Re: HOSTS File Hijack - Search Engines redirect to 64.191.95.139 in HOSTS file

From: Sean Kornish (countzero67@HOTMAIL.COM)
Date: Wed Oct 01 2003 - 12:13:22 CDT


It is most likely this trojan:
http://www.europe.f-secure.com/v-descs/delude.shtml

Clean up your cookies, remove any erroneous entries in your hosts file, and
set it to read-only. Also, I would recommend downloading a copy of
HijackThis (http://www.tomcoyote.org/hjt/) and removing any possibly
malicious entries.

-Sean Kornish

----- Original Message -----
From: "Edward Sullivan" <esullivan@KMA.COM>
To: <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Sent: Thursday, September 25, 2003 3:59 PM
Subject: HOSTS File Hijack - Search Engines redirect to 64.191.95.139 in HOSTS file

http://www.tweakxp.com/readNews.aspx?id=2048

Has anyone else encountered this, and any news on what spyware application
or trojan is hijacking the hosts file? We have an infected system offsite,
and have used SpyBot, PestPatrol, and AdAware and none seem to detect the
culprit. NAV signatures are up to date, and do not detect it either.

A more detailed description of the symptoms can be found here:

http://forums.techguy.org/t165625/s5ec145a8ddc56bd0afb7ce46ecaaa70e.html

Ed Sullivan
Director of Information Technology
esullivan@kma.com
KMA Direct Communications
Confidential and Proprietary
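
A hosts-file audit in the spirit of the cleanup Sean describes (an added example, not code from either poster): it parses a hosts file, flags every hostname that is pointed somewhere other than loopback or 0.0.0.0, groups the hijacked names by the address they are sent to, and returns the file with those lines stripped so the remaining entries can be written back and the file set read-only. The sample hosts content is constructed for the example; only the redirect address 64.191.95.139 comes from the thread.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of a hijacked Windows hosts file. The layout mimics the
# stock Microsoft file; the search-engine lines are the pattern the thread
# reports, with 64.191.95.139 taken from the thread's subject line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
64.191.95.139   www.google.com
64.191.95.139   google.com   # injected by the hijacker
64.191.95.139   www.altavista.com
64.191.95.139   search.yahoo.com
0.0.0.0         ads.example.net   # a blocklist-style entry, not a redirect
"""

Entry = Tuple[int, str, str]  # (line number, ip, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Return (line_number, ip, hostname) for every mapping in a hosts file.
    Comments (after '#') and blank lines are skipped; one address may be
    followed by several hostnames on the same line."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostname is noise, not a mapping
        ip, hosts = fields[0], fields[1:]
        for h in hosts:
            entries.append((lineno, ip, h.lower()))
    return entries


def is_benign_target(ip: str) -> bool:
    """Loopback (127.x, ::1) and the unspecified address 0.0.0.0 are the only
    targets a hosts entry normally points a public hostname at; anything else
    hands traffic for that name to a third party. Intranet entries pointing at
    private addresses will also fail this test and need an allowlist."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as suspicious
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text: str) -> List[Entry]:
    """Entries that redirect a hostname to a non-loopback address."""
    return [(n, ip, h) for n, ip, h in parse_hosts(text)
            if not is_benign_target(ip)]


def redirect_targets(text: str) -> Dict[str, List[str]]:
    """Group hijacked hostnames by destination address, so a single IP
    swallowing many search engines stands out at a glance."""
    by_ip: Dict[str, List[str]] = {}
    for _, ip, h in find_hijacks(text):
        by_ip.setdefault(ip, []).append(h)
    return by_ip


def clean_hosts(text: str) -> str:
    """Return the file with the redirecting lines removed; comments, blank
    lines and benign entries are preserved byte for byte."""
    bad_lines = {n for n, _, _ in find_hijacks(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), start=1)
            if n not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for ip, names in redirect_targets(SAMPLE_HOSTS).items():
        print(f"{ip} <- {', '.join(names)}")
    print("--- cleaned file ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On the infected machine the file to feed this is %SystemRoot%\system32\drivers\etc\hosts. Two caveats a practitioner would add to the read-only advice: the attribute only stops casual rewrites, since anything running with administrative rights can clear it, so if the entries come back after cleaning, the infection is still active; and legitimate intranet entries pointing at private addresses are reported too and should be allowlisted rather than deleted.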

