I need help!

#1 avispita

avispita

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 19 May 2005 - 07:32 AM

When I open my home page, it is supposed to open comcast.net, but instead it opens this page: http://81.222.131.49/index.php. It does not matter what I do to change it, it still opens up in this page, which pops up another page with an AD. Can anyone help? This is really annoying me!!! Please help!!!!!



#2 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 19 May 2005 - 08:38 AM

Please download HijackThis from the link below. Save it to its own folder so that backups will be easy to find. Close all connections and scan with HijackThis. It will produce a log. Save the log and then copy and paste it here by clicking on "add reply" at the bottom right.

Download >>>>> http://www.majorgeek...wnload3155.html

#3 avispita

avispita

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 25 May 2005 - 02:18 PM

Here it is. Help please!!!
Logfile of HijackThis v1.99.1
Scan saved at 4:14:11 PM, on 5/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\paytime.exe
C:\Program Files\Messenger\msmsgs.exe
c:\windows\system32\plppsia.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\System32\mp4sdmod.exe
C:\WINDOWS\system32\paytime.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} - C:\WINDOWS\frennk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6485F3A9-CE2F-5903-77CF-32A27BD8FCA6} - C:\WINDOWS\System32\DyBnAU1G.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\r3k.dll
O2 - BHO: (no name) - {FB153DCE-822E-47ec-8D00-2706E7864B37} - C:\WINDOWS\KB290333.dll
O2 - BHO: XBTB09580 - {FFDA4F6F-2EA3-4942-9420-E42880965A3A} - C:\PROGRA~1\WORDRE~1\WORDRE~1.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: WordReferenceEsEn - {5776A2BC-D803-47F6-9DC0-8344DB8D604C} - C:\Program Files\WordReferenceEsEn\wordreferenceEsEn.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [twxitf] c:\windows\system32\plppsia.exe
O4 - HKLM\..\RunOnce: [9m6xfc.exe] C:\WINDOWS\System32\9m6xfc.exe /k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [mp4sdmod] C:\WINDOWS\System32\mp4sdmod.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\RunOnce: [9m6xfc.exe] C:\WINDOWS\System32\9m6xfc.exe /k
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00AC4B9D-97B0-5C87-FA6F-139730449A29} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {07E954B5-ED6E-2A5E-BCAE-2F860CE96770} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {0D0A5D50-832B-0F24-557B-31301D6E0CD9} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {1C342CD9-7B5F-7F15-ACC7-1CE107A1C495} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {30B7A084-AE6E-0802-1876-31864CCF1A27} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {33318D83-E065-52B1-235E-7368077C6020} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {3B3051D8-EFBE-123D-100B-65A00CFCDA5F} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {45F8693D-0FF3-047A-9544-269A0EA9FB56} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {66332516-E399-0B0A-D898-7B7304E5581F} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {6A338BB2-044B-0324-AB33-58E565CD87B6} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {7FB0EFC9-B0FF-2CAC-30AA-19293A2161F4} - http://69.31.82.26/1/gdnUS10.exe
O21 - SSODL: EFCbrFa - {6485F3A3-CE2F-5909-BE4B-21B67BD8FCA3} - C:\WINDOWS\System32\uyjt.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
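
The log above, read the way a helper reads it, as an added example that is not code from anyone in this thread: a small Python triage script that parses HijackThis-style lines and flags the entry types Siggyx acts on in the next reply (browser start page pointing at a bare IP address, an extra program chained onto the Windows shell in system.ini, ActiveX downloads from a bare IP, a service with an unknown owner) and marks weaker signals such as unnamed BHOs and components whose file is missing for manual review. The sample lines are copied from the posted log; the heuristics, severities and function names are my own assumptions, not anything HijackThis itself produces.

```python
"""Triage a HijackThis-style log: flag the entry types a malware-removal helper acts on."""
import re
from collections import Counter
from dataclasses import dataclass

# A URL whose host is a bare IPv4 address (the hijacked start page and the DPF downloads above).
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)", re.I)

# Sample input: a subset of the log posted above, copied verbatim (constructed selection).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O16 - DPF: {00AC4B9D-97B0-5C87-FA6F-139730449A29} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {07E954B5-ED6E-2A5E-BCAE-2F860CE96770} - http://69.31.82.26/1/gdnUS10.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O16"
    severity: str  # "high" = act on it; "review" = weak signal, check the path by hand
    reason: str
    line: str


def parse_entry(line):
    """Split 'O4 - HKLM\\..\\Run: [x] y' into (section, rest); None for non-entry lines."""
    m = re.match(r"^(R[0-3]|F[0-3]|O\d{1,2})\s+-\s+(.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage_line(line):
    """Return a Finding for one log line, or None if nothing in it looks worth acting on."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    section, rest = parsed
    if section in ("R0", "R1") and RAW_IP_URL.search(rest):
        return Finding(section, "high", "browser start/default page points at a bare IP address", line)
    if section == "F2" and "Shell=" in rest:
        # A clean entry is exactly "Shell=Explorer.exe"; anything appended is a second program
        # that the shell will start on every logon.
        shell = rest.split("Shell=", 1)[1].split()
        if len(shell) != 1 or shell[0].lower() != "explorer.exe":
            return Finding(section, "high", "extra program chained onto the Windows shell", line)
    if section == "O16" and RAW_IP_URL.search(rest):
        return Finding(section, "high", "ActiveX download from a bare IP address", line)
    if section == "O23" and "Unknown owner" in rest:
        return Finding(section, "high", "service with unknown owner", line)
    if section == "O2" and "(no name)" in rest:
        return Finding(section, "review", "unnamed BHO; confirm the DLL path belongs to a known product", line)
    if "(file missing)" in rest:
        return Finding(section, "review", "registered component whose file is missing", line)
    return None


def triage(log_text):
    """Run triage_line over a whole log and collect the findings in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def dpf_targets(findings):
    """Count distinct download URLs among flagged O16 (DPF) entries.

    Many CLSIDs resolving to one URL is the pattern in the log above: one dropper, many registrations.
    """
    urls = [f.line.split(" - ")[-1].strip() for f in findings if f.section == "O16"]
    return dict(Counter(urls))


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.section:4} {f.reason}\n         {f.line}")
    print("DPF download targets:", dpf_targets(found))
```

Two things the run shows. First, the script does not touch the legitimate entries (the NeroCheck Run key and the Comcast proxy line pass through untouched). Second, the "(no name)" rule flags Spybot's own SDHelper.dll, which is why it is marked "review" rather than "high": an unnamed BHO is a prompt to look at the DLL path, not a verdict, and the helper in this thread makes exactly that distinction by fixing the F2 line and the service while leaving SDHelper alone.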

#4 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 25 May 2005 - 08:16 PM

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please run Notepad and copy the following text into a new file:

@ECHO OFF
REM Work from the Windows directory, where Nail.exe and svcproc.exe live.
cd %windir%
REM Run Nail's own removal switch first.
Nail.exe /FULLREMOVE
REM Stop the SvcProc service from starting, stop it, then unregister it.
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM Clear the system/read-only/hidden attributes so the files can be deleted.
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
REM Same for DrPMon.dll in system32.
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Post the log from the scan here for me.

Then please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
