Malwarebytes

HijackThis log entry, O17 NameServer



#1
Amethyst

I ran HijackThis last night on my laptop, just to check on something, and I found an entry that is new from the last time I had run HijackThis. It is:

O17 - HKLM\System\CCS\Services\Tcpip\..\{D31ECCF6-D6CC-49C8-803F-60968E78A25F}: NameServer = 72.xx.xxx.xxx,72.xx.xxx.xxy

I've substituted x's and y's for most of the numbers. The numbers are DNS server numbers from my ISP. I recognize that long string of letters/numbers as being related to my ethernet adapter. Normally I access the internet via a wireless connection to a router. A couple of weeks ago, I was testing a firewall by connecting it by ethernet directly to the router. I was having some trouble establishing a connection and had tried several things, including entering the IP address and DNS numbers and all that in the Windows settings, although I normally have an automatically set, DHCP-determined IP address. I removed that information and resumed having the connection settings be automatically established. What eventually worked was rebooting both modem and the laptop, and then an ethernet connection was successfully established. (BTW, the firewall experience was not a good one and I have since uninstalled it. I'm back to using the Windows firewall behind my router, but that's an issue I'll deal with further when I have more time. ;) I do need a stronger firewall for times when we travel with the laptop and it's not behind a router.)

From what I can find on the internet, if this entry shows up in a HijackThis log and the IP numbers are legitimate, then the recommendation is to NOT have HJT fix it. It kind of bugs me that this entry is there at all, but I can live with it. I am wondering what will happen if I take the laptop elsewhere on a trip and end up using an ethernet connection at a hotel or something. Would there then be an entry in the registry with the DNS server numbers of that ISP? If that was the case, would it then be OK to have HJT 'fix' this?

#2
swagger

I'm not an expert on this, but I tend to think in this situation, if you are using DHCP to provide you with all of the information including DNS then it would be okay to remove this entry as it only showed up when you input the information manually for testing purposes.
Desktop ----- AMD Athlon 3700+ (2.64Ghz), 2GB DDR 400, ASUS A8N-SLI Premium, 500GB HD, Windows XP Pro SP3, Avira Antivir Personal, MBAM Pro
Laptop ----- Intel C2D P8400 (2.4 Ghz), 4GB DDR3 1066, Mainboard, 160GB HD, Dualboot: Windows 7/openSUSE 11.1, Avira Antivir Personal

#3
Maniac

About O17, see here:
http://www.bleepingcomputer.com/tutorials/...42.html#O17Diag

#4
swagger

@Maniac,

Thanks for the link, I've read that a few times or two. That still does not really help Amethyst in this situation because he stated in his original post that the IP address is his ISP's DNS server. I honestly do believe he would be alright removing it since the entry was added after he manually set them in the Ethernet adapter's IP settings.

#5
AdvancedSetup

Write down the numbers or even take a screen shot of them if needed. Then remove them and reboot the computer. If you're having issues locating Websites then re-enable it.
Ron Lewis
Manager, Online Support

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#6
Amethyst

Thanks for your responses, I really appreciate the quick replies. :)

I do feel like a total dork, though! :o

I went and checked the TCP/IP properties for the ethernet adapter, and the DNS server was set to use those particular numbers, rather than to find the DNS server automatically. When I was having trouble getting a connection while trying to test the firewall, I had typed in the DNS server numbers and had not changed the setting back to what it had been originally, which was to find the DNS server automatically. I had done so for the DHCP setting, but neglected to change the DNS settings back. (This is the sort of thing that happens when you're trying to troubleshoot at 2 a.m.! ;) ) Today I changed it back to finding the DNS automatically, rebooted the laptop, then ran HJT again. The O17 entry is no longer there.

So everything is fine, but at least I learned what to do if anything suspect does show up in that O17 area in the future. Thanks again, and sorry to bother you.
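
The check this thread arrives at (does the O17 NameServer value list only resolvers you recognise?) written as a small log triage script. This is an added example, not part of any forum post; the sample log, the second adapter GUID and the resolver addresses are constructed placeholders.

```python
import ipaddress
import re

# Interface-level O17 line, in the format quoted in the first post.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>\w+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<guid>\{[0-9A-Fa-f-]{36}\}): NameServer = (?P<servers>.+)$"
)

def review_o17(log_text, expected_resolvers):
    """Return one finding per O17 NameServer line in a HijackThis log."""
    expected = {ipaddress.ip_address(a) for a in expected_resolvers}
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        unknown, malformed = [], []
        # Servers may be separated by commas or whitespace.
        for token in filter(None, re.split(r"[,\s]+", m["servers"])):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                malformed.append(token)   # not an IP address at all
                continue
            if addr not in expected:
                unknown.append(str(addr))
        findings.append({
            "adapter": m["guid"],
            "unknown": unknown,
            "malformed": malformed,
            # A static entry only needs chasing if a resolver is unrecognised.
            "verdict": "investigate" if unknown or malformed else "expected",
        })
    return findings

# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D31ECCF6-D6CC-49C8-803F-60968E78A25F}: NameServer = 192.0.2.53,192.0.2.54
O17 - HKLM\System\CS1\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.0.2.53 203.0.113.9
"""
# Assumed resolvers handed out by the ISP or router (placeholders).
EXPECTED = ["192.0.2.53", "192.0.2.54"]

if __name__ == "__main__":
    for f in review_o17(SAMPLE_LOG, EXPECTED):
        print(f["adapter"], f["verdict"], f["unknown"] + f["malformed"])
```

An "expected" verdict still means DNS is set statically on that adapter, which is the leftover manual setting found in this thread.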

#7
swagger

No problem. Glad you figured it out... That is good to know information!




