HijackThis Log: Please help diagnose

Hope this is it.

You have some major infections.

Start with this.

Download this program to your desktop so you can find it if needed.

LSP-Fix Download Link

Click on start, then settings and then control panel.

Double-click on the Add/Remove Programs icon.

Look through the installed programs for a program called New.Net or NewDotNet, and uninstall it.

If there is no uninstall program listed then do the following:
Go to www.newdotnet.com/removal.html
Scroll down to Procedure 4 and follow the removal instructions

Reboot.

Open HJT, run a system scan only, check mark these lines if present

O4 - HKLM..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup

Close all other browsers/windows, click fix, close HJT.

NOTE: Do not fix any 010 lines. Please return to the forum and ask for help.

Reboot.

If you cannot connect to the internet, run the LSP-Fix program you downloaded earlier and click on the Finish button. Reboot and you should be able to get back on.

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press “Enter”.
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix Folder will be extracted to %systemdrive% \ (Drive that contains the Windows directory - typically ‘C:\SDFix’) Open the SDFix folder in Safe Mode then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and post the results file Report.txt in your next reply along with a new HijackThis log

File Report.Txt

I need a new HJT log

Some of it’s gone. :slight_smile:

Thanks

HJT Log

Progress. We’ll thin some of this out and see what’s left.

Go to add/remove programs and uninstall, this program if present

webHancer
EbatesMoeMoneyMaker

Open HJT, run a system scan only, check mark these lines if present

R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll (file missing)
O2 - BHO: biObj Class - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll (file missing)
O2 - BHO: (no name) - {39AF31DD-EAFC-45EA-A56C-385B52E25CC0} - (no file)
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - "C:\WINDOWS\System32\smiehlp.dll (file missing)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O4 - HKLM..\Run: [EbatesMoeMoneyMaker] wjview /cp:p “C:\Program Files\EbatesMoeMoneyMaker\System\Code” Main lp: “C:\Program Files\EbatesMoeMoneyMaker”
O4 - HKLM..\Run: [webHancer Agent] “C:\Program Files\webHancer\Programs\whAgent.exe”
O4 - HKLM..\Run: [webHancer Survey Companion] “C:\Program Files\webHancer\Programs\whSurvey.exe”
O9 - Extra button: Ebates - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC} - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm (file missing) (HKCU

Close all other browsers/windows, click fix, close HJT.

Tell me about these. They are desktop components. They might be images/pictures.

O24 - Desktop Component 0: (no name) - http://online.comcast.net/images/headerBkg.gif
O24 - Desktop Component 1: (no name) - http://a.sc.msn.com/3H/]4B2,]W{U[5UV-93_}+P3K.gif
O24 - Desktop Component 2: (no name) - http://www.comcast.net/images/headerBkgHome.jpg
O24 - Desktop Component 3: (no name) - http://ar.atwola.com/content/B0/0/H7pTL2Luf0_kw3xmlj8W1sns8a9RRNke8_SAqLzKBa609jmULHVa8jgFKtiL69KXipvyB0VioSQms4jAsPUrDsHr6P51JmcDxLm10XfuR4M$/aol
O24 - Desktop Component 4: (no name) - http://www.scottrade.com/images/swap/personhome10.jpg
O24 - Desktop Component 5: (no name) - http://ar.atwola.com/content/B0/0/H7pTL2Luf0_kw3xmlj8W1sns8a9RRNke8_SAqLzKBa609jmULHVa8jgFKtiL69KXw9Izqq7cD1MUykrTGpaSaHInWABV0uDCe6UbwKw5ZHU$/aol

Please go to the Logitech web site and download and install the newest version of their Desktop Messenger client. Yours is several years old and the newer one does not corrupt the registry as the one currently used is doing. That will clean up the 018 lines.
http://www.logitech.com/index.cfm/494/3041&cl=us,en?osid=1&file=

It can probably be uninstalled as it is an update notification. The info on what it does is on the page along with the download link.

Then in normal windows

Open the extracted SDFix folder and double click RunThis.bat to start the script again.

Type A to create a System Report.

Please be patient as this scan may take some time
When the scan is done a notepad will open with the report.
Attach SystemReport.txt to your next reply. You can find the report at this location: C:\SDFix\SystemReport.txt along with a new HJT log.

Thanks
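The HijackThis lines quoted in this thread follow a fixed layout (section code, kind and name, optional CLSID, then the path or URL, with "(file missing)" appended when HJT cannot find the file). The parser below is an added example, not a tool from the thread or from HijackThis itself; it reads that layout into records and pulls out the two groups the helper keeps acting on: dead registry pointers and Run entries that launch from user-writable folders. The sample log is constructed from lines of the kinds quoted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, adapted from the kinds of lines quoted in this thread
# (illustrative input, not the poster's actual log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll (file missing)
O2 - BHO: (no name) - {39AF31DD-EAFC-45EA-A56C-385B52E25CC0} - (no file)
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\User\Application Data\rncr.exe
O24 - Desktop Component 0: (no name) - http://online.comcast.net/images/headerBkg.gif
"""
LINE_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 body is "HKLM\..\Run: [value name] command"; the thread's copies lost the first backslash, so it is optional
RUN_RE = re.compile(r"^HK\w+\\?\.\.\\[^:]+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Trailers HJT appends after the path: "(file missing)" and the hive tag on O9 lines
TRAILER_RE = re.compile(r"\s*\((?:file missing|HK\w+)\)")
@dataclass
class HjtEntry:
    section: str           # e.g. "O4"
    name: str              # BHO/toolbar/Run value name, "" for "(no name)"
    clsid: Optional[str]   # {GUID} when the entry carries one
    target: str            # file, command or URL the entry points at, "" if none
    file_missing: bool     # HJT flagged the referenced file as absent

def parse_line(line: str) -> Optional[HjtEntry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    clsid = CLSID_RE.search(body)
    missing = "(file missing)" in body or "(no file)" in body
    run = RUN_RE.match(body) if section == "O4" else None
    if run:
        name, target = run.group("name"), run.group("cmd").strip().strip('"')
    else:
        fields = [f.strip() for f in body.split(" - ")]
        _, _, name = fields[0].partition(": ")          # field 0 is "Kind: name"
        tail = TRAILER_RE.sub("", fields[-1]).strip()   # last field: path, URL or (no file)
        target = "" if tail == "(no file)" else tail.strip('"')
    name = "" if name == "(no name)" else name
    return HjtEntry(section, name, clsid.group(0) if clsid else None, target, missing)
def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]

def dead_references(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Registry pointers whose file is gone: the "(file missing)" lines the helper fixes first."""
    return [e for e in entries if e.file_missing]
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")
def suspicious_autostarts(entries: List[HjtEntry]) -> List[HjtEntry]:
    """O4 Run values launching from user-writable folders, like the rncr.exe line in the thread."""
    return [e for e in entries if e.section == "O4"
            and any(p in e.target.lower() for p in USER_WRITABLE)]
```

Running `parse_log(SAMPLE_LOG)` and passing the result to `dead_references` and `suspicious_autostarts` reproduces the two kinds of lines the helper singles out by hand.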

Removed webHancer
Unable to remove EbatesMoe Money Maker

Jumping ahead (did not do HJT system scan- waiting first for your answer about Ebates)
024 0 Comcast Header - No Text (no longer use Comcast as a provider)
024 1 Denied Directory listing
024 2 Comcast Header - No Text
024 3 CNN Money Header - No Text
024 4 Scottrade Header - 404 Error Page Not Found
024 5 CNN Newsnight - Header
I guess I could also use the word Banner instead of Header

Leave Moemoney for now, just fix the other lines and any of the 024 you don’t want. Then continue on. I’ll look for a method of removing Moemoney.

System Report

We’ll try to get rid of moe money in safe mode.

Save it to your desktop. Again do not run it yet, we’ll use it later.

  • Open HJT, run a system scan only, check mark these lines if present

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=15013268572106
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM..\Run: [EbatesMoeMoneyMaker] wjview /cp:p “C:\Program Files\EbatesMoeMoneyMaker\System\Code” Main lp: “C:\Program Files\EbatesMoeMoneyMaker”
O9 - Extra button: Ebates - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC} - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm (file missing) (HKCU
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O9 - Extra button: Ebates - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC} - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm (file missing) (HKCU)

Close all other browsers/windows, click fix, close HJT.

  • Boot into safe mode, go to add/remove programs and uninstall the following


My Search Bar
Search Assistant - My Search
Ebates Moe Money Maker

  • Boot back into normal windows.

  • Please double-click OTMoveIt2.exe to run it.

Please note the location of the boxes where the copy/paste is to be done

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\Program Files\PurityScan
C:\Program Files\NewDotNet

Return to OTMoveIt2, right click in the “Paste List of Files/Folders to be Moved” window (under the light blue bar) and choose Paste.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


purity

Return to OTMoveIt2, right click in the “Paste List Of Files/Patterns To Search For and Move” window (under the yellow bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMoveIt reboots before you can get the results, they can be found here:
C:_OTMoveIt\MovedFiles**_.log
(where “**_” is the “date_time”)

  • Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop

  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

I will require:
OTMOVEIT2 results
combofix log
HJT log

Thanks

Good Afternoon. I’m not too sure I can get through all of this. To begin with, I downloaded OTMoveIt2 and all I got was mixed up letters and symbols. Said something about the program has to be run under Win32.
Also, I only have Avast anti virus 4.7 home edition. If I stop avast on-line protection, will that also disable script blocking?
Do all of your instructions in your last post have to be done all at the same time, or can I stop at an appropriate point? I’m not trying to be difficult, but I’m by no means a computer whiz. Thanks

Do the HJT fix and the uninstalls. Skip OTMOVEIT2 for now. Run combofix.

Just stop avast’s standard shield (script blocker is available only if you have the Pro version.), restart it after combofix has given you the log.

Just do them in order, you’re probably looking at 30 min or less.

On the HJT report:
04-HKLM Run Ebates - Not Shown
09-Extra button: Ebates - Not Shown
However, 08 Extra content-menu item-Ebates,etc. was shown if this means anything.
Also, I could not remove:
My Search Bar
Search Assistant-My search
Ebates Moe Money Maker

Combofix Log

Starting to shape up. You can delete OTMOVEIT2, that error usually indicates a corrupted download.

Combofix got myweb for you along with some other stuff.

Open HJT, run a system scan only, check mark these lines if present

O4 - HKCU..\Run: [Usrr] C:\Documents and Settings\Robert Dombroski\Application Data\rncr.exe
O4 - HKCU..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O8 - Extra context menu item: Ebates - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm
O9 - Extra button: Acez.com - Download Free Screen Savers - {88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6} - C:\WINDOWS\acezlink.htm
O22 - SharedTaskScheduler: Component Categories cache daemon preloader - {6B4F2BE7-D4C4-43CE-A7DD-8F1DB92BA570} - C:\WINDOWS\system32\browseuidw.dll

Close all other browsers/windows, click fix, close HJT.

Please follow all previous instructions regarding security programs.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt”. Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\Documents and Settings\Robert Dombroski\Application Data\rncr.exe
C:\WINDOWS\System32\NDrv.exe
C:\WINDOWS\acezlink.htm

This will start ComboFix again. Close all browser/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

Please submit these files for analysis

To submit a file to VirusTotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\info.exe

scroll down a bit and click “send file”, wait for the results and post them in your next reply.

I need to see the contents of a file, so I will get you to create a batch file.

Open a new notepad and copy and paste the following into it

copy C:\system.bat look.txt
start look.txt

Click file, save as. Set the location to your desktop, and enter (including quotation marks) as the filename: “get.bat”, click ok. You should have a file on your desktop with the icon shown at the bottom of this post.

Double click it, a notepad will appear. Save it to your desktop. Do not post it. When we are online at the same time, I will unhide my email address and you can send it to me. Either that or after you make 7 more posts. I can PM you my address.

Combofix log, HJT log, and the virustotal results please.

Thanks

Have an emergency in the family. Please bear with me and thank you for all that you have done to date.

No problem. Take care. Let me know when you are back.

The result of the Virustotal was 0/32 (0%).
The body of the site listed 32 Antivirus Programs.
Requested logs attached.

Hi. We’ll clean up the tools you used so far and run this scan tool, Malwarebytes’ Anti-Malware. I also included removal instructions for Viewpoint and a link with a little info about it. It’s not spyware or adware but foistware. That is, it will install without you knowing it. Your choice.

I’m still interested in that file, so as soon as we are online at the same time, I’ll get my address to you.

  • Click start button, run, then copy and paste the following line into the box and click ok.

ComboFix /u

Double click OTCleanIt, click the Clean Up button.

You may get prompted by your firewall that OTCleanit/OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

  • Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

  • Remove old restore points
  • Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

Please download Malwarebytes’ Anti-Malware from Here or Here

  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select “Perform Quick Scan”, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Viewpoint, your choice.

http://www.pchell.com/support/viewpoint.shtml

  1. Right-click on the clock in your taskbar and choose Task Manager
  2. Click on the Processes tab and search for VIEWMGR.EXE, if its found, click on it and then click End Task to close it
  3. Click on Start, Control Panel, Add/Remove Programs
  4. Uninstall any of the following programs associated with Viewpoint

Viewpoint Manager
Viewpoint Media Player
Viewpoint Toolbar

  1. Close the Add/Remove Programs and Control Panel
  2. Restart your computer

Warning: If you install AOL © Instant Messenger, Adobe Atmosphere plugin, or another program that requires Viewpoint, it will download and install again.

Just the Malwarebytes’ log for now.

Thanks

I had been getting a siren and virus warning about 3-4 times an hour for the past week or so. But now I have not received a warning for the past 6 1/2 hrs.
Do I still go through your last instructions or am I home free?