Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

195.225.176.37 - again FIXED

Started by maa , Jul 20 2005 05:19 AM

  • Please log in to reply

#1
maa
Posted 20 July 2005 - 05:19 AM

maa

    New Member

  • Member
  • Pip
  • 5 posts
Hello !

I've read and done all in THIS LINK but still get a 017 referal to the above site. Who the [bleep] are these people ? Can't they be stopped ? If one enters that number in Google one gets pages of entries with various forums etc. but nothing I've seen so far works.
So after the above, here is my HijackThis log. I actually uninstalled the Google Toolbar but it appears to have left overs......

Logfile of HijackThis v1.99.1
Scan saved at 13:13:46, on 20.07.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT5\System32\smss.exe
C:\WINNT5\system32\winlogon.exe
C:\WINNT5\system32\services.exe
C:\WINNT5\system32\lsass.exe
C:\WINNT5\system32\svchost.exe
C:\WINNT5\System32\svchost.exe
C:\WINNT5\system32\spoolsv.exe
E:\AVPersonal\AVGUARD.EXE
E:\AVPersonal\AVWUPSRV.EXE
C:\programme\ewido\security suite\ewidoctrl.exe
C:\WINNT5\System32\svchost.exe
C:\WINNT5\system32\ZONELABS\vsmon.exe
C:\WINNT5\Explorer.EXE
C:\WINNT5\System32\wbem\wmiapsrv.exe
D:\ZoneAlarm\zlclient.exe
E:\AVPersonal\AVGNT.EXE
D:\freemem\FMEMPRO.EXE
C:\WINNT5\System32\ctfmon.exe
D:\TerraTec\DMX 6fire\DMX6Fire.exe
E:\SpyWare\Hijackthis1_99_1.exe
D:\NoteTab\NoteTab.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT5\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT5\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer 6
O2 - BHO: Internet Explorer Hot Fix - {13EB9F96-22D7-44FB-89BD-BE859A74C02E} - C:\WINNT5\System32\yrjdi.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] D:\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ Services.dll] C:\WINNT5\msagent\system\smss.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT5\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVGCtrl] "E:\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [FreeMem Pro] "D:\freemem\FMEMPRO.EXE" Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT5\System32\ctfmon.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = D:\TerraTec\DMX 6fire\DMX6Fire.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Backward Links - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\programme\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{70B6B555-C2FB-4F0B-A316-B99DFD661749}: NameServer = 69.50.184.84 195.225.176.37
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - E:\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - E:\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\programme\ewido\security suite\ewidoctrl.exe
O23 - Service: Speed Disk service - Symantec Corporation - d:\Speed Disk\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT5\system32\ZONELABS\vsmon.exe


Thanks for any practical advice.

BTW, I can boot into DOS 7.1 to delete stuff

cheers

maa

Edited by maa, 22 July 2005 - 02:52 AM.

  • 0

Advertisements

#2
maa
Posted 21 July 2005 - 02:38 PM

maa

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I guess I forgot to say that the referal is to Poorrn sites and the like.

It only happens when I go on www.audioforums.com and click a link to someones homepage.
Well I thought their server was fixed at first but its not as I found out by checking with my girlfriends computer that uses a harware firewall - hmm.

So this evening I installed Firefox for the first time but to no avail - it happens with that too.

Hope someone finds time to help me here........

Edited by maa, 21 July 2005 - 03:16 PM.

  • 0

#3
maa
Posted 22 July 2005 - 03:23 AM

maa

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Right - I started messing around and came up with this intersting fact:
When deleting the regisrty key 017 with HijackThis, I couldn't access any internet sites at all untill after a new system start - at which time the values were automatically replaced when accessing the internet.
Well having removed all viruses and tojans and the likes with the various tools sugessted here I assumed that not a virus was changing the Name Server shown in 017 but Windows itself. So I deinstalled TCP/IP in my network connection, restarted windows and reinstalled TCP/IP. In the properties page, Windows had placed an address for DNS server addresses. Not knowing realy what to do there I changed it to automatic which has solved the problem for now.
HijackThis shows two lines of 017 now as shown here:

O17 - HKLM\System\CCS\Services\Tcpip\..\{33F46443-179E-410C-99C0-55C95DB71DD2}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{70B6B555-C2FB-4F0B-A316-B99DFD661749}: NameServer = 217.237.150.225 217.237.150.141

Conclusion is that although HijackThis thinks these values are Browser Hijacks, the sytem works flawlessly and also much faster now.

cheers

maa
  • 0

#4
maa
Posted 28 July 2005 - 03:01 AM

maa

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Ok, after a week the computer is stable and the problem solved.

How can I "clean up" the HijackThis log file of 017 entries ?

cheers

maa
  • 0

#5
maa
Posted 07 September 2005 - 04:01 AM

maa

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
5 weeks on, everthing still stable and clean.

How do I get the 017 entries cleared?
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP