something evill in my pc

Discussion in 'adware, spyware & hijack cleaning' started by Mr.Blaze, Mar 13, 2004.

Thread Status:
Not open for further replies.
  1. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    something evill in my pc

    bridge.dll

    TDS
    Scan Control Dumped @ 19:18:45 13-03-04
    RegVal Trace: Suspicious: HKEY_LOCAL_MACHINE
    File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [rundll=rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load]

    Logfile of HijackThis v1.97.7
    Scan saved at 7:55:41 PM, on 3/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\God's Shild\pg_msgprot.exe
    C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HHVcdV5Sys\VC5SecS.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Juno6\zCast.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Juno6\chkras.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\FlashGet\flashget.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\GOD\My Documents\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center\DMDownload.htm
    O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink Glanda\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Sothink SWF Decompiler (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37959.8340625
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{27C4F970-7DFF-4A93-9D5F-49222C4658E8}: NameServer = 64.136.28.120 64.136.28.133
    O17 - HKLM\System\CS1\Services\Tcpip\..\{27C4F970-7DFF-4A93-9D5F-49222C4658E8}: NameServer = 64.136.28.120 64.136.28.133

    WHAT BLAZE KILL
     
  2. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hey Blazey,
    Pieter and others will come soon. I just wanted to say that you can remove this from Hijack

    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

    After that ,
    Start -> Run -> notepad c:\windows\system32\drivers\etc\hosts (You on XP)
    [Windows 95, 98 & ME: notepad c:\windows\hosts
    Windows NT & 2000: notepad c:\winnt\system32\drivers\etc\hosts
    Windows XP: notepad c:\windows\system32\drivers\etc\hosts]
    Then replace
    203.161.127.141 www.dcsresearch.com
    by
    64.91.255.87   www.dcsresearch.com

    Reboot or, I think the editing wont take place, and then post the fresh log

    good day mate
     
  3. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    :Dis this better?

    Logfile of HijackThis v1.97.7
    Scan saved at 7:29:06 AM, on 3/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\God's Shild\pg_msgprot.exe
    C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HHVcdV5Sys\VC5SecS.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Juno6\zCast.exe
    C:\Program Files\Juno6\chkras.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\GOD\My Documents\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center\DMDownload.htm
    O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink Glanda\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Sothink SWF Decompiler (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37959.8340625
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{27C4F970-7DFF-4A93-9D5F-49222C4658E8}: NameServer = 64.136.28.120 64.136.28.133
    O17 - HKLM\System\CS1\Services\Tcpip\..\{27C4F970-7DFF-4A93-9D5F-49222C4658E8}: NameServer = 64.136.28.120 64.136.28.133
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Blazey,

    The log is OK now.

    Is the error at boot gone?

    Regards,

    Pieter
     
  5. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    :eek: error at boot no understand i dont remember haveing an error just knew spyware on my pc that spy bot and adaware dont killl


    like that bridge.dll

    me no like nastys on pc
    why is there eror in my registry :oops:
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Blazey,

    Bridge uses a very rare startup entry.
    Copy the part in bold below into notepad and save the file as whatrunpolicies.reg

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]


    Then doubleclick the file you made and confirm you want to merge it with the registry.

    Then reboot.

    Regards,

    Pieter
     
  7. FanJ

    FanJ Guest

    off topic

    1.
    Just for my understanding:

    I see in Blazies posting:

    TDS
    Scan Control Dumped @ 19:18:45 13-03-04
    RegVal Trace: Suspicious: HKEY_LOCAL_MACHINE
    File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [rundll=rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load]

    Why not right click that warning from TDS-3 and let TDS-3 delete it?

    2.
    Again for my understanding:

    I see in the TDS-3 primary-list:
    TrojanDownloader.Win32.Winfavorites

    Is this the same one as Blaze got on his system, and as described here on the PestPatrol-site:
    http://pestpatrol.com/pestinfo/w/winfavorites_bridge.asp


    3.
    Blaze:

    As subratam told you:
    In your HOSTS file:
    Replace
    203.161.127.141 www.dcsresearch.com
    by
    64.91.255.87 www.dcsresearch.com

    Only when Pieter tells you that your system is clean and OK, then add your HOSTS file (the one without any extensions !!!) to your TDS-3 file crcfiles.txt (if it is not already there).
    Make sure it is added with its full path.
    The CRC32-checking by TDS-3 will then give you an alert in case your HOSTS file has been changed for some reason.


    sorry for my off-topic posting
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    No problem FanJ, :cool:

    And not really off topic either.

    As to 1. What's the difference? Both TDS-3 and HijackThis will remove the Run key. Not sure if TDS covers the startup location I posted. HijackThis doesn't.

    2. PestPatrol: Yes
    TDS-3: No(t yet, sample sent)

    3. There are lots of ways to protect your Hosts file. Not sure if, and if so which one, Blazey is using.

    Regards,

    Pieter
     
  9. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    is this better now

    lol if i only wasnt such a newbie lol

    Logfile of HijackThis v1.97.7
    Scan saved at 9:26:38 AM, on 3/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\God's Shild\pg_msgprot.exe
    C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HHVcdV5Sys\VC5SecS.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Juno6\zCast.exe
    C:\Program Files\Juno6\chkras.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\FlashGet\flashget.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\GOD\My Documents\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center\DMDownload.htm
    O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink Glanda\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Sothink SWF Decompiler (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37959.8340625
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{27C4F970-7DFF-4A93-9D5F-49222C4658E8}: NameServer = 64.136.28.120 64.136.28.133
    O17 - HKLM\System\CS1\Services\Tcpip\..\{27C4F970-7DFF-4A93-9D5F-49222C4658E8}: NameServer = 64.136.28.120 64.136.28.133
     
  10. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    i have a qustion when you guys told me to change my host file does that mean it was tampered with

    and what is a host file inquireing newbies want to know

    and how do we crc protect it

    not just to help me but others who to have no ideal what is a host file and why should you protect it?
     
  11. FanJ

    FanJ Guest

    Thanks Pieter ! :)

    Blaze,

    1.
    Too tired now to write everything about HOSTS.
    Maybe later I'll write (again...) in the TDS-3 forum about HOSTS and the CRC32-checking of TDS-3.

    2.
    Í have to admit that I'm surprised not to see BOClean starting up at your system; maybe I missed it there....
    I do know that you have a registred licence...
    What do I see in the BOClean covered list:
    391. BRIDGE
    But I don't know whether this is the same nasty....

    ;)
     
  12. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    lol i use boclean to but only manuealy lol

    i onfig it to start up manualy


    only time i turn it off is when im not doing any heavy duty dowenloading and im at wilders
     
  13. FanJ

    FanJ Guest

    Your decision...
    It's completely beyond me why you don't, but.... o_O
    Are you running any AT at all resident?
    Eh, did you know that (if that is what you want.... o_O.....), you can configure BOClean to start up, do an initial scan, and then closing down?

    Anyhow, do you remember whether you have run BOClean while that "nasty" was still on your system?
    Did BOClean jump up?
    (Maybe we have to ask Pieter ( ;) ) to submit it too to Kevin).
     
  14. Uguel707

    Uguel707 Graphic Artist

    Joined:
    Nov 9, 2002
    Posts:
    2,999
    Location:
    San Diego

    Hi Blazy! :)

    I don't know if the following will shed light, ANW, I found this explanation on a host file. Here:

    "The short answer is that the Hosts file is like an address book. When you type an address like www.yahoo.com into your browser, the Hosts file is consulted to see if you have the IP address, or "telephone number," for that site. If you do, then your computer will "call it" and the site will open. If not, your computer will ask your ISP's (internet service provider) computer for the phone number before it can "call" that site. Most of the time, you do not have addresses in your "address book," because you have not put any there. Therefore, most of the time your computer asks for the IP address from your ISP to find sites.

    If you put ad server names into your Hosts file with your own computer's IP address, your computer will never be able to contact the ad server. It will try to, but it will be simply calling itself and get a "busy signal" of sorts. Your computer will then give up calling the ad server and no ads will be loaded, nor will any tracking take place. Your choices for blocking sites are not just limited to blocking ad servers. You may block sites that serve advertisements, sites that serve objectionable content, or any other site that you choose to block."

    source: http://www.accs-net.com/hosts/what_is_hosts.html


    CU!
     
  15. FanJ

    FanJ Guest

    And BTW:
    download the latest AdAware definitions and scan again.

    Some quotes:

    A new reference file (01R268 14.03.2004) is now available.

    .
    .
    WinFavorites
    .
    .

    - end quote -
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hate to disappoint you FanJ. AdAware doesn't find this one either.
    I only submitted it today. Of course someone else may have done it before me.

    The Winfavorites that was detected for the first time with this Reffile:
    Vendor:WinFavorites
    Category:Malware
    Object Type:File
    Size:40960 Bytes
    Location:i:\manege (kijk uit)\oogst16-1\a.exe
    Last Activity:13-3-2004 23:00:00
    Risk LevelLow
    Comment:
    Description:No Detail Information Available.

    Regards,

    Pieter
     
  17. FanJ

    FanJ Guest

    Thanks Pieter !!!!!
    I didn't know that.....
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hmmm. I have to correct myself. :oops:

    AdAware does remove the file, but not the startup entries.

    Regards,

    Pieter
     
  19. FanJ

    FanJ Guest

    Hi Blaze,

    Oops sorry my dear friend; I sounded too hard in my postings. I definitely should not have posted while I was too tired.

    Sorry again buddy !

    A little bit more about your question with respect to the HOSTS file:

    What it is:
    Uguel already posted about that (thanks Uguel :D ).

    Why to protect it:
    It could be that some nasty might make some changes in it.
    For example (just only an example !) it could put the link to the Wilders-forum in it but with the wrong IP-address.
    In that case you will never be able to go to the Wilders-board.
    (Another discussion is whether there are actually nasties that could do such a thing...).

    How to protect it:
    There are all kind of ways to do that.
    Maybe we should make a separate thread for that in the future (if there isn't already such a thread).
    In general you can think of two different ways:
    1. pre-emptive
    Your HOSTS file cannot be changed.
    2. after the change has made:
    Some utility that warns you that your HOSTS file has been changed.

    HOSTS and the CRC32-checking by TDS-3:
    See my thread at the TDS-3 forum:
    https://www.wilderssecurity.com/showthread.php?t=13740
    Notes:
    The CRC32-test by TDS-3 will only alert you after your HOSTS file has been changed.
    So it is not pre-emptive.
    And you have to find out by yourself why and what has been changed.

    About dcsresearch:
    See the advise from Subratam earlier in this thread.
    For several reasons it is strongly be adviced to follow that advise.
    In the past the site dcsresearch was owned by DiamondCS.
    But that has been changed : that site no longer belongs to DiamondCS.
    If you now make that change (as Subratam described) in your HOSTS file, you will nevertheless always go to the DiamondCS site, even when you have typed that dcsresearch link.
    And: in TDS-3 is at the moment hard coded the original link to dcsresearch. It was meant to lead you by pressing F5 in TDS-3 to the DiamondCS private forum. By having the right line (as described by Subratam) in your HOSTS file, that Keyboard-Shortcut F5 in TDS-3 still leads you to the right place.

    I hope I made it a little bit more clear.
    Cheers, Jan.
     
  20. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    thx jan that clears up alot of stuff
     
Thread Status:
Not open for further replies.