Hosts file and suspicious activity

  Handy Spinner 12:57 29 Mar 2005

The hosts file was until yesterday infected with a virus which Norton AV would repeatedly warn me about, but would also claim it was unable to repair the file. The warnings came every few seconds, preventing me from opening the hosts file to edit it, so I started the machine in safe mode and removed all the lines apart from "127.0.0.1 localhost". After this, Norton no longer indicated an infection, although it found several viruses when I did a full scan of the computer (Backdoor.Sdbot and W32.Randex).

Upon every reboot, however, the hosts file was rewritten with the old settings, until I made it read-only by way of SpyBot S&D, which also picked up a few various nasties. I also downloaded Ad-aware, but that hangs after a while during scanning.

Looking at the firewall (Sygate Personal) logs, it indicates repeated (blocked) attempts made by two programs to access the Internet. One is "C:\WINNT\system32\IMAPI.EXE" and tries to connect to a rather suspicious-sounding site called "pda.teensmutbox.com"; the other is "C:\WINNT\system32\msbeta32.exe" trying to connect to "cybersmash.cjb.net".

What I would like to know is, what was causing the rewriting of the hosts file? Presumably whatever was doing so is still present on the system. And what are these strange firewall log entries? Could the two be connected?

Thanks for your help,

Spinner
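An added example, not part of the thread: a small audit script that parses a hosts file and flags every mapping beyond the default loopback entry. The sample file below is constructed to illustrate the kind of tampering described above; the list of vendor domains is illustrative and not taken from the post.

```python
import ipaddress

# Constructed sample of a tampered hosts file (not the poster's actual file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com  # redirected
127.0.0.1       liveupdate.symantecliveupdate.com
192.0.2.10      www.example-bank.com
"""

# Mappings that belong in a default hosts file and are never flagged.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Illustrative list of vendor domains that malware commonly pins to loopback
# so the victim cannot reach AV or OS update servers (assumption, not from the thread).
PROTECTED_DOMAINS = (
    "symantec.com", "symantecliveupdate.com",
    "microsoft.com", "windowsupdate.com", "mcafee.com",
)


def is_protected(hostname):
    """True if hostname is one of the protected domains or a subdomain of one."""
    h = hostname.lower()
    return any(h == d or h.endswith("." + d) for d in PROTECTED_DOMAINS)


def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) per mapping line; ip is None if malformed."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            entries.append((n, None, parts))  # malformed line, report as-is
            continue
        entries.append((n, ip, parts[1:]))
    return entries


def audit_hosts(text):
    """Return findings as (line_no, reason, ip, hostname) for every non-default mapping."""
    findings = []
    for n, ip, names in parse_hosts(text):
        if ip is None:
            findings.append((n, "malformed line", None, " ".join(names)))
            continue
        loopback = ipaddress.ip_address(ip).is_loopback
        for name in names:
            if (ip, name.lower()) in DEFAULT_ENTRIES:
                continue
            if loopback and is_protected(name):
                reason = "vendor domain pinned to loopback"
            elif loopback:
                reason = "non-default loopback mapping"
            else:
                reason = "hostname pinned to external address"
            findings.append((n, reason, ip, name))
    return findings


if __name__ == "__main__":
    # On Windows 2000 the file lives at C:\WINNT\system32\drivers\etc\hosts;
    # here the constructed sample is audited instead of reading from disk.
    for n, reason, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {n}: {reason}: {ip} {name}")
```

A clean file as reduced in the post ("127.0.0.1 localhost" only) produces no findings; anything else the script reports is a line that was either added by hand or written back by something still running on the machine.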

  pauldonovan 13:02 29 Mar 2005

... I'd recommend running winpatrol or startup control panel (by mike lin).

It will tell you what is in your startup. It is almost certainly something running in your startup that is doing this.

Go through each thing in your startup and try to identify what it is. Post on here or search google if you are unsure.

I would've thought the tools you mention would've found it but they're not 100% reliable as new things come out but if something is running and changing things, it needs to be 'executed' and the startup programs is a good place to start.

  Fruit Bat /\0/\ 13:09 29 Mar 2005

imapi.exe click here
Do not delete; something else is using this to connect.

C:\WINNT\system32\msbeta32.exe, safe to get rid of.

Your viruses are hiding in System Restore files and are reappearing and rewriting the hosts file at every start up.

Switch off System Restore to delete all restore points. Rescan with your AV and spyware progs. When the system is clean, set a new restore point.

  Handy Spinner 13:23 29 Mar 2005

@pauldonovan: As a matter of fact, I had checked in Startup Control Panel, but I haven't noticed anything suspicious, save indeed IMAPI.exe and msbeta32.exe (which claims to be "Windows Beta").

@fruit bat: I forgot to mention I'm running Windows 2000, I thought that 2000 doesn't have System Restore?

I'll try deleting this msbeta32.exe program, it doesn't exactly sound above board. What about this IMAPI.exe trying to connect to that site, though?

Thanks for your help.

Spinner
