Velocity Reviews - Computer Hardware Reviews

"Security site" address in my Hosts file

George
11-02-2004
I've just noticed an extra address in my Hosts file. It is
www.dcresearch.com , 64.91.255.87.

This is the only address in addition to my own, so it stands out like a sore
thumb. I know I didn't put it there.

When I go to the website it appears to be a site that sells software for
security programs, eg Trojan Horses etc. My question is, why would this
address be in my hosts file? I've never accessed this site before. Is it a
genuine site?

GM


 
George
11-02-2004
Sorry. That was www.dcsresearch.com; I missed out the "s".


"George" <(E-Mail Removed)> wrote in message
newsXEhd.12300$(E-Mail Removed). ..
> I've just noticed an extra address in my Hosts file. It is
> www.dcresearch.com , 64.91.255.87.
>
> This is the only address in addition to my own, so it stands out like a sore
> thumb. I know I didn't put it there.
>
> When I go to the website it appears to be a site that sells software for
> security programs, eg Trojan Horses etc. My question is, why would this
> address be in my hosts file? I've never accessed this site before. Is it a
> genuine site?
>
> GM
>
>



 
Jim Watt
11-02-2004
On Tue, 2 Nov 2004 01:55:04 -0500, "George"
<(E-Mail Removed)> wrote:

>Sorry. That was www.dcsresearch.com I missed out the "s"
>
>
>"George" <(E-Mail Removed)> wrote in message
>newsXEhd.12300$(E-Mail Removed) ...
>> I've just noticed an extra address in my Hosts file. It is
>> www.dcresearch.com , 64.91.255.87.
>>
>> This is the only address in addition to my own, so it stands out like a sore
>> thumb. I know I didn't put it there.
>>
>> When I go to the website it appears to be a site that sells software for
>> security programs, eg Trojan Horses etc. My question is, why would this
>> address be in my hosts file? I've never accessed this site before. Is it a
>> genuine site?
>>
>> GM


It's just a site running links and popunder ads telling you your clock
is wrong, and download our synchroniser spyware crap.

Ignore it, it's crap.

--
Jim Watt
http://www.gibnet.com
 
Kerry Liles
11-02-2004
Surely it is crap, BUT how did it write an entry into your hosts file????
THAT is the real question.



"Jim Watt" <(E-Mail Removed)_way> wrote in message
news:(E-Mail Removed)...
> On Tue, 2 Nov 2004 01:55:04 -0500, "George"
> <(E-Mail Removed)> wrote:
>
> >Sorry. That was www.dcsresearch.com I missed out the "s"
> >
> >
> >"George" <(E-Mail Removed)> wrote in message
> >newsXEhd.12300$(E-Mail Removed) ...
> >> I've just noticed an extra address in my Hosts file. It is
> >> www.dcresearch.com , 64.91.255.87.
> >>
> >> This is the only address in addition to my own, so it stands out like a sore
> >> thumb. I know I didn't put it there.
> >>
> >> When I go to the website it appears to be a site that sells software for
> >> security programs, eg Trojan Horses etc. My question is, why would this
> >> address be in my hosts file? I've never accessed this site before. Is it a
> >> genuine site?
> >>
> >> GM

>
> It's just a site running links and popunder ads telling you your clock
> is wrong, and download our synchroniser spyware crap.
>
> Ignore it, it's crap.
>
> --
> Jim Watt
> http://www.gibnet.com



 
Vanguardx
11-02-2004
"George" <(E-Mail Removed)>
wrote in newsXEhd.12300$(E-Mail Removed):
> I've just noticed an extra address in my Hosts file. It is
> www.dcresearch.com , 64.91.255.87.
>
> This is the only address in addition to my own, so it stands out like a
> sore thumb. I know I didn't put it there.
>
> When I go to the website it appears to be a site that sells software
> for security programs, eg Trojan Horses etc. My question is, why
> would this address be in my hosts file? I've never accessed this site
> before. Is it a genuine site?
>
> GM


Presumably you meant the fields within the extra or questionable entry
were the other way around (where the IP address is listed first and then
followed by the IP name).

"nslookup www.dcsresearch.com" returns:
Name: www.dcsresearch.com
Address: 12.170.116.68

"nslookup 64.91.255.87" returns:
Name: diamondcs.com.au
Address: 64.91.255.87

So someone or something added an entry to your hosts file to redirect
you from www.dcsresearch.com to diamondcs.com.au. You enter
http://www.dcsresearch.com but end up at 64.91.255.87 (instead of
12.170.116.68). ARIN's WhoIs (http://ws.arin.net/cgi-bin/whois.pl)
lists 12.170.116.68 as allocated to AT&T Worldnet, so
www.dcsresearch.com is a customer of AT&T. ARIN's WhoIs lists
64.91.255.87 as allocated to LiquidWeb in Michigan, USA and yet the TLD
(top-level domain) for the domain was ".au" which is Australia. If you
run "tracert 64.91.255.87", you'll see it hit LiquidWeb.com and then
diamondcs.com.au. Could be LiquidWeb is a webhost provider.
http://whois.aunic.net/ lists the registrant for diamondcs.com.au
Diamond Computer Systems Pty. Ltd. in Melbourne (AU). A domain lookup
on dcsresearch.com says it is owned by Tri-State Computer Centre Ltd in
Pennsylvania, USA (which was also found at
http://tri-state-computer-centre-lim...ages-ads.com/).
So this hosts file entry would redirect you from Tri-State's
www.dcsresearch.com domain by IP name to Diamond's web site by IP
address that is webhosted by LiquidWeb.

When did you last run a full scan using a recently updated virus
program? Have you scanned for malware by using Ad-Aware and Spybot?

Isn't Diamond Computer Systems the makers of TDS-3, an anti-trojan
program? I did a Google on TDS-3 and it brought back
tds.diamondcs.com.au. I've seen lots of folks praise this anti-trojan
hunter program. While malware might add an entry to a hosts file to
keep you from getting to anti-virus/trojan/malware web sites, this entry
directs you to such a site.

--
_________________________________________________________________
******** Post replies to newsgroup - Share with others ********
Email: lh_811newsATyahooDOTcom and append "=NEWS=" to Subject.
_________________________________________________________________
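The check Vanguardx walks through by hand (read each hosts-file entry with the IP in the first field and compare it against what DNS returns) as an added Python example that is not part of the thread. The hosts text and the DNS answers are constructed to match the values quoted above and stand in for a live nslookup; it also flags the loopback "blackholing" pattern the post says malware uses against anti-virus sites, and the swapped-field form George first reported.

```python
import ipaddress

# Constructed hosts-file text modelled on the thread: the machine's own
# loopback entry plus the extra line George found (IP first, then name).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
64.91.255.87    www.dcsresearch.com
"""

# Constructed stand-in for the nslookup answers quoted in the thread, so the
# check runs offline; in practice this comes from a resolver query.
DNS_ANSWERS = {"localhost": "127.0.0.1", "www.dcsresearch.com": "12.170.116.68"}

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line_no, ip, names) per active entry, skipping comments/blanks.
    A line whose first field is not an IP (fields 'the other way around', as
    in the original post) is yielded with ip=None so it can be reported."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            yield n, None, fields
            continue
        yield n, ip, fields[1:]


def audit_hosts(text, dns):
    """Return (line_no, finding) for entries that override DNS: a non-loopback
    IP that differs from the resolver's answer (the redirect in the thread), or
    loopback on a non-local name (blackholing, as Vanguardx describes)."""
    findings = []
    for n, ip, names in parse_hosts(text):
        if ip is None:
            findings.append((n, "malformed entry (name before address)"))
            continue
        for name in (x.lower() for x in names):
            if ipaddress.ip_address(ip).is_loopback:
                if name not in LOCAL_NAMES:
                    findings.append((n, f"blackholes {name} to {ip}"))
            elif name not in dns:
                findings.append((n, f"overrides {name}, which DNS does not resolve"))
            elif dns[name] != ip:
                findings.append((n, f"redirects {name} from {dns[name]} to {ip}"))
    return findings
```

On Windows the file to feed in is %SystemRoot%\system32\drivers\etc\hosts; any finding other than the loopback/localhost line deserves the same whois and tracert follow-up the post describes.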

 
Richard S. Westmoreland
11-02-2004
"Kerry Liles" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Surely it is crap, BUT how did it write an entry into your hosts file????
> THAT is the real question.


You are infected with spyware, which made the change to your hosts file.

You could have either visited a site that exploited a hole in ActiveX,
JavaScript, VBScript, or Java - or you're running a program that runs the
spyware such as P2P or a free screensaver.

For a further analysis feel free to download HijackThis, copy it to a
dedicated folder, run it and copy/paste the log file for review.

HijackThis Log Analysis:
http://www.antisource.com/forum/index.php?forum=51

--
Richard S. Westmoreland
http://www.antisource.com


 
George
11-02-2004
> Presumably you meant the fields within the extra or questionable entry
> were the other way around (where the IP address is listed first and then
> followed by the IP name).


Yes, you are right.

> "nslookup www.dcsresearch.com" returns:
> Name: www.dcsresearch.com
> Address: 12.170.116.68
>
> "nslookup 64.91.255.87" returns:
> Name: diamondcs.com.au
> Address: 64.91.255.87
>
> So someone or something added an entry to your hosts file to redirect
> you from www.dcsresearch.com to diamondcs.com.au. You enter
> http://www.dcsresearch.com but end up at 64.91.255.87 (instead of
> 12.170.116.68). ARIN's WhoIs (http://ws.arin.net/cgi-bin/whois.pl)
> lists 12.170.116.68 as allocated to AT&T Worldnet, so
> www.dcsresearch.com is a customer of AT&T. ARIN's WhoIs lists
> 64.91.255.87 as allocated to LiquidWeb in Michigan, USA and yet the TLD
> (top-level domain) for the domain was ".au" which is Australia. If you
> run "tracert 64.91.255.87", you'll see it hit LiquidWeb.com and then
> diamondcs.com.au. Could be LiquidWeb is a webhost provider.
> http://whois.aunic.net/ lists the registrant for diamondcs.com.au
> Diamond Computer Systems Pty. Ltd. in Melbourne (AU). A domain lookup
> on dcsresearch.com says it is owned by Tri-State Computer Centre Ltd in
> Pennsylvania, USA (which was also found at
> http://tri-state-computer-centre-lim...ages-ads.com/).
> So this hosts file entry would redirect you from Tri-State's
> www.dcsresearch.com domain by IP name to Diamond's web site by IP
> address that is webhosted by LiquidWeb.
>
> When did you last run a full scan using a recently updated virus
> program? Have you scanned for malware by using Ad-Aware and Spybot?


I found the Hosts entry while cleaning out my computer using Spybot. I use
Norton AV regularly and have it running in the background all the time, but
recently I was seeing a lot of popups and a run of Spybot found several
spyware programs.

>
> Isn't Diamond Computer Systems the makers of TDS-3, an anti-trojan
> program? I did a Google on TDS-3 and it brought back
> tds.diamondcs.com.au. I've seen lots of folks praise this anti-trojan
> hunter program. While malware might add an entry to a hosts file to
> keep you from getting to anti-virus/trojan/malware web sites, this entry
> directs you to such a site.


Strange. Someone's obviously gone to a lot of trouble to do this.
Thanks for your input.
George

>
> --
> _________________________________________________________________
> ******** Post replies to newsgroup - Share with others ********
> Email: lh_811newsATyahooDOTcom and append "=NEWS=" to Subject.
> _________________________________________________________________
>



 
Jim Watt
11-02-2004
On Tue, 2 Nov 2004 10:24:41 -0500, "Kerry Liles" <(E-Mail Removed)>
wrote:

>Surely it is crap, BUT how did it write an entry into your hosts file????
>THAT is the real question.


No, the real question is WHY would anything bother
if the address matches the site.
--
Jim Watt
http://www.gibnet.com
 
David H. Lipman
11-03-2004
1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (personal free version)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download sysclean.com and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example, lpt230.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDoc...SysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
Reboot your PC.
8) If you are using WinME or WinXP, create a new Restore point

You can also try some of the below online scanners.

Trend:
http://housecall.antivirus.com
http://housecall.trendmicro.com

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

McAfee:
http://www.mcafee.com/myapps/mfs/default.asp

Panda:
http://www.pandasoftware.com/activescan/

Kaspersky:
http://www.kaspersky.com/de/scanforvirus

Symantec:
http://security.symantec.com/

BitDefender
http://www.bitdefender.com/scan/license.php

Freedom Online scanner
http://www.freedom.net/viruscenter/index.html


* * * Please report your results ! * * *

Dave




"George" <(E-Mail Removed)> wrote in message
newsXEhd.12300$(E-Mail Removed). ..
| I've just noticed an extra address in my Hosts file. It is
| www.dcresearch.com , 64.91.255.87.
|
| This is the only address in addition to my own, so it stands out like a sore
| thumb. I know I didn't put it there.
|
| When I go to the website it appears to be a site that sells software for
| security programs, eg Trojan Horses etc. My question is, why would this
| address be in my hosts file? I've never accessed this site before. Is it a
| genuine site?
|
| GM
|
|


 
George
11-06-2004
Thanks Dave.

I did all of that, and was shocked to find over 340 critical events & files
that I hastily quarantined and eliminated. This was within a day of running
Spybot and finding no problems, although I must say I have never flagged the
trackers and cookies on the Spybot program, so they may not have shown up
just because of the way I configured it.

All this in the presence of NAV running up-to-date virus definitions and the
Norton firewall.

Gees!

George


"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:E1Xhd.1048$7W.172@trnddc08...
> 1) Download the following three items...
>
> Trend Sysclean Package
> http://www.trendmicro.com/download/dcs.asp
>
> Latest Trend signature files.
> http://www.trendmicro.com/download/pattern.asp
>
> Adaware SE (personal free version)
> http://www.lavasoftusa.com/
>
> Create a directory.
> On drive "C:\"
> (e.g., "c:\New Folder")
> or the desktop
> (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
>
> Download sysclean.com and place it in that directory.
> Download the signature files (pattern files) by obtaining the ZIP file.
> For example, lpt230.zip
>
> Extract the contents of the ZIP file and place the contents in the same
> directory as
> sysclean.com.
>
> 2) Update Adaware with the latest definitions.
> 3) If you are using WinME or WinXP, disable System Restore
> http://vil.nai.com/vil/SystemHelpDoc...SysRestore.htm
> 4) Reboot your PC into Safe Mode
> 5) Using both the Trend Sysclean utility and Adaware, perform a Full
> Scan of your
> platform and clean/delete any infectors/parasites found.
> (a few cycles may be needed)
> 6) Restart your PC and perform a "final" Full Scan of your platform
> using both the
> Trend Sysclean utility and Adaware
> 7) If you are using WinME or WinXP, re-enable System Restore and
> re-apply any
> System Restore preferences, (e.g. HD space to use suggested 400 ~
> 600MB),
> Reboot your PC.
> 8) If you are using WinME or WinXP, create a new Restore point
>
> You can also try some of the below online scanners.
>
> Trend:
> http://housecall.antivirus.com
> http://housecall.trendmicro.com
>
> F-Secure:
> http://support.f-secure.com/enu/home/ols.shtml
>
> McAfee:
> http://www.mcafee.com/myapps/mfs/default.asp
>
> Panda:
> http://www.pandasoftware.com/activescan/
>
> Kaspersky:
> http://www.kaspersky.com/de/scanforvirus
>
> Symantec:
> http://security.symantec.com/
>
> BitDefender
> http://www.bitdefender.com/scan/license.php
>
> Freedom Online scanner
> http://www.freedom.net/viruscenter/index.html
>
>
> * * * Please report your results ! * * *
>
> Dave
>
>
>
>
> "George" <(E-Mail Removed)> wrote in message
> newsXEhd.12300$(E-Mail Removed). ..
> | I've just noticed an extra address in my Hosts file. It is
> | www.dcresearch.com , 64.91.255.87.
> |
> | This is the only address in addition to my own, so it stands out like a sore
> | thumb. I know I didn't put it there.
> |
> | When I go to the website it appears to be a site that sells software for
> | security programs, eg Trojan Horses etc. My question is, why would this
> | address be in my hosts file? I've never accessed this site before. Is it a
> | genuine site?
> |
> | GM
> |
> |
>
>



 