Help - Blocked Sites

Hello there, I have a very bad problem which I cannot solve.

After installing some of the programs from your site such as sygate, tds-3 and spywareblaster and testing them I have found a LOAD of sites have been blocked!

Some of these include www.mcafee.com, www.symantec.com , www.grisoft.com,www.f-secure.com/ and many many more!
I can no longer update my Mcafee anti virus because of this problem.

I checked internet options - no.

I Uninstalled all the programs I got form your site.
I disabled my firewall.
I used mozilla to find the same problem.
I did windows restore.

Can someone please help... has 1 of these spyware programs done this

It's so annoying - a tonne of sites blocked

 

I once had this problem too. I seemd that the hosts file was manipulated, all sites in that file are blocked.

 

Hi Rich111, I got the impression you loaded all these programs the same day. My XP had a similar problem with spywareblaster. Had to unload, do system restore, plus clean re-install on AV to restore the update engine. In your case it may not be swb's fault because you loaded several programs.

Any program can have conflicts, so it's important to try one program at a time and run the system through it's paces before moving on. If restore hasn't helped, someone here might help with your hosts files. My solution was a novice means.

Regards, Rickster.

 

Hi all thanks for your replies but still no luck.

I did un-install and set back the changes made by the programs i used (which were TDS-3, Spywarebuster and sygate firewallpro and SPybot)
But still I cannot acess these sites.

It occured to me i have a virus because all these sites blocked are security related...

http://www.entertheportal.com/Pics/Error_01.jpg <-When I type in the address.
http://www.entertheportal.com/Pics/Error_02.jpg <- When i click on the address from say - yahoo.
http://www.entertheportal.com/Pics/Error_03.jpg <- When I use mozilla

 

Let's start at the most logical place, the hosts file.

It can be found here:
Windows 95/98/ Me c:\windows\hosts
Windows NT/2000 c:\winnt\system32\drivers\etc\hosts
Windows XP c:\windows\system32\drivers\etc\hosts

Locate the file, rename it to hosts.bak and try if that helped.

Regards,

Pieter

 

Thanks a lot, I renamed it and it worked

 

That's good, but I think it would be wise to establish what changed that file. It may have done more.

Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log as a .txt file, and copy and paste its contents into your next post.

Most of what it lists will be harmless, so do not fix anything yet.

Could you also please mail a copy of that hosts file to the address in my profile?

Regards,

Pieter

 

Logfile of HijackThis v1.97.2
Scan saved at 13:54:58, on 12/09/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
D:\Program Files\ISS\BlackICE\blackd.exe
D:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
D:\Program Files\Eset\nod32krn.exe
D:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
D:\Program Files\Analog Devices\SoundMAX\SMTray.exe
D:\Program Files\Messenger Plus! 2\MsgPlus.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\ICQPlus\vplus.exe
D:\Program Files\ISS\BlackICE\blackice.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\WINDOWS\system32\ntvdm.exe
D:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
D:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
D:\Program Files\Winamp\winamp.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Kazaa Lite\kazaalite.kpp
D:\Documents and Settings\Richard\Desktop\Security\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - D:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Smapp] D:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Tau Monitor] C:\Program Files\Agnitum\Tauscan 1.6\Taumon.exe
O4 - HKLM\..\Run: [Hacker Eliminator] C:\Program Files\Hacker Eliminator\HackerEliminator.exe
O4 - HKLM\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ICQ Plus] "D:\Program Files\ICQPlus\vplus.exe"
O4 - HKCU\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [STYLEXP] D:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: BlackICE PC Protection.lnk = D:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37811.6869560185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E133B0D0-E290-46FF-AD30-21352A3FEDF8}: NameServer = 158.43.240.3 158.43.240.4

 

Hi Rich111,

Apart from a visit due at Windows Update that looks good to me.

I take it nothing has tried to create a new hosts file sofar?

Regards,

Pieter

 

Nope, nothing has attempted to make a new hosts file...i wonder what did it in the first place...

Thanks again Pieter

 

Me too. I'm afraid that if this was done on purpose, you won't be the last one.

Regards,

Pieter

 

That imon.dll missing, shouldn't that be fixed?

 

Hi Jooske,

Well spotted, but no. HijackThis can't find it because the path is not specified, but imon.dll is there and Windows can find it, so everything works fine even though you would suspect otherwise.

Regards,

Pieter

 

Hi Rich111,

I had a look at your hosts file and I´m even more shocked. There are more security related sites being blocked in there then I knew existed.

a short summary:
mcafee, centralcommand, sygate, wingate.deerfield, moosoft, kaspersky, tinysoftware, zonelabs, zonealarm, winproxy, proxyplus, signal9, consealfirewall, avirt, wyvernworks, agnitum, jammer, sysinternals, symantec, trendmicro, vil.nai, norman, fsecure, quickheal, alwil, esafe, nod32 and many more.
Not only the www. addresses, but ftp., update., download and support. as well.

Unfortunately no clue as to where it came from.

Regards,

Pieter

 

Done some looking up on this strange thing and found it may be W95.MTX ? http://www.symantec.com/avcenter/venc/data/w95.mtx.html

Only thing is I never open attachments from people I don't know... especially .SCR or .PIF!

 

Hmmm. And I found one person with the same hosts file in the Google groups

Regards,

Pieter

 

So, there are at least 3 known host manipulations
I don't know when this happened, must have been long ago. I discoverd it over a year ago, the file must have been maniputaled a few months before.

 

Hello to all,
I had the same problem, I couldnt visit any security related site. I followed the threads instructions and renamed host to host.bak. I opened host file with notepad and this is what I got:

127.0.0.1 dd.trackdata.com #add by quotelf
127.0.0.1 quote.tdc.com #add by quotelf
127.0.0.1 dial2.tdc.com #add by quotelf
127.0.0.1 dial.tdc.com #add by quotelf
127.0.0.1 dd1.tdc.com #add by quotelf
127.0.0.1 dd.tdc.com #add by quotelf
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 www.brilliantdigital.com
127.0.0.1 desktop.kazaa.com
127.0.0.1 shop.kazaa.com
127.0.0.1 www.bonzi.com
127.0.0.1 www.b3d.com


Is there anything wrong with that? Any suggestions for a good and effective firewall?

Regards,

tziC

 

Hi tzic,

If you had the same hosts file hijack as the others, there should be a lot more further down. They also added a lot of linefeeds so the hijackt wouldn't be noticed at first sight.

Since I'm not sure how this hijack is accomplished, I can't promise a firewall will help prevent it, but it is a good idea to have one.
Recommended reading: http://www.wilders.org/firewalls.htm

Regards,

Pieter

 

you were wright Pieter. Scrolling down the hosts.bak file I found these entries:

127.0.0.1 download.mcafee.com www.download.mcafee.com ftp.download.mcafee.com update.download.mcafee.com support.download.mcafee.com centralcommand.com www.centralcommand.com #fwav
127.0.0.1 www.centralcommand.com ftp.centralcommand.com update.centralcommand.com support.centralcommand.com popup.msn.com www.popup.msn.com ftp.popup.msn.com #fwav
127.0.0.1 ftp.popup.msn.com update.popup.msn.com support.popup.msn.com ads.msn.com www.ads.msn.com ftp.ads.msn.com update.ads.msn.com #fwav
127.0.0.1 update.ads.msn.com support.ads.msn.com sygate.com www.sygate.com ftp.sygate.com update.sygate.com support.sygate.com #fwav
127.0.0.1 support.sygate.com wingate.deerfield.com www.wingate.deerfield.com ftp.wingate.deerfield.com update.wingate.deerfield.com support.wingate.deerfield.com moosoft.com #fwav

there are alot more... what should I do? Should I delete them and rename hosts.bak file..?

 

Hi tzic,

Delete everything beneath:
127.0.0.1 www.b3d.com

and save the hosts file. That way you have the "bad" addresses blocked and the good ones are freely accessible again.

Regards,

Pieter

 

thank you Pieter, everything works fine..

tziC

 

That's good to hear.

Any ideas how it might have happened?

Regards,

Pieter