) file open it in Notepad and delete all entries below the 127.0.0.1 localhost.

DO NOT delete the 127.0.0.1 localhost.

Close Notepad and accept the changes when it asks, then right click the HOSTS (no extension)file, choose Properties and put a checkmark in front of Read only, click Apply/OK. This will prevent anything from altering it or writing to it.

HTH,

Tufenuf

Report Offensive Follow Up For Removal

Heres the url i copied this from.

http://www.computing.net/windowsxp/wwwboar...rum/104055.html

[Sparda]

Had a bad felling u were going to say that.

Well, worst senerio, what will happen if I leave it.

This is on a lan with my main pc.

You don't want to leave it, that would be the most stupid thing any one with an infected computer could do.

[VaKo]

I'll report your IP to the abuse contact of your ISP if you leave it. Its like allowing someone to deal heroin from your garden shed.

It would be the case that a virus has forced your computer to always resolve the domain names of popular anti-crapware sites to your local host, so you can't clean the infection. The only way to clear this type of compromise is to dump the install and start again. Its Saturday, so your going to have to purchase a stack of DVD-R's and cancel your weekend plans.

[hsncorrosion]

I'll report your IP to the abuse contact of your ISP.

What abuse???

[Sparda]

What abuse???

Sending spam and been part of a bot net.

[hsncorrosion]

What abuse???

Sending spam and been part of a bot net.

What? what am i spaming, what bot net

[Sparda]

What? what am i spaming, what bot net

The bot net you are probably a part of and is been used to spam as well as DDoS attacks and used as a means of not easily traceable attacks on other computers on the Internet.

You need to do a clean install of windows, no 'if's, 'but's or 'no's.

[hsncorrosion]

What? what am i spaming, what bot net

The bot net you are probably a part of and is been used to spam as well as DDoS attacks and used as a means of not easily traceable attacks on other computers on the Internet.

You need to do a clean install of windows, no 'if's, 'but's or 'no's.

Ok, I will clean install, I just wanted to know what would happen if i didnt. You dont need to report anything. Anyway I will run a clean install.

[VaKo]

abuse@Windstream.net

:twisted:

[hsncorrosion]

abuse@Windstream.net

:twisted:

why report, im takin care of the problem, in fact why audit? why not just fully wipe and reinstall?

Look at this (antivirus on server found somthing)

http://freewebtown.com/haroldsflash/hosts.JPG