
Registry Values


32 replies to this topic

#1 pogo666

pogo666

  • Members
  • 18 posts

Posted 08 March 2007 - 07:47 PM

I recently un-installed several Dell crapware applications from my computer. Also I installed Acrobat Reader 8, then un-installed Acrobat Reader 7. I decided to un-install Acrobat Reader 8 and re-install AR 7. I used CCleaner, RegCleaner and EasyClean Reg Cleaner to remove leftover traces after each un-install. Things seem to have gone smoothly enough, but then I did a HJT scan.

The HJT scan included: R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =; and R3 - Default URLSearchHook is missing. I checked those boxes, clicked FIX and rebooted.

I did another HJT scan and discovered that the R0 and R3 were still present. Actually I repeated the process several times.

In the registry, I located the KEY with the R3 ... - Default URLSearchHook is missing, but received the error message ... Cannot open URLSearchHooks: Error while opening key.

Do I have problems? I don't know. The R0 and R3 are troubling to me.
Please advise.


SYSTEM DESCRIPTION
Dell Dimension E310
OS Name Microsoft Windows XP Professional
XP Media Center Edition 2005 with Rollup 2
Version 5.1.2600 Service Pack 2 Build 2600
OS Manufacturer Microsoft
System Manufacturer Dell Inc.
System Model Dell DV051
System Type X86-based PC
Processor X86 Family Model 4 Stepping 9 GenuineIntel ~3059 Mhz
Processor X86 Family Model 4 Stepping 9 GenuineIntel ~3059 Mhz
BIOS Version/Date Dell Inc. A04, 4/4/2006
SMBIOS Version 2.3
Total Physical Memory 1,024.00 MB
Available Physical Memory 654.42 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB


Kaspersky Internet Security v6
Windows Defender
Spyware Blaster
Ad-Ware SE
Spybot S&D
AVG Anti-Spyware


Logfile of HijackThis v1.99.1
Scan saved at 4:11:12 PM, on 3/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/downloads/toolbar/webinstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


What is GUIDED MODE OFF, and GUIDED MODE ON?

This is my first attempt at this ... after years of fears. My butt is tired, but you guys and gals will make it all worth while. Thanks!

Edited by pogo666, 09 March 2007 - 12:47 AM.




#2 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 09 March 2007 - 10:53 AM

Hi pogo666, :flowers:

We're studying your log and will be back to you a.s.a.p.

Thanks for your patience. :thumbsup:

#3 pogo666

pogo666
  • Topic Starter

  • Members
  • 18 posts

Posted 09 March 2007 - 12:56 PM

I just spotted this. Thanks for responding to my post.
I forgot to mention in my original post, I have used all of the virus/malware scanners several times. The results have all been "clean".
I am very patient, so take your time.

Thanks!

Edited by pogo666, 09 March 2007 - 01:17 PM.


#4 pogo666

pogo666
  • Topic Starter

  • Members
  • 18 posts

Posted 09 March 2007 - 07:42 PM

I am still learning how to use this system of communicating.
I have been working on my problem most of the day. I found something interesting. Symantec has a description of a virus they call Adware.lefeats. It has to do with "URLMissingSearchHooks."
If you wish to look at the description use this URL: http://www.symantec.com/security_response/...-99&tabid=2

After a quick read, I searched the registry for, and found, one of the entries made by Adware.lefeats. I stopped my research to let you know what I had found.

I will continue to pursue this direction for awhile, but will make no changes before hearing from you.
Well, if I am very confident, I may make a change or two.

Pogo

#5 pogo666

pogo666
  • Topic Starter

  • Members
  • 18 posts

Posted 09 March 2007 - 08:25 PM

I downloaded the Adware.lefeats Removal Tool from Symantec.
Bottom line: It found nothing.

I will push on.

Pogo

#6 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 10 March 2007 - 04:37 AM

Hi pogo666, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

1. Let's start with your questions:

> This is my first attempt at this ... after years of fears. My butt is tired, but you guys and gals will make it all worth while. Thanks!


We certainly will do our best. One thing is for sure however: no need to have fears!!!!

> Nothing changes when I FIX R values


To begin with: those entries are harmless and don't represent malware. The reason they came back is most likely caused by your real-time protection which may block fixing them.

> What is GUIDED MODE OFF, and GUIDED MODE ON?


When in Guided Mode the forum software automatically adds bold tags straight onto text by using the 'B' button for example, or allowing the user to italicise certain text by highlighting it and pressing the 'I' button. Basically it makes inputting text a lot easier for the user. Guided Mode is set as 'on' as default.

3. So we need to disable some of your real-time protection: Windows Defender and AVG-AntiSpyware as they may interfere with the fixes that we need to make.

> Windows Defender:

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

You may re-enable it again when your computer is clean; I will let you know!

> AVG AntiSpyware:

* Launch AVG Anti-Spyware.
* From the "Status" menu, select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
* Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
* Next, go to Start > Run and type: services.msc
* Press "OK".
* Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
* When you find the guard service, double-click on it.
* In the Properties Window > General Tab that opens, click the "Stop" button.
* From the drop-down menu next to "Startup Type", click on "Manual".
* Now click "Apply", then "OK" and close the Services window.

4. Download ATF Cleaner by Atribune. Do not run it yet.

5. Reboot and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

6. Run HijackThis, click Scan and checkmark the following entries:

The R0-entry is a specific tweak to prevent the 'links'-folder from being recreated once it has been removed, so normally it's best to leave this entry. If you're the only one working on this computer and you have set it as it is, you may fix it.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing


The next entry is related to SpySweeper which I don't see present anymore on your computer so you may fix this one as well:

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\

HijackThis may report an error, you may neglect that and click 'continue'.

Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

7. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

8. Reboot to go back into Normal mode.

9. You're using an outdated version of Java (latest one is Java Runtime Environment (JRE) 6.0). Older versions have vulnerabilities that malware can use to infect your system. Please update and remove the older versions. Do the following:
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )

    Select it and click Remove.
  • Then Download and install the newest version from here:

    Java Runtime Environment (JRE) 6.0
Please reboot and post a fresh HijackThis log!

#7 pogo666

pogo666
  • Topic Starter

  • Members
  • 18 posts

Posted 10 March 2007 - 03:42 PM

Falu, thanks for getting back to me again.
I have done the following.

>Disable Windows Defender real time protection:
DONE.

>Disable AVG Anti-Spyware:
I have the free version. The Resident Shield and Automatic Updates options are grayed out ... not available for changing.

AVG isn't showing in the System Tray. When I open it, I see no "Start with Windows".
I made your recommended changes in the "run services.msc window".
Bottom line: it is my belief that AVG Anti-spyware will remain inactive until I activate it manually.

>Download ATF Cleaner ... DONE

>Boot to Safe Mode ... DONE

>Run HJT ... >Checkmark
R0
R3
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\
Press FIX ... DONE


>Run ATF-Cleaner; Empty ALL ... DONE

>Reboot to Normal mode ... DONE

>Uninstall old Java ... DONE
>Install Java Runtime Environment (JRE) 6.0 ... DONE

>Reboot and run HJT w/log ... DONE

>Most recent HJT log

Logfile of HijackThis v1.99.1
Scan saved at 11:51:46 AM, on 3/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/downloads/toolbar/webinstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


I have a single home computer and am not involved with a local network.
Question: Are there some of the Running Processes that could safely be turned off until they are required?

Thanks again for providing your time and expertise.
pogo
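A way to check and compare logs like the two posted so far, as an added example that is not code from the thread or from HijackThis: it parses HJT entry lines, flags entries whose file is reported missing or whose path is a bare directory (as with the WRNotifier line), and diffs two logs so you can see what a fix actually changed. The two sample logs are excerpts constructed from the logs in posts #1 and #7; the regular expressions and the flagging rules are this example's own assumptions about the log format, not anything HijackThis documents.

```python
"""Parse HijackThis (HJT) logs, flag doubtful entries and diff two logs.

Added example, not code from the thread or from HijackThis. The two logs
below are excerpts constructed from the logs posted earlier in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# e.g. "O9 - Extra button: (no name) - {CLSID} - C:\path\file.dll (file missing)"
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+)\s+-\s+(?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A file path starts with a drive letter or an environment variable such as %windir%.
FILE_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%[^%]+%\\)")


@dataclass(frozen=True)
class HjtEntry:
    code: str           # section code: R0, R3, O2, O4, O9, O20, O23 ...
    text: str           # the full log line
    clsid: str | None   # first CLSID on the line, upper-cased
    path: str | None    # file path HJT reports for the entry
    file_missing: bool  # HJT appended "(file missing)"


def _path_of(rest: str) -> str | None:
    # HJT puts the file in the last " - " field; O4 lines use "[name] path".
    tail = rest.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
    if "] " in tail:
        tail = tail.split("] ", 1)[1]
    return tail if FILE_PATH_RE.match(tail) else None


def parse_hjt(log: str) -> list[HjtEntry]:
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # header lines and the "Running processes" list
        rest = m.group("rest")
        clsid = CLSID_RE.search(rest)
        entries.append(HjtEntry(
            code=m.group("code"), text=line,
            clsid=clsid.group(0).upper() if clsid else None,
            path=_path_of(rest), file_missing="(file missing)" in rest))
    return entries


def review(entries: list[HjtEntry]) -> list[tuple[str, str, str]]:
    """(code, reason, line) for entries that point at nothing or at a bare directory."""
    findings = []
    for e in entries:
        if e.file_missing:
            findings.append((e.code, "referenced file missing", e.text))
        elif e.path is not None and e.path.endswith("\\"):
            findings.append((e.code, "path is a directory, no DLL named", e.text))
        elif e.code == "R3" and "missing" in e.text:
            findings.append((e.code, "default URLSearchHook absent", e.text))
    return findings


def diff_logs(before: str, after: str) -> tuple[list[str], list[str], list[str]]:
    """Entry lines removed, added and kept between two logs (process lists ignored)."""
    b = {e.text for e in parse_hjt(before)}
    a = {e.text for e in parse_hjt(after)}
    return sorted(b - a), sorted(a - b), sorted(a & b)


# Constructed excerpt of the log in post #1.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
"""

# Constructed excerpt of the log in post #7, after the first round of fixes.
AFTER_LOG = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
"""

if __name__ == "__main__":
    for code, reason, line in review(parse_hjt(BEFORE_LOG)):
        print(f"[{code}] {reason}: {line}")
    removed, added, kept = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", *removed, "added:", *added, "still present:", *kept, sep="\n  ")
```

Run as-is it lists the four entries in the first log that deserve a look (R3, the two "(file missing)" lines and the WRNotifier directory-only path) and shows that the round of fixes removed the old Java 1.4.2 entries and WRNotifier, added the Java 6 entries, and left R0 and R3 in place. The "still present" list is the quickest way to confirm whether a fix took; it does not judge whether an entry is malicious, only whether it changed.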

#8 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 March 2007 - 05:03 PM

Hi pogo666, :thumbsup:

1.

> Somewhere I read how to insert images into the messages I send you.
> Now I can't find those instructions ... and I need them. Can you help me out?


Do you mean to add a screenshot?

2.

> I found that while writing a reply to you there is a lot of cutting & pasting, previewing the reply, running HJT and a whole bunch of other activities. Too often while jumping from one activity to another, I lost some of what I had already written. On a couple of occasions I lost everything, and had to start over.

Is there a way to prevent this?


You can use Notepad or another text editor to prepare your reply and then copy/paste it in your post here at the forum.

3.

> Are there some of the Running Processes that could safely be turned off until they are required?


No, since you still have Windows Defender and AVG disabled. On second thought disable Kaspersky as well before running the regedit. You can do this by right clicking on the icon in the taskbar and selecting Exit. When the fixes have been done, you can reopen Kaspersky by the icon which should be on your desktop. Alternatively you may have to reboot.

4. Open Notepad and copy and paste the following text in the codebox into it (starting with "Windows Registry Editor"):

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Please reboot and post a fresh HijackThis log for review.
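A `[-Key]` line in a .reg file deletes that key with every subkey and value under it, so before merging a file like fix.reg it is worth previewing exactly what it will do, and exporting the key first (regedit's File > Export, or `reg export`) so it can be restored. The script below is an added example, not code from the thread: it parses a "Windows Registry Editor Version 5.00" file and lists each action it would perform. FIX_REG is the file from the post above; EXAMPLE_REG is a constructed sample with a hypothetical key and values, added only to exercise the value-set and value-delete cases. Multi-line hex(...) values and the older REGEDIT4 header are not handled and are rejected rather than guessed at.

```python
"""Preview the actions a .reg file will perform before merging it.

Added example, not from the thread. Accepts only the "Windows Registry Editor
Version 5.00" format regedit writes; comment lines start with ";".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

HEADER = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r"^\[(?P<delete>-)?(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


@dataclass(frozen=True)
class RegAction:
    key: str
    op: str                  # create_key, delete_key, set_value, delete_value
    name: str | None = None  # value name; "(Default)" for "@"
    data: str | None = None  # raw data field, e.g. dword:00000001 or "..."


def preview_reg(text: str) -> list[RegAction]:
    lines = [l.strip() for l in text.splitlines()]
    body = [l for l in lines if l and not l.startswith(";")]
    if not body or body[0] != HEADER:
        raise ValueError(f"expected first line {HEADER!r}, got {body[:1]!r}")
    actions: list[RegAction] = []
    current: str | None = None
    for line in body[1:]:
        if m := KEY_RE.match(line):
            current = m.group("key")
            actions.append(RegAction(current, "delete_key" if m.group("delete") else "create_key"))
        elif m := VALUE_RE.match(line):
            if current is None:
                raise ValueError(f"value line before any [key] line: {line}")
            name = "(Default)" if m.group("name") == "@" else m.group("name")[1:-1]
            data = m.group("data")
            if data == "-":
                actions.append(RegAction(current, "delete_value", name))
            else:
                actions.append(RegAction(current, "set_value", name, data))
        else:
            # Continued hex(...) lines land here too; refuse rather than misreport.
            raise ValueError(f"unrecognised line: {line}")
    return actions


def describe(actions: list[RegAction]) -> list[str]:
    out = []
    for a in actions:
        if a.op == "delete_key":
            out.append(f"DELETE KEY (and every subkey and value under it): {a.key}")
        elif a.op == "create_key":
            out.append(f"create/open key: {a.key}")
        elif a.op == "delete_value":
            out.append(f"delete value {a.name!r} in {a.key}")
        else:
            out.append(f"set value {a.name!r} = {a.data} in {a.key}")
    return out


# The fix.reg from the post above.
FIX_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"""

# Constructed sample (hypothetical key and values, not from the thread).
EXAMPLE_REG = r"""Windows Registry Editor Version 5.00

; illustration only
[HKEY_CURRENT_USER\Software\Example]
"Hook"="C:\\Program Files\\Example\\hook.dll"
"Stale"=-
@=dword:00000001
"""

if __name__ == "__main__":
    for line in describe(preview_reg(FIX_REG)) + describe(preview_reg(EXAMPLE_REG)):
        print(line)
```

For fix.reg the preview is a single line: a whole-key delete of HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks. That is what makes the earlier backup worth taking: once merged, any hook CLSIDs stored under that key, legitimate or not, are gone together.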

#9 pogo666

pogo666
  • Topic Starter

  • Members
  • 18 posts

Posted 12 March 2007 - 03:26 PM




#10 pogo666

pogo666
  • Topic Starter

  • Members
  • 18 posts

Posted 12 March 2007 - 03:53 PM

Thanks for answering my questions.
I will study that which you have provided and practice accordingly.

I used care while following your instructions. The results are below.

Logfile of HijackThis v1.99.1
Scan saved at 12:49:39 PM, on 3/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/downloads/toolbar/webinstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

#11 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 13 March 2007 - 12:24 PM

Hi pogo666, :thumbsup:

1. Disable Kaspersky again: right click on the icon in the taskbar and select Exit. When the fixes have been done, you can reopen Kaspersky by the icon which should be on your desktop. Alternatively you may have to reboot.

2. Reboot and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

3. Run HijackThis, click Scan and checkmark the following entries:

R3 - Default URLSearchHook is missing

Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

Reboot and post a fresh HijackThis log!

#12 pogo666

pogo666
  • Topic Starter

  • Members
  • 18 posts

Posted 13 March 2007 - 01:39 PM

Hi Falu,

The following is a portion of the HijackThis log created when I ran HJT from within SAFE MODE.
It verifies what was running at the time.
Per your instructions, I checkmarked R3 and clicked FIX CHECKED.

------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:36:26 AM, on 3/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

--------------------------------------------------------------------------------------------------------

The following is the full Hijackthis log created after a re-boot. Of course, I was in WINDOWS then.

Logfile of HijackThis v1.99.1
Scan saved at 10:58:28 AM, on 3/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/downloads/toolbar/webinstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

Thank you, again.

#13 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:30 AM

Posted 13 March 2007 - 05:49 PM

Hi pogo666, :thumbsup:

Probably I wasn't clear enough so I'll summarise what I want you to do and then give instructions: you must disable all of your realtime protection (Windows Defender, AVG and Kaspersky), reboot into Safe mode, fix the entries, reboot into Normal mode and finally run HijackThis and post a new log;
if this doesn't work I suggest you let the R3-entry where it is since it's absolutely harmless.

1. Please disable your realtime protection:

> Windows Defender:

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

> AVG AntiSpyware:

* Launch AVG Anti-Spyware.
* From the "Status" menu, select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
* Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
* Next, go to Start > Run and type: services.msc
* Press "OK".
* Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
* When you find the guard service, double-click on it.
* In the Properties Window > General Tab that opens, click the "Stop" button.
* From the drop-down menu next to "Startup Type", click on "Manual".
* Now click "Apply", then "OK" and close the Services window.

> Kaspersky: right click on the icon in the taskbar and select Exit. When the fixes have been done, you can reopen Kaspersky by the icon which should be on your desktop. Alternatively you may have to reboot.

2. Reboot and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

3. Run HijackThis, click Scan and checkmark the following entry:

R3 - Default URLSearchHook is missing

I repeat my explanation, relating to the R0-entry, again: The R0-entry is a specific tweak to prevent the 'links'-folder from being recreated once it has been removed, so normally it's best to leave this entry. I understand that you're the only one working on this computer. Since you mentioned in your first post that you tried to fix the entry I conclude that you didn't set the tweak. If this is true checkmark this entry as well:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

Reboot to go back into Normal mode and post a new HijackThis log!

#14 pogo666

pogo666
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 15 March 2007 - 04:42 PM

Good day Falu,

I believe I did everything per your instructions.

Below is a partial HJT log generated from within SAFE MODE before FIX CHECKED was run.

Logfile of HijackThis v1.99.1
Scan saved at 11:32:34 AM, on 3/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
-------------------------------------------------------------------------

I see the "C:\Program Files\Windows Defender\MsMpEng.exe" entry in the Running Processes. Why is it running? I don't know. Did it interfere with the FIX? I don't know.

While within SAFE MODE I:
1. Check marked R3 ... FIXED. Ran HJT ... no change.
2. Check marked R0 ... FIXED; Ran HJT ... no change.
3. Check marked R0 and R3 ... FIXED; Ran HJT ... no change.

It would seem there is no need to send you the HJT log generated in NORMAL MODE, for there were no changes made to the registry.

For now, I will accept your suggestion, and "let the R3-entry where it is since it's absolutely harmless." I will attempt to discover why this particular registry change cannot be made; if that in itself is problematic; and correct that problem if need be. If you come up with other suggestions, please let me give it a try.

Thanks for working with me on this, Falu. You have, at a very high level, demonstrated many qualities and skills necessary to excel in this field ... and most others. That which you do, you do in an exemplary fashion.

Au revoir

pogo666

#15 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:30 AM

Posted 16 March 2007 - 06:20 PM

Hi pogo666, :thumbsup:

Thanks for working with me on this, Falu. You have, at a very high level, demonstrated many qualities and skills necessary to excel in this field ... and most others. That which you do, you do in an exemplary fashion.


Thanks for your kind words and you're very welcome.

For now, I will accept your suggestion, and "let the R3-entry where it is since it's absolutely harmless." I will attempt to discover why this particular registry change cannot be made; if that in itself is problematic; and correct that problem if need be. If you come up with other suggestions, please let me give it a try.


If you don't mind I would like to try the following, just to be sure:

1. Please disable your realtime protection:

> Windows Defender:

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

> AVG AntiSpyware:

* Launch AVG Anti-Spyware.
* From the "Status" menu, select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
* Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
* Next, go to Start > Run and type: services.msc
* Press "OK".
* Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
* When you find the guard service, double-click on it.
* In the Properties Window > General Tab that opens, click the "Stop" button.
* From the drop-down menu next to "Startup Type", click on "Manual".
* Now click "Apply", then "OK" and close the Services window.

> Kaspersky: right click on the icon in the taskbar and select Exit. When the fixes have been done, you can reopen Kaspersky by the icon which should be on your desktop. Alternatively you may have to reboot.

2. Open Notepad and copy and paste the following text in the codebox into it (starting with "Windows Registry Editor"):

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
"LinksFolderName"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Reboot and post a fresh HijackThis log!
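As an added example (not code from the thread or from any of the tools it mentions), here is a small Python dry-run reader for a .reg file like the fix.reg above: it lists what merging the file would do ("Name"=- deletes one value, [-Key] deletes a whole key) without touching the registry, which is a sensible check before double-clicking any .reg file someone sends you. FIX_REG is a constructed copy of the post's two entries.

```python
"""Dry-run reader for a Regedit 5.00 .reg file (added example, not from the thread).

Reports what a .reg file will do when merged:
  [-Key]          deletes the key and all its subkeys
  "Name"=-        deletes a single value under the current key
  "Name"="text"   sets a REG_SZ value (other types are only flagged)
"""
import re

# Constructed sample: the same two operations as the fix.reg in the post.
FIX_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
"LinksFolderName"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
'''

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
# Either a quoted value name (with escaped quotes allowed) or @ for the default value.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def reg_actions(text):
    """Return a list of (action, key, value_name, data) tuples for a .reg file."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("Windows Registry Editor Version"):
        raise ValueError("not a Regedit 5.00 export: missing header line")
    actions, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1) == "-":         # [-Key]: delete the key
                actions.append(("delete_key", key, None, None))
                key = None                # no values may follow a key deletion
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("unexpected line outside a key: %r" % raw)
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(3)
        if data == "-":                   # "Name"=-: delete the value
            actions.append(("delete_value", key, name, None))
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            actions.append(("set_string", key, name, data[1:-1]))
        else:                             # hex:, dword: etc. are reported, not decoded
            actions.append(("set_other", key, name, data))
    return actions


if __name__ == "__main__":
    for action in reg_actions(FIX_REG):
        print(*action)
```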



