Hi Guys.

This is the first time I've posted an enquiry, so I will try my best to keep it clear and understandable.

Infection was detected a few days ago on my girlfriend's laptop while she was on a genuine British newspaper website. The virus protection, which is always kept up to date (Dr.Web), threw up a window suggesting a file was infected.

Unfortunately she doesn't remember exactly what happened after this point. She successfully quarantined/blocked this file at the time by one of the options Dr.Web offers.

I was away, so when I returned a couple of days later, I ran a full Dr.Web scan and AdAware scan, and little more was found than a few tracking cookies etc. (Dr.Web didn't find anything).

My girlfriend had noticed that when she goes to log in to Natwest, the page which asks for specific numbers of her PIN (either the first, third or fourth etc. digit) was also requesting the full PIN. I took a look at this page and it looked identical to the proper Natwest page, but just had one extra box requesting the full PIN.

I don't know if this was redirecting the browser (IE7), as the whole page supported genuine links to other parts of Natwest, and the web address was identical to what it should be.

I then ran the various checks/scans suggested on this page, including:

1. Ran the Microsoft® Windows® Malicious Software Removal Tool (found nothing)
2. Ran ATF-Cleaner
3. Ran Malwarebytes' Anti-Malware (and this detected a number of infections and removed them)
4. Ran the ESET Online scanner (found nothing)

After doing all this, IE still showed the page incorrectly with this extra box present. Firefox (and Google Chrome that I was trying out the other day) didn't have this issue, they displayed the page correctly.

I then looked into HOSTS file related topics, which whatever I have done, seems to have sorted out the issue, and this is where my question lies...

I really don't understand how to manage HOSTS file utilities yet, however I downloaded HostsMan (abelhadigital.com) and 'Updated' the HOSTS file. Merely doing this seems to have fixed the issue.

When I view the HOSTS file in C:/Windows/Sys32/Drivers/etc/hosts it is huge! And it has hundreds of entries within it. Is this correct?

Would someone be able to advise what I should do to ensure this issue does not occur again?

Also, I have finally made a decision to always use Firefox (which may have been the first suggestion!).

Thanks for reading, and any logs or reports needed, ask away.

Vista or XP?

Open up Notepad (right-click it and choose Run as administrator if you are on Vista).

Open the file HOSTS, which normally lives somewhere like "C:\Windows\System32\drivers\etc" (depending on OS version).

The hosts file, on a clean install of Windows, should contain only:

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

But some programs like Spybot add extra entries to block bad sites.

Also, Dr.Web isn't that good; in fact I have never heard of it until today. I recommend using AVG and Spybot instead.
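A way to check what a populated hosts file is actually doing, as an added example that is not part of either post: a small Python script that parses the file and separates blocklist-style entries (names sunk to 127.0.0.1 or 0.0.0.0, which is what a HostsMan or Spybot update adds and why the file grows to hundreds of lines) from entries that point a name at some other address, which is the pattern that would send the browser to a fake login page while the address bar still shows the real domain. The sample hosts text, the bank.example names and the 203.0.113.7 address are constructed for the example; the script also accepts a real hosts path on the command line.

```python
import ipaddress
import sys
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class HostsEntry:
    line_no: int
    address: str
    hostnames: List[str]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text. Blank lines, '#' comments and trailing comments are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; Windows ignores these as well
        entries.append(HostsEntry(n, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def suspicious_entries(entries: List[HostsEntry]) -> List[Tuple[HostsEntry, str]]:
    """Flag entries that remap localhost, or that point a name at a non-sinkhole address.

    Loopback (127.x, ::1) and unspecified (0.0.0.0, ::) targets are what blocklists
    use to sink ad/tracker names, so those are treated as benign.
    """
    findings = []
    for e in entries:
        try:
            addr = ipaddress.ip_address(e.address)
        except ValueError:
            findings.append((e, "unparseable address"))
            continue
        if "localhost" in e.hostnames and not addr.is_loopback:
            findings.append((e, "localhost points away from loopback"))
        elif not (addr.is_loopback or addr.is_unspecified):
            findings.append((e, "hostname redirected to %s" % e.address))
    return findings


def audit(text: str) -> dict:
    """Summarise a hosts file: total entries and the ones worth a manual look."""
    entries = parse_hosts(text)
    return {
        "entries": len(entries),
        "findings": [(f.line_no, f.address, f.hostnames, why)
                     for f, why in suspicious_entries(entries)],
    }


# Constructed sample: Microsoft header, two blocklist-style lines, one hijack-style line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
0.0.0.0         ads.tracker.example      # typical blocklist entry (constructed)
127.0.0.1       telemetry.example        # typical blocklist entry (constructed)
203.0.113.7     online.bank.example www.bank.example  # constructed: TEST-NET address
"""


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts]; defaults to the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    report = audit(text)
    print("%d mapping(s) parsed, %d flagged" % (report["entries"], len(report["findings"])))
    for line_no, address, names, why in report["findings"]:
        print("  line %d: %s -> %s (%s)" % (line_no, address, ", ".join(names), why))
```

On the constructed sample this parses four mappings and flags only the last one. The hosts file is consulted by every program on the machine, not just one browser, so running this after a HostsMan update at least confirms that none of the hundreds of new lines points a real site at a foreign address.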
