Mike,
Thank you very much for your help - it is appreciated.
GoZilla is version 3.9 and is the paid-for version which does not contain
spyware.
I know Kazaa Lite is the cracked version and would prefer not to use it at
all. However, try telling that to teenagers.
Clearing the cache made no difference at all. The Hosts file does not appear
to be the problem either. I can type an address in the first time and it
goes there fine. If I type the exact same address in on a second or third
attempt, it will hang. Occasionally it will hang on the first attempt too.
I have a new log from HijackThis:
Logfile of HijackThis v1.97.2
Scan saved at 14:27:48, on 14/09/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\mdm.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\J. Mason\Local Settings\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=cache1-edin.server.ntli.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.*.*
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_0/home.html"); (C:\Documents and Settings\J. Mason\Application Data\Mozilla\Profiles\default\fhcldmpt.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\J. Mason\Application Data\Mozilla\Profiles\default\fhcldmpt.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://208.158.118.13/AxisCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37586.3309027778
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{43B878E1-0899-42B4-8095-8249F994DDDD}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{43B878E1-0899-42B4-8095-8249F994DDDD}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CS2\Services\Tcpip\..\{43B878E1-0899-42B4-8095-8249F994DDDD}: NameServer = 194.168.4.100,194.168.8.100
Janice
Mike Burgess said:
Janice,
The HOSTS file entries are actually redirecting you to:
http://216.40.230.4/kazaa/ (then begs for you to send $$ to: hsds.net)
Rename your HOSTS file and see if that resolves the problem.
You can use a simple batch file to rename the HOSTS file "on-the-fly".
Download: RenHosts.bat
http://www.mvps.org/winhelp2002/hosts.htm
--
As for "Kazaa Lite"
http://www.spywareinfo.com/articles/p2p/
As for "GoZilla!"
http://www.oit.duke.edu/ats/support/spyware/gozilla.html
It is also listed here:
http://www.spywareinfo.com/bhos/
X {CD4C3CF0-4B15-11D1-ABED-709549C10000}: Goiehlp.dll - Go'Zilla
Finally I would suggest completely clearing your cache:
How To: Delete the Internet Explorer Temporary Internet Files
http://www.mvps.org/winhelp2002/delcache.htm
_______________________________________
Mike Burgess
http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 9-12-03]
Please post replies to this Newsgroup, email address is invalid
--
Janice said:
Mike,
He uses Kazaa Lite and only has it running when he's actually using it -
should I still remove the O1 entry?
We ran Spybot as well and cleaned all entries to do with Browser hijacking
and Comet cursor. Still no luck - problem is still there.
I pointed out the problem of Messenger Plus to him last night as this seemed
to happen when he updated Messenger Plus. However even after uninstalling
the program we still have the problem.
The strange thing is that it works fine when we just type in www etc for the
first time and sometimes even the second time. It will usually hang after
the third time.
Janice
Mike Burgess said:
Janice,
You still have some leftovers .......
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
Although I don't see Kazaa running, your HOSTS file *was* edited.
O2 - BHO: (no name) - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293}
- C:\PROGRA~1\Comet\Install\Temp\brbho.dll (file missing)
Leftover entry from Comet spyware ....
Note: Messenger Plus is *highly* questionable .......
You also need to reduce the amount of unneeded apps running at startup.
<snip>
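A way to check a HOSTS file for the kind of entry Mike pointed out (216.40.230.4 desktop.kazaa.com), as an added example that is not part of this thread, of HijackThis, or of the mvps.org RenHosts.bat download. It uses Python's standard ipaddress module to sort each mapping into a local sinkhole (127.0.0.1 or 0.0.0.0, which is what a blocking HOSTS file uses), an intranet mapping on a private address, or a redirect to a routable address, and it can also read "O1 - Hosts:" lines straight out of a HijackThis log. The sample HOSTS text and log fragment are constructed; the function and constant names are this example's own, and the Windows XP HOSTS path is only a default for the command-line use.

```python
"""Flag hijack-style redirections in a Windows HOSTS file.

Added example for this thread; not code from the thread, from HijackThis
or from mvps.org. The HOSTS text and HijackThis fragment below are
constructed samples; the 216.40.230.4 / desktop.kazaa.com pair is the
entry discussed in the thread.
"""
import ipaddress
import re
import sys
from dataclasses import dataclass

# Real location of the HOSTS file on Windows XP; only used as a default.
WINDOWS_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Constructed sample: the stock localhost line, one blocklist entry of the
# kind the mvps.org file adds, one intranet mapping, and the thread's redirect.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file (not a real machine's file)
127.0.0.1       localhost
0.0.0.0         ads.example.com          # blocklist entry: sinks the name locally
192.168.1.20    printer.example.lan      # intranet mapping on a private address
216.40.230.4    desktop.kazaa.com        # the redirect reported in the thread
"""

# Constructed HijackThis fragment carrying the O1 line quoted in the thread.
SAMPLE_LOG = """\
Logfile of HijackThis (constructed fragment)
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
"""

@dataclass
class HostsEntry:
    address: str
    hostnames: list
    source_line: str

def parse_hosts(text: str) -> list:
    """Parse HOSTS-file text; comments and blank or malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address, so not a mapping line
        entries.append(HostsEntry(parts[0], parts[1:], raw.rstrip()))
    return entries

_O1_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(.+)$")

def parse_hijackthis_o1(log_text: str) -> list:
    """Pull 'O1 - Hosts:' lines out of a HijackThis log into the same entry type."""
    entries = []
    for raw in log_text.splitlines():
        match = _O1_LINE.match(raw.strip())
        if match:
            entries.append(HostsEntry(match.group(1), match.group(2).split(), raw.strip()))
    return entries

def classify(entry: HostsEntry) -> str:
    """sinkhole: loopback or unspecified address (stock or blocklist entry);
    local: private or link-local address (intranet mapping);
    redirect: routable address, so traffic for the name leaves the machine."""
    addr = ipaddress.ip_address(entry.address)
    if addr.is_loopback or addr.is_unspecified:
        return "sinkhole"
    if addr.is_private or addr.is_link_local:
        return "local"
    return "redirect"

def find_redirects(entries: list) -> list:
    """Entries that need explaining or removing, as Mike advised for desktop.kazaa.com."""
    return [e for e in entries if classify(e) == "redirect"]

def report(entries: list) -> list:
    """One human-readable line per entry, prefixed with its classification."""
    return [f"{classify(e):8} {e.address:15} {' '.join(e.hostnames)}" for e in entries]

if __name__ == "__main__":
    # Pass a HOSTS file path (e.g. WINDOWS_HOSTS_PATH) to check a real file;
    # with no argument the constructed samples are used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            found = parse_hosts(fh.read())
    else:
        found = parse_hosts(SAMPLE_HOSTS) + parse_hijackthis_o1(SAMPLE_LOG)
    for line in report(found):
        print(line)
    print(f"{len(find_redirects(found))} redirect(s) found")
```

Renaming the HOSTS file, as Mike suggests, removes all of these mappings at once; the classification above is for deciding afterwards which lines to put back, since the loopback and 0.0.0.0 entries are the blocklist doing its job and only the routable-address lines send the browser somewhere else.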