jmkraft
Premium Member
join:2002-04-11
Paris, IL

IE Problem - HiJackThis Log

hijackthis3.zip
1,667 bytes
(hijackthis3.txt)
I have been trying to solve this problem in this post »[IE6.x] IE will not work and am still having the same problem: Can sign onto dialup ISP but cannot surf the 'net (cannot ping anything either).

I have tried Adaware, lspfix, winsockfix, cwshredder, trojanhunter, spybot, and using SFC /scannow to repair IE6.x.

I also ran through all the available suggestions in »Security »I think my computer is infected or hijacked. What should I do? (»I think my computer is hijacked. What should I do?)
except for the online scans for obvious reasons.

This problem started when I used Spybot to get rid of some search toolbars that my wife "accidentally" let load and then started receiving a lot of pop-ups. When I came home last week for 2 weeks leave (I am in the Army and stationed in Saudi Arabia) I tried to fix it like I have hundreds of times (use spybot, delete off HHD, delete from registry) and now cannot use IE 6.x. Attached is my latest hijackthis log if someone can help me. I am going back to SA in 4 days.

Thanks

Sparrow
Crystal Sky
Premium Member
join:2002-12-03
Sachakhand

Logfile of HijackThis v1.97.7
Scan saved at 6:07:20 AM, on 11/28/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\WINDOWS\System32\kxmixer.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\TrojanHunter 3.7\TrojanHunter.exe
C:\Documents and Settings\John\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.centurytel.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://totalinternet.snap.com:8005/channel/search/0,11,totalinternet-0,00.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.centurytel.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50039
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\System32\kxmixer.exe --startup
O4 - HKLM\..\Run: [DXXLFIVF] C:\WINDOWS\DXXLFIVF.exe
O4 - HKLM\..\Run: [WZADG] C:\WINDOWS\WZADG.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 3.7\THGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/x3ro1.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director6/cabs/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

satburn
Premium Member
join:2003-06-03
Columbia, MO

satburn to jmkraft

O4 - HKLM\..\Run: [DXXLFIVF] C:\WINDOWS\DXXLFIVF.exe
O4 - HKLM\..\Run: [WZADG] C:\WINDOWS\WZADG.exe

What are these???

Shooting off the hip, it would sound like a proxy setting issue. Since you can hook up to your ISP but can't go anywhere make sure something hasn't put a setting (that isn't normally there) under the LAN Settings under IE's connection options.

Sparrow
Crystal Sky
Premium Member
join:2002-12-03
Sachakhand

I am not an expert with HT logs, but this can be removed:
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

I can not find anything on these two:
O4 - HKLM\..\Run: [DXXLFIVF] C:\WINDOWS\DXXLFIVF.exe
O4 - HKLM\..\Run: [WZADG] C:\WINDOWS\WZADG.exe

These are cab files - do you have any idea what they are for?
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - »www.netpaloffers.net/NetpalOffers/DMO1..

Please check this one from SmileyCentral
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - »imgfarm.com/images/nocache/funwebprodu..
SmileyCentralInitialSetup1.0.0.6.cab

dp
MVM
join:2000-12-08
Greensburg, PA

dp to jmkraft

No log expert but the following are troublesome.

Kill the running process - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

More info on this at »www.safersite.com/PestIn ··· arch.asp

Let HJT fix the following:

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe

(belt.exe is Abetterinternet adware related)

EGeezer
Premium Member
join:2002-08-04
Midwest

EGeezer to jmkraft

Re: IE Problem - DNS ?

Could be you have a DNS issue - if you can ping a site by IP but not by url, outbound DNS requests may be blocked somewhere on your PC or at the ISP - (UDP port 53, sometimes TCP port 53). It's also possible inbound replies are being blocked. If you can PING a known IP address like one of yahoo.com's at 66.218.71.198 but can't PING www.yahoo.com or the DNS IPs in your IP config, that would be a good clue.

This could be caused by a firewall setting, your IP configuration or a login problem that would be something for your ISP to resolve.

I haven't seen it in dialup connections, but some very early firmware releases of Netgear routers had problems in this area.

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane to Sparrow

Re: IE Problem - HiJackThis Log

It is odd that Adaware could not fix some of these items. What is the latest ref. file you have for that?

You need to disable System Restore during the fixes if you have not done so already.
(How to disable or enable System Restore in Windows XP)
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

After a scan with HiJackThis, first close all browsers and open windows, place an x in the box next to the following items and hit *fix checked*.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »totalinternet.snap.com:8005/channel/se..

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = »www.websearch.com/ie.aspx?tb_id=50039

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [DXXLFIVF] C:\WINDOWS\DXXLFIVF.exe

O4 - HKLM\..\Run: [WZADG] C:\WINDOWS\WZADG.exe

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - »www.netpaloffers.net/NetpalOffers/DMO1..

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - »imgfarm.com/images/nocache/funwebprodu..

Next, restart your computer in Safe Mode
If you don't know how to boot into safe mode, read this:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

Delete the following:

MyWebSearch (folder)

belt.exe (file)

Submit (but don't delete yet) the two following suspicious files to Adaware & Spybot for analysis:
C:\WINDOWS\DXXLFIVF.exe
C:\WINDOWS\WZADG.exe


http://www.lavahelp.com/submit/
submissions@spywareinfo.com

You may also send them to the list in the FAQ
http://www.dslreports.com/faq/8428
...............
Reboot your PC back into normal mode, and run a fresh scan with HijackThis, post the log.

There may be some I missed and we need to find out what the two suspicious files are before proceeding on those (however, the fix above by HJT should have stopped them from running at startup).

crane
Premium Member
join:2000-12-31
Sebastian, FL

crane to jmkraft

It may not mean anything, but the last 3 entries in my "hijack" log are registry items pertaining to DNS servers and TCP/IP. I don't see any such thing in his log.
Makes sense sorta... no internet.

I see a lot of things in there I wouldn't be scared to delete.

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

said by crane:
It may not mean anything, but the last 3 entries in my "hijack" log are registry items pertaining to DNS servers and TCP/IP.

If you are speaking of the Downloaded Program Files (O16 - DPF) items, only two are spyware parasites that I have included in the list to fix above.

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - »www.netpaloffers.net/NetpalOffers/DMO1.. =FavoriteMan Parasite »www.doxdesk.com/parasite ··· Man.html

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - »imgfarm.com/images/nocache/funwebprodu.. =Identified by SpywareBlaster as FunWebProducts (spyware)

The other two are harmless, but if deleted can just be downloaded again by the program when it is run.

jmkraft
Premium Member
join:2002-04-11
Paris, IL

jmkraft to CalamityJane

I did what CJ suggested, only the C:\WINDOWS\DXXLFIVF.exe and C:\WINDOWS\WZADG.exe were no longer there after deleting MyWebSearch and Belt.exe.

New Log:

Logfile of HijackThis v1.97.7
Scan saved at 1:38:05 PM, on 11/28/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\WINDOWS\System32\kxmixer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\John\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.centurytel.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.centurytel.net/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\System32\kxmixer.exe --startup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.7\THGuard.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director6/cabs/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Sparrow
Crystal Sky
Premium Member
join:2002-12-03
Sachakhand

Sparrow to jmkraft

It looks like everything CJ said to get rid of is gone. That's the good news.

Now, are you able to get back online yet?

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane to jmkraft

Your new log looks good, jmkraft. I don't see anything else malicious in there.

dp
MVM
join:2000-12-08
Greensburg, PA

dp to jmkraft

Kudos to CalamityJane. jmkraft, are you now able to surf and ping okay?

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane to jmkraft

said by dp:
are you now able to surf and ping okay?

I'm wondering that too, dp and Crystal Sky

Since you only have a short time left at home, take just a little bit of time to secure that PC before you leave.

Here are some great prevention tips and tools in a very nice short write up from TonyKlein:

So how did I get infected in the first place?
»www.computercops.biz/pos ··· 736.html

You need to be sure to get the Windows Updates (all the critical ones if you don't have them yet).

At least get the SpywareBlaster & SpywareGuard and make sure your wife knows how to update them and does that often (at least once a week to check for updates)

Update your Adaware if you haven't done that.

Get an Antivirus Program (I don't see one running?). You can find several free ones and some very good paid ones listed up in the updates Sticky at the top of the forum.

I would also follow Tony's advice on some basic changes in your IE security settings (disable Active X and set to prompt or disable).

jmkraft
Premium Member
join:2002-04-11
Paris, IL

No, I still cannot surf yet. Any other ideas?

Thanks.

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

What kind of error are you getting?

If you have tried IE repair and the LSPfix, have you tried uninstalling/reinstalling IE?

jmkraft
Premium Member
join:2002-04-11
Paris, IL

The error is the "The page cannot be displayed" message. I cannot ping any sites, I cannot browse to any sites. All I can do is sign on to my dial-up internet connection.

My IE is set to auto detect settings, no proxy server. IE just quit working when I deleted MySearch, Hotbar, and 2 others that hijacked my browser.

I have not tried uninstalling/reinstalling IE yet.

anthrorules
Premium Member
join:2003-09-14
Rollinsville, CO

Manually check your HOSTS file in Windows\System32\DRIVERS\etc and make sure that it is either blank or the nasties have been deleted.

Also, look in the Windows\Help folder to make sure that there is no HOSTS file in that folder.

Also, run the following command:

ipconfig/flushdns

in your command prompt.

Then double check your TCP/IP properties in your Dialup Adapter settings. Make sure that your Primary and Secondary DNS server settings have not been inadvertently deleted or changed to something else that won't work.

Have you tried using another web browser to browse the web?

jmkraft
Premium Member
join:2002-04-11
Paris, IL

I did the ipconfig/flushdns
No changes in the TCP/IP
The only thing in the hosts file is:
"127.0.0.1 local host"

No hosts files in the Windows\Help folder

I have no other browser (but I will d/l one right now to check it out.)

jmkraft

Netscape 7.1 did not work either.

anthrorules
Premium Member
join:2003-09-14
Rollinsville, CO

I think it's time for a System Restore, if you have a clean restore point. And then start over. Sorry, that is the only advice I have...

Zupe
MVM
join:2001-11-29
New York, NY

Zupe to jmkraft

Did you try the suggestion Kramer posted in your other thread?

jmkraft
Premium Member
join:2002-04-11
Paris, IL

jmkraft to anthrorules

I would like to thank everyone for their help. System Restore did the trick (I should have thought of that 2 days ago...). Now I get to clean the computer out again...

Thanks.

dp
MVM
join:2000-12-08
Greensburg, PA

said by jmkraft:
I would like to thank everyone for their help. System Restore did the trick (I should have thought of that 2 days ago...). Now I get to clean the computer out again...

Thanks.

I take it that you are connecting and surfing okay now? Before you let Spybot remove anything this time can you post a screenshot of what it is flagging?

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane to jmkraft

Hi jmkraft

When you run the various programs to clean, just remember to keep fixed items in recovery (Spybot) and quarantine (Adaware) until you are sure the PC is running properly. They are rendered harmless in the backups but also anything that might be causing a problem when fixed can be restored and brought to the attention of the developers for a new fix if necessary. HiJackThis will also keep backups of anything fixed with that program automatically.

Once the PC is clean and you are sure all programs are working properly you can then go back and remove the items Spybot/Adaware/HJT etc. have in those backups.

Good Luck!

CalamityJane to jmkraft

Also, be sure to get the latest updates for All of these: Spybot, Adaware, CWShredder - all have had recent updates added (Adaware had one just last night) and CWShredder had a new Ver. 1.37.0. Spybot last updated on Nov. 24th.

jmkraft
Premium Member
join:2002-04-11
Paris, IL

jmkraft to dp

I have already started getting rid of them the correct way (add/remove programs). It was the MySearch and Search Assistant toolbars that were causing the problems when spybot removed them (I had to restore again). They also did not let me turn on the generic firewall in XP and they were unchecked in the spybot scan (everything else was checked). I checked them, then hit fix selected items, and could not connect again until I did a system restore again. I will post the remaining entries in a sec.

jmkraft to CalamityJane

Here is my new hijackthis log...

Logfile of HijackThis v1.97.7
Scan saved at 7:53:50 AM, on 11/29/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\WINDOWS\System32\kxmixer.exe
C:\Program Files\ClearSearch\Loader.exe
C:\WINDOWS\System32\SahAgent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\John\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://totalinternet.snap.com:8005/channel/search/0,11,totalinternet-0,00.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.centurytel.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://totalinternet.snap.com:8005/channel/search/0,11,totalinternet-0,00.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.centurytel.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://totalinternet.snap.com:8005/channel/search/0,11,totalinternet-0,00.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.centurytel.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://totalinternet.snap.com:8005/channel/search/0,11,totalinternet-0,00.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\System32\kxmixer.exe --startup
O4 - HKLM\..\Run: [DXXLFIVF] C:\WINDOWS\DXXLFIVF.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [WZADG] C:\WINDOWS\WZADG.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.7\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/x3ro1.cab
O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8108/turbo.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director6/cabs/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/ASH19108/ashton.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www101.coolsavings.com/download/cscmv5X.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37819.8343402778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A736FB9F-4F41-411E-B191-CF6103C02DC9}: NameServer = 209.142.136.85 209.206.199.16

crane
Premium Member
join:2000-12-31
Sebastian, FL

said by crane:
It may not mean anything, but the last 3 entries in my "hijack" log are registry items pertaining to DNS servers and TCP/IP. I don't see any such thing in his log.
Makes sense sorta... no internet.

I see a lot of things in there I wouldn't be scared to delete.

It was the last entry that was causing the "no internet" problem. See it there.... #O17

jmkraft
Premium Member
join:2002-04-11
Paris, IL

Does that (O17 - HKLM\System\CCS\Services\Tcpip\..\{A736FB9F-4F41-411E-B191-CF6103C02DC9}: NameServer = 209.142.136.85 209.206.199.16)
have anything to do with MySearch and Search Assistant toolbars? When I did the add/remove programs with those 2, then used spybot and adaware for the rest, I kept my internet connection.
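
The log comparison the posters do by eye in this thread, as an added example that is not part of any post: it parses HijackThis entry lines, diffs two scans, and pulls out the O10 (LSP) and O17 (NameServer) entries. The function names are hypothetical, and the two sample logs are short excerpts constructed from the 1:38 PM 11/28 and 7:53 AM 11/29 logs above.

```python
import re

# A HijackThis entry line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Sections tied to connectivity in the logs above: O10 (LSP), O17 (NameServer).
NETWORK_SECTIONS = {"O10", "O17"}

# Constructed excerpt of the 11/28 1:38 PM log (no connectivity; most lines omitted).
LOG_NO_CONNECTIVITY = r"""
Logfile of HijackThis v1.97.7
Scan saved at 1:38:05 PM, on 11/28/2003
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.centurytel.net/
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\System32\kxmixer.exe --startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
"""

# Constructed excerpt of the 11/29 log taken after System Restore (most lines omitted).
LOG_AFTER_RESTORE = r"""
Logfile of HijackThis v1.97.7
Scan saved at 7:53:50 AM, on 11/29/2003
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.centurytel.net/
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\System32\kxmixer.exe --startup
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A736FB9F-4F41-411E-B191-CF6103C02DC9}: NameServer = 209.142.136.85 209.206.199.16
"""


def parse_log(text):
    """Return the log's entries as (section, body) tuples, in file order."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2).strip()))
    return entries


def section_key(entry):
    """Sort O4 before O10 by comparing the numeric part of the section code."""
    code, body = entry
    return (code[0], int(code[1:]), body.lower())


def diff_logs(old_text, new_text):
    """Return (removed, added): entries only in the old log, entries only in the new."""
    old, new = set(parse_log(old_text)), set(parse_log(new_text))
    return sorted(old - new, key=section_key), sorted(new - old, key=section_key)


def network_entries(text):
    """Entries from the sections that describe the Winsock chain and DNS servers."""
    return [entry for entry in parse_log(text) if entry[0] in NETWORK_SECTIONS]


def name_servers(text):
    """DNS server addresses listed in O17 NameServer entries."""
    servers = []
    for code, body in parse_log(text):
        _, found, value = body.partition("NameServer =")
        if code == "O17" and found:
            servers.extend(value.replace(",", " ").split())
    return servers


if __name__ == "__main__":
    removed, added = diff_logs(LOG_NO_CONNECTIVITY, LOG_AFTER_RESTORE)
    for code, body in removed:
        print(f"- {code} - {body}")
    for code, body in added:
        print(f"+ {code} - {body}")
    print("network entries before:", network_entries(LOG_NO_CONNECTIVITY))
    print("name servers after:", name_servers(LOG_AFTER_RESTORE))
```

Run on full logs, the same diff also shows which autorun entries come back after a restore, which is the list to re-check before the next cleanup pass.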