Spybot S&D: False Positive On Some Hosts Entries?


FanJ
February 3rd, 2004, 07:56 PM
Hi,

I just did a full scan with Spybot S&D (latest defs) on my W 98 SE box (Dutch).

There were two alerts:

CoolWWWSearch.SmartKiller: Redirected host
grc.com = 204.1.226.226

CoolWWWSearch.SmartKiller: Redirected host
www.dslreports.com = 209.123.109.175

See also screenshot.

Both entries are (among others) in my HOSTS file:
204.1.226.226 grc.com
209.123.109.175 www.dslreports.com

I guess these are false positives ;)

Cheers, Jan.

PS: also posted at the Spybot S&D forum at Net-Integration.

puff-m-d
February 3rd, 2004, 10:26 PM
Jan,

I had a problem with false positives also.... There were 5 that showed up on my system.... They are listed below....

Regards,
Kent

Pieter_Arntz
February 4th, 2004, 03:29 AM
Hi Jan,

I understand why these are reported. I think Patrick forgot to include a check if these entries were pointing to 127.0.0.1

The reason why the hosts file is checked for these entries was first posted here: http://www.wilderssecurity.com/showthread.php?t=19885

Since the link to the Tom Coyote forums does not work at the time, I will post a part of the hosts file installed by that CWS variant.

{QUOTE->
127.0.0.1 forums.spywareinfo.com
127.0.0.1 www.spywareinfo.com
127.0.0.1 spywareinfo.com
127.0.0.1 www.computercops.biz
127.0.0.1 computercops.biz
127.0.0.1 dslreports.com
127.0.0.1 www.dslreports.com
127.0.0.1 www.lavasoftsupport.com
127.0.0.1 lavasoftsupport.com
127.0.0.1 www.lurkhere.com
127.0.0.1 lurkhere.com
127.0.0.1 forums.net-integration.net
127.0.0.1 www.pctalk.info
127.0.0.1 pctalk.info
127.0.0.1 www.suggestafix.com
127.0.0.1 suggestafix.com
127.0.0.1 forums.thiefware.com
127.0.0.1 www.tomcoyote.org
127.0.0.1 tomcoyote.org
127.0.0.1 www.wilderssecurity.com
127.0.0.1 wilderssecurity.com
127.0.0.1 www.winguides.com
127.0.0.1 winguides.com
127.0.0.1 www.spybot-spyware.com
127.0.0.1 spybot-spyware.com
127.0.0.1 1spybot.com
127.0.0.1 www.1spybot.com
127.0.0.1 www.lavasoftusa.com
127.0.0.1 lavasoftusa.com
127.0.0.1 www.spychecker.com
127.0.0.1 spychecker.com
127.0.0.1 www.grc.com
127.0.0.1 grc.com
127.0.0.1 www.cexx.org
127.0.0.1 cexx.org
127.0.0.1 security.kolla.de
127.0.0.1 www.security.kolla.de
127.0.0.1 simplythebest.net
127.0.0.1 www.simplythebest.net
127.0.0.1 www.spywareguide.com
127.0.0.1 spywareguide.com
127.0.0.1 www.spyware.co.uk
127.0.0.1 spyware.co.uk
127.0.0.1 www.lavasoft.de
127.0.0.1 lavasoft.de
127.0.0.1 www.webopedia.com
127.0.0.1 webopedia.com
127.0.0.1 www.ZeroSpyWare.com
127.0.0.1 ZeroSpyWare.com
127.0.0.1 www.spectorsoft.com
127.0.0.1 spectorsoft.com
127.0.0.1 www.Spy--Software.com
127.0.0.1 Spy--Software.com
127.0.0.1 www.sunbelt-software.com
127.0.0.1 sunbelt-software.com
127.0.0.1 www.spycleaner.net
127.0.0.1 spycleaner.net
127.0.0.1 www.EnigmaSoftwareGroup.com
127.0.0.1 EnigmaSoftwareGroup.com
127.0.0.1 www.no-spybot.com
127.0.0.1 no-spybot.com <-QUOTE}

Regards,

Pieter
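
As an added example (not code from the thread or from Spybot S&D), the check Pieter says is missing, written in Python: a watched hostname in HOSTS is only a CWS-style redirect when it points at loopback or the unspecified address, not when the user has deliberately pinned it to the site's real address as Jan did. The sample HOSTS text and the watched-hostname set (a subset of the quoted CWS list) are constructed for the example.

```python
import ipaddress

# Constructed sample: Jan's two legitimate entries from the first post plus a few
# lines of the kind the CWS.SmartKiller hosts file quoted above plants.
SAMPLE_HOSTS = """\
# user's own pins, verified against DNS
204.1.226.226 grc.com
209.123.109.175 www.dslreports.com
# lines in the shape of the CWS variant's hosts file
127.0.0.1 www.spywareinfo.com
127.0.0.1 forums.net-integration.net
127.0.0.1 localhost
"""

# Hostnames the CWS variant redirects (subset of the list quoted above, lower-cased).
WATCHED_HOSTS = {
    "grc.com",
    "www.dslreports.com",
    "www.spywareinfo.com",
    "forums.net-integration.net",
}


def parse_hosts(text):
    """Return (address, hostname) pairs; comments, blanks and unparsable lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: skip rather than guess
        for name in fields[1:]:
            entries.append((addr, name.lower()))
    return entries


def naive_findings(text):
    """The check as Spybot apparently applied it: any watched name present is reported,
    which is what turns Jan's deliberate pins into 'Redirected host' alerts."""
    return [name for addr, name in parse_hosts(text) if name in WATCHED_HOSTS]


def is_blackholed(addr):
    """A watched site pointed at loopback (127.x, ::1) or the unspecified address
    (0.0.0.0, ::) is unreachable; that is the CWS redirect pattern."""
    return addr.is_loopback or addr.is_unspecified


def corrected_findings(text):
    """Pieter's missing check: only report a watched name when it is blackholed."""
    return [name for addr, name in parse_hosts(text)
            if name in WATCHED_HOSTS and is_blackholed(addr)]


if __name__ == "__main__":
    print("naive    :", naive_findings(SAMPLE_HOSTS))
    print("corrected:", corrected_findings(SAMPLE_HOSTS))
```

With the sample above the naive check reports all four watched names, the corrected one only the two loopback entries; IPv6 loopback (`::1`) and `0.0.0.0` are treated the same way as 127.0.0.1.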

FanJ
February 4th, 2004, 04:09 AM
Thanks Kent and Pieter :)

{QUOTE-> I think Patrick forgot to include a check if these entries were pointing to 127.0.0.1
<-QUOTE}
Yep, I too was thinking that ;)

What a r*ts that CWS :-X

PS:
A hint for the people who are using TDS-3:
Put your HOSTS file in your file crcfiles.txt
The crc32-test of TDS-3 will then alert you in case your HOSTS has been changed!
FileChecker from Javacool will do the same for you!

Pieter_Arntz
February 4th, 2004, 04:39 AM
Lol. Here is a trick I learned from the QHosts trojan: how to change the location of the hosts file.

This only works for Win2k and XP, so it is not of much use to you, FanJ (sorry).

What I did is create a folder called fooledya in
Windir\System32\drivers\etc
where you will normally find the hosts file.

Then copy the part in bold below into notepad and save it as hostsmove.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,5c,00,66,\
00,6f,00,6f,00,6c,00,65,00,64,00,79,00,61,00,00,00

Double-click hostsmove.reg and confirm you want to merge it with the registry.

Then move the hosts file you are sure to be correct into the fooledya folder and preferably create a useless dupe (you can use the almost empty Windows example) in the normal directory.

In fact I use two reg files to switch between those two hosts files (that is a trick I learned from LWM).

Most hosts-hijackers check the windows version and then plant a new hosts file, or change the hosts file, in the default location.

Note 1: Windir is the active Windows directory which would be C:\Windows for the majority.
Note 2: Some programs may alert you to the hosts file not being in the default location.

Regards,

Pieter
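
An added example (not from the thread, TDS-3 or FileChecker) that ties Pieter's relocation post and FanJ's crc32 hint together in Python. It decodes the `DataBasePath` value from the .reg text above before merging it (a hex(2) value is REG_EXPAND_SZ stored as UTF-16LE), reports whether the hosts file has been moved off the Windows default, which is the condition Note 2 says some programs alert on, and implements the crc32 baseline check on a constructed hosts file in a temporary directory. The `encode_reg_hex2` helper is an assumption of this example: it builds the inverse line one would use for the switch-back reg file Pieter mentions.

```python
import os
import re
import tempfile
import zlib

# The registry text from the post above, embedded verbatim so it can be inspected
# without merging it (raw string: the backslashes are literal).
REG_SNIPPET = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,5c,00,66,\
00,6f,00,6f,00,6c,00,65,00,64,00,79,00,61,00,00,00
'''

# Where Windows 2000/XP keep the hosts file unless DataBasePath says otherwise.
DEFAULT_DATABASEPATH = r"%SystemRoot%\System32\drivers\etc"


def decode_reg_hex2(reg_text, value_name="DataBasePath"):
    """Return the string stored in a .reg hex(2) (REG_EXPAND_SZ, UTF-16LE) value."""
    joined = reg_text.replace("\\\n", "")  # .reg continuation lines end in a backslash
    pattern = r'"%s"=hex\(2\):([0-9a-fA-F,\s]+)' % re.escape(value_name)
    match = re.search(pattern, joined)
    if match is None:
        raise ValueError("value %r not found" % value_name)
    hex_bytes = [b for b in re.sub(r"\s", "", match.group(1)).split(",") if b]
    raw = bytes(int(b, 16) for b in hex_bytes)
    return raw.decode("utf-16-le").rstrip("\x00")


def encode_reg_hex2(value_name, text):
    """Inverse of the above (example helper): build a hex(2) line for a string,
    e.g. for the reg file that switches DataBasePath back to the default."""
    raw = (text + "\x00").encode("utf-16-le")
    return '"%s"=hex(2):%s' % (value_name, ",".join("%02x" % b for b in raw))


def hosts_is_relocated(reg_text):
    """Note 2 in code: True when the decoded path is not the Windows default."""
    return decode_reg_hex2(reg_text).lower() != DEFAULT_DATABASEPATH.lower()


def hosts_crc32(path):
    """CRC32 of the file, the same kind of checksum TDS-3's crcfiles.txt test uses."""
    with open(path, "rb") as f:
        return zlib.crc32(f.read()) & 0xFFFFFFFF


def hosts_changed(path, baseline_crc):
    return hosts_crc32(path) != baseline_crc


def simulate_hijack():
    """Constructed demo: baseline a hosts file, then append a redirect line and re-check.
    Returns (alert_before, alert_after); a working baseline gives (False, True)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "hosts")
        with open(path, "wb") as f:
            f.write(b"127.0.0.1 localhost\r\n")
        baseline = hosts_crc32(path)
        alert_before = hosts_changed(path, baseline)
        with open(path, "ab") as f:
            f.write(b"127.0.0.1 www.grc.com\r\n")  # the sort of line CWS plants
        return alert_before, hosts_changed(path, baseline)


if __name__ == "__main__":
    print("DataBasePath ->", decode_reg_hex2(REG_SNIPPET))
    print("relocated    :", hosts_is_relocated(REG_SNIPPET))
    print("crc alerts   :", simulate_hijack())
```

Decoding the snippet yields `%SystemRoot%\System32\drivers\etc\fooledya`, so the checker reports the hosts file as relocated; a crc32 baseline is a cheap tripwire, but it only tells you the file changed, not what changed, so keep a known-good copy to diff against.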

puff-m-d
April 4th, 2004, 03:39 PM
Hello all,

I was all of a sudden having a problem updating Trojan Hunter and A2. I was beating my head trying to figure out what was going on. I went to the TH forum and was looking at the topics involving update problems, and read a post by Randy Bell. He had the exact same problem as me; the only difference was that he had deleted his hosts file. He had to put one back in order to update TH. This got me to thinking.

Well, to make a long story short, I had just 2 days prior used the above registry tweak to move my host file. I did it exactly as Pieter posted including leaving a dummy hosts in the original location. I know the moved hosts was working properly as I use eDexter to show the blocked sites. I changed everything back to the way it was originally and now TH and A2 both update with no problem.

So I guess what I am getting to is this. If you have used the above registry tweak and suddenly have problems with something updating, try changing back to the original configuration and see if that solves your problem. This is probably a rare thing to happen because I imagine not too many people have moved their hosts file by this registry tweak, and of the ones that have, not many use TH or A2. Although if it affects those two programs, it could affect others.

Regards,
Kent