IE won't open any pages


#1 tonygg (Member, 13 posts)

Logfile of HijackThis v1.99.1
Scan saved at 9:05:54 AM, on 9/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Documents and Settings\TonyG\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - Global Startup: SATARaid.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#2 kool808 (Visiting Staff, 1,690 posts)

Hello and welcome to Geeks to Go! I'm kool808 and I will be helping you today.

I am working on your log. As soon as I have made a good fix for this, I will post a reply. Thank you for your patience.

++++++++++++++++++++++ TRACK TOPIC REPLIES ++++++++++++++++++++++

Looking for your own topic? To track replies in your own topics, first you must be at the index of the Malware Removal Forum:
http://www.geekstogo.com/forum/Malware-Removal-HiJackThis-Logs-Go-Here-f37.html

Then at the bottom right of it you should be able to see several options (see Figure 1); choose Topics: I Replied, then click the Go button.

[Figure 1]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

#3 kool808 (Visiting Staff, 1,690 posts)

C:\Documents and Settings\TonyG\Desktop\HijackThis.exe
It is highly recommended that you extract your HijackThis tool from the ZIP file and then install it in a safe location where you can easily find it. It is suggested you place it in the folder C:\HJT\; that way it can create the backups necessary for a future restore.

+++++++++++++++++++++++++++++++++++
Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Please read the instructions for About:Buster then download it to a safe location where you can easily remember it.
Please Download the stand-alone version of CoolWebShredder
Download Cleanup.

Save all of these files somewhere you will remember like to the Desktop.

Run the CleanUp! installer. You don't need to do anything with it right now. Do NOT run it yet.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Reboot in SAFE MODE. (How to boot in Safe Mode...)
================================================
Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm

Make sure to double check the items you have selected, then click Fix Checked.
================================================
  • Please run about:buster by RubbeRDuckY:
    • Click Begin Removal.
    • Click Yes to allow it to shutdown explorer.exe.
    • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
    • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
    • Reboot your computer into safe mode again
    In the event you get an error message then do the following:
    Start > Run, then paste this in the dialog box:

    regsvr32 C:\Windows\System32\COMCTL32.OCX

  • Run about:buster again following the same instructions as above, this time without the restart at the end

  • Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

  • Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal windows.
Please run an online virus scan at Kaspersky Online Scan or, if that doesn't work, you can have an online scan at one of these sites:
Trend Micro or Panda Scan or BitDefender.
(Please post the results of the scan(s) in your next reply)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

Good Luck!

+++++++++++++++++++++++++++++++++++
If the fixes fail, try this:

RIGHT-CLICK [ HERE ] and Save As (In IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.


Download the Hoster: http://www.funkytoad.com/download/hoster.zip
DO NOT run the program yet.

Unzip Hoster to your desktop.

Open the Hoster program folder, then double-click Hoster.exe.
  • Click Back-up Host files
  • then click Restore original host files
  • close the program.


Reset your Internet Explorer settings:
IE > Tools > Reset Web Settings > OK

Let me know how everything goes, post all requested logs.


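The triage kool808 does by eye in the reply above (reading the R0/R1 page entries, the O2 BHOs, the O4 autoruns and the O23 services for anything that does not belong) can be scripted. The following is an added example written for this page; it is not HijackThis code and was not posted in the thread. It parses HijackThis 1.99-style log lines and flags entries that fall outside a small trust baseline: IE pages pointed at a non-Microsoft host, BHOs not on an allowlist that are unnamed or live in a user-writable path, autoruns launched from Temp or a user profile, and services with no publisher. The sample log is constructed: the benign lines copy the format of the log above, and the flagged lines use placeholder names (`example.invalid`, an all-zero CLSID, `example_autorun.exe`) rather than any real malware identifier. The allowlists and path heuristics are assumptions that would be tuned for the machine being examined.

```python
"""Triage HijackThis 1.99 log lines against a small trust baseline (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# --- assumptions: tune these for the machine being examined -------------------
ALLOWED_URL_HOSTS = ("microsoft.com", "msn.com")   # R0/R1 start/search pages may point here
KNOWN_GOOD_BHO_CLSIDS = {"{53707962-6F74-2D53-2644-206D7942484F}"}  # Spybot SDHelper, from the log
USER_WRITABLE_PATH_PARTS = ("\\temp\\", "\\documents and settings\\", "\\temporary internet files\\")

_LINE = re.compile(r"^(?P<code>R\d|O\d+) - (?P<rest>.*)$")
_R = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+)=\s*(?P<value>.*)$")
_O2 = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
_O4 = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
_O23 = re.compile(r"^Service: (?P<name>.*?) - (?P<company>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    code: str    # HijackThis section code (R1, O2, O4, O23)
    reason: str  # why the line was flagged
    line: str    # the raw log line


def _url_host(value: str) -> Optional[str]:
    m = re.match(r"https?://([^/\s]+)", value, re.IGNORECASE)
    return m.group(1).lower() if m else None


def _host_allowed(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in ALLOWED_URL_HOSTS)


def _user_writable(path: str) -> bool:
    low = path.lower()
    return any(part in low for part in USER_WRITABLE_PATH_PARTS)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line looks like a hijack, otherwise None."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    code, rest = m.group("code"), m.group("rest")
    if code in ("R0", "R1"):
        r = _R.match(rest)
        host = _url_host(r.group("value")) if r else None   # local file paths are not checked
        if host and not _host_allowed(host):
            return Finding(code, f"IE {r.group('name').strip()} points at non-Microsoft host {host}", line)
    elif code == "O2":
        o = _O2.match(rest)
        if o and o.group("clsid").upper() not in KNOWN_GOOD_BHO_CLSIDS:
            if o.group("name") == "(no name)" or _user_writable(o.group("path")):
                return Finding(code, "BHO not in baseline and unnamed or in a user-writable path", line)
    elif code == "O4":
        o = _O4.match(rest)   # "Global Startup" lines have another layout and are skipped here
        if o and _user_writable(o.group("cmd")):
            return Finding(code, "autorun launched from a user-writable location", line)
    elif code == "O23":
        o = _O23.match(rest)
        if o and o.group("company").strip().lower() in ("unknown owner", ""):
            return Finding(code, "service binary carries no publisher name", line)
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


# Constructed sample (not the poster's log): the benign lines copy the format seen in
# this thread; the four hijack-style lines use placeholder names only.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://example.invalid/search
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\example_bho.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Local Settings\Temp\example_autorun.exe
O4 - Global Startup: SATARaid.lnk = ?
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Example Helper (exhelp) - Unknown owner - C:\WINDOWS\system32\example_svc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

Run against the constructed sample it reports four findings (the R1 search page, the unknown BHO, the Temp autorun and the unowned service) and stays silent on the Spybot, AVG and NVIDIA lines. Note that the first log in this thread would produce no findings at all under these rules, which matches what the scans later reported: the `blank.htm` Local Page entries are file paths, not redirected URLs.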

#4 tonygg (Topic Starter, 13 posts)

Thank you so very much for the help. I really appreciate it. However, it did not solve my problem. I followed your instructions and scanned the computer, and it only found one adware cookie and no virus. It stated that there weren't any CoolWebSearch items.

So I am back to where I started. IE still comes up, but I cannot do anything with it. It will not respond to any address or even let me click on items, i.e. Tools...

Have tried uninstalling IE in Add/Remove Windows Components and changed IE Install items in the registry. I downloaded a new copy of IE and SP2. Reinstalled SP2 and tried to reinstall IE. However, it gets so far and announces that it found a newer version of IE that already exists and setup cannot continue.

What now, coach?

Logfile of HijackThis v1.99.1
Scan saved at 1:28:18 PM, on 9/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Aladdin Systems\StuffIt\stuffit.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#5 kool808 (Visiting Staff, 1,690 posts)

hi tonygg,

Okay, it is interesting: I notice you were able to use Firefox. Are you able to load webpages with it successfully?

Since the scans did not find any malware, let us make a deeper diagnosis.

++++++++++++++++++++++++++++
  • Open up NOTEPAD, then copy & paste the following code below (starting from REGEDIT4). Save it on the desktop as IEfix.reg. Choose 'All Files' as the file type.

    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search] 
    "SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm" 
    "CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm" 
    "Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
    "Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
    "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    "Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"
    
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl] 
    ""="http://home.microsoft.com/access/autosearch.asp?p=%s" 
    
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main] 
    "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    "Search Bar"="http://search.msn.com/spbasic.htm"
    "Use Custom Search URL"=dword:00000000
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="" 
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
    @="http://"
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
    "ftp"="ftp://"
    "gopher"="gopher://"
    "home"="http://"
    "mosaic"="http://"
    "www"="http://"
    

    Now double-click IEfix.reg then allow it to merge to the system.
    (NOTE: You can delete this file afterwards.)

    REBOOT YOUR COMPUTER.
  • Please download RootKitRevealer from here:
    http://www.sysinternals.com/files/rootkitrevealer.zip
    Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see.
  • SILENT RUNNERS
  • Please right-click this link to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
  • Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

    *NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Edited by kool808, 09 September 2005 - 07:29 PM.


#6 tonygg (Topic Starter, 13 posts)

Thanks again for this super help.

Yes, Firefox (thank goodness) works perfectly, but IE...

Here is the RootkitRevealer log:

C:\Documents and Settings\TonyG\Application Data\Mozilla\Firefox\Profiles\p6nol2v2.default\Cache\09169791d01 9/9/2005 11:51 PM 60.32 KB Hidden from Windows API.
C:\Documents and Settings\TonyG\Application Data\Mozilla\Firefox\Profiles\p6nol2v2.default\Cache\5A78749Ad01 9/9/2005 11:49 PM 83.49 KB Hidden from Windows API.
C:\Documents and Settings\TonyG\Application Data\Mozilla\Firefox\Profiles\p6nol2v2.default\Cache\60C6EFD4d01 9/9/2005 11:47 PM 18.44 KB Hidden from Windows API.
C:\Documents and Settings\TonyG\Application Data\Mozilla\Firefox\Profiles\p6nol2v2.default\Cache\746454E6d01 9/9/2005 11:47 PM 55.98 KB Hidden from Windows API.
C:\Documents and Settings\TonyG\Application Data\Mozilla\Firefox\Profiles\p6nol2v2.default\Cache\7465E2B0d01 9/9/2005 11:46 PM 46.64 KB Hidden from Windows API.
C:\Documents and Settings\TonyG\Application Data\Mozilla\Firefox\Profiles\p6nol2v2.default\Cache\75C90D4Bd01 9/9/2005 11:52 PM 26.35 KB Hidden from Windows API.
C:\Documents and Settings\TonyG\Application Data\Mozilla\Firefox\Profiles\p6nol2v2.default\Cache\A3CC6654d01 9/9/2005 11:45 PM 37.22 KB Hidden from Windows API.
C:\Documents and Settings\TonyG\Application Data\Mozilla\Firefox\Profiles\p6nol2v2.default\Cache\B07E675Ad01 9/9/2005 11:51 PM 60.18 KB Hidden from Windows API.
C:\Documents and Settings\TonyG\Application Data\Mozilla\Firefox\Profiles\p6nol2v2.default\Cache\B17E675Ad01 9/9/2005 11:47 PM 60.80 KB Hidden from Windows API.
C:\Documents and Settings\TonyG\Application Data\Mozilla\Firefox\Profiles\p6nol2v2.default\Cache\B27E675Ad01 9/9/2005 11:49 PM 59.50 KB Hidden from Windows API.
C:\Documents and Settings\TonyG\Application Data\Mozilla\Firefox\Profiles\p6nol2v2.default\Cache\B417E180d01 9/9/2005 11:45 PM 69.52 KB Hidden from Windows API.
C:\Documents and Settings\TonyG\Application Data\Mozilla\Firefox\Profiles\p6nol2v2.default\Cache\D47E66ECd01 9/9/2005 11:46 PM 56.62 KB Hidden from Windows API.
C:\Documents and Settings\TonyG\Application Data\Mozilla\Firefox\Profiles\p6nol2v2.default\Cache\E3170285d01 9/9/2005 11:46 PM 25.79 KB Hidden from Windows API.
C:\Documents and Settings\TonyG\Application Data\Mozilla\Firefox\Profiles\p6nol2v2.default\Cache\F223376Bd01 9/9/2005 11:52 PM 115 bytes Hidden from Windows API.
C:\Documents and Settings\TonyG\Application Data\Mozilla\Firefox\Profiles\p6nol2v2.default\parent.lock 9/9/2005 11:45 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\TonyG\Local Settings\Temporary Internet Files\Content.IE5\Y0UMK6MJ\spdbupdate[1].htm 9/9/2005 11:44 PM 54 bytes Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 9/9/2005 11:40 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.

Here is the Silent Runners output:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NVMixerTray" = ""C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"" ["NVIDIA Corporation"]
"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (www.cmedia.com.tw)"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider"
\StubPath = "rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Tmas\sshook.dll" ["Trend Micro Incorporated"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
StuffIt Compress Menu\(Default) = "{3FBFD0B0-EB46-4797-9101-615610E87DA6}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Aladdin Systems\StuffIt\CompressMenu.dll" ["Aladdin Systems, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
BPS.Spyware.Adware.Remover\(Default) = "{7306D133-DBED-4096-84A3-8B98B23F02B4}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\BulletProofSoft.com\BPS Spyware & Adware Remover\ContextMenu.dll" ["BulletProofSoft.com"]
StuffIt Compress Menu\(Default) = "{3FBFD0B0-EB46-4797-9101-615610E87DA6}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Aladdin Systems\StuffIt\CompressMenu.dll" ["Aladdin Systems, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\TonyG\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "TonyG" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"SATARaid" -> shortcut to: "C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe" ["Silicon Image, Inc."]
"Trend Micro Anti-Spyware" -> shortcut to: "C:\Program Files\Trend Micro\Tmas\Tmas.exe -autostart" ["Trend Micro Incorporated"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 26
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{182EC0BE-5110-49C8-A062-BEB1D02A220B}\ = "Adobe PDF"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\Version = (invalid data)
The Internet Explorer version cannot be found!

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
The contents of IERESET.INF cannot be reliably checked!

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL="http://www.microsoft...r=6&ar=msnhome"
[Strings]: MS_START_PAGE_URL="http://www.microsoft...r=6&ar=msnhome"

Missing lines (compared with English-language version):
[Strings]: 2 lines


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Nero AG"]
IPv6 Helper Service, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 12 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 9 seconds.
---------- (total run time: 41 seconds)

#7 kool808 (Visiting Staff, 1,690 posts)

Please read here with regard to BPS Spyware & Adware Remover : http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please download the trial version of Ewido Security Suite 3.5 here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download and install Cleanup. Do NOT run it yet.

++++++++++++++++++++++++++++++++++
Reboot in SAFE MODE. (How to boot in Safe Mode...)
  • We need to uninstall the following programs:
    (NOTE: If one of the uninstallers wants to download stuff or needs an Internet connection, skip that one and report them to me.)
  • Go to Control Panel > Add/Remove Programs
  • Please locate the following, if it exists:

    • BPS Spyware & Adware Remover
  • Click Uninstall
  • Confirm with OK
Through Windows Explorer, delete the following folder(s) or file(s) if they exist (in red):
  • [EDITED] * Revised the fix, see below
Finally, Empty Recycle Bin

Open up NOTEPAD, then copy & paste the following code below (starting from REGEDIT4). Save it on the desktop as fixme.reg. When saving, choose 'All Files' as the file type.

REGEDIT4

[EDITED] * Revised the fix, see below

Now double-click fixme.reg then allow it to merge to the system.
(NOTE: You can delete this file afterwards.)

++++++++++++++++++++++++++++++++++
Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

++++++++++++++++++++++++++++++++++
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

When you click the Close button you will be prompted to reboot, agree to it.

++++++++++++++++++++++++++++++++++
Reboot back into NORMAL MODE.

Post a new HijackThis log as well as the report from Ewido.

[EDITED] * Revised the fix, see below

Edited by kool808, 10 September 2005 - 06:29 PM.


#8 tonygg (Topic Starter, 13 posts)

Cannot use Ewido, for it ONLY works with IE, which I cannot get to work.

Gee, is Aladdin, the maker of StuffIt, a bad guy?

#9 kool808 (Visiting Staff, 1,690 posts)

Hi Tonygg,

I also use Firefox; it works great for me. I am able to download it perfectly.
This is NOT the online scanner but rather the package-type installation.

I am sorry tonygg, my mistake due to very fast reading of the log. Aladdin is good; it is the BPS Spyware & Adware Remover I am referring to. If you have read it here http://www.spywarewa...nti-spyware.htm then you will be able to determine that it is bad.

(Disregard the previous fix with the registry editing and deleting stuff then follow the one below; and continue with the remaining steps of the previous post)
++++++++++++++++++++++++++++++
REVISED FIX:

Open up NOTEPAD, then copy & paste the following code below (starting from REGEDIT4). Save it on the desktop as fixme.reg. When saving, choose 'All Files' as the file type.

REGEDIT4

; Context-menu handler and CLSID registered by BPS Spyware & Adware Remover
; (key names as shown in the Silent Runners log posted above; regedit requires the full HKEY_* root names)
[-HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\BPS.Spyware.Adware.Remover]

[-HKEY_CLASSES_ROOT\CLSID\{7306D133-DBED-4096-84A3-8B98B23F02B4}]


Now double-click fixme.reg then allow it to merge to the system.
(NOTE: You can delete this file afterwards.)

++++++++++++++++++++++++++++++
Through Windows Explorer, delete the following folder(s) or file(s) if they exist (in red):
  • C:\Program Files\BulletProofSoft.com\ <-- whole folder
Finally, Empty Recycle Bin

Edited by kool808, 10 September 2005 - 06:26 PM.

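Both registry fixes in this thread (IEfix.reg in reply #5 and fixme.reg in reply #9) are applied by double-clicking, so a slip in the file either aborts the merge with a generic error or silently skips a key, and the person following the instructions has no way to tell which. The validator below is an added example written for this page, not code from the thread, from HijackThis or from Microsoft. It reads a REGEDIT4 or "Windows Registry Editor Version 5.00" file the way regedit will: a header line, `[key]` or `[-key]` sections whose root must be a full `HKEY_*` name, and `"name"=data` or `@=data` value lines whose data is a quoted string, `dword:`, `hex:` or `-`. The constructed sample reproduces the two mistakes that are easiest to make by hand, a value line with its name assigned twice and a key that uses the `HKLM` abbreviation, and `expand_roots` shows the one that can be repaired mechanically. The names `validate_reg`, `expand_roots` and `RegIssue` are chosen here and are not part of any tool.

```python
"""Validate and normalise REGEDIT4-style .reg files before merging them (added example)."""
import re
from dataclasses import dataclass
from typing import List

ROOTS = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
FULL_NAME = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
             "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS", "HKCC": "HKEY_CURRENT_CONFIG"}
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

_STRING = r'"(?:[^"\\]|\\.)*"'                     # quoted string with \" and \\ escapes
_VALUE = re.compile(rf'^(?P<name>@|{_STRING})\s*=\s*(?P<data>.*)$')
_DATA = re.compile(rf'^(?:{_STRING}|dword:[0-9A-Fa-f]{{8}}'
                   r'|hex(?:\([0-9A-Fa-f]+\))?:[0-9A-Fa-f, ]*\\?|-)$')
_HEX_CONT = re.compile(r'^[0-9A-Fa-f, ]*\\?$')      # continuation line of a multi-line hex: value
_KEY_ABBREV = re.compile(r'^\[(?P<del>-?)(?P<root>HKLM|HKCU|HKCR|HKU|HKCC)(?P<rest>\\[^\]]*)?\]$', re.M)


@dataclass
class RegIssue:
    lineno: int
    message: str
    text: str


def validate_reg(text: str) -> List[RegIssue]:
    """Report lines regedit would reject or silently misapply."""
    issues: List[RegIssue] = []
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        issues.append(RegIssue(1, "missing or unrecognised header line", lines[0] if lines else ""))
    current_key = None
    hex_continues = False
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if hex_continues:                      # still inside a hex: value split over lines
            if _HEX_CONT.match(line):
                hex_continues = line.endswith("\\")
                continue
            issues.append(RegIssue(n, "broken hex continuation", raw))
            hex_continues = False
        if not line or line.startswith(";"):   # blank lines and ; comments are ignored
            continue
        if line.startswith("["):
            if not line.endswith("]"):
                issues.append(RegIssue(n, "key line missing closing ]", raw))
                continue
            path = line[1:-1].lstrip("-")      # a leading - means "delete this key"
            root = path.split("\\", 1)[0]
            if root in FULL_NAME:
                issues.append(RegIssue(n, f"abbreviated root {root}: regedit needs {FULL_NAME[root]}", raw))
            elif root not in ROOTS:
                issues.append(RegIssue(n, f"unknown root key {root}", raw))
            current_key = path
            continue
        m = _VALUE.match(line)
        if not m:
            issues.append(RegIssue(n, 'neither a [key] nor a "name"=data line', raw))
            continue
        if current_key is None:
            issues.append(RegIssue(n, "value appears before any [key] section", raw))
        data = m.group("data")
        if not _DATA.match(data):
            issues.append(RegIssue(n, "malformed data (doubled name= or unterminated string?)", raw))
        hex_continues = data.startswith("hex") and data.endswith("\\")
    return issues


def expand_roots(text: str) -> str:
    """Rewrite [HKLM\\...] style key lines to the full HKEY_* names regedit requires."""
    return _KEY_ABBREV.sub(
        lambda m: f"[{m.group('del')}{FULL_NAME[m.group('root')]}{m.group('rest') or ''}]", text)


# Constructed sample: two valid sections plus the two hand-editing mistakes described above.
SAMPLE_REG = r'''REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Use Custom Search URL"= dword:00000000

[-HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ContextMenu.dll]

[-HKEY_CLASSES_ROOT\CLSID\{7306D133-DBED-4096-84A3-8B98B23F02B4}]
'''

if __name__ == "__main__":
    for issue in validate_reg(SAMPLE_REG):
        print(f"line {issue.lineno}: {issue.message}\n    {issue.text}")
```

On the sample this reports line 5 (the doubled `"Search Bar"=`) and line 10 (the `HKLM` root); after `expand_roots` only line 5 remains, which has to be fixed by hand because the validator cannot know which of the two strings was intended. Whitespace around `=` is accepted as written here; that is a choice of this validator, not a statement about what every regedit version tolerates.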

#10 tonygg (Topic Starter, 13 posts)

Thanks again for all of your efforts. Unfortunately, I tried all of your suggestions and still cannot get IE to open any webpages! I have tried to uninstall IE. In the Add/Remove sector, I only get the chance to repair; all others are grayed out. However, I get the message that it cannot be repaired and must be reinstalled. I try to reinstall and I get the message that a newer version is already there and setup cannot continue.

I went to the MS website and got a regedit repair for when that message appears about a newer version. I reboot and get the message that IE has been uninstalled, and it asks if I would like my personal choices removed. I say yes and then go to reinstall IE. The installer goes through the motions and asks for a reboot. I reboot. The system comes back up and I go to IE. IE comes up, but if I try to go to a web address, the hourglass stays on forever without ever going to the desired spot. I check if I am online; I am. Firefox works great, but IE just sits there.


#11 kool808 (Visiting Staff)
hi tonygg,

Is this the MS article you followed: http://support.microsoft.com/default.aspx?kbid=318378

Then follow this: http://www.dougknox.com/xp/tips/xp_ie_reinstall.htm

+++++++++++++++++++++++++++++++++
Please download WebRoot SpySweeper from [ HERE ] (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.


#12 tonygg (Topic Starter)
Yes, I was using the Microsoft procedure. However, the other method resulted in the same. IE still will not open any web pages.

Here is the log from Spy Sweeper

********
10:24 PM: |··· Start of Session, Saturday, September 10, 2005 ···|
10:24 PM: Spy Sweeper started
10:24 PM: Sweep initiated using definitions version 531
10:24 PM: Starting Memory Sweep
10:26 PM: Memory Sweep Complete, Elapsed Time: 00:01:31
10:26 PM: Starting Registry Sweep
10:26 PM: Registry Sweep Complete, Elapsed Time:00:00:04
10:26 PM: Starting Cookie Sweep
10:26 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:26 PM: Starting File Sweep
10:26 PM: Warning: Failed to read file "c:\windows\temp\perflib_perfdata_1dc.dat". System Error. Code: 32.
The process cannot access the file because it is being used by another process
10:27 PM: Warning: Failed to read file "c:\documents and settings\tonyg\local settings\temp\perflib_perfdata_8ec.dat". System Error. Code: 32.
The process cannot access the file because it is being used by another process
10:30 PM: File Sweep Complete, Elapsed Time: 00:03:52
10:30 PM: Full Sweep has completed. Elapsed time 00:05:30
10:30 PM: Traces Found: 0
********
10:24 PM: |··· Start of Session, Saturday, September 10, 2005 ···|
10:24 PM: Spy Sweeper started
10:24 PM: |··· End of Session, Saturday, September 10, 2005 ···|

#13 kool808 (Visiting Staff)
hi tonygg,

I will consult our tech staff members about this as there are no signs of malware. For the moment, can you run the Ewido tool and make a report? :tazz:

#14 kool808 (Visiting Staff)
hi tonygg,

Let us try this out. Thanks to my mates who helped me out. :tazz:

1. Quit all programs that are running.
2. Click Start, and then click Run.
3. Type or paste this entry: regsvr32 urlmon.dll
4. Then click OK.
5. When you receive the "DllRegisterServer in urlmon.dll succeeded" message, click OK. Then repeat for all the following:
regsvr32 scrrun.dll
regsvr32 msxml.dll
regsvr32 mshtml.dll
regsvr32 shdocvw.dll
regsvr32 browseui.dll
regsvr32 actxprxy.dll
regsvr32 Shdocvw.dll
regsvr32 Actxprxy.dll
regsvr32 Oleaut32.dll
regsvr32 Shell32.dll

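The same re-registration as a script, added here as an example rather than something from kool808's post or the Microsoft procedure. Before calling regsvr32 on each DLL it confirms the file is actually in System32 and records its Authenticode status, skipping any file whose embedded signature no longer matches its contents (HashMismatch, the signature of a patched binary); it then captures regsvr32's exit code instead of relying on the success dialog. The two names that appear twice in the list (Shdocvw.dll, Actxprxy.dll) are collapsed. It assumes PowerShell is installed and the prompt is elevated.

```powershell
# Added example: re-register the shell/IE COM servers listed above with basic checks.
# Many system DLLs are catalog-signed rather than embedded-signed, so 'NotSigned' is reported
# but not treated as a failure; only a HashMismatch (file tampered after signing) stops registration.

$dlls = 'urlmon.dll', 'scrrun.dll', 'msxml.dll', 'mshtml.dll', 'shdocvw.dll',
        'browseui.dll', 'actxprxy.dll', 'oleaut32.dll', 'shell32.dll' | Select-Object -Unique

function Register-SystemDll {
    param([string[]]$Names)

    $sys32 = Join-Path $env:SystemRoot 'System32'
    foreach ($name in $Names) {
        $path = Join-Path $sys32 $name

        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Dll = $name; Status = 'missing'; ExitCode = $null; Signature = $null }
            continue
        }

        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -eq 'HashMismatch') {
            [pscustomobject]@{ Dll = $name; Status = 'skipped: file modified after signing'; ExitCode = $null; Signature = $sig.Status }
            continue
        }

        # /s suppresses the DllRegisterServer dialog. Exit codes documented for regsvr32:
        # 0 success, 1 bad argument, 2 OleInitialize failed, 3 LoadLibrary failed,
        # 4 DllRegisterServer export not found, 5 DllRegisterServer returned an error.
        $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList '/s', "`"$path`"" -Wait -PassThru

        [pscustomobject]@{
            Dll       = $name
            Status    = if ($proc.ExitCode -eq 0) { 'registered' } else { 'failed' }
            ExitCode  = $proc.ExitCode
            Signature = $sig.Status
        }
    }
}

Register-SystemDll -Names $dlls | Format-Table -AutoSize
```

A row showing exit code 3 or 4 points at a DLL that could not be loaded or lacks the export, which is a more useful clue than a silent hang in IE; a row showing "missing" means the reinstall did not restore that file.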

#15 tonygg (Topic Starter)
Thanks again for your help, I really appreciate it. However, the problem goes on....

All of the DLLs registered, but IE still will not respond to any web addresses...including using Ewido