Host File Modification


  • This topic is locked

#1 boblob

Posted 23 July 2007 - 03:36 PM

Hi, apologies if this is an old chestnut, but my Kaspersky anti-virus recently started to ping up a warning about my host file being modified. Have been through the whole ad-aware/spybot/stinger routine, but am drawing a blank as to what this is. HiJackThis dump as attached (particularly interested in the "O1 - Hosts: 76.23.177.12 paypal.com" modifications). I'd be extremely grateful if anyone can help me out here.


#2 SifuMike

Posted 30 July 2007 - 05:54 PM

Hello boblob,

Welcome to the BleepingComputer Forums.


Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know.
There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

(particularly interested in the "O1 - Hosts: 76.23.177.12 paypal.com" modifications).


I did a whois on 76.23.177.12 and found it is Comcast Cable Communications in Mt Laurel, NJ.

(Asked whois.arin.net:43 about +76.23.177.12)

OrgName: Comcast Cable Communications Inc.
OrgID: CMCS
Address: 1800 Bishops Gate Blvd
City: Mt Laurel
StateProv: NJ
PostalCode: 08054
Country: US
NetRange: 76.16.0.0 - 76.31.255.255





So every time you enter www.paypal.com it is redirected to Comcast Cable Communications in Mt Laurel, NJ.

The same with these:
my.screenname.aol.com
webmail.aol.com
yahoo.com
www.yahoo.com
mail.yahoo.com
www.gmail.com
gmail.com

They are all being redirected to Comcast Cable Communications in Mt Laurel, NJ.

Is Comcast Cable Communications in Mt Laurel, NJ your Internet Provider?


If Comcast Cable Communications in Mt Laurel, NJ is NOT your Internet Provider then
download the HostsXpert Here
http://www.funkytoad.com/download/HostsXpert.zip

Unzip HostsXpert to your desktop

Open up the HostsXpert program.

* Make sure that the "make hosts writable?" button in the upper left corner is enabled.
* Click back up Host files
* then click "Restore MS Hosts File"
* close program

Since it has been a few days, please post a new HijackThis log.
Please do not attach the log, just post it.

Edited by SifuMike, 30 July 2007 - 06:26 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
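
Added example, not part of any post in this thread: a Python sketch of the check behind the diagnosis above, listing host names that a hosts file (or HijackThis "O1 - Hosts:" log lines) pins to an address that is neither loopback nor 0.0.0.0. The sample input is constructed; only the address and host names quoted in the thread come from the page, and `parse_entries` and `redirected` are names chosen for this example.

```python
import ipaddress

# Constructed sample: hosts-file lines plus one HijackThis-style "O1 - Hosts:" line.
# The address and the redirected host names are the ones quoted in the thread.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.test   # blocklist-style entry
76.23.177.12    paypal.com
76.23.177.12    yahoo.com www.yahoo.com   # two names on one line
O1 - Hosts: 76.23.177.12 gmail.com
not-an-ip       broken.example.test
"""

O1_PREFIX = "O1 - Hosts:"


def parse_entries(text):
    """Yield (address, hostname) pairs from hosts-file or O1 log lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(O1_PREFIX):
            line = line[len(O1_PREFIX):]
        line = line.split("#", 1)[0].strip()    # drop full-line and inline comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address field, skip
        for name in fields[1:]:                 # one address may carry several names
            yield addr, name.lower().rstrip(".")


def redirected(text):
    """Return {hostname: address} for names pinned to a non-local address."""
    hits = {}
    for addr, name in parse_entries(text):
        if addr.is_loopback or addr.is_unspecified:
            continue                            # localhost and sinkhole entries
        hits[name] = str(addr)                  # everything else needs a human look
    return hits


if __name__ == "__main__":
    for name, addr in sorted(redirected(SAMPLE).items()):
        print(f"{addr:15}  {name}")
```

Entries for private intranet addresses are reported too, since the script cannot tell a legitimate internal mapping from a redirect; each hit still needs the whois-style check shown in the post.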

#3 boblob

Posted 31 July 2007 - 04:07 AM

Thanks for the reply. It turned out to be one of the many IRC trojans out there. Fixed now.

#4 SifuMike

Posted 31 July 2007 - 11:08 AM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.