Quick Question

Discussion in 'adware, spyware & hijack cleaning' started by Rainwalker, May 25, 2004.

Thread Status:
Not open for further replies.
  1. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Please take a look... I have been having some problems with my coming through my firewall of late, and Process Explorer shows what looks to me like strange stuff indeed... security scans turn up nothing... the HijackThis log line I am interested in is the one with only a file number and no information... also, is there anything else here I can 'Fix'?
    TIA... very kind of you folks to help us with this service.

    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Rainwalker,

    If you mean this line:
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -

    That CLSID belongs to Windows Update. Why it is now blank after the dash, I don't know.

    Could you please post your entire HijackThis log so we can see if there is anything else going on that could be causing your problems.

    Regards,

    snap
     
  3. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Hi snapdragin.....here it is

    Logfile of HijackThis v1.97.7
    Scan saved at 3:24:22 PM, on 5/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ProcessGuard\dcsuserprot.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\TBPanel.exe
    C:\Program Files\Java\j2re1.5.0\bin\jusched.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\program files\spybot - search & destroy\teatimer.exe
    C:\Program Files\ID-Blaster Plus\idblasterplus.exe
    C:\Program Files\MRU-Blaster\scheduler.exe
    C:\Program Files\ProcessGuard\procguard.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Port Explorer\PortExplorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Highjackthis\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alltheweb.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alltheweb.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\teatimer.exe
    O4 - Startup: ID-Blaster Plus.lnk = C:\Program Files\ID-Blaster Plus\idblasterplus.exe
    O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: Process Guard.lnk = C:\Program Files\ProcessGuard\procguard.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Trashcan (HKCU)
    O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DE3439E5-11B9-4C6F-A9AE-57926DA9B297}: NameServer =
     
  4. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Anyone with any thoughts on this posting :doubt:
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Rainwalker,

    The items you listed in your first post are all fine. :)

    You could change this line in your Hosts file though to bring it up-to-date.
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    As FanJ advises in this thread, replace this line in your Hosts file with the new one.

    About this line:
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing

    Do not fix it as the 'imon.dll' file is NOT missing but in fact is actually there, as it should be when IMON is enabled. Right now HijackThis isn't detecting it properly so it is saying it is missing. Hopefully that will be fixed in a future release of HijackThis and that line won't show up as it is at the present. So this one is good and nothing to worry about.

    With this line:
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -

    As I mentioned in my first post above, I am not sure why it isn't showing the entire line. It is actually the first time I've seen it like that. The CLSID does belong to Windows Update. If you can still get to Windows Update OK, then I wouldn't worry about it. I don't want to say fix it in case it causes any trouble with not letting you get to the Windows Update site afterwards. Probably the next time you go to Windows Update the line will fix itself as the cab file will be reinstalled (enable ActiveX when you visit the Microsoft Update site).


    I am not seeing anything in your log that would cause you problems with your firewall. You mentioned seeing "strange stuff in Process Explorer". Do you mean Process Guard, or Port Explorer? You might want to ask over in the DiamondCS forum about what you are seeing there. Others will be able to post replies in the other forum, whereas they cannot in the hijack cleaning forum.

    Regards,

    snap
     
    Last edited: May 27, 2004
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    One more thing. Maybe you edited it out, but this looks kind of orphaned:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DE3439E5-11B9-4C6F-A9AE-57926DA9B297}: NameServer =

    There should either be a network name or an IP address (most likely belonging to your provider) after the "=" sign.

    Regards,

    Pieter
     
  7. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Hello snapdragin... thank you... helpful :) ....... BTW, Process Explorer.

    Hello Pieter... thank you for mentioning that... yes, I edited it out.
     
  8. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    How do I change the hosts file (where is it)?
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands

    C:\WINDOWS\system32\drivers\etc\hosts

    The file has no extension, open it in notepad and you can edit it like any text-file.

    Regards,

    Pieter
     
  10. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Pieter... thanks, but it seems I am unable to remove the old hosts file... I highlight >> edit >> delete and the bloody thing keeps coming back... wondering if the TDS hosts file has been updated? If so then I can reinstall TDS.
    TIA
     
  11. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Rainwalker,

    You do not have to remove the HOSTS file. Just open it up in Notepad, then find the old entry that looks like this:

    203.161.127.141 www.dcsresearch.com

    Just take that part out and put in the new entry (below)

    64.91.255.87 www.dcsresearch.com

    Then save the HOSTS file, but be sure it has no extension added to it.

    I did post a link above where FanJ explains it very well. :)

    Regards,

    snap
     
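An added example (not from this thread or from FanJ's post) showing the edit snapdragin describes, done on hosts-file text in Python: the old dcsresearch entry is swapped for the new one while comments and other lines are left alone, and a lookup shows which address the resolver would use before and after. It works on a constructed sample string rather than the real file; writing the result back to C:\WINDOWS\system32\drivers\etc\hosts still requires the file to be writable and saved with no extension.

```python
from typing import List, Optional, Tuple

# Constructed sample HOSTS text for this example; not a real file from the thread.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.161.127.141 www.dcsresearch.com   # old TDS entry
203.161.127.141 dcsresearch.com www.dcsresearch.com
"""

def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) for each active entry; comments and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].split()
        if len(body) >= 2:
            entries.append((body[0], body[1:]))
    return entries

def lookup(text: str, hostname: str) -> Optional[str]:
    """First matching entry wins, which is how the resolver reads HOSTS."""
    for ip, names in parse_hosts(text):
        if hostname.lower() in (n.lower() for n in names):
            return ip
    return None

def replace_host_ip(text: str, hostname: str, new_ip: str) -> Tuple[str, int]:
    """Point every entry for `hostname` at `new_ip`, keeping everything else.

    A line that maps several names keeps the other names on the old address
    and gets a separate new line for `hostname`. Returns (new_text, changed).
    """
    out, changed = [], 0
    for line in text.splitlines():
        body, sep, comment = line.partition("#")
        parts = body.split()
        names = parts[1:]
        if len(parts) >= 2 and hostname.lower() in (n.lower() for n in names):
            others = [n for n in names if n.lower() != hostname.lower()]
            trailing = (" " + sep + comment) if sep else ""
            if others:
                out.append(" ".join([parts[0]] + others) + trailing)
                out.append(f"{new_ip} {hostname}")
            else:
                out.append(f"{new_ip} {hostname}{trailing}")
            changed += 1
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), changed
```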
  12. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Hi snapdragin... sorry, I was not clear enough... I did not delete the file itself but attempted to delete 203.161.127.141 www.dcsresearch.com, after which I typed in 64.91.255.87 www.dcsresearch.com
    ... when I tried to close the window I received error messages saying that the path was wrong... I tried various combinations hoping something would take, but the change attempt always reverted back to 203.161.127.141 www.dcsresearch.com
    Maybe there is something I am doing wrong but I cannot imagine what... I'll do a chkdsk later and maybe that will help... I'll post results.
     
  13. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Ran chkdsk /r to no avail... will go to the TDS forum (here) and see if the hosts file has been updated... if so, will reinstall.
     
  14. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Rainwalker,

    I can't understand why you are unable to save the HOSTS file again with just changing a line in it. That is strange.

    Make sure you are still saving the Hosts file to the correct location:
    C:\WINDOWS\system32\drivers\etc\ <-- in this folder.

    Regards,

    snap
     
  15. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Hi again snapdragin... yes, I am in the correct location, and although I have tried different ways to change it there ('Replace' etc.) nothing works... interesting that it will change and stay changed in Hosts.txt but not in the file itself... the error message I get is: Cannot create C:\windows\system32\drivers\etc\hosts file... make sure that the path and file name are correct.
     
  16. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
  17. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Thanks again for hanging in there snapdragin....that fixed it :D
     
  18. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Hi snapdragin
    You wrote:

    With this line:
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -

    As I mentioned in my first post above, am not sure why it isn't showing the entire line. It is actually the first time I've seen it like that. The CLSID does belong to Windows Update. If you can still get to windows update ok, then I wouldn't worry about it. I dont' want to say fix it incase it causes any troubles with not letting you get to Windows Update site afterwards. Probably the next time you go to Windows Update the line will fix itself as the cab file will be reinstalled (enable ActiveX when you visit Microsoft Update site.)

    Updated and it fixed it... you were right ;)
     