
New HiJackThis version reveals more 2

Status
Not open for further replies.

Ngolem

Programmer
Aug 23, 2001
2,724
CA
Hi

Well after dealing with my friends machine I decided to try the newer version of HJT on my simple Win95 machine.

here is the log:

**************************************************

Logfile of HijackThis v1.99.0
Scan saved at 4:15:41 PM, on 1/6/05
Platform: Windows 95 B (Win9x 4.00.1111)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ANALOGX\COOKIEWALL\COOKIE.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
D:\ZIPS_INSTALLS\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CookieWall] C:\PROGRAM FILES\ANALOGX\COOKIEWALL\COOKIE.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [Tracks Eraser Pro] C:\PROGRAM FILES\ACESOFT\TRACKS ERASER PRO\TE.exe min
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O15 - Trusted IP range: 81.222.131.50
O15 - Trusted IP range: 81.222.131.50 (HKLM)

************************************************

The entries that bother me are the two O15's which list "Trusted IP range". I have no idea what these IPs refer to...and frankly I don't recall allowing an IP to be "Trusted".

I tried to use HJT to fix these items but they won't allow themselves to be fixed.

Am I being paranoid or is there a problem here...any guidance is appreciated.

Jim Broadbent

The quality of the answer is directly proportional to the quality of the problem statement!
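As an added example (not part of the thread), here is how a defender can triage the O15 section of a HijackThis log before touching the registry: parse every O15 line, note which hive it came from, and flag any trusted IP range that is not on a known allow-list. The sample log is constructed; the two 81.222.131.50 lines are copied from the log above, the other entries are made up to exercise the parser. The allow-list and the assumption that an untagged O15 line is the per-user (HKCU) copy are the example's own.

```python
import ipaddress
import re

# Constructed sample log. The two 81.222.131.50 lines mirror the post above;
# the remaining lines are made up to exercise the parser.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.0
O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe
O15 - Trusted IP range: 81.222.131.50
O15 - Trusted IP range: 81.222.131.50 (HKLM)
O15 - Trusted IP range: 192.168.1.10 (HKLM)
O15 - Trusted IP range: not-an-address
O15 - Trusted Zone: intranet.example (HKLM)
"""

# Hypothetical allow-list: networks this machine's owner knowingly trusts.
EXPECTED_TRUSTED = [ipaddress.ip_network("192.168.0.0/16")]

# "O15 - Trusted <kind>: <target>" with an optional "(HKLM)" hive tag.
O15_RE = re.compile(r"^O15 - Trusted (IP range|Zone): (\S+)(?: \((HKLM)\))?$")


def parse_o15(log_text):
    """Return one dict per O15 line: kind, target and the hive it lives in."""
    entries = []
    for line in log_text.splitlines():
        m = O15_RE.match(line.strip())
        if m:
            kind, target, hive = m.groups()
            # Assumption: an untagged O15 line is the per-user (HKCU) copy.
            entries.append({"kind": kind, "target": target, "hive": hive or "HKCU"})
    return entries


def flag_unexpected(entries, allowlist=EXPECTED_TRUSTED):
    """Flag trusted IP ranges that are unparseable or outside the allow-list."""
    flagged = []
    for e in entries:
        if e["kind"] != "IP range":
            continue  # Trusted Zone (hostname) entries need a different check
        try:
            net = ipaddress.ip_network(e["target"], strict=False)
        except ValueError:
            flagged.append({**e, "reason": "unparseable range"})
            continue
        if any(net.version == a.version and net.subnet_of(a) for a in allowlist):
            continue
        scope = "public" if net.is_global else "non-public"
        flagged.append({**e, "reason": f"{scope} address trusted without an allow-list match"})
    return flagged


if __name__ == "__main__":
    for hit in flag_unexpected(parse_o15(SAMPLE_LOG)):
        print(f"{hit['hive']:<4} {hit['target']:<20} {hit['reason']}")
```

A single foreign address appearing under both hives, as in the log above, is exactly what this prints two lines for; the hive column tells you which copy HijackThis or the IE Security dialog could not remove.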
 
Jim,

I looked at your post and thought the last two looked funny as well. I recognized that IP address as in the Europe range...anyhow, I went to arin.net and found this:

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 81.0.0.0 - 81.255.255.255
CIDR: 81.0.0.0/8
NetName: 81-RIPE
NetHandle: NET-81-0-0-0-1
Parent:
Comment: the RIPE database at RegDate:
Updated: 2004-03-16

Do you recognize this? I doubt it. Anyhow, see your Hosts file and look for that IP. Also run the following:

AdwareSE, Spybot S&D, Microsoft AntiSpyware.
Hope this helps.

Erik
 
I just ran a trace and the IP address above is currently terminating at
Latitude 59.88N
Longitude 30.25E

St. Petersburg, Russia

% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See
inetnum: 81.222.0.0 - 81.222.255.255
org: ORG-EA40-RIPE
netname: RU-ELTEL-20021128
descr: ELTEL.NET
descr: PROVIDER
country: RU
admin-c: ER4040-RIPE
tech-c: ER4040-RIPE
status: ALLOCATED PA
notify: registry@eltel.net
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: ELTEL-RIPE-MNT
mnt-routes: ELTEL-RIPE-MNT
changed: hostmaster@ripe.net 20021128
changed: hostmaster@ripe.net 20041031
source: RIPE
route: 81.222.128.0/20
descr: ELTEL.net
origin: AS20597
mnt-by: ELTEL-RIPE-MNT
changed: registry@eltel.net 20021204
source: RIPE
organisation: ORG-EA40-RIPE
org-name: ELTEL
org-type: LIR
address: JSC "ELTEL"
10N, 65-67, Chaykovskogo Str.
191123, Saint-Petersburg
Russia
phone: +7 812 4381100
fax-no: +7 812 4381101
e-mail: admin@eltel.net
admin-c: DS544-RIPE
admin-c: OS1157-RIPE
admin-c: AG12797-RIPE
admin-c: SA507-RIPE
mnt-ref: ELTEL-RIPE-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
changed: hostmaster@ripe.net 20040415
changed: bitbucket@ripe.net 20041025
changed: bitbucket@ripe.net 20041025
changed: bitbucket@ripe.net 20041101
changed: bitbucket@ripe.net 20041101
changed: bitbucket@ripe.net 20041102
changed: bitbucket@ripe.net 20041119
changed: bitbucket@ripe.net 20041206
changed: bitbucket@ripe.net 20041210
changed: bitbucket@ripe.net 20041227
changed: bitbucket@ripe.net 20041227
changed: bitbucket@ripe.net 20041228
source: RIPE
role: ELTEL REGISTRY
address: JSC ELTEL
address: 10N, 65-67,
address: Chaykovskogo st.
address: 191123 Saint-Petersburg
address: Russia
phone: +7 812 4381100
phone: +7 812 4381102
fax-no: +7 812 4381101
e-mail: registry@eltel.net
trouble: Points of contact for ELTEL
trouble: Sales:
sales@eltel.net
trouble: Routing and peering issues:
hostmaster@eltel.net
trouble: SPAM and Network security issues:
abuse@eltel.net
trouble: Mail issues:
postmaster@eltel.net
trouble: LIR issues:
registry@eltel.net
trouble: Information:
trouble: Hosting:
admin-c: SA507-RIPE
admin-c: OS1157-RIPE
tech-c: AG12797-RIPE
tech-c: YV89-RIPE
nic-hdl: ER4040-RIPE
notify: registry@eltel.net
mnt-by: ELTEL-RIPE-MNT
changed: registry@eltel.net 20041027
source: RIPE


Because it is in your log I would say that it has a static IP address. Email the contacts above and question them.
 
Do they show up in explorer?

Don't have an IE 5.5 to look at.
In IE6, Tools/Internet Options/Security you can look at trusted sites and add/remove. If they show there, maybe you can remove them there.

Try hjt in safe mode?

Try searching registry with a registry editor? (Be sure you have a good registry backup before tinkering.)

O15 section in this will give you a few more comments:

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Ok

Diogenes10 - I worked on trying to remove the Trusted IP in Tools/InternetOptions/Security and was able to remove one of the bad guys

O15 - Trusted IP range: 81.222.131.50 (HKLM)

This one is still left....when I remove it...it seems to disappear but is re-installed when I close and look again. Something is re-installing it.


Erik/Eyec - I have nothing to do with Russia or Amsterdam so this does not belong there...thank you for the trace...I want it removed.

I also had an AOL entry as well that disappeared when I removed it.

Registry stuff is not my forte....your instructions would have to be in complete gory detail. I would like to look but not touch first.




Jim Broadbent

The quality of the answer is directly proportional to the quality of the problem statement!
 
I am not familiar with CookieWall but if it is like Zone Alarm you may want to check there to see if it is there and get rid of it from there, and then edit the registry to clean it out.

Good luck
 
Could somebody help out here so I don't tell him something that will screw up his machine?

My theory is that he can paste 81.222.131.50 into the regedit find screen, hunt for and make a list of locations, and then remove them.

If that is correct could someone give some instructions for a win95 registry backup and how to do the search?

Thanks.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
That is what I would say. I was going to post, but didn't know if I should. I agree with you Diogenes10...

If it were me, I would do a regedit and look for that exact IP address 81.222.131.50 and delete any keys, etc... that you find. Then reboot and run Hijack again and see what is up.

To backup the registry in 95:


Erik
 
Editing the registry is a one-way street: once you delete something, MS does not (and this is the only place in all of their software) ask "Are you sure?"

In W95 go to Start, Run and type regedit.
Go to Edit, Find and type in the IP address you want to find.

Now, here is the tricky part:
You will see two sides on your screen.
The left side is the top level (key).
The right side has the values.

Sometimes just deleting the value will delete what you want.
Other times you need to delete the key level to get rid of the value altogether.

Your best bet (in order for us to help) is to copy the info on both sides of your screen when you find it and print it out here so we can let you know how to proceed.

Also, do not stop after finding the value one time. Hit Find Next until it tells you it has finished searching the entire registry.

 
Eyec - Cookiewall is not a problem...it is quite useful at restricting the cookies that you will allow.

I will follow your instructions to find this IP address and report back to you before doing anything...Thanks

Jim Broadbent

The quality of the answer is directly proportional to the quality of the problem statement!
 
Ok I did a search on my registry as suggested by Eyec and I found only one occurrence

MyComputer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1

the entry here is

Ab(default) (value not set)

o ||
||0 0x000000002(2) Cannot make the leading
symbol but looks like that

Ab:Range "81.222.131.50"


What do I do to get rid of this puppy?...I don't see that (HKLM) of the 81.222.131.50 (HKLM)...what does (HKLM) mean??



Jim Broadbent

The quality of the answer is directly proportional to the quality of the problem statement!
 
H=Host
K=Key
L=Local
M=Machine

If this is the only value under that key, delete the key on the left side of the pane by clicking on it and hitting your Delete key, or right-click on it and select Delete.

Then exit. You did disable your restore point, right?

Then reboot and that should be the end of it.
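As an added example (not from the thread), this shows what the ZoneMap\Ranges key Jim found actually encodes, and why HijackThis reports one copy with "(HKLM)" and one without: each RangeN key holds a ":Range" string and a DWORD per URL scheme whose value is the IE zone id (2 = Trusted sites). The .reg text is constructed; the HKLM path and address are the ones from the post, the HKCU entry is made up, and the DWORD name "*" (IE's all-schemes wildcard) is an assumption, since the post shows that name only as an icon.

```python
import re

# IE security zone ids as stored in the ZoneMap DWORDs.
ZONE_NAMES = {
    0: "My Computer",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# Constructed .reg export. The HKLM key and address come from the post; the
# HKCU key is made up. Value name "*" is an assumption (shown only as an icon
# in the post); it is the name IE uses for a range covering every scheme.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="81.222.131.50"
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="192.168.1.*"
"http"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
RANGES_RE = re.compile(r"\\ZoneMap\\Ranges\\(Range\d+)$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9A-Fa-f]{8}))$')


def parse_zonemap(reg_text):
    """Return one dict per ZoneMap\\Ranges\\RangeN key: hive, key, range, schemes."""
    entries = []
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            hive, subpath = key.groups()
            rng = RANGES_RE.search(subpath)
            if rng:
                current = {"hive": HIVE_ABBREV.get(hive, hive), "key": rng.group(1),
                           "range": None, "schemes": {}}
                entries.append(current)
            else:
                current = None  # some other key; ignore its values
            continue
        if current is None:
            continue
        val = VALUE_RE.match(line)
        if not val:
            continue
        name, text, dword = val.groups()
        if name == ":Range":
            current["range"] = text
        elif dword is not None:
            current["schemes"][name] = int(dword, 16)  # zone id per scheme
    return entries


def trusted_ranges(entries):
    """Keep only ranges mapped to the Trusted sites zone (id 2) for any scheme."""
    return [e for e in entries if 2 in e["schemes"].values()]


def to_o15_line(entry):
    """Render a range the way HijackThis does. Assumption: the HKLM copy is
    tagged "(HKLM)" and the HKCU copy is untagged, matching the log above."""
    suffix = " (HKLM)" if entry["hive"] == "HKLM" else ""
    return f"O15 - Trusted IP range: {entry['range']}{suffix}"


if __name__ == "__main__":
    for e in parse_zonemap(SAMPLE_REG):
        zones = ", ".join(f"{s}={ZONE_NAMES.get(z, z)}" for s, z in e["schemes"].items())
        print(f"{e['hive']} {e['key']}: {e['range']} [{zones}]")
```

Deleting the whole RangeN key, as advised above, removes both the ":Range" string and its zone DWORD together, which is why deleting only one value can leave a half-entry that the IE dialog still displays.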
 
I don't know how to do this:

"you did disable your restore point, right?"

Sorry but never done this before....after I delete the entry then what...reboot then re-enable the restore point...or can I enable this immediately after deleting the item?

Your help is really appreciated.


Jim Broadbent

The quality of the answer is directly proportional to the quality of the problem statement!
 
There is no restore point in Windows 95 that I know of. So, you don't need to worry about that. We just said that because we don't want this little beast to come back if you did have a restore point. But, I don't think that's an issue with Windows 95. As long as you just delete what we have directed, you should be fine.

Just delete the key and reboot and you should be good to go. Run another Hijack and see if that took care of the problem. I would also run AdwareSE and Spybot to make sure.

Hope that helps. Have a great weekend.

Erik
 
Oops, I forgot what system he was running.

After you delete the key just reboot and follow the last paragraph Erik stated above.

Good luck
 
That got rid of it...HijackThis doesn't show it anymore.

Well another thing learned...great site...great advisors. Thanks to all, much appreciated.

Jim Broadbent

The quality of the answer is directly proportional to the quality of the problem statement!
 