#54 First ever HJT scan, incomprehensible to me

Art Carlson

Hello, all around.

I have a dns problem that I hope HJT and you all will help me solve. I've been trying, but I can't do it on my own.

I use Firefox 22.0 on a Windows XP Professional machine (Version 2002, SP3). A few months ago I noticed that Google search was very slow or did not return at all. I switched to Bing, but recently Bing and Yahoo started to show the same problem. The problem also shows up in IE. Other pages work fine, and I can access a Google search within seconds if I enter an IP, e.g.

I access the internet through a fritz.box. DNS queries go there first, but it doesn't matter whether I tell the fritz.box to use the default of the ISP (M-Net) or explicitly a particular DNS server (e.g. I can't figure out where the queries are going astray. It's not just a browser problem because I can call "nslookup www.google.com" from either a Windows command shell or a cygwin bash shell and I get back (At the moment. I have gotten other wrong addresses in the past.)

I ran a scan with up-to-date Sophos anti-virus software and found nothing. After this ordeal I decided it was time to try HijackThis. I downloaded it and ran it. The log is below. I see now why they say beginners should ask an expert human being for help. That is what I am doing now, and thanking you in advance.

Gratefully yours,
Art Carlson

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 17:44:15, on 2013-07-06
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

FIREFOX: 22.0 (en-US)
Boot mode: Normal

Running processes:
C:\Programme\Gemeinsame Dateien\Virtual Token\vtserver.exe
C:\Programme\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe
C:\Programme\ShrewSoft\VPN Client\dtpd.exe
C:\Programme\ShrewSoft\VPN Client\iked.exe
C:\Programme\infonet services corporation\infonet wireless\WENGINE\wmonitor.exe
C:\Programme\ShrewSoft\VPN Client\ipsecd.exe
c:\Programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Programme\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe
C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
c:\Programme\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Programme\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programme\Analog Devices\SoundMAX\Smax4.exe
C:\Programme\Gemeinsame Dateien\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Programme\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Mozilla Firefox\plugin-container.exe
C:\Programme\Windows NT\Zubehör\WORDPAD.EXE
C:\Dokumente und Einstellungen\Art\Eigene Dateien\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&s=0&o=xph&d=1111&m=ao751h
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&s=0&o=xph&d=1111&m=ao751h
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von Süddeutsche Zeitung GmbH
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy01.biochem.mpg.de:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Programme\Ask.com\GenericAskToolbar.dll
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM..\Run: [SDNI-Anpassungen] C:\Treiber\Settings\Anpass\SDAnpass.vbe
O4 - HKLM..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM..\Run: [TpShocks] TpShocks.exe
O4 - HKLM..\Run: [TPKMAPHELPER] C:\Programme\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM..\Run: [ControlCenter] "C:\Programme\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM..\Run: [SoundMAX] "C:\Programme\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [TP4EX] tp4ex.exe
O4 - HKLM..\Run: [UpdateManager] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM..\Run: [PDFDrucker] c:\Treiber\Utils\PDFDrucker\PDFDrucker.vbe InstallPDFPrinter
O4 - HKLM..\Run: [run] ccswow.exe
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Programme\Gemeinsame Dateien\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM..\Run: [ContentTransferWMDetector.exe] C:\Programme\Sony\Content Transfer\ContentTransferWMDetector.exe
O4 - HKLM..\Run: [MSC] "C:\Programme\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM..\Run: [ApnUpdater] "C:\Programme\Ask.com\Updater\Updater.exe"
O4 - HKLM..\Run: [SNPSTD2] C:\WINNT\vsnpstd2.exe
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [Sophos AutoUpdate Monitor] c:\Programme\Sophos\AutoUpdate\almon.exe
O4 - HKLM..\Run: [APSDaemon] "C:\Programme\Gemeinsame Dateien\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM..\Run: [Adobe ARM] "C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe"
O4 - HKLM..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKCU..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU..\Run: [gStart] C:\Garmin\gStart.exe
O4 - HKUS\S-1-5-18..\Run: [DWQueuedReporting] "C:\PROGRA~1\GEMEIN~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [DWQueuedReporting] "C:\PROGRA~1\GEMEIN~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Netzmanager.lnk = C:\Programme\Netzmanager\netzmanager.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Programme\Palm\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\dokumente und einstellungen\all users\anwendungsdaten\sophos\web intelligence\swi_ifslsp.dll
O10 - Unknown file in Winsock LSP: c:\dokumente und einstellungen\all users\anwendungsdaten\sophos\web intelligence\swi_ifslsp.dll
O10 - Unknown file in Winsock LSP: c:\dokumente und einstellungen\all users\anwendungsdaten\sophos\web intelligence\swi_ifslsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sz-korrespondent.de/
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://O:\Utils\Macromed\awswaxf.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://webmail2.sv-it.com/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1364674931031
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
O17 - HKLM\System\CCS\Services\Tcpip..{4A2B60EF-B52E-4AC4-994C-D532CD30FE8D}: Domain = biochem.mpg.de
O17 - HKLM\System\CCS\Services\Tcpip..{4A2B60EF-B52E-4AC4-994C-D532CD30FE8D}: NameServer =,
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O20 - Winlogon Notify: rcHostExt - C:\Programme\CA\DSM\Bin\rcLoginExt.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: AAV UpdateService - Unknown owner - C:\Programme\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINNT\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: BrlAPI - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: ShrewSoft DNS Proxy Daemon (dtpd) - Unknown owner - C:\Programme\ShrewSoft\VPN Client\dtpd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update-Dienst (gupdate) (gupdate) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update-Dienst (gupdatem) (gupdatem) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ShrewSoft IKE Daemon (iked) - Unknown owner - C:\Programme\ShrewSoft\VPN Client\iked.exe
O23 - Service: Infonet Monitor Service (InfonetMonitor) - Boingo Wireless, Inc. - C:\Programme\infonet services corporation\infonet wireless\WENGINE\wmonitor.exe
O23 - Service: ShrewSoft IPSEC Daemon (ipsecd) - Unknown owner - C:\Programme\ShrewSoft\VPN Client\ipsecd.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Programme\Java\jre7\bin\jqs.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Netzmanager Infrastruktur Informationssystem Dienst (Netzmanager Service) - Deutsche Telekom AG - C:\Programme\Netzmanager\NMInfraIS2\Netzmanager_Service.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sophos Anti-Virus Statusreporter (SAVAdminService) - Sophos Limited - c:\Programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Limited - c:\Programme\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Programme\Skype\Updater\Updater.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Limited - c:\Programme\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Web Control Service - Sophos Limited - c:\Programme\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sophos Web Intelligence Service (swi_service) - Sophos Limited - c:\Programme\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
O23 - Service: Sophos Web Intelligence Update (swi_update) - Sophos Limited - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sophos\Web Intelligence\swi_update.exe
O23 - Service: TeamViewer 8 (TeamViewer8) - TeamViewer GmbH - C:\Programme\TeamViewer\Version8\TeamViewer_Service.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINNT\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Programme\Gemeinsame Dateien\Virtual Token\vtserver.exe

End of file - 14045 bytes


  • Art Carlson

    I have since installed Malwarebytes and SUPERAntiSpyware and done a quick scan with each. Malwarebytes detected 6 objects, which I deleted, and SUPERAntiSpyware found 510 file items (Adware.Tracking cookie), which I quarantined. I restarted my computer, but the google problem was still there.

  • Hi Art,

    Have you tried disabling or uninstalling the ask.com toolbar?

    • status: open --> pending
    • assigned_to: Loucif Kharouni
  • Art Carlson

    I just uninstalled the Ask Toolbar because that sounded like a generally good idea. Nothing changed, which doesn't surprise me since the problem is not specific to Firefox. I just looked at nslookup again. It returns an IP when I ask about www.google.com, but then it doesn't recognize that very same IP. Strange. Anyway, thanks for picking up my ticket. -art-

    Art@ThinkPad ~
    $ nslookup www.google.com
    Non-authoritative answer:
    Server: fritz.box

    Name: www.google.com

    Art@ThinkPad ~
    $ nslookup
    *** was not found by fritz.box: Non-existent domain
    Server: fritz.box

  • Art Carlson

    I got some help from the computing center to clean up my machine. Some things are more stable, but the DNS problem remains. However, I can now connect to my institute with a VPN, and when I do, my browser works with www.google.com and nslookup returns for google, as it should. This makes me pretty sure that the problem lies with my ISP (M-Net, in Munich). I have sent a mail to them asking about it. If they are uncooperative or ignorant, is there any way I can be 100% sure that they are hijacking the DNS server? Why would they do that, given that I am not being re-routed to an advertising page? -art-
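
One way to turn the "is my resolver lying?" question into something checkable, as an added example that is not part of this thread or of HijackThis: build a DNS A query by hand, parse the reply, and compare the addresses the local resolver (here the fritz.box) hands back with those an independent resolver returns, for instance one reached over the institute VPN. The test data below is constructed (RFC 5737 documentation addresses); the resolver placeholders, the name used and the `compare_answers` rule are assumptions for illustration. Note that the "Non-authoritative answer" line nslookup prints is normal for any caching forwarder and is not by itself a sign of tampering; the `authoritative` field below just exposes that header bit.

```python
# Hand-rolled DNS A lookup plus a two-resolver comparison (added example, not
# from the original post or from HijackThis). All packets are constructed
# inline so the checks run offline; resolve_via() is the only networked call.
import random
import socket
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A/IN query for `name` in DNS wire format (RFC 1035)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)             # QTYPE=A, QCLASS=IN


def _read_name(data: bytes, offset: int):
    """Decode a possibly compressed owner name; return (name, offset_after_name)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                                # compression pointer
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data: bytes) -> dict:
    """Return txid, rcode, the AA flag and every A record in the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):                                     # skip the question section
        _, offset = _read_name(data, offset)
        offset += 4                                              # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        owner, offset = _read_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:                            # A record
            answers.append((owner, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "rcode": flags & 0x000F,
            "authoritative": bool(flags & 0x0400),               # AA=0 -> "Non-authoritative answer"
            "answers": answers}


def build_response(query: bytes, ips, ttl: int = 300) -> bytes:
    """Construct a reply to `query` (test data only, standing in for a real resolver)."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)   # QR=1 RD=1 RA=1, AA=0
    rrs = b"".join(struct.pack(">HHHIH", 0xC00C, 1, 1, ttl, 4)        # owner = pointer to question
                   + bytes(int(o) for o in ip.split(".")) for ip in ips)
    return header + query[12:] + rrs


def compare_answers(local: dict, reference: dict) -> dict:
    """Diff the A records two resolvers gave for the same name.

    `suspicious` means the local resolver answered and none of its addresses
    appears in the reference set. That is a lead, not proof: big sites answer
    with different addresses per region, so confirm by checking whether the
    local addresses actually serve the site (the thread saw 403/404 pages).
    """
    local_ips = {ip for _, ip, _ in local["answers"]}
    ref_ips = {ip for _, ip, _ in reference["answers"]}
    return {"only_local": local_ips - ref_ips,
            "only_reference": ref_ips - local_ips,
            "suspicious": bool(local_ips) and not (local_ips & ref_ips)}


def resolve_via(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send the query to `server` over UDP/53 and parse the reply (live use only)."""
    query = build_query(name, txid=random.randrange(1 << 16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    reply = parse_response(data)
    if reply["txid"] != struct.unpack(">H", query[:2])[0]:
        raise ValueError("transaction id mismatch; discarding reply")
    return reply


if __name__ == "__main__":
    # Offline demonstration: the "local" resolver answers with one constructed
    # address, the "reference" resolver with two different ones.
    q = build_query("www.google.com")
    local = parse_response(build_response(q, ["192.0.2.10"]))
    reference = parse_response(build_response(q, ["198.51.100.20", "198.51.100.21"]))
    print(compare_answers(local, reference))
```

For live use, call `compare_answers(resolve_via(<fritz.box address>, "www.google.com"), resolve_via(<resolver reachable only through the VPN>, "www.google.com"))`. A disjoint result with the local address serving 403/404 pages for the site, as this thread reports, is the pattern to look for; a disjoint result alone can simply be CDN geo-steering.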

  • Hi,

    Can you send me the content of the hosts file located at:

  • Art Carlson

    Post awaiting moderation.
  • Every Windows system has its own hosts file. The one that you are currently using is very far from the original Windows file and might be the source of your problem.
    Here is attached an original WinXP hosts file. Please rename the one you are using and use the one attached. There is no extension to the file.
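
The check the reply above implies can be run directly, as an added example that is not from the thread, from Sophos or from HijackThis: parse the hosts file and report every name pinned to a routable address (the redirect pattern) or sinkholed to a loopback or unspecified address (the block pattern), which is the condition the Sophos message "legitimate domains blocked or redirected" describes. The sample file content, the watchlist of domains and the bucket names are constructed for the example; the path is the one used in this thread.

```python
# Audit a Windows hosts file for redirected or sinkholed names (added example,
# not the poster's file and not Sophos or HijackThis code).
import ipaddress
from pathlib import Path

WINDOWS_HOSTS = Path(r"C:\WINNT\system32\drivers\etc\hosts")   # path as used in this thread
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Assumed watchlist: search engines and security vendors named in the thread.
WATCHLIST = ("google.com", "bing.com", "yahoo.com", "microsoft.com",
             "windowsupdate.com", "sophos.com", "malwarebytes.org")

# Constructed sample, not the poster's real file. 192.0.2.x is a documentation range.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.0.2.50      www.google.com google.com   # search engine pinned to a foreign address
192.0.2.50      www.bing.com
0.0.0.0         sophos.com
127.0.0.1       ads.example.net
256.1.1.1       broken.example
"""


def parse_hosts(text: str) -> list:
    """Return (lineno, address, [names]) for every non-blank, non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        parts = line.split()
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def on_watchlist(name: str, watchlist=WATCHLIST) -> bool:
    """True if `name` equals or is a subdomain of a watchlisted domain."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in watchlist)


def classify_entry(address: str, name: str) -> str:
    """ok | blocked (sinkholed to the local machine) | redirected | malformed."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if ip.is_loopback or ip.is_unspecified:
        return "ok" if name.lower() in LOOPBACK_NAMES else "blocked"
    return "redirected"                              # name bypasses DNS to a routable address


def audit_hosts(text: str, watchlist=WATCHLIST) -> dict:
    """Bucket every (lineno, address, name) that is not a plain localhost mapping."""
    report = {"redirected": [], "blocked_watchlist": [], "blocked_other": [], "malformed": []}
    for lineno, address, names in parse_hosts(text):
        for name in names:
            kind = classify_entry(address, name)
            if kind == "ok":
                continue
            if kind == "blocked":
                kind = "blocked_watchlist" if on_watchlist(name, watchlist) else "blocked_other"
            report[kind].append((lineno, address, name))
    return report


def audit_file(path: Path = WINDOWS_HOSTS) -> dict:
    """Audit a hosts file on disk; the file is plain text, possibly with odd encodings."""
    return audit_hosts(path.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    report = audit_file() if WINDOWS_HOSTS.exists() else audit_hosts(SAMPLE_HOSTS)
    for bucket, findings in report.items():
        for lineno, address, name in findings:
            print(f"{bucket:17} line {lineno}: {address} -> {name}")
```

Any entry in `redirected` for a site the machine is supposed to reach through DNS is the hosts-file form of the problem described in this thread; `blocked_other` entries that sinkhole ad domains are the normal output of ad-blocking host lists and are not by themselves a concern. Hosts entries are loaded into the Windows DNS client cache, so after editing the file `ipconfig /flushdns` is the right command to make the change take effect.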

  • Art Carlson

    This file seems to pull Sophos' chain. Sophos is calling this file "Adware or PUA" and says "legitimate domains blocked or redirected". I am not sure whether Sophos has deactivated this file or not. I am also concerned because the first of the comment lines does not have a comment sign (#) at the front. Be that as it may, I have copied the file to C:\WINNT\system32\drivers\etc. The problem persists. I tried the commands
    ipconfig /release
    ipconfig /renew
    ipconfig /flushdns
    in the belief that that does something like flush the DNS cache. The problem persists.

  • Art Carlson

    I should probably mention that Sophos also complains about two other files. I think this is new.

    Type: Suspicious behavior
    Name: HIPS/RegMod-008
    Details: C:\WINNT\system32\rundll32.exe

    Type: Adware or PUA (potentially unwanted application)
    Name: FTdownloader
    Details: C:\Dokumente und Einstellungen\Art\Lokale Einstellungen\Temp\JkeqEzu2.exe.part

  • Art Carlson

    The problem seems very erratic. Or I'm not looking at the data in the right way. At the suggestion of Sophos, I assume related to one or more of the problems I just mentioned, I restarted my computer. Now my browser finds www.google.com, but nslookup is still acting in the old way, which I interpreted as being a sign of a problem.

    Art@ThinkPad ~
    $ nslookup www.google.com
    Non-authoritative answer:
    Server: fritz.box

    Name: www.google.com

    Art@ThinkPad ~
    $ nslookup
    *** was not found by fritz.box: Non-existent domain
    Server: fritz.box

    When I point my browser to, I get "404 Not Found". Maybe that just means index.html is missing? I am able to ping ... That is, I can go to google.com and do a search, but when I click on any of the search results I get "403 Forbidden". The world just doesn't make any sense. :-<

  • Have you tried to scan your machine with TDSSKiller? If not, please try and let me know if it changes anything. I've seen some articles related to that and it seems to be the same issue happening to you.

  • Have you been able to fix this?

  • Art Carlson

    Sorry, I haven't had time to run TDSSKiller or do any other work on this problem. I hope I can get back to it tomorrow. I did ask my ISP if they were doing anything screwy. They denied it, and are probably telling the truth, because over the weekend I was connected to the internet through a different ISP in a different city but with the same laptop, and the problem was still there.

  • Art Carlson

    I ran TDSSKiller and it found and removed a threat:
    ACPI (Virus.Win32.Rloader.a)

    I can currently access www.google.com with my browser, and nslookup returns IPs that look correct to me:

    C:\Dokumente und Einstellungen\Art>nslookup www.google.com
    Server: fritz.box

    Non-authoritative answer:
    Name: www.google.com

    I can't be sure that RLoader was the problem, although it seems highly probable, because the problem wasn't present when I booted up this evening. I will keep an eye on my laptop for a few days and let you know one way or the other whether the problem is gone for good. In the hope that it is, heartfelt thanks.

    • status: pending --> closed
  • OK, good to hear that. Thanks.

  • Art Carlson

    Before I go back to relax mode, what damage has likely been done or could have been done by Virus.Win32.Rloader? In particular, do I have to assume that all my passwords have been compromised?