Here's an interesting tactic by hijackers

DKSuddeth

I'm still not sure how this happened but I'm researching it.

I found that I couldn't get to one of my technical forums the other day. Going to the site brought up a user name and password window when it shouldn't have. Turns out that something replaced my hosts file with this...

Anyone else ever seen this before?
 
Yep, happened to me once before too! I forget which one, but it was a program that I installed. Obviously it was some kind of security or antivirus program but it was a long time ago.

Just be happy you're knowledgeable to know what a hosts file is, the average user wouldn't have a clue!

Whatever software does this (or malicious program) is trying to restrict you from certain sites. In your case it would appear something was/is trying to prevent you from visiting sites that may help you fix/cure problems with your machine.

If you haven't already, I would suggest running adaware or spybot!
 
I do run ad aware, however, I don't think ad aware repairs host files. I made sure that it won't ever happen again though.

I made my hosts file read-only.
 
Originally posted by DKSuddeth
I do run ad aware, however, I don't think ad aware repairs host files. I made sure that it won't ever happen again though.

I made my hosts file read-only.

Good choice. These bastards are getting pretty crafty at ways of screwing with machines lately.

Just an idea, you may want to invest in adaware pro. It comes with an extra component called 'adwatch' that will monitor your program live time and prevent malicious programs and websites from doing anything to your computer.
 
Originally posted by gop_jeff
For the not-quite-so-intelligent, what exactly are host files, and how would one make them read-only?

It's more or less like a local DNS server. When you type in www.yahoo.com for example, your machine will look at your hosts file to see if you have an entry for that site that points to a specific IP address. If you don't have an entry, it will use your ISP to resolve that hostname to an IP address and then contact the site. Hosts files will be more prominent within companies that can use them to point PCs to internal machines.

If I put 127.0.0.1 www.yahoo.com in your hosts file you would never again get to yahoo by typing in their name, it would resolve to your local PC instead of their actual site.
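
An added example, not part of any post in this thread: a small Python audit of the hosts-file behaviour described above. It flags a remapped localhost entry, names pointed at loopback or 0.0.0.0, and any override of a site on a watchlist; the sample file, the `.example` hostnames and the watchlist are constructed assumptions.

```python
import ipaddress

LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample, not the file from the thread.
SAMPLE = """\
# hosts file under review
127.0.0.0   localhost
127.0.0.1   av-vendor.example
127.0.0.2   www.av-vendor.example
127.0.0.3   forum.cleanup-help.example   # trailing comment
0.0.0.0     ads.tracker.example
192.0.2.10  intranet.corp.example
"""
WATCHLIST = ["av-vendor.example", "cleanup-help.example"]  # sites you rely on

def parse_hosts(text):
    """Yield (lineno, address, names) for each mapping line; skip comments and junk."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        yield lineno, addr, [n.lower().rstrip(".") for n in fields[1:]]

def audit_hosts(text, watchlist=()):
    """Return a list of (lineno, name, address, reason) findings."""
    watch = {w.lower() for w in watchlist}
    findings = []
    for lineno, addr, names in parse_hosts(text):
        sinkhole = addr.is_loopback or addr.is_unspecified
        for name in names:
            if name in LOCAL_NAMES:
                if str(addr) not in ("127.0.0.1", "::1"):
                    findings.append((lineno, name, str(addr), "localhost remapped"))
            elif any(name == w or name.endswith("." + w) for w in watch):
                # Any local override of a watched site deserves a look.
                findings.append((lineno, name, str(addr), "watched site overridden"))
            elif sinkhole:
                # Also how ad-blocking hosts files work, so treat as "review".
                findings.append((lineno, name, str(addr), "name sinkholed"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE, WATCHLIST):
        print("line %d: %s -> %s (%s)" % finding)
```

To audit a real machine, pass the text of the hosts file (on Windows, under `%SystemRoot%\System32\drivers\etc\hosts`) to `audit_hosts` with a watchlist of the security sites you actually use.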
 
A now common spyware technique. Easily prevented and cured though.
 
Spybot is a better program for spyware, and it's free.

Running any form of *nix OS cuts this stuff down to a minimal percentage of occurrence.

I still maintain all people need to learn a *nix OS just like driving a manual transmission and learning how to change a tire.
 
SE, you're talking about Cool Web. That sumbitch was really pissing me off before I got ahold of CWShredder. That damn spyware actually prevented download of that file from the site, I finally found a mirror that the hijacker program didn't block.

Yeah, Adaware is good, but you should use Spybot Search & Destroy too. A very cool feature to Spybot is that it will 'immunize' your computer so that it won't get reinfected again by placing bogus files so that the spyware thinks you're already infected and won't bother reinfecting your machine. Pretty nifty tactic.

It goes without saying, a firewall is mandatory these days. I use ZoneAlarm. It alerts me to 95% of the problems I've run across by asking me if a certain program can access the internet - and what good is spyware if it can't Phone Home?
 
