Help - Blocked Sites

Discussion in 'other security issues & news' started by Rich111, Sep 11, 2003.

Thread Status:
Not open for further replies.
  1. Rich111

    Rich111 Guest

    Hello there, I have a very bad problem which I cannot solve.

    After installing some of the programs from your site such as sygate, tds-3 and spywareblaster and testing them I have found a LOAD of sites have been blocked o_O!

    Some of these include www.mcafee.com, www.symantec.com, www.grisoft.com, www.f-secure.com/ and many many more!
    I can no longer update my Mcafee anti virus because of this problem.

    I checked internet options - no.

    I uninstalled all the programs I got from your site.
    I disabled my firewall.
    I used mozilla to find the same problem.
    I did windows restore.

    Can someone please help... has 1 of these spyware programs done this o_O

    It's so annoying - a tonne of sites blocked
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Hi Rich,

    How exactly are they blocked - what I mean is, what error or message do you get that shows that you can't get to them? Is it that the web pages in your browser are now all blank? Or, is there a pop-up message that says the site hasn't responded, or maybe it times out...

    Anything at all you can tell us to further describe the problem may help point us in the right direction. There are a lot of different options for fighting a problem like this, but, narrowing it down will help a real lot.

    Thanks.
     
  3. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    I once had this problem too. It seemed that the hosts file was manipulated; all sites in that file are blocked.
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Yes, that is certainly one possibility (i.e. the hosts file, and a likely one) except for the fact that most good security packages (which is what Rich said he loaded) don't block good security sites. Usually, it's a hijack of some sort or spyware. It'd still be nice to hear exactly how these things are being blocked (what is being seen, any errors or messages, blank windows - a description of what the overall actual effect is that is being seen on the system).

    We need more information. :doubt:
     
  5. Rickster

    Rickster Guest

    Hi Rich111, I got the impression you loaded all these programs the same day. My XP had a similar problem with spywareblaster. Had to unload, do system restore, plus clean re-install on AV to restore the update engine. In your case it may not be swb's fault because you loaded several programs.

    Any program can have conflicts, so it's important to try one program at a time and run the system through its paces before moving on. If restore hasn't helped, someone here might help with your hosts files. My solution was a novice means.

    Regards, Rickster.
     
  6. Rich111

    Rich111 Guest

    Hi all thanks for your replies but still no luck.

    I did un-install and set back the changes made by the programs I used (which were TDS-3, Spywarebuster and sygate firewallpro and SPybot)
    But still I cannot access these sites.

    It occurred to me I have a virus because all these sites blocked are security related...

    http://www.entertheportal.com/Pics/Error_01.jpg <-When I type in the address.
    http://www.entertheportal.com/Pics/Error_02.jpg <- When I click on the address from say - yahoo.
    http://www.entertheportal.com/Pics/Error_03.jpg <- When I use mozilla
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Let's start at the most logical place, the hosts file.

    It can be found here:
    Windows 95/98/ Me c:\windows\hosts
    Windows NT/2000 c:\winnt\system32\drivers\etc\hosts
    Windows XP c:\windows\system32\drivers\etc\hosts

    Locate the file, rename it to hosts.bak and see if that helped.

    Regards,

    Pieter
     
  8. Rich111

    Rich111 Guest

    Thanks a lot, I renamed it and it worked :D
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    That's good, but I think it would be wise to establish what changed that file. It may have done more.

    Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log as a .txt file, and copy and paste its contents into your next post.

    Most of what it lists will be harmless, so do not fix anything yet.

    Could you also please mail a copy of that hosts file to the address in my profile?

    Regards,

    Pieter
     
  10. Rich111

    Rich111 Guest

    Logfile of HijackThis v1.97.2
    Scan saved at 13:54:58, on 12/09/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    D:\Program Files\ISS\BlackICE\blackd.exe
    D:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    D:\Program Files\Eset\nod32krn.exe
    D:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    D:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    D:\Program Files\Messenger Plus! 2\MsgPlus.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\ICQPlus\vplus.exe
    D:\Program Files\ISS\BlackICE\blackice.exe
    D:\Program Files\MSN Messenger\msnmsgr.exe
    D:\WINDOWS\system32\ntvdm.exe
    D:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    D:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    D:\Program Files\Winamp\winamp.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Program Files\Kazaa Lite\kazaalite.kpp
    D:\Documents and Settings\Richard\Desktop\Security\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - D:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Smapp] D:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [Tau Monitor] C:\Program Files\Agnitum\Tauscan 1.6\Taumon.exe
    O4 - HKLM\..\Run: [Hacker Eliminator] C:\Program Files\Hacker Eliminator\HackerEliminator.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ICQ Plus] "D:\Program Files\ICQPlus\vplus.exe"
    O4 - HKCU\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [STYLEXP] D:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: BlackICE PC Protection.lnk = D:\Program Files\ISS\BlackICE\blackice.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37811.6869560185
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E133B0D0-E290-46FF-AD30-21352A3FEDF8}: NameServer = 158.43.240.3 158.43.240.4
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Rich111,

    Apart from a visit due at Windows Update that looks good to me.

    I take it nothing has tried to create a new hosts file so far?

    Regards,

    Pieter
     
  12. Rich111

    Rich111 Guest

    Nope, nothing has attempted to make a new hosts file... I wonder what did it in the first place...

    Thanks again Pieter
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Me too. I'm afraid that if this was done on purpose, you won't be the last one.

    Regards,

    Pieter
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    That imon.dll missing, shouldn't that be fixed?
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Jooske,

    Well spotted, but no. HijackThis can't find it because the path is not specified, but imon.dll is there and Windows can find it, so everything works fine even though you would suspect otherwise.

    Regards,

    Pieter
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Rich111,

    I had a look at your hosts file and I'm even more shocked. There are more security related sites being blocked in there than I knew existed. :eek:

    A short summary:
    mcafee, centralcommand, sygate, wingate.deerfield, moosoft, kaspersky, tinysoftware, zonelabs, zonealarm, winproxy, proxyplus, signal9, consealfirewall, avirt, wyvernworks, agnitum, jammer, sysinternals, symantec, trendmicro, vil.nai, norman, fsecure, quickheal, alwil, esafe, nod32 and many more.
    Not only the www. addresses, but ftp., update., download and support. as well.

    Unfortunately no clue as to where it came from.

    Regards,

    Pieter
     
  17. Rich111

    Rich111 Guest

    Done some looking up on this strange thing and found it may be W95.MTX ? http://www.symantec.com/avcenter/venc/data/w95.mtx.html

    Only thing is I never open attachments from people I don't know... especially .SCR or .PIF!
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hmmm. And I found one person with the same hosts file in the Google groups

    Regards,

    Pieter
     
  19. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    So, there are at least 3 known host manipulations :)
    I don't know when this happened, must have been long ago. I discovered it over a year ago, the file must have been manipulated a few months before.
     
  20. tzic

    tzic Registered Member

    Joined:
    Sep 14, 2003
    Posts:
    12
    Hello to all,
    I had the same problem, I couldn't visit any security related site. I followed the thread's instructions and renamed host to host.bak. I opened the host file with notepad and this is what I got:

    127.0.0.1 dd.trackdata.com #add by quotelf
    127.0.0.1 quote.tdc.com #add by quotelf
    127.0.0.1 dial2.tdc.com #add by quotelf
    127.0.0.1 dial.tdc.com #add by quotelf
    127.0.0.1 dd1.tdc.com #add by quotelf
    127.0.0.1 dd.tdc.com #add by quotelf
    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    127.0.0.1 localhost
    127.0.0.1 www.brilliantdigital.com
    127.0.0.1 desktop.kazaa.com
    127.0.0.1 shop.kazaa.com
    127.0.0.1 www.bonzi.com
    127.0.0.1 www.b3d.com


    Is there anything wrong with that? Any suggestions for a good and effective firewall?

    Regards,

    tziC
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi tzic,

    If you had the same hosts file hijack as the others, there should be a lot more further down. They also added a lot of linefeeds so the hijack wouldn't be noticed at first sight.

    Since I'm not sure how this hijack is accomplished, I can't promise a firewall will help prevent it, but it is a good idea to have one.
    Recommended reading: http://www.wilders.org/firewalls.htm

    Regards,

    Pieter
     
  22. tzic

    tzic Registered Member

    Joined:
    Sep 14, 2003
    Posts:
    12
    You were right Pieter. Scrolling down the hosts.bak file I found these entries:

    127.0.0.1 download.mcafee.com www.download.mcafee.com ftp.download.mcafee.com update.download.mcafee.com support.download.mcafee.com centralcommand.com www.centralcommand.com #fwav
    127.0.0.1 www.centralcommand.com ftp.centralcommand.com update.centralcommand.com support.centralcommand.com popup.msn.com www.popup.msn.com ftp.popup.msn.com #fwav
    127.0.0.1 ftp.popup.msn.com update.popup.msn.com support.popup.msn.com ads.msn.com www.ads.msn.com ftp.ads.msn.com update.ads.msn.com #fwav
    127.0.0.1 update.ads.msn.com support.ads.msn.com sygate.com www.sygate.com ftp.sygate.com update.sygate.com support.sygate.com #fwav
    127.0.0.1 support.sygate.com wingate.deerfield.com www.wingate.deerfield.com ftp.wingate.deerfield.com update.wingate.deerfield.com support.wingate.deerfield.com moosoft.com #fwav

    There are a lot more... what should I do? Should I delete them and rename the hosts.bak file..?
     
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi tzic,

    Delete everything beneath:
    127.0.0.1 www.b3d.com

    and save the hosts file. That way you have the "bad" addresses blocked and the good ones are freely accessible again.

    Regards,

    Pieter
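An added example (not code from this thread or from any tool named in it) that checks a Windows hosts file for the signs discussed in this thread: non-localhost names sent to 127.0.0.1, security-vendor names among them, the #fwav tag, and the blank-line padding Pieter mentions; truncate_after applies his cleanup of deleting everything beneath the last good line. The vendor list and the sample file are constructed from names that appear in the thread.

```python
from collections import Counter
# Vendor domains named in this thread; a name under any of them mapped to loopback is a red flag.
SECURITY_VENDORS = ("mcafee.com", "symantec.com", "sygate.com", "kaspersky.com",
                    "f-secure.com", "grisoft.com", "centralcommand.com", "deerfield.com")
# Constructed sample, abbreviated from the hijacked file posted in this thread (not the real file).
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    "127.0.0.1 www.b3d.com\n"
    + "\n" * 40  # blank-line padding hides the hijack below what Notepad shows at first sight
    + "127.0.0.1 download.mcafee.com www.download.mcafee.com centralcommand.com #fwav\n"
    "127.0.0.1 sygate.com www.sygate.com update.sygate.com support.sygate.com #fwav\n"
)

def parse_hosts(text):
    """Return [(line_no, ip, [hostnames], comment)] for each non-blank, non-comment line."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")
        fields = body.split()
        if fields:
            entries.append((n, fields[0], [h.lower() for h in fields[1:]], comment.strip()))
    return entries
def longest_blank_run(text):
    """Longest run of consecutive empty lines; a large value is the padding trick."""
    longest = run = 0
    for line in text.splitlines():
        run = run + 1 if not line.strip() else 0
        longest = max(longest, run)
    return longest
def audit_hosts(text):
    """Collect the hijack indicators: names sent to loopback, vendor names among them, tags, padding."""
    f = {"redirected": [], "vendor_hits": [], "tags": Counter(),
         "longest_blank_run": longest_blank_run(text)}
    for n, ip, names, comment in parse_hosts(text):
        if ip not in ("127.0.0.1", "0.0.0.0"):
            continue
        for host in names:
            if host == "localhost":  # the only loopback name a stock Windows hosts file carries
                continue
            f["redirected"].append((n, host))
            if any(host == v or host.endswith("." + v) for v in SECURITY_VENDORS):
                f["vendor_hits"].append((n, host))
        if comment:
            f["tags"][comment] += 1
    return f
def truncate_after(text, last_good_line):
    """Pieter's cleanup: keep everything up to and including last_good_line, drop the rest."""
    head, marker, _ = text.partition(last_good_line + "\n")
    return head + marker if marker else text  # unchanged when the marker line is absent
```

Run audit_hosts on the real file first and only truncate once the audit shows the redirected names all sit below a line you recognise as your own.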
     
  24. tzic

    tzic Registered Member

    Joined:
    Sep 14, 2003
    Posts:
    12
    thank you Pieter, everything works fine.. :)

    tziC
     
  25. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    That's good to hear. :)

    Any ideas how it might have happened?

    Regards,

    Pieter
     