"Security site" address in my Hosts file

Discussion in 'Computer Security' started by George, Nov 2, 2004.

  1. George

    George Guest

    I've just noticed an extra address in my Hosts file. It is
    www.dcresearch.com , 64.91.255.87.

    This is the only address in addition to my own, so it stands out like a sore
    thumb. I know I didn't put it there.

    When I go to the website it appears to be a site that sells software for
    security programs, eg Trojan Horses etc. My question is, why would this
    address be in my hosts file? I've never accessed this site before. Is it a
    genuine site?

    GM
     
    George, Nov 2, 2004
    #1

  2. George

    George Guest

    Sorry. That was www.dcsresearch.com. I missed out the "s".


    "George" <> wrote in message
    news:DXEhd.12300$...
    > I've just noticed an extra address in my Hosts file. It is
    > www.dcresearch.com , 64.91.255.87.
    >
    > This is the only address in addition to my own, so it stands out like a sore
    > thumb. I know I didn't put it there.
    >
    > When I go to the website it appears to be a site that sells software for
    > security programs, eg Trojan Horses etc. My question is, why would this
    > address be in my hosts file? I've never accessed this site before. Is it a
    > genuine site?
    >
    > GM
    >
    >
     
    George, Nov 2, 2004
    #2

  3. Jim Watt

    Jim Watt Guest

    On Tue, 2 Nov 2004 01:55:04 -0500, "George"
    <> wrote:

    >Sorry. That was www.dcsresearch.com I missed out the "s"
    >
    >
    >"George" <> wrote in message
    >news:DXEhd.12300$...
    >> I've just noticed an extra address in my Hosts file. It is
    >> www.dcresearch.com , 64.91.255.87.
    >>
    >> This is the only address in addition to my own, so it stands out like a sore
    >> thumb. I know I didn't put it there.
    >>
    >> When I go to the website it appears to be a site that sells software for
    >> security programs, eg Trojan Horses etc. My question is, why would this
    >> address be in my hosts file? I've never accessed this site before. Is it a
    >> genuine site?
    >>
    >> GM


    It's just a site running links and popunder ads telling you your clock
    is wrong, and download our synchroniser spyware crap.

    Ignore it, it's crap.

    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Nov 2, 2004
    #3
  4. Kerry Liles

    Kerry Liles Guest

    Surely it is crap, BUT how did it write an entry into your hosts file????
    THAT is the real question.



    "Jim Watt" <_way> wrote in message
    news:...
    > On Tue, 2 Nov 2004 01:55:04 -0500, "George"
    > <> wrote:
    >
    > >Sorry. That was www.dcsresearch.com I missed out the "s"
    > >
    > >
    > >"George" <> wrote in message
    > >news:DXEhd.12300$...
    > >> I've just noticed an extra address in my Hosts file. It is
    > >> www.dcresearch.com , 64.91.255.87.
    > >>
    > >> This is the only address in addition to my own, so it stands out like a sore
    > >> thumb. I know I didn't put it there.
    > >>
    > >> When I go to the website it appears to be a site that sells software for
    > >> security programs, eg Trojan Horses etc. My question is, why would this
    > >> address be in my hosts file? I've never accessed this site before. Is it a
    > >> genuine site?
    > >>
    > >> GM

    >
    > It's just a site running links and popunder ads telling you your clock
    > is wrong, and download our synchroniser spyware crap.
    >
    > Ignore it, it's crap.
    >
    > --
    > Jim Watt
    > http://www.gibnet.com
     
    Kerry Liles, Nov 2, 2004
    #4
  5. Vanguardx

    Vanguardx Guest

    "George" <>
    wrote in news:DXEhd.12300$:
    > I've just noticed an extra address in my Hosts file. It is
    > www.dcresearch.com , 64.91.255.87.
    >
    > This is the only address in addition to my own, so it stands out like a
    > sore thumb. I know I didn't put it there.
    >
    > When I go to the website it appears to be a site that sells software
    > for security programs, eg Trojan Horses etc. My question is, why
    > would this address be in my hosts file? I've never accessed this site
    > before. Is it a genuine site?
    >
    > GM


    Presumably you meant the fields within the extra or questionable entry
    were the other way around (where the IP address is listed first and then
    followed by the IP name).

    "nslookup www.dcsresearch.com" returns:
    Name: www.dcsresearch.com
    Address: 12.170.116.68

    "nslookup 64.91.255.87" returns:
    Name: diamondcs.com.au
    Address: 64.91.255.87

    So someone or something added an entry to your hosts file to redirect
    you from www.dcsresearch.com to diamondcs.com.au. You enter
    http://www.dcsresearch.com but end up at 64.91.255.87 (instead of
    12.170.116.68). ARIN's WhoIs (http://ws.arin.net/cgi-bin/whois.pl)
    lists 12.170.116.68 as allocated to AT&T Worldnet, so
    www.dcsresearch.com is a customer of AT&T. ARIN's WhoIs lists
    64.91.255.87 as allocated to LiquidWeb in Michigan, USA and yet the TLD
    (top-level domain) for the domain was ".au" which is Australia. If you
    run "tracert 64.91.255.87", you'll see it hit LiquidWeb.com and then
    diamondcs.com.au. Could be LiquidWeb is a webhost provider.
    http://whois.aunic.net/ lists the registrant for diamondcs.com.au
    Diamond Computer Systems Pty. Ltd. in Melbourne (AU). A domain lookup
    on dcsresearch.com says it is owned by Tri-State Computer Centre Ltd in
    Pennsylvania, USA (which was also found at
    http://tri-state-computer-centre-limited.9900118303001.worldpages-ads.com/).
    So this hosts file entry would redirect you from Tri-State's
    www.dcsresearch.com domain by IP name to Diamond's web site by IP
    address that is webhosted by LiquidWeb.

    When did you last run a full scan using a recently updated virus
    program? Have you scanned for malware by using Ad-Aware and Spybot?

    Isn't Diamond Computer Systems the makers of TDS-3, an anti-trojan
    program? I did a Google on TDS-3 and it brought back
    tds.diamondcs.com.au. I've seen lots of folks praise this anti-trojan
    hunter program. While malware might add an entry to a hosts file to
    keep you from getting to anti-virus/trojan/malware web sites, this entry
    directs you to such a site.

    --
    _________________________________________________________________
    ******** Post replies to newsgroup - Share with others ********
    Email: lh_811newsATyahooDOTcom and append "=NEWS=" to Subject.
    _________________________________________________________________
     
    Vanguardx, Nov 2, 2004
    #5
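    An added defender-side check, written here in Python and not taken from any poster: it parses a hosts file the way Vanguardx reasons about it, skipping the normal loopback entry, reporting any public hostname whose hosts-file IP differs from what DNS answers, and recognising a line written backwards ("name , IP") as George first posted it. The sample hosts file and the DNS answers are constructed from the values quoted in this thread rather than queried live; a real audit would swap in socket.gethostbyname_ex for FAKE_DNS.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Set

# Constructed sample hosts file: the standard self entry plus the entry
# George reported (IP first, then name, as Vanguardx assumed).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
64.91.255.87    www.dcsresearch.com
"""

# Constructed stand-in for DNS (the answers Vanguardx's nslookup returned).
FAKE_DNS: Dict[str, Set[str]] = {
    "localhost": {"127.0.0.1"},
    "www.dcsresearch.com": {"12.170.116.68"},
}

# Mappings to these addresses are self/blocklist entries, not redirects.
LOCAL = {"127.0.0.1", "::1", "0.0.0.0"}


def is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def parse_hosts(text: str) -> List[dict]:
    """One record per mapping line: ip, names, and whether the fields
    were written backwards (hostname first, IP last)."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop comments and blanks
        if not line:
            continue
        fields = re.split(r"[\s,]+", line)     # tabs, spaces, stray commas
        ip, names, reversed_ = fields[0], fields[1:], False
        if not is_ip(ip) and names and is_ip(names[-1]):
            # "www.example.com , 1.2.3.4": swap so the IP is the key
            ip, names, reversed_ = names[-1], [ip] + names[:-1], True
        records.append({"line": lineno, "ip": ip, "names": names,
                        "reversed": reversed_})
    return records


def audit_hosts(text: str, resolve: Callable[[str], Set[str]]) -> List[str]:
    """Flag entries that send a hostname somewhere DNS does not."""
    findings = []
    for rec in parse_hosts(text):
        if rec["reversed"]:
            findings.append(f"line {rec['line']}: fields reversed (name before IP)")
        if rec["ip"] in LOCAL:
            continue
        for name in rec["names"]:
            dns = resolve(name)
            if rec["ip"] not in dns:
                findings.append(f"line {rec['line']}: {name} -> {rec['ip']} "
                                f"but DNS says {sorted(dns) or ['(no answer)']}")
    return findings


def demo() -> List[str]:
    """Audit the constructed sample against the constructed DNS table."""
    return audit_hosts(SAMPLE_HOSTS, lambda n: FAKE_DNS.get(n, set()))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```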
  6. Richard S. Westmoreland

    "Kerry Liles" <> wrote in message
    news:...
    > Surely it is crap, BUT how did it write an entry into your hosts file????
    > THAT is the real question.


    You are infected with spyware, which made the change to your hosts file.

    You could have either visited a site that exploited a hole in ActiveX,
    Javascript, VBScript, or Java - or you're running a program that runs the
    spyware such as P2P or a free screensaver.

    For a further analysis feel free to download HiJackThis, copy it to a
    dedicated folder, run it and copy/paste the log file for review.

    HiJackThis Log Analysis:
    http://www.antisource.com/forum/index.php?forum=51

    --
    Richard S. Westmoreland
    http://www.antisource.com
     
    Richard S. Westmoreland, Nov 2, 2004
    #6
  7. George

    George Guest

    > Presumably you meant the fields within the extra or questionable entry
    > were the other way around (where the IP address is listed first and then
    > followed by the IP name).


    Yes, you are right.

    > "nslookup www.dcsresearch.com" returns:
    > Name: www.dcsresearch.com
    > Address: 12.170.116.68
    >
    > "nslookup 64.91.255.87" returns:
    > Name: diamondcs.com.au
    > Address: 64.91.255.87
    >
    > So someone or something added an entry to your hosts file to redirect
    > you from www.dcsresearch.com to diamondcs.com.au. You enter
    > http://www.dcsresearch.com but end up at 64.91.255.87 (instead of
    > 12.170.116.68). ARIN's WhoIs (http://ws.arin.net/cgi-bin/whois.pl)
    > lists 12.170.116.68 as allocated to AT&T Worldnet, so
    > www.dcsresearch.com is a customer of AT&T. ARIN's WhoIs lists
    > 64.91.255.87 as allocated to LiquidWeb in Michigan, USA and yet the TLD
    > (top-level domain) for the domain was ".au" which is Australia. If you
    > run "tracert 64.91.255.87", you'll see it hit LiquidWeb.com and then
    > diamondcs.com.au. Could be LiquidWeb is a webhost provider.
    > http://whois.aunic.net/ lists the registrant for diamondcs.com.au
    > Diamond Computer Systems Pty. Ltd. in Melbourne (AU). A domain lookup
    > on dcsresearch.com says it is owned by Tri-State Computer Centre Ltd in
    > Pennsylvania, USA (which was also found at
    > http://tri-state-computer-centre-limited.9900118303001.worldpages-ads.com/).
    > So this hosts file entry would redirect you from Tri-State's
    > www.dcsresearch.com domain by IP name to Diamond's web site by IP
    > address that is webhosted by LiquidWeb.
    >
    > When did you last run a full scan using a recently updated virus
    > program? Have you scanned for malware by using Ad-Aware and Spybot?


    I found the Hosts entry while cleaning out my computer using Spybot. I use
    Norton AV regularly and have it running in the background all the time, but
    recently I was seeing a lot of popups and a run of Spybot found several
    spyware programs.

    >
    > Isn't Diamond Computer Systems the makers of TDS-3, an anti-trojan
    > program? I did a Google on TDS-3 and it brought back
    > tds.diamondcs.com.au. I've seen lots of folks praise this anti-trojan
    > hunter program. While malware might add an entry to a hosts file to
    > keep you from getting to anti-virus/trojan/malware web sites, this entry
    > directs you to such a site.


    Strange. Someone's obviously gone to a lot of trouble to do this.
    Thanks for your input.
    George

    >
    > --
    > _________________________________________________________________
    > ******** Post replies to newsgroup - Share with others ********
    > Email: lh_811newsATyahooDOTcom and append "=NEWS=" to Subject.
    > _________________________________________________________________
    >
     
    George, Nov 2, 2004
    #7
  8. Jim Watt

    Jim Watt Guest

    On Tue, 2 Nov 2004 10:24:41 -0500, "Kerry Liles" <>
    wrote:

    >Surely it is crap, BUT how did it write an entry into your hosts file????
    >THAT is the real question.


    No, the real question is WHY would anything bother
    if the address matches the site.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Nov 2, 2004
    #8
  9. David H. Lipman

    1) Download the following three items...

    Trend Sysclean Package
    http://www.trendmicro.com/download/dcs.asp

    Latest Trend signature files.
    http://www.trendmicro.com/download/pattern.asp

    Adaware SE (personal free version)
    http://www.lavasoftusa.com/

    Create a directory.
    On drive "C:\"
    (e.g., "c:\New Folder")
    or the desktop
    (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

    Download sysclean.com and place it in that directory.
    Download the signature files (pattern files) by obtaining the ZIP file.
    For example; lpt230.zip

    Extract the contents of the ZIP file and place the contents in the same directory as
    sysclean.com.

    2) Update Adaware with the latest definitions.
    3) If you are using WinME or WinXP, disable System Restore
    http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
    4) Reboot your PC into Safe Mode
    5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
    platform and clean/delete any infectors/parasites found.
    (a few cycles may be needed)
    6) Restart your PC and perform a "final" Full Scan of your platform using both the
    Trend Sysclean utility and Adaware
    7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
    System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
    8) Reboot your PC.
    9) If you are using WinME or WinXP, create a new Restore point

    You can also try some of the below online scanners.

    Trend:
    http://housecall.antivirus.com
    http://housecall.trendmicro.com

    F-Secure:
    http://support.f-secure.com/enu/home/ols.shtml

    McAfee:
    http://www.mcafee.com/myapps/mfs/default.asp

    Panda:
    http://www.pandasoftware.com/activescan/

    Kaspersky:
    http://www.kaspersky.com/de/scanforvirus

    Symantec:
    http://security.symantec.com/

    BitDefender
    http://www.bitdefender.com/scan/license.php

    Freedom Online scanner
    http://www.freedom.net/viruscenter/index.html


    * * * Please report your results ! * * *

    Dave




    "George" <> wrote in message
    news:DXEhd.12300$...
    | I've just noticed an extra address in my Hosts file. It is
    | www.dcresearch.com , 64.91.255.87.
    |
    | This is the only address in addition to my own, so it stands out like a sore
    | thumb. I know I didn't put it there.
    |
    | When I go to the website it appears to be a site that sells software for
    | security programs, eg Trojan Horses etc. My question is, why would this
    | address be in my hosts file? I've never accessed this site before. Is it a
    | genuine site?
    |
    | GM
    |
    |
     
    David H. Lipman, Nov 3, 2004
    #9
  10. George

    George Guest

    Thanks Dave.

    I did all of that, and was shocked to find over 340 critical events & files
    that I hastily quarantined and eliminated. This was within a day of running
    spybot and finding no problems, although I must say I have never flagged the
    trackers and cookies on the spybot program, so they may not have shown up
    just because of the way I configured it.

    All this in the presence of NAV running up-to-date virus definitions and the
    Norton firewall.

    Gees!

    George


    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:E1Xhd.1048$7W.172@trnddc08...
    > 1) Download the following three items...
    >
    > Trend Sysclean Package
    > http://www.trendmicro.com/download/dcs.asp
    >
    > Latest Trend signature files.
    > http://www.trendmicro.com/download/pattern.asp
    >
    > Adaware SE (personal free version)
    > http://www.lavasoftusa.com/
    >
    > Create a directory.
    > On drive "C:\"
    > (e.g., "c:\New Folder")
    > or the desktop
    > (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
    >
    > Download sysclean.com and place it in that directory.
    > Download the signature files (pattern files) by obtaining the ZIP file.
    > For example; lpt230.zip
    >
    > Extract the contents of the ZIP file and place the contents in the same
    > directory as
    > sysclean.com.
    >
    > 2) Update Adaware with the latest definitions.
    > 3) If you are using WinME or WinXP, disable System Restore
    > http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
    > 4) Reboot your PC into Safe Mode
    > 5) Using both the Trend Sysclean utility and Adaware, perform a Full
    > Scan of your
    > platform and clean/delete any infectors/parasites found.
    > (a few cycles may be needed)
    > 6) Restart your PC and perform a "final" Full Scan of your platform
    > using both the
    > Trend Sysclean utility and Adaware
    > 7) If you are using WinME or WinXP, re-enable System Restore and
    > re-apply any
    > System Restore preferences, (e.g. HD space to use suggested 400 ~
    > 600MB),
    > 8) Reboot your PC.
    > 9) If you are using WinME or WinXP, create a new Restore point
    >
    > You can also try some of the below online scanners.
    >
    > Trend:
    > http://housecall.antivirus.com
    > http://housecall.trendmicro.com
    >
    > F-Secure:
    > http://support.f-secure.com/enu/home/ols.shtml
    >
    > McAfee:
    > http://www.mcafee.com/myapps/mfs/default.asp
    >
    > Panda:
    > http://www.pandasoftware.com/activescan/
    >
    > Kaspersky:
    > http://www.kaspersky.com/de/scanforvirus
    >
    > Symantec:
    > http://security.symantec.com/
    >
    > BitDefender
    > http://www.bitdefender.com/scan/license.php
    >
    > Freedom Online scanner
    > http://www.freedom.net/viruscenter/index.html
    >
    >
    > * * * Please report your results ! * * *
    >
    > Dave
    >
    >
    >
    >
    > "George" <> wrote in message
    > news:DXEhd.12300$...
    > | I've just noticed an extra address in my Hosts file. It is
    > | www.dcresearch.com , 64.91.255.87.
    > |
    > | This is the only address in addition to my own, so it stands out like a sore
    > | thumb. I know I didn't put it there.
    > |
    > | When I go to the website it appears to be a site that sells software for
    > | security programs, eg Trojan Horses etc. My question is, why would this
    > | address be in my hosts file? I've never accessed this site before. Is it a
    > | genuine site?
    > |
    > | GM
    > |
    > |
    >
    >
     
    George, Nov 6, 2004
    #10
  11. Jim Watt

    Jim Watt Guest

    On Sat, 6 Nov 2004 15:05:01 -0500, "George"
    <> wrote:

    <snip>

    On the original topic, I see there is a report of a new malicious
    attempt to obtain your bank details which involves writing a bogus
    entry in the hosts file which redirects an innocent looking URL to
    the evil bastards' lookalike website;

    Hmmmm.


    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Nov 6, 2004
    #11
  12. Leythos

    Leythos Guest

    In article <R7ajd.29059$>,
    says...
    > All this in the presence of NAV running up-to-date virus definitions and the
    > Norton firewall.


    NAV is antivirus, not anti-spyware. NAV is reactionary, not proactive.
    Firewalls, running on a used computer are only as effective as the user
    that manages them.

    I just wiped and reinstalled a person's system, it was dialing out and
    cost them $700 last month on their phone bill. I used NAV 2004, updates,
    XP SP2, and SBS&D, and manually edited the registry and was unable to
    remove it completely. I used AA latest version and it found another 200+
    things, mostly cookies, but it also found 7 instances of DLL's with the
    dialer in it. SBS&D would detect the "registry" entries, but could not
    detect the files that were loading it.

    Even after cleaning the system I was uncomfortable with the solution,
    although it appeared clean, I didn't trust it, and I wiped/reinstalled.

    --
    --

    (Remove 999 to reply to me)
     
    Leythos, Nov 6, 2004
    #12
  13. patricio

    patricio Guest

    "George" <> wrote in message
    news:R7ajd.29059$...
    > Thanks Dave.
    >
    > I did all of that, and was shocked to find over 340 critical events & files
    > that I hastily quarantined and eliminated. This was within a day of running
    > spybot and finding no problems, although I must say I have never flagged the
    > trackers and cookies on the spybot program, so they may not have shown up
    > just because of the way I configured it.
    >
    > All this in the presence of NAV running up-to-date virus definitions and the
    > Norton firewall.
    >
    > Gees!
    >
    > George
    >
    >
    > "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    > news:E1Xhd.1048$7W.172@trnddc08...
    > > 1) Download the following three items...
    > >
    > > Trend Sysclean Package
    > > http://www.trendmicro.com/download/dcs.asp
    > >
    > > Latest Trend signature files.
    > > http://www.trendmicro.com/download/pattern.asp
    > >
    > > Adaware SE (personal free version)
    > > http://www.lavasoftusa.com/
    > >
    > > Create a directory.
    > > On drive "C:\"
    > > (e.g., "c:\New Folder")
    > > or the desktop
    > > (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
    > >
    > > Download sysclean.com and place it in that directory.
    > > Download the signature files (pattern files) by obtaining the ZIP file.
    > > For example; lpt230.zip
    > >
    > > Extract the contents of the ZIP file and place the contents in the same
    > > directory as
    > > sysclean.com.
    > >
    > > 2) Update Adaware with the latest definitions.
    > > 3) If you are using WinME or WinXP, disable System Restore
    > > http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
    > > 4) Reboot your PC into Safe Mode
    > > 5) Using both the Trend Sysclean utility and Adaware, perform a Full
    > > Scan of your
    > > platform and clean/delete any infectors/parasites found.
    > > (a few cycles may be needed)
    > > 6) Restart your PC and perform a "final" Full Scan of your platform
    > > using both the
    > > Trend Sysclean utility and Adaware
    > > 7) If you are using WinME or WinXP, re-enable System Restore and
    > > re-apply any
    > > System Restore preferences, (e.g. HD space to use suggested 400 ~
    > > 600MB),
    > > 8) Reboot your PC.
    > > 9) If you are using WinME or WinXP, create a new Restore point
    > >
    > > You can also try some of the below online scanners.
    > >
    > > Trend:
    > > http://housecall.antivirus.com
    > > http://housecall.trendmicro.com
    > >
    > > F-Secure:
    > > http://support.f-secure.com/enu/home/ols.shtml
    > >
    > > McAfee:
    > > http://www.mcafee.com/myapps/mfs/default.asp
    > >
    > > Panda:
    > > http://www.pandasoftware.com/activescan/
    > >
    > > Kaspersky:
    > > http://www.kaspersky.com/de/scanforvirus
    > >
    > > Symantec:
    > > http://security.symantec.com/
    > >
    > > BitDefender
    > > http://www.bitdefender.com/scan/license.php
    > >
    > > Freedom Online scanner
    > > http://www.freedom.net/viruscenter/index.html
    > >
    > >
    > > * * * Please report your results ! * * *
    > >
    > > Dave
    > >
    > >
    > >
    > >
    > > "George" <> wrote in message
    > > news:DXEhd.12300$...
    > > | I've just noticed an extra address in my Hosts file. It is
    > > | www.dcresearch.com , 64.91.255.87.
    > > |
    > > | This is the only address in addition to my own, so it stands out like a sore
    > > | thumb. I know I didn't put it there.
    > > |
    > > | When I go to the website it appears to be a site that sells software for
    > > | security programs, eg Trojan Horses etc. My question is, why would this
    > > | address be in my hosts file? I've never accessed this site before. Is it a
    > > | genuine site?
    > > |
    > > | GM
    > > |
    > > |
    > >
    > > How well you write

    >
    >
     
    patricio, Nov 15, 2004
    #13