Spybot S&D: False Positive On Some Hosts Entries?

Discussion in 'other anti-malware software' started by FanJ, Feb 3, 2004.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Hi,

    I just did a full scan with Spybot S&D (latest defs) on my W 98 SE box (Dutch).

    There were two alerts:

    CoolWWWSearch.SmartKiller: Redirected host
    grc.com = 204.1.226.226

    CoolWWWSearch.SmartKiller: Redirected host
    www.dslreports.com = 209.123.109.175

    See also screenshot.

    Both entries are (among others) in my HOSTS file:
    204.1.226.226 grc.com
    209.123.109.175 www.dslreports.com

    I guess these are false positives ;)

    Cheers, Jan.

    PS: also posted at the Spybot S&D forum at Net-Integration.
     


  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Jan,

    I had a problem with false positives also.... There were 5 that showed up on my system.... They are listed below....

    Regards,
    Kent
     


  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Re: Spybot S&D: False Positive On Some Hosts Entries?

    Hi Jan,

    I understand why these are reported. I think Patrick forgot to include a check if these entries were pointing to 127.0.0.1

    The reason why the hosts file is checked for these entries was first posted here: https://www.wilderssecurity.com/showthread.php?t=19885

    Since the link to the Tom Coyote forums does not work at the time, I will post a part of the hosts file installed by that CWS variant.

    Regards,

    Pieter
     
    Last edited by a moderator: Apr 11, 2004
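    The check Pieter describes, written out as an added example (this is not Spybot's code nor anything Pieter posted): a small HOSTS parser plus three variants of the CWS.SmartKiller "redirected host" test. The naive variant reports any watched hostname that appears in HOSTS, which is exactly why Jan's two entries were flagged; the second variant adds the missing test and only reports names pointed at 127.0.0.1 or 0.0.0.0; the third goes one step further and reports any watched name whose address differs from an expected value. The sample HOSTS text, the extra entries in it, and the "expected" addresses (taken from Jan's post, valid in 2004 but not authoritative today) are all constructed for this example.

```python
import ipaddress

# Constructed sample HOSTS file for this example. The grc.com and
# www.dslreports.com lines with real-looking addresses are the two entries
# FanJ quoted from his own HOSTS file; the remaining lines are made up here.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
204.1.226.226   grc.com
209.123.109.175 www.dslreports.com
127.0.0.1       ads.example.net         # ordinary ad-blocking entry
127.0.0.1       www.dslreports.com      # constructed: security site blackholed to loopback
192.0.2.10      grc.com                 # constructed: security site sent to a bogus address
"""

# Hostnames the thread says the CWS.SmartKiller hosts file tampers with
# (only the two names that appear in the thread are listed).
WATCHED_HOSTS = {"grc.com", "www.dslreports.com"}

# Addresses FanJ's own HOSTS file assigned to those names in Feb 2004,
# used here as the "expected" values; they are not authoritative today.
EXPECTED = {
    "grc.com": ipaddress.ip_address("204.1.226.226"),
    "www.dslreports.com": ipaddress.ip_address("209.123.109.175"),
}


def parse_hosts(text):
    """Yield (address, hostname) pairs from HOSTS text.

    Handles '#' comments, blank lines and several names on one line;
    lines whose first field is not an IP address are skipped.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield addr, name.lower()


def is_blackhole(addr):
    """True for loopback (127.x.x.x, ::1) or unspecified (0.0.0.0, ::) targets,
    the addresses a HOSTS entry uses to block a site rather than reach it."""
    return addr.is_loopback or addr.is_unspecified


def naive_check(text):
    """What FanJ saw: every watched hostname present in HOSTS is reported,
    no matter what address it maps to."""
    return [(str(a), n) for a, n in parse_hosts(text) if n in WATCHED_HOSTS]


def blackhole_check(text):
    """Pieter's missing check: report a watched hostname only when it is
    pointed at a blackhole address, i.e. when access to the site is blocked."""
    return [(str(a), n) for a, n in parse_hosts(text)
            if n in WATCHED_HOSTS and is_blackhole(a)]


def expected_address_check(text):
    """Stricter variant: report a watched hostname whenever its address differs
    from the expected one, which also catches redirection to a bogus host."""
    return [(str(a), n) for a, n in parse_hosts(text)
            if n in WATCHED_HOSTS and a != EXPECTED[n]]


if __name__ == "__main__":
    for label, fn in (("naive", naive_check),
                      ("blackhole only", blackhole_check),
                      ("expected address", expected_address_check)):
        print(f"{label}: {fn(SAMPLE_HOSTS)}")
```

    Run against the sample, the naive check lists all four watched lines (including Jan's two legitimate pins), the blackhole check lists only the loopback entry for www.dslreports.com, and the expected-address check lists that entry plus the 192.0.2.10 redirect of grc.com.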
  4. FanJ

    FanJ Guest

    Thanks Kent and Pieter :)

    Yep, I too was thinking that ;)

    What a r*ts that CWS :blink:

    PS:
    A hint for the people who are using TDS-3:
    Put your HOSTS file in your file crcfiles.txt.
    The crc32-test of TDS-3 will then alert you in case your HOSTS has been changed!
    FileChecker from Javacool will do the same for you!
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Lol. Here is a trick I learned from the QHosts trojan, how to change the location of the hosts file.

    This only works for Win2k and XP, so it is not of much use to you, FanJ (sorry).

    What I did is create a folder called fooledya in
    Windir\System32\drivers\etc
    where you will normally find the hosts file.

    Then copy the registry text below into Notepad and save it as hostsmove.reg

    Windows Registry Editor Version 5.00

    ; Sets DataBasePath (REG_EXPAND_SZ, stored as UTF-16LE hex) to %SystemRoot%\System32\drivers\etc\fooledya
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
    00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
    64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,5c,00,66,\
    00,6f,00,6f,00,6c,00,65,00,64,00,79,00,61,00,00,00


    Double-click hostsmove.reg and confirm you want to merge it with the registry.

    Then move the hosts file you are sure to be correct into the fooledya folder and preferably create a useless dupe (you can use the almost empty Windows example) in the normal directory.

    In fact I use two reg files to switch between those two hosts files (that is a trick I learned from LWM).

    Most hosts-hijackers check the windows version and then plant a new hosts file, or change the hosts file, in the default location.

    Note 1: Windir is the active Windows directory which would be C:\Windows for the majority.
    Note 2: Some programs may alert you to the hosts file not being in the default location.

    Regards,

    Pieter
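    An added example, not part of Pieter's post or of any tool named in the thread, that lets you verify a .reg file like the one above before merging it, and that also covers Jan's CRC hint from the previous reply: it decodes the hex(2) (REG_EXPAND_SZ, UTF-16LE) DataBasePath value back to a readable path, generates the same kind of .reg file for any folder name, works out where Windows will then read the hosts file from (Note 1's Windir), and compares a hosts file's CRC32 against a stored baseline. The 25-bytes-per-line wrapping in the generator and C:\WINDOWS as the default SystemRoot are assumptions of this example; the .reg text embedded in it is Pieter's, reproduced so the code runs offline.

```python
import re
import zlib

# The .reg text Pieter posted, reproduced here so the value can be decoded offline.
REG_SNIPPET = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,5c,00,66,\
00,6f,00,6f,00,6c,00,65,00,64,00,79,00,61,00,00,00
'''

TCPIP_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"


def hex2_bytes(reg_text, name):
    """Collect the raw bytes of a "name"=hex(2): value, following the
    trailing-backslash line continuations used in .reg files."""
    lines = reg_text.splitlines()
    prefix = f'"{name}"=hex(2):'
    for i, line in enumerate(lines):
        if not line.startswith(prefix):
            continue
        chunk = line[len(prefix):].strip()
        hex_text = ""
        while True:
            more = chunk.endswith("\\")
            hex_text += chunk.rstrip("\\")
            if not more:
                break
            i += 1
            chunk = lines[i].strip()
        return bytes(int(h, 16) for h in hex_text.split(",") if h)
    raise KeyError(f"{name} not found as a hex(2) value")


def decode_hex2(reg_text, name):
    """hex(2) is REG_EXPAND_SZ: UTF-16LE text followed by a terminating NUL."""
    return hex2_bytes(reg_text, name).decode("utf-16-le").rstrip("\x00")


def encode_hex2(name, value, per_line=25):
    """Emit a "name"=hex(2): value split across lines with trailing backslashes.
    The 25-bytes-per-line width is an assumption of this example; regedit only
    needs the continuation backslashes, not a particular width."""
    data = (value + "\x00").encode("utf-16-le")
    pairs = [f"{b:02x}" for b in data]
    out = []
    for start in range(0, len(pairs), per_line):
        head = f'"{name}"=hex(2):' if start == 0 else ""
        body = ",".join(pairs[start:start + per_line])
        tail = ",\\" if start + per_line < len(pairs) else ""
        out.append(head + body + tail)
    return "\n".join(out)


def make_hosts_move_reg(folder_name):
    """Full .reg file pointing DataBasePath at a sub-folder of the default
    location: the thread's trick, generalised to any folder name."""
    path = rf"%SystemRoot%\System32\drivers\etc\{folder_name}"
    return ("Windows Registry Editor Version 5.00\n\n"
            f"[{TCPIP_PARAMS}]\n" + encode_hex2("DataBasePath", path) + "\n")


def hosts_file_location(database_path, system_root=r"C:\WINDOWS"):
    """Where Windows will actually read 'hosts' from once %SystemRoot% is
    expanded (system_root is what Pieter's Note 1 calls Windir; C:\\WINDOWS is
    an assumed default)."""
    expanded = re.sub(r"%SystemRoot%", lambda _: system_root,
                      database_path, flags=re.IGNORECASE)
    return expanded.rstrip("\\") + r"\hosts"


def crc32_of(data):
    """CRC32 of the hosts file contents, the value a tool like TDS-3 stores as its baseline."""
    return zlib.crc32(data) & 0xFFFFFFFF


def hosts_changed(hosts_bytes, baseline_crc):
    """Jan's TDS-3 hint in code: True when the file no longer matches the baseline CRC."""
    return crc32_of(hosts_bytes) != baseline_crc


if __name__ == "__main__":
    path = decode_hex2(REG_SNIPPET, "DataBasePath")
    print("DataBasePath ->", path)
    print("hosts read from:", hosts_file_location(path))
    print(make_hosts_move_reg("fooledya"))
```

    Decoding Pieter's value yields %SystemRoot%\System32\drivers\etc\fooledya, and the generator produces the same bytes for that folder name, so the two functions check each other; the CRC comparison is what you would run against the file at the resolved location rather than at the default one, which is the point of Note 2.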
     
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Hello all,

    I was all of a sudden having a problem updating Trojan Hunter and A2. I was beating my head trying to figure out what was going on. I went to the TH forum and was looking at the topics involving update problems, and read a post by Randy Bell. He had the exact same problem as me, the only difference was he had deleted his hosts file. He had to put one back in order to update TH. This got me to thinking.

    Well, to make a long story short, I had just 2 days prior used the above registry tweak to move my host file. I did it exactly as Pieter posted including leaving a dummy hosts in the original location. I know the moved hosts was working properly as I use eDexter to show the blocked sites. I changed everything back to the way it was originally and now TH and A2 both update with no problem.

    So I guess what I am getting to is this. If you have used the above registry tweak and suddenly have problems with something updating, try changing back to the original configuration and see if that solves your problem. This is probably a rare thing to happen because I imagine not too many people have moved their hosts file by this registry tweak, and of the ones that have, not many use TH or A2. Although if it affects those two programs, it could affect others.

    Regards,
    Kent
     