w32.chod.d and the hosts file

My sister had this virus and I removed it according to Symantec's website and
it fixed everything except the area of the browser hijack not allowing
access to security-related sites (i.e. Symantec, McAfee, etc.). Symantec
says this was done by adding lines to the hosts file located in
c:\windows\system32\drivers\etc. It also said that not all computers will
have this file and of course hers doesn't. Since she doesn't have this file
where did the changes occur? She has a Dell running the XP Media Center.

http://securityresponse.symantec.com/avcenter/venc/data/w32.chod.d.html



Re: w32.chod.d and the hosts file

Roland wrote:


Did you make sure you have Windows set to view all files?

The HOSTS file has no extension.

--
   -bts
   -Warning: I brake for lawn deer

Re: w32.chod.d and the hosts file



We did that yesterday but I gave her a call back just now to make sure and
it worked. She checked the wrong box yesterday. Two additional files did
show up in the folder that I do not think should be there.

"1hosts" and "hosts.msn"

It is safe to delete these two files, isn't it? I know the virus came
from MSN Messenger.

Thanks for the help.



Re: w32.chod.d and the hosts file

Roland wrote:


Open them with a text editor and see what is in them.


Won't know that until you see what is their content.

(I don't use messenger programs.)

--
   -bts
   -Warning: I brake for lawn deer

Re: w32.chod.d and the hosts file

On 7/4/2006 10:59 AM, * Roland after much thought,came up with this gem:

Yes it is safe to delete them.
The hosts file should look like this:

  # Copyright (c) 1993-1999 Microsoft Corp.
  #
  # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
  #
  # This file contains the mappings of IP addresses to host names. Each
  # entry should be kept on an individual line. The IP address should
  # be placed in the first column followed by the corresponding host name.
  # The IP address and the host name should be separated by at least one
  # space.
  #
  # Additionally, comments (such as these) may be inserted on individual
  # lines or following the machine name denoted by a '#' symbol.
  #
  # For example:
  #
  #      102.54.94.97     rhino.acme.com          # source server
  #       38.25.63.10     x.acme.com              # x client host

  127.0.0.1       localhost

and is found here:
C:\WINNT\system32\drivers\etc\hosts
there is another one here:
C:\WINNT\system32\drivers\etc\lmhosts.sam

Spybot Search and Destroy has a hosts file locking feature that works
well. I have a link to it on my pages (see below).
--
Playing Nice on Usenet:
http://oakroadsystems.com/genl/unice.htm#xpost
My Pages:
Virus Removal Instructions
http://home.neo.rr.com/manna4u/
Keeping Windows Clean
http://home.neo.rr.com/manna4u/keepingclean.html
Windows Help and Tools
http://home.neo.rr.com/manna4u/tools.html
Change nomail.afraid.org to gmail.com to reply.

Re: w32.chod.d and the hosts file



| Yes it is safe to delete them.
| The hosts file should look like this:
|
|   # Copyright (c) 1993-1999 Microsoft Corp.
|   #
|   # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
|   #
|   # This file contains the mappings of IP addresses to host names. Each
|   # entry should be kept on an individual line. The IP address should
|   # be placed in the first column followed by the corresponding host name.
|   # The IP address and the host name should be separated by at least one
|   # space.
|   #
|   # Additionally, comments (such as these) may be inserted on individual
|   # lines or following the machine name denoted by a '#' symbol.
|   #
|   # For example:
|   #
|   #      102.54.94.97     rhino.acme.com          # source server
|   #       38.25.63.10     x.acme.com              # x client host
|
|   127.0.0.1       localhost
|
| and is found here:
| C:\WINNT\system32\drivers\etc\hosts
| there is another one here:
| C:\WINNT\system32\drivers\etc\lmhosts.sam
|
| Spybot Search and Destroy has a hosts file locking feature that works
| well. I have a link to it on my pages (see below).

etc/lmhosts.sam has to do not with IP to alias resolution but IP to NetBIOS
name resolution, where "lm" stands for LAN Manager. The extension .SAM stands
for sample.
Therefore lmhosts.sam is a sample resolver table for NetBIOS names.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: w32.chod.d and the hosts file


| My sister had this virus and I removed it according to Symantec's website and
| it fixed everything except the area of the browser hijack not allowing
| access to security-related sites (i.e. Symantec, McAfee, etc.). Symantec
| says this was done by adding lines to the hosts file located in
| c:\windows\system32\drivers\etc. It also said that not all computers will
| have this file and of course hers doesn't. Since she doesn't have this file
| where did the changes occur? She has a Dell running the XP Media Center.
|
| http://securityresponse.symantec.com/avcenter/venc/data/w32.chod.d.html
|


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to allow it to download the needed AV vendor related
files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in
Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot
the PC.

You can choose to go to each menu item and just download the needed files or
you can download the files and perform a scan in Normal Mode. Once you have
downloaded the files needed for each scanner you want to use, you should
reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again
and choose which scanner you want to run in Safe Mode.  It is suggested to run
the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more
comprehensive PDF help file.  http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * *   Please report back your results  * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: w32.chod.d and the hosts file




c:\windows\system32\drivers\etc is only the default location for the
hosts file which is settable in the registry here.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

If you run D Lipman's multi av utility then this will check and
restore it to its default location for you if the malware changed it.


Jim.
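
The two checks discussed in this thread, as an added example that is not part of any poster's message: it parses hosts-file text and reports entries that override security-vendor domains, and it compares a DataBasePath registry value with the Windows default. The watch list, the sample hosts text and the function names are assumptions made for this example.

```python
import ipaddress
import ntpath

# Default DataBasePath value (the folder that holds hosts) on Windows.
DEFAULT_DB_PATH = r"%SystemRoot%\System32\drivers\etc"
# Watch list assumed for this example, built from vendors named in the thread.
WATCHED = ("symantec.com", "mcafee.com", "sophos.com",
           "trendmicro.com", "kaspersky.com")

# Constructed sample of a tampered hosts file (not taken from the thread).
SAMPLE = """\
# sample
127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
127.0.0.1 mcafee.com   # trailing comment
10.0.0.5        fileserver
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) per mapping; skip comments and blanks."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield no, fields[0], name.lower().rstrip(".")

def is_local(ip):
    """True for loopback/unspecified addresses, the usual blocking targets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def suspicious_entries(text, watched=WATCHED):
    """Return (line_no, ip, hostname, points_local) for watched domains."""
    return [(no, ip, name, is_local(ip))
            for no, ip, name in parse_hosts(text)
            if any(name == d or name.endswith("." + d) for d in watched)]

def database_path_is_default(value, system_root=r"C:\WINDOWS"):
    """Compare a DataBasePath registry value with the Windows default."""
    def norm(path):
        path = path.strip().lower().replace("%systemroot%", system_root.lower())
        return ntpath.normpath(path)
    return norm(value) == norm(DEFAULT_DB_PATH)

if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE):
        print(hit)
```

Feed `suspicious_entries` the text of the hosts file found in whatever folder DataBasePath actually names, since a relocated path means the file in the default folder is not the one being consulted.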

