Hosts.bak

Hi there, I have a small problem that I hope you wise people can help me out with.

I got sent a file that contained the following Trojans: PWSteal.Trojan (ibm00001.dll), Trojan.AleMod (oleext32.dll), Trojan.Startpage (paytime.exe), AdwareDollarRevenue (toolbar.exe), Downloader.Trojan (tool3.exe), Trojan.Desktophijack.B (oleext.dll).

I think that I have removed these using a few antivirus and antispyware programs, but have 2 (I hope) files that I just cannot remove without them reappearing.

1 - Wininit.ini with the following text:
[Rename]
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\VQRFE.GLV=C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS.BAK
The actual file being renamed changes every time I delete this file.

2 - Hosts.bak, size 354 KB, dated 21/11/2005 15:07, marked as read-only and hidden.
If I try to do anything with this file at all I keep getting an Access Denied error, and if I delete it with CyberScrub it just reappears.

Can anybody help me?
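The [Rename] mechanism the post describes, as an added example that is not part of this thread: a small Python audit that parses a wininit.ini [Rename] section (Windows 9x/ME, where each line is destination=source and a destination of NUL means delete the source) together with its NT-family counterpart, the PendingFileRenameOperations registry value (Windows NT/2000/XP and later, a list of source/destination pairs processed by the Session Manager at boot), and flags any queued operation that touches the hosts file or a System32 binary. The [Rename] line is the one quoted above; the registry sample, its temp-file names and the watch list are constructed for the demonstration.

```python
r"""Audit boot-time pending file operations (added example, not from the thread).

Windows 9x/ME read %WINDIR%\wininit.ini at boot; each line in [Rename] is
    destination=source      (destination NUL means: delete source)
Windows NT/2000/XP and later instead process the REG_MULTI_SZ value
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
a flat list of source, destination pairs in which paths carry the NT "\??\"
prefix, an empty destination means delete, and a "!" prefix on the
destination means replace an existing file.  Both run before any user-mode
scanner, which is why malware likes them for re-creating files.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PendingOp:
    action: str   # "rename", "replace" or "delete"
    source: str   # the file that exists now
    dest: str     # where it ends up; "" for delete
    origin: str   # "wininit.ini" or "PendingFileRenameOperations"


# Locations worth a second look when a boot-time operation touches them.
# The hosts pattern deliberately also matches hosts.bak and similar names.
WATCH_PATTERNS = (
    re.compile(r"\\drivers\\etc\\hosts", re.I),
    re.compile(r"\\system32\\[^\\]+\.(dll|exe|sys)$", re.I),
)


def parse_wininit(text: str) -> list[PendingOp]:
    """Parse the [Rename] section of wininit.ini (destination=source per line)."""
    ops, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_rename = line.lower() == "[rename]"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, source = (p.strip() for p in line.split("=", 1))
        if dest.upper() == "NUL":
            ops.append(PendingOp("delete", source, "", "wininit.ini"))
        else:
            ops.append(PendingOp("rename", source, dest, "wininit.ini"))
    return ops


def _strip_nt_prefix(path: str) -> str:
    return path[4:] if path.startswith("\\??\\") else path


def parse_pending_file_rename_operations(values: list[str]) -> list[PendingOp]:
    """Parse the REG_MULTI_SZ list (source, dest, source, dest, ...) as winreg returns it."""
    ops = []
    for i in range(0, len(values) - 1, 2):      # a trailing "" entry is ignored
        source, dest = _strip_nt_prefix(values[i]), values[i + 1]
        if dest == "":
            ops.append(PendingOp("delete", source, "", "PendingFileRenameOperations"))
        elif dest.startswith("!"):
            ops.append(PendingOp("replace", source, _strip_nt_prefix(dest[1:]), "PendingFileRenameOperations"))
        else:
            ops.append(PendingOp("rename", source, _strip_nt_prefix(dest), "PendingFileRenameOperations"))
    return ops


def suspicious(ops: list[PendingOp]) -> list[PendingOp]:
    """Operations whose source or destination hits a watched location."""
    return [op for op in ops
            if any(p.search(op.source) or p.search(op.dest) for p in WATCH_PATTERNS)]


def read_live_pending_operations() -> list[PendingOp]:
    """On Windows, read the real registry value; elsewhere (or if unset) return []."""
    try:
        import winreg
    except ImportError:
        return []
    key = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
            values, _ = winreg.QueryValueEx(handle, "PendingFileRenameOperations")
    except OSError:
        return []
    return parse_pending_file_rename_operations(list(values))


# Sample input: the [Rename] line quoted in the post above, plus a constructed
# PendingFileRenameOperations list (file names invented for the demonstration).
SAMPLE_WININIT = r"""[Rename]
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\VQRFE.GLV=C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS.BAK
"""
SAMPLE_PFRO = [
    r"\??\C:\WINDOWS\TEMP\upd1234.tmp", r"!\??\C:\WINDOWS\SYSTEM32\oleext32.dll",
    r"\??\C:\DOCUME~1\user\LOCALS~1\Temp\setup.log", "",
    "",
]

if __name__ == "__main__":
    for op in suspicious(parse_wininit(SAMPLE_WININIT)
                         + parse_pending_file_rename_operations(SAMPLE_PFRO)
                         + read_live_pending_operations()):
        print(f"[{op.origin}] {op.action}: {op.source} -> {op.dest or '(deleted)'}")
```

On the quoted line the key is the destination, so what is queued is HOSTS.BAK being moved to VQRFE.GLV; on a machine that is still infected the audit is worth re-running after every reboot, because a queued operation that reappears means something running is writing it again.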

Hi Glorey Hornet,

There is a good tool to fix these troubles for you, by the name of Hostfix. Go to Jay Loden’s site to download it, here:
http://www.jayloden.com/hostfix.htm

Read the instructions and run it.

greets,

polonus

Thanks for the quick reply. The thing is, there is nothing wrong with the actual Hosts file; mine is regularly updated with downloads from http://www.mvps.org. It is the Hosts.bak file that is the problem: it is undeletable, and is a different size to the Hosts file.

1 - Hosts 366 KB 12/12/2005 04:21
2 - Hosts.bak 354 KB 21/11/2005 15:07

Together with the wininit.ini file, it is causing me a headache as to where they came from and how to remove them.
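Added example, not from the thread: since the worry here is a Hosts.bak that differs from the MVPS-maintained Hosts, this Python snippet parses hosts-file syntax, lists the entries present in one file but not the other, and flags the two patterns a hijacker leaves behind: a hostname pointed at an address other than 0.0.0.0/127.0.0.1, or a security-vendor or other sensitive domain appearing at all (a blocklist has no business touching those). The two hosts excerpts, the 203.0.113.5 address and the sensitive-domain list are constructed for the example; a real MVPS file is far longer.

```python
"""Hosts-file audit (added example, not from the thread).

A blocklist such as the MVPS hosts file maps ad and malware hosts to
0.0.0.0 or 127.0.0.1.  A hijacked hosts file does the opposite: it points
real sites at an attacker's address, or blackholes antivirus update servers
so updates silently fail.  Both patterns are visible from the text alone.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Domains a blocklist has no reason to touch (constructed, illustrative list).
SENSITIVE_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "symantec.com", "mcafee.com",
    "avast.com", "kaspersky.com", "google.com", "paypal.com",
)


@dataclass(frozen=True)
class HostEntry:
    address: str
    hostname: str   # lower-cased


def parse_hosts(text: str) -> list[HostEntry]:
    """Parse hosts syntax: 'address host [alias ...]', '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue    # not an address; a resolver ignores the line too
        for host in parts[1:]:
            entries.append(HostEntry(parts[0], host.lower()))
    return entries


def is_sensitive(hostname: str) -> bool:
    return any(hostname == s or hostname.endswith("." + s) for s in SENSITIVE_SUFFIXES)


def find_hijacks(entries: list[HostEntry]) -> list[HostEntry]:
    """Entries that redirect to a live address or touch a sensitive domain."""
    hits = []
    for e in entries:
        if e.hostname in ("localhost", "broadcasthost") or e.hostname.endswith(".localdomain"):
            continue
        if e.address not in BLACKHOLE or is_sensitive(e.hostname):
            hits.append(e)
    return hits


def diff_hosts(baseline: str, candidate: str) -> tuple[list, list]:
    """(hostname, address) pairs only in candidate, and pairs only in baseline."""
    base = {(e.hostname, e.address) for e in parse_hosts(baseline)}
    cand = {(e.hostname, e.address) for e in parse_hosts(candidate)}
    return sorted(cand - base), sorted(base - cand)


# Constructed excerpts: a clean MVPS-style file and a tampered copy.
SAMPLE_HOSTS = """# MVPS-style excerpt (constructed)
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # trailing comment
"""
SAMPLE_HOSTS_BAK = """127.0.0.1 localhost
0.0.0.0 ads.example.net
203.0.113.5 www.paypal.com paypal.com
127.0.0.1 liveupdate.symantec.com
"""

if __name__ == "__main__":
    added, removed = diff_hosts(SAMPLE_HOSTS, SAMPLE_HOSTS_BAK)
    print("only in candidate:", added)
    print("only in baseline:", removed)
    for hit in find_hijacks(parse_hosts(SAMPLE_HOSTS_BAK)):
        print("suspicious:", hit.address, hit.hostname)
```

To use it on the real files, read C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS and HOSTS.BAK into the two strings; a size difference of a few KB between a current MVPS download and an older one is normal, so it is the content of the added lines, not the size, that says whether the .bak is just stale or was planted.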

Hi Glory Hornet,

Go to safe mode, and use this: http://www.softpedia.com/get/Security/Secure-cleaning/Pocket-Killbox.shtml
How to start in safe mode: see:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&ExpandSection=3&Src=sec_doc_nam
This will do it,

greets,

polonus

Hi polonus

Tried that, but to no avail. Got rid of the wininit.ini file, but Hosts.bak still remains: Access Denied.

Thanks for your help so far.

Glory

Doesn’t Killbox allow for deletion on reboot?

Usage Information: Download this file, extract it, and run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X).

It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted.


I guess the words hopefully your file will be gone are relevant.

You could also try MoveOnBoot http://www.snapfiles.com/get/moveonboot.html

I have tried delete on reboot, replace on reboot, and standard file kill, all to no avail. It just won’t go; even trying to put it into the Avast Chest didn’t want to know. I keep getting Access Denied whatever I try to do.

Howdy Glory Hornet,

Probably this is a process running, and that is why you cannot touch it (just like a swap file). You could try to rename it fully: give it another name and extension, lousy.txt for instance, and save. Then try to delete it, or get Replacer from the net; if you have Win2xxx or XP that should do the trick. Get it from here: http://www3.telus.net/_/replacer/ and then try to kill this process. Else you might consider posting a HJT log to be analyzed.

greets,

polonus
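The rename-then-delete procedure polonus describes, with the delete-on-reboot fallback the earlier replies mention, as an added Python example that is not from the thread and is not Replacer's, Killbox's or MoveOnBoot's own code. It clears the read-only/hidden attributes, takes ownership and grants Administrators full control (the takeown and icacls commands, which assume Vista or later; on the XP-era systems in this thread cacls would be the substitute), renames the file to a random .txt name so anything watching the original name loses it, deletes it, and if the file is still held open queues a deletion for the next boot through the documented Win32 call MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT (needs an elevated prompt; not available on Windows 9x). The gone- name prefix, the step order and the self_test helper are the example's own.

```python
"""Remove a file that answers Access Denied to everything (added example).

Order of attack, each step only if the previous one failed:
  1. clear read-only (all platforms) and hidden/system (Windows) attributes;
  2. take ownership and grant Administrators full control (takeown/icacls,
     Vista and later; assumed present);
  3. rename to a random, harmless-looking .txt name so whatever watches the
     original name loses it, then delete;
  4. if it is still held open, queue a delete at next boot with
     MoveFileExW(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT); needs an elevated
     prompt and is the NT-family counterpart of wininit.ini [Rename].
"""
from __future__ import annotations
import ctypes
import os
import stat
import subprocess
import sys
import tempfile
import uuid

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
FILE_ATTRIBUTE_NORMAL = 0x80
ADMINISTRATORS_SID = "*S-1-5-32-544"   # SID form works on any UI language
WINDOWS = sys.platform == "win32"


def clear_attributes(path: str) -> None:
    """Step 1: read-only via chmod everywhere, hidden/system via Win32 on Windows."""
    os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
    if WINDOWS:
        ctypes.windll.kernel32.SetFileAttributesW(path, FILE_ATTRIBUTE_NORMAL)


def take_ownership(path: str) -> bool:
    """Step 2, Windows only: takeown, then icacls grant. True if both succeeded."""
    if not WINDOWS:
        return False
    cmds = (["takeown", "/F", path],
            ["icacls", path, "/grant", f"{ADMINISTRATORS_SID}:F"])
    return all(subprocess.run(c, capture_output=True).returncode == 0 for c in cmds)


def decoy_name(path: str) -> str:
    """Random .txt name in the same directory (a rename must stay on one volume)."""
    return os.path.join(os.path.dirname(path), f"gone-{uuid.uuid4().hex}.txt")


def schedule_delete_on_reboot(path: str) -> bool:
    """Step 4: MoveFileExW with a NULL destination. Windows, admin only."""
    if not WINDOWS:
        return False
    k32 = ctypes.windll.kernel32
    k32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    k32.MoveFileExW.restype = ctypes.c_int
    return bool(k32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT))


def remove_stubborn_file(path: str) -> str:
    """Returns 'deleted', 'scheduled' (gone after reboot) or 'failed'."""
    if not os.path.lexists(path):
        return "deleted"
    current, tried_acl = path, False
    while True:
        try:
            clear_attributes(current)
            renamed = decoy_name(current)
            os.rename(current, renamed)            # step 3: break the watched name
            current = renamed
            os.remove(current)
            return "deleted"
        except PermissionError:
            if not tried_acl and take_ownership(current):   # retry once after the ACL change
                tried_acl = True
                continue
            break
        except OSError:
            break
    return "scheduled" if schedule_delete_on_reboot(current) else "failed"


def self_test() -> tuple[str, bool]:
    """Constructed stand-in: a read-only file in a temp dir. Returns (result, still_exists)."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "HOSTS.BAK")
    with open(p, "w") as fh:
        fh.write("constructed stand-in for the locked file\n")
    os.chmod(p, stat.S_IREAD)
    return remove_stubborn_file(p), os.path.lexists(p)


if __name__ == "__main__":
    print(remove_stubborn_file(sys.argv[1]) if len(sys.argv) > 1 else self_test())
```

Run it from an elevated prompt as `python remove.py C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS.BAK`; with no argument it exercises itself on a read-only file in a temporary directory. A result of 'scheduled' means reboot and then check; a file that is back after that is being re-created by something still running, and a HJT log is the next step, as polonus says.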

Hi guys,
You are the best. I used Replacer, which renamed it and also changed the permissions for it, making it “available” for deleting with CyberScrub, and now it is gone.

woo hoo

When it was deleting, an odd file popped up, 1 MB in size, so do you think it may have been an AD file?

cheers everybody,

Glory Hornet

Watford FC’s #1 fan.

Howdy Glory Hornet,

Well, you are welcome; glad you could put that behind you then.
Secure your comp well, as you can read about here on this forum.
I am glad the malware fighter won this time.

Yours sincerely,

polonus