escrow car fraud- the payback(hopefully)



Moderators: georg, suziecue, JaxHot

Postby dominus » Tue Jun 05, 2007 3:17 pm

Ok... if I get it-the only threat for my pc was when I entered the escrow-europa site? Is my pc safe now-after deleting the host entries? And how the *spammer* can be my computer harmed by a stupid e-mail? Sry for language but Microsoft makes me mad now...
dominus
Infant
 
Posts: 19
Joined: Sun Jun 03, 2007 2:26 pm

Postby peg » Tue Jun 05, 2007 3:18 pm

Dominus (and others that got the email) sorry, I sent you the wrong email accusing you as the scammer.... I have "Resent" the email that was intended for you.

Also, your HOSTS file should read as follows:

Code:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

You generally do not need anything other than that..... If you have more than that one line (those preceded with # are just comments and harmless) of the 127.0.0.1 localhost especially if it's pointing to a site that you are questioning... you should delete it (or at least put a # at the beginning of that line)


Here is a site that gives more detail about the HOSTS file http://accs-net.com/hosts/what_is_hosts.html but suffice it to say.... You only need that one line!
- peg -

-- eschew obfuscation!! --
If we were able to help you please consider making a donation to support this site.
Donation button at the top of page.
peg
Site Admin
 
Posts: 827
Joined: Sun Feb 09, 2003 6:25 am
Location: United States

Postby georg » Tue Jun 05, 2007 3:24 pm

and make the host "write-protected"
..is not absolutely secure, but better than nothing
georg
Moderator
 
Posts: 442
Joined: Mon Mar 13, 2006 9:44 am

Postby dominus » Tue Jun 05, 2007 3:36 pm

np peg :lol:

guys I would offer You a beer if possible :wink:
dominus
Infant
 
Posts: 19
Joined: Sun Jun 03, 2007 2:26 pm

Postby dominus » Tue Jun 05, 2007 3:39 pm

And that is the car I wanted(still want) to buy http://www.autoscout24.it/Details.aspx?id=89450005

:lol:
dominus
Infant
 
Posts: 19
Joined: Sun Jun 03, 2007 2:26 pm

Postby CapriceFéline » Tue Jun 05, 2007 3:53 pm

A beautiful car. I want it too. We agree. But...what..
Caprice
He who does not have a friendly face should not open a shop. Chinese proverb.
CapriceFéline
Adult
 
Posts: 89
Joined: Tue Apr 25, 2006 9:54 pm
Location: Germany

Postby lightfair » Tue Jun 05, 2007 7:27 pm

dominus wrote:Ok... if I get it-the only threat for my pc was when I entered the escrow-europa site? Is my pc safe now-after deleting the host entries? And how the *spammer* can be my computer harmed by a stupid e-mail? Sry for language but Microsoft makes me mad now...


dominus:

Please think back a bit: Did you get an email from the scammer containing an attachment, like a picture or an invoice? This is the most typical way to manipulate the hosts file.

(Excursus: While I was baiting a scammer a long time ago he tried to make me open the attachment he sent me. Unfortunately I was on a Mac and hence his nice little trojan horse went nowhere. Finally I opened up the attachment in an emulator, and it actually displayed a picture with the "terms and conditions" - but at the same time it was changing my hosts file in the emulator. The virus scanners did not detect this; a couple of days later they did though.)

It is REALLY important that you do a thorough virus check on your computer. Update the virus signatures first. If there actually WAS such an attachment I would like to have a look at it.

Now a short description of what has happened to you.

At the core of the Internet are so-called "IP addresses". Each computer and each server on the Internet has such an address (actually it's a bit more complicated but let's stick to this). For example, the server "www.autoscout24.de" has the IP address 212.18.30.44; or the server "www.autoscout24.it" has the IP address 212.18.30.45. All communication is done with those addresses. If you type "www.autoscout24.it" into your browser your computer actually connects to a so-called "Domain Name Server" first; this server tells your computer the IP address (212.18.30.45 in our case) and then your computer makes the connection to this IP address.
This is done for all domain names (web addresses) with one exception: addresses found in the "hosts" file. For those the IP address found in the hosts file is used.
So something (probably a trojan horse) changed your hosts file and added entries for "escrow-europa.com". Now let's see what is happening now. Normally, when calling up "escrow-europa.com" or "www.escrow-europa.com" from your browser your computer would contact the Domain Name server to obtain the IP address. This would have been 80.207.87.67 and your computer would afterwards make the connection to this address. BUT because there were entries for escrow-europa.com and www.escrow-europa.com in your hosts file the IP addresses found in the hosts file are used; and so your computer goes to IP address 208.179.102.59 (instead of the correct one). Of course this is a completely different server which has nothing to do at all with escrow-europa.com!
The really scary thing is that the user does not even notice this because the address bar in the web browser displays "www.escrow-europa.com"; it is not at all apparent that one is sent to a completely different server.

Bottom line: The "bad guys" somehow managed to manipulate your computer, and actually this must have happened before you went to the fake version of escrow-europa.com. As described please try to remember if there were any files or attachments involved. Those are very likely the culprits.
lightfair
Master
 
Posts: 865
Joined: Sat Sep 09, 2006 12:54 pm
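The check that peg and lightfair describe above (anything active in the hosts file beyond the loopback `localhost` line deserves a look), as an added example that is not part of any post in this thread. The sample file is constructed from the addresses quoted in the thread; the function names, the `expected` mapping and the `*.example.test` entries are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample: default Windows header lines plus the kind of entry
# described in the thread (addresses as quoted in lightfair's post).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#      102.54.94.97     rhino.acme.com     # source server
127.0.0.1       localhost
208.179.102.59  escrow-europa.com www.escrow-europa.com
::1             localhost
0.0.0.0         ads.example.test   # constructed blocklist-style entry
not-an-ip       broken.example.test
"""

def parse_hosts(text):
    """Yield (line_no, ip, [names]) for every active (non-comment) entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()      # drop comments
        if body:
            fields = body.split()
            yield line_no, fields[0], [n.lower().rstrip(".") for n in fields[1:]]

def audit_hosts(text, expected=None):
    """Return (line_no, kind, ip, name) for every entry beyond loopback/localhost.

    expected: optional {hostname: ip} of known-good addresses, e.g. looked up
    from a machine you trust (assumption: you have such a reference).
    """
    expected = expected or {}
    findings = []
    for line_no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, "malformed", ip, " ".join(names)))
            continue
        for name in names:
            if addr.is_loopback and name == "localhost":
                continue                          # the one line you need
            if addr.is_loopback or addr.is_unspecified:
                kind = "sinkhole"                 # blocks a name, does not redirect it
            elif name in expected and ipaddress.ip_address(expected[name]) != addr:
                kind = "mismatch"                 # redirected away from known-good IP
            else:
                kind = "override"                 # DNS bypassed, needs review
            findings.append((line_no, kind, ip, name))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, {"www.escrow-europa.com": "80.207.87.67"}):
        print(finding)
```

On a real machine, pass the contents of the system hosts file as `text`; a clean antivirus scan does not replace this check, since the redirect lives in a plain text file.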

Postby georg » Tue Jun 05, 2007 7:58 pm

deliberately misspelled....

leave the nutcase alone, he doesn't "get" it...
regards
georg
georg
Moderator
 
Posts: 442
Joined: Mon Mar 13, 2006 9:44 am

Postby dominus » Tue Jun 05, 2007 11:11 pm

lightfair
Tnx for explanation, I already learned that today ;)
I have avast antivirus fully updated+spybot updated and they both didn't detect anything.

I can mail You the attachment(already mailed to some friendly guys), just send me a pm with your e-mail address ;)
dominus
Infant
 
Posts: 19
Joined: Sun Jun 03, 2007 2:26 pm

Postby dominus » Wed Jun 06, 2007 8:31 pm

I have bought a car today 8)
A real one :lol: Sry for spamming but I'm so happy :wink:
dominus
Infant
 
Posts: 19
Joined: Sun Jun 03, 2007 2:26 pm
