Help with HijackThis

tdsmith

I have just removed a trojan and it seems that there are still parts of it in the system. I have managed to get online, but when I go to any antivirus site it still tries to redirect me to another site.

I can access all sites by right-clicking and opening the site in a new tab, but it seems as though if I click on the link, a message pops up saying Internet Explorer has stopped working... but it clears off the screen and brings me back to the link page.

Can someone please help me with this HijackThis log?

I'm not sure what to remove,
any help would be greatly appreciated.

Thank you.
 

My Computer

Computer Manufacturer/Model Number
Gateway
OS
Windows 7
CPU
Intel i5 430m
Memory
8gb
Graphics Card(s)
onboard
Sound Card
onboard
Monitor(s) Displays
laptop display
Hard Drives
640 gb kingston
I noticed you had Malwarebytes installed. If you haven't done a Full Scan yet, I suggest you do that. It usually gets rid of most of the malware out there. I checked your hijackthis log and I found nothing unusual.

The issue you have with IE could also be an isolated issue on just the browser. Have you tried resetting (Tools>Internet Options>Advanced>Reset Button) Internet Explorer? Also try to run Internet Explorer with no add-ons. One of your add-ons could also be the culprit.
 

My Computer

Computer Manufacturer/Model Number
Dell Optiplex 380
OS
Windows 7 Ultimate 64-bit / Ubuntu Linux 11.04
CPU
Intel Core 2 Duo E7500
Memory
4 GB DDR3
Graphics Card(s)
ATI Radeon HD 4550
I have reset the Internet Explorer settings and tried with no add-ons, and it keeps redirecting me to asportreport.com

I've even tried installing Chrome, and when I go to antivirus sites it brings up the same site http://asportreport.com/?652877617f

I'm really baffled by this. I've run AVG full scan, Malwarebytes full scan, Spybot S&D, as well as uninstalled AVG and installed Avira to see if that could catch it, but still nothing.

Anyone?
 
Please download DDS by sUBs from one of the links below, save it to your Desktop (It must be in this location).
Link1
Link2
Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply
 

My Computer

Computer Manufacturer/Model Number
Dell Studio 15
OS
Windows 7 Ultimate 64 bit
OK, here are the logs.

Thank you.
 

You have more than one antivirus program installed. Please uninstall all but one (I would prefer that you keep MSE and delete any other AV at least until your computer is clean).

==================

Create a System Restore Point
  1. Right-click on Computer ... select Properties.
  2. In the left pane under Tasks ... click System protection.
    If UAC prompts for an administrator password or approval, type the password or give your "permission to continue".
  3. Select System Protection ...then choose Create.
  4. In the System Restore dialog box, type a description for the restore point ... click Create, again.
    A window will pop up with "The Restore Point was created successfully" confirmation message.
  5. Click OK ...then close the System Restore dialog.

==================

Update and Run a Full System Scan with MBAM
  1. Right-click Malwarebytes' Anti-Malware and select Run as administrator.
  2. Select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
  3. Select the Scanner tab. Click on Perform full scan, then click on Scan.
  4. Leave the default options as they are and click on Start Scan.
  5. When done, you will be prompted. Click OK, then click on Show Results.
  6. Check (tick) all items except items in the C:\System Volume Information folder and click on Remove Selected.
  7. After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottommost log is the latest.

==================

Please post the Malwarebytes' log along with a description of how your computer is behaving now.
 

I keep getting the blue screen when I try to create a restore point. I've tried it twice now. :(
 

Please continue with the Malwarebytes' instructions.
 

OK, I'll continue with MBAM.

The error from the bluescreen says:

Problem Event Name: BlueScreen
OS Version 6.1.7600.2.0.0.768.11
Locale ID: 4105

Additional information about the problem:
BCCCode: 100008e
BCP1: C0000005
BCP2: 86456B40
BCP3: AA359424
BCP4: 00000000
OS Version: 6_1_7600
Service Pack: 0_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\051011-22323-01.dmp
C:\Users\(Usernam)\AppData\Local\Temp\WER-97485-0.sysdata.xml
 

It seems like I can only run MBAM in safe mode. (When I do, it says there are no infections.)

When I try to start it in normal mode it keeps giving me the error:

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

The dependency service or group failed to start.
 

Follow the directions in this tutorial to change UAC to "Never Notify"
http://www.sevenforums.com/tutorials/299-user-account-control-uac-change-notification-settings.html

=====================

Backup the Registry with ERUNT

This is a free program that allows you to keep a complete backup of your registry and restore it when needed.
ERUNT utility program
Download:

  1. Please download ERUNT...by Lars Hederer. Save it to your desktop.
  2. Double-click erunt-setup-exe to run the install process. Install ERUNT by following the prompts.
    VISTA/Windows 7 users must right-click erunt-setup-exe, select "Run As Administrator" to run the install process. Install by following prompts.
  3. Use the default install settings... say "NO" to the section that asks you to add ERUNT to the Start-Up folder. You can enable this later.
  4. Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
    VISTA /Windows 7 users must right-click the desktop icon, select "Run As Administrator" or start it at the end of the setup process.
  5. Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is fine.
  6. Make sure the first two check boxes -> (Create ERUNT and NTREGOPT desktop icons) are checked.
  7. Click on OK ... then click on "YES" to create the folder.
Run:
This will create a full backup of your registry... ERUNT can be used to restore the registry from this backup, if needed.
  1. Please navigate to Start >> All Programs >> ERUNT, then double-click ERUNT from the menu.
    Vista users: Right-click on ERUNT in the menu, then select "Run As Administrator". If UAC prompts, please allow it.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on "OK"... at the prompt... reply "Yes".
    After a short duration, the "Registry backup is complete!" pop-up message will appear.
  5. Now click on "OK". A registry backup has now been created.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

=====================

Follow the directions in this tutorial to change UAC to the "Default" setting.
http://www.sevenforums.com/tutorials/299-user-account-control-uac-change-notification-settings.html

=====================

aswMBR - Scan

Please download aswMBR.exe ... © Avast Software ( 511KB ). Save it to your desktop.
  1. Double click the aswMBR.exe to run it
  2. Click the "Scan" button to start the scan.
  3. On completion of the scan, "Scan finished successfully" press the "Save log" button.
  4. You'll be prompted to save a file named "aswMBR.txt"... Save it to your desktop.
  5. Please copy and paste the contents of aswMBR.txt in your next reply.
Note: A file will be created and placed on your desktop when you execute aswMBR, named MBR.dat... this is a copy of your MBR record before we make changes; it can be used to recover the MBR record to its previous condition if problems exist after changes.

Please post the contents of aswMBR.txt for my review.
 

I cannot access the UAC settings either. It just sits there; it does nothing when I click on it.
 

I'm not really 100% sure, but I think I have to do most of the work in safe mode. Nothing is opening for me. I cannot access cmd.exe or any other .exe files... it keeps giving me "the remote procedure call failed" when trying to access them.
 

If you have not done so already, you should back up any important files/folders before you continue.

Try running aswMBR.exe in Normal Mode.

If that fails, rename aswMBR.exe to BlueaswMBR.scr and try that in Normal Mode.

If that fails, then try safe mode.

Attach the mbr.dat file to your next reply (it will serve as an off-site backup) and post the contents of aswMBR.txt
 

Everything is backed up. :)

I tried running the file in normal mode, but no go. It would not let me at all. (It gives me an error: The pipe has been ended.)

So my other option: I tried running in Safe Mode, and it says:

18:23:56.755 OS Version: Windows 6.1.7600
18:23:56.755 Number of processors: 2 586 0x1c02
18:23:56.755 ComputerName: (Username)-PC UserName: (Username)
18:23:57.269 Initialze error C0000061 - driver not loaded
 

I was able to get the UAC settings changed, and it seems that a few more things are working now. (Hamachi wasn't autoloading before I did this).

I'll try the other steps now, hopefully this works. :confused:
 

OK, I'm making progress!!

Here is the log file you requested. :) But it said the .dat file is invalid format.
 

Not sure if this will be of any help at this point...

I uploaded your HijackThis log file to the HijackThis Log File Analyser which suggests there is a dodgy Hosts entry which should be fixed?

O1 - Hosts: 76.74.236.88 webmail.rapidcitytransport.com Must be fixed!

Unfortunately there is little precise information to go with it, though I thought I'd bring it to your attention just in case...
 

My Computer

Computer type
PC/Desktop
OS
Windows 7
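
The last post singles out an O1 (hosts file) line from the HijackThis log. As an added example that is not part of the thread, this Python script pulls every O1 line out of a log and separates loopback or blocking entries from those that pin a name to a routable address, which are the ones to review by hand. The sample log is constructed except for the one line quoted in the post; the function names are hypothetical.

```python
import ipaddress
import re

# HijackThis reports each hosts-file entry as "O1 - Hosts: <address> <name> ..."
O1_LINE = re.compile(r"^O1 - Hosts:\s*(\S+)\s+(.+)$")

# Constructed sample; only the 76.74.236.88 line is quoted from the thread.
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 0.0.0.0 ads.example.test
O1 - Hosts: 76.74.236.88 webmail.rapidcitytransport.com
O1 - Hosts: not-an-ip broken.example.test
O2 - BHO: (constructed non-hosts line, ignored by the audit)
"""


def classify(addr_text):
    """Return 'local', 'sinkhole', 'remote' or 'invalid' for a hosts-entry address."""
    try:
        ip = ipaddress.ip_address(addr_text)
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "local"
    if ip.is_unspecified:
        return "sinkhole"  # 0.0.0.0 or :: is commonly used to block a name
    return "remote"


def audit_o1(log_text):
    """Return (address, hostnames, verdict) for every O1 line in the log."""
    findings = []
    for line in log_text.splitlines():
        match = O1_LINE.match(line.strip())
        if not match:
            continue
        addr = match.group(1)
        names = match.group(2).split("#", 1)[0].split()  # drop trailing comment
        findings.append((addr, names, classify(addr)))
    return findings


def needs_review(log_text):
    """Entries that point a name at a routable address, or that fail to parse."""
    return [f for f in audit_o1(log_text) if f[2] in ("remote", "invalid")]


if __name__ == "__main__":
    for addr, names, verdict in audit_o1(SAMPLE_LOG):
        print(f"{verdict:8} {addr:15} {' '.join(names)}")
```

A "remote" verdict only means the name is pinned to a routable address; whether that pin is legitimate still has to be confirmed with whoever administers the machine.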