CCleaner Community Forums
steve1368

Spybot

I did a scan several times with Spybot S&D and even tried a couple of times on reboot.

 

There are items unable to be removed:-

 

My Soft

Redirect host

desktop.kazaa.com=127.0.0.1

 

another one

 

Log

Activity.SchedLgu.Txt

C:\Windows\SchedLgu.Txt

 

Please guide me how to remove the above.

 

Thanks

 

Steve


If I were you I would download and run Ad-Aware also. Ad-Aware covers the other problems that Spybot doesn't. Also, while you are at it, download and run SpywareBlaster. It runs in the background and stops items BEFORE they get to your computer.

The log you don't need to worry about. As for the redirect host, where did Spybot say it's located?

 

I do believe he has all of those applications already. Ad-Aware can get pieces Spybot misses, and Spybot can get pieces Ad-Aware misses. Just one Anti-Malware utility is never enough.

The log you don't need to worry about.  As for the redirect host, where did Spybot say it's located?

I checked the result, it only shows this :

--- Search result list ---

MySoft: Redirected host (Redirected host, fixing failed)

I do believe he has all of those applications already. Ad-Aware can get pieces Spybot misses, and Spybot can get pieces Ad-Aware misses. Just one Anti-Malware utility is never enough.

 

 

 

Yes I do have it.


Did you download a host file lately? I have been getting Spybot/HijackThis moaning about my latest update to my host file.

 

--lee

Check with Hijack This and see if anything Hosts related appears.

 

 

 

 


I didn't see anything to do with "Host". I must admit I've installed quite a few softwares lately & also deleted some old softwares. Kazaa was actually deleted from my pc.

 

Anyway I copy my HijackThis report, in case my newbie eye didn't find what you were asking for.

 

Logfile of HijackThis v1.99.1

Scan saved at 22:32:13, on 14/04/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

C:\Program Files\ewido\security suite\ewidoguard.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe

C:\WINDOWS\system32\slserv.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\unzipped\HijackThis\HijackThis.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)

O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...463/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4F2A6F5F-8BAF-4972-ABC6-DA099E47B685}: NameServer = 202.188.0.133 202.188.1.5

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

 

 

Steve ;)


Enumeration of existing IE's BHO's. Safe to remove:

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

 

Enumeration of suspicious auto-loading registry entries. Safe to remove:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

Extra 'Tools' menu items and buttons. Safe to remove:

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)

O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)

 

Download Program Files item. Safe to remove:

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...463/mcfscan.cab

 

Domain hijack, safe to remove. Safe to remove:

O17 - HKLM\System\CCS\Services\Tcpip\..\{4F2A6F5F-8BAF-4972-ABC6-DA099E47B685}: NameServer = 202.188.0.133 202.188.1.5

 

Look into Real Alternative if you haven't already. ;)


Hi steve,

 

In addition to what Tarun's analyzer has said (I'm impressed with that analyzer, Tarun ;) ), it's safe to remove these as they slow down boot up:

 

 

This just creates logs of errors, and can only help you if you can read the logs it creates:

 

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

 

This just starts up MSN Messenger every boot up, it can still be started via the icon though:

 

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

 

 

BTW, the latest MSN Messenger is MSN 7, you can get it from here: http://imagine-msn.com/messenger/en-us/ (click "Get it now")

 

--lee

It's better to disable those via GUI, thus why I left them alone until his next reply. ;)

May I ask why, Tarun? I've never heard of removing the reg entries causing problems :rolleyes: (but they say you learn something every day :D )

 

--lee

That's something I'm going to have to ask DjLizard.

 

do not ever use msconfig to disable services, only use services.msc (start, run, services.msc). and for some services, it is better to use standard UI to disable them instead of using services.msc, such as with System Restore (only disable it through My Computer-> Properties)

 

Though that was for services, it's still a good question.

Hi everyone, I've removed the items Tarun suggested, but did not do what Lee told me, since I see there might be a better way to remove it, so I'll wait for further guidance.

 

After removing, scanning with spybot...the result...the same 2 items still there!!!

Anyway I'm copying the hijackthis list again.

 

Tarun, have removed Real Player & Quicktime, substituted with "alternatives"

 

Here is the list:-

 

Logfile of HijackThis v1.99.1

Scan saved at 22:49:38, on 15/04/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

C:\Program Files\ewido\security suite\ewidoguard.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe

C:\WINDOWS\system32\slserv.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\unzipped\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

 

 

Steve :)

 

P/S I sure wish I can get rid of those pesky items.


O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

^^ This item is safe to remove using HJT, and usually won't come back, unless you get another 'serious error' from Windows to report.

 

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

^^ This one usually comes back, unless you do what Tarun said, which is "using the GUI", which actually means to use the appropriate interface for disabling MSNM startup, which is:

With MSNM running, go to Tools, Options, Preferences (or in MSN 7, "General"), and uncheck "Automatically run messenger when I log on to Windows"

 

You should simply delete your hosts file and start it over.

 

1) Start, Run... CMD

2) CD %systemroot%\drivers\etc

2) ATTRIB -R -H -S -A HOSTS

3) DEL HOSTS

 

Then run spybot s&d, go to advanced mode, then Tools, then checkmark Hosts file, then click the button to "add spybot s&d's hosts file"

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

^^ This item is safe to remove using HJT, and usually won't come back, unless you get another 'serious error' from Windows to report.

 

 

 

Right click My Computer, Properties, Advanced , Startup and Recovery Settings, Uncheck "Write an event to the system log".

 

I'd like Dj to verify that though. ;)


Nope, and I DON'T recommend turning the thing you just mentioned off (it's not related - the system log = event viewer\system).

 

If you really don't want dumprep, disable error reporting (on the same page as Startup and Recovery Settings) - I DO NOT RECOMMEND DISABLING ERROR REPORTING. Error reporting has given me perfect solutions to problems I've had in the past (both on my own machines and my customer machines). It also helps Microsoft collect aggregate crash data, to see how many people are affected by a given problem (the more error reporting everyone does for a given crash, the more priority it will get, and it will get fixed faster - so report those errors!)

 

-u means usermode and -k means kernel mode

a driver blows up, you get a -k

Iexplore blows up, you get a -u

if error reporting failed, sometimes it gets stuck as a startup entry (it's supposed to say Windows has recovered from a serious error, etc)

Really? I go to Advanced > Error Reporting and disable it but to still alert me on errors. Should I change that?

Domain hijack, safe to remove. Safe to remove:

O17 - HKLM\System\CCS\Services\Tcpip\..\{4F2A6F5F-8BAF-4972-ABC6-DA099E47B685}: NameServer = 202.188.0.133 202.188.1.5

 

 

 

Tarun, something interesting for you to know. I removed the above item. Guess what I cannot open any webpage after that. I restarted & it worked fine, but the item is back on the HJT list after restart.

I'm surprised LSPfix and HijackThis are not picking up these host file redirects.

OK, for the Kazaa thing try running this program: http://www.spywareinfo.com/~merijn/files/kazaabegone.zip

For the SchedLgu.Txt file, see here: http://www.safer-networking.org/en/faq/6.html

 

--lee

 

 

 

Ran the KazaaBegone, came out with 21 ITEMS, now that's way too many items, don't you think??

 

I read the link about the SchedLgu, but this brains didn't understand what it read :blink: .... just add to the ignore list, is that the message??

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

^^ This item is safe to remove using HJT, and usually won't come back, unless you get another 'serious error' from Windows to report.

 

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

^^ This one usually comes back, unless you do what Tarun said, which is "using the GUI", which actually means to use the appropriate interface for disabling MSNM startup, which is:

With MSNM running, go to Tools, Options, Preferences (or in MSN 7, "General"), and uncheck "Automatically run messenger when I log on to Windows"

 

Understood this, will do it tonight.

 

You should simply delete your hosts file and start it over.

 

1) Start, Run... CMD

2) CD %systemroot%\drivers\etc

2) ATTRIB -R -H -S -A HOSTS

3) DEL HOSTS

 

Then run spybot s&d, go to advanced mode, then Tools, then checkmark Hosts file, then click the button to "add spybot s&d's hosts file"

 

 

 

Now this is alien to me :( ...mind telling me in simple non techy terms. Thanks

 

Steve B)

KazaaBegone: A Kazaa uninstaller which scans and removes all elements of all Kazaa versions, as well as all of the bundled software that comes with it.

Warning: This version has a bug that can cause your Internet connection to be broken when removing New.Net, WebHancer or CommonName. An update is being worked on. If you still want to use KazaaBegone, download LSPFix to fix your Internet connection (download it before you run KazaaBegone, of course).

 

That might be why you can't open any website thereafter.


Steve: That last part you have to type as you see it.

 

Click start, click on Run..., and type CMD, and hit enter.

 

When the Command Prompt window appears, you type each line and hit enter:

 

CD %systemroot%\drivers\etc

ATTRIB -R -H -S -A HOSTS

DEL HOSTS

 

----

The name servers (202.188.0.133 | 202.188.1.5) are OK. They resolve addresses to IPs and vice versa. You can use the command NSLOOKUP in Windows XP to access the nameserver. Each time you connect to, say, 'www.google.com', your nameserver looks it up -- here's what my output looks like from CMD:

 

 

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\DjLizard>nslookup
Default Server:  tampfldns08-amp.tampabay.rr.com
Address:  65.32.2.147

> www.google.com
Server:  tampfldns08-amp.tampabay.rr.com
Address:  65.32.2.147

Non-authoritative answer:
Name:    www.l.google.com
Addresses:  64.233.161.147, 64.233.161.99, 64.233.161.104
Aliases:  www.google.com

 

 

At any rate, yeah, you wouldn't technically be able to access the internet, except by IP address, so don't remove the nameserver entries (when I give Windows custom nameservers, hijackthis says they're removable as well -- it's normal). Tarun must have been sleepy, because you shouldn't remove that ;)

 

Tarun - I also doubled up on the 'safe to remove' text in your program, sorry, haha (I'm sure you can fix it now). (Domain hijack, safe to remove. Safe to remove:) Change the wording to 'Custom nameserver, not recommended to remove' or something.
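
The entry-by-entry review discussed in this thread can be scripted. The following is an added example, not Tarun's analyzer and not HijackThis code: it parses a log, cross-checks every entry marked "(no file)" or "(file missing)" against the running-process list in the same log, and pulls out the O17 nameserver addresses so they can be compared with the ISP's. The sample is constructed from lines posted in this thread; the labels `orphaned`, `missing-but-running` and `nameserver` are names chosen for this example.

```python
import re

# Constructed sample: header, a few running processes and entries copied
# from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F2A6F5F-8BAF-4972-ABC6-DA099E47B685}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
MISSING_RE = re.compile(r"\((?:no file|file missing)\)\s*$")
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[\d. ]+)$")


def parse_log(text):
    """Split a log into (set of running-process paths, list of (code, body))."""
    processes, entries, in_processes = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False          # first coded entry ends the process list
            entries.append((match["code"], match["body"]))
        elif in_processes:
            processes.add(line.lower())   # Windows paths are case-insensitive
    return processes, entries


def triage(text):
    """Return (code, label, detail) tuples for entries that need a closer look."""
    processes, entries = parse_log(text)
    findings = []
    for code, body in entries:
        if MISSING_RE.search(body):
            exe = EXE_RE.search(body)
            path = exe.group(0) if exe else None
            if path and path.lower() in processes:
                # Marked missing, yet the same log shows the file running.
                findings.append((code, "missing-but-running", path))
            else:
                findings.append((code, "orphaned", path))
        servers = NAMESERVER_RE.search(body)
        if code == "O17" and servers:
            # Configured DNS servers: compare with the ISP's before touching.
            findings.append((code, "nameserver", servers["servers"].split()))
    return findings


if __name__ == "__main__":
    for code, label, detail in triage(SAMPLE_LOG):
        print(f"{code:4} {label:20} {detail}")
```

On the sample, both avast! services marked "(file missing)" are listed under running processes in the same log, so that marker alone does not show the file is gone.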

O17 - Domain hijack, according to Merijn it's also O17 - Lop.com domain hijacks

 

I'm also going to remake the app in Delphi this time on my own, referring to your port of it as a guide. Should be real easy.

That might be why you can't open any website thereafter.

 

He already posted his HijackThis log, remember; no domain hijacks were there, I wouldn't have suggested it otherwise ;). Anyway, he already PM'ed me with his results from LSPfix.

 

 

 

Merijn it's also O17 - Lop.com domain hijacks

 

Not always to do with Lop.com malware; it can be, but also some ISPs and computer manufacturers use it for resetting web settings to their defaults rather than IE's.

 

--lee

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

^^ This item is safe to remove using HJT, and usually won't come back, unless you get another 'serious error' from Windows to report.

 

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

^^ This one usually comes back, unless you do what Tarun said, which is "using the GUI", which actually means to use the appropriate interface for disabling MSNM startup, which is:

With MSNM running, go to Tools, Options, Preferences (or in MSN 7, "General"), and uncheck "Automatically run messenger when I log on to Windows"

 

 

Done as told.

 

 

You should simply delete your hosts file and start it over.

 

1) Start, Run... CMD

2) CD %systemroot%\drivers\etc

2) ATTRIB -R -H -S -A HOSTS

3) DEL HOSTS

 

Then run spybot s&d, go to advanced mode, then Tools, then checkmark Hosts file, then click the button to "add spybot s&d's hosts file"

 

 

 

 

Did item 1 as above

when typed item 2, I get this message: The filename,directory name, or volume label syntax is incorrect

 

Tried many other ways, I get error msg like above or some other error msg.

 

:blink: Steve


Ok, I have a better idea. (I missed the 'system32' on step 1)

1) Start, Run... CMD

2) %systemdrive%

3) cd \

4) cd %systemroot%\system32\drivers\etc

5) attrib -r -h -s hosts

6) del hosts
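
Before a hosts file is deleted as in the steps above, its contents can be reviewed so that it is clear what each entry does. This is an added example, not part of the thread and not Spybot's own check: it sorts hosts entries into the stock localhost mapping, names pinned to loopback or 0.0.0.0 (the kind of entry Spybot reported as `desktop.kazaa.com=127.0.0.1`), and names pointed at some other address. The sample file is constructed; only `desktop.kazaa.com` comes from the thread, and the category names are this example's own.

```python
import ipaddress

# Names that a stock hosts file is expected to map to loopback.
LOCAL_NAMES = {"localhost"}

# Constructed sample hosts file. Only desktop.kazaa.com comes from the thread;
# the other names and the 203.0.113.x address are placeholders.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
127.0.0.1       desktop.kazaa.com      # the entry Spybot reported
0.0.0.0         ads.example.net tracker.example.net
203.0.113.10    www.example.com        # name pointed at another machine
::1             localhost
not-an-ip       broken.example.org
"""


def audit_hosts(text):
    """Classify every hostname in a hosts file by where it is sent.

    standard   - localhost mapped to a loopback address
    blocked    - any other name pinned to loopback or 0.0.0.0 (unreachable)
    redirected - a name sent to a real, non-loopback address
    malformed  - line numbers that do not parse as "address name [name...]"
    """
    report = {"standard": [], "blocked": [], "redirected": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            report["malformed"].append(lineno)
            continue
        if len(fields) < 2:                      # address with no hostname
            report["malformed"].append(lineno)
            continue
        for name in (f.lower() for f in fields[1:]):
            item = (lineno, name, str(addr))
            if addr.is_loopback and name in LOCAL_NAMES:
                report["standard"].append(item)
            elif addr.is_loopback or addr.is_unspecified:
                report["blocked"].append(item)
            else:
                report["redirected"].append(item)
    return report


if __name__ == "__main__":
    # The thread's path for the real file: %systemroot%\system32\drivers\etc\hosts
    for category, items in audit_hosts(SAMPLE_HOSTS).items():
        print(category, items)
```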
