steve1368 Posted April 12, 2005

I did a scan several times with spybot S&D & even tried couple of times on reboot. There are items unable to be removed:-

My Soft Redirect host
desktop.kazaa.com=127.0.0.1

another one

Log Activity.SchedLgu.Txt
C:\Windows|SchedLgu.Txt

Please guide me how to remove the above.

Thanks
Steve

wllm55 Posted April 12, 2005

If I was you I would download and run Ad-Aware also. Ad aware covers the other problems that SpyBot doesn't. Also while you are at it, download and run SpywareBlaster. It runs in the background and stops items BEFORE they get to your computer.

> I did a scan several times with spybot S&D & even tried couple of times on reboot. There are items unable to be removed:-
> My Soft Redirect host
> desktop.kazaa.com=127.0.0.1
> another one
> Log Activity.SchedLgu.Txt
> C:\Windows|SchedLgu.Txt
> Please guide me how to remove the above.
> Thanks
> Steve

Tarun Posted April 12, 2005

> I did a scan several times with spybot S&D & even tried couple of times on reboot. There are items unable to be removed:-
> My Soft Redirect host
> desktop.kazaa.com=127.0.0.1
> another one
> Log Activity.SchedLgu.Txt
> C:\Windows|SchedLgu.Txt
> Please guide me how to remove the above.
> Thanks
> Steve

The log you don't need to worry about. As for the redirect host, where did Spybot say it's located?

> If I was you I would download and run Ad-Aware also. Ad aware covers the other problems that SpyBot doesn't. Also while you are at it, download and run SpywareBlaster. It runs in the background and stops items BEFORE they get to your computer.

I do believe he has all of those applications already. Ad-Aware can get pieces Spybot misses, and Spybot can get pieces Ad-Aware misses. Just one Anti-Malware utility is never enough.

steve1368 Posted April 13, 2005

> The log you don't need to worry about. As for the redirect host, where did Spybot say it's located?

I checked the result, it only shows this:

--- Search result list ---
MySoft: Redirected host (Redirected host, fixing failed)

> I do believe he has all of those applications already. Ad-Aware can get pieces Spybot misses, and Spybot can get pieces Ad-Aware misses. Just one Anti-Malware utility is never enough.

Yes I do have it.

Tarun Posted April 13, 2005

Check with Hijack This and see if anything Hosts related appears.

Lee16 Posted April 13, 2005

Did you download a host file lately? I have been getting Spybot/Hijackthis moaning about my latest update to my host file.

--lee

steve1368 Posted April 14, 2005

> Check with Hijack This and see if anything Hosts related appears.

> Did you download a host file lately? I have been getting Spybot/Hijackthis moaning about my latest update to my host file.
> --lee

I didn't see anything to do with "Host". I must admit I've installed quite a few softwares lately & also deleted some old softwares. Kazaa was actually deleted from my pc.

Anyway I copy my HijackThis report, in case my newbie eye didn't find what you were asking for.

Logfile of HijackThis v1.99.1
Scan saved at 22:32:13, on 14/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...463/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F2A6F5F-8BAF-4972-ABC6-DA099E47B685}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Steve

Tarun Posted April 14, 2005

Enumeration of existing IE's BHO's. Safe to remove:
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

Enumeration of suspicious auto-loading registry entries. Safe to remove:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

Extra 'Tools' menu items and buttons. Safe to remove:
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)

Download Program Files item. Safe to remove:
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...463/mcfscan.cab

Domain hijack, safe to remove. Safe to remove:
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F2A6F5F-8BAF-4972-ABC6-DA099E47B685}: NameServer = 202.188.0.133 202.188.1.5

Look into Real Alternative if you haven't already.

Lee16 Posted April 14, 2005

Hi steve,

In addition to what Tarun's analyzer has said (I'm impressed with that analyzer Tarun), it's safe to remove these as they slow down boot up,

This just creates logs of errors, and can only help you if you can read the logs it creates:
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

This just starts up MSN Messenger every boot up, it can still be started via the icon though:
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

BTW, the latest MSN Messenger is MSN 7, you can get it from here:
http://imagine-msn.com/messenger/en-us/ (click "Get it now")

--lee

Tarun Posted April 14, 2005

> Hi steve,
> In addition to what Tarun's analyzer has said (I'm impressed with that analyzer Tarun), it's safe to remove these as they slow down boot up,
> This just creates logs of errors, and can only help you if you can read the logs it creates:
> O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
> This just starts up MSN Messenger every boot up, it can still be started via the icon though:
> O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
> BTW, the latest MSN Messenger is MSN 7, you can get it from here:
> http://imagine-msn.com/messenger/en-us/ (click "Get it now")
> --lee

It's better to disable those via GUI, thus why I left them alone until his next reply.

Lee16 Posted April 15, 2005

> It's better to disable those via GUI, thus why I left them alone until his next reply.

May I ask why Tarun, I've never heard of removing the reg entries causing problems (but they say you learn something every day)

--lee

Tarun Posted April 15, 2005

> May I ask why Tarun, I've never heard of removing the reg entries causing problems (but they say you learn something every day)
> --lee

That's something I'm going to have to ask DjLizard.

do not ever use msconfig to disable services, only use services.msc (start, run, services.msc). and for some services, it is better to use standard UI to disable them instead of using services.msc, such as with System Restore (only disable it through My Computer-> Properties)

Though that was for services, it's still a good question.

steve1368 Posted April 15, 2005

> Hi steve,
> In addition to what Tarun's analyzer has said (I'm impressed with that analyzer Tarun), it's safe to remove these as they slow down boot up,
> This just creates logs of errors, and can only help you if you can read the logs it creates:
> O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
> This just starts up MSN Messenger every boot up, it can still be started via the icon though:
> O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
> BTW, the latest MSN Messenger is MSN 7, you can get it from here:
> http://imagine-msn.com/messenger/en-us/ (click "Get it now")
> --lee

> It's better to disable those via GUI, thus why I left them alone until his next reply.

Hi everyone,

I've removed the items Tarun suggested, but did not do what Lee told me, since I see there might be a better way to remove it, so I wait for further guidance.

After removing, scanning with spybot...the result...the same 2 items still there!!!

Anyway I'm copying the hijackthis list again. Tarun, have removed Real Player & Quicktime, substituted with "alternatives"

Here is the list:-

Logfile of HijackThis v1.99.1
Scan saved at 22:49:38, on 15/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Steve

P/S I sure wish I can get rid of those pesky items.

Lee16 Posted April 15, 2005

I'm surprised LSPfix and Hijackthis are not picking up these host file redirects.

OK for the Kazaa thing try running this program:
http://www.spywareinfo.com/~merijn/files/kazaabegone.zip

For the SchedLgu.Txt file, see here:
http://www.safer-networking.org/en/faq/6.html

--lee

DjLizard Posted April 15, 2005

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
^^ This item is safe to remove using HJT, and usually won't come back, unless you get another 'serious error' from Windows to report.

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
^^ This one usually comes back, unless you do what Tarun said, which is "using the GUI", which actually means to use the appropriate interface for disabling MSNM startup, which is:
With MSNM running, go to Tools, Options, Preferences (or in MSN 7, "General"), and uncheck "Automatically run messenger when I log on to Windows"

You should simply delete your hosts file and start it over.
1) Start, Run... CMD
2) CD %systemroot%\drivers\etc
2) ATTRIB -R -H -S -A HOSTS
3) DEL HOSTS

Then run spybot s&d, go to advanced mode, then Tools, then checkmark Hosts file, then click the button to "add spybot s&d's hosts file"

Click here if CCleaner Issues are re-appearing DjLizard.net DjLizard.net wiki Dial-a-fix Dial-a-fix tips DjLizard.net software support forum Do you live in Bradenton, Sarasota, Tampa, or St. Petersburg, Florida? Visit Digital Doctors where I work

Tarun Posted April 15, 2005

> O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
> ^^ This item is safe to remove using HJT, and usually won't come back, unless you get another 'serious error' from Windows to report.

Right click My Computer, Properties, Advanced, Startup and Recovery Settings, Uncheck "Write an event to the system log". I'd like Dj to verify that though.

DjLizard Posted April 15, 2005

Nope, and I DON'T recommend turning the thing you just mentioned off (it's not related - the system log = event viewer\system). If you really don't want dumprep, disable error reporting (on the same page as Startup and Recovery Settings) - I DO NOT RECOMMEND DISABLING ERROR REPORTING. Error reporting has given me perfect solutions to problems I've had in the past (both on my own machines and my customer machines). It also helps Microsoft collect aggregate crash data, to see how many people are affected by a given problem (the more error reporting everyone does for a given crash, the more priority it will get, and it will get fixed faster - so report those errors!)

-u means usermode and -k means kernel mode
a driver blows up, you get a -k
Iexplore blows up, you get a -u
if error reporting failed, sometimes it gets stuck as a startup entry (it's supposed to say Windows has recovered from a serious error, etc)

Tarun Posted April 15, 2005

> Nope, and I DON'T recommend turning the thing you just mentioned off (it's not related - the system log = event viewer\system). If you really don't want dumprep, disable error reporting (on the same page as Startup and Recovery Settings) - I DO NOT RECOMMEND DISABLING ERROR REPORTING. Error reporting has given me perfect solutions to problems I've had in the past (both on my own machines and my customer machines). It also helps Microsoft collect aggregate crash data, to see how many people are affected by a given problem (the more error reporting everyone does for a given crash, the more priority it will get, and it will get fixed faster - so report those errors!)
> -u means usermode and -k means kernel mode
> a driver blows up, you get a -k
> Iexplore blows up, you get a -u
> if error reporting failed, sometimes it gets stuck as a startup entry (it's supposed to say Windows has recovered from a serious error, etc)

Really? I go to Advanced > Error Reporting and disable it but to still alert me on errors. Should I change that?

steve1368 Posted April 16, 2005

> Domain hijack, safe to remove. Safe to remove:
> O17 - HKLM\System\CCS\Services\Tcpip\..\{4F2A6F5F-8BAF-4972-ABC6-DA099E47B685}: NameServer = 202.188.0.133 202.188.1.5

Tarun, something interesting for you to know. I removed the above item. Guess what I cannot open any webpage after that. I restarted & it worked fine, but the item is back on the HJT list after restart.

> I'm surprised LSPfix and Hijackthis are not picking up these host file redirects.
> OK for the Kazaa thing try running this program:
> http://www.spywareinfo.com/~merijn/files/kazaabegone.zip
> For the SchedLgu.Txt file, see here:
> http://www.safer-networking.org/en/faq/6.html
> --lee

Ran the KazaaBegone, came out with 21 ITEMS, now that's way too many items, don't you think ??

I read the link about the SchedLgu, but this brains didn't understand what it read .... just add to the ignore list, is that the message??

> O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
> ^^ This item is safe to remove using HJT, and usually won't come back, unless you get another 'serious error' from Windows to report.
> O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
> ^^ This one usually comes back, unless you do what Tarun said, which is "using the GUI", which actually means to use the appropriate interface for disabling MSNM startup, which is:
> With MSNM running, go to Tools, Options, Preferences (or in MSN 7, "General"), and uncheck "Automatically run messenger when I log on to Windows"

Understood this, will do it tonight.

> You should simply delete your hosts file and start it over.
> 1) Start, Run... CMD
> 2) CD %systemroot%\drivers\etc
> 2) ATTRIB -R -H -S -A HOSTS
> 3) DEL HOSTS
> Then run spybot s&d, go to advanced mode, then Tools, then checkmark Hosts file, then click the button to "add spybot s&d's hosts file"

Now this is alien to me ...mind telling me in simple non techy terms.

Thanks
Steve

Tarun Posted April 16, 2005

> Tarun, something interesting for you to know. I removed the above item. Guess what I cannot open any webpage after that. I restarted & it worked fine, but the item is back on the HJT list after restart.
> Ran the KazaaBegone, came out with 21 ITEMS, now that's way too many items, don't you think ??

KazaaBegone: A Kazaa uninstaller which scans and removes all elements of all Kazaa versions, as well as all of the bundled software that comes with it.

Warning: This version has a bug that can cause your Internet connection to be broken when removing New.Net, WebHancer or CommonName. An update is being worked on. If you still want to use KazaaBegone, download LSPFix to fix your Internet connection (download it before you run KazaaBegone, of course).

That might be why you can't open any website thereafter.

DjLizard Posted April 16, 2005

Steve: That last part you have to type as you see it. Click start, click on Run..., and type CMD, and hit enter. When the Command Prompt window appears, you type each line and hit enter:

CD %systemroot%\drivers\etc
ATTRIB -R -H -S -A HOSTS
DEL HOSTS

----

The name servers (202.188.0.133 | 202.188.1.5) are OK. They resolve addresses to IPs and vice versa. You can use the command NSLOOKUP in Windows XP to access the nameserver. Each time you connect to, say, 'www.google.com', your nameserver looks it up -- here's what my output looks like from CMD:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\DjLizard>nslookup
Default Server: tampfldns08-amp.tampabay.rr.com
Address: 65.32.2.147

> www.google.com
Server: tampfldns08-amp.tampabay.rr.com
Address: 65.32.2.147

Non-authoritative answer:
Name: www.l.google.com
Addresses: 64.233.161.147, 64.233.161.99, 64.233.161.104
Aliases: www.google.com

At any rate, yeah, you wouldn't technically be able to access the internet, except by IP address, so don't remove the nameserver entries (when I give Windows custom nameservers, hijackthis says they're removable as well -- it's normal). Tarun must have been sleepy, because you shouldn't remove that

Tarun - I also doubled up on the 'safe to remove' text in your program, sorry, haha (I'm sure you can fix it now). (Domain hijack, safe to remove. Safe to remove:) Change the wording to 'Custom nameserver, not recommended to remove' or something.

Tarun Posted April 16, 2005

> Steve: That last part you have to type as you see it. Click start, click on Run..., and type CMD, and hit enter. When the Command Prompt window appears, you type each line and hit enter:
> CD %systemroot%\drivers\etc
> ATTRIB -R -H -S -A HOSTS
> DEL HOSTS
> ----
> The name servers (202.188.0.133 | 202.188.1.5) are OK. They resolve addresses to IPs and vice versa. You can use the command NSLOOKUP in Windows XP to access the nameserver. Each time you connect to, say, 'www.google.com', your nameserver looks it up -- here's what my output looks like from CMD:
> Microsoft Windows XP [Version 5.1.2600]
> (C) Copyright 1985-2001 Microsoft Corp.
> C:\Documents and Settings\DjLizard>nslookup
> Default Server: tampfldns08-amp.tampabay.rr.com
> Address: 65.32.2.147
> > www.google.com
> Server: tampfldns08-amp.tampabay.rr.com
> Address: 65.32.2.147
> Non-authoritative answer:
> Name: www.l.google.com
> Addresses: 64.233.161.147, 64.233.161.99, 64.233.161.104
> Aliases: www.google.com
> At any rate, yeah, you wouldn't technically be able to access the internet, except by IP address, so don't remove the nameserver entries (when I give Windows custom nameservers, hijackthis says they're removable as well -- it's normal). Tarun must have been sleepy, because you shouldn't remove that
> Tarun - I also doubled up on the 'safe to remove' text in your program, sorry, haha (I'm sure you can fix it now). (Domain hijack, safe to remove. Safe to remove:) Change the wording to 'Custom nameserver, not recommended to remove' or something.

O17 - Domain hijack, according to Merijn it's also O17 - Lop.com domain hijacks

I'm also going to remake the app in Delphi this time on my own, referring to your port of it as a guide. Should be real easy.

Lee16 Posted April 16, 2005

> That might be why you can't open any website thereafter.

He already posted his hijackthis log remember, no domain hijacks were there, I wouldn't have suggested it otherwise, anyway, he already PM'ed me with his results from LSPfix.

> Merijn it's also O17 - Lop.com domain hijacks

Not always to do with Lop.com malware, can be, but also some ISP's and computer manufacturers use it for resetting web settings to their defaults rather than IE's.

--lee

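The O17 exchange above, as an added example that is not part of the thread or of HijackThis: a Python sketch that triages a pasted log without ever marking a NameServer entry removable. It checks the addresses against resolvers you have confirmed yourself, and cross-checks "(file missing)" flags against the running-process list. The function names, verdict labels and the `known_resolvers` parameter are assumptions of this example; the sample lines are copied from the log posted earlier in the thread.

```python
import re

# Excerpt of the HijackThis log posted in this thread (shortened, not altered).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F2A6F5F-8BAF-4972-ABC6-DA099E47B685}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # e.g. "O17 - ..."
NAMESERVER_RE = re.compile(r"NameServer = (.+)$")
EXE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


def parse_log(log_text):
    """Split a log into the running-process set and (code, detail) entries."""
    processes, entries, in_procs = set(), [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_procs = False
            entries.append((match.group(1), match.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.add(line.lower())
    return processes, entries


def triage(log_text, known_resolvers):
    """Return (code, verdict, subject) for entries that need a decision.

    known_resolvers: DNS servers you verified out of band (assumption of
    this example), e.g. the ones your ISP or router hands out.
    """
    processes, entries = parse_log(log_text)
    findings = []
    for code, detail in entries:
        ns = NAMESERVER_RE.search(detail)
        if code == "O17" and ns:
            servers = re.split(r"[,\s]+", ns.group(1).strip())
            unknown = [ip for ip in servers if ip not in known_resolvers]
            # Never "remove": deleting a live resolver breaks name lookups.
            verdict = "verify-resolver" if unknown else "keep"
            findings.append((code, verdict, " ".join(unknown or servers)))
        elif detail.endswith("(no file)"):
            findings.append((code, "orphan", detail))
        elif detail.endswith("(file missing)"):
            exe = EXE_RE.search(detail)
            running = bool(exe) and exe.group(1).lower() in processes
            verdict = "running-despite-missing" if running else "missing"
            findings.append((code, verdict, detail))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, {"202.188.0.133", "202.188.1.5"}):
        print(finding)
```
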
steve1368 Posted April 17, 2005

> O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
> ^^ This item is safe to remove using HJT, and usually won't come back, unless you get another 'serious error' from Windows to report.
> O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
> ^^ This one usually comes back, unless you do what Tarun said, which is "using the GUI", which actually means to use the appropriate interface for disabling MSNM startup, which is:
> With MSNM running, go to Tools, Options, Preferences (or in MSN 7, "General"), and uncheck "Automatically run messenger when I log on to Windows"

Done as told.

> You should simply delete your hosts file and start it over.
> 1) Start, Run... CMD
> 2) CD %systemroot%\drivers\etc
> 2) ATTRIB -R -H -S -A HOSTS
> 3) DEL HOSTS
> Then run spybot s&d, go to advanced mode, then Tools, then checkmark Hosts file, then click the button to "add spybot s&d's hosts file"

Did item 1 as above

when typed item 2, I get this message:

The filename,directory name, or volume label syntax is incorrect

Tried many other ways, I get error msg like above or some other error msg.

Steve

DjLizard Posted April 17, 2005

Ok, I have a better idea. (I missed the 'system32' on step 1')

1) Start, Run... CMD
2) %systemdrive%
3) cd \
4) cd %systemroot%\system32\drivers\etc
5) attrib -r -h -s hosts
6) del hosts

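As an added example (not from the thread or from Spybot): before deleting the hosts file as in the steps above, a short Python audit can show what each entry actually does. A name mapped to 127.0.0.1 or 0.0.0.0, like the flagged desktop.kazaa.com entry, only resolves to the local machine, whereas a name mapped to a routable address is the kind of redirect worth investigating. The sample file is constructed (only the desktop.kazaa.com mapping comes from the thread), and the verdict labels are this example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file; only the desktop.kazaa.com line is from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       desktop.kazaa.com
0.0.0.0         ads.example.test      # block-list style entry
203.0.113.10    www.bank.example      # constructed: points at a routable address
not-an-ip       broken.example
"""


def parse_hosts(text):
    """Yield (lineno, address, hostname); one line may name several hosts."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield lineno, fields[0], name.lower()


def classify(address, hostname):
    """Label one mapping: localhost, sinkhole, redirect or malformed."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if hostname == "localhost":
        # localhost pointing anywhere but loopback is itself a redirect.
        return "localhost" if ip.is_loopback else "redirect"
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"      # name is blocked, traffic never leaves the PC
    return "redirect"          # name is sent to another machine: investigate


def audit(text):
    """Group every mapping in a hosts file by verdict."""
    report = defaultdict(list)
    for lineno, address, hostname in parse_hosts(text):
        report[classify(address, hostname)].append((lineno, address, hostname))
    return dict(report)


if __name__ == "__main__":
    for verdict, rows in audit(SAMPLE_HOSTS).items():
        for lineno, address, hostname in rows:
            print(f"{verdict:10} line {lineno}: {hostname} -> {address}")
```

To run it against the real file, read `%systemroot%\system32\drivers\etc\hosts` (the path from the corrected steps) and pass its text to `audit`.
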