Post #1 - Mar 8 2007, 07:47 PM
pogo666 (Member; Group: Members; Posts: 18; Joined: 8-March 07; Member No.: 116,250)
The HJT scan included: R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =; and R3 - Default URLSearchHook is missing. I checked those boxes, clicked FIX and rebooted. I did another HJT scan and discovered that the R0 and R3 were still present. Actually I repeated the process several times. In the registry, I located the KEY with the R3 ... - Default URLSearchHook is missing, but received the error message ... Cannot open URLSearchHooks: Error while opening key. Do I have problems? I don't know. The R0 and R3 are troubling to me. Please advise.

SYSTEM DESCRIPTION
Dell Dimension E310
OS Name: Microsoft Windows XP Professional XP Media Center Edition 2005 with Rollup 2
Version: 5.1.2600 Service Pack 2 Build 2600
OS Manufacturer: Microsoft
System Manufacturer: Dell Inc.
System Model: Dell DV051
System Type: X86-based PC
Processor: X86 Family Model 4 Stepping 9 GenuineIntell~3059 Mhz
Processor: X86 Family Model 4 Stepping 9 GenuineIntell~3059 Mhz
BIOS Version/Date: Dell Inc. A04, 4/4/2006
SMBIOS Version: 2.3
Total Physical Memory: 1,024,00 MB
Available Physical Memory: 654.42 MB
Total Virtual Memory: 2.00 GB
Available Virtual Memory: 1.96 GB
Security software: Kaspersky Internet Security v6, Windows Defender, Spyware Blaster, Ad-Ware SE, Spybot S&D, AVG Anti-Spyware

Logfile of HijackThis v1.99.1
Scan saved at 4:11:12 PM, on 3/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/downloads/toolbar/webinstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

What is GUIDED MODE OFF, and GUIDED MODE ON? This is my first attempt at this ... after years of fears. My butt is tired, but you guys and gals will make it all worthwhile. Thanks!

This post has been edited by pogo666: Mar 9 2007, 12:47 AM
Post #2 - Mar 9 2007, 10:53 AM
Falu (Forum Addict; Group: Security Colleague; Posts: 2,974; Joined: 13-May 05; Member No.: 19,948)
Hi pogo666,

We're studying your log and will be back to you a.s.a.p. Thanks for your patience.
Post #3 - Mar 9 2007, 12:56 PM
pogo666 (Member; Group: Members; Posts: 18; Joined: 8-March 07; Member No.: 116,250)
I just spotted this. Thanks for responding to my post.

I forgot to mention in my original post, I have used all of the virus/malware scanners several times. The results have all been "clean". I am very patient, so take your time. Thanks!

This post has been edited by pogo666: Mar 9 2007, 01:17 PM
Post #4 - Mar 9 2007, 07:42 PM
pogo666 (Member; Group: Members; Posts: 18; Joined: 8-March 07; Member No.: 116,250)
I am still learning how to use this system of communicating.

I have been working on my problem most of the day. I found something interesting. Symantec has a description of a virus they call Adware.lefeats. It has to do with "URLMissingSearchHooks." If you wish to look at the description use this URL: http://www.symantec.com/security_response/...-99&tabid=2

After a quick read, I searched the registry for, and found, one of the entries made by Adware.lefeats. I stopped my research to let you know what I had found. I will continue to pursue this direction for awhile, but will make no changes before hearing from you. Well, if I am very confident, I may make a change or two.

Pogo
Post #5 - Mar 9 2007, 08:25 PM
pogo666 (Member; Group: Members; Posts: 18; Joined: 8-March 07; Member No.: 116,250)
I downloaded the Adware.lefeats Removal Tool from Symantec.

Bottom line: It found nothing. I will push on.

Pogo
Post #6 - Mar 10 2007, 04:37 AM
Falu (Forum Addict; Group: Security Colleague; Posts: 2,974; Joined: 13-May 05; Member No.: 19,948)
Hi pogo666,

Welcome to BleepingComputer Forums and thanks again for your patience.

1. Let's start with your questions:

> QUOTE: This is my first attempt at this ... after years of fears. My butt is tired, but you guys and gals will make it all worthwhile. Thanks!

We certainly will do our best. One thing is for sure however: no need to have fears!!!!

> QUOTE: Nothing changes when I FIX R values

To begin with: those entries are harmless and don't represent malware. The reason they came back is most likely caused by your real-time protection which may block fixing them.

> QUOTE: What is GUIDED MODE OFF, and GUIDED MODE ON?

When in Guided Mode the forum software automatically adds bold tags straight onto text by using the 'B' button for example, or allowing the user to italicise certain text by highlighting it and pressing the 'I' button. Basically it makes inputting text a lot easier for the user. Guided Mode is set as 'on' as default.

3. So we need to disable some of your real-time protection: Windows Defender and AVG-AntiSpyware as they may interfere with the fixes that we need to make.

> Windows Defender:
Open Windows Defender. Click on Tools, General Settings. Scroll down and uncheck Turn on real-time protection (recommended). After you uncheck this, click on the Save button and close Windows Defender. You may re-enable it again when your computer is clean; I will let you know!

> AVG AntiSpyware:
* Launch AVG Anti-Spyware.
* From the "Status" menu, select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
* Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
* Next, go to Start > Run and type: services.msc
* Press "OK".
* Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
* When you find the guard service, double-click on it.
* In the Properties Window > General Tab that opens, click the "Stop" button.
* From the drop-down menu next to "Startup Type", click on "Manual".
* Now click "Apply", then "OK" and close the Services window.

4. Download ATF Cleaner by Atribune. Do not run it yet.

5. Reboot and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

6. Run HijackThis, click Scan and checkmark the following entries:

The R0-entry is a specific tweak to prevent the 'links'-folder from being recreated once it has been removed, so normally it's best to leave this entry. If you're the only one working on this computer and you have set it as it is, you may fix it.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

The next entry is related to SpySweeper which I don't see present anymore on your computer so you may fix this one as well:

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\

HijackThis may report an error, you may neglect that and click 'continue'. Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

7. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

8. Reboot to go back into Normal mode.

9. You're using an outdated version of Java (latest one is Java Runtime Environment (JRE) 6.0). Older versions have vulnerabilities that malware can use to infect your system. Please update and remove the older versions. Do the following:
Post #7 - Mar 10 2007, 03:42 PM
pogo666 (Member; Group: Members; Posts: 18; Joined: 8-March 07; Member No.: 116,250)
Falu, thanks for getting back to me again.

I have done the following.
> Disable Windows Defender real time protection: DONE.
> Disable AVG Anti-Spyware: I have the free version. The Resident Shield and Automatic Updates options are grayed out ... not available for changing. AVG isn't showing in the System Tray. When I open it, I see no "Start with Windows". I made your recommended changes in the "run services.msc window". Bottom line: it is my belief that AVG Anti-spyware will remain inactive until I activate it manually.
> Download ATF Cleaner ... DONE
> Boot to Safe Mode ... DONE
> Run HJT ...
> Checkmark R0, R3, O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\ ; Press FIX ... DONE
> Run ATF-Cleaner; Empty ALL ... DONE
> Reboot to Normal mode ... DONE
> Uninstall old Java ... DONE
> Install Java Runtime Environment (JRE) 6.0 ... DONE
> Reboot and run HJT w/log ... DONE
> Most recent HJT log

Logfile of HijackThis v1.99.1
Scan saved at 11:51:46 AM, on 3/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/downloads/toolbar/webinstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

I have a single home computer and am not involved with a local network.

Question: Are there some of the Running Processes that could safely be turned off until they are required?

Thanks again for providing your time and expertise.

pogo
Post #8 - Mar 11 2007, 05:03 PM
Falu (Forum Addict; Group: Security Colleague; Posts: 2,974; Joined: 13-May 05; Member No.: 19,948)
Hi pogo666,

1. QUOTE: Somewhere I read how to insert images into the messages I send you. Now I can't find those instructions ... and I need them. Can you help me out?

Do you mean to add a screenshot?

2. QUOTE: I found that while writing a reply to you there is a lot of cutting & pasting, previewing the reply, running HJT and a whole bunch of other activities. Too often while jumping from one activity to another, I lost some of what I had already written. On a couple of occasions I lost everything, and had to start over. Is there a way to prevent this?

You can use Notepad or another text editor to prepare your reply and then copy/paste it in your post here at the forum.

3. QUOTE: Are there some of the Running Processes that could safely be turned off until they are required?

No, since you still have Windows Defender and AVG disabled. On second thought disable Kaspersky as well before running the regedit. You can do this by right clicking on the icon in the taskbar and selecting Exit. When the fixes have been done, you can reopen Kaspersky by the icon which should be on your desktop. Alternatively you may have to reboot.

4. Open Notepad and copy and paste the following text in the codebox into it (starting with "Windows Registry Editor"):

CODE
Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Please reboot and post a fresh HijackThis log for review.
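As an added example for this thread (it is not code from Falu, HijackThis or Bleeping Computer), the PowerShell below shows what the R3 line and the fix.reg above operate on: it lists every URLSearchHook CLSID registered under the HKCU and HKLM keys, resolves each to the COM server DLL behind it, and prints the key's access list, since regedit's "Error while opening key" means the current account cannot read the key. It assumes Windows PowerShell 5.1 or later and that {CFBFAE00-17A6-11D0-99CB-00C04FD64497} is the CLSID of the stock Microsoft URL Search Hook whose absence HijackThis reports.

```powershell
# Added example, not code from the thread or from HijackThis.
# Lists Internet Explorer URLSearchHook registrations and their backing DLLs,
# then shows who may read or change the hook key. Assumes Windows PowerShell 5.1+.

# Assumption: CLSID of the stock Microsoft URL Search Hook. HijackThis reports
# "R3 - Default URLSearchHook is missing" when this entry is absent.
$DefaultHookClsid = '{CFBFAE00-17A6-11D0-99CB-00C04FD64497}'

# The two places IE reads hooks from; the fix.reg in the thread deletes the first.
$HookKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks',
    'HKLM:\Software\Microsoft\Internet Explorer\URLSearchHooks'
)

function Resolve-ClsidServer {
    # A URLSearchHook is a COM object; its DLL path is the (default) value of
    # CLSID\{clsid}\InprocServer32 under the machine or per-user classes root.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in 'HKLM:\Software\Classes', 'HKCU:\Software\Classes') {
        $key = Join-Path $root "CLSID\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            # GetValue('') reads the (default) value and expands %windir%-style names.
            return (Get-Item -LiteralPath $key).GetValue('')
        }
    }
    return $null
}

function Get-UrlSearchHookReport {
    # One row per registered hook (the value *names* under the key are the CLSIDs),
    # or one row describing why the key yielded nothing.
    foreach ($keyPath in $HookKeys) {
        try {
            $item = Get-Item -LiteralPath $keyPath -ErrorAction Stop
        } catch [System.Management.Automation.ItemNotFoundException] {
            [pscustomobject]@{ Key = $keyPath; Clsid = ''; Server = ''; Status = 'key does not exist' }
            continue
        } catch {
            # Same condition regedit reports as "Error while opening key".
            [pscustomobject]@{ Key = $keyPath; Clsid = ''; Server = ''; Status = "cannot open: $($_.Exception.Message)" }
            continue
        }
        $names = @($item.GetValueNames())
        if ($names.Count -eq 0) {
            [pscustomobject]@{ Key = $keyPath; Clsid = ''; Server = ''; Status = 'no hooks registered' }
            continue
        }
        foreach ($clsid in $names) {
            $server = Resolve-ClsidServer -Clsid $clsid
            $status = if ($clsid -ieq $DefaultHookClsid) { 'default Microsoft hook' }
                      elseif (-not $server) { 'CLSID has no registered server' }
                      elseif (-not (Test-Path -LiteralPath $server)) { 'server DLL missing on disk' }
                      else { 'third-party hook: verify publisher' }
            [pscustomobject]@{ Key = $keyPath; Clsid = $clsid; Server = $server; Status = $status }
        }
    }
}

function Show-UrlSearchHookAcl {
    # A Deny entry, or no Read right for the current account, explains an
    # "Error while opening key" when the key is opened in regedit.
    foreach ($keyPath in $HookKeys) {
        if (Test-Path -LiteralPath $keyPath) {
            Write-Host "ACL for $keyPath"
            (Get-Acl -Path $keyPath).Access |
                Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize
        }
    }
}

Get-UrlSearchHookReport | Format-Table -AutoSize
Show-UrlSearchHookAcl
```

Run it before and after merging fix.reg: the HKCU row should change from whatever it listed to "key does not exist", and any hook whose Status is not "default Microsoft hook" is the one to research before deciding whether it belongs.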
Post #10 - Mar 12 2007, 03:53 PM
pogo666 (Member; Group: Members; Posts: 18; Joined: 8-March 07; Member No.: 116,250)
Thanks for answering my questions.

I will study that which you have provided and practice accordingly. I used care while following your instructions. The results are below.

Logfile of HijackThis v1.99.1
Scan saved at 12:49:39 PM, on 3/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/downloads/toolbar/webinstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
Post #11 - Mar 13 2007, 12:24 PM
Falu (Forum Addict; Group: Security Colleague; Posts: 2,974; Joined: 13-May 05; Member No.: 19,948)
Hi pogo666,

1. Disable Kaspersky again: right click on the icon in the taskbar and select Exit. When the fixes have been done, you can reopen Kaspersky by the icon which should be on your desktop. Alternatively you may have to reboot.

2. Reboot and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

3. Run HijackThis, click Scan and checkmark the following entries:

R3 - Default URLSearchHook is missing

Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

Reboot and post a fresh HijackThis log!
Post #12 - Mar 13 2007, 01:39 PM
pogo666 (Member; Group: Members; Posts: 18; Joined: 8-March 07; Member No.: 116,250)
Hi Falu,

The following is a portion of the HijackThis log created when I ran HJT from within SAFE MODE. It verifies what was running at the time. Per your instructions, I checkmarked R3 and clicked FIX CHECKED.

------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:36:26 AM, on 3/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
--------------------------------------------------------------------------------------------------------

The following is the full HijackThis log created after a re-boot. Of course, I was in WINDOWS then.

Logfile of HijackThis v1.99.1
Scan saved at 10:58:28 AM, on 3/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/downloads/toolbar/webinstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

Thank you, again.
Post #13, Mar 13 2007, 05:49 PM
Forum Addict, Group: Security Colleague, Posts: 2,974, Joined: 13-May 05, Member No.: 19,948
Hi pogo666,
Probably I wasn't clear enough, so I'll summarise what I want you to do and then give instructions: you must disable all of your realtime protection (Windows Defender, AVG and Kaspersky), reboot into Safe mode, fix the entries, reboot into Normal mode and finally run HijackThis and post a new log; if this doesn't work I suggest you let the R3-entry where it is since it's absolutely harmless.

1. Please disable your realtime protection:

> Windows Defender: Open Windows Defender. Click on Tools, General Settings. Scroll down and uncheck Turn on real-time protection (recommended). After you uncheck this, click on the Save button and close Windows Defender.

> AVG AntiSpyware:
* Launch AVG Anti-Spyware.
* From the "Status" menu, select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
* Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
* Next, go to Start > Run and type: services.msc
* Press "OK".
* Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
* When you find the guard service, double-click on it.
* In the Properties Window > General Tab that opens, click the "Stop" button.
* From the drop-down menu next to "Startup Type", click on "Manual".
* Now click "Apply", then "OK" and close the Services window.

> Kaspersky: right click on the icon in the taskbar and select Exit. When the fixes have been done, you can reopen Kaspersky by the icon which should be on your desktop. Alternatively you may have to reboot.

2. Reboot and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

3. Run HijackThis, click Scan and checkmark the following entry:
R3 - Default URLSearchHook is missing

I repeat my explanation relating to the R0-entry again: the R0-entry is a specific tweak to prevent the 'links'-folder from being recreated once it has been removed, so normally it's best to leave this entry.

I understand that you're the only one working on this computer. Since you mentioned in your first post that you tried to fix the entry, I conclude that you didn't set the tweak. If this is true, checkmark this entry as well:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

Close all browsers and windows, except for HijackThis, and click the Fix Checked button; close HijackThis! Reboot to go back into Normal mode and post a new HijackThis log!
Post #14, Mar 15 2007, 04:42 PM
Member, Group: Members, Posts: 18, Joined: 8-March 07, Member No.: 116,250
Good day Falu,
I believe I did everything per your instructions. Below is a partial HJT log generated from within SAFE MODE before FIX CHECKED was run.

Logfile of HijackThis v1.99.1
Scan saved at 11:32:34 AM, on 3/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
-------------------------------------------------------------------------

I see the "C:\Program Files\Windows Defender\MsMpEng.exe" entry in the Running Processes. Why is it running? I don't know. Did it interfere with the FIX? I don't know.

While within SAFE MODE I:
1. Check marked R3 ... FIXED. Ran HJT ... no change.
2. Check marked R0 ... FIXED; Ran HJT ... no change.
3. Check marked R0 and R3 ... FIXED; Ran HJT ... no change.

It would seem there is no need to send you the HJT log generated in NORMAL MODE, for there were no changes made to the registry.

For now, I will accept your suggestion, and "let the R3-entry where it is since it's absolutely harmless." I will attempt to discover why this particular registry change cannot be made; if that in itself is problematic; and correct that problem if need be. If you come up with other suggestions, please let me give it a try.

Thanks for working with me on this, Falu. You have, at a very high level, demonstrated many qualities and skills necessary to excel in this field ... and most others. That which you do, you do in an exemplary fashion.

Au revoir
pogo666
Post #15, Mar 16 2007, 06:20 PM
Forum Addict, Group: Security Colleague, Posts: 2,974, Joined: 13-May 05, Member No.: 19,948
Hi pogo666,
QUOTE
Thanks for working with me on this, Falu. You have, at a very high level, demonstrated many qualities and skills necessary to excel in this field ... and most others. That which you do, you do in an exemplary fashion.

Thanks for your kind words and you're very welcome.

QUOTE
For now, I will accept your suggestion, and "let the R3-entry where it is since it's absolutely harmless." I will attempt to discover why this particular registry change cannot be made; if that in itself is problematic; and correct that problem if need be. If you come up with other suggestions, please let me give it a try.

If you don't mind I would like to try the following, just to be sure:

1. Please disable your realtime protection:

> Windows Defender: Open Windows Defender. Click on Tools, General Settings. Scroll down and uncheck Turn on real-time protection (recommended). After you uncheck this, click on the Save button and close Windows Defender.

> AVG AntiSpyware:
* Launch AVG Anti-Spyware.
* From the "Status" menu, select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
* Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
* Next, go to Start > Run and type: services.msc
* Press "OK".
* Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
* When you find the guard service, double-click on it.
* In the Properties Window > General Tab that opens, click the "Stop" button.
* From the drop-down menu next to "Startup Type", click on "Manual".
* Now click "Apply", then "OK" and close the Services window.

> Kaspersky: right click on the icon in the taskbar and select Exit. When the fixes have been done, you can reopen Kaspersky by the icon which should be on your desktop. Alternatively you may have to reboot.

2. Open Notepad and copy and paste the following text in the codebox into it (starting with "Windows Registry Editor"):

CODE
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
"LinksFolderName"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Reboot and post a fresh HijackThis log!
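A way to look at the two HKCU locations behind the R0 and R3 lines directly, so that "the fix did not take" can be told apart from "the key cannot be opened" (the regedit error reported earlier in the thread). This is an added example, not from the thread, from Falu or from HijackThis; the function names are mine, and the script only reads the registry and changes nothing.

```powershell
# Added diagnostic (not from the thread or from HijackThis): read the two HKCU
# locations behind the R0 and R3 lines and report why a fix may not be sticking.
$toolbarPath = 'Software\Microsoft\Internet Explorer\Toolbar'
$hooksPath   = 'Software\Microsoft\Internet Explorer\URLSearchHooks'

function Test-LinksFolderName {
    # R0 line: HJT reports "LinksFolderName =" when the value exists but is empty.
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($toolbarPath)
    if ($null -eq $key) { return 'Toolbar key absent' }
    try {
        $value = $key.GetValue('LinksFolderName', $null)
        if ($null -eq $value)  { 'LinksFolderName absent (fix.reg "=-" already applied)' }
        elseif ($value -eq '') { 'LinksFolderName present but empty (matches the R0 line)' }
        else                   { "LinksFolderName = '$value'" }
    } finally { $key.Close() }
}

function Test-UrlSearchHooks {
    # R3 line: OpenSubKey returns $null for a key that does not exist but throws when
    # the user may not read it; that second case is regedit's "Error while opening key".
    try {
        $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($hooksPath)
    } catch {
        return "URLSearchHooks exists but cannot be opened: $($_.Exception.Message)"
    }
    if ($null -eq $key) { return 'URLSearchHooks key absent' }
    try {
        $names = @($key.GetValueNames())
        if ($names.Count -eq 0) { return 'URLSearchHooks present but holds no hook values' }
        foreach ($name in $names) { "URLSearchHooks hook: $name = $($key.GetValue($name))" }
    } finally { $key.Close() }
}

function Show-UrlSearchHooksAcl {
    # Owner and access entries on the key: a Deny entry for the current user, or an
    # owner other than the user, explains a key that will not open or delete.
    try {
        $acl = Get-Acl -Path "HKCU:\$hooksPath" -ErrorAction Stop
        "Owner: $($acl.Owner)"
        foreach ($ace in $acl.Access) {
            '  {0,-5} {1,-30} {2}' -f $ace.AccessControlType, $ace.IdentityReference, $ace.RegistryRights
        }
    } catch {
        "ACL not readable: $($_.Exception.Message)"
    }
}
Test-LinksFolderName
Test-UrlSearchHooks
Show-UrlSearchHooksAcl
```

Run it once before merging fix.reg and once after; if the URLSearchHooks key reports "cannot be opened", the .reg merge will not remove it either and the key's permissions are what needs attention.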