Author Topic: HijackThis Log: Please help diagnose  (Read 14351 times)


Offline bobbydee

  • Jr. Member
  • **
  • Posts: 25
HijackThis Log: Please help diagnose
« on: March 14, 2008, 07:48:36 PM »
Hope this is it.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4143
  • Some days..... MOS...this bug's for you
Re: HijackThis Log: Please help diagnose
« Reply #1 on: March 15, 2008, 12:21:28 AM »
You have some major infections.

Start with this.

Download this program to your desktop so you can find it if needed.

LSP-Fix Download Link

Click on start, then settings and then control panel.

Double-click on the Add/Remove Programs icon.

Look through the installed programs for a program called New.Net or NewDotNet and uninstall it.


If there is no uninstall program listed then do the following:
Go to www.newdotnet.com/removal.html
Scroll down to Procedure 4 and follow the removal instructions

Reboot.

Open HJT, run a system scan only, check mark these lines if present

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup

Close all other browsers/windows, click fix, close HJT.

NOTE: Do not fix any 010 lines. Please return to the forum and ask for help.

Reboot.

If you cannot connect to the internet, run the LSP-Fix program you downloaded earlier and click on the Finish button. Reboot and you should be able to get back on.

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix folder will be extracted to %systemdrive%\ (the drive that contains the Windows directory, typically C:\SDFix). Open the SDFix folder in Safe Mode, then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.

It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot. Press any key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
Finally, open the SDFix folder on your desktop and post the contents of the results file Report.txt in your next reply, along with a new HijackThis log.

bobbydee
Re: HijackThis Log: Please help diagnose
« Reply #2 on: March 16, 2008, 08:19:22 PM »
File Report.Txt

oldman
Re: HijackThis Log: Please help diagnose
« Reply #3 on: March 16, 2008, 08:31:44 PM »
I need a new HJT log

Some of it's gone.  :)

Thanks

bobbydee
Re: HijackThis Log: Please help diagnose
« Reply #4 on: March 16, 2008, 08:53:12 PM »
HJT Log

oldman
Re: HijackThis Log: Please help diagnose
« Reply #5 on: March 16, 2008, 09:23:01 PM »
Progress. We'll thin some of this out and see what's left.

Go to Add/Remove Programs and uninstall these programs if present:

webHancer
EbatesMoeMoneyMaker


Open HJT, run a system scan only, check mark these lines if present

R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll (file missing)
O2 - BHO: biObj Class - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll (file missing)
O2 - BHO: (no name) - {39AF31DD-EAFC-45EA-A56C-385B52E25CC0} - (no file)
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - "C:\WINDOWS\System32\smiehlp.dll (file missing)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] wjview /cp:p "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O9 - Extra button: Ebates - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC} - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm (file missing) (HKCU


Close all other browsers/windows, click fix, close HJT.

Tell me about these. They are desktop components. They might be images/pictures.

Code:
O24 - Desktop Component 0: (no name) - http://online.comcast.net/images/headerBkg.gif
O24 - Desktop Component 1: (no name) - http://a.sc.msn.com/3H/]4B2,]W{U[5UV-93_}+P3K.gif
O24 - Desktop Component 2: (no name) - http://www.comcast.net/images/headerBkgHome.jpg
O24 - Desktop Component 3: (no name) - http://ar.atwola.com/content/B0/0/H7pTL2Luf0_kw3xmlj8W1sns8a9RRNke8_SAqLzKBa609jmULHVa8jgFKtiL69KXipvyB0VioSQms4jAsPUrDsHr6P51JmcDxLm10XfuR4M$/aol
O24 - Desktop Component 4: (no name) - http://www.scottrade.com/images/swap/personhome10.jpg
O24 - Desktop Component 5: (no name) - http://ar.atwola.com/content/B0/0/H7pTL2Luf0_kw3xmlj8W1sns8a9RRNke8_SAqLzKBa609jmULHVa8jgFKtiL69KXw9Izqq7cD1MUykrTGpaSaHInWABV0uDCe6UbwKw5ZHU$/aol



Please go to the Logitech web site and download and install the newest version of their Desktop Messenger client. Yours is several years old, and the newer one does not corrupt the registry as the one currently used is doing. That will clean up the O18 lines.
http://www.logitech.com/index.cfm/494/3041&cl=us,en?osid=1&file=

It can probably be uninstalled as it is an update notification. The info on what it does is on the page along with the download link.


Then, in normal Windows:


Open the extracted SDFix folder and double click RunThis.bat to start the script again.

Type A to create a System Report.

Please be patient as this scan may take some time.
When the scan is done a Notepad window will open with the report.
Attach SystemReport.txt to your next reply, along with a new HJT log. You can find the report at this location: C:\SDFix\SystemReport.txt

Thanks

« Last Edit: March 16, 2008, 10:31:50 PM by oldman »

bobbydee
Re: HijackThis Log: Please help diagnose
« Reply #6 on: March 16, 2008, 11:01:20 PM »
Removed webHancer
Unable to remove EbatesMoe Money Maker

Jumping ahead (did not do HJT system scan; waiting first for your answer about Ebates):
O24 0 Comcast Header - No Text (no longer use Comcast as a provider)
O24 1 Denied Directory listing
O24 2 Comcast Header - No Text
O24 3 CNN Money Header - No Text
O24 4 Scottrade Header - 404 Error Page Not Found
O24 5 CNN Newsnight - Header
I guess I could also use the word Banner instead of Header

oldman
Re: HijackThis Log: Please help diagnose
« Reply #7 on: March 16, 2008, 11:38:14 PM »
Leave Moemoney for now; just fix the other lines and any of the O24 you don't want. Then continue on. I'll look for a method of removing Moemoney.

bobbydee
Re: HijackThis Log: Please help diagnose
« Reply #8 on: March 17, 2008, 01:17:31 AM »
System Report

oldman
Re: HijackThis Log: Please help diagnose
« Reply #9 on: March 17, 2008, 05:14:48 AM »
We'll try to get rid of moe money in safe mode.


* Please download OTMoveIt2 by OldTimer.


Save it to your desktop. Again do not run it yet, we'll use it later.


* Open HJT, run a system scan only, check mark these lines if present

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=15013268572106
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] wjview /cp:p "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"
O9 - Extra button: Ebates - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC} - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm (file missing) (HKCU
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O9 - Extra button: Ebates - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC} - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm (file missing) (HKCU)
 


Close all other browsers/windows, click fix, close HJT.


* Boot into safe mode, go to add/remove programs and uninstall the following



My Search Bar
Search Assistant - My Search
Ebates Moe Money Maker




* Boot back into normal windows.



* Please double-click OTMoveIt2.exe to run it.
 

Please note the location of the boxes where the copy/paste is to be done

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\Program Files\PurityScan
C:\Program Files\NewDotNet



Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.


Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


purity 



Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.


Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")


* Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you. 
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

I will require:
OTMOVEIT2 results
combofix log
HJT log

Thanks

« Last Edit: March 17, 2008, 05:45:26 AM by oldman »

bobbydee
Re: HijackThis Log: Please help diagnose
« Reply #10 on: March 17, 2008, 11:25:04 PM »
Good Afternoon. I'm not too sure I can get through all of this. To begin with, I downloaded OTMoveIt2 and all I got was mixed up letters and symbols. Said something about the program has to be run under Win32.
Also, I only have Avast anti virus 4.7 home edition. If I stop avast on-line protection, will that also disable script blocking?
Do all of your instructions in your last post have to be done all at the same time, or can I stop at an appropriate point? I'm not trying to be difficult, but I'm by no means a computer whiz. Thanks

oldman
Re: HijackThis Log: Please help diagnose
« Reply #11 on: March 18, 2008, 01:48:18 AM »
Do the HJT fix and the uninstalls. Skip OTMoveIt2 for now. Run combofix.

Just stop avast's Standard Shield (script blocker is available only if you have the Pro version); restart it after combofix has given you the log.

Just do them in order, you're probably looking at 30 min or less.

bobbydee
Re: HijackThis Log: Please help diagnose
« Reply #12 on: March 18, 2008, 02:55:58 PM »
On the HJT report:
O4 - HKLM Run Ebates - Not Shown
O9 - Extra button: Ebates - Not Shown
However, O8 Extra context-menu item - Ebates, etc. was shown, if this means anything.
Also, I could not remove:
My Search Bar
Search Assistant-My search
Ebates Moe Money Maker

bobbydee
Re: HijackThis Log: Please help diagnose
« Reply #13 on: March 18, 2008, 02:58:49 PM »
Combofix Log

oldman
Re: HijackThis Log: Please help diagnose
« Reply #14 on: March 19, 2008, 07:47:48 AM »
Starting to shape up. You can delete OTMoveIt2; that error usually indicates a corrupted download.

Combofix got myweb for you along with some other stuff.

Open HJT, run a system scan only, check mark these lines if present

O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\Robert Dombroski\Application Data\rncr.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O8 - Extra context menu item: Ebates - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm
O9 - Extra button: Acez.com - Download Free Screen Savers - {88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6} - C:\WINDOWS\acezlink.htm
O22 - SharedTaskScheduler: Component Categories cache daemon preloader - {6B4F2BE7-D4C4-43CE-A7DD-8F1DB92BA570} - C:\WINDOWS\system32\browseuidw.dll


Close all other browsers/windows, click fix, close HJT.



Please follow all previous instructions regarding security programs.


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt". Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
File::
C:\Documents and Settings\Robert Dombroski\Application Data\rncr.exe
C:\WINDOWS\System32\NDrv.exe
C:\WINDOWS\acezlink.htm


This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



Please submit these files for analysis.

To submit a file to VirusTotal, please click on this link:

www.virustotal.com

Copy and paste the following into the "upload a file" box (one at a time if more than one file is listed):

C:\info.exe

Scroll down a bit and click "send file", wait for the results and post them in your next reply.


I need to see the contents of a file, so I will get you to create a batch file.


Open a new notepad and copy and paste the following into it


copy C:\system.bat look.txt
start look.txt



Click File, Save as. Set the location to your desktop, enter (including quotation marks) as the filename: "get.bat", and click OK. You should have a file on your desktop with the icon shown at the bottom of this post.

Double click it and a Notepad window will appear. Save it to your desktop. Do not post it. When we are online at the same time, I will unhide my email address and you can send it to me. Either that, or after you make 7 more posts I can PM you my address.

Combofix log, HJT log, and the virustotal results please.

Thanks
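As an added illustration (not code from the thread, from HijackThis or from the helper), a small Python triage pass over log lines in the format oldman asks bobbydee to check in Replies #5 and #14: it separates entries HijackThis marks "(file missing)" or "(no file)", the orphaned leftovers of uninstalled software, from O4 autostarts launched out of user-writable folders such as Application Data, the kind of entry that got rncr.exe sent for analysis above. The sample log and the user-writable folder list are constructed for this example.

```python
import re

# Constructed sample in the shape of the HijackThis entries quoted in this
# thread (user name replaced); not a log posted in the thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll (file missing)
O2 - BHO: (no name) - {39AF31DD-EAFC-45EA-A56C-385B52E25CC0} - (no file)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\User\Application Data\rncr.exe
O22 - SharedTaskScheduler: Component Categories cache daemon preloader - {6B4F2BE7-D4C4-43CE-A7DD-8F1DB92BA570} - C:\WINDOWS\system32\browseuidw.dll
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
MISSING_MARKERS = ("(file missing)", "(no file)")
# Heuristic list (assumption, not a HijackThis rule): autostarts launched from
# these user-writable folders deserve a closer look.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")

def parse_entry(line):
    """Parse one HijackThis line into a dict; return None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = {"section": section, "name": None, "clsid": None, "path": None,
             "missing": body.endswith(MISSING_MARKERS)}
    clsid = CLSID_RE.search(body)
    if clsid:
        entry["clsid"] = clsid.group(0).upper()
    run = RUN_RE.match(body)
    if run:  # O4 autostart: HIVE\..\Run: [value name] command line
        entry["name"] = run.group("name")
        entry["path"] = run.group("cmd").strip('"')
    else:    # "Type: Name - {CLSID} - path (file missing)" style entry
        parts = [p.strip() for p in body.split(" - ")]
        entry["name"] = parts[0].split(": ", 1)[-1]
        tail = parts[-1]
        for marker in MISSING_MARKERS:
            tail = tail.replace(marker, "").strip()
        entry["path"] = tail or None
    return entry

def parse_log(text):
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]

def orphaned(entries):
    """Entries whose target no longer exists: leftovers of removed software."""
    return [e for e in entries if e["missing"]]

def suspicious_autostarts(entries):
    """O4 entries launching from user-writable folders, a common persistence spot."""
    return [e for e in entries if e["section"] == "O4" and e["path"]
            and any(d in e["path"].lower() for d in USER_WRITABLE)]
```

Entries that are neither orphaned nor flagged (the O22 line above, for instance) still need a manual look, which is the part of the thread no parser replaces.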