w32.chod.d and the hosts file

Roland

My sister had this virus and I removed it according to Symantec's website and
it fixed everything except the area of the browser hijack not allowing
access to security related sites (i.e. Symantec, McAfee, etc.). Symantec
says this was done by adding lines to the hosts file located in
c:\windows\system32\drivers\etc. It also said that not all computers will
have this file and of course hers doesn't. Since she doesn't have this file
where did the changes occur? She has a Dell running the XP Media Center.

http://securityresponse.symantec.com/avcenter/venc/data/w32.chod.d.html
 
Beauregard T. Shagnasty

Roland said:
My sister had this virus and I removed it according to Symantec's
website and it fixed everything except the area of the browser hijack
not allowing access to security related sites (i.e. Symantec, McAfee,
etc.). Symantec says this was done by adding lines to the hosts file
located in c:\windows\system32\drivers\etc. It also said that not all
computers will have this file and of course hers doesn't. Since she
doesn't have this file where did the changes occur? She has a Dell
running the XP Media Center.

Did you make sure you have Windows set to view all files?

The HOSTS file has no extension.
 
David H. Lipman

From: "Roland" <[email protected]>

| My sister had this virus and I removed it according to Symantec's website and
| it fixed everything except the area of the browser hijack not allowing
| access to security related sites (i.e. Symantec, McAfee, etc.). Symantec
| says this was done by adding lines to the hosts file located in
| c:\windows\system32\drivers\etc. It also said that not all computers will
| have this file and of course hers doesn't. Since she doesn't have this file
| where did the changes occur? She has a Dell running the XP Media Center.
|
| http://securityresponse.symantec.com/avcenter/venc/data/w32.chod.d.html
|


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
Roland

Beauregard T. Shagnasty said:
Did you make sure you have Windows set to view all files?

The HOSTS file has no extension.

We did that yesterday but I gave her a call back just now to make sure and
it worked. She checked the wrong box yesterday. Two additional files did
show up in the folder that I do not think should be there.

"1hosts" and "hosts.msn"

It is safe to delete these two files isn't it? I know the virus came
from msn messenger.

Thanks for the help.
 
Beauregard T. Shagnasty

Roland said:
Beauregard T. Shagnasty said:
Roland said:
My sister had this virus [and HOSTS file]

Did you make sure you have Windows set to view all files?

The HOSTS file has no extension.

We did that yesterday but I gave her a call back just now to make sure
and it worked. She checked the wrong box yesterday. Two additional
files did show up in the folder that I do not think should be there.

"1hosts" and "hosts.msn"

Open them with a text editor and see what is in them.

It is safe to delete these two files isn't it? I know the virus
came from msn messenger.

Won't know that until you see what their content is.

(I don't use messenger programs.)
 
Max

We did that yesterday but I gave her a call back just now to make sure and
it worked. She checked the wrong box yesterday. Two additional files did
show up in the folder that I do not think should be there.

"1hosts" and "hosts.msn"

It is safe to delete these two files isn't it? I know the virus came
from msn messenger.

Thanks for the help.

Yes it is safe to delete them.
The hosts file should look like this:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

and is found here:
C:\WINNT\system32\drivers\etc\hosts
there is another one here:
C:\WINNT\system32\drivers\etc\lmhosts.sam

Spybot Search and Destroy has a hosts file locking feature that works
well. I have a link to it on my pages (see below).
--
Playing Nice on Usenet:
http://oakroadsystems.com/genl/unice.htm#xpost
My Pages:
Virus Removal Instructions
http://home.neo.rr.com/manna4u/
Keeping Windows Clean
http://home.neo.rr.com/manna4u/keepingclean.html
Windows Help and Tools
http://home.neo.rr.com/manna4u/tools.html
Change nomail.afraid.org to gmail.com to reply.
 
James Egan

My sister had this virus and I removed it according to Symantec's website and
it fixed everything except the area of the browser hijack not allowing
access to security related sites (i.e. Symantec, McAfee, etc.). Symantec
says this was done by adding lines to the hosts file located in
c:\windows\system32\drivers\etc. It also said that not all computers will
have this file and of course hers doesn't. Since she doesn't have this file
where did the changes occur? She has a Dell running the XP Media Center.


c:\windows\system32\drivers\etc is only the default location for the
hosts file, which is settable in the registry here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

If you run D Lipman's multi av utility then this will check and
restore it to its default location for you if the malware changed it.


Jim.
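
The check described in this thread, as an added example that is not part of any poster's message: read `DataBasePath` from the registry, compare it with the default folder, list every active hosts entry other than `localhost`, and show all files in that folder (hidden ones included, which is where stray files such as "1hosts" or "hosts.msn" would appear). It assumes a Windows system with PowerShell available; the function name `Get-HostsEntry` is hypothetical.

```powershell
# Added example: locate the hosts file through DataBasePath and review it.
$key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$default = Join-Path $env:SystemRoot 'System32\drivers\etc'

# DataBasePath is an expandable string; Get-ItemProperty returns it with
# %SystemRoot% already expanded.
$dbPath = (Get-ItemProperty -Path $key -Name DataBasePath).DataBasePath
if ($dbPath.TrimEnd('\') -ine $default) {
    Write-Warning "DataBasePath is '$dbPath', not the default '$default'"
}

# Hypothetical helper: turn hosts-file lines into Address/Name pairs.
function Get-HostsEntry {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $active = ($line -split '#', 2)[0].Trim()    # drop comments
        if (-not $active) { continue }               # blank or comment-only line
        $fields = $active -split '\s+'
        if ($fields.Count -lt 2) { continue }        # address with no host name
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Address = $fields[0]; Name = $name }
        }
    }
}

# Every active mapping other than localhost deserves a look: a clean default
# hosts file (as quoted earlier in the thread) contains none.
$hostsFile = Join-Path $dbPath 'hosts'
if (Test-Path -LiteralPath $hostsFile) {
    Get-HostsEntry (Get-Content -LiteralPath $hostsFile) |
        Where-Object { $_.Name -ne 'localhost' } |
        Format-Table -AutoSize | Out-Host
} else {
    Write-Warning "No hosts file found in '$dbPath'"
}

# All files in the folder, including hidden and system ones.
Get-ChildItem -LiteralPath $dbPath -Force |
    Select-Object Name, Length, LastWriteTime, Attributes |
    Format-Table -AutoSize | Out-Host
```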
 
David H. Lipman

From: "Max" <[email protected]>


| Yes it is safe to delete them.
| The hosts file should look like this:
|
| # Copyright (c) 1993-1999 Microsoft Corp.
| #
| # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
| #
| # This file contains the mappings of IP addresses to host names. Each
| # entry should be kept on an individual line. The IP address should
| # be placed in the first column followed by the corresponding host name.
| # The IP address and the host name should be separated by at least one
| # space.
| #
| # Additionally, comments (such as these) may be inserted on individual
| # lines or following the machine name denoted by a '#' symbol.
| #
| # For example:
| #
| # 102.54.94.97 rhino.acme.com # source server
| # 38.25.63.10 x.acme.com # x client host
|
| 127.0.0.1 localhost
|
| and is found here:
| C:\WINNT\system32\drivers\etc\hosts
| there is another one here:
| C:\WINNT\system32\drivers\etc\lmhosts.sam
|
| Spybot Search and Destroy has a hosts file locking feature that works
| well. I have a link to it on my pages (see below).

etc/lmhosts.sam has to do not with IP to alias resolution but IP to NetBIOS name
resolution, where "lm" stands for Lan Manager. The extension, .SAM, stands for sample.
Therefore lmhosts.sam is a sample resolver table for NetBIOS names.
 
