1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Important Hijack this log.

Discussion in 'Virus & Other Malware Removal' started by Nardito, Sep 28, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. Nardito

    Nardito Thread Starter

    Joined:
    Aug 16, 2003
    Messages:
    17
    Yo this one is weird.

    Logfile of HijackThis v1.96.0
    Scan saved at 8:59:21 PM, on 9/28/2003
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\PCTVOICE.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\LEXMARKX73\ACMONITOR_X73.EXE
    C:\PROGRAM FILES\LEXMARKX73\ACBTNMGR_X73.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\PHOTO IMAGING\HPI_MONITOR.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WND.EXE
    C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.retrogames.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    O1 - Hosts: 88.88.88.88 elite
    O1 - Hosts: 207.44.220.30 www.google.akadns.net
    O1 - Hosts: 207.44.220.30 www.google.com
    O1 - Hosts: 207.44.220.30 www.altavista.com
    O1 - Hosts: 207.44.220.30 altavista.com
    O1 - Hosts: 207.44.220.30 uk.search.yahoo.com
    O1 - Hosts: 207.44.220.30 ca.search.yahoo.com
    O1 - Hosts: 207.44.220.30 jp.search.yahoo.com
    O1 - Hosts: 207.44.220.30 au.search.yahoo.com
    O1 - Hosts: 207.44.220.30 de.search.yahoo.com
    O1 - Hosts: 207.44.220.30 search.yahoo.co.jp
    O1 - Hosts: 207.44.220.30 www.lycos.de
    O1 - Hosts: 207.44.220.30 www.lycos.ca
    O1 - Hosts: 207.44.220.30 www.lycos.jp
    O1 - Hosts: 207.44.220.30 www.lycos.co.jp
    O1 - Hosts: 207.44.220.30 alltheweb.com
    O1 - Hosts: 207.44.220.30 web.ask.com
    O1 - Hosts: 207.44.220.30 ask.com
    O1 - Hosts: 207.44.220.30 www.ask.com
    O1 - Hosts: 207.44.220.30 www.teoma.com
    O1 - Hosts: 207.44.220.30 search.aol.com
    O1 - Hosts: 207.44.220.30 www.looksmart.com
    O1 - Hosts: 207.44.220.30 ca.search.msn.com
    O1 - Hosts: 207.44.220.30 fr.ca.search.msn.com
    O1 - Hosts: 207.44.220.30 search.fr.msn.be
    O1 - Hosts: 207.44.220.30 search.fr.msn.ch
    O1 - Hosts: 207.44.220.30 search.latam.yupimsn.com
    O1 - Hosts: 207.44.220.30 search.msn.at
    O1 - Hosts: 207.44.220.30 search.msn.be
    O1 - Hosts: 207.44.220.30 search.msn.ch
    O1 - Hosts: 207.44.220.30 search.msn.co.in
    O1 - Hosts: 207.44.220.30 search.msn.co.jp
    O1 - Hosts: 207.44.220.30 search.msn.co.kr
    O1 - Hosts: 207.44.220.30 search.msn.com.br
    O1 - Hosts: 207.44.220.30 search.msn.com.hk
    O1 - Hosts: 207.44.220.30 search.msn.com.my
    O1 - Hosts: 207.44.220.30 search.msn.com.sg
    O1 - Hosts: 207.44.220.30 search.msn.com.tw
    O1 - Hosts: 207.44.220.30 search.msn.co.za
    O1 - Hosts: 207.44.220.30 search.msn.de
    O1 - Hosts: 207.44.220.30 search.msn.dk
    O1 - Hosts: 207.44.220.30 search.msn.es
    O1 - Hosts: 207.44.220.30 search.msn.fi
    O1 - Hosts: 207.44.220.30 search.msn.fr
    O1 - Hosts: 207.44.220.30 search.msn.it
    O1 - Hosts: 207.44.220.30 search.msn.nl
    O1 - Hosts: 207.44.220.30 search.msn.no
    O1 - Hosts: 207.44.220.30 search.msn.se
    O1 - Hosts: 207.44.220.30 search.ninemsn.com.au
    O1 - Hosts: 207.44.220.30 search.t1msn.com.mx
    O1 - Hosts: 207.44.220.30 search.xtramsn.co.nz
    O1 - Hosts: 207.44.220.30 search.yupimsn.com
    O1 - Hosts: 207.44.220.30 uk.search.msn.com
    O1 - Hosts: 207.44.220.30 search.lycos.com
    O1 - Hosts: 207.44.220.30 www.lycos.com
    O1 - Hosts: 207.44.220.30 www.google.ca
    O1 - Hosts: 207.44.220.30 www.google.uk
    O1 - Hosts: 207.44.220.30 www.google.co.uk
    O1 - Hosts: 207.44.220.30 www.google.com.au
    O1 - Hosts: 207.44.220.30 www.google.co.jp
    O1 - Hosts: 207.44.220.30 www.google.jp
    O1 - Hosts: 207.44.220.30 www.google.at
    O1 - Hosts: 207.44.220.30 www.google.be
    O1 - Hosts: 207.44.220.30 www.google.ch
    O1 - Hosts: 207.44.220.30 www.google.de
    O1 - Hosts: 207.44.220.30 www.google.se
    O1 - Hosts: 207.44.220.30 www.google.dk
    O1 - Hosts: 207.44.220.30 www.google.fi
    O1 - Hosts: 207.44.220.30 www.google.fr
    O1 - Hosts: 207.44.220.30 www.google.com.gr
    O1 - Hosts: 207.44.220.30 www.google.com.hk
    O1 - Hosts: 207.44.220.30 www.google.ie
    O1 - Hosts: 207.44.220.30 www.google.co.il
    O1 - Hosts: 207.44.220.30 www.google.it
    O1 - Hosts: 207.44.220.30 www.google.co.kr
    O1 - Hosts: 207.44.220.30 www.google.com.mx
    O1 - Hosts: 207.44.220.30 www.google.nl
    O1 - Hosts: 207.44.220.30 www.google.co.nz
    O1 - Hosts: 207.44.220.30 www.google.pl
    O1 - Hosts: 207.44.220.30 www.google.pt
    O1 - Hosts: 207.44.220.30 www.google.com.ru
    O1 - Hosts: 207.44.220.30 www.google.com.sg
    O1 - Hosts: 207.44.220.30 www.google.co.th
    O1 - Hosts: 207.44.220.30 www.google.com.tr
    O1 - Hosts: 207.44.220.30 www.google.com.tw
    O1 - Hosts: 207.44.220.30 go.google.com
    O1 - Hosts: 207.44.220.30 google.at
    O1 - Hosts: 207.44.220.30 google.be
    O1 - Hosts: 207.44.220.30 google.dk
    O1 - Hosts: 207.44.220.30 google.fi
    O1 - Hosts: 207.44.220.30 google.fr
    O1 - Hosts: 207.44.220.30 google.com.hk
    O1 - Hosts: 207.44.220.30 google.ie
    O1 - Hosts: 207.44.220.30 google.co.il
    O1 - Hosts: 207.44.220.30 google.it
    O1 - Hosts: 207.44.220.30 google.co.kr
    O1 - Hosts: 207.44.220.30 google.com.mx
    O1 - Hosts: 207.44.220.30 google.nl
    O1 - Hosts: 207.44.220.30 google.co.nz
    O1 - Hosts: 207.44.220.30 google.pl
    O1 - Hosts: 207.44.220.30 google.com.ru
    O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [PCCPFW] C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37814.8791435185
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38

    an also when I try to acces a site i can't and on the status bar it says proxy settings or something like that. So i turn off my cable modem and turn it on again and it works. But i cant connecto to msn messenger. what the hell is wrong?
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    See if this helps.

    Put checks in ALL the 01 entries in the HijackThis Scanlog.

    Also check:

    O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL


    >> Close all browser windows and click "fix checked".

    Then find and delete: c:\windows\winshow.dll
     
  3. Nardito

    Nardito Thread Starter

    Joined:
    Aug 16, 2003
    Messages:
    17
    Whenver i open an Internet explorer window, the status bar says:Detecting Proxy settings. And just stays there and doesn't open any website. Sometimes it opens but its when i turn off the cable modem and turn it on again when the dial up connection tries to connect.

    I did what you told me but the same thing keeps happening.
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,192
    First Name:
    Derek
    looking at your log, you have both pcccillin firewall & sygate firewall running, that is not a good idea as each will block the other, you only need one firewall

    some ISP have inline proxies and that is often detected by IE

    open IE/tools/options/connections/and press lan settings/untick use a proxy server and see if that helps, but pcccillin pop check uses an inbuilt proxy to check email and that might be the problem
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I agree and also think you have a problem with a PC-Cillin conflict.

    Possibly the "Poptrap" component, but it's hard to say. I've seen quite a few PC-cillin issues now.

    Leave Sygate's firewall in place temporarily at least and run msconfig and try unchecking all PC-cillin entries under the startup tab long enough to test. If the problem does not persist, re-enable components selectively to see when it starts.

    Be careful with your browsing and e-mail habits during any period in which you are without antivirus protection.

    I would also leave either one or the other firewall running at all times.

    I don't see any indication of a proxy configuration in the Scanlog, but go to Internet Options > Connections, and under the "settings" tab for your connection, make sure "use proxy server" and "use configuration script" are NOT checked. (I believe this might be under LAN, for a DSL connection)

    If "automatically detect settings" is not checked, try checking it.
     
  6. Nardito

    Nardito Thread Starter

    Joined:
    Aug 16, 2003
    Messages:
    17
    I did all that and the problem is still there.

    maybe i should remove this??

    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
     
  7. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Good point, those entries in theory should be pointing to your ISP's domain name servers. But that doesn't look like it is.
     
  8. Nardito

    Nardito Thread Starter

    Joined:
    Aug 16, 2003
    Messages:
    17
    so what should i do? should i remove that??
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Yes, definitely.

    Sometimes these will get recreated, but I wouldn't expect that to.

    Also post a fresh HijackThis Scanlog if the problem is not resolved so we can see if everything that should have been removed, has been.
     
  10. Nardito

    Nardito Thread Starter

    Joined:
    Aug 16, 2003
    Messages:
    17
    Logfile of HijackThis v1.96.0
    Scan saved at 10:58:07 PM, on 9/29/2003
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\PCTVOICE.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\LEXMARKX73\ACMONITOR_X73.EXE
    C:\PROGRAM FILES\LEXMARKX73\ACBTNMGR_X73.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\PHOTO IMAGING\HPI_MONITOR.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WND.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\MIRC\MIRC.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [PCCPFW] C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37814.8791435185
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38

    .
     
  11. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Well if the problem is still occuring and you have followed all the previous instructions to ensure there is no proxy service being configured in your Internet Options > Connections settings, I'm not sure what else there is.

    You still have two firewalls going which is not good practice.

    I would run msconfig and UNcheck EVERY entry under the Startup tab except the Sygate firewall, ScanRegistry and StateMgr and see if you still have the problem.

    You can also try "fixing" this entry with HijackThis, as I'm not sure it is installed by your ISP:

    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38

    By the way, I have seen some cases where HijackThis does not detect all the entries in the Hosts file. So it might be a good idea to find hosts in the Windows directory and rename it ghosts

    It is not a default startup. Ignore hosts.sam and lmhosts.sam, these are sample files and not the active one, which has no extension.
     
  12. cniehaus

    cniehaus

    Joined:
    Oct 4, 2003
    Messages:
    4
    The problem you are seeing is caused by a virus that was identified Sep 30th as the QHOSTS-1 Virus, (AKA Trojan.Qhosts)

    I just removed it from my computer - had me baffled for 2 days.
    :mad:

    For more info check: (Partial quote below)
    I used the remover, and that did not do the job. I had to turn off the system restore for XP and do the manual removal
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100719
    (quoted @ bottom), and perform the critical updates before it was wiped out. :D
    I did notice from the removal program that the viral file was sitting in an internet temp folder under my wife's login (on XP) - Thanks Honey!

    More info see Symantic Security Response:
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html

    *****(Quote from Symantic Security Response)*****
    Trojan.Qhosts is a Trojan Horse that will modify the TCP/IP settings to point to a different DNS server.

    Trojan.Qhosts cannot spread by itself. For a computer to become infected, you would have to open an HTML page that contains code, which allows it to open a viral HTML file on the target computer, so that the script can create and run the malicious executable.

    Symantec Security Response has developed a removal tool to repair damage from infections of Trojan.Qhosts.

    Symantec Security Response has received reports that visiting a specific page on www.fortunecity.com caused a popup to be displayed that redirected the visitor to a different web page. Being redirected to the web page appears to have caused the trojan to be downloaded to a visitor's system and then executed. Reports also state that the threat exploited the Internet Explorer Object Data Remote Execution vulnerability on several victims' computers to execute itself.

    Microsoft has released a cumulative patch for this vulnerability, available here.

    ***** Removal Instructions That Worked for Me *****
    Removal Instructions

    All Windows Users :
    Use current engine and DAT files for detection and removal.

    The following EXTRA.DAT packages are being made available prior to the regularly scheduled weekly DAT release (working with EXTRA.DAT files ).

    EXTRA.DAT
    SUPER EXTRA.DAT

    Manual Removal Instructions

    Apply the MS03-040 patch
    Delete the following files:

    %WinDir%\Help\hosts
    %WinDir%\winlog
    Set the following registry key value (Information on editing registry keys ):
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    Tcpip\Parameters "DataBasePath" = %SystemRoot%\System32\drivers\etc
    Delete the following registry key value (Information on deleting registry keys ):
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
    Services\Tcpip\Parameters\Interfaces\windows "r0x"
    Reconfigure your DNS server settings as desired
    Reconfigure your Internet Explorer settings as desired
    Additional Windows ME/XP removal considerations
     
  13. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/168164

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice