Quote

---

Could be a remnant left over from from a SSD scan.

---

Ahh That makes sense. The file was probably removed by SSD but left the reg item and bogus Hosts file. I wonder if PMK is aware of any of this. I've been so busy lately that I just haven't been able to keep up with all the new nasty devs. Thx for all the help, Gail...much appreciated.

Holy crap! That IP belongs to a EV1 customer.

When going to the addy, a page comes up saying no website is cfged to that addy. The page belongs to cPanel http://www.cpanel.net/ Might be a good idea to get Ren to ask his buds @ ev1 about this.

--
-----
Spyware/Adware is NOT freeware, it costs all of us dearly. VOP SSD

So, it looks to me like the 207.XXX.XXX.XXX is here in town on one of the Rack boxes. (I think they are changing to EV1.Servers, BTW.)

That IP is resolving but not configed ? Hmmm...

So, does it make sense that LOP would use this IP for a redirect ?

Or I guess the question is why would anyone choose that IP ? Unless, it did have a site there... and it's already been 'corrected' ?

I'll make a call or two.

LurkHere

Nice work BTW, you all.

____

The folks in the data center are aware of the situation. Looks like it's a little early to tell if it's run it's course, but it is not being ignored. Your info has been submitted.

Thanx

LurkHere

I sure would like to get my hands on a copy of that file(iebs). It's location is very suspicious(LOP related or not) and I still can't find any ref to it containing any usefull info.

--
-----
Spyware/Adware is NOT freeware, it costs all of us dearly. VOP SSD

In Windows Explorer, from the 'Tools' menu at the top, choose 'Folder Options' and then the 'View' tab, and make sure 'Show hidden files and folders' is checked.

Probably a little late, in this case, but who knows ?

_____

They are going to check and see if that IP content changed recently. (The guys I talk with, and the group that pounds the keys be different.)

LurkHere

--
-----
Spyware/Adware is NOT freeware, it costs all of us dearly. VOP SSD

Being as I haven't been keeping up with things the past couple weeks, I didn't realize what might have happened. I think you might have been infected with a trojan. Could you please run a search for Aolfix.exe, o.reg, o2.reg, and o.vbs ? If these are found, I will give you further instructions.

Also, could you please get the new beta version of SSD found here; DirectDL http://www.safer-networking.org/files/spybotsd121.exe

Once installed(just overwrite...not necessary to uninstall present version this time), please update using the internal updater but in Settings/Settings/WebUpdate check the item detailed as 'Display also available beta versions' before updating and get the beta definitions as well.

EDIT: Almost forgot to mention, You'll need to choose from the mode tab; 'advanced mode' in order to see 'Settings'.

Then please run a scan but don't fix anything. Let me know if any new items appear.

I'm still working on 'iebs' but I can tell you it is not an executable. It is some type of script. It's real name and extension is; IEBS.EXE-03EE768C.pf

--
-----
Spyware/Adware is NOT freeware, it costs all of us dearly. VOP SSD

I ran the search on all those things the only one that I found was o.reg Viewinfo C:\Program Files\Yahoo!\messe...

Hope this helps

1)Download the FixQhost.exe file from: http://www.symantec.com/avcenter/FixQhost.exe.
2)Save the file to a convenient location, such as your downloads folder or the Windows desktop (or removable media known to be uninfected).
3)To check the authenticity of the digital signature, refer to the "Digital signature" section later in this writeup.(Not really necessary unless you are extremely paranoid as I have already checked it out )
4)If you are running Windows Me or XP, then disable System Restore. Refer to the "System Restore option in Windows Me/XP" section later in this writeup for further details.

--------------------------------------------------------------------------------
Note: This is done as a precaution to prevent the worm from accidentally being restored at a later date or from being detected by a scan. However, due to the changes that the worm makes to the registry, you may not be able to do this at this time. If you cannot, skip this for now. We recommend, however, that you do so after you have restored access to your system; doing so, will empty the System Restore folder and prevent possible future problems.
--------------------------------------------------------------------------------

5)Double-click the FixQhost.exe file to start the removal tool.
6)Click Start to begin the process, and then allow the tool to run.
7)Restart the computer.
8)Run the removal tool again to ensure that the system is clean.
9)If you are running Windows Me/XP, then re-enable System Restore.

--------------------------------------------------------------------------------
Note: The removal procedure may not be successful if Windows Me/XP System Restore is not disabled as previously directed, because Windows prevents outside programs from modifying System Restore.

--------------------------------------------------------------------------------

When the tool has finished running, you will see a message indicating whether Trojan.Qhosts infected the computer. In the case of a worm removal, the program displays the following results:

Total number of the scanned files
Number of deleted files
Number of terminated viral processes
Number of fixed registry entries

Ref; http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html

----
----

It wont hurt to run it even if you are clear of any leftover components. I've tested it on 9x, w2k, & XP with and without my own bogus reg items and it surprisingly did a good job even tho it is Symantec. If not on your first pass, perhaps by the second you'll get to see this;

bmeb.dll is a legit target. Remove it.
http://www.doxdesk.com/parasite/ILookup.html

Still haven't had time to check out the iebs yet.

--
-----
Spyware/Adware is NOT freeware, it costs all of us dearly. VOP SSD

IEBS appears to be a new or previously unknown component of WinShow. Info @ http://www.doxdesk.com/parasite/Winshow.html

When we finally get you all cleaned up. We need to discuss your security practices so that you will be able to avoid most of the garbage in the future.

Most important;

Anti-Virus

Application Firewall

Anti-Spy(bot killer)

Proper Browser Settings

Proper Email Practices

Blocking of Known Nasties

A good place to start learning; http://www.staff.uiuc.edu/~ehowes/main.htm Do not try to digest it all at once and always ask questions when in doubt. Also, try not to overdo...no sense having too many apps doing a single job. The best tools will USUALLY be the ones most acclaimed on the tech boards. Remember; the only dumb question is the one that doesn't get asked.

--
-----
Spyware/Adware is NOT freeware, it costs all of us dearly. VOP SSD

FYI on cPanel(the alledged QHosts site)

Ref; http://www.cpanel.net/contact.cgi

I'd like to hear from EV1 about this. Since Ren hasn't said any more about this, I guess I'll shoot them a note myself.

To jdr, I hope we haven't scared you too much and that you will be a regular at LH now. Glad it all worked out for you.

--
-----
Spyware/Adware is NOT freeware, it costs all of us dearly. VOP SSD