Spybot detecting common hijacker

Discussion in 'privacy problems' started by Michael_aust, Mar 16, 2005.

Thread Status:
Not open for further replies.
  1. Michael_aust

    Michael_aust Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    101
    Location:
    Lancashire (UK)
    I just ran a scan with Spybot and it detected 22 cases of common hijacker. I wasn't sure what it meant at first; on the results it said different address and said it had been changed to 127.0.0.1, which is my local machine address, right?

    I recently put on a new host file from www.hosts-file.net like a member on here suggested. Is it just things in the host file that it is detecting? Because when I searched through the host file it contained all the sites that Spybot found.

    So is it a hijacker or something or just my hosts file?

    I left them where they are just in case, any ideas?

    Thanks

    Michael.
     
  2. dog

    dog Guest

    Hi Michael, ;)

    Yes, Spybot is just alerting you to the re-directs in your hosts file, they're likely OK. ;) Just double-check that they aren't legit sites ... some malware will try to add entries to your hosts to prevent you from getting help.

    If you want someone here to discern the entries for you, you can post them, just make sure the links aren't active by either replacing HTTP with HXXP, i.e. (hxxp://www.wilderssecurity.com), or just short form them like wilderssecurity.com. Or you can decide for yourself if you're comfortable with that. ;)

    You can delete them if you wish; it will only result in you being able to access those particular sites.

    HTH, ;)

    Steve
     
  3. Michael_aust

    Michael_aust Registered Member

    Ok thanks,

    I thought they were just something innocent to do with my hosts file.

    Thanks

    Michael.
     
  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    This is a valid issue that I've already communicated to Patrick several weeks ago.

    At the very least, the wording of the detection needs to be changed.

    An intrinsic problem with this is that - apparently - the "Bug Report" you send in with SBS&D doesn't show the same thing you see when you run a scan on your "Results" page - at least not as far as giving the actual names of the links involved via the bug report.

    I don't know why this hasn't been fixed yet. Hopefully, it will be. Pete
     
  5. spy1

    spy1 Registered Member

    I can make the problem re-appear by simply having Hostess re-"Write" the host file to the standard location here.

    The fact that I can run two consecutive scans with SBS&D, the first one having this result and the second one NOT having this result (even though I did NOT tell SBS&D to "fix" the problem the first time around), makes me wonder whether there's a problem there, too.
     

  6. spy1

    spy1 Registered Member

    I've got a feeling that every one of those entries is part of HPGuru's hosts file - I hope I'm wrong and I'm going to try to make time to check, since I'm home tonight anyway.
     

  7. spy1

    spy1 Registered Member

    Okay, the ones that are not a part of HPGuru's hosts file are:

    secure.spykiller.com
    www.pestpatrol.com
    merijn.org
    www.merijn.org

    Neither can I find those four in: IE-SPYAD2 or SpyBlocker (which makes me wonder where in the hell I did get them from).

    I use one other hosts file, though. I'll have to think of what it is and check it out, too. Pete
     
  8. dog

    dog Guest

    Hi Pete, ;)

    The sunbelt (Counter Spy is licensed to use the Giant/M$ engine/DB) & spycop entries are OK. I had already previously deleted those ... but I never checked into any of the others from HpGuru's list that are Flagged. I've left them as is currently. ;)

    The others are another matter. They could've been written by malware. But I'm not sure about secure.spykiller.com, as I do have that listed in my mod'd Hosts.

    Pete do you compile/merge/maintain your own version of Hosts? What sources do you use? ... Do you use anything else to add to the Hosts, like Spybot, Spy Sweeper, etc. built in capability? Is your hosts, set to read-only and locked?

    Steve
     
  9. spy1

    spy1 Registered Member

    Steve - I use Hostess to manage the hosts files I use. I use the one in SpyBlocker, HpGuru's and someone else's whose name escapes me at the moment (it's been a long, very busy day).

    I don't use the one in SBS&D (I think! <g> ). I do use IE-SPYAD2 and SpywareBlaster.

    Nah - it ain't "read-only" or locked - how else would I manage to have so much fun with these kinds of issues if I did that? :D (Besides, I'd have to keep screwing with it if I had it set like that every single time someone updated their hosts file). Pete
     
  10. spy1

    spy1 Registered Member

    This is what I'm talking about as far as the SBS&D "bug report" goes. This is a direct copy of what got sent to me (I have a copy sent to myself) when I submitted the last bug report after my first scan above:

    --- Search result list ---
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)
    Common hijacker: Redirected host (Redirected host, nothing done)

    As you can see, there are 24 "Common hijacker" results sent - but it doesn't say what they were, just that they were all "Redirected host" - if that's all they're seeing on the other end (when they get the bug report) it sure isn't telling them anything that'll enable them to help anyone - or if, indeed, it's actually a problem at all.

    My fear here has always been that un-informed people will simply let SBS&D "fix" these results - and thereby DEcrease their protection.

    I sincerely hope I'm making sense here. Pete
     
  11. dog

    dog Guest

    Bad Boy!! :D LOL

    BTW - I just double checked my mod'd host and secure.spykiller.com is a HpGuru entry. When I mod my host (manually) I section it by sources (i.e. # beginning of entries by ***** and ended with # end of entries by ******) hehehe ... I alphabetize it too with a spreadsheet. :p :blink:

    If you open your Hosts with Notepad, use Ctrl + F and search for that entry; you'll find it in Hp's stuff. ;)

    Those other 3 definitely need to be deleted though, and double check you don't have an infection that may have added those. (use the same method as the above and out of curiosity which section are they listed in ... because it could be an entry from one of those other hosts)

    Steve
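
Added example, not part of any post in this thread: a small Python audit that names the hosts-file entries worth a second look, which is the detail the Spybot "Redirected host" report above leaves out. The watchlist, the `audit_hosts` name, the sample file and the assumption that section markers are worded as in the post above are all constructed for illustration.

```python
import re

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumption: sites you never want blocked; here the domains named in the thread.
WATCHLIST = {"pestpatrol.com", "merijn.org"}
# Assumption: section markers worded "# beginning/end of entries by <source>".
MARKER = re.compile(r"#\s*(beginning|end) of entries by\s+(.+)", re.I)

def audit_hosts(text, watchlist=WATCHLIST):
    """Return (line, address, hostname, section, reason) for entries to review."""
    findings, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        marker = MARKER.match(line)
        if marker:
            opening = marker.group(1).lower() == "beginning"
            section = marker.group(2).strip() if opening else None
            continue
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue                              # blank, comment-only or malformed
        addr, names = fields[0], fields[1:]
        for name in names:
            host = name.lower().rstrip(".")
            if host == "localhost":
                continue
            if addr not in LOOPBACK:
                reason = "points to a non-loopback address"
            elif any(host == d or host.endswith("." + d) for d in watchlist):
                reason = "watchlisted site is blocked"
            else:
                continue                          # ordinary blocklist entry
            findings.append((lineno, addr, host, section or "(no section)", reason))
    return findings

# Constructed sample hosts file (not taken from any real list).
SAMPLE = """\
127.0.0.1 localhost
# beginning of entries by ListA
127.0.0.1 ads.example.net
127.0.0.1 secure.spykiller.com
# end of entries by ListA
127.0.0.1 www.pestpatrol.com
127.0.0.1 merijn.org www.merijn.org   # two names on one line
192.0.2.10 login.example.test
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print("line %d: %s -> %s [%s] %s" % finding)
```

Entries reported with "(no section)" sit outside every sourced block, so they were not written by one of the merged lists and deserve the closest look.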
     
  12. hpguru

    hpguru Privacy Expert

    Joined:
    Apr 6, 2003
    Posts:
    7
    Hi guys,

    I posted my response here.

    Btw I need volunteers to help identify and remove erroneously listed hostnames from hpHOSTS and as time goes on to develop a separate rating system for the sites listed. If anyone is interested and has the qualifications please contact me. :)

    http://www.hosts-file.net/phpbb2/viewtopic.php?t=30
     
  13. spy1

    spy1 Registered Member

    Aye, aye, sir - three rogue entries removed. (If there's any spyware on here, nothing's finding it. For all I know, I might have put those entries in there myself. Didn't Merijn have a problem a long time ago with his domain names being hi-jacked or something? Could those two have had anything to do with that? Or something to do with the CWShredder program? o_O Who knows - brain no work no more).

    I posted a link to this thread over on HPGuru's site, I'll probably do the same over on NI. Pete
     
  14. dog

    dog Guest

    Just so there's no misunderstanding regarding the three mentioned in my last paragraph above - I was referring to these three. ;)

    www.pestpatrol.com
    merijn.org
    www.merijn.org

    Thanks to the member who PM'd me, regarding this. ;)

    ~Snipped by me~ :)

    Steve

    EDIT - LOL - I'm too slow :p ... Hi HP ;) :)
     
  15. spy1

    spy1 Registered Member

    Yeah, dog, I know which ones you were referring to.

    Good night, all. Pete
     
  16. dog

    dog Guest

    I know you did Pete.

    I just wanted to clear it up for anyone else ... as one member did question which entries I was referring to - in a PM. ;)

    Good Night my Friend :)
     
  17. Hi, I've got SBS&D, I ran it and 'common hijacker' came up. I'm not really into computers and have read all your previous posts, but they don't make much sense to me. Is common hijacker bad? How do I get rid of it? Should I let SBS&D fix it?

    Cheers people, Dan
     