Resolve Target Host Question

Discussion in 'Trojan Defence Suite' started by lostsoul, Jun 25, 2004.

Thread Status:
Not open for further replies.
  1. lostsoul

    lostsoul Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    13

    It seems obvious in hindsight as the odd behaviour began after I reinstalled Spybot. ::smacking hand repeatedly against forehead:: :rolleyes:

    I reckon the test will be when I go back to the Yahoo Game rooms to see if anything happens and if I get odd port readings.

    I do not feel lucky enough to try my hand at it right now.

    THANK YOU for figuring it out FanJ!!

    LS
     
  2. lostsoul

    lostsoul Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    13
    I'm falling behind on the posts as I'm just getting the hang of posting here. I just sent a reply to your post about the Hosts file and it makes perfect sense.

    I'm forever in your debt! :D

    LS
     
  3. FanJ

    FanJ Guest

    Hi Lostsoul :)

    No problem, I'm glad you seem to have fixed it :)

    I have to admit that I myself only use Spybot S&D for on-demand scanning, so I have to leave the answer why it did that on your system to other more experienced users of Spybot S&D :oops:

    If you like, since you're using TDS-3, you could add your HOSTS file to your CRCfiles.txt.
    See for more:
    TDS-3 CRC32-test Guidelines
    Please keep in mind that the CRC32 check of TDS-3 will only show if a file has been changed, but not why nor what changes have been made.

    If you like, you could always post your HijackThis-log following these guidelines:
    HOW TO? Read here about how to post your log!!
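
Added example, not part of FanJ's post and not TDS-3 code: since a CRC32 check only reports that the HOSTS file changed, this sketch pairs the checksum with an entry-level comparison that shows which mappings were added, removed or repointed, and which names resolve to something other than the local machine. `zlib.crc32` stands in for the checksum, and the function names and sample data are assumptions constructed for illustration.

```python
import ipaddress
import zlib

def parse_hosts(text):
    """Return {hostname: ip} for every mapping line; comments and blanks are ignored."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address, so not a usable mapping
        for name in fields[1:]:
            entries[name.lower()] = ip
    return entries

def is_local(ip):
    """True for loopback (127.0.0.1, ::1) and unspecified (0.0.0.0) targets."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified

def compare_hosts(baseline, current):
    """Checksum verdict plus the entry-level detail a bare checksum cannot give."""
    old, new = parse_hosts(baseline), parse_hosts(current)
    return {
        "crc_changed": zlib.crc32(baseline.encode()) != zlib.crc32(current.encode()),
        "added": {h: ip for h, ip in new.items() if h not in old},
        "removed": {h: ip for h, ip in old.items() if h not in new},
        "repointed": {h: (old[h], ip) for h, ip in new.items()
                      if h in old and old[h] != ip},
        # Names sent to another machine deserve a closer look than local block entries.
        "non_local": sorted(h for h, ip in new.items() if not is_local(ip)),
    }

# Constructed sample data, not taken from the thread.
BASELINE = "127.0.0.1 localhost\n"
CURRENT = (
    "127.0.0.1 localhost\n"
    "# block list added by a tool\n"
    "127.0.0.1 ads.example.test\n"
    "203.0.113.10 login.example.test  # points off-box\n"
)

if __name__ == "__main__":
    for key, value in compare_hosts(BASELINE, CURRENT).items():
        print(f"{key}: {value}")
```

A change that only touches comments still flips `crc_changed` while leaving `added`, `removed` and `repointed` empty, which is the case the checksum alone cannot distinguish from a real remapping.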
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there,
    followed this thread, lots to learn and to look at.

    The HOSTS file, somewhere FanJ posted to lock it, if i remember well it is right-click to see the properties and change the attributes to "read only"
    If i missed something FanJ will correct this.

    You can view your HOSTS file as well (and edit if you did not just lock it) via TDS too: TDS > System Analysis > View File > Network Hosts
    That should open your HOSTS file to look at.

    You said you can't use the wordpad and most probably notepad either in such cases.
    Look for files 0 bytes small in your TDS directory and maybe in more locations, which you can delete, certainly if they are named wordpad.exe or notepad.exe 0 bytes small. Windows makes them, TDS catches them in its directory, and thus when trying to use one of them from TDS windows looks at the 0 bytes version and thus fails. My own solution: copy the original wordpad.exe and notepad.exe from the windows directory into the TDS directory (they're only around 56 kb small so that is not too bad) and you should be able to use your wordpad and notepad well again, no matter how many times windows creates the 0 bytes version again.

    If you did not post your HiJackThis log in the forum yet, please do so for the experts to check; did not see an earlier one of you in the forums here yet?
    You could also as an extra post the AutoStartViewer log (from the DiamondCS products page) which shows even more than the HJT, but needs an expert view from Gavin.

    For the questions relating to Port Explorer if you did not do so yet please open a new thread for that in that forum so we can help you with that information.


    BTW: the portref.dat for Port Explorer (update via Port Explorer > Help > Check For > New Port and Domain Databases ) and portref.txt TDS (update downloading via the TDS website) have a different extension and way of updating, but the ports are the same.
     
  5. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Jooske - No one ever answered one of my questions above. How is it possible the host file infection was not eliminated after a reformat? His assertion that he just completed a reformat of the PC sent me completely off in a different direction. Thanks. :)
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Had the impression that came with using the SpybotS&D which seems to have changed the HOSTS file in this case after the reformat; it's the only possibility i see, unless a backup (with the same infections included) was put back on the cleansed discs.

    If it is corrected now and comes back, it's either again a SBS&D activity or a nasty on the system somewhere still.......
     
  7. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks, Jooske. I'm a little baffled as to why S&D would edit the Hosts file in that way. I use S&D, and have not seen that problem.
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Me neither, and i'm between updating it myself to see what happens or wait till more is posted about it in the forum.
     
  9. FanJ

    FanJ Guest

    Hi D&C,

    Sorry, I completely forgot your question.

    Same as you and Jooske: I have to admit that I too am not sure what was causing this thing in the HOSTS file on the system of Lostsoul :oops:
    I agree with Jooske: it would be a good idea if Lostsoul would post a HijackThis-log (and/or AutoStartViewer-log).

    Sorry again D&C !
    Cheers, Jan.
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    This is a copy of a post made by Lowwatermark, one of the administrators, which suggests it is a fault with the way Spybot adds to the hosts file and not a genuine sign of an infection

     
  11. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Very interesting! Thanks dvk01 for the info. :D
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    This explains why there was nothing added of the kind in my HOSTS file.
    FanJ i was very brave and upgraded my SBS&D, forced to as the older did not update anymore.
    Looks much better, more options.
     