Spyware Doctor Displaying Something Fishy



#1 Elendil


Posted 19 June 2006 - 05:30 PM

After reformatting my computer (now it's Windows XP Pro... yey!), I installed various software of all types; games, security, etc. As some of you probably know, I've gone a little wild over the trial versions that never expire (Still can't decide between SpySweeper, Spyware Doctor, CounterSpy, or none). Currently, I'm using Spyware Doctor and it picked up 5 Possible Website HiJacks:

Infection Name                  Location                                                  Risk
Possible Website Hijack (1304)  127.0.0.1 freeware-ad.t35.com #[umaxsearch.com]           High
Possible Website Hijack (1305)  127.0.0.1 hkvn99.t35.com                                  High
Possible Website Hijack (1306)  127.0.0.1 spyware-re.t35.com #[umaxsearch.com]            High
Possible Website Hijack (1307)  127.0.0.1 ud7swe.t35.com #[W32.Dinoxi][W32/Style-A]       High
Possible Website Hijack (1308)  127.0.0.1 vbs.t35.com                                     High

Anyways, these appear to be HOST files and I have no clue where to locate them. Killbox is dittoly clueless. I use HOSTs Secures and the MS-MVP HOSTs protection thing (they give the same protection no? but I use both anyways). So, I'm wondering whether Spyware Doctor mistakenly marked these and whether or not they're false positives.

PS: Ewido Anti-Malware, Ad-Aware SE, Spybot S&D, and Windows Defender don't detect anything during complete/full system scans.
Stanford '14
B.S. Candidate | Computer Science


#2 Albert Frankenstein


Posted 19 June 2006 - 07:28 PM

There is a great tutorial on the hosts file found HERE.

Your hosts file can be found here:

C: > Windows > system32 > drivers > etc

Open it with Notepad.

BTW, 127.0.0.1 is the address of your computer. So if your hosts file has an entry like:

127.0.0.1 hkvn99.t35.com

That would mean your computer could not connect to the website hkvn99.t35.com as the browser would be directed to your own computer.
ALBERT FRANKENSTEIN
I'M SO SMART IT'S SCARY!


Currently home chillin' with the fam and my two dogs!


#3 Elendil


Posted 20 June 2006 - 09:36 AM

Thanks for the helpful link (Now that I think about it, isn't that one of the material packets in the HJT Study Hall?) and reply! But, just to double-check and make sure, Spyware Doctor was giving me a false positive and there's nothing to worry about right?

Side Note:

Incidentally, those five entries are listed consecutively exactly like this:

# [T]
127.0.0.1 freeware-ad.t35.com #[umaxsearch.com]
127.0.0.1 hkvn99.t35.com
127.0.0.1 spyware-re.t35.com #[umaxsearch.com]
127.0.0.1 ud7swe.t35.com #[W32.Dinoxi][W32/Style-A]
127.0.0.1 vbs.t35.com

(This was taken directly out of my HOSTS file without any alterations whatsoever, and I have no clue what the # [T] stands for; I just copied and pasted it out of my HOSTS file.)

Edited by Elendil, 20 June 2006 - 09:40 AM.

Stanford '14
B.S. Candidate | Computer Science

#4 Albert Frankenstein


Posted 20 June 2006 - 12:20 PM

isn't that one of the material packets in the HJT Study Hall?)

Yes it is.

I have no clue what the #

It should tell you right in your hosts file. At least mine does:


# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host


If you did not put those entries into your hosts file, then something else did. Seeing how the entries point back to 127.0.0.1 it would stand to reason that these entries were created to protect you from visiting these sites. But I don't know by what program, or why it is protecting you from these sites in the first place. Perhaps the program in question found a hijacker on your computer. It would not be a bad idea to run a HJT log and put it into the HJT forum to check it out.

BTW, your hosts file redirections show up in HJT as an O1 entry, however your entries won't show up in the scan as HJT ignores 127.0.0.1 entries.
ALBERT FRANKENSTEIN
I'M SO SMART IT'S SCARY!


Currently home chillin' with the fam and my two dogs!
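A small hosts-file audit in the spirit of the two replies above, added here as an example; it is not code from the thread or from any of the tools named. It builds a constructed sample hosts file from the entries quoted in this thread plus one made-up non-loopback line, and applies the same rule HijackThis applies to O1 entries: a hostname mapped to 127.0.0.1 (or another loopback/null address) is a blocklist entry, while a hostname sent to any other address is the case that deserves a look.

```python
import ipaddress

# Constructed sample modelled on the lines quoted in this thread, plus one
# non-loopback mapping (203.0.113.9 is a documentation address) added to show
# the kind of entry that should actually be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost

# [T]
127.0.0.1 freeware-ad.t35.com #[umaxsearch.com]
127.0.0.1 hkvn99.t35.com
127.0.0.1 spyware-re.t35.com #[umaxsearch.com]
127.0.0.1 ud7swe.t35.com #[W32.Dinoxi][W32/Style-A]
127.0.0.1 vbs.t35.com
203.0.113.9 www.example-bank.com   # constructed: a real site sent elsewhere
"""

# 0.0.0.0 is the other common "blackhole" target in blocklist-style hosts files;
# ipaddress does not treat it as loopback, so it is listed explicitly.
NULL_TARGETS = {"0.0.0.0"}


def parse_hosts(text):
    """Return (ip, [hostnames], comment) for each mapping line.

    Everything after '#' is a comment, as the hosts file header explains,
    so comment-only lines such as '# [T]' are skipped."""
    entries = []
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        parts = line.split()
        if not parts:
            continue
        entries.append((parts[0], parts[1:], comment.strip()))
    return entries


def classify(ip):
    """'blackhole' for loopback/null targets, 'redirect' for any other
    address, 'invalid' when the first field is not an IP address at all."""
    if ip in NULL_TARGETS:
        return "blackhole"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    return "blackhole" if addr.is_loopback else "redirect"


def audit_hosts(text):
    """Group hostnames by class; only 'redirect' (and 'invalid') need review."""
    report = {"blackhole": [], "redirect": [], "invalid": []}
    for ip, names, _ in parse_hosts(text):
        report[classify(ip)].extend(names)
    return report
```

Run against a real file, the five t35.com names from the thread land in the blackhole bucket together with localhost, and only the constructed redirect line is reported.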


#5 Harry83


Posted 20 June 2006 - 12:46 PM

If you did not put those entries into your hosts file, then something else did.

Well, he said he is using HOSTS Secure, which definitely replaces the hosts file with a modified one that enters the domains of known offenders and points them to your computer's address, killing malicious requests.

I don't use any of these programs but I would imagine the host file would be substantially longer than a couple entries when using one of these modified host files.

I use HOSTs Secures and the MS-MVP HOSTs protection thing (they give the same protection no? but I use both anyways).


Elendil, perhaps it is because you tried to use 2 different host file security programs that both modify your host...maybe it caused some sort of conflict, resulting in the current state of your Host file. I would suggest just using one of them.
--
Harry83
Liberating America From Spyware - 1 Computer at a time...

#6 Elendil


Posted 20 June 2006 - 01:09 PM

Interesting ideas, thank you both for your help and advice! I think I'll stick with HOSTs Secure because it is much quicker and easier to use :thumbsup:
Stanford '14
B.S. Candidate | Computer Science

#7 Albert Frankenstein


Posted 20 June 2006 - 02:04 PM

I would imagine the host file would be substantially longer than a couple entries when using one of these modified host files

That crossed my mind also. For instance, the host file that is available for download from http://www.mvps.org/winhelp2002/hosts.htm contains hundreds, perhaps thousands of entries, not just 5.

To view this hosts file in text format, click HERE.

Edited by Albert Frankenstein, 20 June 2006 - 02:08 PM.

ALBERT FRANKENSTEIN
I'M SO SMART IT'S SCARY!


Currently home chillin' with the fam and my two dogs!


#8 Elendil


Posted 21 June 2006 - 01:37 PM

Oh no, those 5 weren't the only sites in my HOSTs files... there were thousands at the very least.
Stanford '14
B.S. Candidate | Computer Science

#9 Harry83


Posted 21 June 2006 - 02:52 PM

Oh no, those 5 weren't the only sites in my HOSTs files... there were thousands at the very least.

Okay now that makes a little more sense...For some reason I was under a different impression from your posts.

Just stick with one host file security program and see if Spyware Doctor detects anything...if it does I'll download the modified host you are using, and see if my registered version of Spyware Doctor detects anything...then we'll know for sure if it's just false positives or not...
--
Harry83
Liberating America From Spyware - 1 Computer at a time...

#10 Elendil


Posted 21 June 2006 - 04:14 PM

Still detects it.... which is bugging me because none of the four freeware scanners or Kaspersky's Online Scanning detect anything wrong with my computer.
Stanford '14
B.S. Candidate | Computer Science

#11 Elendil


Posted 21 June 2006 - 04:18 PM

(This was taken directly out of my HOSTS file without any alterations whatsoever, and I have no clue what the # [T] stands for; I just copied and pasted it out of my HOSTS file.)


Ah... this was probably what gave both of you the impression that those were the only ones in my HOSTS file, along with a similar comment in my first post. My apologies; to better phrase it, my previous post should say something like this:

Those five were taken out of a small section in my HOST files without altering the order of them whatsoever...
Stanford '14
B.S. Candidate | Computer Science

#12 Harry83


Posted 21 June 2006 - 04:37 PM

Well I tried to install Hosts secure to check it out for you but alas, access to my Host file was denied...looks like one of the programs I use is protecting it and I didn't feel like messing with it haha...
--
Harry83
Liberating America From Spyware - 1 Computer at a time...

#13 Elendil


Posted 21 June 2006 - 07:31 PM

:thumbsup: No problem, I feel safe enough to ignore this incident. After all, I just reformatted my computer, and right after its first bootup I set to work securing it.
Stanford '14
B.S. Candidate | Computer Science
