Virus Scan Question

Graueradler
Using AVG Free. Tried to log in to their website with my question but wasn't successful.

The complete scan report has two tabs.

Under the Results Overview tab, it reports:

Complete Test; No Threats Found;, Scanning Completed Successfully.

So everything is OK, right?

But then, under the Virus Results tab, it reports:

system32\kernal32.dll.; Result - Change; Status - Changed.

It reports the same thing for system32\drivers\etc\hosts

It didn't raise any flags or anything. After it was done, it closed the window. If my wife hadn't noticed these things pop up when it was running, we wouldn't even have been aware of it.

Do we have a problem or not???
 

But then, under the Virus Results tab, it reports:

system32\kernal32.dll.; Result - Change; Status - Changed.

It reports the same thing for system32\drivers\etc\hosts

Both of these are interesting. The kernel32.dll one wouldn't catch my eye nearly as much, since a Windows Update can produce that result. But it's still worth looking into.

The second one I find very interesting though--because generally the hosts file does not change. 99.9999% of Windows systems out there have a real simple hosts file with one entry: 127.0.0.1 localhost

Open that file up in notepad. C:\Windows\System32\drivers\etc\hosts and paste the contents in this thread.

Could be spyware. Could be a virus. Could be a lot of things.
 
In my opinion, AVG free is as good as most paid virus scanners. But the paid version of AVG anti-malware is worth the extra money because of the additional anti-spyware and system setting protection it offers.

I personally use Trend Micro PC-Cillin Internet Security on freestanding Windows machines because I love their OfficeScan product for LANs, and it's easier to just stick with one vendor. I really don't think PC-Cillin is any better than the paid version of AVG (although it does have an edge over the free version, in my opinion).

I would definitely use AVG free before I would use anything made by Symantec or McAfee, however.

I wholeheartedly agree with Jesse that the changed hosts file is suspicious. If you really want to know why, I can explain in detail; but basically, the hosts file is the first place the computer looks to find a host's IP address. So it can be used by security software to block a computer's access to certain malicious sites, but it can also be used by malware to block access to sites that might help remove the malware (anti-malware companies, well-known security messageboards, and so forth).

Another malicious use of the hosts file would be to re-route requests for certain sites to impostor sites. So, for example, an identity thief could redirect requests for, say, Citibank to a server that the thief controls, put up a phony Citibank site and login, and collect your personal information.

Please do post the contents of the hosts file. Chances are that anyone here with malware removal experience will be able to quickly tell whether the changes were malicious.

Rich
 
I need to get smarter on computers. It appears that the HOSTS file is being used by one of the protective programs on the computer to block access for spyware, tracking cookies, etc. It must have been going on for a long time but we just noticed it yesterday. Here is a small portion of the file:

# This MVPS HOSTS file is a free download from: #
# http://www.mvps.org/winhelp2002/ #
# #
# Notes: the browser does not read this "#" symbol #
# You can create your own notes, after the # symbol #
# This *must* be the first line: 127.0.0.1 localhost #
# ********************************************************#
# ------------------Updated: 08-18-07---------------------#
# ********************************************************#
# Entries marked with Parasite or Trojan comments should #
# be placed in the Internet Explorer Restricted Zone. #
# http://mvps.org/winhelp2002/restricted.htm #
# #
# Entries with other comments are searchable via Google. #
# #
# Disclaimer: this file is free to use, however it is NOT #
# permitted to post on any other site without permission. #
# #
# This work is licensed under the Creative Commons #
# Attribution-NonCommercial-ShareAlike License. #
# http://creativecommons.org/licenses/by-nc-sa/2.0/ #


127.0.0.1 localhost

#start of lines added by WinHelp2002
# [Misc A - Z]
127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 www.aaa-livedoor.net #[Trojan-PSW.Win32.Maran.ei]
127.0.0.1 www.abcsearcher.com #[Spamdexing][Microsoft.Strider]
127.0.0.1 abc-search.info
127.0.0.1 abloga.info #[Spamdexing]
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net
127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]
127.0.0.1 d.abnad.net
127.0.0.1 e.abnad.net
127.0.0.1 t.abnad.net
127.0.0.1 adv.abv.bg
127.0.0.1 bimg.abv.bg
127.0.0.1 www2.a-counter.kiev.ua
127.0.0.1 accuserveadsystem.com
127.0.0.1 www.accuserveadsystem.com
127.0.0.1 gtcc1.acecounter.com
127.0.0.1 gtp1.acecounter.com #[eTrust.Tracking.Cookie]
127.0.0.1 acestats.com
127.0.0.1 www.acestats.com
127.0.0.1 ads.active.com
127.0.0.1 am1.activemeter.com
127.0.0.1 www.activemeter.com #[eTrust.Tracking.Cookie]
127.0.0.1 ads.activepower.net
127.0.0.1 stat.active24stats.nl #[eTrust.Tracking.Cookie]
127.0.0.1 at.ad2click.nl
127.0.0.1 cms.ad2click.nl
127.0.0.1 banner.ad.nu
127.0.0.1 ad-up.com
127.0.0.1 www.ad-up.com
127.0.0.1 www.adagencypro.com
127.0.0.1 ad.pop1.adbn.ru
127.0.0.1 adserv.adbonus.com
127.0.0.1 www.adbonus.com
127.0.0.1 james.adbutler.de #[Tenebril.TrackingCookie]
127.0.0.1 www.adbutler.de #[SunBelt.AdButler.de]
127.0.0.1 adcp.adcentriconline.com
127.0.0.1 bell.adcentriconline.com #[Wildcard DNS]
127.0.0.1 media.adcentriconline.com
127.0.0.1 publicis.adcentriconline.com
127.0.0.1 adcomplete.com
127.0.0.1 www.adcomplete.com
127.0.0.1 www.adcopy.info
127.0.0.1 axa.addcontrol.net #[Ewido.TrackingCookie.Addcontrol]
127.0.0.1 ads.addynamix.com #[SpySweeper.Spy.Cookie]
127.0.0.1 e13.media.addynamix.com
127.0.0.1 www.adeos.eu
127.0.0.1 adcode.adengage.com
127.0.0.1 stats2.adengage.com
127.0.0.1 www.adengage.com
127.0.0.1 pt.server1.adexit.com
127.0.0.1 www.adexit.com
127.0.0.1 www.ad4ever.com
127.0.0.1 track.adform.net
127.0.0.1 www.adfusion.com
127.0.0.1 harvest.adgardener.com
127.0.0.1 harvest6.adgardener.com
127.0.0.1 harvest7.adgardener.com
127.0.0.1 harvest8.adgardener.com
127.0.0.1 harvest11.adgardener.com
127.0.0.1 harvest12.adgardener.com
127.0.0.1 harvest13.adgardener.com
127.0.0.1 harvest163.adgardener.com
127.0.0.1 harvest176.adgardener.com
127.0.0.1 seeds.adgardener.com
127.0.0.1 www.adgroups.net
127.0.0.1 www.ad-groups.com #[Ban Man Pro Banner Code]
127.0.0.1 www.adgauge.com
127.0.0.1 host1.adhese.be #[Adhese Datamine Tag]
127.0.0.1 host2.adhese.be
127.0.0.1 host3.adhese.be #[ad.be.doubleclick.net]
127.0.0.1 host4.adhese.be
127.0.0.1 ssl3.adhost.com
127.0.0.1 www2.adhost.com
127.0.0.1 ads.adhostingsolutions.com #[eTrust.Tracking.Cookie]
127.0.0.1 www.adimpact.com
127.0.0.1 www.adinventoryrecorder.com
127.0.0.1 adfarm1.adition.com
127.0.0.1 imagesrv.adition.com
127.0.0.1 ad.adition.net
127.0.0.1 adsearch.adkontekst.pl
 
Interesting approach, but probably effective. What those entries mean, if you don't know already, is that for all of those domains listed, any internet requests are being sent to your OWN computer, instead of to the owners of those domains. (127.0.0.1 is the standard map for localhost - or in computer terms, 127.0.0.1 = me (the computer, not the person))
 
Interesting approach, but probably effective. What those entries mean, if you don't know already, is that for all of those domains listed, any internet requests are being sent to your OWN computer, instead of to the owners of those domains. (127.0.0.1 is the standard map for localhost - or in computer terms, 127.0.0.1 = me (the computer, not the person))

I've got a nice AdHOSTS file on my desktop at home. It's nice to just see placeholders when I visit sites instead of the stupid ads.

Biggest downside is that you have to wait for every one of the requests to your localhost to timeout before the page will be "Done".
 
I've got a nice AdHOSTS file on my desktop at home. It's nice to just see placeholders when I visit sites instead of the stupid ads.

Biggest downside is that you have to wait for every one of the requests to your localhost to timeout before the page will be "Done".

And there are a handful of sites that outright won't load until they get confirmation that the advertisement has loaded. Add to that the sites that serve the ads from their own domain, and you really don't have a solution.

I tried blocking at the router for a while, and finally pulled it off. I now use a program that allows me to turn flash on and off to eliminate some of the most obnoxious ads.
 
Interesting approach, but probably effective. What those entries mean, if you don't know already, is that for all of those domains listed, any internet requests are being sent to your OWN computer, instead of to the owners of those domains. (127.0.0.1 is the standard map for localhost - or in computer terms, 127.0.0.1 = me (the computer, not the person))

There are LONG lists of host files like this with new spammers and miscreant domains added all of the time. The problem with this approach is Windows gets SLOW when having to check a long hosts file.

But if there's a site you really hate, like doubleclick.net or sites like goat.se, you can prevent it from ever working this way. Just keep the hosts file small.

Note that an entry like:

google.com nnn.nn.nnn

can be used to intercept all of your search requests and send you to mafia.ru/google
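Added example, not code from the thread, from AVG or from the MVPS project: a small Python audit that parses a hosts file and separates the harmless pattern visible in the posted file (hostnames pointed at 127.0.0.1 so the request goes nowhere) from the two abuses described by Rich and in the post above, a security or update site being blackholed, and a well-known name being redirected to some other address. It also checks the rule the MVPS header itself states, that localhost must resolve to loopback. The sample file, the watch list, and the .example/.test hostnames and 203.0.113.5 address are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Addresses that blocking lists such as the MVPS file point hostnames at so the
# request never leaves the machine ("blackholing"); 127.0.0.1 is the one used above.
BLACKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed watch list: domains a defender never expects to see blackholed
# (security vendors, update servers). A real deployment fills this in.
WATCHED_DOMAINS = {"security-vendor.example"}

# Constructed sample: two lines modelled on the posted file, then lines that were
# NOT in the posted file, added to show what a malicious change looks like.
SAMPLE_HOSTS = """\
# header comment, as in the MVPS file
127.0.0.1 localhost

#start of lines added by WinHelp2002
127.0.0.1 ad.a8.net
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
# --- constructed lines below, not from the posted file ---
127.0.0.1 update.security-vendor.example   # remediation site blackholed
203.0.113.5 www.example-bank.test          # bank name sent to a routable address
not-an-ip www.broken.example
"""


@dataclass
class HostsEntry:
    line_no: int
    address: str
    hostnames: list
    comment: str


def parse_hosts(text):
    """Parse hosts-file text: '<address> <hostname> [hostname ...] [# comment]'."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body, _, comment = raw.partition("#")   # everything after '#' is a comment
        parts = body.split()
        if not parts:
            continue                             # blank or comment-only line
        entries.append(HostsEntry(line_no, parts[0], parts[1:], comment.strip()))
    return entries


def _in_watchlist(hostname):
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Return {'findings': [(severity, line_no, message), ...], 'blackholed': n}."""
    findings = []
    blackholed = 0
    localhost_ok = False
    for e in parse_hosts(text):
        try:
            ipaddress.ip_address(e.address)
        except ValueError:
            findings.append(("low", e.line_no, f"malformed address {e.address!r}"))
            continue
        if not e.hostnames:
            findings.append(("low", e.line_no, "address with no hostname"))
            continue
        is_blackhole = e.address in BLACKHOLE_ADDRESSES
        for name in e.hostnames:
            if name.lower() == "localhost":
                localhost_ok = localhost_ok or is_blackhole
                continue
            if is_blackhole and _in_watchlist(name):
                findings.append(("high", e.line_no,
                                 f"{name} blackholed: remediation/update site blocked"))
            elif is_blackhole:
                blackholed += 1                  # ordinary ad/tracker blocking, as in the posted file
            else:
                # A hostname sent to a routable address: the impostor-site pattern from the
                # thread. Legitimate intranet entries look the same, so these need review.
                sev = "high" if _in_watchlist(name) else "medium"
                findings.append((sev, e.line_no, f"{name} redirected to {e.address}"))
    if not localhost_ok:
        findings.append(("medium", 0, "localhost is not mapped to a loopback address"))
    return {"findings": findings, "blackholed": blackholed}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{report['blackholed']} hostnames blackholed (ad/tracker blocking)")
    for sev, line_no, msg in report["findings"]:
        print(f"[{sev}] line {line_no}: {msg}")
```

On the file posted above this reports every 127.0.0.1 entry as ordinary blocking and no findings; it only flags when a watched domain is blackholed, when a name points somewhere other than loopback, or when the localhost line is wrong. Point it at C:\Windows\System32\drivers\etc\hosts by reading that file into a string in place of SAMPLE_HOSTS.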
 
Ads are the price we pay for free content. I have no problem with them as long as they're neither intrusive nor spyware-laden, and I have no problem with Web designers blocking visitors who block the ads. That's my opinion, anyway.

As for your hosts file, there's nothing on there that's going to hurt your computer, so there's nothing to worry about. AVG was correct, but the change is not harmful.

Rich
 
Ads are the price we pay for free content. I have no problem with them as long as they're neither intrusive nor spyware-laden, and I have no problem with Web designers blocking visitors who block the ads. That's my opinion, anyway.

Non-intrusive ones, I agree, are not a problem - like display ads in the newspaper. However, the latest trend is to be very intrusive, such as the ones that scroll the page up and down, or the ones that move objects across the screen you're trying to view.

Those are the kind that a Flash-blocker is useful for.

BTW, we'll have to disagree about web designers who block visitors that block ads. Make the ads non-intrusive and I'll accept them. When they impede my browsing, when they put invasive stuff on the computer, or when they're on slow servers that slow things down, then blocking them is a duty... ;)
 
Non-intrusive ones, I agree, are not a problem - like display ads in the newspaper. However, the latest trend is to be very intrusive, such as the ones that scroll the page up and down, or the ones that move objects across the screen you're trying to view.

Those are the kind that a Flash-blocker is useful for.

BTW, we'll have to disagree about web designers who block visitors that block ads. Make the ads non-intrusive and I'll accept them. When they impede my browsing, when they put invasive stuff on the computer, or when they're on slow servers that slow things down, then blocking them is a duty... ;)

Oh, no disagreement from me on the intrusive ads. I block them, as well. Pop-ups, pop-unders, DHTML sliders, Intellitxt, etc. have all earned places in my Adblock extension. But when my blocking an ad results in my being blocked from a site, I just accept that as part of the deal. (And if I'm blocked from a site that serves malware, then they're doing me a favor.)

Ultimately, I think that webmasters who use excessive or intrusive advertising hurt themselves. I can't even imagine why designers use pop-ups anymore. Every browser in the world blocks them by default, so what's the point? And the DHTML sliders will repel me from a site like a cockroach scurrying from the light.

But normal banners (not the really annoying Flash banners that expand when mouse-overed), Google Adwords, ordinary text ads (not Intellitxt), and the like are all quite acceptable to me and, I think, to most people. My typical setup is Google adwords on one side, a few text links, and a banner on the bottom, as with

http://www.flysportusa.com

I do vary the layout a bit; for example, that site's forum uses a different layout than the rest of the site because I'm basically too lazy to redesign the canned forum template. But I still keep the ads as unobtrusive as possible because I've come to the conclusion that the less intrusive an ad is, the better it performs.

In fact, I got my check from Google Adsense today (Google Adsense is the publisher side of Google Adwords), and as usual, it was higher than the totals for all the banners combined.

Rich
 