[needafix]

Does anyone know any specific badware that could open and edit the hosts file when it is hidden and read only and then put it back to hidden and read only?

Plus, the first L in 127.0.0.1 localhost was changed to one of those spacer symbols that you see in .dll files as they appear between almost every character in .dll's. The lowercase l and that symbol is identical.

I put it back to normal l but I used a capital L in Localhost in the hopes this won't slip by again but does anyone know what effect would be gained by doing that to the word localhost? Make the hosts file useless?

I know about the the L and the I replacement trick but this is the first time I caught it being used on 127.0.0.1 localhost.

Also, is there any font that actually makes a visible difference between I's and L's?

It would be handy to switch to that font when needed as a counter weapon.

[hewee]

Spybot - Search & Destroy and Ad-Aware and others can find things in the hosts file that are false but will come up on a scan and it will want to delete them.
I ran test a long time ago and even having the hosts file locked and read only they was still getting to them and deleting sites from it.
It was after I got WinPatrol that I found out what was going on because it will alert you of changes and it was coming up after running scans and doing what it said.
On the test Zone Alarm Pro was the only program I had that locked the hosts file and no other program could get to it and delete anything from it.

Ad-Aware found these...
Family Id: 563 Name: Redirected hostfile entry Category: Misc TAI:4
Item Id: 500000134 Value: IP Address: 127.0.0.1 Host Name: CLKOPTIMIZER.COM
Item Id: 500000137 Value: IP Address: 127.0.0.1 Host Name: SMARTESTSEARCH.COM
Item Id: 500000139 Value: IP Address: 127.0.0.1 Host Name: SCUMWARE-REMOVER.ORG
Item Id: 500000417 Value: IP Address: 127.0.0.1 Host Name: AWAPS.NET
Item Id: 500001832 Value: IP Address: 127.0.0.1 Host Name: WWW.YAHOO.COM

But all those site are sites I have and want in my host file so this is false.

Get WinPatrol and then your find out what is going on. It is a great program to have so I would get it any way. It will also make a backup of the hosts file. Then after doing a scan with a program and you get things found that say "Redirected hostfile entry" your know they are talking about the hosts file.

http://www.winpatrol.com/

But you don't know if other are really adding sites to the hosts file that should not and with WinPatrol you know anytime the hosts file changes so if you have not updated it or ran a scan to clean anything from it then your know something else is going on that you need to find out just what it is.

[needafix]

Hi hewee, good to see you're still hanging around.

No type of software I have free or paid even when upated doesn't find anything wrong but yet I KNOW something is wrong. I even considered purposely infecting a computer to prove that something behind the scenes with detection software just isn't right now days.

I quit using Ad-Aware because it refuses to update the definitions even if uninstalled and done over again new. I added a pic, it takes all of two seconds to get to 5% and dies and it's been like that over a year.

The connection wants to go to 82.99.19.110 at download.lavasoft.de and I don't have it blocked in any way. It's even OK in/out in the firewall too.

Most ware will report all redirections but not the ones listing 127.0.0.1 so that is suspicious of Ad-Aware and it is just one more instance to make me suspicious that the program is not in control of itself since I've never seen it report a 127.0.0.1 listing. The redirections that are in all my reports (including HiJack This) are the ones I put there with the proper ip address like:

209.183.226.152 forums.techguy.org
69.147.112.160 login.yahoo.com
74.125.45.100 google.com
192.149.252.76 arin.net
202.12.29.3 wq.apnic.net
193.0.19.25 ripe.net

I been using WinPatrol Plus for about 4 years, it finds nothing wrong except acceptable changes.

The real nasty is Trend Micro CWShredder. In my opinion for some reason after they got it from Merijn turned it into uselessware.

From my experience it no longer removes CWS but it will constantly detect it, report that it removed it, over and over again. It's nothing. When Merijn controlled it, and if CWS interfered with CWShredder doing its job, CWShredder would restart under a random/scrambled file name and continue to remove CWS. It no longer does that and what this program says that it did it no longer does because instead of fighting back it just keeps removing it over and over and that's meaningless.

The second beef with that is that it will report that it removed hosts file redirections. Lol. Not on my comp it won't because that file is hidden and read only and guarded by software to prevent its editing but the program will say it removed parts of it so that is the second false thing since it doesn't remove CWS or remove parts of the hosts file. It least not on any of my comps anyway.

I quit using ZAF and ZAP because my computer problems only increased since somehow that program is turned on and off and settings changed in it from the outside at that time but I havent used it in a couple years.

I switched to Sygate 5.6 which is free and all that malicious stuff stopped dead in its tracks. That is another program that actually works, was bought up by BigWare then 3 months later taken out of circulation.

So that is the 2nd piece of software that was gobble up by BigWare and no longer functions.

I think some interest out there does not want this functional stuff out there. Why I don't know.

I think there is a method going on of a person being in a persons computer in real time without their knowledge in order to make all the changes to locked files, edit them, put them back and all these other things and whatever this method is isn't yet detected or in my opinion is purposely not detected even if these interests were order to program their software to ignore it.

I think it is a back door in Windows and since the activity is malicious I would suspect the Chinese since the past year or so they have been having a heavy assault on US computers/networks. It could even be our own government spying and putting a malicious slant on things while they are in the system as a misdirection that way people would be looking at or looking for badware instead of a back door. That would explain to me why detection software in my opinion is an open failure and firewalls are so easily bent out of shape and why good and functional programs disappear.

Each of those items in itself doesn't mean much but when they are all put together in the span of a year or two it really looks like there is something more going on than meets the eye.

[hewee]

Yea still around. Good to see you also,

Well you can not get update on the free Ad-Aware SE anymore. They stopped that a long time ago. Then the manual update stopped working in May.

OK good you got WinPatrol so know when the hosts file changes and they are acceptable changes you know about.

Yes the CWShredder was what was deleting from the hosts file all the time and they way they listed things I did not know till after I got WinPatrol and that was when I ran the test.

I don't run CWShredder any more and one reason is it never found anything or never found anything after I found out it was deleted sites from the hosts file.
If you know your hosts file is all good and nothing bad is listed in it then disable it and do a scan and it will not scan the hosts file. That way your know if it comes up with the same things it is not from the hosts file but some place else. Like maybe the IE zones that get blocked but they are all listed in the registry.

The sites you listed are all good sites too are they not?
So why the redirections of the sites?

When you have the program removed hosts file redirections does WinPatrol pop up to alert you of changes?
Zone Alarm in test I made was the only way I could lock the host file. Other programs that locked it what was found to be removed it removed all or part from the hosts file still. Like spybot would remove some but then say it has to reboot the computer to remove the other but it still did not remove all the things it listed in the hosts file. Plus it was just the hosts file so it should not of had to reboot. Now if it was in the registry then I think it would do it on a reboot but it was the hosts file.

I guess your using windows 98 and that is why you got Ad-Aware SE still? On my old PC with 98 I got ZA still but it is the old version 4.x still that I have not upgraded but it still does it job. After some updates or upgrades of programs I may have to go into ZA program tab and delete like A2, firfox etc and lower the slider setting because somehow a component was not given rights on the newer version. But then with the slider setting to learning mode I open the A2 or what ever program and it gets added back to ZA again with the rights it needs. Then I turn the setting back up as high as they can go again.

I use Online Armor 2.x om my new XP Pro computer and it works great and has top rating too. I got the paid version I won from them and after the year is up I think I will pay to keep the paid version.

Yea the NSA checks everything from everyone. Comcast says they are not spying on us but I have done trace a trace many times over the years and after 9/11/2001 when they started the spying I know they started doing it with comcast. A trace shows it going down to the easy bay where they have there place and then back here again when before they started the spying it never went down there. Or if it did it did not come back up here again and go back down there.

Do you have a router? If not I would get one because it really help protect you by hiding your computer.
Have you run the Shields UP! test. http://www.grc.com/x/ne.dll?bh0bkyd2
What do you get from the test?
All ports should be close and better yet you should be "Stealth" on all ports. Do the "common ports" and "all service ports". Then do the other test on that menu bar also.

You know in a way there is a redirection of 209.183.226.152 because you got forums.techguy.org listed but do a search look up on 209.183.226.152 http://whois.domaintools.com/209.183.226.152 and it list only www.techguy.org. But look at your cookies and to get here to the fourm you still need www.techguy.org because that is where most of the sites cookes come from like user name, password etc. I think you could even block all cookies from "forums.techguy.org" and still get here ok and login and post. Your lose some board setting
But do a "Whois Lookup:" at http://www.domaintools.com/ and all those sites seem to check out ok. Google has Resolve Host: yx-in-f100.google.com but they have just the google and all there other sites link together.
Even here it say...
Resolve Host: www.techguy.org
Everyone you listed if you seach the IP address your also see a Resolve Host: listed. But darn you would have that at so many other sites too.

Can you post the scan or scans your getting that are showing these things?

[needafix]

I put sites and their IP addresses in my host file to save the DNS hangup so if I have them there it's directions. Its just the other software that says they are redirections.

The comp checks the hosts file first so if Yahoo is listed with its IP address it will send the info directly to that IP address instead of doing a DNS to resolve a hostname into an IP address. Domain names mean something to us but not to computers since they only comminicate by IP address and without that there's no internet. Like the function of your phone number.

My host file has 25,874 lines and all but about 10 of them are redirections, whatever all that trash is redirected to 127.0.0.1 lol.

It lists our directions as redirections because the IP's for popularly used sites aren't programmed into the software.

So you do this:

127.0.0.1 WWW.YAHOO.COM

and I do this:

69.147.112.160 login.yahoo.com

but yet the software will tell us both that they are redirects because "Yahoo" is programmed into the software as an alert on a hosts file entry but not Yahoo's IP address.

You can get the last known Merijn version of CWShredder v1.59.1 at Major Geeks. It works too. I think he should start again, different code, same functions, keep it updated.

You can right click on your hosts file and select properties then checkmark "hidden" and "read only." Then when you want to edit it just uncheck "read only."

My beef is that something or someone bypassed that and edited it and if they didn't bypass it they just did the same I said, change the settings then put them back.

Actually, if your hosts file has been maliciously altered it could be too late before some software finds the changes but WinPatrol at least lets you set it to monitor anywhere between in real time and 30 minutes.

Strangely enough, I have WinPatrol set to monitor the hosts file and critical system files in real time but it never tells my my hosts file has changed. Why it can't open it and look at it and compare it to whatever it uses I don't know. I grew bored of WinPatrol and turn it on about once a day now.

I'm still stuck using WinMe. It keeps getting out of compatibility date as time passes but it does what I need it to do. Ad-Aware SE works on it but the definitions never update. It never found anything but MRU's anyway so I'm not missing much.

I don't use a router. Other than a machine name given me by ISP's over the years I been invisible on the SheildsUp tests. That doesn't stop them from pounding your comp with packets and your ISP is more than happy to pass them along to you. I can be bombarded by Chinese IP addresses the second that I log on so that only means they are targeting all IP addresses in perpetuity and just waiting for someone to log on and be assigned that IP by their ISP.

Imagine the amount of packets dropped every day by ISP's as undeliverable but they forward that trash to you the second they assign you an IP. It's almost criminal because they enable them.

[Kenny94]

Here's a tool that will you help tinker with your hosts file. It's Standalone program. Read more at:


http://www.softpedia.com/progDownloa...oad-27041.html


I use it to Restore MS Hosts File with a user, but does a lot more.

[hewee]

Well I did not know you added the redirections to the hosts file.
If the scans are find just the ones you added then add it to the white list or ignore list so it well not bring then up again on a scan.

Like I said in test the only thing that worked on locking the hosts file was Zone Alarm Pro. All other programs failed and doing the read-only failed also. I think the read-only fails because it does not edit that file but a new one is made with the changes so it get around the read-only.

The WinPatrol alert on changes in real time should pop up right away but for me Scotty has not popped up right away in a very long time. Like version 9 or 10 was the last version that it popped up right away. Then after that if you made changes to the hosts file it would take a long time to pop up. I could make scotty pop up at times by opening WinPatrol and clicking the tabs and then the alert would pop up. But that is not something we should have to do but for me it can bring up the alert.

I don't use CWShredder any more.

You need to keep WinPatrol running all the time so keep in in the startup so it starts at bootup.

Your not going to get any more updates on Ad-Aware SE. But like you all I ever get from scans are MRU's and now and then redirections in the hosts file that are false.

You should get a router. It acts as a hardware firewall but also hides your computer. But it will stop all the hits from pings etc from getting to your computer.
When I got cable I started to see some added hits that Zone Alarm was alerting me on but then started getting 1000's a day and so was a whole lot of others at comcast. Checking the IP address it seem most was from comcast IP address all over the USA and then Chinese IP addresses also.
I waited for then to fix it but after a month or so I went and got a router and that put a stop to it.

http://www.mvps.org/winhelp2002/hosts.htm

Your see hosts file managers.
I use Hostsman but HostsXpert is also a good one and you get a no install version so check it out.
They are great at back up and restore and checks that you done have duplicates.
I used 4 hosts files on mine that I update all tru hostsman and I think HostsXpert lets you have more then one also.
On Spybot - Search & Destroy do not use there host file. It has never been any good. So turn that off.

May want to look at this too. How do I lock the HOSTS file to prevent other users from changing it?

Note what it also says...

Quote:

Steve C sends along this tip: ZoneAlarm Pro includes an option (in the "Firewall" section, "Main" tab, "Advanced" button) to "Lock host file", which seems to give extremely effective protection to the HOSTS file.

Editors Note: "locking" the HOSTS file does not prevent most applications from either deleting the file or editing the contents. It does add a Layer of Protection, but it is not the ultimate solution. In any case you should always have a backup copy of the file handy in case of any unwanted changes.

So I was right in all my test.
I forget just what came up from Zone Alarm but it was something that keep it from finding or getting to the hosts file in the first place.

So keep hosts file backups. Hostsman keeps all backup you make with dates so you can have many of them.

Then get a router to stop all that junk from hitting your computer. You be glad you got it once you start using it.
You just need to install the router and you do not have to install the software that comes with it.
But you need to renew your IP address when you add or take away a router.
http://www.pctechbytes.com/ip.htm

Then I think your Firewall will also see a new Network with the router added so you have to OK it. Then I think if it does not do it for you add it to the trust zone. It needs to be in the trust zone so when you ISP renews your IP address it will not get blocked. Then your wonder why you can't get online because your IP was not renewed.

[Kenny94]

Quote:

The WinPatrol alert on changes in real time should pop up right away but for me Scotty has not popped up right away in a very long time. Like version 9 or 10 was the last version that it popped up right away.

Yeah me too Frank! I guess Scotty was looking for a bone or taking a nap at that time..

[hewee]

What is odd on my XP Pro is I still can have the delay in Scotty popping up buy in the User account he does not bark but the Admin account he does bark.
I wish he add the sound file so you can pick it from the sounds options in the control panel. You can change the sounds if you don't want Scotty bark, but you can not pick the Scotty bark because he has that build in the program some where.

[needafix]

Have you ever used:

http://www.mynetwatchman.com/about.asp

It sends in your firewall logs regularly and compiles them from thousands of other users around the world to put the finger on badware users/perptrators/companies/IP addresses/servers.

This was good for me for about a year in order to give me a line and what the IP's were interested in on my comp.

After that I quit using it because every day for weeks, months and years it was the same old companies and servers who were the perpetrators or the enablers.

With enough hits, that function on that site sends an inquiry to the server/host (probably abuse@) in question but only a few reply (publicly posted too) saying that they informed the computer owner of this or they have discontinued their service until the comp has been disinfected.

The major players in this evil never respond or shut anything down and they been at the top of the list for years and years.

Once in a while I'll go log in just to see the recent who's who and nothing has really changed.

Owners of IP addresses are not responsible for the malicious use or spoofing of their IP's, they know that, which is why this goes on in perpetuity, the endless infection and hacking of the internet and those doing the infecting are only very rarely, veeeery rarely busted.

It's like a symbiotic relationship between them and their ISP. If the IP owner was a criminal they could easily set their criminal freinds up with IP's to use later on through a dozen freaking proxies and no one has any liability for the trillions of dollars in damags this has done to the world.

At some point, they will be made legally resonsible for what goes on under the guise of the IP addresses they own, especially if it is perpetual evil, or, major laws will be enacted to force them to stop this at their servers because the internet cannot survive the way it is.

After doing this so long the guy that runs that site must by now have massive records of who is who in the malicious internet underworld.

I could get on a plane and go to China or any other top 10 malicious internet countries and then point at the front door of the office of that server and say here they are, it's global public knowledge, they don't care, are they in on it, what's their cut? Then walk down the street and point my finger at the front door of the office of government and say here they are, it's global public knowledge, they don't care, are they in on it, what's their cut?

[hewee]

No never send in my firewall log. But once you get a router you will not have anything in your firewall but things that you know about because you did something like new software, upgraded software etc.

I see that chinanet.cn.net is at the top and I remember getting hits from there all the time before getting a router.

[needafix]

The firewall logs in this case only send in what was blocked and not a list of everywhere you went on the internet.

You said you use ZAP. Look in your "internet logs" folder and you will see that it only contains the blocked connections and not a record of your internet travels.

I never would have participated if I as exposing a complete history.

To the best of my knowledge ZAF and ZAP only log blocked requests/attempts.

Between the IP's and the ports they target they put me on to a lot of things to look for and get rid of and that was successful until I had shut it out completely.

[hewee]

I know you was only taking about the block logs.
Now ZAP I have seen the logs many times and they never got that big or never did after I got a router.
Now maybe it could get bigger if you changed your setting around and it did let you pick what to alert you on and what to log but I picked HIGH or high only. So all other things that are low or med it does not log.No need to log added things. Like pings from site you go to that I blocked from the start and who know what else.
I even used the custom blocking in ZA Pro.
From another site.

Quote:

ZoneAlarm Pro Firewall, Increasing security in the ZA firewall

A friend at another forum I frequent wrote these tips for me to help me increase the security of my ZoneAlarm Pro firewall, and so I am thinking that some of you guys might find it usefull as it turns the humble ZoneAlarm Pro into a force to be reckoned with. Actually, I think it was written not just for me, but for anyone (newbie or advanced computer user who hasn't tried this firewall before - but if you already run it and have yours configured the way you want it then you may not want to make any changes.

Configuring The Standard Settings

Launch ZoneAlarm Pro and click to highlight the "Overview" tab on the left hand side . In the pane that appears on the right hand side click the "Preferences" tab and in the section "Check for updates" check "Manually".
In the "General" section you can also configure ZoneAlarm to load at start up which is advisable because this software is your first line defence against uninvited invasion of your computer by a whole gamult of virues,trojans,spyware, adware and bots! Virus checking software does have its place but remember that prevention is always better than cure!

ZoneAlarm Pro's program control is automatically configured. When you run it for the first time it will ask on behalf of programs installed on your system for permission to access the Internet. Your Browser will be the first to request - just tick the "Yes" box and the "Remember this setting" box and ZoneAlarm will always allow your browser access automatically.

Unless you use online databases etc., there should be no reason for any application other than a browser, email client, ftp client, streaming media player or a download manager to gain access to the Internet.

So consider what type of program it is that needs Internet access before giving ZoneAlarm permission to allow it. If it is just a driver file (.DLL) that requests Internet access, always search Windows to try and identify it. Many seudo-virii such as AdWare and sub class seven Trojans access the Internet from your system using .dll files.


Configuring The Advanced Settings

(Note) If you are NOT on a LAN (connected to another computer in a network) you can use the following section of this guide to give your firewall some real muscle....

Launch ZoneAlarm Pro and click to highlight the "Firewall" tab on the left hand side . In the pane that appears on the right hand side in the section "Internet Zone Security" set the slider control to "High"
Then click the "Custom" button in the same section.
The next settings page is divided into two sections with tabs Internet Zone and Trusted Zone at the top of the page. Under the Internet Zone tab there is a list of settings that can be accessed by scrolling. At the top is the high security settings and the only thing that should check from there is "allow broadcast/multicast". The rest should be unchecked
Scroll down until you get to the medium security settings area. Check all the boxes in this section until you get to "Block Incomming UDP Ports". When you check that you will be asked to supply a list of ports, and in the field at the bottom of the page enter
1-65535
Then go back to the list and check the box alongside "Block Outgoing UDP Ports" and at the bottom of the page enter
1-19, 22-79, 82-7999, 8082-65535
Repeat this proceedure for the following settings
"Block Incomming TCP Ports": 1-65535
"Block Outgoing TCP Ports": 1-19, 22-79, 82-7999, 8082-65535
Then click "Apply", "Ok" at the bottom of the page.

Back in the right hand "Firewall" pane go next to the yellow "Trusted Zone Security" section and set it to "high" with the slider. Click "Custom" and repeat the above proceedure this time choosing the Trusted Zone tab at the top of the settings page.

These settings will stop all incoming packets at ports 1-65535 and also block all pings, trojans etc... this will also stop all spyware or applications from phoning home from your drive without your knowledge!

(Not sure but these tips may work with the *Freeware* version of ZA also. You would just have to try it and see.)

These tips helped me a lot, so maybe, they may be of use to someone here at the forum or someone who visits here.

[needafix]

I use dialup so I would not know what kind of router to hook up to that since I never looked into it and the routers I have seen have ethernet card plugs instead of regular phone plugs.

I have a second comp that needs a monitor so this may be an interesting project, using it as a router/firewall:

http://www.freesco.org/index.php?id=o

Then I assume that I would just need a 9 pin to 9 pin cable to hook them together.

[hewee]

You poor guy Sorry you don't have cable. Can you get high speed?
Not sure if you can hook up a router unless your dial up modem is External then maybe you can but really don't know.

So would that be so you hook up tru another computer Ethernet card to your computer Ethernet card and you can then have a router added and the modem in the other firewall computer?