Help - Blocked Sites


Rich111
September 11th, 2003, 08:39 PM
Hello there, I have a very bad problem which I cannot solve.

After installing some of the programs from your site, such as Sygate, TDS-3 and SpywareBlaster, and testing them, I have found a LOAD of sites have been blocked???!

Some of these include www.mcafee.com, www.symantec.com, www.grisoft.com, www.f-secure.com and many many more!
I can no longer update my McAfee anti-virus because of this problem.

I checked internet options - no.

I uninstalled all the programs I got from your site.
I disabled my firewall.
I used mozilla to find the same problem.
I did windows restore.

Can someone please help... has 1 of these spyware programs done this???

It's so annoying - a tonne of sites blocked

LowWaterMark
September 11th, 2003, 08:45 PM
Hi Rich,

How exactly are they blocked - what I mean is, what error or message do you get that shows that you can't get to them? Is it that the web pages in your browser are now all blank? Or, is there a pop-up message that says the site hasn't responded, or maybe it times out...

Anything at all you can tell us to further describe the problem may help point us in the right direction. There are a lot of different options for fighting a problem like this, but, narrowing it down will help a real lot.

Thanks.

meneer
September 12th, 2003, 02:47 AM
I once had this problem too. It seemed that the hosts file was manipulated; all sites in that file are blocked.

LowWaterMark
September 12th, 2003, 02:51 AM
Yes, that is certainly one possibility (i.e. the hosts file, and a likely one) except for the fact that most good security packages (which is what Rich said he loaded) don't block good security sites. Usually, it's a hijack of some sort or spyware. It'd still be nice to hear exactly how these things are being blocked (what is being seen, any errors or messages, blank windows - a description of what the overall actual effect is that is being seen on the system).

We need more information. :-\

Rickster
September 12th, 2003, 04:00 AM
Hi Rich111, I got the impression you loaded all these programs the same day. My XP had a similar problem with SpywareBlaster. Had to unload, do system restore, plus clean re-install on AV to restore the update engine. In your case it may not be SWB's fault because you loaded several programs.

Any program can have conflicts, so it's important to try one program at a time and run the system through its paces before moving on. If restore hasn't helped, someone here might help with your hosts file. My solution was a novice means.

Regards, Rickster.

Rich111
September 12th, 2003, 04:37 AM
Hi all thanks for your replies but still no luck.

I did uninstall and set back the changes made by the programs I used (which were TDS-3, SpywareBlaster, Sygate Firewall Pro and Spybot).
But still I cannot access these sites.

It occurred to me I have a virus because all these sites blocked are security related...

http://www.entertheportal.com/Pics/Error_01.jpg <-When I type in the address.
http://www.entertheportal.com/Pics/Error_02.jpg <- When I click on the address from, say, Yahoo.
http://www.entertheportal.com/Pics/Error_03.jpg <- When I use mozilla

Pieter_Arntz
September 12th, 2003, 04:41 AM
Let's start at the most logical place, the hosts file.

It can be found here:
Windows 95/98/Me: c:\windows\hosts
Windows NT/2000: c:\winnt\system32\drivers\etc\hosts
Windows XP: c:\windows\system32\drivers\etc\hosts

Locate the file, rename it to hosts.bak and see if that helped.

Regards,

Pieter

Rich111
September 12th, 2003, 04:57 AM
Thanks a lot, I renamed it and it worked ;D

Pieter_Arntz
September 12th, 2003, 05:33 AM
That's good, but I think it would be wise to establish what changed that file. It may have done more.

Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
Unzip, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log as a .txt file, and copy and paste its contents into your next post.

Most of what it lists will be harmless, so do not fix anything yet.

Could you also please mail a copy of that hosts file to the address in my profile?

Regards,

Pieter

Rich111
September 12th, 2003, 08:55 AM
Logfile of HijackThis v1.97.2
Scan saved at 13:54:58, on 12/09/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
D:\Program Files\ISS\BlackICE\blackd.exe
D:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
D:\Program Files\Eset\nod32krn.exe
D:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
D:\Program Files\Analog Devices\SoundMAX\SMTray.exe
D:\Program Files\Messenger Plus! 2\MsgPlus.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\ICQPlus\vplus.exe
D:\Program Files\ISS\BlackICE\blackice.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\WINDOWS\system32\ntvdm.exe
D:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
D:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
D:\Program Files\Winamp\winamp.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Kazaa Lite\kazaalite.kpp
D:\Documents and Settings\Richard\Desktop\Security\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - D:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Smapp] D:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Tau Monitor] C:\Program Files\Agnitum\Tauscan 1.6\Taumon.exe
O4 - HKLM\..\Run: [Hacker Eliminator] C:\Program Files\Hacker Eliminator\HackerEliminator.exe
O4 - HKLM\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ICQ Plus] "D:\Program Files\ICQPlus\vplus.exe"
O4 - HKCU\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [STYLEXP] D:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: BlackICE PC Protection.lnk = D:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37811.6869560185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E133B0D0-E290-46FF-AD30-21352A3FEDF8}: NameServer = 158.43.240.3 158.43.240.4

Pieter_Arntz
September 12th, 2003, 09:26 AM
Hi Rich111,

Apart from a visit due at Windows Update that looks good to me.

I take it nothing has tried to create a new hosts file so far?

Regards,

Pieter

Rich111
September 12th, 2003, 09:38 AM
Nope, nothing has attempted to make a new hosts file...i wonder what did it in the first place...

Thanks again Pieter

Pieter_Arntz
September 12th, 2003, 09:45 AM
Quoting Rich111:
    ...i wonder what did it in the first place...

Me too. I'm afraid that if this was done on purpose, you won't be the last one.

Regards,

Pieter

Jooske
September 12th, 2003, 09:56 AM
That imon.dll missing, shouldn't that be fixed?

Pieter_Arntz
September 12th, 2003, 10:01 AM
Hi Jooske,

Well spotted, but no. HijackThis can't find it because the path is not specified, but imon.dll is there and Windows can find it, so everything works fine even though you would suspect otherwise.

Regards,

Pieter

Pieter_Arntz
September 12th, 2003, 04:07 PM
Hi Rich111,

I had a look at your hosts file and I'm even more shocked. There are more security related sites being blocked in there than I knew existed. :o

a short summary:
mcafee, centralcommand, sygate, wingate.deerfield, moosoft, kaspersky, tinysoftware, zonelabs, zonealarm, winproxy, proxyplus, signal9, consealfirewall, avirt, wyvernworks, agnitum, jammer, sysinternals, symantec, trendmicro, vil.nai, norman, fsecure, quickheal, alwil, esafe, nod32 and many more.
Not only the www. addresses, but ftp., update., download and support. as well.

Unfortunately no clue as to where it came from.

Regards,

Pieter

Rich111
September 12th, 2003, 04:37 PM
Done some looking up on this strange thing and found it may be W95.MTX ? http://www.symantec.com/avcenter/venc/data/w95.mtx.html

Only thing is I never open attachments from people I don't know... especially .SCR or .PIF!

Pieter_Arntz
September 12th, 2003, 04:53 PM
Hmmm. And I found one person with the same hosts file in the Google groups (http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=utf-8&threadm=3b43835b.0302020938.269fdab1%40posting.google.com&rnum=1&prev=/groups%3Fq%3Dhosts%2B127.0.0.1%2Bdownload.mcafee.com%2Bwww.download.mcafee.com%2Bftp.download.mcafee.com%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3Dutf-8%26selm%3D3b43835b.0302020938.269fdab1%2540posting.google.com%26rnum%3D1)

Regards,

Pieter

meneer
September 12th, 2003, 05:18 PM
Quoting Pieter_Arntz:
    Hmmm. And I found one person with the same hosts file in the Google groups.

So, there are at least 3 known host manipulations :)
I don't know when this happened, must have been long ago. I discovered it over a year ago; the file must have been manipulated a few months before.

tzic
September 14th, 2003, 06:16 PM
Hello to all,
I had the same problem, I couldn't visit any security related site. I followed the thread's instructions and renamed hosts to hosts.bak. I opened the hosts file with Notepad and this is what I got:

127.0.0.1 dd.trackdata.com #add by quotelf
127.0.0.1 quote.tdc.com #add by quotelf
127.0.0.1 dial2.tdc.com #add by quotelf
127.0.0.1 dial.tdc.com #add by quotelf
127.0.0.1 dd1.tdc.com #add by quotelf
127.0.0.1 dd.tdc.com #add by quotelf
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 www.brilliantdigital.com
127.0.0.1 desktop.kazaa.com
127.0.0.1 shop.kazaa.com
127.0.0.1 www.bonzi.com
127.0.0.1 www.b3d.com


Is there anything wrong with that? Any suggestions for a good and effective firewall?

Regards,

tziC

Pieter_Arntz
September 15th, 2003, 03:20 AM
Hi tzic,

If you had the same hosts file hijack as the others, there should be a lot more further down. They also added a lot of linefeeds so the hijack wouldn't be noticed at first sight.

Since I'm not sure how this hijack is accomplished, I can't promise a firewall will help prevent it, but it is a good idea to have one.
Recommended reading: http://www.wilders.org/firewalls.htm

Regards,

Pieter

tzic
September 15th, 2003, 05:48 AM
You were right, Pieter. Scrolling down the hosts.bak file I found these entries:

127.0.0.1 download.mcafee.com www.download.mcafee.com ftp.download.mcafee.com update.download.mcafee.com support.download.mcafee.com centralcommand.com www.centralcommand.com #fwav
127.0.0.1 www.centralcommand.com ftp.centralcommand.com update.centralcommand.com support.centralcommand.com popup.msn.com www.popup.msn.com ftp.popup.msn.com #fwav
127.0.0.1 ftp.popup.msn.com update.popup.msn.com support.popup.msn.com ads.msn.com www.ads.msn.com ftp.ads.msn.com update.ads.msn.com #fwav
127.0.0.1 update.ads.msn.com support.ads.msn.com sygate.com www.sygate.com ftp.sygate.com update.sygate.com support.sygate.com #fwav
127.0.0.1 support.sygate.com wingate.deerfield.com www.wingate.deerfield.com ftp.wingate.deerfield.com update.wingate.deerfield.com support.wingate.deerfield.com moosoft.com #fwav

There are a lot more... what should I do? Should I delete them and rename the hosts.bak file..?

Pieter_Arntz
September 15th, 2003, 06:06 AM
Hi tzic,

Delete everything beneath:
127.0.0.1 www.b3d.com

and save the hosts file. That way you have the "bad" addresses blocked and the good ones are freely accessible again.

Regards,

Pieter
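An added example for this page (not code from the thread, from HijackThis, or from any other tool named here) that automates the two steps Pieter gives: the earlier post's "locate the hosts file and set it aside", and the advice above to cut the hijacked block while keeping the user's own ad-blocking entries. It parses the multi-name lines the hijack uses, reports which watched vendor hosts are pinned to a loopback address, spots the run of blank lines Pieter says was used to hide the block, and writes a cleaned copy after saving a .bak. The vendor list is a subset of the names Pieter summarised from Rich111's file; the `#fwav` tag and the blank-run threshold are assumptions drawn only from this thread, not a general signature; the sample file is constructed from the fragments tzic posted.

```python
"""Audit and clean a Windows hosts file for the vendor-blackhole hijack seen in this thread.
Added example; not code from the thread or from any tool it mentions."""
import os
import sys
from typing import List, NamedTuple, Tuple

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}          # addresses used to blackhole a name

# Subset of the vendor names Pieter listed from Rich111's hosts file.
SECURITY_VENDORS = ("mcafee.com", "centralcommand.com", "sygate.com", "kaspersky.com",
                    "zonelabs.com", "sysinternals.com", "symantec.com", "trendmicro.com",
                    "f-secure.com", "grisoft.com", "nod32.com", "agnitum.com")

# NT/2000/XP path from Pieter's post; %SystemRoot% also covers the D:\WINDOWS seen in the HJT log.
DEFAULT_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "system32", "drivers", "etc", "hosts")

# Constructed sample: tzic's top entries and ad-block lines, 40 blank lines of padding,
# then three of the '#fwav' lines he found further down.
SAMPLE_HOSTS = (
    "127.0.0.1 quote.tdc.com #add by quotelf\n"
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "127.0.0.1 localhost\n"
    "127.0.0.1 www.brilliantdigital.com\n"
    "127.0.0.1 desktop.kazaa.com\n"
    "127.0.0.1 www.b3d.com\n"
    + "\n" * 40 +
    "127.0.0.1 download.mcafee.com www.download.mcafee.com ftp.download.mcafee.com "
    "update.download.mcafee.com support.download.mcafee.com centralcommand.com www.centralcommand.com #fwav\n"
    "127.0.0.1 www.centralcommand.com ftp.centralcommand.com update.centralcommand.com "
    "support.centralcommand.com popup.msn.com www.popup.msn.com ftp.popup.msn.com #fwav\n"
    "127.0.0.1 update.ads.msn.com support.ads.msn.com sygate.com www.sygate.com ftp.sygate.com "
    "update.sygate.com support.sygate.com #fwav\n"
)


class HostsEntry(NamedTuple):
    lineno: int
    ip: str
    names: Tuple[str, ...]   # one line may carry several names; the hijack packs seven per line
    comment: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse 'ip name [name ...] [# comment]' lines; comment-only and blank lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")
        fields = body.split()
        if fields:
            entries.append(HostsEntry(n, fields[0], tuple(f.lower() for f in fields[1:]), comment.strip()))
    return entries


def is_watched(name: str, watch=SECURITY_VENDORS) -> bool:
    return any(name == d or name.endswith("." + d) for d in watch)


def find_hijacked(entries: List[HostsEntry], watch=SECURITY_VENDORS) -> List[Tuple[int, str]]:
    """(line number, name) for every watched host that the file sends to a loopback/null address."""
    return [(e.lineno, n) for e in entries if e.ip in LOOPBACK for n in e.names if is_watched(n, watch)]


def blank_runs(text: str, min_run: int = 10) -> List[Tuple[int, int]]:
    """(first line, length) of long runs of blank lines: the padding used to push the block off-screen."""
    runs, start, length = [], 0, 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            start, length = (start or n), length + 1
        else:
            if length >= min_run:
                runs.append((start, length))
            start, length = 0, 0
    if length >= min_run:
        runs.append((start, length))
    return runs


def clean_hosts(text: str, tag: str = "fwav", watch=SECURITY_VENDORS, max_blank_run: int = 2) -> Tuple[str, int]:
    """Drop lines carrying the hijacker's tag or blackholing a watched vendor; keep everything else.
    Unlike 'delete everything beneath www.b3d.com' this keeps any legitimate entry that sits below
    the block, and squeezes the blank-line padding to max_blank_run. Returns (text, lines removed)."""
    kept, removed, blank_run = [], 0, 0
    for raw in text.splitlines():
        if not raw.strip():
            blank_run += 1
            if blank_run <= max_blank_run:
                kept.append(raw)
            continue
        blank_run = 0
        body, _, comment = raw.partition("#")
        fields = body.split()
        if fields and (comment.strip() == tag or
                       (fields[0] in LOOPBACK and any(is_watched(f.lower(), watch) for f in fields[1:]))):
            removed += 1
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    with open(path, encoding="latin-1") as fh:
        text = fh.read()
    for lineno, name in find_hijacked(parse_hosts(text)):
        print(f"line {lineno}: {name} is blackholed")
    for start, length in blank_runs(text):
        print(f"{length} blank lines starting at line {start} (possible padding)")
    cleaned, removed = clean_hosts(text)
    with open(path + ".bak", "w", encoding="latin-1") as fh:   # keep the original, as Pieter advises
        fh.write(text)
    with open(path, "w", encoding="latin-1") as fh:
        fh.write(cleaned)
    print(f"removed {removed} line(s); original saved as {path}.bak")
```

Run it as an administrator with the hosts path as the only argument (or none, to use %SystemRoot%); review the printed hits before trusting the cleaned file, since the watch-list is deliberately short and a vendor not on it will be reported only if its line carries the tag.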

tzic
September 15th, 2003, 07:22 AM
thank you Pieter, everything works fine.. :-)

tziC

Pieter_Arntz
September 15th, 2003, 07:30 AM
That's good to hear. :)

Any ideas how it might have happened?

Regards,

Pieter

tzic
September 15th, 2003, 07:48 AM
No, I don't have a clue..!

tziC

tzic
September 15th, 2003, 11:51 PM
I installed Kerio Personal Firewall. Every time a program tries to connect to the internet I get these messages:

- 'Internet Explorer' from your computer wants to send UDP datagram to quote.tdc.com [127.0.0.1], port 3115
- 'Internet Explorer' from your computer wants to send UDP datagram to quote.tdc.com [127.0.0.1], port 3168

This is the first line of my "hosts" file:

127.0.0.1 quote.tdc.com #add by quotelf

If I delete this entry, the Kerio messages replace quote.tdc.com with the next entry of the hosts file (127.0.0.1 dial2.tdc.com #add by quotelf) and the message is:

- 'Internet Explorer' from your computer wants to send UDP datagram to dial2.tdc.com [127.0.0.1], port 3115

The same thing happens with MSN Messenger:

- 'Messenger' from your computer wants to send UDP datagram to quote.tdc.com [127.0.0.1], port 3027
- 'Messenger' from your computer wants to send UDP datagram to 65.54.240.62, port 7001
- Someone from 65.54.240.62, port 7001 wants to send UDP datagram to port 3161 owned by 'Messenger' on your computer

Actually every program that connects to the internet wants to send a UDP datagram to the first entry of the hosts file..! I have to click the deny button at least 5 times for Messenger to load...

Any idea why this is happening?

Thank you in advance

tzic
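An added example (not from the thread, from Kerio, or from any tool named here) modelling what tzic reports above: the firewall labels a destination by reverse-resolving its address, and for 127.0.0.1 a hosts-file reverse lookup returns the name on the first matching line, so the alert wears whatever entry sits on top (quote.tdc.com, then dial2.tdc.com once that line is deleted). That first-match rule is an assumption inferred from the two alerts tzic quotes. The code parses the alert lines as he posted them, separates loopback traffic mislabelled this way from traffic to a real remote address, and shows that moving `127.0.0.1 localhost` to the top of the file makes the label honest again. Why the programs talk to loopback at all is not answered here, since the thread continues elsewhere. The hosts text is constructed from tzic's posts.

```python
"""Model of the reverse lookup behind the Kerio alert labels quoted above (added example)."""
import re
from typing import Optional

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed from tzic's posts: two '#add by quotelf' lines on top, then the stock header and localhost.
HOSTS_TZIC = (
    "127.0.0.1 quote.tdc.com #add by quotelf\n"
    "127.0.0.1 dial2.tdc.com #add by quotelf\n"
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "127.0.0.1 localhost\n"
    "127.0.0.1 www.b3d.com\n"
)

# Alert lines as tzic quoted them.
KERIO_ALERTS = [
    "'Internet Explorer' from your computer wants to send UDP datagram to quote.tdc.com [127.0.0.1], port 3115",
    "'Messenger' from your computer wants to send UDP datagram to quote.tdc.com [127.0.0.1], port 3027",
    "'Messenger' from your computer wants to send UDP datagram to 65.54.240.62, port 7001",
    "Someone from 65.54.240.62, port 7001 wants to send UDP datagram to port 3161 owned by 'Messenger' on your computer",
]

OUTBOUND = re.compile(r"^'(?P<prog>[^']+)' from your computer wants to send UDP datagram to "
                      r"(?P<dst>[^\s,\[]+)(?: \[(?P<ip>[^\]]+)\])?, port (?P<port>\d+)$")
INBOUND = re.compile(r"^Someone from (?P<src>[^\s,]+), port \d+ wants to send UDP datagram to "
                     r"port (?P<port>\d+) owned by '(?P<prog>[^']+)' on your computer$")


def hosts_reverse(hosts_text: str, ip: str) -> Optional[str]:
    """Name on the FIRST hosts line whose address is `ip` (assumed lookup order, see lead-in)."""
    for raw in hosts_text.splitlines():
        fields = raw.partition("#")[0].split()
        if len(fields) >= 2 and fields[0] == ip:
            return fields[1]
    return None


def classify_alert(line: str, hosts_text: str) -> Optional[dict]:
    """Parse one Kerio alert and say whether its name is just the hosts-file label for loopback."""
    m = OUTBOUND.match(line)
    if m:
        rec = {"direction": "out", "prog": m["prog"], "port": int(m["port"]),
               "ip": m["ip"] or m["dst"], "name": m["dst"] if m["ip"] else None}
    else:
        m = INBOUND.match(line)
        if not m:
            return None
        rec = {"direction": "in", "prog": m["prog"], "port": int(m["port"]), "ip": m["src"], "name": None}
    if rec["ip"] not in LOOPBACK:
        rec["verdict"] = "remote"                      # a real peer on the network
    elif rec["name"] and rec["name"] == hosts_reverse(hosts_text, rec["ip"]):
        rec["verdict"] = "loopback-hosts-label"        # local traffic wearing the top hosts entry's name
    else:
        rec["verdict"] = "loopback"
    return rec


def move_localhost_first(hosts_text: str) -> str:
    """Put '127.0.0.1 localhost' above every other loopback line so reverse lookups say 'localhost'."""
    def is_lh(line: str) -> bool:
        return line.partition("#")[0].split()[:2] == ["127.0.0.1", "localhost"]
    lines = hosts_text.splitlines()
    lh = [l for l in lines if is_lh(l)]
    return "\n".join(lh[:1] + [l for l in lines if not is_lh(l)]) + "\n"


if __name__ == "__main__":
    for alert in KERIO_ALERTS:
        r = classify_alert(alert, HOSTS_TZIC)
        print(f"{r['verdict']:22} {r['direction']:3} {r['prog']!r:20} {r['ip']}:{r['port']}")
    print("after the fix:", hosts_reverse(move_localhost_first(HOSTS_TZIC), "127.0.0.1"))
```

The verdict "loopback-hosts-label" means the host name in the alert carries no information about where the traffic goes; only the address in brackets does. Reordering the file changes the label, not the traffic, so it is a readability fix, not a cure for whatever is sending the datagrams.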

Pieter_Arntz
September 16th, 2003, 03:14 AM
Continued here: http://www.wilderssecurity.com/showthread.php?t=13837

Regards,

Pieter