HELP! Hijack logs 213.159.117.134

Discussion in 'Malware Help (A Specialist Will Reply)' started by skizsam, Feb 26, 2005.

  1. skizsam

    skizsam Private E-2

    My computer is constantly rebooting. My webpage is being redirected to 213.159.117.134. I ran spyware and it sees the spyware, removes it and it is still there after I run another scan. So here are my logs from HijackThis. What's next! I need lots of help!
     

    Attached Files:

    • LOG.txt (File size: 4.5 KB, Views: 5)
    Last edited by a moderator: Feb 26, 2005
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    Please download DelDomains and unzip it to your desktop.

    Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

    Second:

    Please download HOSTER and open it, select Restore Original Hosts > Press OK and then exit program.


    After you complete these two tasks, and complete the steps in the sticky, post a new HJT log.
     
  4. skizsam

    skizsam Private E-2

    Did all the stuff in the sticky, ran those programs you previously suggested. Here are my new logs.
     

    Attached Files:

    Last edited by a moderator: Feb 26, 2005
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please attach all logs as attachments to your post!

    Allow me a moment to analyze your log.
     
  6. skizsam

    skizsam Private E-2

    Sorry man, I'm a newbie in this forum (not a good excuse)... and been working on this all day so I am quick to post (not another good excuse)... Will attach next time. Thanks for your help!
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:


    hostdll.exe



    Do another scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = NOT USED (OK)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.boston.com/'

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = NOT USED (OK)

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*

    O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll

    O2 - BHO: (no name) - {52B78FB4-C637-462F-8F7C-BD08C1139E03} - C:\WINDOWS\System32\dhmo.dll (file missing)

    O4 - HKLM\..\Run: [hostdll.exe] C:\WINDOWS\hostdll.exe


    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


    C:\WINDOWS\hostdll.exe

    C:\WINDOWS\cerbmod.dll

    C:\WINDOWS\System32\dhmo.dll


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates".


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
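
An added example, not part of the original post or of any tool named in it: a small Python triage pass over HijackThis-style lines like those in the fix list above. The three heuristics (browser page set to a raw IP, BHO or Run entry loading a binary straight from the C:\WINDOWS root, BHO whose file is missing) and the ExampleTray entry are assumptions for illustration; anything it flags still needs human review.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Lines adapted from the fix list above; the ExampleTray entry is constructed.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.boston.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {52B78FB4-C637-462F-8F7C-BD08C1139E03} - C:\WINDOWS\System32\dhmo.dll (file missing)
O4 - HKLM\..\Run: [hostdll.exe] C:\WINDOWS\hostdll.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")
# Binary sitting directly in the Windows root rather than a vendor folder.
WIN_ROOT = re.compile(r"(?i)^c:\\windows\\[^\\]+\.(exe|dll)$")

def is_raw_ip_url(value):
    """True when the URL's host is an IP literal instead of a domain name."""
    host = urlparse(value.strip()).hostname
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False

def triage(log_text):
    """Return (code, reason, detail) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        if code in ("R0", "R1") and " = " in body:
            value = body.split(" = ", 1)[1]
            if is_raw_ip_url(value):
                findings.append((code, "browser page points at a raw IP", value))
        elif code == "O2":
            path = body.rsplit(" - ", 1)[-1]
            if path.endswith("(file missing)"):
                findings.append((code, "BHO registered but file missing", path))
            elif WIN_ROOT.match(path):
                findings.append((code, "BHO loaded from Windows root", path))
        elif code == "O4" and "] " in body:
            path = body.split("] ", 1)[1]
            if WIN_ROOT.match(path):
                findings.append((code, "autorun binary in Windows root", path))
    return findings
```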
     
  8. PhilliePhan

    PhilliePhan Guest

    In addition to what BJ has given you, please download this tool: HSFix.zip Tool

    Please Extract the files from the ZIP to your Desktop.

    THEN:
    Please boot to Safe Mode and DoubleClick hsfix.bat to run the tool.

    Allow it as long as it takes to run, then Reboot to Normal Windows and look for a log at C:/hslog.txt . Please attach that log + a fresh HijackThis log.

    PP :)
     
  9. skizsam

    skizsam Private E-2

    Ok here are my updated logs (looks good!):

    I did everything that BJ said and PhilliePhan. Here are my logs. It seems like everything is working now (knocking on wood)!!! I can now reset my home page. The other problem was that my computer was constantly rebooting right as Windows finished loading up. Looks like I am all set for now, thanks guys!
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    HJT log is clean, however there appears to be some infections. Let's take things one at a time.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    Note: These most likely will be located in the SYSTEM or SYSTEM32 directory, if found delete!


    DSManager.dll <-- Search for this file and delete it if found!

    klogini.dll <-- Search for this file and delete it if found!

    p2.ini <-- Search for this file and delete it if found!

    ps.a3d <-- Search for this file and delete it if found!

    vdnt32.sys <-- Search for this file and delete it if found!

    klo5.sys <-- Search for this file and delete it if found!

    draw32.dll <-- Search for this file and delete it if found!

    memlow.sys <-- Search for this file and delete it if found!

    wd.sys <-- Search for this file and delete it if found!

    vtd_16.exe <-- Search for this file and delete it if found!

    w32tm.exe <-- Search for this file and delete it if found!


    Reboot to Normal Windows and post a new log from HSFix and HJT to confirm you're clean.
     
  11. skizsam

    skizsam Private E-2

    New logs.....

    How does this look?
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Re: New logs.....

    HSFix log is clean, however was the HJT log run in Safe Mode?
     
  13. skizsam

    skizsam Private E-2

    Re: New logs.....

    Yes it was. Here is the log run in normal Windows (HJT).
     

    Attached Files:

    Last edited: Feb 27, 2005
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

