
I need help!
#1
Posted 19 May 2005 - 07:32 AM
#2
Posted 19 May 2005 - 08:38 AM
Download >>>>> http://www.majorgeek...wnload3155.html
#3
Posted 25 May 2005 - 02:18 PM
Logfile of HijackThis v1.99.1
Scan saved at 4:14:11 PM, on 5/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\paytime.exe
C:\Program Files\Messenger\msmsgs.exe
c:\windows\system32\plppsia.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\System32\mp4sdmod.exe
C:\WINDOWS\system32\paytime.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} - C:\WINDOWS\frennk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6485F3A9-CE2F-5903-77CF-32A27BD8FCA6} - C:\WINDOWS\System32\DyBnAU1G.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\r3k.dll
O2 - BHO: (no name) - {FB153DCE-822E-47ec-8D00-2706E7864B37} - C:\WINDOWS\KB290333.dll
O2 - BHO: XBTB09580 - {FFDA4F6F-2EA3-4942-9420-E42880965A3A} - C:\PROGRA~1\WORDRE~1\WORDRE~1.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: WordReferenceEsEn - {5776A2BC-D803-47F6-9DC0-8344DB8D604C} - C:\Program Files\WordReferenceEsEn\wordreferenceEsEn.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [twxitf] c:\windows\system32\plppsia.exe
O4 - HKLM\..\RunOnce: [9m6xfc.exe] C:\WINDOWS\System32\9m6xfc.exe /k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [mp4sdmod] C:\WINDOWS\System32\mp4sdmod.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\RunOnce: [9m6xfc.exe] C:\WINDOWS\System32\9m6xfc.exe /k
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00AC4B9D-97B0-5C87-FA6F-139730449A29} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {07E954B5-ED6E-2A5E-BCAE-2F860CE96770} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {0D0A5D50-832B-0F24-557B-31301D6E0CD9} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {1C342CD9-7B5F-7F15-ACC7-1CE107A1C495} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {30B7A084-AE6E-0802-1876-31864CCF1A27} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {33318D83-E065-52B1-235E-7368077C6020} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {3B3051D8-EFBE-123D-100B-65A00CFCDA5F} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {45F8693D-0FF3-047A-9544-269A0EA9FB56} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {66332516-E399-0B0A-D898-7B7304E5581F} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {6A338BB2-044B-0324-AB33-58E565CD87B6} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {7FB0EFC9-B0FF-2CAC-30AA-19293A2161F4} - http://69.31.82.26/1/gdnUS10.exe
O21 - SSODL: EFCbrFa - {6485F3A3-CE2F-5909-BE4B-21B67BD8FCA3} - C:\WINDOWS\System32\uyjt.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
#4
Posted 25 May 2005 - 08:16 PM
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
Please run Notepad and copy the following text into a new file:
@ECHO OFF
cd %windir%
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit
Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.
Then please run Ewido, and run a full scan. Post the log from the scan here for me.
Then please run HijackThis, click Scan, and check:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
Close all open windows except for HijackThis and click Fix Checked.
Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
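Added example, not part of the thread and not HijackThis code: a small Python triage pass over a log in the format posted in #3, flagging the kinds of entries this thread acts on (the F2 shell line, the SvcProc service) along with IP-literal URLs and registrations whose file is gone. The sample lines are excerpted from the log above; the function names and the rule set are assumptions chosen for illustration, and a flag marks an entry for manual review rather than confirming it as malicious.

```python
import re

# Excerpted from the HijackThis log in post #3 (a few lines per entry type).
SAMPLE = r"""Logfile of HijackThis v1.99.1
C:\WINDOWS\system32\paytime.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O16 - DPF: {00AC4B9D-97B0-5C87-FA6F-139730449A29} - http://69.31.82.26/1/gdnUS10.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # "<code> - <body>"
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?=[:/]|$)", re.I)

def parse(log_text):
    """Yield (code, body) per entry line; header and process-list lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log_text):
    """Return (code, reason, body) for entries that deserve a manual look."""
    findings = []
    for code, body in parse(log_text):
        low = body.lower()
        if code == "F2" and "shell=" in low:
            # The expected shell value is Explorer.exe alone (assumed rule).
            tokens = body[low.index("shell=") + 6:].split()
            if len(tokens) != 1 or tokens[0].lower() != "explorer.exe":
                findings.append((code, "non-default shell line", body))
        elif code in ("R0", "R1", "O16") and IP_URL.search(body):
            findings.append((code, "URL with bare IP host", body))
        elif code in ("O2", "O3") and ("(file missing)" in low or "(no file)" in low):
            findings.append((code, "registration without a file", body))
        elif code == "O23" and "unknown owner" in low:
            findings.append((code, "service owner not identified", body))
    return findings

if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE):
        print(f"{code:4} {reason:30} {body}")
```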