
[Resolved] cannot use search engines

Discussion in 'Virus & Other Malware Removal' started by robnshan, Oct 4, 2003.

  1. robnshan

    robnshan Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    5
    Hello,

    I had the "Internet Optimizer" on my computer. I ran Ad-Aware and deleted all the references to money/DfLy... Anyhow, I also deleted the folder with Internet Optimizer in it. Now, I cannot use any search engines to search on the web. When I type a URL, no problem. Only trying to search. Here is a copy of my HijackThis file after Ad-Aware was run. I seem to have a lot of host files but do not know how to take care of this. I need step by step instructions. Anything else you see hindering me, please let me know.

    Thanks in advance

    Rob

    Logfile of HijackThis v1.97.2
    Scan saved at 10:04:19 AM, on 10/4/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\PROGRAM FILES\IVASION\WINPOET\WINPPPOVERETHERNET.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
    C:\PROGRAM FILES\SAITEK\SAITEK GAMING EXTENSIONS\SAICNFIG.EXE
    C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\MY DOCUMENTS\OLD HARD DRIVE\MY DOCUMENTS\DOWNLOADS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nascar.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O1 - Hosts: 127.127.127.127 elite
    O1 - Hosts: 207.44.194.56 www.google.com
    O1 - Hosts: 207.44.194.56 google.com
    O1 - Hosts: 207.44.194.56 www.altavista.com
    O1 - Hosts: 207.44.194.56 altavista.com
    O1 - Hosts: 207.44.194.56 search.yahoo.com
    O1 - Hosts: 207.44.194.56 uk.search.yahoo.com
    O1 - Hosts: 207.44.194.56 ca.search.yahoo.com
    O1 - Hosts: 207.44.194.56 jp.search.yahoo.com
    O1 - Hosts: 207.44.194.56 au.search.yahoo.com
    O1 - Hosts: 207.44.194.56 de.search.yahoo.com
    O1 - Hosts: 207.44.194.56 search.yahoo.co.jp
    O1 - Hosts: 207.44.194.56 www.lycos.de
    O1 - Hosts: 207.44.194.56 www.lycos.ca
    O1 - Hosts: 207.44.194.56 www.lycos.jp
    O1 - Hosts: 207.44.194.56 www.lycos.co.jp
    O1 - Hosts: 207.44.194.56 alltheweb.com
    O1 - Hosts: 207.44.194.56 web.ask.com
    O1 - Hosts: 207.44.194.56 ask.com
    O1 - Hosts: 207.44.194.56 www.ask.com
    O1 - Hosts: 207.44.194.56 www.teoma.com
    O1 - Hosts: 207.44.194.56 search.aol.com
    O1 - Hosts: 207.44.194.56 www.looksmart.com
    O1 - Hosts: 207.44.194.56 search.msn.com
    O1 - Hosts: 207.44.194.56 auto.search.msn.com
    O1 - Hosts: 207.44.194.56 ca.search.msn.com
    O1 - Hosts: 207.44.194.56 fr.ca.search.msn.com
    O1 - Hosts: 207.44.194.56 search.fr.msn.be
    O1 - Hosts: 207.44.194.56 search.fr.msn.ch
    O1 - Hosts: 207.44.194.56 search.latam.yupimsn.com
    O1 - Hosts: 207.44.194.56 search.msn.at
    O1 - Hosts: 207.44.194.56 search.msn.be
    O1 - Hosts: 207.44.194.56 search.msn.ch
    O1 - Hosts: 207.44.194.56 search.msn.co.in
    O1 - Hosts: 207.44.194.56 search.msn.co.jp
    O1 - Hosts: 207.44.194.56 search.msn.co.kr
    O1 - Hosts: 207.44.194.56 search.msn.com.br
    O1 - Hosts: 207.44.194.56 search.msn.com.hk
    O1 - Hosts: 207.44.194.56 search.msn.com.my
    O1 - Hosts: 207.44.194.56 search.msn.com.sg
    O1 - Hosts: 207.44.194.56 search.msn.com.tw
    O1 - Hosts: 207.44.194.56 search.msn.co.za
    O1 - Hosts: 207.44.194.56 search.msn.de
    O1 - Hosts: 207.44.194.56 search.msn.dk
    O1 - Hosts: 207.44.194.56 search.msn.es
    O1 - Hosts: 207.44.194.56 search.msn.fi
    O1 - Hosts: 207.44.194.56 search.msn.fr
    O1 - Hosts: 207.44.194.56 search.msn.it
    O1 - Hosts: 207.44.194.56 search.msn.nl
    O1 - Hosts: 207.44.194.56 search.msn.no
    O1 - Hosts: 207.44.194.56 search.msn.se
    O1 - Hosts: 207.44.194.56 search.ninemsn.com.au
    O1 - Hosts: 207.44.194.56 search.t1msn.com.mx
    O1 - Hosts: 207.44.194.56 search.xtramsn.co.nz
    O1 - Hosts: 207.44.194.56 search.yupimsn.com
    O1 - Hosts: 207.44.194.56 uk.search.msn.com
    O1 - Hosts: 207.44.194.56 search.lycos.com
    O1 - Hosts: 207.44.194.56 www.lycos.com
    O1 - Hosts: 207.44.194.56 www.google.ca
    O1 - Hosts: 207.44.194.56 google.ca
    O1 - Hosts: 207.44.194.56 www.google.uk
    O1 - Hosts: 207.44.194.56 www.google.co.uk
    O1 - Hosts: 207.44.194.56 www.google.com.au
    O1 - Hosts: 207.44.194.56 www.google.co.jp
    O1 - Hosts: 207.44.194.56 www.google.jp
    O1 - Hosts: 207.44.194.56 www.google.at
    O1 - Hosts: 207.44.194.56 www.google.be
    O1 - Hosts: 207.44.194.56 www.google.ch
    O1 - Hosts: 207.44.194.56 www.google.de
    O1 - Hosts: 207.44.194.56 www.google.dk
    O1 - Hosts: 207.44.194.56 www.google.fi
    O1 - Hosts: 207.44.194.56 www.google.fr
    O1 - Hosts: 207.44.194.56 www.google.com.gr
    O1 - Hosts: 207.44.194.56 www.google.com.hk
    O1 - Hosts: 207.44.194.56 www.google.ie
    O1 - Hosts: 207.44.194.56 www.google.co.il
    O1 - Hosts: 207.44.194.56 www.google.it
    O1 - Hosts: 207.44.194.56 www.google.co.kr
    O1 - Hosts: 207.44.194.56 www.google.com.mx
    O1 - Hosts: 207.44.194.56 www.google.nl
    O1 - Hosts: 207.44.194.56 www.google.co.nz
    O1 - Hosts: 207.44.194.56 www.google.pl
    O1 - Hosts: 207.44.194.56 www.google.pt
    O1 - Hosts: 207.44.194.56 www.google.com.ru
    O1 - Hosts: 207.44.194.56 www.google.com.sg
    O1 - Hosts: 207.44.194.56 www.google.co.th
    O1 - Hosts: 207.44.194.56 www.google.com.tr
    O1 - Hosts: 207.44.194.56 www.google.com.tw
    O1 - Hosts: 207.44.194.56 google.at
    O1 - Hosts: 207.44.194.56 google.be
    O1 - Hosts: 207.44.194.56 google.de
    O1 - Hosts: 207.44.194.56 google.dk
    O1 - Hosts: 207.44.194.56 google.fi
    O1 - Hosts: 207.44.194.56 google.fr
    O1 - Hosts: 207.44.194.56 google.com.hk
    O1 - Hosts: 207.44.194.56 google.ie
    O1 - Hosts: 207.44.194.56 google.co.il
    O1 - Hosts: 207.44.194.56 google.it
    O1 - Hosts: 207.44.194.56 google.co.kr
    O1 - Hosts: 207.44.194.56 google.com.mx
    O1 - Hosts: 207.44.194.56 google.nl
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [WinPoET] C:\Program Files\iVasion\WinPoET\WinPPPoverEthernet.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
    O4 - HKLM\..\Run: [SAITEKAUTOCONFIGURE] C:\Program Files\Saitek\Saitek Gaming Extensions\saicnfig.exe /autorun
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37592.9154398148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Check and "fix" all the O1 entries in the Scanlog.

    Also check and fix:

    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    >> you are also a good candidate for the new IE cumulative Patch. See the pinned link at the top of the forum.
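    Added example, not part of this thread and not HijackThis code: a short Python script that reads the O1 (hosts file) and O17 (registry NameServer) lines of a scanlog like the one posted above and flags the same entries Rollin' Rog says to fix. The log text inside it is a constructed excerpt that reuses a few of the posted lines; the list of search-engine name fragments is an assumption you would extend for your own users.

```python
"""Flag the O1 (hosts file) and O17 (registry DNS) lines of a HijackThis
log that redirect search engines.

Added example, not part of this thread and not HijackThis code.  SAMPLE_LOG
is a constructed excerpt in the HijackThis v1.97 line format that reuses a
handful of the entries posted in the thread.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nascar.com/
O1 - Hosts: 127.127.127.127 elite
O1 - Hosts: 207.44.194.56 www.google.com
O1 - Hosts: 207.44.194.56 google.com
O1 - Hosts: 207.44.194.56 search.yahoo.com
O1 - Hosts: 207.44.194.56 search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
""".strip()

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O17_RE = re.compile(r"^O17 - .*NameServer = (\S+)")

# Name fragments of the engines targeted in the posted log.  Assumption:
# extend this for whatever search sites your users actually rely on.
SEARCH_ENGINE_MARKERS = ("google.", "yahoo.", "msn.", "lycos.", "altavista.",
                         "alltheweb.", "ask.", "teoma.", "aol.", "looksmart.")


def parse_log(text):
    """Return ([(ip, hostname), ...], [nameserver, ...]) from O1/O17 lines."""
    hosts, nameservers = [], []
    for line in text.splitlines():
        m = O1_RE.match(line)
        if m:
            hosts.append((m.group(1), m.group(2).lower()))
            continue
        m = O17_RE.match(line)
        if m:
            # HijackThis prints several servers comma-separated.
            nameservers.extend(s for s in m.group(1).split(",") if s)
    return hosts, nameservers


def is_search_engine(hostname):
    return any(marker in hostname for marker in SEARCH_ENGINE_MARKERS)


def find_hosts_hijacks(hosts, min_names=2):
    """Group O1 entries by target address.  The hosts file is consulted before
    DNS, so a non-loopback address that fronts several search-engine names
    silently sends every search to that machine instead of the real site."""
    by_ip = defaultdict(list)
    for ip, name in hosts:
        by_ip[ip].append(name)
    findings = []
    for ip, names in by_ip.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; not a redirection we can reason about
        if addr.is_loopback:
            continue  # 127.x entries block a name rather than redirect it
        hijacked = sorted(n for n in names if is_search_engine(n))
        if len(hijacked) >= min_names:
            findings.append((ip, hijacked))
    return findings


def suspicious_nameservers(nameservers):
    """Return O17 NameServer values that point at a public address.  A
    resolver hard-coded in the registry overrides the one the ISP hands
    out, so any public address here should be checked against the ISP's
    real resolvers before it is trusted."""
    out = []
    for ns in nameservers:
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            continue
        if addr.is_global:
            out.append(ns)
    return out


if __name__ == "__main__":
    hosts, nameservers = parse_log(SAMPLE_LOG)
    for ip, names in find_hosts_hijacks(hosts):
        print(f"O1 hijack -> {ip}: {', '.join(names)}")
    for ns in suspicious_nameservers(nameservers):
        print(f"O17 NameServer points outside the LAN: {ns}")
```

    Run against the constructed excerpt it reports 207.44.194.56 fronting four search-engine names and the public NameServer 216.127.92.38. Loopback targets are deliberately skipped: a 127.x hosts entry blocks a name (the usual ad-blocking trick) rather than redirecting it, and the "elite" line in the posted log is that kind of entry. A registry NameServer is not automatically malicious, which is why the script only lists public addresses for a human to compare with the ISP's real resolvers.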
     
  3. amthmi

    amthmi

    Joined:
    Mar 23, 2002
    Messages:
    519
    Rollin' Rog , I have a question on what procedure a person should perform first.
    It looks as if ( I could be incorrect) robnshan was a victim of the Trojan.Qhosts which
    was just discovered October 1st.
    Reference:
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html

    If that is the case then....
    Should a person run the "Fix" from Symantec prior to having HijackThis fix the entries ?
    Should a person have HijackThis fix the entries and then run the Symantec fix ?
    The Symantec fix isn't needed if the entries are fixed with HijackThis.

    If it is the Trojan.Qhosts, it seems to make a lot of registry changes that should be addressed.

    Then install the new IE cumulative Patch which you referenced.

    Would appreciate any clarification you could provide.
     
  4. hewee

    hewee

    Joined:
    Oct 26, 2001
    Messages:
    57,791
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It really won't matter which way you do it, but the problem won't be "fixed" until those Hosts entries are removed, and I don't think that is something the Symantec tool can figure out.
     
  6. amthmi

    amthmi

    Joined:
    Mar 23, 2002
    Messages:
    519
    Thanks Rollin' Rog. I also read the additional post to your pinned thread.
    Thanks hewee that link was helpful also.
     
  7. robnshan

    robnshan Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    5
    Well it took me two times to get rid of all those host files by checking the boxes and clicking fix. I do have my browsers back - wahooo !!! I downloaded the patches from Microsoft. However, I did not see anything to download from Symantec? Was there something on that page to download for the Qhosts trojan? I did not see anything. Also, how do I get rid of the trojan from showing up again. Thanks for your help guys !!!!!

    rob
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    The Symantec tool can be found on this page:

    http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html

    I grant you it didn't stand out very much on the original link, just a "named" url called "tool".

    Best to run it as it probably checks for registry entries that don't appear in the HijackThis scanlog.

    The cumulative update and the Windows Media Player patches should be sufficient. I think, but I'm not absolutely sure, that a similar hijack can be run exploiting an older version of Virtual Machine.

    If you want to avoid the Windows Update site for that, you can get it here:

    http://www2.whidbey.com/djdenham/VM.htm

    If you want to know your current version number for Virtual Machine, open a command prompt and enter:

    jview

    The one on the Whidbey site is the last and will be 3810
     
  9. robnshan

    robnshan Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    5
    Well I think I am rid of it. Thanks very much for your help. I can't believe how great everyone is to help out each other here !!!

    The only problem I have now is when I boot up, it takes several times. I come up with a warning saying my display adapter is damaged or incompatible. Could I have done something in the removal of my Qhosts? Should I reload my video drivers or is it the monitor drivers?

    Thanks
     
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I can't imagine what in the qhosts removal might have damaged the display adapter, but that sounds like what the message is referring to. So yes, those should be removed and reinstalled.

    Sometimes it is sufficient just to remove them from the Device Manager and reboot. Windows "may" automatically redetect and reload the drivers.

    But the better method is to check the Vendors page for any updates, and make sure you have the latest. Just follow their instructions for installing, which in most cases is just running their setup program.
     
  11. robnshan

    robnshan Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    5
    Thanks Rollin' Rog. You have been a great help. Everything seems back to normal.
     
  12. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Good to hear and thanks for the follow-up.
     
Short URL to this thread: https://techguy.org/169495