Possible trojan on my PC - can someone please help?

Discussion in 'malware problems & news' started by iqueen, Sep 7, 2004.

Thread Status:
Not open for further replies.
  1. iqueen

    iqueen Registered Member

    Joined:
    May 25, 2004
    Posts:
    10
    Hi,

    I have had several problems with my PC recently including the about:blank problem, but I thought that I had eradicated everything. However, I am having several new problems now:

    i) most times (but not every time) when I go online and start up IE, IE
    cannot find any pages, it reports an error along the lines of "Cannot Find
    Search Page". When I run HJT I see an entry which is not present before
    I start up IE, extracted below from the full log

    ii) At other times, when I am offline, my PC tries to connect to a web page,
    and a "Web Page Unavailable While Offline" window pops up. This happens
    every few hours.

    Maybe these problems are related - I would be extremely grateful if someone could suggest ways to overcome these problems as they are becoming quite frustrating.
     
  2. iqueen

    iqueen Registered Member

    Joined:
    May 25, 2004
    Posts:
    10
    The suspicious HJT extract is below:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{E27FFDCA-0569-41F6-8302-E89B1EFFEDO8}:NameServer= 195.92.195.94 195.92.195.95

    This problem persists after I run Ad-Aware, Spybot S&D and CWShredder.

    Help gratefully received.
     
  3. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Hi

    Did they come up with anything? Have you tried scanning in Safe Mode? :)

    You can try Ewido trojan scanner (free 14 day trial), and see if it comes up with anything. :)
     
    Last edited: Sep 7, 2004
  4. iqueen

    iqueen Registered Member

    Joined:
    May 25, 2004
    Posts:
    10
    Ping...can someone please have a look at my question and let me have the benefit of your wisdom. Ta
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    From your description, it sounds like there is still more spyware on your system. If you have not posted a HijackThis log for review at one of the better anti-spyware forums yet, you should do that. There is more to cleaning some of the newer and more damaging infections than just removing the items that are visible with HJT. Very frequently there are many other "manual" steps beyond checking items in HijackThis and clicking fix, or running CWShredder, Ad-aware and Spybot. (These are often part of a fix, but not the entire fix!)

    However, I'm afraid we have discontinued the HijackThis log analysis service here at Wilders. See this announcement regarding this change:

    https://www.wilderssecurity.com/showthread.php?t=42148

    Within that post is an image linking over to a site that lists a number of friendly security sites, some of which still provide that service. You'll need to pick a site and read their HijackThis (spyware cleaning) posting guidelines, following their required steps carefully, and then posting as directed.
     
  6. rbw91

    rbw91 Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    57
    If I run HJT on my machine I get this as part of the report:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{9534766F-A43D-4493-AF2A-971E8F4A777F}: NameServer = 213.208.106.213 213.208.106.212

    This only started happening once I got ADSL, and I think it is just an entry which denotes the ADSL connection to the net.
     
  7. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    I did a whois on the IP 195.92.195.94:

    inetnum: 195.92.195.0 - 195.92.195.255
    netname: E2-GRL-POP
    descr: Energis UK
    descr: Leeds POP (GRL)
    country: GB
    admin-c: RADM1-RIPE
    tech-c: RADM1-RIPE
    status: ASSIGNED PA
    notify: ripe-adm@energis.com
    mnt-by: ENERGIS-MNT
    changed: denis@energis.com 20020917
    source: RIPE

    route: 195.92.0.0/16
    descr: Energis UK
    origin: AS5388
    mnt-by: ENERGIS-MNT
    changed: matthew@planet.net.uk 19960612
    changed: denis@energis.com 20020916
    source: RIPE

    role: RIPE Admin
    address: Energis UK
    address: Melbourne Street
    address: Leeds, LS2 7PS
    address: United Kingdom
    phone: +44 113 2345100
    e-mail: ripe-adm@energis.com
    admin-c: DS3356-RIPE
    admin-c: KG1164-RIPE
    tech-c: DS3356-RIPE
    tech-c: KG1164-RIPE
    tech-c: DH6692-RIPE
    tech-c: SW1645-RIPE
    tech-c: MM3076-RIPE
    nic-hdl: RADM1-RIPE
    remarks: Abuse reports to abuse@energis.com please!
    remarks: No actions are taken on abuse reports sent to RIPE admins.
    mnt-by: ENERGIS-MNT
    changed: ripe-adm@energis.com 20030808
    source: RIPE

    Is this your ISP? http://www.energis.com/
     
    Last edited: Sep 11, 2004
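
Added example, not part of the original thread: a Python sketch of the check the posts above do by hand, extracting the NameServer addresses from HijackThis O17 lines and comparing them with the resolver ranges you expect from your own ISP. The function names and the allow-list are assumptions; the range used is the inetnum from the whois output above, and "unexpected" only means the address is outside that list and worth a whois lookup.

```python
import ipaddress
import re

# Matches the O17 line shape quoted in this thread:
#   O17 - <registry path>: NameServer = <ip> <ip> ...
O17_RE = re.compile(
    r"^O17\s*-\s*(?P<path>.+?)\s*:\s*(?P<name>\w+)\s*=\s*(?P<data>.*)$"
)

def parse_o17(line):
    """Return (registry_path, [server strings]) for an O17 NameServer line, else None."""
    m = O17_RE.match(line.strip())
    if not m or m.group("name").lower() != "nameserver":
        return None
    # The registry value may separate addresses with spaces or commas.
    servers = [s for s in re.split(r"[,\s]+", m.group("data").strip()) if s]
    return m.group("path"), servers

def review(log_text, expected_networks):
    """Classify every DNS server in the log against the networks you expect."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:
            continue  # not an O17 NameServer entry
        path, servers = parsed
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                findings.append((path, s, "unparseable"))
                continue
            status = "expected" if any(ip in n for n in nets) else "unexpected"
            findings.append((path, s, status))
    return findings

# Constructed sample: the two O17 lines quoted in the thread, combined into one log.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{E27FFDCA-0569-41F6-8302-E89B1EFFEDO8}:NameServer= 195.92.195.94 195.92.195.95
O17 - HKLM\System\CCS\Services\Tcpip\..\{9534766F-A43D-4493-AF2A-971E8F4A777F}: NameServer = 213.208.106.213 213.208.106.212
"""

# Assumption: the range your ISP hands out (here, the whois inetnum above).
EXPECTED = ["195.92.195.0/24"]

if __name__ == "__main__":
    for path, ip, status in review(SAMPLE_LOG, EXPECTED):
        print(f"{status:12} {ip:16} {path}")
```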