
195.225.176.37 - again FIXED



#1
maa

Hello !

I've read and done all in THIS LINK but still get an O17 referral to the above site. Who the [bleep] are these people? Can't they be stopped? If one enters that number in Google one gets pages of entries with various forums etc. but nothing I've seen so far works.
So after the above, here is my HijackThis log. I actually uninstalled the Google Toolbar but it appears to have leftovers......

Logfile of HijackThis v1.99.1
Scan saved at 13:13:46, on 20.07.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT5\System32\smss.exe
C:\WINNT5\system32\winlogon.exe
C:\WINNT5\system32\services.exe
C:\WINNT5\system32\lsass.exe
C:\WINNT5\system32\svchost.exe
C:\WINNT5\System32\svchost.exe
C:\WINNT5\system32\spoolsv.exe
E:\AVPersonal\AVGUARD.EXE
E:\AVPersonal\AVWUPSRV.EXE
C:\programme\ewido\security suite\ewidoctrl.exe
C:\WINNT5\System32\svchost.exe
C:\WINNT5\system32\ZONELABS\vsmon.exe
C:\WINNT5\Explorer.EXE
C:\WINNT5\System32\wbem\wmiapsrv.exe
D:\ZoneAlarm\zlclient.exe
E:\AVPersonal\AVGNT.EXE
D:\freemem\FMEMPRO.EXE
C:\WINNT5\System32\ctfmon.exe
D:\TerraTec\DMX 6fire\DMX6Fire.exe
E:\SpyWare\Hijackthis1_99_1.exe
D:\NoteTab\NoteTab.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT5\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT5\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer 6
O2 - BHO: Internet Explorer Hot Fix - {13EB9F96-22D7-44FB-89BD-BE859A74C02E} - C:\WINNT5\System32\yrjdi.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] D:\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ Services.dll] C:\WINNT5\msagent\system\smss.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT5\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVGCtrl] "E:\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [FreeMem Pro] "D:\freemem\FMEMPRO.EXE" Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT5\System32\ctfmon.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = D:\TerraTec\DMX 6fire\DMX6Fire.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Backward Links - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\programme\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{70B6B555-C2FB-4F0B-A316-B99DFD661749}: NameServer = 69.50.184.84 195.225.176.37
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - E:\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - E:\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\programme\ewido\security suite\ewidoctrl.exe
O23 - Service: Speed Disk service - Symantec Corporation - d:\Speed Disk\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT5\system32\ZONELABS\vsmon.exe


Thanks for any practical advice.

BTW, I can boot into DOS 7.1 to delete stuff

cheers

maa

Edited by maa, 22 July 2005 - 02:52 AM.

  • 0



#2
maa

I guess I forgot to say that the referral is to Poorrn sites and the like.

It only happens when I go on www.audioforums.com and click a link to someone's homepage.
Well I thought their server was fixed at first but it's not, as I found out by checking with my girlfriend's computer that uses a hardware firewall - hmm.

So this evening I installed Firefox for the first time but to no avail - it happens with that too.

Hope someone finds time to help me here........

Edited by maa, 21 July 2005 - 03:16 PM.

  • 0

#3
maa

Right - I started messing around and came up with this interesting fact:
When deleting the registry key O17 with HijackThis, I couldn't access any internet sites at all until after a new system start - at which time the values were automatically replaced when accessing the internet.
Well, having removed all viruses and trojans and the like with the various tools suggested here, I assumed that not a virus was changing the Name Server shown in O17 but Windows itself. So I deinstalled TCP/IP in my network connection, restarted Windows and reinstalled TCP/IP. In the properties page, Windows had placed an address for DNS server addresses. Not knowing really what to do there, I changed it to automatic, which has solved the problem for now.
HijackThis shows two lines of O17 now as shown here:

O17 - HKLM\System\CCS\Services\Tcpip\..\{33F46443-179E-410C-99C0-55C95DB71DD2}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{70B6B555-C2FB-4F0B-A316-B99DFD661749}: NameServer = 217.237.150.225 217.237.150.141

Conclusion is that although HijackThis thinks these values are Browser Hijacks, the system works flawlessly and also much faster now.

cheers

maa
  • 0
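An added example, not part of the original posts and not HijackThis code: a small parser for the O17 lines quoted in this thread that labels each NameServer address against a list of resolvers the machine is supposed to use. The function names and the `ASSUMED_EXPECTED` list are assumptions made for the demonstration; the log lines are copied from the posts above.

```python
import ipaddress
import re

# O17 lines copied from the two HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{70B6B555-C2FB-4F0B-A316-B99DFD661749}: NameServer = 69.50.184.84 195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{33F46443-179E-410C-99C0-55C95DB71DD2}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{70B6B555-C2FB-4F0B-A316-B99DFD661749}: NameServer = 217.237.150.225 217.237.150.141
"""

# Assumption for the demo: the resolvers this machine is supposed to use,
# here the pair that appeared after DNS was switched to automatic.
ASSUMED_EXPECTED = ["217.237.150.225", "217.237.150.141"]

O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): (?P<name>\w+) =\s*(?P<value>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_o17(log_text):
    """Return (interface_guid, value_name, [addresses]) for each O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        guid = GUID_RE.search(m.group("key"))
        servers = [s for s in re.split(r"[,\s]+", m.group("value")) if s]
        entries.append((guid.group(0) if guid else None, m.group("name"), servers))
    return entries


def classify(addr, expected):
    """Label one resolver address relative to the expected set."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "not-an-ip"
    if ip in expected:
        return "expected"
    if ip.is_loopback:
        return "loopback"  # DNS queries go to this machine itself
    return "private" if ip.is_private else "unexpected"


def review(log_text, expected_resolvers):
    """List (guid, address, label) for every NameServer address in the log."""
    expected = {ipaddress.ip_address(a) for a in expected_resolvers}
    return [(guid, s, classify(s, expected))
            for guid, name, servers in parse_o17(log_text)
            if name == "NameServer" for s in servers]
```

An "unexpected" label only means the address is not on the supplied list; whether it is legitimate still has to be checked against what the ISP or router actually hands out.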

#4
maa

Ok, after a week the computer is stable and the problem solved.

How can I "clean up" the HijackThis log file of O17 entries?

cheers

maa
  • 0

#5
maa

5 weeks on, everything still stable and clean.

How do I get the O17 entries cleared?
  • 0





