— Anya —
Posted on 05-04-08 12:57:49 PM (last edited by Anya at 05-04-08 10:01 AM)
Okay, I'm going a tad insane here and I need help.
It started about a week ago when we installed HitMan Pro on the computer. My husband uses it at work and he wanted to try it at home. Since then, I haven't been able to access certain websites like MySpace and Gmail. The pages won't load at all and it stays at a blank page. I've uninstalled HitMan Pro, uninstalled Firefox, updated IE, downloaded a trial version of Microsoft's Live OneCare program and it's still not working. I haven't gone back to restore the computer yet. I think this is a simple fix, but I cannot figure it out. Any tips, advice, help, is greatly appreciated. And if you need info from me, let me know and I'll do the best that I can.
Also, we've tried the ethernet cord in my laptop and we're able to access the websites in question, so it's not the line, Comcast, the router, or anything along those lines.
I've also tried the sites in question in two different web clients. And it now seems that this place is running a bit off too.
Xkeeper
Checking the HOSTS file and Winsock LSPs may be a good idea; try posting a HijackThis log here (don't blindly click "fix" on anything).
That way we can prod through it to look for nasties.
— Anya —
Thanks. This is what it came up with (and now typing a post, it's a bit laggy):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:35 PM, on 5/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1BFEDC73-DA76-458E-ACF6-6ADD40C2EE4C} - (no file)
O2 - BHO: (no name) - {50AE568C-E9D3-4D5D-8A95-9B4453792192} - (no file)
O2 - BHO: (no name) - {5C903A07-8F19-4B46-A8E2-269D4EF73789} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8A64AC16-CB95-49F6-B1C5-BB9FA6B8A140} - C:\WINDOWS\system32\yayyVPJa.dll (file missing)
O2 - BHO: (no name) - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)
O2 - BHO: (no name) - {b13c5e88-f5dd-4a16-bab2-0519a81df4c7} - (no file)
O2 - BHO: {16642d11-fc8e-f95a-8b54-c36c5539182b} - {b2819355-c63c-45b8-a59f-e8cf11d24661} - C:\WINDOWS\system32\wydxxgpw.dll
O2 - BHO: (no name) - {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} - C:\WINDOWS\system32\tuvVpMGv.dll (file missing)
O2 - BHO: (no name) - {E302CE48-FB17-4572-8861-6A23BE9A5C8D} - C:\WINDOWS\system32\tuvSkIBT.dll (file missing)
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [d4644990] rundll32.exe "C:\WINDOWS\system32\xbcirpiq.dll",b
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BMd7577a0c] Rundll32.exe "C:\WINDOWS\system32\uboeoewc.dll",s
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163814390093
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.5.0_03) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O20 - Winlogon Notify: tuvVpMGv - tuvVpMGv.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
--
End of file - 6820 bytes
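Xkeeper asked for the log so the thread could look through it by hand. As an added example (not code from the thread, from HijackThis or from Trend Micro), the script below applies the same heuristics the replies use to a handful of lines copied from the log above: O2/O20 entries with no name or a missing file, O4 Run entries that load a DLL out of system32 through rundll32, and eight-letter all-alphabetic DLL names, the pattern Erika later describes as typical of Virtumonde. The regexes and reason strings are my own and are heuristics, not signatures.

```python
import re

# Sample lines copied from the HijackThis log posted above (a subset, chosen for the example).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8A64AC16-CB95-49F6-B1C5-BB9FA6B8A140} - C:\WINDOWS\system32\yayyVPJa.dll (file missing)
O2 - BHO: {16642d11-fc8e-f95a-8b54-c36c5539182b} - {b2819355-c63c-45b8-a59f-e8cf11d24661} - C:\WINDOWS\system32\wydxxgpw.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [d4644990] rundll32.exe "C:\WINDOWS\system32\xbcirpiq.dll",b
O4 - HKLM\..\Run: [BMd7577a0c] Rundll32.exe "C:\WINDOWS\system32\uboeoewc.dll",s
O20 - Winlogon Notify: tuvVpMGv - tuvVpMGv.dll (file missing)
"""

# Eight-letter, all-alphabetic DLL names are the "randomly named DLLs" pattern from the thread.
# Legitimate system DLLs rarely look like this, but it is only a heuristic (my assumption).
RANDOM_DLL = re.compile(r"(?<![A-Za-z0-9])[A-Za-z]{8}\.dll\b", re.IGNORECASE)
GUID = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)
RUNDLL_SYS32 = re.compile(r'rundll32\.exe\s+"?[A-Z]:\\WINDOWS\\system32\\', re.IGNORECASE)

def triage_line(line: str) -> list[str]:
    """Return the reasons one HijackThis line deserves a closer look (empty list if none)."""
    reasons = []
    if "(file missing)" in line:
        reasons.append("registered component whose file is gone (leftover or half-removed)")
    if line.startswith("O2 - BHO: "):
        # Format: "O2 - BHO: NAME - {CLSID} - PATH"; a BHO with no name, or a GUID as its name, is odd.
        name = line.split(" - ")[1][len("BHO: "):]
        if name == "(no name)" or GUID.match(name):
            reasons.append("browser helper object with no descriptive name")
    if line.startswith("O4 - ") and RUNDLL_SYS32.search(line):
        reasons.append("autorun entry loads a DLL from system32 via rundll32")
    if RANDOM_DLL.search(line):
        reasons.append("DLL name looks randomly generated")
    return reasons

def triage(log_text: str) -> dict[str, list[str]]:
    """Map every flagged log line to the list of reasons it was flagged."""
    flagged = {}
    for line in log_text.splitlines():
        if reasons := triage_line(line):
            flagged[line] = reasons
    return flagged

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry, "\n   ->", "; ".join(why))
```

Hits on "(file missing)" alone also include benign leftovers such as the Symantec ccSvcHst.exe and Windows Messenger entries in the full log, so every flag is something to confirm by hand, not something to fix blindly.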
paulguy
Jesus, you've got a lot of shit on your computer. Quicktime, Real, Acrobat and a bunch of things that have the most nonsensical names. As for your problem, I don't know what specifically is causing it, but as said before, it could be your hosts file, whose location in Windows I forget.
Xkeeper
3 seconds of googling: c:\windows\system32\drivers\etc\hosts
Posting the contents of that file will also be useful.
Post 180/1311
Posted on 05-04-08 05:14:28 PM (last edited by Acmlm at 05-04-08 02:18 PM)
Hiryuu
While you're at it with IE, try running this.
See if that picks up anything.
I'd also wonder if maybe something in the Management/Services section is screwing with it as a process that's always running... but looking at that list, I don't see anything that's suspicious for RUNNING processes.
— Anya —
Posted on 05-04-08 11:04:35 PM (last edited by Anya at 05-04-08 08:08 PM)
Dammit... I lost the whole damn post!!! And it was long too. FUSK!
Okay, so I am running the scan that TJ posted about. I'll check and delete the files that Acmlm mentioned once the scan is over... which should be in about 3 hours.
I checked out the folder that Alex posted and I couldn't get the hosts file to open, so I took a screenshot of the folder, which is Here. Sorry for the size of the screenshot... I didn't think I would even be able to get it online to show in the first place.
Oh, you gotta be shitting me... while running the scan, I tried my luck and I was able to log into Gmail and check my mail... still, if there's crap on my computer, I want it off.
— Anya —
Posted on 05-05-08 01:41:28 AM (last edited by Anya at 05-04-08 11:06 PM)
Okay, after running the scan (twice) I get a blue screen error message. Something about dumping memory... I should have taken a screenshot of it, but I forgot to do so after I restarted the computer.
So I am NOT using that scan again....
I can't get into this thread with Firefox (again) and I'm not even sure I can post with IE (password, I don't think I know it... and since I am posting, I guess I was able to remember it).
Well, I opened the file and this is what I got... it's long... very long.
I went ahead and saved it, link is HERE. Hopefully that's it.
Post 182/1311
Ok, that just seems to be Spybot adding a very long list of bad sites as 127.0.0.1 (to block access to them), so no problem there ...
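Xkeeper suggested checking the HOSTS file, and Acmlm's reading of it (a long Spybot-style block list mapping bad sites to 127.0.0.1) is a distinction that can be checked mechanically. The script below is an added example, not code from the thread: it parses hosts-file text and separates block-list entries from loopback entries for sites you actually use (which produce exactly the blank page Anya describes) and from entries that point a site at some other address. The sample hosts content, the .test domains and the set of sites are constructed.

```python
import ipaddress

# Constructed sample in the format of C:\WINDOWS\system32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1   www.example-adserver.test
127.0.0.1   tracker.example.test
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1   www.myspace.com
0.0.0.0     mail.google.com
192.0.2.10  www.gmail.com
"""

# Sites the user is actually trying to reach (constructed for the example).
SITES_I_USE = {"www.myspace.com", "mail.google.com", "www.gmail.com", "gmail.com"}

# Addresses a block list uses to make a name resolve to "nowhere".
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blank lines and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not an address in the first column; skip rather than crash
        for host in fields[1:]:
            yield ip, host.lower()

def classify(text, sites_i_use):
    """Split entries into block-list names, sites I use sent to loopback, and redirects elsewhere."""
    result = {"blocked_other": [], "blocked_mine": [], "redirected": []}
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue  # the one loopback entry every hosts file legitimately has
        if ip in LOOPBACK:
            key = "blocked_mine" if host in sites_i_use else "blocked_other"
        else:
            key = "redirected"  # a real address: the browser goes somewhere else entirely
        result[key].append((ip, host))
    return result

if __name__ == "__main__":
    for bucket, entries in classify(SAMPLE_HOSTS, SITES_I_USE).items():
        print(f"{bucket} ({len(entries)}): {entries}")
```

Entries in "blocked_mine" explain a site that just never loads; anything in "redirected" deserves attention regardless of which site it names, since a hosts file has no business pointing a public name at a specific address.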
— Anya —
Posted on 05-05-08 02:22:47 AM (last edited by Anya at 05-04-08 11:25 PM)
I trashed Spybot a few days ago.
And I looked for:
O2 - BHO: (no name) - {8A64AC16-CB95-49F6-B1C5-BB9FA6B8A140} - C:\WINDOWS\system32\yayyVPJa.dll (file missing)
O2 - BHO: {16642d11-fc8e-f95a-8b54-c36c5539182b} - {b2819355-c63c-45b8-a59f-e8cf11d24661} - C:\WINDOWS\system32\wydxxgpw.dll
O2 - BHO: (no name) - {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} - C:\WINDOWS\system32\tuvVpMGv.dll (file missing)
O2 - BHO: (no name) - {E302CE48-FB17-4572-8861-6A23BE9A5C8D} - C:\WINDOWS\system32\tuvSkIBT.dll (file missing)
O4 - HKLM\..\Run: [d4644990] rundll32.exe "C:\WINDOWS\system32\xbcirpiq.dll",b
O4 - HKLM\..\Run: [BMd7577a0c] Rundll32.exe "C:\WINDOWS\system32\uboeoewc.dll",s
O20 - Winlogon Notify: tuvVpMGv - tuvVpMGv.dll (file missing)
And I only found uboeoewc.dll. It is getting late and I'm a bit PO'ed about this whole ordeal, so maybe I'll have better luck tomorrow. (If I have time, that is.)
And now I can check my e-mail again with Firefox. My computer is a dumb ass. Must take after the comps at work.
Erika
Those randomly named DLLs in system32 sound a lot like a Virtumonde virus to me... Spybot and Ad-Aware should be able to remove most of them, as should a quick fix in HJT. AVG or Pandascan can also sometimes remove them. If all else fails, use a heavy-duty cleaner like VundoFix (likely will not work if you have the rootkit version) or ComboFix (finds the rootkit version as well as any other nasties you might not even know or think you have; HIGHLY recommended on a lot of tech forums).
I would personally suggest either Spybot or ComboFix, since Spybot gets things Ad-Aware sometimes does not and ComboFix is guaranteed to get rid of most nasty things generally. Just make sure you are careful with it. It recommends having the Windows Recovery Console installed, but if you make a restore point and know what you're doing... you shouldn't even need that.