Uh-Oh. The Hosts Files Came Back ...

Linda W.

I hope it's okay to post this as a new thread. It's a follow-up issue
and I was afraid it would get buried in the middle of the other
thread.

As those who read about my problems with the hosts files know, I
resolved the problem last night by deleting all the files that were
preventing me from accessing anti-virus Web sites.

But -- this morning, the same thing happened. I was trying to get to
Symantec's Web site and couldn't access it.

So I went back to the hosts files -- and again, there were a lot of
anti-virus Web sites listed.

So I deleted them again.

Do you know why this would happen again? Did I miss a step somewhere?

Also .. yesterday when I was trying to figure out what was going on, I
was following some instructions about Sasser in the Washington Post,
trying to see if I still had the worm.

As I did control, alt, delete to look at things for which I could do
"end program" -- I saw ...

lsass.exe

Does this mean I still have some version of the worm on my computer?

According to the test at the Microsoft Web site, it said I don't have
it. But doesn't lsass.exe have something to do with Sasser?

Is that why the hosts files came back again?

Any ideas or suggestions?

Many thanks.

Linda W.
 
(e-mail address removed) (Linda W.) wrote in @posting.google.com:
As I did control, alt, delete to look at things for which I could do
"end program" -- I saw ...

lsass.exe

A quick google search will take you here:
http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/

lsass.exe is the local security authority service.

avserv.exe is associated with sasser, coming in through a vulnerability in
the lsass.exe service on win2k and XP systems that don't have the 040-011
835732 patch installed, if I understand the documentation correctly.
 
(e-mail address removed) (Linda W.) wrote in @posting.google.com:
As those who read about my problems with the hosts files know, I
resolved the problem last night by deleting all the files that were
preventing me from accessing anti-virus Web sites.

But -- this morning, the same thing happened. I was trying to get to
Symantec's Web site and couldn't access it.

So I went back to the hosts files -- and again, there were a lot of
anti-virus Web sites listed.

So I deleted them again.

Do you know why this would happen again? Did I miss a step somewhere?

Sounds like you have a spyware/adware/malware (different folks call them
by different names) program running on your system. Clear the hosts file
again and download the free version of AdAware at:

http://lavasoftusa.com

Update it to the latest definitions and run it. It should find the vast
majority of the ad/spy/malware on your system. If that doesn't take care
of the problem for you, then you may want to download and use a copy of
Spybot S&D from:

http://www.safer-networking.org/

It's been my experience that what one of them (AdAware or Spybot)
doesn't get, the other one does.
 

After fixing the hosts file, you should have gone to your AV software's site
to do a full update. They should have the fix there.
Sorry I didn't mention updating yesterday but I thought that was what you
were trying to do in the first place when you ran into the hosts file issue.
:-(

If you suspect your av software has been compromised, clean your hosts file
again and try an online scan like they have at trend micro.

http://housecall.trendmicro.com/housecall/start_corp.asp

Then do as others in this group suggested; download and install a good
adware scanner like AD-Aware, Spy Bot Search and destroy, or combinations of
such. One or all of them can be configured to LOCK your hosts file from
being changed.

None of this will fix the virus you have unless you update as soon as you
clear out your hosts file. I have not heard that Sasser makes changes to the
hosts file but I have also not read up on the latest versions of that
particular nasty so anything is possible.

Just clean the hosts file, update your av, try the online scan, install and
learn spybot and adaware. Hopefully this will be some help.

Dr.X

PS: you may want to check out avg6 by grisoft if you're looking for a
freebie anti virus. Install and update, then do a full scan.
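As an added example (not code from anyone in this thread), a small checker for the symptom Linda describes: a hosts file that quietly redirects anti-virus vendor names so their sites can no longer be reached. It parses the file, reports every entry for a watched vendor domain and can produce a cleaned copy; AV_DOMAINS, DEFAULT_PATH and SAMPLE_HOSTS are assumptions and constructed data, not taken from the thread.

```python
import sys
from ipaddress import ip_address

# Constructed sample modelled on the symptom in the thread: anti-virus vendor
# names written into the hosts file and pointed at loopback so the browser can
# never reach them. The intranet line stands in for a legitimate local entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
127.0.0.1       housecall.trendmicro.com
127.0.0.1       www.lavasoftusa.com
10.0.0.5        intranet.example.local   # constructed legitimate entry
"""

# Assumed watch-list: vendors named in the thread plus a few update sources.
# A clean hosts file has no reason to mention any of them, so every hit is suspect.
AV_DOMAINS = (
    "symantec.com", "norton.com", "trendmicro.com", "mcafee.com",
    "lavasoftusa.com", "safer-networking.org", "grisoft.com",
    "pandasoftware.com", "microsoft.com", "windowsupdate.com",
)

# Hosts file location on Windows 2000/XP (assumed default; override on the command line).
DEFAULT_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"


def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for each entry; skip comments, blanks, junk."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()          # drop trailing comment
        if len(parts) < 2:
            continue
        try:
            ip = ip_address(parts[0])                 # first field must be an address
        except ValueError:
            continue
        entries.append((n, str(ip), parts[1:]))
    return entries


def is_watched(hostname):
    """True if hostname is a watched AV domain or any subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in AV_DOMAINS)


def find_hijacked(text):
    """Return (line_no, ip, hostname) for every watched name the file overrides.

    The target address is irrelevant: 127.0.0.1 silently blocks the vendor,
    any other address sends the user somewhere of the attacker's choosing.
    """
    return [(n, ip, name) for n, ip, names in parse_hosts(text)
            for name in names if is_watched(name)]


def clean_hosts(text):
    """Return the hosts text with every overriding line removed (whole lines go:
    a legitimate entry never mixes an AV vendor with other names)."""
    bad = {n for n, _, _ in find_hijacked(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        print(f"cannot read {path} ({exc}); checking the constructed sample instead")
        text = SAMPLE_HOSTS
    for n, ip, name in find_hijacked(text):
        print(f"line {n}: {name} -> {ip}")
```

Running it as a scheduled task after cleaning is a cheap way to notice, as Linda did, that the entries have come back, which points at a still-running infection rather than at a missed step.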
 
Dr.X said:
After fixing the hosts file, You should have gone to your AV software's site
to do a full update. They should have the fix there.
Sorry I didn't mention updating yesterday but I thought that was what you
were trying to do in the first place when you ran into the hosts file issue.
:-(

If you suspect your av software has been compromised, clean your hosts file
again and try an online scan like they have at trend micro.

http://housecall.trendmicro.com/housecall/start_corp.asp

Then do as others in this group suggested; download and install a good
adware scanner like AD-Aware, Spy Bot Search and destroy, or combinations of
such. One or all of them can be configured to LOCK your hosts file from
being changed.

None of this will fix the virus you have unless you update as soon as you
clear out your hosts file. I have not heard that Sasser makes changes to the
hosts file but I have also not read up on the latest versions of that
particular nasty so anything is possible.

Just clean the hosts file, update your av, try the online scan, install and
learn spybot and adaware. Hopefully this will be some help.

Dr.X

PS: you may want to check out avg6 by grisoft if you're looking for a
freebie anti virus. Install and update, then do a full scan.

Dear Dr. X ...

Yes, you are right that that's what I was trying to do when I ran into
the hosts issue.

What I didn't do after I deleted those hosts files was go ahead and
download either a free or trial AV program. I was planning to do that
today.

I think if I had kept the computer turned on, the files wouldn't have
come back, but I inadvertently shut down the computer.

I have run the scan at trendmicro and it found 18 viruses, but none of
them were Sasser. Most of them were Agobot. I have deleted them all.

The trendmicro program also found a Trojan and had me restart the
computer. Interestingly, the host files didn't come back this time.

I'll check out the suggested adware scanner, too.

So now I need to install an AV program -- at least something temporary
while I decide.

Panda has a free trial period.

Or I could renew my expired Norton 2003 for $29.95, or upgrade to 2004
for $39.95.

McAfee seems to have a rebate right now that makes the AV program free
for a year.

Speaking of all these -- you mentioned the avg6. Do you like that
one? Do you recommend trying it?

Again, you are a wonderful person. :-)

Thanks.

Linda W.
 
SAG said:
(e-mail address removed) (Linda W.) wrote in @posting.google.com:


A quick google search will take you here:
http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/

lsass.exe is the local security authority service.

avserv.exe is associated with sasser, coming in through a vulnerability in
the lsass.exe service on win2k and XP systems that don't have the 040-011
835732 patch installed, if I understand the documentation correctly.


Thanks for this.

That's probably where I first saw lsass.exe. When the Sasser worm was
shutting down my computer, it was making some reference to lsass.exe
in the message.

This was before I installed the patch.

Thanks!

Linda W.
 
Rick said:
(e-mail address removed) (Linda W.) wrote in @posting.google.com:


Sounds like you have a spyware/adware/malware (different folks call them
by different names) program running on your system. Clear the hosts file
again and download the free version of AdAware at:

http://lavasoftusa.com

Update it to the latest definitions and run it. It should find the vast
majority of the ad/spy/malware on your system. If that doesn't take care
of the problem for you, then you may want to download and use a copy of
Spybot S&D from:

http://www.safer-networking.org/

It's been my experience that what one of them (AdAware or Spybot)
doesn't get, the other one does.


Thanks so much, Rick. I will check this out.

Linda W.
 
Linda W. said:
"Dr.X" <dr.x@null> wrote in message

Dear Dr. X ...

Hi Linda.
Yes, you are right that that's what I was trying to do when I ran into
the hosts issue.

That's usually when it's found.
What I didn't do after I deleted those hosts files was go ahead and
download either a free or trial AV program. I was planning to do that
today.

I think if I had kept the computer turned on, the files wouldn't have
come back, but I inadvertently shut down the computer.

I have run the scan at trendmicro and it found 18 viruses, but none of
them were Sasser. Most of them were Agobot. I have deleted them all.

The trendmicro program also found a Trojan and had me restart the
computer. Interestingly, the host files didn't come back this time.

That's because one or more of those 18 were responsible for playing games
with your hosts file.
I'll check out the suggested adware scanner, too.

So now I need to install an AV program -- at least something temporary
while I decide. ....
Speaking of all these -- you mentioned the avg6. Do you like that
one? Do you recommend trying it?

That's one of my favorites. In the last few large virus outbreaks, Grisoft
has experienced overload on their update servers due to everyone and their
mother trying to update at once (Grisoft's fault) but other than that, I've
been very happy with AVG6 for my home machines. So much that I purchased the
pro version for our corporate systems at work. Others in this group have had
better luck with other av solutions.
Again, you are a wonderful person. :-)

aww, thanks. ;-)
Thanks.

Linda W.

Don't forget to have a look around for a decent firewall too. It will help
prevent attacks like sasser.

Good Luck.
Dr.X
 
Dr.X said:
Hi Linda.


That's usually when it's found.


That's because one or more of those 18 were responsible for playing games
with your hosts file.


That's one of my favorites. In the last few large virus outbreaks, Grisoft
has experienced overload on their update servers due to everyone and their
mother trying to update at once (Grisoft's fault) but other than that, I've
been very happy with AVG6 for my home machines. So much that I purchased the
pro version for our corporate systems at work. Others in this group have had
better luck with other av solutions.


aww, thanks. ;-)


Don't forget to have a look around for a decent firewall too. It will help
prevent attacks like sasser.

Good Luck.
Dr.X


Dr. X ...

Thanks so much.

I just went to the AVG Web site, as I'm thinking it would be a good
one to try, based on your recommendation. :-)

I notice that AVG makes a point of mentioning that the free software
does not include technical support. Do you think that's a significant
issue? Or is it generally a user-friendly program? (Of course,
probably the best way for me to determine that is to try it, right?)

May I ask another question? If you can stand it? :-) With these AV
programs -- do they provide an automatic notification when virus
updates are available? Or would I need to make a point of visiting
their Web site periodically in order to see if there are any updates?
Or does that depend on the program?

Well, that was more than one question.

So could I ask another one? You're also recommending that I
investigate using a firewall other than the one that came with Windows
XP?

Again, many thanks. And if you're getting tired of this, please feel
free to just ignore me. :-)

Linda W.
 
On that special day, Linda W., ([email protected]) said...
I have run the scan at trendmicro and it found 18 viruses, but none of
the were Sasser. Most of them were Agobot.

Ouch. The Agobots are trojan horses, that can turn your computer into
anything, like a mass mailing spewer, or a storehouse for stolen movies
and child porn. If I were you, I would format the entire hard disk(s),
and start installing from scratch.

And before entering the internet again, I would first ask a friend to
fetch the most critical patches for me from Microsoft, so that I can fix
the RPC/Dcom, MCDAV, lsass vulnerabilities, and only *then* I would
connect to the net again.

See, if you get a puppy dog, the first thing you take care of, is that
it will be properly vaccinated; why don't you do that with your PC, too?


Gabriele Neukam

(e-mail address removed)
 
Linda W. said:
"Dr.X" <dr.x@null> wrote in message
Dr. X ...

Thanks so much.

I just went to the AVG Web site, as I'm thinking it would be a good
one to try, based on your recommendation. :-)

Don't base it only on my recommendation. I'm sure there are other solutions
out there that could be just as good if not better.
I notice that AVG makes a point of mentioning that the free software
does not include technical support. Do you think that's a significant
issue? Or is it generally a user-friendly program? (Of course,
probably the best way for me to determine that is to try it, right?)

I have never needed tech support from them. It's a pretty simple setup and
you seem capable of learning quickly as evidenced by your actions in dealing
with the hosts file issue.
Besides, you can always uninstall it.
May I ask another question? If you can stand it? :-) With these AV
programs -- do they provide an automatic notification when virus
updates are available? Or would I need to make a point of visiting
their Web site periodically in order to see if there are any updates?
Or does that depend on the program?

It really does depend on the program but most of the good av programs offer
an auto update feature (avg does). They also usually offer an on demand
update check.
Well, that was more than one question.

I'm not counting. ;-)
So could I ask another one? You're also recommending that I
investigate using a firewall other than the one that came with Windows
XP?

I didn't realize you were using XP. I've never used the XP firewall feature
since I have a tendency to avoid XP. The few systems that I do have here
that run it are protected by a hardware firewall on the network so I never
needed to use it. I can't comment on how good the XP Firewall solution is.
Others may be able to answer that question. Remember, no firewall will
protect you if it isn't properly configured.
Again, many thanks. And if you're getting tired of this, please feel
free to just ignore me. :-)

I won't ignore you. If I don't answer right away, it's just that I'm busy at
work.

Dr.X
 
Linda W. - 07.05.2004 16:07 :
I just went to the AVG Web site, as I'm thinking it would be a good
one to try, based on your recommendation. :-)

Trying out is mostly a good idea.
May I ask another question? If you can stand it? :-) With these AV
programs -- do they provide an automatic notification when virus
updates are available? Or would I need to make a point of visiting
their Web site periodically in order to see if there are any updates?
Or does that depend on the program?

If you have read (and I think you did) this NG for a time, you should also
have read that AVG, AVAST and NAV in particular make trouble more often,
especially with database updates.
So could I ask another one? You're also recommending that I
investigate using a firewall other than the one that came with
Windows XP?

There is/was a discussion here about how useful PWs (personal
firewalls) are. Generally: first Safe Hex, followed by AV and firewall.

Some programs combine both AV *and* a firewall under one (hopefully
user-friendly) GUI.

All that was the reason why I personally recommended BitDefenderPro 7.2.

This program naturally makes automated updates, timed or whenever you
start your computer. I prefer manual daily updates. And: the (email-)
service is exemplary fast (max. 3 days), competent, and friendly - not
natural in these days, especially in AV cases. And for me: this is one of
the few programs that works perfectly with my browser and mail program
Mozilla/Netscape from the very first moment. (And yes: I don't use the MS
browser and/or Outlook because of security and some other reasons) from
the very first moment without any special configurations needed within
the emailer, for example. AFAIR AvastPro, for example, needs some special
mailer configurations, which I would hate.

And, last not least, the scanning results are excellent.

Did you visit http://www.anti-virus-software-review.com/ ?

Only reason against BD Standard and Pro is, that it is no freeware but
perhaps share-/trialware? But the price would be very suitable. See http
also.

Linda, BTW please: there is no need to always quote too much, because one
can read back within the thread. THX.

Finito.
 
I didn't realize you were using XP. I've never used the XP firewall
feature since I have a tendency to avoid XP. The few systems that I do
have here that run it are protected by a hardware firewall on the
network so I never needed to use it. I can't comment on how good the
XP Firewall solution is. Others may be able to answer that question.
Remember, no firewall will protect you if it isn't properly
configured.

The XP FW is a stateful application and provides the same basic
protection as a NAT router, which is to stop unsolicited inbound traffic
from reaching the machine.

http://support.microsoft.com/default.aspx?scid=kb;en-us;q321050#appliesto

There is a second element on the Win 2k, XP and 2K3 O/S's as well that's
very powerful that I use behind the NAT router.

http://www.petri.co.il/block_ping_traffic_with_ipsec.htm
http://www.analogx.com/contents/articles/ipsec.htm

Duane :)
 
On that special day, Peter Seiler, ([email protected]) said...
This program naturally makes automated updates,

Hi Peter. Please replace "natural" with "of course"
timed or when ever you

timed = scheduled
start your computer. I prefer manual daily updates. And: the (email-)
service is exemplary fast (max. 3 days), competent, and friendly - not

There is no "exemplary" in English. Maybe "especially" can replace it;
but a notion of anything being "a good example" in the sense of its
being a model for others, is alien to English.
natural in these days especially in AV cases. And for me: This is one of

Again, "natural" should be replaced, this time with "usual".


I know that getting command of a language is a challenging task; I
guess it took me more than twenty years to attain it. And I can in no
way claim that I understand any language well besides German and
English, although I had lessons in Latin and Spanish.

I think the best way to learn a language is yet to buy a book in the
specific language, and read it entirely. As the English Harry Potter
books are available in Germany as paperbacks in the Karstadt shopping
centers (except for the newest one), I recommend them. They are very
comprehensive (it shows that the writer is a teacher), and cost me less
than the German hardcovers (which I haven't read yet).


Gabriele Neukam

(e-mail address removed)
 
There is no "exemplary" in English.

Sure there is.
Maybe "especially" can replace it;
but a notion of anything being "a good example" in the sense of its
being a model for others, is alien to English.

The word "exemplary" has historically meant simply "serving to fit as
an example". But the usual connotation is "outstanding example". For
example, we might say "His service to his country is exemplary". We
mean by that that the individual represents an extraordinary example of
fine service ... one that others admire and look up to. Or, to use
your words, the individual's service is a "good example" and a model
for others.


Art
http://www.epix.net/~artnpeg
 
Gabriele Neukam - 08.05.2004 17:37 :
On that special day, Peter Seiler, ([email protected]) said...


Hi Peter. Please replace "natural" with "of course"

THX for your lesson. But I thought I was reading/posting in an anti-virus
NG, not in an English lesson school group. Sorry, so your posting this
way IMHO is out of place and OT. I only wanted to give Linda W. an (OnTop!)
hint for her threaded problems. And I hope that she understands my
writing as in the past - even with all the faulty English expressions.
Well, my English is really not as good as yours but hopefully should be
"good" enough that people understand the substance I mean. OT discussion
finished.
 
Dr.X said:
Don't base it only on my recomendation. I'm sure there are other solutions
out ther that could be just as good if not better.


I have never needed tech support from them. It's a pretty simple setup and
you seem capable of learning quickly as evidenced by your actions in dealing
with the hosts file issue.
Besides, you can always uninstall it.


It really does depend on the program but most of the good av programs offer
an auto update feature (avg does). They also usually offer an on demand
update check.


I'm not counting. ;-)


I didn't realize you were using XP. I've never used the XP firewall feature
since I have a tendency to avoid XP. The few systems that I do have here
that run it are protected by a hardware firewall on the network so I never
needed to use it. I can't comment on how good the XP Firewall solution is.
Others may be able to answer that question. Remember, no firewall will
protect you if it isn't properly configured.


I won't ignore you. If I don't answer right away, it's just that I'm busy at
work.


Dr.X


Dr. X ...

Thanks so much.

I've downloaded the free AVG6. I'll install it and see how I do.

Thanks again.

Linda W.
 
Gabriele Neukam said:
On that special day, Linda W., ([email protected]) said...


Ouch. The Agobots are trojan horses, that can turn your computer into
anything, like a mass mailing spewer, or a storehouse for stolen movies
and child porn. If I were you, I would format the entire hard disk(s),
and start installing from scratch.

I don't think there's any way for me to reformat the entire hard
disk(s) and re-install because Windows and most of the other programs
came pre-installed on my Hewlett Packard computer.

The only disk I have for the programs that were pre-installed is the
one that came with the computer -- the one that returns the entire
computer to factory status. I really can't do that, for obvious
reasons, and hope I won't have to for any reason.

If I receive mass mailings, can't I just delete them? My ISP has a
filter, too, and a good bit of spam is intercepted before reaching my
computer.

I can only hope that there has been no storehouse created outside of
my control on my computer for stolen movies, et cetera, as you mention
above. Is there any way for me to know if this is the case?

And before entering the internet again, I would first ask a friend to
fetch the most critical patches for me from Microsoft, so that I can fix
the RPC/Dcom, MCDAV, lsass vulnerabilities, and only *then* I would
connect to the net again.

On Sunday, I went to the Microsoft Security Web site and downloaded
and installed all the critical patches recommended for Windows XP. Is
that what you meant? I did it myself, though.

See, if you get a puppy dog, the first thing you take care of, is that
it will be properly vaccinated; why don't you do that with your PC, too?

Well, I'm trying. :-) And continuing to learn, I hope.

And thanks so much for your help.

Linda W.
 
Peter Seiler said:
if you read (and I think you did) this NG for a time, you should also
have read, that especially AVG, AVAST, NAV make trouble more often
especially with database updates.

I guess the best thing to do is to try one and see how it goes.
There is/was a discussion here about how useful PWs (personal
firewalls) are. Generally: first Safe Hex, followed by AV and firewall.

Some programs combine both AV *and* a firewall under one (hopefully
user-friendly) GUI.

All that was the reason why I personally recommended BitDefenderPro 7.2.

Thank you for that recommendation.

It was kind of a crazy weekend. So that's something I still need to
check out. Thanks.
Linda, BTW please: There is no need always quoting to much, because one
can read back within the threads. THX.

I'm sorry. I didn't mean to be a nuisance or anything. I have
snipped most of the quoting for this message. I hope that is okay.

Thanks.

Linda W.
 
Linda W. said:
Well, I'm trying. :-) And continuing to learn, I hope.

And this is a very good place to learn. But, like all else, there's bound
to be a few Crab trees in every grove, so don't let 'em ruffle your feathers
too much. There's plenty of others to keep you out of trouble. <g>

Jan :)
 