Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: bobbydee on March 14, 2008, 07:48:36 PM

Title: HijackThis Log: Please help diagnose
Post by: bobbydee on March 14, 2008, 07:48:36 PM
Hope this is it.
Title: Re: HijackThis Log: Please help diagnose
Post by: oldman on March 15, 2008, 12:21:28 AM
You have some major infections.

Start with this.

Download this program to your desktop so you can find it if needed.

LSP-Fix Download Link (http://www.bleepingcomputer.com/files/lspfix.php)

Click on start, then settings and then control panel.

Double-click on the Add/Remove Programs icon.

Look through the installed programs for a program called New.Net or NewDotNet, and uninstall it.


If there is no uninstall program listed then do the following:
Go to www.newdotnet.com/removal.html
Scroll down to Procedure 4 and follow the removal instructions

Reboot.

Open HJT, run a system scan only, check mark these lines if present

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup

Close all other browsers/windows, click fix, close HJT.

NOTE: Do not fix any O10 lines. Please return to the forum and ask for help.

Reboot.

If you cannot connect to the internet, run the LSP-Fix program you downloaded earlier and click on the Finish button. Reboot and you should be able to get back on.




Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install.  The SDFix Folder will be extracted to %systemdrive% \ (Drive that contains the Windows directory - typically 'C:\SDFix') Open the SDFix folder in Safe Mode then double click the RunThis.bat file to start the fixtool.  Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.  Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally, open the SDFix folder on your desktop and post the results file Report.txt in your next reply along with a new HijackThis log.
Title: Re: HijackThis Log: Please help diagnose
Post by: bobbydee on March 16, 2008, 08:19:22 PM
File Report.Txt
Title: Re: HijackThis Log: Please help diagnose
Post by: oldman on March 16, 2008, 08:31:44 PM
I need a new HJT log

Some of it's gone.  :)

Thanks
Title: Re: HijackThis Log: Please help diagnose
Post by: bobbydee on March 16, 2008, 08:53:12 PM
HJT Log
Title: Re: HijackThis Log: Please help diagnose
Post by: oldman on March 16, 2008, 09:23:01 PM
Progress. We'll thin some of this out and see what's left.

Go to Add/Remove Programs and uninstall these programs if present:

webHancer
EbatesMoeMoneyMaker


Open HJT, run a system scan only, check mark these lines if present

R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll (file missing)
O2 - BHO: biObj Class - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll (file missing)
O2 - BHO: (no name) - {39AF31DD-EAFC-45EA-A56C-385B52E25CC0} - (no file)
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - "C:\WINDOWS\System32\smiehlp.dll (file missing)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] wjview /cp:p "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O9 - Extra button: Ebates - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC} - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm (file missing) (HKCU


Close all other browsers/windows, click fix, close HJT.

Tell me about these. They are desktop components. They might be images/pictures.

Code:
O24 - Desktop Component 0: (no name) - http://online.comcast.net/images/headerBkg.gif
O24 - Desktop Component 1: (no name) - http://a.sc.msn.com/3H/]4B2,]W{U[5UV-93_}+P3K.gif
O24 - Desktop Component 2: (no name) - http://www.comcast.net/images/headerBkgHome.jpg
O24 - Desktop Component 3: (no name) - http://ar.atwola.com/content/B0/0/H7pTL2Luf0_kw3xmlj8W1sns8a9RRNke8_SAqLzKBa609jmULHVa8jgFKtiL69KXipvyB0VioSQms4jAsPUrDsHr6P51JmcDxLm10XfuR4M$/aol
O24 - Desktop Component 4: (no name) - http://www.scottrade.com/images/swap/personhome10.jpg
O24 - Desktop Component 5: (no name) - http://ar.atwola.com/content/B0/0/H7pTL2Luf0_kw3xmlj8W1sns8a9RRNke8_SAqLzKBa609jmULHVa8jgFKtiL69KXw9Izqq7cD1MUykrTGpaSaHInWABV0uDCe6UbwKw5ZHU$/aol



Please go to the Logitech web site and download and install the newest version of their Desktop Messenger client. Yours is several years old and the newer one does not corrupt the registry as the one currently used is doing. That will clean up the O18 lines.
http://www.logitech.com/index.cfm/494/3041&cl=us,en?osid=1&file=

It can probably be uninstalled as it is an update notification. The info on what it does is on the page along with the download link.


Then, in normal Windows:


Open the extracted SDFix folder and double click RunThis.bat to start the script again.

Type A to create a System Report.

Please be patient as this scan may take some time
When the scan is done a notepad will open with the report.
Attach SystemReport.txt to your next reply. You can find the report at this location: C:\SDFix\SystemReport.txt along with a new HJT log.

Thanks
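
The entries oldman keeps asking bobbydee to "check mark" follow a fixed pattern, and it helps to see what the helper is looking at: the section prefix (O2 BHO, O4 Run key, O22 SharedTaskScheduler, O24 desktop component), a CLSID where there is one, the target path or URL, and HijackThis's own "(file missing)" / "(no file)" marker that says the loader entry has outlived its file. The following Python script is an added example, not part of the thread and not HijackThis code; it parses a handful of log lines of the kinds quoted above (the HKCU line uses a placeholder profile name, not a real one) and sorts them into orphaned entries, autostart entries (with a flag for targets under a user-writable profile directory, an assumed heuristic), and desktop components reduced to their host.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: HijackThis lines of the kinds quoted in this thread.
# The HKCU entry uses a placeholder profile name ("user"), not a real one.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O2 - BHO: biObj Class - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll (file missing)
O2 - BHO: (no name) - {39AF31DD-EAFC-45EA-A56C-385B52E25CC0} - (no file)
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O24 - Desktop Component 0: (no name) - http://online.comcast.net/images/headerBkg.gif
O22 - SharedTaskScheduler: Component Categories cache daemon preloader - {6B4F2BE7-D4C4-43CE-A7DD-8F1DB92BA570} - C:\WINDOWS\system32\browseuidw.dll
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\user\Application Data\rncr.exe
"""

# "O4 - HKLM\..\Run: [...]"  ->  section "O4", body "HKLM\..\Run: [...]"
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2})\s+-\s+(?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)
# HijackThis itself marks entries whose target no longer exists on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")
# Assumed heuristic: locations a standard user can write to.  Legitimate
# software normally lives under Program Files or System32.
USER_PROFILE_RE = re.compile(r"documents and settings|application data|\\users\\", re.I)
# Sections that load code automatically: BHOs, toolbars, Run keys,
# Winlogon / SSODL / SharedTaskScheduler hooks, services.
AUTOSTART_SECTIONS = {"O2", "O3", "O4", "O20", "O21", "O22", "O23"}


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str]
    host: Optional[str]
    orphan: bool
    in_user_profile: bool


def parse_hjt(text: str) -> List[Entry]:
    """Turn HijackThis log text into Entry records, skipping non-entry lines."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        url = URL_RE.search(body)
        entries.append(Entry(
            section=m.group("section"),
            body=body,
            clsid=clsid.group(0).upper() if clsid else None,
            host=url.group(1).lower() if url else None,
            orphan=any(marker in body for marker in ORPHAN_MARKERS),
            in_user_profile=bool(USER_PROFILE_RE.search(body)),
        ))
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Group entries the way a helper reads a log: dead loader entries are
    safe to fix, live autostart entries need a look, O24 lines are only URLs."""
    report = {"orphaned": [], "autostart": [], "desktop_components": []}
    for e in entries:
        if e.orphan:
            report["orphaned"].append(e)
        elif e.section in AUTOSTART_SECTIONS:
            report["autostart"].append(e)
        elif e.section == "O24":
            report["desktop_components"].append(e)
    return report


if __name__ == "__main__":
    for group, items in triage(parse_hjt(SAMPLE_LOG)).items():
        print(f"== {group} ==")
        for e in items:
            flag = " [user-profile path]" if e.in_user_profile else ""
            print(f"{e.section:<4} {e.clsid or e.host or '-'}{flag}")
```

The grouping mirrors the thread: orphaned BHO and button entries are fixed without hesitation, O24 lines are checked by looking at where they point, and the one Run entry under Application Data is exactly the kind oldman later hands to ComboFix.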

Title: Re: HijackThis Log: Please help diagnose
Post by: bobbydee on March 16, 2008, 11:01:20 PM
Removed webHancer
Unable to remove EbatesMoe Money Maker

Jumping ahead (did not do HJT system scan- waiting first for your answer about Ebates)
O24 0 Comcast Header - No Text (no longer use Comcast as a provider)
O24 1 Denied Directory listing
O24 2 Comcast Header - No Text
O24 3 CNN Money Header - No Text
O24 4 Scottrade Header - 404 Error Page Not Found
O24 5 CNN Newsnight - Header
I guess I could also use the word Banner instead of Header
Title: Re: HijackThis Log: Please help diagnose
Post by: oldman on March 16, 2008, 11:38:14 PM
Leave Moemoney for now, just fix the other lines and any of the O24 lines you don't want. Then continue on. I'll look for a method of removing Moemoney.
Title: Re: HijackThis Log: Please help diagnose
Post by: bobbydee on March 17, 2008, 01:17:31 AM
System Report
Title: Re: HijackThis Log: Please help diagnose
Post by: oldman on March 17, 2008, 05:14:48 AM
We'll try to get rid of moe money in safe mode.


* Please download OTMoveIt2 by OldTimer. (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe)

Save it to your desktop. Again do not run it yet, we'll use it later.


* Open HJT, run a system scan only, check mark these lines if present

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=15013268572106
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] wjview /cp:p "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"
O9 - Extra button: Ebates - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC} - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm (file missing) (HKCU
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O9 - Extra button: Ebates - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC} - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm (file missing) (HKCU)
 


Close all other browsers/windows, click fix, close HJT.


* Boot into safe mode, go to add/remove programs and uninstall the following



My Search Bar
Search Assistant - My Search
Ebates Moe Money Maker




* Boot back into normal windows.



* Please double-click OTMoveIt2.exe to run it.
 

Please note the location of the boxes where the copy/paste is to be done

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\Program Files\PurityScan
C:\Program Files\NewDotNet



Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.


Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


purity 



Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.


Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")


* Please download ComboFix from Here (http://subs.geekstogo.com/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
-----------------------------------------------------------
-----------------------------------------------------------
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

I will require:
OTMOVEIT2 results
combofix log
HJT log

Thanks

Title: Re: HijackThis Log: Please help diagnose
Post by: bobbydee on March 17, 2008, 11:25:04 PM
Good afternoon. I'm not too sure I can get through all of this. To begin with, I downloaded OTMoveIt2 and all I got was mixed-up letters and symbols. It said something about the program having to be run under Win32.
Also, I only have Avast anti virus 4.7 home edition. If I stop avast on-line protection, will that also disable script blocking?
Do all of your instructions in your last post have to be done all at the same time, or can I stop at an appropriate point? I'm not trying to be difficult, but I'm by no means a computer whiz. Thanks
Title: Re: HijackThis Log: Please help diagnose
Post by: oldman on March 18, 2008, 01:48:18 AM
Do the HJT fix and the uninstalls. Skip OTMOVEIT2 for now. Run combofix.

Just stop avast's Standard Shield (the script blocker is available only if you have the Pro version), and restart it after combofix has given you the log.


Just do them in order, you're probably looking at 30 min or less.
Title: Re: HijackThis Log: Please help diagnose
Post by: bobbydee on March 18, 2008, 02:55:58 PM
On the HJT report:
O4 - HKLM Run Ebates - Not shown
O9 - Extra button: Ebates - Not shown
However, O8 - Extra context-menu item - Ebates, etc. was shown, if this means anything.
Also, I could not remove:
My Search Bar
Search Assistant-My search
Ebates Moe Money Maker
Title: Re: HijackThis Log: Please help diagnose
Post by: bobbydee on March 18, 2008, 02:58:49 PM
Combofix Log
Title: Re: HijackThis Log: Please help diagnose
Post by: oldman on March 19, 2008, 07:47:48 AM
Starting to shape up. You can delete OTMOVEIT2, that error usually indicates a corrupted download.

Combofix got myweb for you along with some other stuff.

Open HJT, run a system scan only, check mark these lines if present

O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\Robert Dombroski\Application Data\rncr.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O8 - Extra context menu item: Ebates - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm
O9 - Extra button: Acez.com - Download Free Screen Savers - {88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6} - C:\WINDOWS\acezlink.htm
O22 - SharedTaskScheduler: Component Categories cache daemon preloader - {6B4F2BE7-D4C4-43CE-A7DD-8F1DB92BA570} - C:\WINDOWS\system32\browseuidw.dll


Close all other browsers/windows, click fix, close HJT.



Please follow all previous instructions regarding security programs.


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
File::
C:\Documents and Settings\Robert Dombroski\Application Data\rncr.exe
C:\WINDOWS\System32\NDrv.exe
C:\WINDOWS\acezlink.htm


This will start ComboFix again. Close all browsers/windows first. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



Please submit these files for analysis

To submit a file to VirusTotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\info.exe

scroll down a bit and click "send file", wait for the results and post them in your next reply.


I need to see the contents of a file, so I will get you to create a batch file.


Open a new notepad and copy and paste the following into it


copy C:\system.bat look.txt
start look.txt



Click File, Save as. Save it to your desktop, and enter (including quotation marks) as the filename: "get.bat", then click OK. You should have a file on your desktop with the icon shown at the bottom of this post.

Double click it, a notepad will appear. Save it to your desktop. Do not post it. When we are online at the same time, I will unhide my email address and you can send it to me. Either that or after you make 7 more posts. I can PM you my address.

Combofix log, HJT log, and the virustotal results please.

Thanks
Title: Re: HijackThis Log: Please help diagnose
Post by: bobbydee on March 20, 2008, 12:12:50 AM
Have an emergency in the family. Please bear with me, and thank you for all that you have done to date.
Title: Re: HijackThis Log: Please help diagnose
Post by: oldman on March 20, 2008, 12:27:55 AM
No problem. Take care. Let me know when you are back.
Title: Re: HijackThis Log: Please help diagnose
Post by: bobbydee on March 21, 2008, 05:38:34 PM
The result of the Virustotal was 0/32 (0%). 
The body of the site listed 32 Antivirus Programs.
Requested logs attached.
Title: Re: HijackThis Log: Please help diagnose
Post by: oldman on March 21, 2008, 07:27:37 PM
Hi. We'll clean up the tools you used so far and run this scan tool, Malwarebytes' Anti-Malware. I also included removal instructions for Viewpoint and a link with a little info about it. It's not spyware or adware but foistware. That is, it will install without you knowing it. Your choice.

I'm still interested in that file, so as soon as we are online at the same time, I'll get my address to you.

* Click start button, run, then copy and paste the following line into the box and click ok.

ComboFix /u

* Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)

Double click OTCleanIt, click the Clean Up button.

You may get prompted by your firewall that OTCleanit/OTMoveIt wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.



* Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point , click create

* Remove old restore points

- Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.
 


Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double-click mbam-setup.exe to install the application.
Extra note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Viewpoint, your choice.

http://www.pchell.com/support/viewpoint.shtml

1) Right-click on the clock in your taskbar and choose Task Manager
2) Click on the Processes tab and search for VIEWMGR.EXE, if its found, click on it and then click End Task to close it
3) Click on Start, Control Panel, Add/Remove Programs
4) Uninstall any of the following programs associated with Viewpoint

Viewpoint Manager
Viewpoint Media Player
Viewpoint Toolbar
 
5) Close the Add/Remove Programs and Control Panel
6) Restart your computer

Warning: If you install AOL © Instant Messenger, Adobe Atmosphere plugin, or another program that requires Viewpoint, it will download and install again.

Just the Malwarebytes' log for now.

Thanks
Title: Re: HijackThis Log: Please help diagnose
Post by: bobbydee on March 21, 2008, 10:30:45 PM
I had been getting a siren and virus warning about 3-4 times an hour for the past week or so. But now I have not received a warning for the past 6 1/2 hrs.
Do I still go through your last instructions or am I home free?
Title: Re: HijackThis Log: Please help diagnose
Post by: oldman on March 21, 2008, 10:53:23 PM
Do the instructions. I like to remove the tools and old restore points first as they will be needlessly detected.

So do the clean up and system restore, then run Malwarebytes. It's always good to have a second opinion, plus you had a whole variety of infections.
Title: Re: HijackThis Log: Please help diagnose
Post by: bobbydee on March 22, 2008, 06:22:00 PM
Also went into Viewpoint (your choice) and cleaned that up.
Title: Re: HijackThis Log: Please help diagnose
Post by: oldman on March 22, 2008, 06:32:07 PM
Hi bobbydee, if you are quick you can get my address. Let me know when you've got it. You've got 10 min.  8)
Title: Re: HijackThis Log: Please help diagnose
Post by: oldman on March 22, 2008, 06:41:54 PM
Nothing serious found there, just a little stray adware. Let's finish the clean up. Don't forget the batch file please. Let me know how things are.

Since some reg keys were removed we'll start with System Restore again. It won't take long this time.

* Uninstall Malwarebytes

* Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point , click create

* Remove old restore points

- Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.


* Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to "Java Runtime Environment (JRE) 6 Update 5...allows end-users to run Java applications".

Click the download button on the right.

 > If the Information Bar pops up, right-click on it and say it's OK to display the blocked content.

 You do not have to install the Java Web Start ActiveX Control


Accept the license agreement > Click on Windows (XP,Vista, .etc) Offline Installation, Multi-language and Save the file jre-6u5-windows-i586-p.exe to your desktop; do not Run it. Do not install it yet.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure  and reboot if not prompted to do so.


* Clear the java cache

http://www.java.com/en/download/help/5000020300.xml

* Download and run this clean up utility. You can use it regularly. When it's first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp by Steven Gould

http://www.stevengould.org/downloads/cleanup/


* If you are using windows firewall, please note that it doesn't provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

or

http://forum.avast.com/index.php?topic=33530.0


* Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/)
Title: Re: HijackThis Log: Please help diagnose
Post by: bobbydee on March 23, 2008, 05:51:14 PM
Hi oldman and HAPPY EASTER
I will be busy today, however, when I go into My Computer, I show
C:\Program Files\Java Soft with a subfolder JRE. Don't have JavaVM. Do I delete the sub folder and leave Java Soft?
Also, I have no spyware program installed. Thinking of getting Spy Sweeper and Zone Alarm Firewall (free version) and uninstalling Windows Firewall. Choices OK? My question is: do I download these programs now or wait until we are finished? Have a great day.
Title: Re: HijackThis Log: Please help diagnose
Post by: oldman on March 23, 2008, 06:44:29 PM
Happy Easter to you too. Just remove the subfolder. I believe Java Soft was the original name for the java folder.

I don't know much about Spy Sweeper, but if you do decide to use it, make sure you use the version without the antivirus or a conflict will occur. You should also get a non-resident antispyware program. This is probably the best one at the moment. Get the free version.

These are the settings I use and a link

Download  superantispyware (http://www.superantispyware.com/)

First update SAS Then boot into safe mode and set SAS up like this.

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked
- CHECK ALL BOXES


Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.(and other fixed drives)
Under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan.

When the scan is done, quarantine everything found.

Give ZA a try, lots use it and seem to like it. It isn't very configurable though. You don't have to uninstall windows firewall, just turn it off.
Title: Re: HijackThis Log: Please help diagnose
Post by: bobbydee on March 24, 2008, 07:35:56 PM
Can't find "Java Runtime Environment" (JRE) 6 update 5 in
http://java.sun.com/javase/downloads/index.jsp
Were you saying to use superantispyware with another anti spyware program or as a stand alone?
Title: Re: HijackThis Log: Please help diagnose
Post by: DavidR on March 24, 2008, 07:47:58 PM
Alternate, for JRE version 6 update 5 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html (http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html).
Title: Re: HijackThis Log: Please help diagnose
Post by: oldman on March 25, 2008, 01:13:57 AM
re java download, it's the 4th one in the list. The link DavidR gave you will do the trick also.  8)

Use 2 antispyware programs. One resident(real time scanning) and one on demand. I suggest SAS as the on demand because the free version isn't resident, but it is a very good scanner.
Title: Re: HijackThis Log: Please help diagnose
Post by: bobbydee on March 25, 2008, 08:18:34 PM
Yes, I can readily see that the Java download is 4th on the list; however, when I first clicked the java.sun.com.... link earlier, for some reason or another, it took me to a different Java page and that is why I said that I couldn't find the download. Well anyway, I got through your instructions as best as I could.
On the steven gould link, it shows an index of download/ cleaning, parent directory with a list of clean-up files. How do I use this site?
The Secunia is a neat site that revealed some issues that I have to address.
Title: Re: HijackThis Log: Please help diagnose
Post by: oldman on March 26, 2008, 12:53:55 AM
452 is the newest, 451 comes in either zipped or unzipped. They both do the same.

I PMed you my address, if you could mail me that file I had you make, I'll have a look and see what it's all about.
Title: Re: HijackThis Log: Please help diagnose
Post by: oldman on March 28, 2008, 07:50:18 AM
Hi bobbydee

Everything going ok?

You have a couple of files to delete.

C:\system.bat
C:\info.exe


Then empty your recycle bin.
Title: Re: HijackThis Log: Please help diagnose
Post by: bobbydee on March 28, 2008, 06:53:22 PM
System Report Txt
Title: Re: HijackThis Log: Please help diagnose
Post by: oldman on March 29, 2008, 07:12:50 AM
Hi, thanks, that's an old one. Thanks for continuing this in the forum; others may benefit from what we find. I just didn't want the contents of system.bat posted in case they were really malicious.

You can delete get.bat, the look.txt it created on your desktop, and any logs or other notepads that were created during the cleaning of your computer. I forgot to mention that earlier.

We'll use a tool to get those files.

Please download OTMoveIt2 by OldTimer. (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe)

Save it to your desktop.

Please double-click OTMoveIt2.exe to run it.


Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\system.bat
C:\info.exe



Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.



Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")





Title: Re: HijackThis Log: Please help diagnose
Post by: bobbydee on March 29, 2008, 06:29:00 PM
C:\system.bat moved successfully.
C:\info.exe moved successfully.

BTW Spybot is constantly giving me a message that reads:
Category: Sessions Manager
Change: Value Changed
 
Entry: Boot Execute

Old data: autocheck autochk *\aswBoot.exe\A:"*"/L:
New data: autocheck autochk \*

Allow change                             Deny change

Anyone know anything about this?

Title: Re: HijackThis Log: Please help diagnose
Post by: DavidR on March 29, 2008, 06:40:48 PM
If you schedule a boot-time scan (or after you install avast) then aswboot.exe should run; after the first run, that value, I assume, would change so that it doesn't run on every boot but only once after you select it?

However, I have never seen this stuff about Session Manager from Spybot S&D when I used it, but I also didn't run the resident element of it when I did have it.

Title: Re: HijackThis Log: Please help diagnose
Post by: oldman on March 29, 2008, 06:52:36 PM
Good the files are gone.

Open OTMoveIt2, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

Spybot. Like DavidR, I never used the resident. I wonder if it is monitoring the registry and is seeing the boot-scan setting being changed?
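
The value Spybot is watching is HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute, a REG_MULTI_SZ whose programs smss.exe runs at boot before Winlogon, which is why avast's boot-time scanner (aswBoot.exe) registers itself there and why a resident monitor raises an alert when the list changes. DavidR's reading is the useful one: the entry going away after the scan has run is expected, while a new program appearing is what deserves a look. The Python below is an added example, not from the thread or from avast or Spybot; it classifies a BootExecute list against the stock "autocheck autochk *" entry and a small allow-list, diffs an old and a new value, and only reads the live key when run on Windows. The aswBoot.exe argument string and the "unknown.exe" entry are constructed placeholders, not real values.

```python
import ntpath
import re
from typing import Dict, Iterable, List

# The one entry every Windows install carries: run autochk (boot-time
# chkdsk) on any volume marked dirty.  Anything else in BootExecute is a
# native-mode program some product added, and it runs before most of the OS.
STOCK_AUTOCHK = re.compile(r"^autocheck\s+autochk\s+\*$", re.I)

# Programs you expect to see besides autochk.  avast's boot-time scanner is
# the one this thread involves; extend the set for your own environment.
KNOWN_NATIVE_APPS = {"aswboot.exe"}

# Constructed sample values, written as the list of strings a REG_MULTI_SZ
# holds.  The aswBoot.exe arguments are an assumption modelled on the Spybot
# message above, and "unknown.exe" is a placeholder, not a real file.
OLD_VALUE = ["autocheck autochk *", 'aswBoot.exe /A:"*" /L:']
NEW_VALUE = ["autocheck autochk *"]
TAMPERED_VALUE = ["autocheck autochk *", r"C:\WINDOWS\system32\unknown.exe /x"]


def image_name(entry: str) -> str:
    """First token of a BootExecute entry, reduced to its lower-case file name."""
    return ntpath.basename(entry.split()[0]).lower()


def classify_boot_execute(values: Iterable[str], known=KNOWN_NATIVE_APPS) -> Dict[str, List[str]]:
    """Split a BootExecute list into the stock autochk entry, allow-listed
    programs and anything unexpected."""
    out: Dict[str, List[str]] = {"stock": [], "known": [], "unexpected": []}
    for v in values:
        v = v.strip()
        if not v:
            continue
        if STOCK_AUTOCHK.match(v):
            out["stock"].append(v)
        elif image_name(v) in known:
            out["known"].append(v)
        else:
            out["unexpected"].append(v)
    return out


def diff_boot_execute(old: List[str], new: List[str]) -> Dict[str, List[str]]:
    """Entries added to and removed from the list, order preserved."""
    old_set, new_set = set(old), set(new)
    return {"added": [v for v in new if v not in old_set],
            "removed": [v for v in old if v not in new_set]}


def assess_change(old: List[str], new: List[str]) -> str:
    """Verdict for a change alert like Spybot's: a known scanner removing
    itself after it ran is benign; an unexpected new entry needs attention."""
    d = diff_boot_execute(old, new)
    if classify_boot_execute(d["added"])["unexpected"]:
        return "investigate"
    if d["added"] or d["removed"]:
        return "benign"
    return "no change"


def read_boot_execute() -> List[str]:
    """Read the live value on Windows; returns [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    key = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        value, kind = winreg.QueryValueEx(k, "BootExecute")
    return list(value) if kind == winreg.REG_MULTI_SZ else [str(value)]


if __name__ == "__main__":
    live = read_boot_execute() or NEW_VALUE
    print("live or sample value:", classify_boot_execute(live))
    print("avast entry removed after scan:", assess_change(OLD_VALUE, NEW_VALUE))
    print("unknown program added:", assess_change(NEW_VALUE, TAMPERED_VALUE))
```

The allow-list is deliberately by image name only; if you want a stronger check on a real machine, look the file up under %SystemRoot%\System32 and verify its signature before accepting it as known.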
Title: Re: HijackThis Log: Please help diagnose
Post by: bobbydee on March 31, 2008, 02:48:22 PM
Thanks oldman for all your help and patience in resolving my problems. It's nice to know that there are people like you, and others, who are so willing to help those of us who are far less computer savvy. Take care.
Title: Re: HijackThis Log: Please help diagnose
Post by: oldman on April 01, 2008, 07:48:33 AM
You're welcome bobbydee, we all learn as we go.