HOSTS file problems

Warren

Hi all,
Got a problem with the HOSTS file on this machine. All web browser and
PING requests just seem to be completely ignoring it. I can confirm:

- the file is called HOSTS (without an extension located in
%SystemRoot%\System32\drivers\etc)
- The registry key
(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters)
points to this directory
- I have tried resetting the TCP/IP stack (with netsh int ip reset
<logpath>)
- Done a full malware scan
- Used winsock fix

All of which are to no avail and I am now completely stumped. Can
anyone please help?

Many Thanks
Warren
 
Chuck

Warren,

The TCP/IP reset, and WinsockFix, are 2 of the 6 possible LSP repairs that you
can do.
http://nitecruzr.blogspot.com/2005/05/problems-with-lsp-winsock-layer-in.html

You looked at your Hosts file contents? What is the problem? Are there
specific entries in there that don't get used? Are they for external
(Internet), or for internal (LAN) access?

Did you search for Hosts, explicitly, on the computer? Did you examine the
contents, exhaustively?
http://nitecruzr.blogspot.com/2005/05/dealing-with-malware-adware-spyware.html#Hosts
http://nitecruzr.blogspot.com/2005/10/check-your-hosts-file-very-carefully.html

How did you look for malware? Did you post a HijackThis log on an expert help
forum (if so can you provide the link to your thread there?)?
http://nitecruzr.blogspot.com/2005/05/dealing-with-malware-adware-spyware.html#Hosts
 
Guest

Try this: Go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters and
make sure that the "DataBasePath" is set to "REG_EXPAND_SZ" without the "".

-Javi
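
A read-only PowerShell check of the points raised so far in the thread (the value type of DataBasePath, the directory it resolves to, the exact file name, and whether each entry parses), added here as an example and not posted by anyone in the thread. It assumes PowerShell is available on the machine; the variable names are illustrative.

```powershell
# Added diagnostic sketch (not from the thread). Read-only: it changes nothing.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$key     = Get-Item -Path $keyPath

# 1. The value type matters: only REG_EXPAND_SZ gets %SystemRoot% expanded.
$kind = $key.GetValueKind('DataBasePath')
$raw  = $key.GetValue('DataBasePath', $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
"DataBasePath type : $kind"
"DataBasePath raw  : $raw"
if ($kind -ne [Microsoft.Win32.RegistryValueKind]::ExpandString -and $raw -match '%') {
    'WARNING: value contains an environment variable but is not REG_EXPAND_SZ'
}

# 2. Resolve the directory the value points to once variables are expanded.
$dir = [Environment]::ExpandEnvironmentVariables($raw)
"Resolved directory: $dir"

# 3. The file must be named exactly "hosts"; editors often save hosts.txt.
Get-ChildItem -LiteralPath $dir -Force -Filter 'hosts*' |
    Select-Object Name, Length, LastWriteTime, Attributes | Format-Table -AutoSize

$hosts = Join-Path $dir 'hosts'
if (-not (Test-Path -LiteralPath $hosts -PathType Leaf)) {
    "WARNING: no file named 'hosts' in $dir"
    return
}

# 4. List active entries and flag lines that are not "<IP> <name> [<name>...]".
$n = 0
foreach ($line in Get-Content -LiteralPath $hosts) {
    $n++
    $text = ($line -replace '#.*$', '').Trim()      # drop comments
    if (-not $text) { continue }
    $fields = $text -split '\s+'
    $ip = $null
    if ($fields.Count -lt 2 -or
        -not [System.Net.IPAddress]::TryParse($fields[0], [ref]$ip)) {
        "line ${n}: MALFORMED -> $line"
    } else {
        "line ${n}: $($fields[0]) -> $($fields[1..($fields.Count - 1)] -join ', ')"
    }
}
```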
 
Warren

The hijack log is below:

Logfile of HijackThis v1.99.1
Scan saved at 23:12:12, on 26/01/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.gayporn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: metaspinner media GmbH -
{12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} -
C:\PROGRA~1\YETISP~1\IEBUTT~1.DLL
O2 - BHO: (no name) - {52B4854D-9FF5-449E-8C71-1B55C6515001} -
C:\WINDOWS\System32\jcefdg.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program
Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia
PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus!
3\MsgPlus.exe"
O4 - HKLM\..\Run: [HostsFileMgr] C:\Program
Files\GSD\AdBin\winHostsEdit.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common
Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [AdBin] C:\Program Files\GSD\AdBin\AdBin.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI
CONTROL PANEL\ATIPTAXX.EXE
O4 - Startup: MSNP13 Downgrader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: FHM - {76028735-BBF1-4044-8DE2-5B90F0C7A77C} -
C:\Program Files\FHM\GameClient.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download
Control Class) -
http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload
Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline
Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient
Class) -
http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl
Object) - https://luckynugget.microgaming.com/luckynugget/FlashAX.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown
Class) -
http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -
"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -
C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner -
C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files\Common
Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common
Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation -
C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Thoughts appreciated. Thanks
 
Chuck

Warren,

I highly suggest that you post your log in a couple expert forums:
DSLR Security Cleanup: http://www.dslreports.com/forum/cleanup
SpywareInfo: http://forums.spywareinfo.com/index.php?showtopic=227

You have several dodgy entries, which I think the experts should interpret.

Please read, and heed, the instructions in each forum about what to do before
posting. The instructions are to help you get the best service possible.
http://nitecruzr.blogspot.com/2005/05/interpreting-hijackthis-logs-with.html#Experts

I will be glad to follow your progress with you, if you will post links to your
threads in the forums. I'll spend a while looking thru references, but I think
you would be better off in the above forums, to start.
 
Warren

Thanks for that Chuck, unfortunately am tied up away from the machine at
the moment but will do just that when I get back to it and will keep
you informed

Cheers
 
