
XP: DNS Hijack and more. Nothing is working!

Discussion in 'Virus & Other Malware Removal' started by VirtualSteve, May 3, 2010.

Thread Status:
Not open for further replies.
  1. VirtualSteve

    VirtualSteve Thread Starter

    Joined:
    May 3, 2010
    Messages:
    57
    I hope there is an easy solution to this, as I'm pulling what's left of my hair out. I'll try to list the sequence of events that led to this, as I remember them ....

    My Gateway MX series laptop (running Windows XP) was reporting some kind of virus, though it has Norton Internet Security running. I did a virus scan, and Norton at first reported that nothing was found; then gave me a window (w/Norton's logo) reporting a virus, and asking if I wanted it repaired. I clicked YES and it seemed to delete the problem. HOWEVER, Internet Explorer (and also Google Chrome) could not load any web site, even though the computer reported that the wireless signal was strong. Other computers in the house could get on the internet with no problem.

    I clicked in and out of network setup, wireless setup, and anything else in Control Panel that looked like it could help ... rebooted, etc., and STILL no internet access. THEN trying some other advice given to me, I opened MSCONFIG and tried to disable some non-microsoft (and non-intel) processes.

    THE RESULT is that nothing works anymore. The system boots and gets to the desktop fine, but nothing works. Internet Explorer won't open. Windows Explorer will open but if I try to click and drag files to back them up, it doesn't work. The only thing in the tray on the bottom right corner of the screen is the Quick Time logo. It no longer shows the time, date, network status, etc. I don't think Norton is running anymore, and if I click on its icon it doesn't respond.

    So I ran MSCONFIG again ... everything is checked yet many of the items have the status STOPPED.

    Finally, I tried to Restore a Prior Configuration, and I get an error something like "SYSTEM RESTORE CANNOT PROTECT YOUR SYSTEM, REBOOT AND TRY AGAIN". I reboot, but the same message keeps coming up.

    I was going to restore Windows, but I can't back the PC up so a lot of things would be lost, so I don't want to do this if I don't have to.

    HELP!!!!!!!!!!!!!!!!!!!!!!!

    Thanks
     
  2. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,796
    Use a working computer and a USB flash drive to copy the following fix. Then, plug the flash drive to your faulty computer and save the .reg file to your desktop.

    Try this fix: EXEFIX

    Save the .reg file to your desktop. Double-click it to merge it to the registry.

    Reboot.

    If the fix only opens as a text file, right-click it and select Open With > Choose Program... Then, select the Registry Editor.

    If the Registry Editor is not in the list, browse to C:\WINDOWS and select regedit.
     
  3. VirtualSteve

    VirtualSteve Thread Starter

    Joined:
    May 3, 2010
    Messages:
    57
    Thanks Phantom ..... A couple of questions: 1). I should have no problem saving that .reg file to a flash drive on another computer, but since Windows Explorer on my computer doesn't seem to be allowing me to drag & drop files, I don't know if I will be able to move the .reg file from the flash drive. Will it work if I open it right from the flash drive (assuming that the bad computer will even let me open the file at all)? If I'm able to do this, will the reboot start all those processes that are STOPPED? Finally, I read something about SERVICES.MSC ..... do you think this could help my problem if I run it? .... Thanks again, I'll be trying this tonight.
     
  4. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,796
    It's normal to see Stopped services. It only means they are set to Manual and will start when needed by applications.

    Don't drag and drop the file. Simply right-click the .reg file on the USB flash drive and select Save As... Or, copy and paste it.
     
  5. VirtualSteve

    VirtualSteve Thread Starter

    Joined:
    May 3, 2010
    Messages:
    57
    Okay .... I was able to bring the .reg file over and double-click on it. The computer asked if I wanted to include the file's contents in the registry, and I said yes; then I rebooted. NOTHING.

    Still, nothing is working. I get to the desktop, but no services are active. I went into Task Manager, and under the "Processes" tab, the only thing using any CPU is "System Idle Process". Also, this is the only item on this list with the user = SYSTEM.

    On my working computer, there is a whole list of things with user = SYSTEM, such as svchost.exe and alg.exe and a bunch of other things; but "System Idle Process" is the only thing with user = SYSTEM on the bad PC. I gotta get these things running.
     
  6. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,796
    Read the following about the default settings for Services:

    http://tweakhound.com/xp/defserv.htm

    Check your services and set accordingly. To get to Services, click Start > Run > type services.msc

    As for your non-Microsoft services, start the ones you need, especially your antivirus, firewall, or connectivity service.
     
  7. VirtualSteve

    VirtualSteve Thread Starter

    Joined:
    May 3, 2010
    Messages:
    57
    Hi again .... I went to the link and compared all the settings to what is in my faulty computer. All but 4 of them match. The 4 that do not match are:
    1). Removable Storage ... default is Manual; my pc is Disabled.
    2). Security Center ... default is Automatic; my pc is disabled.
    3). SSDP Discovery Service ... default is Manual; my pc is Automatic.
    4). Windows Image Acquisition (WIA) ... default is Manual; my pc is Automatic.

    Not that the above settings are causing my problem, HOWEVER I tried to change the settings .... I right-click, then click on Properties, BUT the Properties dialog box will not display!?

    Is it possible that I do not have administrator rights, even though there is only one user profile, namely OWNER?

    Anyway, STILL NOTHING IS WORKING. For instance, Norton is set to Automatic, yet it is not running. This is driving me crazy.

    I appreciate all your help ... I hope you have something else for me to try.
     
  8. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,796
    If you can get HijackThis running on that computer,

    Please click here to download and install version 2.0.2 of the HijackThis Installer.

    Run it and select Do a system scan and save a logfile.

    The log will be saved in Notepad. Copy and paste the log in your next post.

    Do not fix anything
     
  9. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,796
    As for the services, if you can open the Registry Editor, click Start > Run > type regedit. You can change the Startup Type for the services, in the registry:

    For Removable Storage:

    Go to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtmsSvc

    For Security Center:

    Go to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc

    For SSDP Discovery Service:

    Go to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV

    For Windows Image Acquisition (WIA):

    Go to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stisvc

    In the right-hand pane, look at the DWORD Start.

    The last number at the end of the entry will be either:

    (0) for Boot.

    (1) for System.

    (2) for Automatic.

    (3) for Manual.

    (4) for Disabled.

    If you want to change the value, double-click on Start and change the number accordingly.
     
  10. VirtualSteve

    VirtualSteve Thread Starter

    Joined:
    May 3, 2010
    Messages:
    57
    I will try to download and install HijackThis tonight. I'll have to download it on a good pc and copy it to a flash drive to do it. I hope I can install it from the flash drive as the faulty PC is not letting me copy/move files at all ("Save As" doesn't even come up as an option). Also, I won't be able to move the log file back to the good PC in order to copy/paste it, so I'll have to read it off of the bad PC and type it free-hand on the good one in a reply to you. I hope it won't be too long.

    Thanks for sticking with me!
     
  11. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,796
    Be prepared to spend the whole night at it!

    Why don't you copy the log to your flash drive?

    Have you tried the instructions from post #9?
     
  12. andyspeake

    andyspeake

    Joined:
    May 10, 2007
    Messages:
    1,543
  13. VirtualSteve

    VirtualSteve Thread Starter

    Joined:
    May 3, 2010
    Messages:
    57
    Ok. I was able to save the log file to the flash drive. It's the first time I was able to move any file anywhere off of the faulty PC. Here are the contents ... As instructed, I did not fix anything; just ran the program and created the log. I hope this helps. Thanks

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:08:45 PM, on 5/5/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\ctfmon.exe
    c:\program files\real\realplayer\RealPlay.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    F2 - REG:system.ini: Shell=
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coIEPlg.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Cookie Washer\washidx.exe "Owner"
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner.YOUR-46CDB6B949\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKLM\..\Policies\Explorer\Run: [] 
    O4 - HKUS\S-1-5-21-807075554-751005099-1671666195-1006\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork (User '?')
    O4 - HKUS\S-1-5-21-807075554-751005099-1671666195-1006\..\Run: [Google Update] "C:\Documents and Settings\Owner.YOUR-46CDB6B949\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
    O4 - HKUS\S-1-5-21-807075554-751005099-1671666195-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-18\..\RunOnce: [] (User '?')
    O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Go PlaySushi! - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - C:\Program Files\PlaySushi\PSText.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3CFE3178-27FB-4EA8-A041-F50E669299BE}: NameServer = 93.188.162.114,93.188.166.102
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F7BC0227-5B47-4D80-9A12-739A964A7595}: NameServer = 93.188.162.114,93.188.166.102
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.114,93.188.166.102
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3CFE3178-27FB-4EA8-A041-F50E669299BE}: NameServer = 93.188.162.114,93.188.166.102
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.114,93.188.166.102
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3CFE3178-27FB-4EA8-A041-F50E669299BE}: NameServer = 93.188.162.114,93.188.166.102
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.162.114,93.188.166.102
    O17 - HKLM\System\CS3\Services\Tcpip\..\{3CFE3178-27FB-4EA8-A041-F50E669299BE}: NameServer = 93.188.162.114,93.188.166.102
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.114,93.188.166.102
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Filter hijack: text/html - {ff74ff31-fb76-4d07-9351-92e80748456e} - (no file)
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
    --
    End of file - 8180 bytes
     
  14. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,796
    Your computer is infected with a DNS hijacker, among other things. Please click on Report and kindly ask to be moved to the Malware Removal & HijackThis Logs forum. From there, be patient. You should get an answer within the next 48 hours. These guys are really busy!
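
The DNS finding in the log above can be picked out mechanically. The following is an added example, not part of the original thread and not HijackThis's own logic: it reads HijackThis-style lines and reports static `NameServer` values (O17) that are neither on the local network nor in a caller-supplied allow-list, plus Internet Explorer `ProxyServer` values that point at a local listener. The names `triage`, `is_expected_resolver` and `trusted_resolvers` are assumptions made for this sketch; the sample lines are copied from the log posted in this thread.

```python
import ipaddress
import re

# Excerpt copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CFE3178-27FB-4EA8-A041-F50E669299BE}: NameServer = 93.188.162.114,93.188.166.102
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.114,93.188.166.102
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")   # "O17 - <body>"
NAMESERVER = re.compile(r"NameServer = (.+)$")
PROXY = re.compile(r"ProxyServer = (.+)$")


def is_expected_resolver(addr, trusted):
    """Expected means: on the LAN (e.g. the home router) or explicitly trusted."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or any(ip in net for net in trusted)


def triage(log_text, trusted_resolvers=()):
    """Return (section, reason, raw_line) for DNS/proxy entries worth a closer look."""
    trusted = [ipaddress.ip_network(n) for n in trusted_resolvers]
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header lines, process list, blank lines
        section, body = m.groups()
        ns = NAMESERVER.search(body)
        if section == "O17" and ns:
            # The value is comma- or space-separated; an unparsable item is flagged too.
            for addr in re.split(r"[,\s]+", ns.group(1).strip()):
                try:
                    ok = is_expected_resolver(addr, trusted)
                except ValueError:
                    ok = False
                if not ok:
                    findings.append((section, f"static DNS server {addr} is not a LAN or trusted resolver", line.strip()))
        px = PROXY.search(body)
        if section in ("R0", "R1") and px:
            # Value is "host:port" or "http=host:port;https=host:port".
            for part in px.group(1).split(";"):
                host = part.split("=")[-1].rsplit(":", 1)[0]
                if host in ("127.0.0.1", "localhost"):
                    findings.append((section, f"proxy points at local listener {part.strip()}", line.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, raw in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n      {raw}")
```

A flagged entry is a lead to verify against what the ISP or router actually hands out, not a verdict; pass the resolvers you do use as `trusted_resolvers` (CIDR strings) to suppress them.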
     
  15. VirtualSteve

    VirtualSteve Thread Starter

    Joined:
    May 3, 2010
    Messages:
    57
    Phantom, Thank You for all your help. I'll ask to be moved as you suggested.
     

Short URL to this thread: https://techguy.org/920802
