Anyone willing to do a HijackThis log ?

Discussion in 'other software & services' started by Rainwalker, Jun 7, 2005.

Thread Status:
Not open for further replies.
  1. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    I am wondering about an entry that has not been there before>>

    HKLM\System\CCS\Services\Tcpip\..\{C3F951BE-384F-411F-8A9A-5749435C2A0E}: NameServer = 209.165.xxx.xx 209.165.xxx.xx
    This is my DNS server.
     
  2. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    What is the folder after Tcpip?
     
  3. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    O15 - Trusted Zone: http://download.windowsupdate.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100540426733
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C3F951BE-384F-411F-8A9A-5749435C2A0E}: NameServer = 209.165.xxx.xx 209.165.xxx.xx
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
     
  4. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    These can be replaced with *.microsoft.com if you remove the HTTPS check box. You do not need to prelude with http, just use as I typed and it will cover the entire domain.

    This is part of your Intel graphics card and probably can be removed.

    This is no longer needed.

    I need to know the folder name after Tcpip (\..\) to answer this one. PM me the IP addresses if you feel comfortable.
     
  5. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Thanks Close_Hauled... I do not know what you mean by the folder name after Tcpip (\..\)... I thought this was it>>>
    {C3F951BE-384F-411F-8A9A-5749435C2A0E}
     
  6. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    Go into Regedit. Follow the hierarchy all the way down to Tcpip. There are folders after Tcpip that lead to {C3F951BE-384F-411F-8A9A-5749435C2A0E}. It is those folders that I am looking for.
     
  7. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
  8. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Hi Close_Hauled....please give the path..
     
  9. helping hand

    helping hand Guest

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C3F951BE-384F-411F-8A9A-5749435C2A0E}

    Look for the Name Server ref here.
     
  10. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    I just read this. It's late. I will review it tomorrow.
     
  11. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    17 is probably your internet connection ISP.
     
  12. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    "017" is the HJT abbreviation for a likely browser hijack. Have you checked your firewall logs? Maybe you could find out something there.

    BTW, I don't have any 017's. I don't know how common it is to have one that is legit. I'd be inclined to do as you are doing...Find out!

    Another thing you can do is to run:

    start, run, cmd, ipconfig /all and see what comes up for your DNS servers. Armed with the exact IP, then do a search and it should tell you something.


    - HandsOff
     
    Last edited: Sep 1, 2005
  13. HD rider UK

    HD rider UK Registered Member

    Joined:
    Feb 16, 2005
    Posts:
    121
    Location:
    Gloucestershire, UK
    Hi there

    The only suspicious lines in your posts are the 015 lines, as I wouldn't normally expect those entries in your trusted zone unless you put them there.
    The 017 is legit as it is your ISP and should be left alone.
    The 020 and 023 lines are both legit and should be left alone.

    It's impossible to analyse a log in little bits, so in view of the forum rules, if you would like to PM a copy of the full log, I'll have a look at it for you.

    HDRiderUK
     
  14. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    I have seven of those 17 entries on my laptop. So more than likely, yours is not malicious.

    The Regedit path that I was looking for looks something like mine:

    Code:
    My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{76614EDC-4089-403C-A3E6-F6D3BC4CABD8}
    My HiJackThis entry for the above looks like this:
    Code:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{76614EDC-4089-403C-A3E6-F6D3BC4CABD8}: NameServer = nnn.nnn.51.40,nnn.nnn.5.12
    My original question was "What is the folder after Tcpip?". In your case it is more than likely the same as mine, "Parameters". If you follow that all the way down the hierarchy to {C3F951BE-384F-411F-8A9A-5749435C2A0E}, you should find some information in there. Check that information and see if it looks odd. Post it here with the private bits edited out.
     
    Last edited: Sep 1, 2005
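    The advice in the posts above (HandsOff's ipconfig /all check and Close_Hauled's registry walk) boils down to one question: do the name servers in the O17 line belong to your ISP? As an added example, not code from any poster, this script parses HijackThis O17 lines in both separator styles seen in this thread (space and comma) and flags any resolver that is not on an expected list. The IP addresses and the second interface GUID are constructed test values; the first GUID is the one from the thread.

```python
import re
from ipaddress import ip_address

# Matches the O17 NameServer lines shown in the thread, e.g.
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 1.2.3.4 5.6.7.8
# HJT also reports CS1/CS2 control sets; O17 Domain/SearchList lines are not handled here.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?:CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"\{(?P<guid>[0-9A-Fa-f-]+)\}: NameServer = (?P<servers>.+)$"
)

def parse_o17(line):
    """Return (interface GUID, [name servers]) for an O17 line, else None."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    # Servers are space- or comma-separated (both forms appear in the posts above).
    servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
    return m.group("guid").upper(), servers

def audit_o17(log_lines, expected_dns):
    """Flag each O17 entry whose name servers are not all in the expected (ISP) set."""
    expected = {ip_address(x) for x in expected_dns}
    findings = []
    for line in log_lines:
        parsed = parse_o17(line)
        if parsed is None:
            continue
        guid, servers = parsed
        unexpected = []
        for s in servers:
            try:
                if ip_address(s) not in expected:
                    unexpected.append(s)
            except ValueError:      # not even a valid address: worth a look either way
                unexpected.append(s)
        findings.append({"guid": guid, "servers": servers,
                         "unexpected": unexpected, "suspicious": bool(unexpected)})
    return findings

# Constructed sample: the GUID from the thread with RFC 5737 test addresses standing in
# for the poster's masked ISP resolvers, plus a made-up second interface pointing elsewhere.
EXPECTED_DNS = ["192.0.2.53", "192.0.2.54"]
SAMPLE_LOG = [
    r"O15 - Trusted Zone: http://*.windowsupdate.com",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{C3F951BE-384F-411F-8A9A-5749435C2A0E}: NameServer = 192.0.2.53 192.0.2.54",
    r"O17 - HKLM\System\CS1\Services\Tcpip\..\{00000000-0000-0000-0000-000000000002}: NameServer = 192.0.2.53,198.51.100.9",
]

if __name__ == "__main__":
    for f in audit_o17(SAMPLE_LOG, EXPECTED_DNS):
        print("SUSPICIOUS" if f["suspicious"] else "ok", f["guid"], f["servers"], f["unexpected"])
```

    Feed it the real O17 lines from a log and the resolvers your ISP publishes (or what ipconfig /all shows on a known-clean machine); a masked or unparseable address is reported as unexpected rather than silently skipped.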
  15. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    There is nothing wrong with the 15 entries. They are normal. I have over about 50 of those entries that I put in myself.

    In fact, you can simplify what you have with just one entry that looks like this in your "Trusted sites" list:

    *.microsoft.com
     
  16. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Thank you all... very much... I will consider everything...
     
  17. HD rider UK

    HD rider UK Registered Member

    Joined:
    Feb 16, 2005
    Posts:
    121
    Location:
    Gloucestershire, UK
    Hi there Close_Hauled. I agree with your comment on the 015 lines. I noted that they were suspicious unless the user had put them there (note, the sites themselves are legit). The same caveat that you make. Perhaps I should have phrased it as "potentially" suspicious, pending review of the whole log and feedback from the user.

    HDriderUK
     
  18. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Hey rider... what I did was add those sites to the Trusted Sites via I.E., so am thinking that is why they are there... right?
    I am thinking that if I removed them it would not mess anything up other than removing them from the trusted sites list... right?
     
  19. HD rider UK

    HD rider UK Registered Member

    Joined:
    Feb 16, 2005
    Posts:
    121
    Location:
    Gloucestershire, UK
    Hi there Rainwalker

    As you put those sites there, that is fine. Personally, I would leave them alone; don't move them or do anything to those lines with HJT. My simple rule of thumb is to fix only what needs to be fixed, and these don't need fixing.

    HD Rider UK
     