PC Review



CAN'T KILL KEYLOGGER SPYWARE help.komsomolka.info

 
 
tolstoi
15th Apr 2006
My Browser history shows that every link I visit INCLUDING EMAIL LOGINS WITH
PASSWORDS is logged into a cookie and transmitted invisibly to
help.komsomolka.info. I've set my security to block every connection with
that domain; does not help. I've scanned the registry and files. Nothing.
I installed CounterSpy, ran Spybot, updated IE6 with Service Release and
security patches. IT REALLY WON'T DISAPPEAR.

(E-Mail Removed)
 
RWS
15th Apr 2006
"tolstoi" <(E-Mail Removed)> wrote in message
news:A0E541F8-2729-4BB1-9ACA-(E-Mail Removed)...
> My Browser history shows that every link I visit INCLUDING EMAIL LOGINS WITH
> PASSWORDS is logged into a cookie and transmitted invisibly to
> help.komsomolka.info. I've set my security to block every connection with
> that domain; does not help. I've scanned the registry and files. Nothing.
> I installed CounterSpy, ran Spybot, updated IE6 with Service Release and
> security patches. IT REALLY WON'T DISAPPEAR.
>
> (E-Mail Removed)

-----------------------------------------------------------
Try Rootkit Revealer

http://www.sysinternals.com/Utilitie...tRevealer.html
-----------------------------------------------------------


 
Thota Umesh
16th Apr 2006
ER: Emergency Rescue: Hi, add the URL help.komsomolka.info to your hosts file,
addressing it to the home IP, until you find out the culprit on your system. By adding
it to your hosts file, nothing will go to the URL, as it gets routed to home.
Add this to your hosts file, located at windows\system32\drivers\etc.

127.0.0.1 help.komsomolka.info

Also report to the domain host; for the following, do a DNS lookup and report
abuse!

"tolstoi" <(E-Mail Removed)> wrote in message
news:A0E541F8-2729-4BB1-9ACA-(E-Mail Removed)...
> My Browser history shows that every link I visit INCLUDING EMAIL LOGINS
> WITH
> PASSWORDS is logged into a cookie and transmitted invisibly to
> help.komsomolka.info. I've set my security to block every connection with
> that domain; does not help. I've scanned the registry and files.
> Nothing.
> I installed CounterSpy, ran Spybot, updated IE6 with Service Release and
> security patches. IT REALLY WON'T DISAPPEAR.
>
> (E-Mail Removed)



 
siljaline
16th Apr 2006
"Thota Umesh" wrote:
> ER: Emergency Rescue: Hi, add the URL help.komsomolka.info to your hosts file,
> addressing it to the home IP, until you find out the culprit on your system. By adding it to
> your hosts file, nothing will go to the URL, as it gets routed to home.
> Add this to your hosts file, located at windows\system32\drivers\etc.
>
> 127.0.0.1 help.komsomolka.info
>
> Also report to the domain host; for the following, do a DNS lookup and report abuse!


Under typical circumstances, this would be most excellent advice, assuming the
user is running a custom HOSTS file.
Additionally, this site in question has been suspended - it is not active at this
time.

Silj

--
siljaline

MS - MVP Windows (IE/OE) & Security, AH-VSOP
_________________________________________
Security Tools Updates
http://aumha.net/viewforum.php?f=31

Reply to group, as return address
is invalid that we may all benefit.


 
tolstoi
16th Apr 2006
Site help.komsomolka.info IS NOT SUSPENDED. That's part of their scam. They
make it appear that the site is suspended. VERY CLEVER.

I am not familiar with the HOSTS file.
There is a file in c:\WINNT\system32\drivers\etc.

It contains these lines:
# System Hosts File
# DO NOT REMOVE IT !
127.0.0.1 localhost

I am adding one line, it now reads:
# System Hosts File
# DO NOT REMOVE IT !
127.0.0.1 localhost
127.0.0.1 help.komsomolka.info

--- end of file ---
Is this right?
Thanks.
- CarlD trimagna at yahoo dot com

"siljaline" wrote:

> "Thota Umesh" wrote:
> > ER: Emergency Rescue: Hi, add the URL help.komsomolka.info to your hosts file,
> > addressing it to the home IP, until you find out the culprit on your system. By adding it to
> > your hosts file, nothing will go to the URL, as it gets routed to home.
> > Add this to your hosts file, located at windows\system32\drivers\etc.
> >
> > 127.0.0.1 help.komsomolka.info
> >
> > Also report to the domain host; for the following, do a DNS lookup and report abuse!
>
> Under typical circumstances, this would be most excellent advice, assuming the
> user is running a custom HOSTS file.
> Additionally, this site in question has been suspended - it is not active at this
> time.
>
> Silj
>
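
As an added example (not part of any post in this thread), one way to check that an edited hosts file really maps the domain to the local machine, run here against the file exactly as posted above. The function names and status labels are illustrative choices made for this example.

```python
import ipaddress

# The hosts file as posted in the thread, after the new line was added.
POSTED_HOSTS = """\
# System Hosts File
# DO NOT REMOVE IT !
127.0.0.1 localhost
127.0.0.1 help.komsomolka.info
"""

def parse_hosts(text):
    """Map each hostname to the list of addresses assigned to it."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and padding
        fields = line.split()                    # address, then one or more names
        if len(fields) < 2:
            continue                             # blank, or an address with no name
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an IP: ignore line
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), []).append(addr)
    return table

def sinkhole_status(text, domain):
    """Return 'blocked', 'conflict', 'redirected' or 'missing' for one hostname."""
    addrs = parse_hosts(text).get(domain.lower().rstrip("."), [])
    if not addrs:
        return "missing"
    local = [a.is_loopback or a.is_unspecified for a in addrs]
    if all(local):
        return "blocked"                         # every entry points at this machine
    return "conflict" if any(local) else "redirected"

if __name__ == "__main__":
    for host in ("help.komsomolka.info", "www.help.komsomolka.info"):
        print(host, "->", sinkhole_status(POSTED_HOSTS, host))
```

Hosts entries match exact hostnames only, so other names under the same domain are not covered, and the file has no effect on software that connects by IP address or resolves names through a proxy.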

 
tolstoi
16th Apr 2006
One forum suggested that I run RootkitRevealer.

Here's the report:
C:\Documents and Settings\d1\Application Data\Mozilla\Profiles\trimagna\jqdx98re.slt\Cache\63103FC4d01  4/16/2006 11:41 AM  34.27 KB  Hidden from Windows API.
C:\Documents and Settings\d1\Local Settings\Temporary Internet Files\Content.IE5\2QQLTPSA\showthread[1].htm  4/16/2006 11:42 AM  35.87 KB  Hidden from Windows API.
C:\Documents and Settings\d1\Local Settings\Temporary Internet Files\Content.IE5\2QQLTPSA\showthread[1].php  4/16/2006 11:42 AM  11.15 KB  Hidden from Windows API.
C:\Documents and Settings\d1\Local Settings\Temporary Internet Files\Content.IE5\JZP11512\CAC5GHWV  4/16/2006 11:42 AM  2.50 KB  Hidden from Windows API.
C:\Documents and Settings\d1\Local Settings\Temporary Internet Files\Content.IE5\JZP11512\j[7].js  4/16/2006 11:42 AM  374 bytes  Hidden from Windows API.
C:\Documents and Settings\d1\Local Settings\Temporary Internet Files\Content.IE5\JZP11512\post_old[1].gif  4/16/2006 11:42 AM  920 bytes  Hidden from Windows API.
C:\Documents and Settings\d1\Local Settings\Temporary Internet Files\Content.IE5\JZP11512\showthread[2].htm  4/16/2006 11:29 AM  36.08 KB  Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\d1\Local Settings\Temporary Internet Files\Content.IE5\JZP11512\showthread[2].php  4/16/2006 11:29 AM  11.18 KB  Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\d1\Local Settings\Temporary Internet Files\Content.IE5\YR8FP2R2\ads[4].htm  4/16/2006 11:42 AM  8.52 KB  Hidden from Windows API.

- - - end of file - - -
How should I interpret this info?
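
As an added example (not part of any post in this thread), a first-pass triage of a report like the one above: RootkitRevealer compares what the Windows API returns with a raw read of the disk, so browser cache files created or deleted while the scan runs show up as discrepancies. The function names, the labels, the 30-minute window, the use of the newest timestamp as a stand-in for the scan time and the last sample entry are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# First three entries are copied from the report posted above; the last one is
# constructed for this example (hypothetical path) to show the other outcome.
REPORT = r"""
C:\Documents and Settings\d1\Application Data\Mozilla\Profiles\trimagna\jqdx98re.slt\Cache\63103FC4d01 4/16/2006 11:41 AM 34.27 KB Hidden from Windows API.
C:\Documents and Settings\d1\Local Settings\Temporary Internet Files\Content.IE5\JZP11512\j[7].js 4/16/2006 11:42 AM 374 bytes Hidden from Windows API.
C:\Documents and Settings\d1\Local Settings\Temporary Internet Files\Content.IE5\JZP11512\showthread[2].htm 4/16/2006 11:29 AM 36.08 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\system32\drivers\example.sys 4/10/2006 9:15 AM 12.00 KB Hidden from Windows API.
"""

ENTRY = re.compile(
    r"^(?P<path>.+?)\s+(?P<when>\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}\s+[AP]M)\s+"
    r"(?P<size>[\d.]+\s+(?:bytes|KB|MB|GB))\s+(?P<desc>.+)$")
# Directories a running browser rewrites constantly.
VOLATILE = ("\\temporary internet files\\", "\\cache\\")

def parse_report(text):
    """Turn report lines into dicts with path, when (datetime), size, desc."""
    rows = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            row = m.groupdict()
            row["when"] = datetime.strptime(" ".join(row["when"].split()),
                                            "%m/%d/%Y %I:%M %p")
            rows.append(row)
    return rows

def triage(rows, window=timedelta(minutes=30)):
    """Label entries 'scan-churn' (cache file touched near scan time) or 'review'."""
    if not rows:
        return []
    scan_time = max(r["when"] for r in rows)   # assumption: newest entry ~ scan time
    labelled = []
    for r in rows:
        in_cache = any(v in r["path"].lower() for v in VOLATILE)
        recent = scan_time - r["when"] <= window
        name = r["path"].rsplit("\\", 1)[-1]
        labelled.append((name, "scan-churn" if in_cache and recent else "review"))
    return labelled

if __name__ == "__main__":
    for name, label in triage(parse_report(REPORT)):
        print(f"{label:10}  {name}")
```

A "review" label is only a prompt to look at that file more closely; "scan-churn" describes the entry, not the state of the machine.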
 
siljaline
16th Apr 2006
Disregard what you are attempting to do with your HOSTS file for *now*.

_Get Hijackware help_

Download and run HijackThis;
(http://aumha.org/downloads/hijackthis.zip)
Read this Tutorial *before* first use;
(http://www.bleepingcomputer.com/foru...howtutorial=42)
Once done > run HijackThis > save a scan log and post it to /any/ of the
following (expert) forums for analysis.
*Note, registration is required prior to posting a log.
- Not listed in any particular order -
(http://aumha.net/viewforum.php?f=30)
(http://www.bleepingcomputer.com/forums/forum22.html)
(http://www.dslreports.com/forum/security)
(http://castlecops.com/forum67.html)
(http://www.cybertechhelp.com/forums/...splay.php?f=25)
(http://www.geekstogo.com/forum/Malwa..._Here-f37.html)
(http://gladiator-antivirus.com/forum...?showforum=170)
(http://forum.networktechs.com/forumdisplay.php?f=130)
(http://forums.maddoktor2.com/index.php?showforum=17)
(http://www.spywarewarrior.com/viewforum.php?f=5)
(http://forums.spywareinfo.com/index.php?showforum=18)
(http://forums.techguy.org/f54-s.html)
(http://forums.tomcoyote.org/index.php?showforum=27)
(http://forums.subratam.org/index.php?showforum=7)
(http://www.5starsupport.com/ipboard/...p?showforum=18)
(http://www.malwarebytes.org/forums/i...hp?showforum=7)
Note! Prior to running HijackThis, you must;
(http://wiki.castlecops.com/Malware_R...oring_Programs)

Post back the URL where you posted your log, *not* the entire log.

Silj



 
tolstoi
16th Apr 2006
HijackThis log is posted at:
http://forums.majorgeeks.com/showthread.php?t=90119

 
siljaline
16th Apr 2006
"tolstoi" wrote:
> HijackThis log is posted at:
> http://forums.majorgeeks.com/showthread.php?t=90119


This is a record day! Two posters have replied back with the URLs
where they posted their logs to an expert forum.
Well done, the expert handlers at Major Geeks will take care of you.
If there are issues regarding this or if the post remains unresolved,
please post back a note to *this* thread!

Good luck and thank you for seeking assistance on the MS News
server.

Regards,
Silj



 