Zone Labs unreachable - a hijack?



#1 Dave Blake

Posted 06 July 2004 - 01:48 AM

Another friend with what sounds like a possible hijack problem (like buses, nothing then 2 at once!). For the past week they have been unable to reach the Zonelabs web site. Initially they could reach the home page but not the subscription renewal; now they can't see any part of the site. I am on the same ISP and I can get to the pages no problem, and the rest of the web is fine AFAIK.

When they enter www.zonelabs.com or even the direct IP address http://208.185.174.44 they get the timeout "page not found" for IP address 205.178.21.3.

Now 205.178.21.3 was the IP address of the Zone Labs servers in 2001, I don't know if they own that hardware any more but it does not have a web page. I wondered if it was a DNS lookup problem but the ISP insists that all their DNS servers are up to date and resolve to the correct IP address.

Why is their PC routing 208.185.174.44 to 205.178.21.3??

Same problem in both IE and Netscape.
No proxies defined (AFAIK).
Tried ipconfig /refresh
Tried deleting temporary files from IE.
Scanned clean with Adaware and Spybot (latest versions)
Scanned clean with anti-virus tools

However the HijackThis file is rather large, so I suspect there could be a problem. Could someone look at this please.

Logfile of HijackThis v1.98.0
Scan saved at 06:56:46, on 06/07/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ERASER\ERASER.EXE
C:\PROGRAM FILES\VTUNER\VTUNER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\DOWNLOADWIZARD\DOWNLOADWIZARD.EXE
C:\PROGRAM FILES\UKPHONE2\PHONE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\PROGRAM FILES\BLUEYONDER IST\BIN\MPBTN.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\OUTLOOK.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.blueyonder.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\li4h32qf.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\li4h32qf.slt\prefs.js)
O1 - Hosts: 12.108.162.119 www.penny-arcade.com
O1 - Hosts: 216.151.100.131 www.tweak3d.net
O1 - Hosts: 64.246.15.57 www.tweaktown.com
O1 - Hosts: 207.115.64.44 www.3dspotlight.com
O1 - Hosts: 66.96.206.87 www.tweakersasylum.com
O1 - Hosts: 64.246.24.94 www.majorgeeks.com
O1 - Hosts: 212.46.120.56 www.tweakpc.de
O1 - Hosts: 216.151.100.102 www.anandtech.com
O1 - Hosts: 216.26.163.153 www.tweakxp.com
O1 - Hosts: 209.197.70.66 www.magictweak.com
O1 - Hosts: 12.96.164.109 www.guru3d.com
O1 - Hosts: 209.197.108.216 tweakcentral.com
O1 - Hosts: 195.161.114.15 www.hardwareportal.ru
O1 - Hosts: 66.45.6.44 www.tweakmax.com
O1 - Hosts: 207.178.137.30 www.techextreme.com
O1 - Hosts: 64.41.153.210 www.maximumpc.com
O1 - Hosts: 66.77.24.3 www.winmag.com
O1 - Hosts: 216.40.238.204 www.hardcoreware.net
O1 - Hosts: 194.200.132.34 www.bluescreenofdeth.net
O1 - Hosts: 142.31.214.210 www.rojakpot.com
O1 - Hosts: 205.188.137.185 members.aol.com
O1 - Hosts: 207.38.1.105 www.gamespy.com
O1 - Hosts: 206.16.0.151 www.gamespot.com
O1 - Hosts: 64.28.67.150 www.slashdot.org
O1 - Hosts: 207.199.1.103 www.planetquake.com
O1 - Hosts: 24.237.4.113 www.somethingaweful.com
O1 - Hosts: 207.0.114.195 www.tabworldonline.com
O1 - Hosts: 205.181.128.80 www.geek.com
O1 - Hosts: 199.105.102.131 www.happypuppy.com
O1 - Hosts: 205.229.72.80 www.hothardware.com
O1 - Hosts: 216.34.72.161 www.millisec.com
O1 - Hosts: 209.249.33.4 www.msicomputer.com
O1 - Hosts: 208.249.124.215 www.overclockers.com
O1 - Hosts: 213.207.14.141 zoiah.m3dzone.com
O1 - Hosts: 209.247.194.100 babelfish.altavista.digital.com
O1 - Hosts: 208.254.3.130 www.techconnect.com
O1 - Hosts: 209.126.167.4 www.motherboards.org
O1 - Hosts: 192.18.97.241 www.sun.com
O1 - Hosts: 216.62.153.3 www.pinkmonkey.com
O1 - Hosts: 159.33.1.85 cbc.ca
O1 - Hosts: 166.70.10.23 www.computerhope.com
O1 - Hosts: 208.47.252.43 www.bootdisk.com
O1 - Hosts: 137.82.195.9 careerowl.ca
O1 - Hosts: 209.66.74.94 www.techbargains.com
O1 - Hosts: 206.47.148.163 www.pccanada.com
O1 - Hosts: 206.161.202.96 www.skinz.org
O1 - Hosts: 208.228.126.53 www.express.com
O1 - Hosts: 207.168.8.2 www.egghead.com
O1 - Hosts: 216.241.100.190 www.computersurplusoutlet.com
O1 - Hosts: 209.67.181.21 www.buy.com
O1 - Hosts: 206.253.222.67 www.2cooltek.com
O1 - Hosts: 209.247.72.66 www.nbc.com
O1 - Hosts: 209.116.0.210 www.litestep.net
O1 - Hosts: 66.54.2.140 www.fox.com
O1 - Hosts: 193.125.199.4 www.icqplus.org
O1 - Hosts: 208.51.196.21 www.customize.org
O1 - Hosts: 63.227.17.77 www.cognitivedistortion.com
O1 - Hosts: 63.226.107.3 www.darkstep.com
O1 - Hosts: 64.225.121.225 www.designsbymark.com
O1 - Hosts: 207.228.228.14 www.98lite.net
O1 - Hosts: 128.242.228.49 www.examnotes.com
O1 - Hosts: 64.14.126.119 www.brainbench.com
O1 - Hosts: 212.100.224.151 www.freeskills.com
O1 - Hosts: 63.146.189.25 www.brainbuzz.com
O1 - Hosts: 130.94.22.181 www.cert21.com
O1 - Hosts: 209.207.169.163 www.examdumps.net
O1 - Hosts: 207.250.47.107 www.techskills.com
O1 - Hosts: 207.250.47.105 testprep.techskills.com
O1 - Hosts: 216.167.48.217 www.cheat-sheets.com
O1 - Hosts: 216.247.236.108 www.3dcool.com
O1 - Hosts: 209.223.117.234 www.coolerguys.com
O1 - Hosts: 207.207.242.92 www.coldcpu.com
O1 - Hosts: 206.16.0.129 downloads.cnet.com
O1 - Hosts: 208.189.120.138 www.drivershq.com
O1 - Hosts: 63.236.73.232 www.windrivers.com
O1 - Hosts: 209.68.46.122 www.driversguide.com
O1 - Hosts: 216.52.8.178 www.bigfix.com
O1 - Hosts: 64.39.31.20 www.pcnineoneone.com
O1 - Hosts: 65.220.224.30 www.pcworld.com
O1 - Hosts: 209.157.71.37 www.homestead.com
O1 - Hosts: 66.218.77.70 www.geocities.com
O1 - Hosts: 204.57.71.1 www.pricewatch.com
O1 - Hosts: 64.94.16.111 www.mysimon.com
O1 - Hosts: 206.16.0.132 www.cnet.com
O1 - Hosts: 205.181.112.65 www.zdnet.com
O1 - Hosts: 208.45.133.23 www.excite.com
O1 - Hosts: 64.12.180.19 www.netscape.net
O1 - Hosts: 208.185.160.77 www.directhit.com
O1 - Hosts: 205.188.160.121 www.aol.com
O1 - Hosts: 66.150.2.83 www.webcrawler.com
O1 - Hosts: 63.236.73.97 www.searchenginewatch.com
O1 - Hosts: 208.165.28.71 www.netstrider.com
O1 - Hosts: 66.54.217.83 www.web-search.com
O1 - Hosts: 66.150.2.69 www.dogpile.com
O1 - Hosts: 204.202.140.215 www.go.com
O1 - Hosts: 204.71.128.215 www.goto.com
O1 - Hosts: 64.15.202.151 www.goto.com
O1 - Hosts: 63.251.36.20 www.about.com
O1 - Hosts: 65.214.39.7 www.askjeeves.com
O1 - Hosts: 166.90.143.6 www.3dfx.com
O1 - Hosts: 212.4.208.117 www.x3dfx.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\MSCONFIG.EXE /reminder
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
O4 - HKCU\..\Run: [tkonnect] C:\PROGRAM FILES\TISCALI\TKONNECT\TKONNECT.EXE updatemode
O4 - HKCU\..\Run: [vTunerStartUp] C:\PROGRA~1\VTUNER\vTuner.exe WinStart=Yes
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: eBot.lnk = C:\WINDOWS\DownloadWizard\DownloadWizard.exe
O4 - Startup: UK Phone Codes Pop Up.lnk = C:\Program Files\ukphone2\phone.exe
O4 - Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.euro.dell...gen/default.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.euro.dell.com/countries/uk/enu/gen/default.htm
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\supercd\IntraLaunch.CAB
O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalr...zard3.0.4.3.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.blueyond...tivePreQual.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.5.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O18 - Protocol: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\msero.dll
O18 - Protocol: msencarta - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\MSREF.DLL
O18 - Protocol: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\MSREF.DLL
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

Sorry this post is so long
Dave

#2 WinHelp2002

Posted 06 July 2004 - 09:04 AM

Hi,
Your log is basically clean ...

Try renaming your HOSTS file. Whatever you are using to create those entries is not correct, or is redirecting you. I only checked the first few but it's wrong!

[Example]
www.penny-arcade.com = 66.205.194.9
However your entry:
O1 - Hosts: 12.108.162.119 www.penny-arcade.com

www.tweak3d.net = 168.143.107.6
However your entry:
O1 - Hosts: 216.151.100.131 www.tweak3d.net

After renaming the HOSTS file ...
http://www.mvps.org/...osts.htm#Rename

Start | Run (type) "winipcfg" (no quotes)
Use the options there to clear the DNS cache.

FYI: 205.178.21.3 = zonelabs2.brainstorm.net
208.185.174.44 = www.zonelabs.com
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file
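Mike's diagnosis rests on one mechanism: the HOSTS file is consulted before DNS, so a public hostname pinned to a stale address (www.zonelabs.com mapped to its 2001 server, in this thread) makes the browser connect to the wrong host and time out, while a machine without that entry resolves normally. The script below is an added example for readers of this thread; it is not HijackThis, WinPatrol or the mvps.org HOSTS file. It parses either a raw HOSTS file or the "O1 - Hosts:" lines HijackThis reports, treats blocking-style entries (names pointed at 127.0.0.1, ::1 or 0.0.0.0) as benign, and flags every other entry that redirects a public name: unconditionally when no reference is available, or when it disagrees with a reference mapping. The sample HOSTS text and the reference dictionary are constructed for the example; the two reference addresses are the ones Mike quoted above and were current in July 2004 only.

```python
"""Audit a Windows HOSTS file, or the 'O1 - Hosts:' lines HijackThis extracts
from it, for entries that redirect public hostnames.

Added example; not HijackThis, WinPatrol or the mvps.org HOSTS file. A HOSTS
entry is consulted before DNS, so a public hostname pinned to a stale routable
address produces the symptom in the thread: connections go to the old address
and time out. Blocking-style files map names to 127.0.0.1 or 0.0.0.0; those
entries are treated as benign.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample HOSTS file: the two entries corrected in the thread,
# a benign blocking entry, and a hostname that appears twice.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example-tracker.test   # blocking-style entry
12.108.162.119  www.penny-arcade.com
216.151.100.131 www.tweak3d.net
204.71.128.215  www.goto.com
64.15.202.151   www.goto.com
"""

# Reference answers quoted in the thread (valid in July 2004 only); any
# current resolver output in the same {hostname: address} shape works.
REFERENCE_2004 = {
    "www.penny-arcade.com": "66.205.194.9",
    "www.tweak3d.net": "168.143.107.6",
}

O1_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")


@dataclass
class HostsEntry:
    ip: str
    hostname: str
    lineno: int


def parse_hosts(text):
    """Parse HOSTS-file text or HijackThis O1 lines into HostsEntry objects."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        m = O1_LINE.match(stripped)
        if m:
            entries.append(HostsEntry(m.group(1), m.group(2).lower(), lineno))
            continue
        # HOSTS syntax: <address> <hostname> [<alias> ...]  # comment
        fields = stripped.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; skip the malformed line
        for host in fields[1:]:
            entries.append(HostsEntry(fields[0], host.lower(), lineno))
    return entries


def is_blocking_address(ip):
    """127.0.0.1 / ::1 / 0.0.0.0 targets block a name rather than redirect it."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def audit(entries, reference=None):
    """Return (entry, reason) pairs for every entry that redirects a public name.

    Benign: localhost entries, blocking addresses, and entries that agree with
    the supplied reference mapping. A second mapping for a name already seen is
    reported separately, since only one of the two can take effect.
    """
    reference = reference or {}
    first_seen = {}
    findings = []
    for e in entries:
        if e.hostname in ("localhost", "localhost.localdomain"):
            continue
        if is_blocking_address(e.ip):
            continue
        if e.hostname in first_seen:
            findings.append((e, f"second mapping for a name already set on line "
                                f"{first_seen[e.hostname].lineno}; only one can take effect"))
            continue
        first_seen[e.hostname] = e
        expected = reference.get(e.hostname)
        if expected is None:
            findings.append((e, "public hostname pinned to a routable address; DNS is bypassed"))
        elif expected != e.ip:
            findings.append((e, f"maps to {e.ip} but the reference answer is {expected}"))
    return findings


def report(text, reference=None):
    """Audit text and return one readable line per finding."""
    return [f"line {e.lineno}: {e.ip:<16} {e.hostname}: {reason}"
            for e, reason in audit(parse_hosts(text), reference)]


if __name__ == "__main__":
    for line in report(SAMPLE_HOSTS, REFERENCE_2004):
        print(line)
```

On the sample input the audit reports four entries: both thread hostnames disagree with the reference, www.goto.com is pinned to a routable address, and its second line is a dead duplicate. Pointing `report()` at `C:\WINDOWS\HOSTS` (Windows 9x/ME) or `%SystemRoot%\System32\drivers\etc\hosts` (NT-based Windows) with a fresh reference mapping gives the same triage Mike did by hand for the first two lines of the log.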

#3 Dave Blake

Posted 06 July 2004 - 11:30 AM

Clean is good news, thank you.

I have now seen my friend's Hosts file and it has hundreds of entries, many, as you note, out of date or incorrect. They have no idea how it got like that and have not consciously created *any* entries and do not recognise most of them. From the time stamp and backup copies it has been edited recently by something. The odd thing is none of the entries seems to be really malicious, routing everything to some offensive site etc.; they are just incorrect and route to varied IP addresses that just don't have web pages on them (any more?). For example it sends Zonelabs.com to the IP address they were using in 2001.

I guessed that replacing this Hosts file would help, but I worry about how it got in that mess. I presumed there would be something nasty lurking somewhere. But you say the HJT log is basically clean, so the mystery remains.

Any ideas about what edited the Hosts file?

Thanks
Dave

#4 WinHelp2002

Posted 06 July 2004 - 11:51 AM

Hi,

Any ideas about what edited the Hosts file?

Usually these so-called "web accelerators" are the cause. You know the ones ... they advertise use our program and your browser will be 100 times faster!

Only thing is they don't work! If you are worried about changes to the HOSTS file you can make it "read only", and/or use the "Hosts Monitor" feature in WinPatrol.
http://www.mvps.org/...p2002/hosts.htm
Mike