One More Step That the AntiVirus Software Won’t Do For You

Antivirus software, usually bundled in an internet security suite, is frustrating to me.

First off, you have to pay for this software (yes, there are free alternatives, but…) only because there are bad people out there.

Second, it slows your PC down. In the case of Symantec’s Norton, sometimes, with some versions, it slows down A LOT!

Third, many times it will tell you that it found the virus, but cannot clean or delete it – the rest is up to you. WHAT? This usually happens because the malware is actually running within Windows, and Windows places a “lock” on a running file in order to protect it. Good during the normal course of operation, bad when it comes to cleaning trojans, viruses and other malware from your PC.

The above three items are fairly well known. Here is one that isn’t:

One more step to clean malware from your PC

Current malware is using a basic piece of Windows networking to reinstall itself even after your PC has been cleaned.

The Windows hosts file.

The Windows hosts file resides in the C:\Windows\system32\drivers\etc folder (or, more precisely, %SystemRoot%\system32\drivers\etc, since some versions use WINNT or some other directory name instead of Windows).

What it does is help Windows resolve the IP address for some domain names. By default, it doesn’t do much at all. But a network administrator in a corporate environment will likely make use of the file to assist with network connectivity.

The hosts file can also be used to BLOCK access to certain known malicious sites. It does that by pointing, say, www.badsite.com right back to the local machine with the entry 127.0.0.1 (known as localhost). That prevents the web browser from opening the known malicious site.

But turn that around.

Plug your malicious site’s IP address into the victim’s hosts file, attached to updates.microsoft.com, and the next time automatic (or manual) Windows Update kicks in, voilà, they come to your site and get reinfected all over again!

Here is what a default Windows XP hosts file usually looks like:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

The lines beginning with the pound sign are comments. The only line that does anything in this file is the one assigning the term “localhost” to the address 127.0.0.1, also known as the loopback address. It simply points back to the computer itself.

Thus if you add this line to the file:

127.0.0.1     microsoft.com

then your computer will try to reach the web server on YOUR OWN COMPUTER (if one is installed, which it usually isn’t) when you type www.microsoft.com in a browser address bar, thus preventing you from getting to Microsoft’s website. But if you replace 127.0.0.1 with the IP address of your own malicious server, then any time the user, or automatic updates, tries to reach Microsoft’s servers, the request goes to the malicious server instead and the PC gets reinfected.

Here is the takeaway:

If you have been infected, it’s worth a look at the Windows hosts file just to make sure there aren’t any entries that shouldn’t be there. If you are on a company network, ask the IT department – don’t make any changes yourself. If it’s your own PC, back up the file first before making changes just in case.
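To make that check less of an eyeball job, here is a small script, added as an example for this post and not part of the original, that parses a hosts file the way Windows does (pound-sign comments, address first, one or more names after it) and reports every entry that points a name somewhere other than the loopback address. Loopback entries can only block a site, which is the defensive use described above; anything else redirects it, which is the trick this post warns about, so those get flagged, with a higher severity for names under a constructed watch list of update and security-vendor domains. The embedded sample file is constructed for illustration, and the 203.0.113.5 address in it is a documentation-range placeholder, not a real server. One caveat worth knowing when you read the results: a hosts entry matches the exact name only, so an entry for microsoft.com does not cover www.microsoft.com.

```python
"""Flag hosts-file entries that redirect names away from loopback.

Added example, not from the original post. Run with no argument to check
the constructed sample below, or pass the path of a real hosts file, e.g.
python hosts_check.py "%SystemRoot%\\System32\\drivers\\etc\\hosts"
"""
import ipaddress
import sys
from typing import Dict, List, Tuple

# Constructed sample: a default-looking hosts file with one deliberate block
# entry and one redirect of a Microsoft update hostname to a non-loopback
# address (203.0.113.5 is a TEST-NET-3 placeholder, not a real host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
127.0.0.1       www.badsite.example        # deliberate block of a known-bad site
203.0.113.5     updates.microsoft.com      # constructed: redirect to another server
"""

# Constructed watch list of domains an attacker would want to hijack
# (OS updates, security vendors). Extend it for your own environment.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "symantec.com")


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_number) for every active mapping.

    Follows the file's own rules: '#' starts a comment (whole line or
    trailing), whitespace separates the address from one or more names,
    and blank lines are ignored.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((ip, name.lower(), lineno))
    return entries


def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1; malformed addresses count as not loopback."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def find_suspicious(text: str) -> List[Dict[str, object]]:
    """Report every entry that maps a hostname to a non-loopback address.

    Severity is 'high' when the name is on the watch list (an exact match or
    a subdomain of a watched suffix) and 'review' otherwise.
    """
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if is_loopback(ip):
            continue  # a block entry, not a redirect
        watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        findings.append({
            "line": lineno,
            "ip": ip,
            "host": name,
            "severity": "high" if watched else "review",
        })
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for f in find_suspicious(content):
        print(f"line {f['line']}: {f['ip']} -> {f['host']} [{f['severity']}]")
```

On the sample above the script reports only the updates.microsoft.com line; the localhost and www.badsite.example entries are loopback and stay quiet. On a company PC, hand the output to the IT department rather than editing the file yourself, as the post says.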
