Marcus, posted February 20, 2006:

How do I permanently remove hosts from my Windows Hosts File?
I have a lot of "unwanted" hosts that I want to remove permanently.
Please help.

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:00:49 PM, on 2/20/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AMD\PowerNow!\GemServ.exe
C:\Program Files\AMD\PowerNow!\gemback.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\carpserv.exe
C:\PROGRA~1\SwiftBtn\SwiftBtn.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motive\AsstCommon\motmon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Linksys\WUSB11 v25 Config Utility\WUSB11Cfg.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WLAN\WLAN\wlanutil.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [QT4StBtn] C:\PROGRA~1\SwiftBtn\SwiftBtn.EXE
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\AsstCommon\motmon.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WUSB11 v25 Config Utility\WUSB11Cfg.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136869218214
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139290816122
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: AMD PowerNow! Technology Service (GemServ) - Advanced Micro Devices - C:\Program Files\AMD\PowerNow!\GemServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

Matt, posted February 20, 2006:

Your log is clean, so you most likely have no malicious lines in your host file. However, to restore your Host file back to its original settings, follow these steps:

- Download the Hoster Here
- Please do not use program yet
- Unzip Hoster to your desktop
- Open up the Hoster program.
- Make sure that the "make hosts writable?" button in the upper right corner is enabled.
- Click back up Host files, then click Restore original host files. Close program.

If you are still having problems, please post back with a new HJT log.
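
What restoring a hosts file to its original settings amounts to, as an added Python example that is not part of the thread and is not Hoster's code: it classifies every mapping in a hosts file and rebuilds a copy that holds only comments and the default localhost entry. The sample file, its hostnames and addresses, and the names `classify` and `restored` are constructed for illustration.

```python
import ipaddress

SAMPLE_HOSTS = """\
# Constructed sample hosts file (example domains, documentation-range IPs)
127.0.0.1       localhost
127.0.0.1   ads.example.com tracker.example.net   # blocklist entry
0.0.0.0 popups.example.org
203.0.113.7     update.example.com
198.51.100.9 www.example.com  search.example.com
not-an-ip   broken.example.com
"""
DEFAULT_NAMES = {"localhost"}  # the only mapping a stock hosts file carries

def classify(text):
    """Return (line_no, ip, hostname, verdict) for every mapping in the file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop any trailing comment
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((no, fields[0], " ".join(fields[1:]), "malformed"))
            continue
        for name in (f.lower() for f in fields[1:]):
            if ip.is_loopback and name in DEFAULT_NAMES:
                verdict = "default"
            elif ip.is_loopback or ip.is_unspecified:
                verdict = "sinkhole"   # name is blocked: it resolves to this machine
            else:
                verdict = "redirect"   # name is forced to a remote address: review it
            findings.append((no, str(ip), name, verdict))
    return findings

def restored(text):
    """Rebuild the file keeping only comments, blank lines and default mappings."""
    keep = [(no, f"{ip}\t{name}") for no, ip, name, v in classify(text) if v == "default"]
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            out.append(raw)
        out.extend(entry for n, entry in keep if n == no)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(*classify(SAMPLE_HOSTS), restored(SAMPLE_HOSTS), sep="\n")
```

To audit a real file, pass its contents to `classify`; on the Windows 2000 system in this thread the file is `C:\WINNT\system32\drivers\etc\hosts`.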

Marcus, posted February 20, 2006:

Thanks.
I cleaned out my host log. But my computer is still moving slow. Here's my results from bandwith.com:

Connection           Capacity          Time
33.6 K (Modem)       33,600 bps
56 K (Modem)         56,000 bps
64 K (DS-0)          64,000 bps
128 K (ISDN)         128,000 bps
256 K (DSL)          256,000 bps
Your Connection      291,966.22 bps    <----This is where I am now.
640 K (DSL/Cable)    640,000 bps
768 K (DSL/Cable)    768,000 bps
T1, DS-1             1.544 Mbps        <----But I'm usually here.
T3, DS-3             44.736 Mbps
OC-1                 51.840 Mbps
OC-3                 155.520 Mbps
OC-12                622.080 Mbps
OC-48                2.488 Gbps
OC-192               10 Gbps

Matt, posted February 20, 2006:

Please go HERE to run Panda's ActiveScan.

- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on My Computer to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the ActiveScan report.

Marcus, posted February 21, 2006:

ActiveScan Report:

Incident                         Status             Location
Dialer:Dialer.B                  Not disinfected    C:\Program Files\Linksys\WUSB11 v25 Config Utility\WUSB11Cfg.exe
Adware:adware program            Not disinfected    C:\WINNT\ss3unstl.exe
Adware:adware/zipclix            Not disinfected    Windows Registry
Spyware:Cookie/go                Not disinfected    C:\Documents and Settings\Administrator\Cookies\administrator@go[1].txt
Spyware:Cookie/QuestionMarket    Not disinfected    C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt
Spyware:Cookie/Tribalfusion      Not disinfected    C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt
Spyware:Cookie/go                Not disinfected    C:\Documents and Settings\Administrator\Cookies\administrator@go[1].txt
Spyware:Cookie/QuestionMarket    Not disinfected    C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt
Spyware:Cookie/Tribalfusion      Not disinfected    C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt
Adware:Adware/Comet              Not disinfected    C:\Documents and Settings\Administrator.bak\Local Settings\Temp\unpack\CC_43.inf
Dialer:Dialer.B                  Not disinfected    C:\Program Files\Linksys\WUSB11 v25 Config Utility\WUSB11Cfg.exe

Matt, posted February 21, 2006:

Welcome back. Please print out these directions for use if/when you cannot access this page.

Please download the Killbox by Option^Explicit.
Note: In the event you already have Killbox, this is a new version that I need you to download.

- Save it to your desktop.
- Please double-click Killbox.exe to run it.
- Select: Delete on Reboot, then click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
  C:\WINNT\ss3unstl.exe
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

- Double-click ATF-Cleaner.exe to run the program.
- Under Main choose: Select All
- Click the Empty Selected button.

If you use Firefox browser:
- Click Firefox at the top and choose: Select All
- Click the Empty Selected button.
- NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:
- Click Opera at the top and choose: Select All
- Click the Empty Selected button.
- NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Reboot your computer, rescan with HJT, and post a fresh HJT log.

Matt

Marcus, posted February 21, 2006:

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:33:20 PM, on 2/20/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AMD\PowerNow!\GemServ.exe
C:\Program Files\AMD\PowerNow!\gemback.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\carpserv.exe
C:\PROGRA~1\SwiftBtn\SwiftBtn.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motive\AsstCommon\motmon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Linksys\WUSB11 v25 Config Utility\WUSB11Cfg.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WLAN\WLAN\wlanutil.exe
C:\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [QT4StBtn] C:\PROGRA~1\SwiftBtn\SwiftBtn.EXE
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\AsstCommon\motmon.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WUSB11 v25 Config Utility\WUSB11Cfg.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136869218214
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139290816122
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: AMD PowerNow! Technology Service (GemServ) - Advanced Micro Devices - C:\Program Files\AMD\PowerNow!\GemServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

Matt, posted February 21, 2006:

Your log is still clean. How is your system running now?

Matt

Marcus, posted February 21, 2006:

The download speed is still slower than normal, and now every minute I get a prompt to update this:
Critical Update for Windows Media Player Script Commands (KB828026), or some sort of Script Command.

Edited February 21, 2006 by Marcus

Matt, posted February 22, 2006:

Your system is clean, so I do not think your speed is due to a malware problem. About that alert, you need to run Windows Update (info provided below).

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

- Firefox - Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera is good as well.
- Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
- AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
- SpywareBlaster - Great prevention tool to keep malware from installing on your system.
- SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
- IE-SpyAd - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
- ATF Cleaner - Cleans temporary files from web browsers, and much more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
- Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
- Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Marcus, posted February 25, 2006:

Thanks for the great tools Matt. Appreciate it.

Matt, posted February 25, 2006:

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.