IE toughy

Discussion in 'Internet Explorer & Microsoft Edge' started by roy66, 2008/02/28.

  1. 2008/03/02
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    (a) direct connect to dsl modem
    (b) AAPT.net.au
    (a) HOSTS
    (b) HOSTS.MVP
    (c) Imhosts.sam
    Then there is networks - protocol - services that is all there is in the etc folder

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:31:44 PM, on 3/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Advanced WindowsCare V2\Awcl.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\ALPass\ALPass.exe
    C:\Program Files\AutoSizer\AutoSizer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Back2zip\Back2zip.exe
    C:\Program Files\MiniMind\MiniMind.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.aapt.com.au/Online_with_AAPT/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
    O2 - BHO: ALPassHelper Class - {00533B73-E574-46E9-B06A-FDF4592E67CB} - C:\WINDOWS\system32\ApsHelper08.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Advanced WindowsCare V2 Personal] "C:\Program Files\Advanced WindowsCare V2\Awcl.exe" /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ALPass] C:\Program Files\ALPass\ALPass.exe
    O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - Startup: Back2zip.lnk = C:\Program Files\Back2zip\Back2zip.exe
    O4 - Startup: MiniMinder.lnk = C:\Program Files\MiniMind\MiniMind.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: ALPass - {572E3910-4764-4E88-8929-176B2B192FF7} - C:\Program Files\ALPass\ALPass.exe
    O9 - Extra 'Tools' menuitem: ALPass - {572E3910-4764-4E88-8929-176B2B192FF7} - C:\Program Files\ALPass\ALPass.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
    O17 - HKLM\System\CS1\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
    O17 - HKLM\System\CS2\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
    O17 - HKLM\System\CS3\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
    O17 - HKLM\System\CS4\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
    O17 - HKLM\System\CS5\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)

    --
    End of file - 8016 bytes
     
  2. 2008/03/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please click Start>Run and type services.msc then hit Enter. Locate the DNS Client service and tell us if it's running, and if set to Automatic, Manual or Disabled.
     

  4. 2008/03/02
    roy66

    roy66 Well-Known Member Thread Starter

    Disabled.......which I did in response to a post reply from this site
     
  5. 2008/03/02
    noahdfear

    noahdfear Inactive

    Roy,

    RE: the hosts and hosts.mvp files ........

    1 is approx 1 KB in size, the other possibly approx 647KB
    Please verify which is 1 KB
     
  6. 2008/03/02
    roy66

    roy66 Well-Known Member Thread Starter

    HOSTS 625KB
    HOSTS.MVP 1KB
    Imhosts.sam 4KB

    I have also auto'd the DNS Client service

    EACH reboot gives me 3-5 minutes of perfect surfing then IE cannot display the webpage
     
    Last edited: 2008/03/02
  7. 2008/03/02
    noahdfear

    noahdfear Inactive

    As a test, rename hosts to hosts.old
    Then rename hosts.mvp to hosts
    You've already set the dns client service to Auto, so restart the computer and see if the behavior persists.
     
  8. 2008/03/02
    roy66

    roy66 Well-Known Member Thread Starter

    Wow that was hopeful
    I thought we had it.
    Got an 8 minute run that time.
     
  9. 2008/03/02
    noahdfear

    noahdfear Inactive

    Highlight and copy the bolded text below.

    ipconfig /release
    ipconfig /flushdns
    ipconfig /renew
    exit
    cls


    Close all browser windows and open a command window, then paste the text into the command window. It should close on its own. Re-open your browser and let us know the results.
     
  10. 2008/03/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    This was done, too (#37). It didn't help.
     
  11. 2008/03/02
    noahdfear

    noahdfear Inactive

    I'm aware of that as well. It was done prior to renaming the hosts file(s) and starting the dns client service. ;)
     
  12. 2008/03/03
    roy66

    roy66 Well-Known Member Thread Starter

    But this post

    Highlight and copy the bolded text below.

    ipconfig /release
    ipconfig /flushdns
    ipconfig /renew
    exit
    cls

    Blew it...it won't display any site at all now...just searches with numbers from when it commences.

    OK..rebooted and back to my 8 minute special...so. No Change
     
  13. 2008/03/03
    broni

    broni Moderator Malware Analyst

    Few more potential fixes:

    Download, install, and run LSP-Fix: http://www.cexx.org/lspfix.htm
    Restart computer, and see if it helped.

    If not...
    Download, install, and run WinSock XP Fix: http://www.snapfiles.com/get/winsockxpfix.html
    Restart computer, and check again.

    If not...
    1. Click on Start button.
    2. Type Cmd in the Start Search text box.
    3. Press Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator. Allow elevation request.
    4. Type:
    netsh int ip reset
    in the Command Prompt window, and then press the Enter key.
    5. Restart the computer.

    All of the above are harmless if they don't work.
     
  14. 2008/03/03
    roy66

    roy66 Well-Known Member Thread Starter

     
  15. 2008/03/03
    broni

    broni Moderator Malware Analyst

    Frankly speaking...I'm out of options....:(
     
  16. 2008/03/03
    noahdfear

    noahdfear Inactive

    Scan again with HijackThis and place a check next to all O17 entries.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer =

    Close ALL open windows and programs except for HijackThis then click Fix Checked.

    Close HijackThis and restart the computer. See if there's any change.
     
  17. 2008/03/03
    broni

    broni Moderator Malware Analyst

  18. 2008/03/03
    noahdfear

    noahdfear Inactive

    I'm well aware of who those addresses belong to, however what I don't know is if that is the correct DNS Server for his machine to be pointing to. Are you quite sure of that? His network connection is set to acquire DNS Server and IP addresses automatically ........ why then are they showing up in the HijackThis log as though they've been statically assigned?
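
An added example, not part of the original thread or any poster's reply: a Python triage pass over HijackThis result lines that pulls out the entries the helpers in this thread focus on, namely O17 NameServer values per control set, Internet Settings proxy values, and O23 services whose file is missing. The sample lines are constructed in the form of the log posted above, and all function names are hypothetical.

```python
import re

# Constructed sample: result lines in the form of the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.aapt.com.au/Online_with_AAPT/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O4 - HKCU\..\Run: [ALPass] C:\Program Files\ALPass\ALPass.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
O17 - HKLM\System\CS1\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*\S)\s*$")
NAMESERVER = re.compile(r"^HKLM\\System\\(\w+)\\.*: NameServer = (.*)$")
SERVICE = re.compile(r"^Service: (.*?) - ")

def parse_entries(log_text):
    """Yield (section, body) for every HijackThis result line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2)

def network_findings(log_text):
    """Group the entries that influence name resolution or connectivity."""
    found = {"nameservers": {}, "proxy": [], "missing_services": []}
    for section, body in parse_entries(log_text):
        ns = NAMESERVER.match(body)
        if section == "O17" and ns:
            # Key by control set (CCS, CS1, ...) so differing values stand out.
            found["nameservers"][ns.group(1)] = re.split(r"[,\s]+", ns.group(2).strip())
        elif section in ("R0", "R1") and "Internet Settings,Proxy" in body:
            key, _, value = body.partition(" = ")
            found["proxy"].append((key.rsplit(",", 1)[1], value))
        elif section == "O23" and body.endswith("(file missing)"):
            svc = SERVICE.match(body)
            found["missing_services"].append(svc.group(1) if svc else body)
    return found

def distinct_dns_sets(found):
    """Return the distinct server lists seen; more than one means the control sets disagree."""
    return {tuple(v) for v in found["nameservers"].values()}

if __name__ == "__main__":
    result = network_findings(SAMPLE_LOG)
    print(result)
    print(distinct_dns_sets(result))
```

An O17 hit only shows that a NameServer value is stored in the registry for that interface; whether the addresses are the right ones still has to be checked against what the ISP or DHCP server hands out.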
     
  19. 2008/03/03
    broni

    broni Moderator Malware Analyst

    I agree...good question...
     
  20. 2008/03/04
    roy66

    roy66 Well-Known Member Thread Starter

    Looks like I have the unique situation of an 8 minute websurf.

    Pretty peculiar eh!

    Boots OK.
    IE connects OK.
    Surfs great and fast.

    But alas, only 8 minutes of satisfaction.

    At least it has/is stimulating some intellectual consideration.

    Thanks to all.
     
  21. 2008/03/04
    noahdfear

    noahdfear Inactive

    8 minutes ....... guess it beats the 3 you had when starting this topic. :p lol

    Fix the following entry with HijackThis, with all other windows closed.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local


    Do another scan and save the log when done, then post it here. Let us know if there's any change.

    Did this problem begin after installing any particular software?

    If there's no change, I'd like you to rule out some software by temporarily disabling it. The 2 I see as first choices are the Zone Labs firewall and ALPass.

    Another test ...... go here and do some surfing through its address window rather than the normal browser address window. Use the 'Open URL in a new window' option and paste in several links.
     
