
Hijacker - Is it gone?

Status
Not open for further replies.

BGXP

Technical User
Oct 26, 2003
2
US
A few weeks ago I started having problems. Couldn't get to google.com. Here are the basic steps I took that led me to where I am now. This is on XP with all critical updates.

1) I knew google was still there but I just wasn't finding it. I pinged google.com just to see what IP I'd get for it. It was 207.44.220.30 and after a search of ww2.google.com which I was able to access I soon discovered that this was indeed not a google IP.

2) I learned of how the hosts file can affect this and after finding it in the proper directory of c:\windows\system32\drivers\etc I discovered it was unchanged and all original, so I gave up on it for a while.

3) My anti-virus program is AVP and I have been using Spybot Search&Destroy for a long while now, both of which are always up to date. Neither found anything unusual.

4) Of course I know no program is foolproof so I decided to check out some other programs to detect what I suspected was a trojan of some sort. That's when I came to find a Qhosts trojan removal tool from Symantec at this address: I ran it but my problem persisted.

5) After searching some more on my hard drive for mysterious files I came to discover a file in my c:\windows\help folder with the name "hosts". That seemed mighty odd to me so I opened it up and sure enough it was the problem. It had a large list of search engine URLs all with the IP of 207.44.220.30.

6) Not knowing how it was that my PC was using this hosts file instead of the proper one I simply renamed it so it couldn't be accessed any more by whatever was accessing it.

7) Yea me! I could now go to google.com, but that was not the end of this search for me. I wanted to use my hosts file as intended and didn't like the idea of having to put it in the wrong directory because some malicious program wanted it there.

8) After much searching of the net I came to discover a small program on a different thread here. In this thread bcastner linked to a program ( that would do the following:

bcastner quote: "The utility first deletes the keys winsock and winsock2 from the registry. It then replaces the registry entries with winsock and winsock2 from a fresh XP install. Finally, it does a netsh int ip reset resetlog."
I knew this to be very similar to my problem so I figured some fresh socks couldn't hurt. I mean everyone likes fresh socks:p

9) After running that nifty little utility I was once again able to use my proper hosts file as my PC was once again looking at it for what it does.

10) Now I'm thinking is my problem really gone, I mean all of it? I want all traces of it out. So I discovered another utility on this lovely board. Hijackthis from I have run this utility and am not entirely certain of its results. I'll post them here in the hopes that someone with much more knowledge in this area could either identify anything suspicious or tell me I'm actually OK now.

Hijack this log:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\AMERIC~2.0\aol.exe
C:\PROGRA~1\AMERIC~2.0\waol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lightning Download\Lightning.exe
C:\Program Files\Lightning Download\Lightning.exe
C:\Documents and Settings\Deez\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1A9264E-42DB-4259-8D3F-FAC82F60AE8A}: NameServer = 198.81.19.4

Sorry this post was so massive. What I'd really appreciate is if anyone could scan that hijack this log and tell me if I have anything to be concerned about.

Thank you very much if you've read my ramblings.
 