Results 1 to 5 of 5
  1. #1
    Member Jynx980's Avatar
    Join Date
    Dec 2005
    Posts
    3
    Points
    0

    Default SOLVED! IP Address in Registry/Links in Favorites

    I picked up a bit of spyware a couple of days ago and have followed the Get Rid of Spyware, Adware, and Web Browser Hijackers guide. I think I got rid of most of it. I removed these so far from an earlier log with hijackthis:
    O4 - HKLM\..\Run: [dmjzr.exe] C:\WINDOWS\system32\dmjzr.exe
    O4 - HKCU\..\Run: [desktop] C:\WINDOWS\system32\idemlog.exe

    There is an IP address in 017 that seems questionable. If I remove those entries I can't connect to the internet. I also just noticed that I had links inserted into my favorites from IE. TIA!


    Logfile of HijackThis v1.99.1
    Scan saved at 6:23:05 PM, on 12/14/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\Find-a-Drug\server.exe
    C:\Program Files\Find-a-Drug\think.exe
    C:\Program Files\Find-a-Drug\fadsetup.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;cgi*.ebay.com;disney.go.com;msa_e1.ebay.com;rhapsody_app*.listen.com;www.anandtech.com;<local>
    R3 - URLSearchHook: (no name) - {A4057901-AD29-B8CC-E6DE-4D49A8EA05F6} - hyandex.dll (file missing)
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121584927671
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1126633843488
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europ...vex/hcImpl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{44DFE957-5567-4BCB-92CF-0A1EA0FAD485}: NameServer = 85.255.115.62,85.255.112.10
    O17 - HKLM\System\CCS\Services\Tcpip\..\{49BB2812-27B2-4C17-B0E5-1CA02D7B61D4}: NameServer = 85.255.115.62,85.255.112.10
    O17 - HKLM\System\CCS\Services\Tcpip\..\{545D0551-03EF-4582-B518-ABBF781ECABD}: NameServer = 85.255.115.62,85.255.112.10
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E6843A5D-7B5D-4149-81B6-D9661E5A60A3}: NameServer = 85.255.115.62,85.255.112.10
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Find-a-Drug - Unknown owner - C:\Program Files\Find-a-Drug\loader.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

  2. #2
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Hi

    fix this with hijackthis :-

    R3 - URLSearchHook: (no name) - {A4057901-AD29-B8CC-E6DE-4D49A8EA05F6} - hyandex.dll (file missing)

    quote:

    "There is an IP address in 017 that seems questionable. If I remove those entries I can't connect to the internet."

    I agree...they all point to Kiev Ukraine...

    Normally if you remove any O17 entries, and they are required, they will be replaced by your ISP the next time you log on...

    Have you tried removing them, or are you just assuming you need them to connect ?

    AS you are in Atlanta with COX internet, I don't see the need for those O17's, which are probably connected to the VX2 transponder gang

    Have you tried deleteing the links from your favourites ?

    Do you know what this is :-

    O23 - Service: Find-a-Drug - Unknown owner - C:\Program Files\Find-a-Drug\loader.exe

    is it this :-

    http://www.find-a-drug.org.uk/

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  3. #3
    Member Jynx980's Avatar
    Join Date
    Dec 2005
    Posts
    3
    Points
    0

    Default

    If I remove all of the 017 entries and I can then no longer connect, even after a reboot. I can however remove the first three entries and still connect, but the last one:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{E6843A5D-7B5D-4149-81B6-D9661E5A60A3}: NameServer = 85.255.115.62,85.255.112.10

    will leave me disconnected.

    I do have Cox High Speed Internet but I am in Arizona. When the last 017 entry is removed, I still have access to my router and can even ping a ip address, such as the one above, from within the command prompt, but I seem to lose connection otherwise. IE wont open up yahoo.com and neither will the FireFox browser.

    The links in the favorites were deleted.

    The Find-a-Drug thing is something that I put on, you got the right address.

  4. #4
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Hi

    You should be able to remove ALL those entries... because that server is in the Ukraine and has no place on your computer...

    Removing it should not stop you connecting to the net...

    You may need to remove them, then repair the connection to restore the correct DNS entries, or you may have to input the correct entries yourself...

    This is not my area so I am moving this to the Q & A forum where more of our members will see it and be able to help you.

    cheers

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  5. #5
    Member Jynx980's Avatar
    Join Date
    Dec 2005
    Posts
    3
    Points
    0

    Default

    OK it is working now. I re-entered the dns address and that seemed to do the trick. Now that was one nasty registry entry! Thanks for you help!