A strange hack of sorts...which my anti virus does not find

EtherealFlash
Posts: 15
Joined: Fri Aug 10, 2007 12:30 am
Location: Raleigh, NC

#1 Post by EtherealFlash » Thu Aug 23, 2007 9:54 am

So basically, I believe some program has changed some setting on my computer so that whenever I try to connect to a certain server (in this case Blizzard's battle.net) it is either:

1) rerouting me to another server (probably the hackers' own server in an attempt to steal my CD key during the CD key verification process)

or

2) just blocking the connection

I heard that there is some file on the computer which directs this whole rerouting the connection stuff, but I have no idea where it is. Also my antiviral/antispyware software has no clue what the heck is going on. Any ideas on what to do?

EtherealFlash
Posts: 15
Joined: Fri Aug 10, 2007 12:30 am
Location: Raleigh, NC

#2 Post by EtherealFlash » Thu Aug 23, 2007 9:56 am

btw I have a T43

richk
Moderator
Posts: 2911
Joined: Sun Jan 01, 2006 3:29 pm
Location: San Francisco, CA

#3 Post by richk » Thu Aug 23, 2007 10:18 am

Look for a file named LMHOSTS. It is the way IP addresses can be redirected. A virus could redirect by sticking an address mapping in there.

GomJabbar
Moderator
Posts: 9765
Joined: Tue Jun 07, 2005 6:57 am

#4 Post by GomJabbar » Thu Aug 23, 2007 11:17 am

I suggest you download Spybot, install it, download and install all the updates, then boot up into Windows SAFE MODE and run a full scan.

http://www.safer-networking.org/en/index.html
DKB

jargoone
Sophomore Member
Posts: 169
Joined: Fri Mar 23, 2007 10:04 am
Location: Central, OH

#5 Post by jargoone » Thu Aug 23, 2007 3:14 pm

Your name resolution is being affected somehow.

Look in c:\windows\system32\drivers\etc\hosts. Any line beginning with "#" is ignored. You should only see this line at the bottom:

Code:

127.0.0.1       localhost

If you see anything that's an IP address followed by something.blizzard.com, remove it.

Also, check your DNS settings by opening a command prompt (Start|Run|cmd) and checking the output of "ipconfig /all". Your DNS server should be set to your router (if you have one) and/or some IP belonging to your ISP. It's hard to debug this, so post what the IP is and I can probably tell you if it's right.
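The hosts-file check described above, written out as an added example (not code from the thread): it applies the parsing rules jargoone gives (one mapping per line, IP first, anything after "#" ignored) and sorts every mapping other than the stock localhost lines into the two outcomes the original post worried about, redirect to another host or a blocked connection. The sample hosts content and the 203.0.113.45 address are constructed for the example.

```python
import ipaddress

# Constructed sample: the stock Windows header plus two injected lines of the
# kind discussed in the thread (addresses and host names are made up here).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
::1             localhost
203.0.113.45    us.battle.net        # constructed: sends traffic elsewhere
127.0.0.1       useast.battle.net    # constructed: black-holes the server
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs for every active mapping in a hosts file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # a '#' starts a comment
        if not line:
            continue
        fields = line.split()                 # IP, then one or more names
        if len(fields) < 2:
            continue                          # no hostname: nothing to map
        for name in fields[1:]:
            entries.append((fields[0], name.lower()))
    return entries

def suspicious_entries(text):
    """Flag every mapping except loopback -> localhost, which is all a stock
    Windows hosts file should contain. Loopback or 0.0.0.0 targets block the
    named host; any other target sends its traffic to a different machine."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback and name == "localhost":
            continue
        if addr.is_loopback or addr.is_unspecified:
            flagged.append((ip, name, "blocked (black-holed)"))
        else:
            flagged.append((ip, name, "redirected to another host"))
    return flagged

if __name__ == "__main__":
    for ip, name, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<24} {why}")
```

To run it against a real machine, pass the contents of c:\windows\system32\drivers\etc\hosts to suspicious_entries instead of the sample string; an empty result means the file only holds the two localhost lines.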

egibbs
Senior Member
Posts: 896
Joined: Tue Apr 27, 2004 6:05 am
Location: New Jersey

#6 Post by egibbs » Thu Aug 23, 2007 5:45 pm

It's much more likely a misconfiguration than a hack, but Trend Micro has a pretty good online scanner - www.trendmicro.com

Ed Gibbs

EtherealFlash
Posts: 15
Joined: Fri Aug 10, 2007 12:30 am
Location: Raleigh, NC

#7 Post by EtherealFlash » Fri Aug 24, 2007 12:04 am

So the two files:

First, the one in system32:

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
::1 localhost
Then the one you get from cmd:
Wireless LAN adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 11a/b/g Wireless LAN Mini PCI Adapter II
Physical Address. . . . . . . . . : 00-14-A4-0E-A5-2F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : 00-11-25-D1-3C-A0
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::ac6d:9496:8788:1871%9(Preferred)
IPv4 Address. . . . . . . . . . . : 152.23.210.169(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.248.0
Lease Obtained. . . . . . . . . . : Thursday, August 23, 2007 5:06:34 PM
Lease Expires . . . . . . . . . . : Friday, August 24, 2007 1:30:25 AM
Default Gateway . . . . . . . . . : 152.23.208.1
DHCP Server . . . . . . . . . . . : 152.2.253.100
DHCPv6 IAID . . . . . . . . . . . : 218108197
DNS Servers . . . . . . . . . . . : 152.2.253.100
152.2.21.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{616D246D-0F7A-4A15-9DCD-E61810CD54BF}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::200:5efe:152.23.210.169%13(Preferred)
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 152.2.253.100
152.2.21.1
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{8BC1CDCF-FCFF-4F26-84F6-CCDD5B4D7E53}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 10:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Temporary IPv6 Address. . . . . . : 2002:9817:d2a9::9817:d2a9(Preferred)
Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
DNS Servers . . . . . . . . . . . : 152.2.253.100
152.2.21.1
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 11:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4136:e390:34a3:96b:67e8:2d56(Preferred)
Link-local IPv6 Address . . . . . : fe80::34a3:96b:67e8:2d56%11(Preferred)
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled

GACrabill
Junior Member
Posts: 402
Joined: Thu Jul 22, 2004 11:26 pm
Location: Indiana

#8 Post by GACrabill » Fri Aug 24, 2007 10:45 pm

A number of the anti-virus programs will not find this type of infection.

If I had to fix this (and I have fixed a number of things like this for family, friends, neighbors, etc.), I would start by running all of the following free anti-crapware software:
- SpywareBlaster
- Spybot
- Ad-Aware
- AVG Anti-Spyware
- AVG Anti-Rootkit
- Super AntiSpyware

What anti-virus software are you currently using?
