IE problem - very very slow (pretty sure not spyware)

Status
Not open for further replies.

xylophone

howard_hopkinso said:
There are a couple of entries that may be causing some problems. A lot depends on whether you know what they are.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 219.93.211.74:80 If you don't use a proxy server, or you have not set this yourself, it should be fixed.

O17 - HKLM\System\CCS\Services\Tcpip\..\{28F55A98-3C25-4D2B-828A-8539B9A36F2D}: NameServer = 80.225.252.58 80.225.252.50 If this does not belong to your ISP, it should be fixed.

To fix an entry in HJT, run HJT, place a tick in the little box next to the entry you want to fix and click on the fix checked button. Once done, close HJT.

Let me know if this helps.

Regards Howard :)

Howard, if I may butt in here. I would be grateful if you could help me. I am a non-techie here and flying by the seat of my pants.

I also have exactly the same HKLM entry. You say that if this name server does not belong to your ISP, get HJT to get rid of it.

My ISP original account details give a primary DNS of 212.74.112.66, secondary 212.74.112.67, and an IP address of 212.1.134.54

Is any of these the same as the 'name server' you mention? I understand the IP (numerical) address should = (my ISP's name address) www.tiscali.co.uk

The reason I ask is that I have had problems with my ISP's DNS servers causing (with a secure online web site) 'page cannot be displayed'. To get round that, and as it seemed a good idea anyway, I installed Treewalk, which causes the PC to use DNS numerical addresses, avoiding the name addresses. But TW would not work, and after many postings in their Forum, they concluded that my 80.225.252.58 80.225.252 address was fishy: they couldn't get TW to work.

I have since run a DNS test at DNSReport.com on my ISP domain = tiscali.co.uk (omit www.), which showed up minor (yellow) but no real (red) problems.

So, if I am able to get rid of the HKLM... entry in HJT, it could mean my ISP DNS servers problems would be over.

My question is - as I have described my position, should I delete this entry?
 
Hello and welcome to Techspot.

Make sure HJT is in its own directory, i.e. C:\HJT\HJT.exe. This is because HJT makes backups of anything it fixes.

Then, go ahead and have HJT fix that entry. If you then have problems, you can restore that entry by doing the following.

Run HJT and click on the config button, then the backups button. Choose the entry you would like to restore and tick the little box next to that entry. Click on the restore button.

Regards Howard :wave: :wave:
 
Ok, I have just read your PM.

In view of what you said in your pm, I suggest you do the following.

Go HERE and follow the instructions exactly.

Post a fresh HJT log into this thread, Only after doing the above.

Regards Howard :)
 
Following instructions. Ewido run, no problems, still have offending O17 entry in HJT (HKLM -- 85...), so posting Ewido report below. Will now follow remaining instructions.

---------------------------------------------------------
ewido anti-malware - Scan Report
---------------------------------------------------------

+ Created at: 16:49:54 12/06/2006

+ Scan result:



Nothing found.



::Report end
 
Just to say the rest of the instructions will take some time, which I will have to set aside, so I may not post again until tomorrow, Tuesday. I am not going away!
 
xylophone said:
Just to say the rest of the instructions will take some time, which I will have to set aside, so I may not post again until tomorrow, Tuesday. I am not going away!

That's not a problem.

I'm not going away either lol.

Regards Howard :)
 
Me again.

Problem. I ran through the programs you mention to download and install. One of them, I can't remember now which, got me to go into Safe Mode, which I did successfully. Having run all of the programs, to see how they work, I then tried (top of page 2 of your instructions) to reboot in Safe Mode again, before disabling System Restore, and then running the programs you then mention. But this time, when on restarting it got to the bit where I click on (below greyed out Administrator bit), the 'hand' froze and I could not enter my password for that reason; the cursor just kept blinking. It also seemed as if the entire keyboard was locked. Can you please advise (I hope!) how I get out from under this, so I can proceed with your instructions. I run XP SP1.
 
No, do not use safeboot in msconfig.

You're not supposed to run all the programmes to see how they work. You're supposed to follow the instructions in the exact order they are given.

Reboot your computer into normal mode and post a HJT log.

Regards Howard :)
 
I believed I should familiarise myself with the programs first. You do have a line 'before running these programs (now or later) always make sure....' I took 'now' to mean I was at liberty, sensibly it seemed to me, to run through them first, before proceeding with your instructions further. I am not complaining or seeking to justify myself, just stating how I read the instructions.

At all events, as requested, I append my HJT log (can't get attach to work).
 
Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to each (if there).

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=StopThePopup:8100

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - (no file)

O3 - Toolbar: (no name) - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - (no file)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Sandboxie Toolbar - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\WINDOWS\System32\shdocvw.dll (HKCU)

O9 - Extra 'Tools' menuitem: Sandboxie - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\WINDOWS\System32\shdocvw.dll (HKCU)

Fix all O16 - DPF entries.

O17 - HKLM\System\CCS\Services\Tcpip\..\{24100528-2EF3-4F79-9E00-512BF6643493}: NameServer = 80.225.252.50 80.225.252.58 <- Only fix this if it doesn't belong to your ISP.

Click on the fix checked button.

Close HJT.

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log.

Regards Howard :)
 
Post all of the before, when I ran IE, I got MSN as the address, when this should have been tiscali.co.uk. So I put in that address in IE and got it to use that as the current. When I then ran HJT, entry O17, as before, reappeared - HKLM.... the numbers. Might this mean that the Tiscali address brought this entry back? If so, what are the ramifications of that?
 
If the O17 entry does belong to your ISP, i.e. Tiscali, then it's probably safe.

Regards Howard :)

P.S. I have just checked your O17 entry and it is indeed from Tiscali. So, if your ISP is Tiscali, it's safe.
 
HJT log.txt attached.

Sorry. Only just twigged to rename it hijackthis.txt before saving it.

Re O17, I don't know if this belongs to Tiscali. My previous researches re failure to access my secure online banking account indicated it does belong to Tiscali. That said, several forum moderators elsewhere (e.g. Treewalk) have suggested the entry is 'fishy'. On that basis and hitherto, I have assumed my quest is to get the entry off my PC. Perhaps instead I should be questioning Tiscali about it. I know which technical people to speak to there who should field such an enquiry, but my problem there would be I would not be able to raise it and pursue it, for fear I would get 'lost off'.
 
Have HJT fix the following.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=StopThePopup:8100

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)

O17 - HKLM\System\CCS\Services\Tcpip\..\{24100528-2EF3-4F79-9E00-512BF6643493}: NameServer = 80.225.252.50 80.225.252.58

Click on the fix checked button and close HJT.

If after fixing the above O17 entry your internet stops working, do the following.

Run HJT and click on the config button and then on the backups button. Place a tick in the little box next to the entry you wish to restore and click the restore button. Reboot your computer.

Regards Howard :)
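
An added example, not part of any post in this thread and not HijackThis's own code: a short Python triage of the R1 ProxyServer and O17 NameServer lines quoted above, checked against lists the user supplies. The function names and allow-lists are assumptions made for illustration; the addresses are the ones given in the thread.

```python
import ipaddress
import re

# Constructed sample: entry lines as quoted in this thread.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 219.93.211.74:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=StopThePopup:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O17 - HKLM\System\CCS\Services\Tcpip\..\{24100528-2EF3-4F79-9E00-512BF6643493}: NameServer = 80.225.252.50 80.225.252.58
"""

# DNS servers from the ISP account details quoted in the thread.
ACCOUNT_DNS = {"212.74.112.66", "212.74.112.67"}

PROXY_RE = re.compile(r"^R1 - (?P<key>.+),ProxyServer = (?P<value>.*)$")
DNS_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<value>.*)$")


def triage(log_text, expected_dns, expected_proxies=frozenset()):
    """Return (line_no, kind, value, verdict) for each proxy and DNS setting."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        m = PROXY_RE.match(line)
        if m:
            value = m["value"].strip()
            verdict = "expected" if value in expected_proxies else "review"
            findings.append((no, "proxy", value, verdict))
            continue
        m = DNS_RE.match(line)
        if not m:
            continue
        # One NameServer value can list several resolvers.
        for addr in filter(None, re.split(r"[ ,]+", m["value"].strip())):
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                verdict = "malformed"  # e.g. a truncated address
            else:
                verdict = "expected" if addr in expected_dns else "review"
            findings.append((no, "dns", addr, verdict))
    return findings


def to_review(findings):
    """Values that are not on the user's own allow-lists."""
    return [value for _, _, value, verdict in findings if verdict != "expected"]
```

"review" here only means the value is not on the supplied list; once the owner of a resolver has been confirmed, adding it to `expected_dns` clears the finding.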
 
Did all of that. In IE, got page cannot be displayed, and OE error. Restored O17 in HJT and internet now working.

What next?
 
xylophone said:
Did all of that. In IE, got page cannot be displayed, and OE error. Restored O17 in HJT and internet now working.

What next?

As far as I'm aware, your HJT log should now be clean.

You can post a fresh log if you like.

Regards Howard :)
 
Thanks. Many thanks.

So what therefore does all of this mean?

Were there problems, and if so, what were they?

Should I now be having problems accessing my secure online account?

Is the O17 entry now in any way 'fishy'?

In other words, do I have anything HJT shows to worry about???
 
I attach latest log

Puzzled now.

If the entries you say were the problems, were the 4 entries in post 19 (which is what I asked before), then the first 2, R1 entries have reappeared, but not the O2 entry.

If the first 2, R1 entries were 'problems', which HJT fixed, then why have they reappeared, and the other entry HJT also fixed, has not?

I am trying to understand. Might the upshot be that if the same O2 entry were to reappear (I have kept a record of it), I should get HJT to fix it without further ado???
 