52 Replies Latest reply: Jul 15, 2012 5:11 PM by MadMacs0
foxone12 Level 1 (0 points)

How do I remove HostMod-A malware?  It's located at Private/etc/hosts, but when I try to open that folder, it says I do not have permission.

  • MadMacs0 Level 5 (4,555 points)

    Check for the QHost.WD Trojan (courtesy of Linc Davis):

    In the Finder, select Go > "Go to Folder..." from the menu bar. Enter "/etc" (without the quotes) in the window that opens, and press return. A Finder window opens. Locate the file named "hosts" and double-click it. It should open in the TextEdit application. You should see this in the TextEdit window:

    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting.  Do not change this entry.
    ##
    127.0.0.1       localhost
    255.255.255.255 broadcasthost
    ::1             localhost
    fe80::1%lo0     localhost

    If you see anything else, post the entire contents of the window -- the text, please, not a screenshot.

  • foxone12 Level 1 (0 points)

    Mad Mac, I did as you suggested. Got to 'hosts,' but when I double-clicked I received the message: You do not have permission. I tried repairing my permissions with Disk Utility, and all permissions repaired EXCEPT for private/etc/hosts, which was labelled: Open error 13.

     

    I have run Sophos Anti-Virus software and while it will spot HostMod-A, it says I must manually remove it, leading me to exactly what you suggested.

     

    By the way, I am running OS 10.6.8, which I reinstalled, hoping that would clear the error.  No luck.

     

    Stymied.   Thanks for any additional suggestions you can think of.

  • MadMacs0 Level 5 (4,555 points)

    foxone12 wrote:

     

    Mad Mac,  I did as you suggested.  Got to 'hosts,' but when I double clicked I received the message:  You do not have permission.

    If you want to examine the file to make certain of what it is, try the following:

     

    • Highlight the hosts file.
    • Select "Get Info" from the Finder's "File" menu or type Command-I.
    • At the bottom of the window in the Sharing & permissions section, click on the lock icon.
    • Enter your admin Name and Password in the dialog box.
    • There should be an entry for "everyone" and a popup menu next to it will allow you to change it to Read only.
    • Close the Get Info window and you should be able to examine the file.

    I'll next post instructions on how to fix it.

  • MadMacs0 Level 5 (4,555 points)

    By far the easiest way to fix the hosts file is to restore it from a Time Machine (or other) backup that predates the installation of the trojan. If that's not possible, then do the following.

     

    Some of what follows is redundant to what I've already said, but I'm repeating it here for completeness.

     

    Double-click the file named "hosts" in that folder. It should open in TextEdit. At the top of the file, you should see something like this:

    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting.  Do not change this entry.
    ##
    127.0.0.1       localhost
    255.255.255.255 broadcasthost
    ::1             localhost
    fe80::1%lo0     localhost

    Below that, you'll see some other lines. Delete everything below the last line shown above. Don't try to save; you won't be able to. Instead, select "Save As..." from the file menu in TextEdit. In the Save dialog, deselect the option to add a ".txt" extension to the file name, if it's selected. Save the file to your Desktop. You should now have a file named exactly "hosts" with no extension on your Desktop, having the contents shown above.

     

    Now comes the part that usually scares people. Launch the Terminal application, copy or drag -- do not type -- the line of text below into the window, and press return:

     

    sudo sh -c ' cat Desktop/hosts > /etc/hosts '

     

    You'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. Don't panic when you see that warning. Quit Terminal.

     

    Do not type anything into the Terminal window except your password.

     

    You should also look around for the installer that caused this situation so you won't be tempted to reinstall it. The sample I have is named "FlashPlayer.pkg.zip" but yours may be unzipped already. It would normally be found in your Downloads folder. If you see anything in that folder you don't recognize or need to keep, it would be best to delete it.
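    The check MadMacs0 describes (compare the file against the four stock entries and remove anything below them) can be scripted so that the verdict does not depend on eyeballing column alignment. The script below is an added example, not code from the thread, from Apple or from Sophos. It assumes a POSIX shell with sed, grep and mktemp, and the sample hosts file it audits is constructed here; its two redirect lines use 192.0.2.10, a documentation address, not any real indicator.

```shell
#!/bin/sh
# Added example (not from the thread): list every active line in a hosts file
# that is not one of the four stock Mac OS X entries quoted above.
# Usage: audit_hosts /etc/hosts   (prefix with sudo if the file is unreadable)

# The four entries a stock hosts file contains, whitespace-normalised.
STOCK_ENTRIES='127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost'

# Print each non-comment, non-blank line of file $1 that is not a stock entry.
# Comments are stripped and runs of spaces/tabs collapsed first, so the
# column alignment Apple uses does not affect the comparison.
extra_hosts_entries() {
    sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' "$1" |
    grep -v '^$' |
    while read -r entry; do
        printf '%s\n' "$STOCK_ENTRIES" | grep -Fxq -- "$entry" || printf '%s\n' "$entry"
    done
}

# Report the verdict for file $1: return 0 when only stock entries are present,
# 1 when extra entries (the lines MadMacs0 says to delete) were found.
audit_hosts() {
    extra=$(extra_hosts_entries "$1")
    if [ -z "$extra" ]; then
        printf '%s: clean, stock entries only\n' "$1"
        return 0
    fi
    printf '%s: tampered, extra entries:\n' "$1"
    printf '%s\n' "$extra" | sed 's/^/  /'
    return 1
}

# Constructed sample: the stock file with two redirect lines appended, the
# shape a hijacked file takes. 192.0.2.10 is a documentation address.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
192.0.2.10      www.google.com
192.0.2.10      google.com
EOF

if audit_hosts "$SAMPLE"; then
    echo "No action needed."
else
    echo "Restore a clean hosts file (from backup, or with the Save As / sudo procedure above)."
fi
rm -f "$SAMPLE"
```

    Run against the real file with `sudo sh audit_hosts.sh` style invocation or by sourcing the functions and calling `audit_hosts /etc/hosts`; a non-zero exit makes it usable from a scheduled job that simply checks the file has not changed again after repair.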

  • foxone12 Level 1 (0 points)

    Mad Mac,

     

    Tried to use my backup to restore hosts.  Opened hosts in backup.  Closed it and the file disappeared from the backup.  Tried an earlier backup file for hosts.  Nothing there either.

     

    Got to hosts in my /private/etc file.  Clicked on hosts. Went to Get Info and it says that 'everyone' has permission to read the file, everyone but me that is.  Hosts still will not open.  Unlocked the file and made sure that everyone on the list can read it.  Still no luck.  File will not open and I cannot read it.

     

    If I could restore, I would, but that didn't work for the reason listed above.

     

    If I could, I would simply remove the trojan from the hosts file, but the file will not open.

     

    Checked my download file.  No zips or programs there.

     

    Tried several approaches to the problem and greatly appreciate all your suggestions.

  • MadMacs0 Level 5 (4,555 points)

    Let's see if we can confirm that you are actually infected.

     

    Launch the Network Utility application by entering the first few letters of its name in a Spotlight search. Select the "Lookup" tab and enter "www.google.com" (without the quotes) in the address field. Press return. Post the output -- the text, please, not a screenshot. Then select the "Ping" tab and do the same.

  • foxone12 Level 1 (0 points)

    Here's the text from the network utility, www.google.com

    ; <<>> DiG 9.6.0-APPLE-P2 <<>> www.google.com +multiline +nocomments +nocmd +noquestion +nostats +search
    ;; global options: +cmd
    www.google.com.                    85237 IN CNAME www.l.google.com.
    www.l.google.com.          103 IN A 173.194.69.99
    www.l.google.com.          103 IN A 173.194.69.147
    www.l.google.com.          103 IN A 173.194.69.105
    www.l.google.com.          103 IN A 173.194.69.103
    www.l.google.com.          103 IN A 173.194.69.106
    www.l.google.com.          103 IN A 173.194.69.104

    Here's the Ping results:

    PING www.l.google.com (173.194.69.103): 56 data bytes
    64 bytes from 173.194.69.103: icmp_seq=0 ttl=49 time=62.809 ms
    64 bytes from 173.194.69.103: icmp_seq=1 ttl=49 time=63.565 ms
    64 bytes from 173.194.69.103: icmp_seq=2 ttl=49 time=62.130 ms
    64 bytes from 173.194.69.103: icmp_seq=3 ttl=49 time=61.904 ms
    64 bytes from 173.194.69.103: icmp_seq=4 ttl=49 time=62.986 ms
    64 bytes from 173.194.69.103: icmp_seq=5 ttl=49 time=61.218 ms
    64 bytes from 173.194.69.103: icmp_seq=6 ttl=49 time=62.425 ms
    64 bytes from 173.194.69.103: icmp_seq=7 ttl=49 time=62.810 ms
    64 bytes from 173.194.69.103: icmp_seq=8 ttl=49 time=63.596 ms
    64 bytes from 173.194.69.103: icmp_seq=9 ttl=49 time=62.566 ms

    --- www.l.google.com ping statistics ---
    10 packets transmitted, 10 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 61.218/62.601/63.596/0.693 ms

    Thank you so much for your continuing help!
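    The reason the Lookup and Ping outputs together settle the question is that Network Utility's Lookup tab queries DNS directly, while ping resolves the name through the system resolver, which consults /etc/hosts before DNS. If the hosts file had been hijacked, ping would report the hijacked address rather than one of the DNS answers. The script below automates that comparison; it is an added example, not code from the thread or from Apple. It assumes a POSIX shell with awk, sed and grep, reuses the Lookup and Ping text foxone12 posted, and adds a constructed "hijacked" ping transcript for contrast (192.0.2.10 is a documentation address, not a real indicator).

```shell
#!/bin/sh
# Added example (not from the thread): compare the address ping resolved with
# the A records the Lookup tab (dig) returned, to spot a hosts-file override.

# Print the A-record addresses from dig-style output passed as $1
# (answer-line layout: name ttl IN A address).
dns_a_records() {
    printf '%s\n' "$1" | awk '$4 == "A" { print $5 }'
}

# Print the address ping reported on its first line, e.g.
# "PING www.l.google.com (173.194.69.103): 56 data bytes".
pinged_address() {
    printf '%s\n' "$1" | sed -n 's/^PING [^ ]* (\([^)]*\)).*/\1/p' | head -n 1
}

# Return 0 when ping's address is one of the DNS answers, 1 otherwise.
resolver_consistent() {
    addr=$(pinged_address "$2")
    [ -n "$addr" ] && dns_a_records "$1" | grep -Fxq -- "$addr"
}

# Lookup and Ping output as foxone12 posted them (abridged).
LOOKUP='www.google.com.                    85237 IN CNAME www.l.google.com.
www.l.google.com.          103 IN A 173.194.69.99
www.l.google.com.          103 IN A 173.194.69.147
www.l.google.com.          103 IN A 173.194.69.105
www.l.google.com.          103 IN A 173.194.69.103
www.l.google.com.          103 IN A 173.194.69.106
www.l.google.com.          103 IN A 173.194.69.104'
PING_CLEAN='PING www.l.google.com (173.194.69.103): 56 data bytes
64 bytes from 173.194.69.103: icmp_seq=0 ttl=49 time=62.809 ms'

# Constructed contrast: what ping prints when /etc/hosts maps www.google.com
# to a bogus address (192.0.2.10 is a documentation address).
PING_HIJACKED='PING www.google.com (192.0.2.10): 56 data bytes
Request timeout for icmp_seq 0'

# Print a verdict for one ping transcript against the DNS answers.
report() {
    if resolver_consistent "$LOOKUP" "$1"; then
        echo "ping address $(pinged_address "$1") matches DNS: no hosts override"
    else
        echo "ping address $(pinged_address "$1") not in DNS answers: check /etc/hosts"
    fi
}

report "$PING_CLEAN"
report "$PING_HIJACKED"
```

    On a live machine the same functions can be fed with `dig www.google.com` and `ping -c 1 www.google.com` output; a mismatch does not prove a hijack (DNS answers rotate and cached records differ), but it is exactly the condition that should send you back to reading /etc/hosts.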

  • MadMacs0 Level 5 (4,555 points)

    Sorry, but I desperately needed some sleep.

     

    I've been discussing your situation with a colleague and I think we have an idea of what's going on.

     

    The results indicate that you are not infected by what I know as Trojan:BASH/QHost.WB, which Sophos calls Troj/QHost-CU, and which was probably the installation package I had you look for that modifies the hosts file.

     

    As far as I know the Trojan no longer exists in the wild, so you would have had to have downloaded it last July/August. c|net published this article on what it did. If you never saw this behavior, then chances are you never had the Trojan on your computer. If you are recently having problems reaching other sites, it could be something new. Also, was this the first time running Sophos, and if not, when was the last time?

     

    Around the same time Sophos posted a description of OSX/HostMod-A which describes it as an application. Then on this page they tell us that it "Detects a ‘hosts’ file that has been tampered with" which tells me it's just designed to warn you that you need to fix your hosts file. So I'm confused as to whether this is a different Trojan application or just a warning to fix your hosts file. Do you remember the exact words that Sophos used?

     

    I'd like to try one more time to read the hosts file...

     

    Launch the Terminal app (found in Applications/Utilities), copy and paste the following after the "$ " prompt:

     

         sudo cat /etc/hosts

     

    followed by the return key.

    You'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. Don't panic when you see that warning.

    Copy and paste the results (if any) here:

  • foxone12 Level 1 (0 points)

    Here's what Sophos Anti-Virus had to say:

     

    'Virus/Spyware' OSX/HostMod-A has been detected and listed in Quarantine Manager. 

     

    (This pops up more or less continually.  If I close it, the warning comes back almost immediately, whether I'm online or offline.)

     

    When I open the Quarantine Manager, I'm told:

     

    Threat:  OSX/HostMod-A

     

    Date:  Jun 22, 2012  21:45 and Jun 24, 2012 8:57

     

    Path and Filename:  /private/etc/hosts

     

    Action Available:  The threat cannot be cleaned up.  Please click the threat name above for manual instructions.

     

     

    On to the developing problem:

     

    When I open Terminal, there is no $ prompt. However I pasted sudo cat /etc/hosts anyway. Nothing happened. There was no request to sign in, as there had been in the past.

  • MadMacs0 Level 5 (4,555 points)

    foxone12 wrote:

     

    When I open Terminal, there is no $ prompt. However I pasted sudo cat /etc/hosts anyway. Nothing happened. There was no request to sign in, as there had been in the past.

    What kind of prompt was it? Is the title of the Terminal window "Terminal -- bash -- 80 x 24"?

     

    If there is no prompt at all, try opening a new window: Shell->New Window->Basic or Command-N.

     

    If the prompt is a "% " and the window title includes csh or tcsh it should still work.

  • MadMacs0 Level 5 (4,555 points)

    foxone12 wrote:

     

    Here's what Sophos Anti-Virus had to say:

     

    'Virus/Spyware' OSX/HostMod-A has been detected and listed in Quarantine Manager. 

     

    (This pops up more or less continually.  If I close it, the warning comes back almost immediately, whether I'm online or offline.)

     

    When I open the Quarantine Manager, I'm told:

     

    Threat:  OSX/HostMod-A

     

    Date:  Jun 22, 2012  21:45 and Jun 24, 2012 8:57

     

    Path and Filename:  /private/etc/hosts

     

    Action Available:  The threat cannot be cleaned up.  Please click the threat name above for manual instructions.

    And of course the manual instructions are not there. If you looked at the F-Secure article, at least they give you instructions, but you almost have to be a Unix expert to follow them.

     

    I've had Sophos running on my setup for the last couple of hours having modified my hosts file to look like the examples shown and have not been able to get a detection. I was able to verify that google.com URLs were redirected to a p*** site, so I know I have the correct IP addresses entered in the hosts file. So I'm still at a total loss as to what Sophos is looking for and now that you tell me you're getting continuous popups, I'm even more confused. Perhaps it has something to do with not being able to access the file and the permissions repair error you got (which I also have never seen before).

     

    I'm reasonably certain that a correct hosts file must be installed, so even if we are successful in deleting it, a replacement will have to be provided.

     

    Have you tried contacting Sophos Tech Support to at least find out what it's looking for?

  • foxone12 Level 1 (0 points)

    Went to Terminal and brought up a couple of new windows.  New Window - basic, etc.  Neither offered a prompt.  I will contact Sophos techs to see if there's a solution available.

     

    Meanwhile, I'll go back to my downloads and apps folders to check once again if there's an errant app lurking.

     

    Thanks for your help!  Sticky problem, to be sure.

  • MadMacs0 Level 5 (4,555 points)

    foxone12 wrote:

     

    'Virus/Spyware' OSX/HostMod-A has been detected and listed in Quarantine Manager.

     

    (This pops up more or less continually.  If I close it, the warning comes back almost immediately, whether I'm online or offline.)

    I had a thought about this. If you go to the Quarantine Manager, can you click on the Filename and use the "Clear from List" button to stop the continuous pop-ups? You will need to click on the lock and enter your admin password to make the button active.

  • foxone12 Level 1 (0 points)

    Nice idea and I tried it.  Yes, I can 'clear from list' and the clearing lasts a full five seconds before the virus/spyware is again detected and Sophos gets very excited to tell me about it.

     

    By the way, I have written to Sophos tech folks and they have acknowledged receipt, but it's only been an hour or so and they have not yet replied.
