| Thread ID: 64850 | 2005-12-30 20:58:00 | Need help..computer restarts | Henicide (9502) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 416668 | 2005-12-30 20:58:00 | I've spent the last 3 days deleting viruses off my computer. One, it seems, wouldn't let me access the internet via Internet Explorer or Advanced Browser, but all other programs work fine (Yahoo, MSN). I ended up getting HijackThis and found out that it was that stupid newdotnet thing that was keeping me from accessing the internet, so I got LSPFix and deleted the newdotnet thing. The problem is I can access IE through safe mode and I have no idea if I can access it through normal Windows, because every time I log in (I use XP Pro SP2), I will get to the desktop, then it restarts my damn computer before I can find out if IE works. Here's my HijackThis log... but unfortunately it's from while I'm in safe mode: Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\admin\My Documents\HIJACKTHIS\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R3 - Default URLSearchHook is missing O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hpF03C.tmp (file missing) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\ Yahoo! 
\Companion\Installs\cpn0\yt.dll O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s O4 - HKLM\..\Run: [TELUS Security service] C:\Program Files\TELUS\TELUS Security service\Freedom.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Hacker\KAVPF.exe O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe O8 - Extra context menu item: & Yahoo! Search - file:///C:\Program Files\ Yahoo! \Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\ Yahoo! \Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\ Yahoo! \Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\ Yahoo! \Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\ Yahoo! 
\Common\yiesrvc.dll (file missing) O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - www.creative.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\ Yahoo! \Common\yinsthelper.dll O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - by102fd.bay102.hotmail.msn.com O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - www.creative.com O17 - HKLM\System\CCS\Services\Tcpip\..\{60CD93E3-33C6-4310-B38F-B215E1DCBDE3}: NameServer = 85.255.114.18,85.255.112.62 O17 - HKLM\System\CCS\Services\Tcpip\..\{98BD16C6-BD82-4693-8D7F-47B5E83B8E20}: NameServer = 85.255.114.18,85.255.112.62 O17 - HKLM\System\CCS\Services\Tcpip\..\{A5BD7D44-639F-42DD-B570-E6F1B903780E}: NameServer = 85.255.114.18,85.255.112.62 O17 - HKLM\System\CCS\Services\Tcpip\..\{F1F12C87-0C5C-4F60-B7D0-7520434388DC}: NameServer = 85.255.114.18,85.255.112.62 O17 - HKLM\System\CS1\Services\Tcpip\..\{60CD93E3-33C6-4310-B38F-B215E1DCBDE3}: NameServer = 85.255.114.18,85.255.112.62 O17 - HKLM\System\CS2\Services\Tcpip\..\{60CD93E3-33C6-4310-B38F-B215E1DCBDE3}: NameServer = 85.255.114.18,85.255.112.62 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll (file 
missing) O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing) O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll (file missing) O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3gw.exe (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kavsvc.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe |
Henicide (9502) | ||
| 416669 | 2005-12-30 21:21:00 | Boot to safe mode and right-click My Computer. Select Properties > Advanced > Startup & Recovery Options, then untick Automatically Restart. This should give you a BSOD when it shuts down and an error message. Post the error message here for us to look at. Turn off System Restore. Run HJT again in safe mode and check and fix these: R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R3 - Default URLSearchHook is missing O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hpF03C.tmp (file missing) O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\ Yahoo! \Common\yiesrvc.dll (file missing) O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe O17 - HKLM\System\CCS\Services\Tcpip\..\{60CD93E3-33C6-4310-B38F-B215E1DCBDE3}: NameServer = 85.255.114.18,85.255.112.62 O17 - HKLM\System\CCS\Services\Tcpip\..\{98BD16C6-BD82-4693-8D7F-47B5E83B8E20}: NameServer = 85.255.114.18,85.255.112.62 O17 - HKLM\System\CCS\Services\Tcpip\..\{A5BD7D44-639F-42DD-B570-E6F1B903780E}: NameServer = 85.255.114.18,85.255.112.62 O17 - HKLM\System\CCS\Services\Tcpip\..\{F1F12C87-0C5C-4F60-B7D0-7520434388DC}: NameServer = 85.255.114.18,85.255.112.62 O17 - HKLM\System\CS1\Services\Tcpip\..\{60CD93E3-33C6-4310-B38F-B215E1DCBDE3}: NameServer = 85.255.114.18,85.255.112.62 O17 - HKLM\System\CS2\Services\Tcpip\..\{60CD93E3-33C6-4310-B38F-B215E1DCBDE3}: NameServer = 85.255.114.18,85.255.112.62 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll (file missing) O20 - Winlogon Notify: msupdate - 
msupdate32.dll (file missing) O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll (file missing) O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3gw.exe (file missing) Download ewido, www.ewido.net install, update online, then run and fix problems in safe mode, then again in normal mode if you can get there |
bartsdadhomer (80) | ||
| 416670 | 2005-12-31 01:28:00 | Hi. You have a number of infections that will need to be deep cleaned. It may help to print out or copy this page as you will be working in Safe Mode. Make sure to work through the fixes in the exact order it's listed. Download any of the required programs before attempting to start any of the fixes. SHOW HIDDEN FILES AND FOLDERS. To show hidden files instructions (WinXP) Doubleclick My Computer | Tools | Folder Options | View tab Select Show Hidden Files and Folders Uncheck Hide extensions for known file types Uncheck Hide protected operating system files (Recommended) Select Apply to All Folders | Yes | Apply | OK ------------------------------------------------------------------ Files highlighted in BLACK will need to be removed from your hard drive. ------------------------------------------------------------------ Please download FixWareout from one of these sites: downloads.subratam.org swandog46.geekstogo.com Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items: R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R3 - Default URLSearchHook is missing O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hpF03C.tmp (file missing) O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s O17 - HKLM\System\CCS\Services\Tcpip\..\{60CD93E3-33C6-4310-B38F-B215E1DCBDE3}: NameServer = 85.255.114.18,85.255.112.62 O17 - HKLM\System\CCS\Services\Tcpip\..\{98BD16C6-BD82-4693-8D7F-47B5E83B8E20}: NameServer = 85.255.114.18,85.255.112.62 O17 - HKLM\System\CCS\Services\Tcpip\..\{A5BD7D44-639F-42DD-B570-E6F1B903780E}: NameServer = 85.255.114.18,85.255.112.62 O17 - HKLM\System\CCS\Services\Tcpip\..\{F1F12C87-0C5C-4F60-B7D0-7520434388DC}: NameServer = 85.255.114.18,85.255.112.62 O17 - HKLM\System\CS1\Services\Tcpip\..\{60CD93E3-33C6-4310-B38F-B215E1DCBDE3}: NameServer = 85.255.114.18,85.255.112.62 O17 - HKLM\System\CS2\Services\Tcpip\..\{60CD93E3-33C6-4310-B38F-B215E1DCBDE3}: NameServer = 85.255.114.18,85.255.112.62 O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll (file missing) O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing) O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll (file missing) O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3gw.exe (file missing) --------------------------------------------------------------------------------- Download L2mfix (www.downloads.subratam.org) Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This scan takes time to complete, then notepad will open with a log. Close all open programs. From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then press enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it here, along with a new HJT log. ----------------------------------------------------------------------- Go to Start > Run and type cmd and OK. Type the below commands and hit "Enter" after each line sc stop 11Fßä#·ºÄÖ`I sc delete 11Fßä#·ºÄÖ`I Type Exit to close. ----------------------------------------------------------------------- Please start by going into SAFE MODE. During reboot, tap the F8 key. Select Safe Mode and then run "Hijack This" ------------------------------------------------------------------ Open Windows Explorer and delete the following highlighted file/s C:\WINDOWS\system32\d3gw.exe C:\WINDOWS\System\svchost.exe <-- do not remove the svchost.exe file from System32 folder C:\WINDOWS\system32\st3.dll C:\WINDOWS\system32\browsela.dll ------------------------------------------------------------------- Should you have problems connecting to the internet after the fix, follow these instructions. Please go to Start -> Control Panel Network Connections. Rightclick on your default connection (usually Local Area Connection or Dial-up Connection if you are using Dial-up) and leftclick on Properties. Doubleclick on the Internet Protocol (TCP/IP) item and select the button that says "Obtain DNS servers automatically". Click OK twice, and restart your computer. When finished please post a new log. |
Pancake (6359) | ||
| 416671 | 2006-01-16 23:26:00 | Your DNS entries most probably have been modified by a virus: 85.255.114.18,85.255.112.62 Whois: 85.255.112.0 - 85.255.127.255 Inhoster hosting company OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine |
keeperlink (9503) | ||
| 416672 | 2006-01-17 01:05:00 | Thanks for the reminder keeperlink. I forgot to add the fix for it. Please download FixWareout from one of these sites: downloads.subratam.org swandog46.geekstogo.com Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and send a new post. |
Pancake (6359) | ||
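
The three checks the replies apply by eye to the posted log (O17 NameServer values inside the whois range keeperlink quotes, a svchost.exe launched from outside System32, and entries marked "(file missing)") can be run over a HijackThis log automatically. This is an added example, not code from any poster or from HijackThis; the `triage` function and its reason strings are hypothetical, and the sample lines are copied from the log in the first post.

```python
import ipaddress
import re

# Range from the whois result quoted in the thread: 85.255.112.0 - 85.255.127.255
FLAGGED_DNS = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("85.255.112.0"), ipaddress.ip_address("85.255.127.255")))

# Sample input: five entries copied from the log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{60CD93E3-33C6-4310-B38F-B215E1DCBDE3}: NameServer = 85.255.114.18,85.255.112.62
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
SVCHOST = re.compile(r"\\svchost\.exe\b", re.I)
SVCHOST_OK = re.compile(r"\\system32\\svchost\.exe\b", re.I)


def triage(log_text):
    """Return (section, reason) for every log entry that deserves a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # process list, headers, blank lines
        section, body = m.groups()
        if section == "O17" and "NameServer =" in body:
            # The value is a comma-separated list of resolver addresses.
            for raw in body.split("=", 1)[1].split(","):
                try:
                    ip = ipaddress.ip_address(raw.strip())
                except ValueError:
                    continue
                if any(ip in net for net in FLAGGED_DNS):
                    findings.append((section, f"DNS server {ip} is in the flagged range"))
        elif SVCHOST.search(body) and not SVCHOST_OK.search(body):
            findings.append((section, "svchost.exe started from outside System32"))
        elif body.endswith("(file missing)"):
            findings.append((section, "entry points at a file that no longer exists"))
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(section, "-", reason)
```
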