Hijack Log and other bits...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Razorback, Dec 31, 2005.

  1. Razorback

    Razorback Private E-2

    Home from grad school and doing my annual clean-up of mom and dad's computer. Found over 180 spywares and 20 or viruses. Couldn't clean some, so I followed your in-depth instructions and here is my hijack log, bitdefender and panda scan logs, and a few symptoms:

    At startup, lots of pop-ups are coming up saying that this or that file does not exist, like the dinst.exe (or is it .dll?) and some others. Best Offers pop-up won't go away either and nothing seems to be detecting it.

    My parents do some work online, so their computer needs to be spick-and-span. You gals and guys are amazing, and I hope there is some worthy compensation. Thanks in advance.

    Also, I leave Jan 2nd early am. If nobody has replied before that date, could you make the instruction simple enough that my mom could follow? She's about 2/3 computer literate.
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I also need the Panda log from the READ ME, then follow the below...

    Please see the below thread on how to install and run Ewido Security Suite.

    Running Ewido Security Suite ...
     
  3. Razorback

    Razorback Private E-2

    Apologies, forgot to include the Panda log.

    Had some problems with Ewido... when I tried to load it after a normal boot, it would stay open for about 1 second and then close itself. Tried to reinstall. No change. Only would run in Safe Mode, and I couldn't read the options on the left to change the settings properly, but I DID find the update. Here is that log.

    Also, the new Hijack log.

    Happy New Year!!!!!!
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, download Nail/Bolder/Aurora Remover 0.3.3 Beta and save it to its own folder like c:\ABIremover

    - Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet.

    - Reboot into Safe Mode with no network support and do not run anything else but what I tell you to run!

    - Run the ABIRemover.exe, press install, wait (explorer window will disappear)

    - When it finishes just reboot and attach a fresh HJT log.
     
  5. Razorback

    Razorback Private E-2

    Happy New Year, for real this time. Can't believe I'm doing this on New Year's eve.
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's begin the initial fix...

    Download Pocket KillBox
    (Don't run it yet)

    Click Start > Run > type services.msc and Click OK

    Locate cmpbk32 and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Locate System Startup Service (SvcProc) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    ljtrkr.exe


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo. com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

    O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)

    O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
    O4 - HKLM\..\Run: [fliamjj] C:\WINDOWS\system32\ljtrkr.exe r
    O4 - HKCU\..\Run: [itircl] C:\WINDOWS\System32\itircl.exe
    O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
    O4 - HKCU\..\Run: [197_150_ni_4] C:\WINDOWS\System32\197_150_ni_4.exe
    O4 - HKCU\..\Run: [198_150_ni_7] "C:\WINDOWS\198_150_ni_7.exe"
    O4 - HKCU\..\Run: [mgmtapi] "C:\WINDOWS\system32\mgmtapi.exe"
    O4 - HKCU\..\Run: [kbdtat] "C:\WINDOWS\system32\kbdtat.exe"

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O23 - Service: cmpbk32 - Unknown owner - C:\WINDOWS\system32\cmpbk32.exe (file missing)
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.
    After you complete the above, proceed with the below steps...

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Finally, I would like you to Flush your System Restore Points. Please follow the instructions in this link --->Disable and Re-enable System Restore
    • First, turn OFF System Restore to flush any bad Restore Points.
    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you have completed the above, reboot and attach a fresh HJT log. Also follow the below to confirm nothing else is hiding.

    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
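    The fix list above is the kind of triage an analyst does by eye on a HijackThis log: a second program chained onto the system.ini Shell= line, BHO/toolbar registrations whose file is missing, Run entries with numbered or mismatched names, and services with no registered owner. The script below is an added example (not part of the thread or of HijackThis) that applies those same checks to a constructed sample built from the lines quoted in this post; the KNOWN_RUN_ENTRIES allowlist is an assumption supplied for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a handful of the HijackThis lines quoted in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [fliamjj] C:\WINDOWS\system32\ljtrkr.exe r
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# Assumed allowlist: Run value names that legitimately differ from their exe name.
KNOWN_RUN_ENTRIES = {"kernelfaultcheck"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

def parse_o4(line):
    """Split an O4 line into (hive, value name, executable stem, argument list)."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):                 # quoted path may contain spaces
        exe, _, rest = cmd[1:].partition('"')
    else:                                   # unquoted: first token is the exe
        exe, _, rest = cmd.partition(" ")
    return m.group("hive"), m.group("name"), PureWindowsPath(exe).stem.lower(), rest.split()

def triage(log_text):
    """Return (section, reason, line) for each entry that matches a removal heuristic."""
    findings = []
    for line in (l.strip() for l in log_text.strip().splitlines()):
        if line.startswith("F2 ") and "Shell=" in line:
            shell = [t.lower() for t in line.split("Shell=", 1)[1].split()]
            if shell != ["explorer.exe"]:   # anything chained after Explorer.exe is suspect
                findings.append(("F2", "extra program chained onto the Shell= line", line))
        elif line.startswith(("O2 ", "O3 ")) and line.endswith("(file missing)"):
            findings.append((line[:2], "BHO/toolbar registered for a file that is gone", line))
        elif line.startswith("O4 "):
            entry = parse_o4(line)
            if entry is None:
                continue
            _, name, stem, _ = entry
            if re.fullmatch(r"\d+_\d+_ni(_\d+)?", name):
                findings.append(("O4", "numbered *_ni Run entry", line))
            elif name.lower() != stem and name.lower() not in KNOWN_RUN_ENTRIES:
                findings.append(("O4", "Run value name does not match executable name", line))
        elif line.startswith("O23 ") and "Unknown owner" in line:
            findings.append(("O23", "service with no registered owner", line))
    return findings
```

Running triage(SAMPLE_LOG) flags five of the six sample lines; the dumprep entry passes because its name is on the allowlist.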
     
  7. Razorback

    Razorback Private E-2

    I see the light at the end of the tunnel.


    One symptom I had hoped would be solved is that after rebooting, an IE message comes up that says, "The website you requested cannot be connected to while offline." It then gives two options, connect or work offline.

    I of course have never tried connecting, especially since I have no idea to what site it would actually take me to.

    Can you get a sense of what that is by looking at the hijack log?

    The main browser here is Mozilla, btw. Nobody uses IE.

    Thanks again.
     

    Attached Files:

  8. Razorback

    Razorback Private E-2

    And the other requested log.
     
  9. Razorback

    Razorback Private E-2

    Weird, try that again.
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please uninstall Microsoft Antispyware so it will not block anything we try to fix!

    Then please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Navigate to and DELETE the following if they should remain:

    C:\Program Files\Ebates_MoeMoneyMaker <-- Delete this whole folder if it exists!


    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    F2 - REG:system.ini: Shell=Explorer.exe

    O4 - HKLM\..\Run: [roexqln] C:\WINDOWS\system32\nwyjgnv.exe r

    Again, make sure All Browser Windows are Closed when you Click FIX.


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.
    After you complete the above, reboot about 3 times, then attach a fresh HJT log.
     
  11. Razorback

    Razorback Private E-2

    Ran into a problem... don't have notepad. Instead, the extension the notepad icon tries to load is actmovie.exe. Recommendations?
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do you have Wordpad?

    Should work the same.
     
  13. Razorback

    Razorback Private E-2

    Wordpad works, my bad. I thought since the save as option "all file types" wasn't available it wouldn't save as a .reg. Anyhoo,

    Couldn't find:

    O4 - HKLM\..\Run: [roexqln] C:\WINDOWS\system32\nwyjgnv.exe r


    Also, noticed that the nail.exe hasn't gone away, the .dinst is back, and that there is a randomly named file along the same lines as the [roexqln] with an .exe r in the same place on the hijack each time.

    You've probably got an answer for this. I'd love to know how some of this stuff works. I thought I was 4/5 computer literate till I began playing with spyware removal. :)
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the following file, after download is complete run the uninstaller. When uninstall is complete reboot and post a new HJT log.

    Download Uninstaller
     
