Resolve Target Host Question

Discussion in 'Trojan Defence Suite' started by lostsoul, Jun 25, 2004.

Thread Status:
Not open for further replies.
  1. lostsoul

    lostsoul Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    13
    I've recently noticed that when I resolve the host for the default 127.0.0.1 on my computer, I get a result of coolwwwsearch.com. Is this indicative of being plagued by the CWS Google nuisance, or is there a plausible explanation for this such as some protective software changing settings? (Pest Patrol, Spybot S&D, Adaware, TD3, Wormguard, NAV 2004)

    I was infected with the CWS Google a little while ago and I THOUGHT I was clean after a reformat and testing did not result in any positive findings. TD3 even comes up clean for trojans or anything suspicious. Is it possible that I have an unknown CWS variant and it is showing up when I resolve the local host? I've run both the Smart CWS and CWS Shredder and come up clean.

    Is this something to be concerned about or am I suffering from paranoia from the hassle of dealing with removing CWS in the past? :doubt:

    Any information would be appreciated.

    Thanks.
    LS
     
  2. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Welcome, LS. Sorry to see you suffering so. Something is definitely wrong there. As you probably know, the resolved name should be Local Host. See this site to try to rid yourself of coolwwwsearch. Let us know if you're successful.


    Edit: See this site for more info on your problem...
     
    Last edited: Jun 25, 2004
  3. lostsoul

    lostsoul Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    13
    Been there, done that. Everything comes back clean. :(

    In the HijackThis forum they said they could find nothing wrong in my log. Neither my search page nor my homepage is hijacked. Both the Smart Killer and CWS Shredder come up clean. Which is why I ended up reformatting, since no one could find anything.

    The place where the pest seems to show itself is in Yahoo Game rooms. Text ads are sent in to visit a free 'P' site as well as for chess games. My browser seems to slow down tremendously as well when it happens.

    Port Explorer does not give an unusual reading when I resolve the local host. Only TDS3. Yet nothing suspicious comes up in scans. I know CWS is not a trojan but TD3 is the only thing showing a reference to it. Which is why I thought I'd ask here if anyone had any ideas.

    All this makes me think that this may be a new or unknown variation.

    I am at wits end. Any other suggestions aside from taking a sledgehammer to my computer? ;)

    LS
     
  4. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Wild Guess here - did you try turning System Restore off? And then turn it back on.
     
  5. lostsoul

    lostsoul Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    13
    I have Win 98SE so no system restore. I do have Go Back however that was disabled during the reformat and everything was supposedly wiped clean from the two hard drives. In fact, I did two reformats just cuz I wanted to be sure to get rid of everything, and was a bit peeved with this nuisance and felt like venting. :p Apparently it was ineffective.

    LS
     
  6. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Wow. I'm at a point here way beyond my expertise. I'm hoping someone from DCS might be listening. I'm sure they could help.

    I've always thought a format of the hard drive would cure most ills. I'm not familiar with this pest, but is it possible that it could have infected something else in your home network (router, server, etc...)? o_O
     
  7. lostsoul

    lostsoul Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    13
    Thanks for your help. I would almost believe it was a root kit IF I were susceptible to one. As far as I know Win 98 is not. I too thought reformatting would solve things. Shows me how little I know.

    I'm learning how to use Port Explorer so maybe that will help me to track down the problem and maybe they can help me out in their forum.

    Again thanks for trying. It was very much appreciated.

    LS
     
  8. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Root kit? Sounds like you know more about this stuff than I do. I have read where some malware can infect the BIOS. I don't believe that is changed with a format.

    Edit: Also see this thread about using CWShredder. But I would think if a reformat didn't do the trick, CWShredder wouldn't either.
     
  9. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, lostsoul

    Methinks if you have the latest PE database and it shows nothing [red], then TDS is giving you a wrong reading.

    There was a post about the TDS domain database [old] and an update for it.

    Which makes sense, as that is PE's job.

    Take Care,
    TheQuest :cool:

    Edit: Read this link: #5 & #10 portref.txt updates
     
    Last edited: Jun 25, 2004
  10. lostsoul

    lostsoul Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    13
    I only know about root kits cuz of this nuisance. I am no techie geek believe me. Trying to find a solution tends to take me in many different directions and picking up things here and there along the LONG and well-traveled roads.

    I had not thought about a BIOS infection. Although come to think of it I did have a problem with Windows identifying the hard drives after the first reformat.

    Any idea on where I can look up information about a BIOS malware infection, or just do a search on Google and hope I am actually using Google?

    LS
     
  11. lostsoul

    lostsoul Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    13
    Thanks. I have not updated PE since I just installed it last night. I was concentrating on protection and cleaning updates primarily. I'll do that right now and see what happens.

    Although TD3 did give me the expected resolve result right after the reformat and only started giving the coolweb late afternoon yesterday.

    LS
     
  12. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    I would just do a web search. And I may be wrong in my prognosis. I hate to continue with suggestions from here on. It would just be the blind leading the blind, if you know what I mean. I may do more damage than good.
     
  13. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, lostsoul

    Your BIOS should be protected by default from being written to.

    Unless you have turned it off. If not, and if you do not know how to turn it off,

    then your BIOS is safe, as nothing can turn its protection off.

    Because it is done with DEL at boot.

    Take Care,
    TheQuest :cool:

    PS: To date I have updated my BIOS 11 times. [I am always playing with my BIOS to overclock]
     
  14. lostsoul

    lostsoul Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    13
    Ok here is probably a dumb question. If I've updated TDS3 earlier today (the databases) using the update feature is this the same thing you are talking about in this post?

    Also, if I've just downloaded PE would it be up to date in the database? If not, how would I go about updating it. I have not read through the entire help files yet, so if you can point me in the right direction I'd really appreciate it.

    Thanks,

    LS

    As for red entries in PE, I do get them with Time Waiting as their status, but they disappear relatively quickly after they appear once I switch PE on to view. I've just started logging everything so I can go back to view things once I get more familiar with the program.
     
  15. lostsoul

    lostsoul Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    13
    I've not changed the default settings for the BIOS so I reckon I'm safe.

    Thanks TheQuest!

    LS
     
  16. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Click HELP>CHECK FOR>NEW PORT AND DOMAIN DATABASES

    No. You have to go to this site and download the text file containing the port references.

    EDIT: Read Quest's POST #9 above for more details on updating TDS's port reference database
     
    Last edited: Jun 25, 2004
  17. lostsoul

    lostsoul Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    13
    TheQuest settled things for me. I'm safe in this ONE area. Thanks for the suggestion though, it allowed me to scratch one thing off the list of things to check.

    LS
     
  18. lostsoul

    lostsoul Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    13
    OK, PE was up to date so I'm fine there and I'm off to finish resaving the txt file I downloaded earlier to update TDS3. Thanks.

    I've noticed a lot of strange behavior in PE (a lot of red that disappears once I notice it in the program, AND my logging was turned off even though I had set it to log earlier today). I reckon I need to focus on that program to get a handle on the coolweb problem. At least now I have a place to keep digging in instead of going around in circles.

    LS
     
  19. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    You can set PE to highlight those dead sockets for longer (up to 10 seconds). Change that setting. Make sure you're logging to your text file, and set it to unlimited size for now.
     
  20. FanJ

    FanJ Guest

    Hi,

    First of all:
    I have to leave the HijackThis-logs to the HJT-experts !

    I was wondering:

    1.
    How is your HOSTS file looking (the one without any extension).

    2.
    Can you show us exactly what your TDS-3 says when you do a Resolve Target Host.

    3.
    Are you using a firewall?


    =======
    About 1:
    Your HOSTS file should begin with this line (at least as the first line not beginning with the character #):

    127.0.0.1 localhost


    About 2:
    2-A.
    When I (also on Win 98 SE) do a Resolve Target Host, I get:
    [DNS] Resolve IP: 127.0.0.1
    [DNS] Full name: localhost
    [DNS] IP address 1: 127.0.0.1
    [DNS] Resolve time: 5.957031E-02 seconds.

    2-B.
    Now I changed my first line in HOSTS (the first line not beginning with a character #) into:
    127.0.0.1 coolwwwsearch.com

    And then TDS-3, Resolve Target Host, tells me:
    [DNS] Resolve IP: 127.0.0.1
    [DNS] Full name: coolwwwsearch.com
    [DNS] IP address 1: 127.0.0.1
    [DNS] Resolve time: 4.980469E-02 seconds.
     
  21. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Great idea, FanJ! :D I'm sure that's it. Do you have any idea why a reformat didn't take care of this? I have to assume he was reinfected after the reformat.
     
  22. lostsoul

    lostsoul Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    13
    That's what I have it set to and they disappear quickly anyway. Also, when I go to view the log file I get a 'there was a failure launching Word Pad' error.

    Me thinks I need to switch forums.

    Problems, problems, an endless supply.

    LS
     
  23. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Navigate to your PE directory and open it manually (pelog.txt).
     
  24. FanJ

    FanJ Guest

    Hi Lostsoul,

    May I kindly ask you to run HijackThis and post your HJT-log, so the experts could have a look at it?

    May I also please ask you to answer my questions, a few postings earlier? ;)

    Regards, Jan.
     
  25. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I would follow FanJ's advice. I changed my hosts file to show:

    [DNS] Resolve IP: 127.0.0.1
    21:40:50 [DNS] Full name: coolwwwsearch.com
    21:40:50 [DNS] IP address 1: 127.0.0.1

    At minimum, your hosts file is being changed.

    Nick
     
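The mechanism FanJ demonstrated in post #20 (2-A versus 2-B) and nick s confirmed in post #25 is that a reverse lookup of 127.0.0.1 is answered from the HOSTS file, and the first non-comment line carrying that address supplies the "Full name" TDS-3 prints. The script below is an added example, not code from the thread or from DCS: it parses a Windows HOSTS file the same way, reproduces the Resolve Target Host result, and lists every extra name parked on the loopback address. The three HOSTS texts are constructed samples, and the rule that the first matching line wins is an assumption taken from FanJ's experiment. One caveat a practitioner would want: blocklist-style immunization (lines such as `127.0.0.1 unwanted.example` written by anti-spyware tools) and a hijack look identical in the file, so the audit reports which name comes first and leaves intent to a human.

```python
import ipaddress

# Constructed samples (not from the thread): a clean Windows 98 HOSTS file,
# the hijacked layout FanJ reproduced in 2-B, and a blocklist-style layout
# where localhost still comes first.
CLEAN_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP stack for Windows98
# Lines starting with # are comments; the resolver ignores them.
127.0.0.1       localhost
"""

HIJACKED_HOSTS = """\
# first non-comment line maps the loopback address to a hijack domain
127.0.0.1 coolwwwsearch.com
127.0.0.1 localhost
"""

BLOCKLIST_HOSTS = """\
127.0.0.1 localhost
# blocklist-style entries: sink unwanted domains to loopback
127.0.0.1 coolwwwsearch.com   # added by an immunization tool (assumed)
127.0.0.1 www.coolwwwsearch.com
"""


def parse_hosts(text):
    """Return [(ip, [names])] for every non-comment line, in file order.

    Inline '#' comments are stripped and lines whose first field is not an
    IP address are skipped, which is how a resolver treats junk lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        names = [n.lower() for n in fields[1:]]
        if names:
            entries.append((str(ip), names))
    return entries


def resolve_target_host(text, ip="127.0.0.1"):
    """Name a reverse lookup of `ip` yields from the HOSTS file.

    Assumption, matching FanJ's 2-A/2-B experiment: the first non-comment
    line carrying that IP wins, and its first name is the 'Full name'."""
    for entry_ip, names in parse_hosts(text):
        if entry_ip == ip:
            return names[0]
    return None


def audit_hosts(text, expected="localhost"):
    """Classify what the file does to the loopback address.

    Returns the reverse-lookup name, every extra name parked on loopback
    (blocklist and hijack entries look the same here), and a 'hijacked'
    flag that is true only when the reverse lookup no longer answers
    `expected`, which is exactly the symptom TDS-3 showed in the thread."""
    reverse = resolve_target_host(text)
    extra = []
    for ip, names in parse_hosts(text):
        if ipaddress.ip_address(ip).is_loopback:
            extra.extend(n for n in names if n != expected)
    return {
        "reverse_name": reverse,
        "extra_loopback_names": extra,
        "hijacked": reverse != expected,
    }


if __name__ == "__main__":
    # On Win 98 SE the live file would be read from C:\WINDOWS\HOSTS (assumed path).
    for label, text in (("clean", CLEAN_HOSTS), ("hijacked", HIJACKED_HOSTS),
                        ("blocklist", BLOCKLIST_HOSTS)):
        print(label, audit_hosts(text))
```

Run it against the real file with `audit_hosts(open(r"C:\WINDOWS\HOSTS").read())`; a `hijacked` result of `True` reproduces lostsoul's symptom, while `False` with a non-empty `extra_loopback_names` list is what an immunized but unhijacked machine looks like.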