Re: Search Engine Block

From: fantomaster (googlegroups_at_fantomaster.com)
Date: 10/03/03


Date: 2 Oct 2003 19:47:46 -0700

There's even more to it than outlined at McAfee's, which only gives
you the bare minimum of advice on how to get rid of this trojan's
registry manipulations:

1.
You may, for instance, have further entries under:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\"

such as e.g.:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EFF392BC-CB47-4852-8AA2-AD5C20D0D825}"

or
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{D268EF90-996F-4347-B8DD-1AACAD3E312C}"

etc.

In some or all of these, you may find a REG_SZ key tagged
"NameServer" with the rogue IP entries "64.57.146.14,69.57.147.175"
(or, possibly, similar).

Make sure you either delete these values or overwrite them with the
proper DNS data you are normally using.

2.
If your registry contains several different ControlSets (e.g.
"ControlSet001", "ControlSet002", etc.) you will want to proceed with
these as above.

3.
The same applies to deletion of the registry key value
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows "r0x""
mentioned on McAfee's site.

Thus, you may also have to delete key values such as
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\windows "r0x"", etc.

Note that there may be another "NameServer" key value featuring the
rogue IPs (see above) here, too, which you should delete.

"Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message news:<eBO4zGKiDHA.1796@TK2MSFTNGP10.phx.gbl>...
> Yes--this is real. Here's McAfee's take on this:
>
> http://vil.nai.com/vil/content/v_100719.htm
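
The checks described in the message above (every ControlSet, every subkey under Interfaces, each "NameServer" value) can be run as one read-only audit. This is an added example, not part of the original post or of McAfee's write-up; `$KnownGoodDns` and its addresses are constructed placeholders for the DNS servers you normally use.

```powershell
# Read-only audit: lists suspicious NameServer data, changes nothing.
# Assumption: $KnownGoodDns holds the resolvers you normally use (constructed sample values).
$KnownGoodDns = @('192.0.2.53', '192.0.2.54')

# CurrentControlSet plus every numbered ControlSetNNN.
$controlSets = Get-ChildItem -LiteralPath 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^(CurrentControlSet|ControlSet\d{3})$' }

$findings = foreach ($cs in $controlSets) {
    $interfaces = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\Tcpip\Parameters\Interfaces"
    if (-not (Test-Path -LiteralPath $interfaces)) { continue }

    foreach ($key in Get-ChildItem -LiteralPath $interfaces) {
        $reasons = @()

        # Adapter subkeys are named by GUID; anything else (such as "windows") is worth a look.
        if ($key.PSChildName -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
            $reasons += 'subkey name is not an adapter GUID'
        }

        # NameServer is a string holding comma- or space-separated addresses.
        $raw = $key.GetValue('NameServer')
        $servers = @("$raw" -split '[,\s]+' | Where-Object { $_ })
        $unknown = @($servers | Where-Object { $KnownGoodDns -notcontains $_ })
        if ($unknown.Count -gt 0) {
            $reasons += 'NameServer not in known-good list: ' + ($unknown -join ',')
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ControlSet = $cs.PSChildName
                Subkey     = $key.PSChildName
                NameServer = $raw
                Reason     = $reasons -join '; '
            }
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

An empty result means no interface key in any control set carries a static NameServer outside the known-good list and no non-GUID subkey exists; interfaces configured purely by DHCP have an empty NameServer and are not reported.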


