something evill in my pc

something evill in my pc

bridge.dll

TDS
Scan Control Dumped @ 19:18:45 13-03-04
RegVal Trace: Suspicious: HKEY_LOCAL_MACHINE
File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [rundll=rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load]

Logfile of HijackThis v1.97.7
Scan saved at 7:55:41 PM, on 3/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\God's Shild\pg_msgprot.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Juno6\zCast.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Juno6\chkras.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\GOD\My Documents\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center\DMDownload.htm
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink Glanda\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Sothink SWF Decompiler (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37959.8340625
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27C4F970-7DFF-4A93-9D5F-49222C4658E8}: NameServer = 64.136.28.120 64.136.28.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{27C4F970-7DFF-4A93-9D5F-49222C4658E8}: NameServer = 64.136.28.120 64.136.28.133

WHAT BLAZE KILL

 

Hey Blazey,
Pieter and others will come soon. I just wanted to say that you can remove this from Hijack

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

After that ,
Start -> Run -> notepad c:\windows\system32\drivers\etc\hosts (You on XP)
[Windows 95, 98 & ME: notepad c:\windows\hosts
Windows NT & 2000: notepad c:\winnt\system32\drivers\etc\hosts
Windows XP: notepad c:\windows\system32\drivers\etc\hosts]
Then replace
203.161.127.141 www.dcsresearch.com
by
64.91.255.87   www.dcsresearch.com

Reboot or, I think the editing wont take place, and then post the fresh log

good day mate

 

is this better?

Logfile of HijackThis v1.97.7
Scan saved at 7:29:06 AM, on 3/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\God's Shild\pg_msgprot.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Juno6\zCast.exe
C:\Program Files\Juno6\chkras.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\GOD\My Documents\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center\DMDownload.htm
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink Glanda\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Sothink SWF Decompiler (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37959.8340625
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27C4F970-7DFF-4A93-9D5F-49222C4658E8}: NameServer = 64.136.28.120 64.136.28.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{27C4F970-7DFF-4A93-9D5F-49222C4658E8}: NameServer = 64.136.28.120 64.136.28.133

 

Hi Blazey,

The log is OK now.

Is the error at boot gone?

Regards,

Pieter

 

error at boot no understand i dont remember haveing an error just knew spyware on my pc that spy bot and adaware dont killl


like that bridge.dll

me no like nastys on pc
why is there eror in my registry

 

Hi Blazey,

Bridge uses a very rare startup entry.
Copy the part in bold below into notepad and save the file as whatrunpolicies.reg

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]


Then doubleclick the file you made and confirm you want to merge it with the registry.

Then reboot.

Regards,

Pieter

 

off topic

1.
Just for my understanding:

I see in Blazies posting:

TDS
Scan Control Dumped @ 19:18:45 13-03-04
RegVal Trace: Suspicious: HKEY_LOCAL_MACHINE
File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [rundll=rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load]

Why not right click that warning from TDS-3 and let TDS-3 delete it?

2.
Again for my understanding:

I see in the TDS-3 primary-list:
TrojanDownloader.Win32.Winfavorites

Is this the same one as Blaze got on his system, and as described here on the PestPatrol-site:
http://pestpatrol.com/pestinfo/w/winfavorites_bridge.asp


3.
Blaze:

As subratam told you:
In your HOSTS file:
Replace
203.161.127.141 www.dcsresearch.com
by
64.91.255.87 www.dcsresearch.com

Only when Pieter tells you that your system is clean and OK, then add your HOSTS file (the one without any extensions !!!) to your TDS-3 file crcfiles.txt (if it is not already there).
Make sure it is added with its full path.
The CRC32-checking by TDS-3 will then give you an alert in case your HOSTS file has been changed for some reason.


sorry for my off-topic posting

 

No problem FanJ,

And not really off topic either.

As to 1. What's the difference? Both TDS-3 and HijackThis will remove the Run key. Not sure if TDS covers the startup location I posted. HijackThis doesn't.

2. PestPatrol: Yes
TDS-3: No(t yet, sample sent)

3. There are lots of ways to protect your Hosts file. Not sure if, and if so which one, Blazey is using.

Regards,

Pieter

 

is this better now

lol if i only wasnt such a newbie lol

Logfile of HijackThis v1.97.7
Scan saved at 9:26:38 AM, on 3/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\God's Shild\pg_msgprot.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Juno6\zCast.exe
C:\Program Files\Juno6\chkras.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\GOD\My Documents\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center\DMDownload.htm
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink Glanda\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Sothink SWF Decompiler (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37959.8340625
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27C4F970-7DFF-4A93-9D5F-49222C4658E8}: NameServer = 64.136.28.120 64.136.28.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{27C4F970-7DFF-4A93-9D5F-49222C4658E8}: NameServer = 64.136.28.120 64.136.28.133

 

i have a qustion when you guys told me to change my host file does that mean it was tampered with

and what is a host file inquireing newbies want to know

and how do we crc protect it

not just to help me but others who to have no ideal what is a host file and why should you protect it?

 

Thanks Pieter !

Blaze,

1.
Too tired now to write everything about HOSTS.
Maybe later I'll write (again...) in the TDS-3 forum about HOSTS and the CRC32-checking of TDS-3.

2.
Í have to admit that I'm surprised not to see BOClean starting up at your system; maybe I missed it there....
I do know that you have a registred licence...
What do I see in the BOClean covered list:
391. BRIDGE
But I don't know whether this is the same nasty....

 

lol i use boclean to but only manuealy lol

i onfig it to start up manualy


only time i turn it off is when im not doing any heavy duty dowenloading and im at wilders

 

Your decision...
It's completely beyond me why you don't, but....
Are you running any AT at all resident?
Eh, did you know that (if that is what you want.... .....), you can configure BOClean to start up, do an initial scan, and then closing down?

Anyhow, do you remember whether you have run BOClean while that "nasty" was still on your system?
Did BOClean jump up?
(Maybe we have to ask Pieter ( ) to submit it too to Kevin).

 

Hi Blazy!

I don't know if the following will shed light, ANW, I found this explanation on a host file. Here:

"The short answer is that the Hosts file is like an address book. When you type an address like www.yahoo.com into your browser, the Hosts file is consulted to see if you have the IP address, or "telephone number," for that site. If you do, then your computer will "call it" and the site will open. If not, your computer will ask your ISP's (internet service provider) computer for the phone number before it can "call" that site. Most of the time, you do not have addresses in your "address book," because you have not put any there. Therefore, most of the time your computer asks for the IP address from your ISP to find sites.

If you put ad server names into your Hosts file with your own computer's IP address, your computer will never be able to contact the ad server. It will try to, but it will be simply calling itself and get a "busy signal" of sorts. Your computer will then give up calling the ad server and no ads will be loaded, nor will any tracking take place. Your choices for blocking sites are not just limited to blocking ad servers. You may block sites that serve advertisements, sites that serve objectionable content, or any other site that you choose to block."

source: http://www.accs-net.com/hosts/what_is_hosts.html


CU!

 

And BTW:
download the latest AdAware definitions and scan again.

Some quotes:

A new reference file (01R268 14.03.2004) is now available.

.
.
WinFavorites
.
.

- end quote -

 

Hate to disappoint you FanJ. AdAware doesn't find this one either.
I only submitted it today. Of course someone else may have done it before me.

The Winfavorites that was detected for the first time with this Reffile:
Vendor:WinFavorites
Category:Malware
Object Type:File
Size:40960 Bytes
Location:i:\manege (kijk uit)\oogst16-1\a.exe
Last Activity:13-3-2004 23:00:00
Risk LevelLow
Comment:
Description:No Detail Information Available.

Regards,

Pieter

 

Thanks Pieter !!!!!
I didn't know that.....

 

Hmmm. I have to correct myself.

AdAware does remove the file, but not the startup entries.

Regards,

Pieter

 

Hi Blaze,

Oops sorry my dear friend; I sounded too hard in my postings. I definitely should not have posted while I was too tired.

Sorry again buddy !

A little bit more about your question with respect to the HOSTS file:

What it is:
Uguel already posted about that (thanks Uguel ).

Why to protect it:
It could be that some nasty might make some changes in it.
For example (just only an example !) it could put the link to the Wilders-forum in it but with the wrong IP-address.
In that case you will never be able to go to the Wilders-board.
(Another discussion is whether there are actually nasties that could do such a thing...).

How to protect it:
There are all kind of ways to do that.
Maybe we should make a separate thread for that in the future (if there isn't already such a thread).
In general you can think of two different ways:
1. pre-emptive
Your HOSTS file cannot be changed.
2. after the change has made:
Some utility that warns you that your HOSTS file has been changed.

HOSTS and the CRC32-checking by TDS-3:
See my thread at the TDS-3 forum:
https://www.wilderssecurity.com/showthread.php?t=13740
Notes:
The CRC32-test by TDS-3 will only alert you after your HOSTS file has been changed.
So it is not pre-emptive.
And you have to find out by yourself why and what has been changed.

About dcsresearch:
See the advise from Subratam earlier in this thread.
For several reasons it is strongly be adviced to follow that advise.
In the past the site dcsresearch was owned by DiamondCS.
But that has been changed : that site no longer belongs to DiamondCS.
If you now make that change (as Subratam described) in your HOSTS file, you will nevertheless always go to the DiamondCS site, even when you have typed that dcsresearch link.
And: in TDS-3 is at the moment hard coded the original link to dcsresearch. It was meant to lead you by pressing F5 in TDS-3 to the DiamondCS private forum. By having the right line (as described by Subratam) in your HOSTS file, that Keyboard-Shortcut F5 in TDS-3 still leads you to the right place.

I hope I made it a little bit more clear.
Cheers, Jan.

 

thx jan that clears up alot of stuff