A stubborn regenerating HKCU entry

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by TidaGuy, Oct 6, 2005.

  1. TidaGuy

    TidaGuy Private E-2

    I've posted a HJT scan of my computer here a few times in the past, and the results were extremely positive, thanks to the help of great people here. I do have, however, an extremely stubborn and recurring problem that I've tried to resolve myself, but to no avail. Whenever I scan with HJT, an entry appears in the R1 (Start/Search pages) line in the HKCU category. I continually "fix" it with HJT, but it continues to regenerate after each reboot. I've tried to remove it by navigating to it in REGEDIT as well, but with the same eventual conclusion. I know for a fact that it's a non-legit entry, as determined in this forum in the past. Any help in permanently removing this pest would be appreciated.

    I've done all required in the READ THIS FIRST post in order to post a HJT scan, so if needed, I can post the most recent one. Thanks again.

    Windows 98SE
    160MbRAM
    56K Modem
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Go ahead and post your HJT log as an attachment.
     
  3. TidaGuy

    TidaGuy Private E-2

    Here's an example of how stubborn this thing is... after reading your post, I logged off to create a HJT scan. Nothing. It wasn't there. So I rebooted... nothing. I logged back in and scanned while online and bam... there it is. "Jimandali", by the way, was a deceased website that was brought back to life by somebody via apparent mirroring... NEVER should have clicked on that link. Nevertheless, here's the scan. Let me know if there are any other items that may need to be fixed in the scan as long as it's posted, and again, my apologies for scanning while online... only choice I had for the moment.
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your log shows no signs of having completed any of the steps in the READ ME First.

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans? Were you unable to download any of the tools? Did you do the on-line scans as suggested?

    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis

    Also complete the instructions in this thread:

    Running Ewido Security Suite

    Once completed post both the Ewido and HijackThis logs as attachments.

     
  5. TidaGuy

    TidaGuy Private E-2

    First, my apologies for not getting back promptly. Secondly, my apologies for not being smart enough to realize that the READ ME FIRST section was updated with new material since my last post.

    OK, the Ewido tool could not be used because it's telling me I need Windows 2000. I did, however, perform all the other scans and used all the tools, and each one was clean... no viruses or adware.

    I'm posting 2 HJT logs... one is OFFLINE in normal mode after having performed all the scans. The other is ONLINE after having performed the scans. I posted both due to the fact that the pesky Proxy Override entry (jimandali) seems to only show up when online.
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now come back here and post all three logs as attachments and a fresh HJT log, you will need to do 2 posts to attach all 4 logs.
     
  7. TidaGuy

    TidaGuy Private E-2

    My apologies for the delayed reply. The scans took quite some time to perform, particularly on dial-up. Here are the first two... second two to follow.
     

    Attached Files:

    • file.txt
    • log.txt
  8. TidaGuy

    TidaGuy Private E-2

    And the final two...
     

    Attached Files:

  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox


    Make sure you have done the following:
    How to view hidden, system files & folders!

    Now scan and have HJT Fix the following:
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)

    Now run CCleaner

    Now reboot in normal mode and post a new HJT log; and tell us how things are working.
     
  10. TidaGuy

    TidaGuy Private E-2

    Did I mention how stubborn this thing was?....

    I performed the tasks you mentioned. I had HJT fix the entries you had listed. KillBox took care of all the files you had listed except for C:\WINDOWS\iLookup; I deleted that entire folder myself. Rebooted in NORMAL mode and did a HJT scan. Still present, unfortunately. Here's the scan.
     

    Attached Files:

  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - CWShredder ......No installation required! Just unzip it to a folder.

    Have HijackThis fix the following:
    Now reboot to Safe Mode and run CWShredder -
    Make sure you select Fix

    Reboot to Normal Mode and post a fresh HijackThis log.
     
  12. TidaGuy

    TidaGuy Private E-2

    Ok.... logged off to NORMAL mode and used HJT to fix the issues listed. I then rebooted to SAFE mode and scanned with CWShredder, which found nothing. Rebooted to NORMAL mode and rescanned with HJT, which will be posted here as "highjackthis11". I then went ONLINE and rescanned with HJT, which will be posted here as "highjackthis12".
     

    Attached Files:

  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Double-check your LAN Settings under Network Connections in the Control Panel to make sure you don't have Connect with Proxy and Proxy Override enabled.
     
  14. TidaGuy

    TidaGuy Private E-2

    Went to Control Panel/ Internet Options/ Connections/ LAN Settings and both the Automatic Configuration boxes (Automatically detect settings) and (Use automatic configuration script) are NOT checked. Also, under Proxy Server, the (Use proxy server) box was NOT checked as well, which does not apply to dial-up connections anyway.

    In the Automatic Configuration category, it tells me that using Auto Config may override my proxy, so to prevent this, do not check the boxes, which they are NOT.

    The word "stubborn" comes to mind once again...
     
  15. TidaGuy

    TidaGuy Private E-2

    Forgot to ask in last post... should I delete the backup logs that are saved in HJT, particularly the entry that's causing us problems?
     
  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yes, you can delete the back up logs.

    Download the following two files, create a folder on your desktop, and call it TSC. Save these 2 files there!

    Sysclean Package
    Pattern.zip

    Unzip Pattern.zip, then delete the zip file.

    Once you have these downloaded into the folder you just created, REBOOT INTO SAFE MODE!

    Once in Safe Mode, double click the file sysclean.com; when system cleaner loads, click SCAN to start the scanner.
     
  17. TidaGuy

    TidaGuy Private E-2

    Did as instructed, and GOOD GOD that's a loooong scan. I wanted to save a log file, but it wouldn't allow me in any capacity. Nevertheless, it found 0 viruses total. I rebooted back to NORMAL mode, ran HJT.... aaaaaand, well....
     

    Attached Files:

  18. TidaGuy

    TidaGuy Private E-2

    Going to call it a night tonight... will be back after work... around 5ish. Can't thank you enough for your efforts thus far.
     
  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    From Safe Mode run Regedit, navigate to the following key:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

    In the right window locate ProxyEnable; if the value isn't 0, change the value to 0. Now locate ProxyServer and ProxyOverride and delete them.

    Reboot to Normal Mode and post a fresh HijackThis log.
     
  20. TidaGuy

    TidaGuy Private E-2

    The value of ProxyEnable was indeed 0, and I navigated and deleted both ProxyServer and ProxyOverride (which had the Jimandali entry) in SAFE mode. Rebooted to NORMAL mode and scanned with HJT (#14). Went online, did a scan (#15) and I think you know the words to the rest of this song....
     

    Attached Files:

  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  22. TidaGuy

    TidaGuy Private E-2

    Here's the startup list:
     

    Attached Files:

  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Hoster
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.
     
  24. TidaGuy

    TidaGuy Private E-2

    Ok... done. Reboot? HJT scan?
     
  25. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    HJT show the same lines?
     
  26. TidaGuy

    TidaGuy Private E-2

    Yes... this is a HJT scan without a reboot and ONLINE, right after the Hoster:
     

    Attached Files:

  27. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download and Install
    - Registrar Lite

    Run Registrar Lite

    Paste HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run into the Address bar and then click Go. Click-on Edit in the file menu, select Select All. Click-on File in the file menu, select Export. Give the file a name and save to your desktop. Right-click the reg file and select edit, paste the contents of the file in your next reply.
     
  28. TidaGuy

    TidaGuy Private E-2

    I'll go ahead and post the file contents here instead of the usual manner:

    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
     
  29. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    There's nothing under the registry key.

    Do the same thing for HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
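    Post 19 names the values under Internet Settings that decide whether the browser is redirected (ProxyEnable, ProxyServer, ProxyOverride), and posts 27 to 30 export the two Run keys as REGEDIT4 text for review. As an added example, not part of this thread and not code from HijackThis, Registrar Lite or any other tool named here, the Python script below parses such a .reg export offline and reports what the helper checked by hand: proxy values that should not be present on a direct connection, and the autostart entries under both Run keys. The sample export, the host name hijack.example, the path C:\EXAMPLE and the SampleBinary value are all constructed for the example; AutoConfigURL is the value behind the "Use automatic configuration script" box mentioned in post 14.

```python
import re

# Registry locations discussed in the thread. Key and value names are
# case-insensitive on Windows, so lookups below ignore case.
INTERNET_SETTINGS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)

# One value line: the default value (@) or a quoted name, then '=' and the data.
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg strings double every backslash and escape embedded double quotes.
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Parse a REGEDIT4 / 'Windows Registry Editor' export into {key: {name: data}}."""
    keys = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        # hex(...) data may be wrapped over several lines ending with a backslash
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue  # header lines such as REGEDIT4, or text outside any key
        name = "(default)" if m.group(1) is None else _unescape(m.group(1))
        raw = m.group(2).strip()
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            data = _unescape(raw[1:-1])      # REG_SZ
        elif raw.lower().startswith("dword:"):
            data = int(raw[6:], 16)          # REG_DWORD, stored as hex in the file
        elif raw.lower().startswith("hex"):
            body = raw.split(":", 1)[1]      # hex: / hex(2): / hex(7): ...
            data = bytes(int(b, 16) for b in body.split(",") if b.strip())
        else:
            data = raw
        keys[current][name] = data
    return keys


def _find_key(keys, wanted):
    for k, values in keys.items():
        if k.lower() == wanted.lower():
            return values
    return None


def _get(values, wanted):
    for n, v in values.items():
        if n.lower() == wanted.lower():
            return v
    return None


def audit(reg_text):
    """Report proxy settings that can redirect a browser and list autostart entries."""
    keys = parse_reg(reg_text)
    findings = []
    inet = _find_key(keys, INTERNET_SETTINGS) or {}
    enabled = _get(inet, "ProxyEnable")
    if enabled not in (0, None):
        findings.append("ProxyEnable=%r: browser traffic goes through ProxyServer" % enabled)
    # On a direct (no-proxy) connection none of these should carry data; a
    # host name left in ProxyOverride is exactly the leftover this thread chased.
    for name in ("ProxyServer", "ProxyOverride", "AutoConfigURL"):
        data = _get(inet, name)
        if data:
            findings.append("%s=%r set although no proxy is expected on a direct connection" % (name, data))
    autostart = {}
    for run_key in RUN_KEYS:
        values = _find_key(keys, run_key)
        if values is not None:
            autostart[run_key] = {n: v for n, v in values.items() if v and n != "(default)"}
    return {"proxy_findings": findings, "autostart": autostart}


# Constructed sample export (not one of the thread's attachments): ProxyEnable is 0,
# but ProxyOverride still carries a host name; HKCU\...\Run is empty as in post 29.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"ProxyOverride"="hijack.example;<local>"
"SampleBinary"=hex:4d,5a,\
  90,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
@=""
"AVG7_CC"="C:\\EXAMPLE\\avgcc.exe /STARTUP"
"""

if __name__ == "__main__":
    report = audit(SAMPLE_REG)
    for finding in report["proxy_findings"]:
        print("PROXY:", finding)
    for key, entries in report["autostart"].items():
        print(key, "->", entries or "(empty)")
```

    Run it against the text Registrar Lite or REGEDIT exports; the script only reads the file, so deleting a flagged value is still a manual step taken in Safe Mode as the thread describes.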
     
  30. TidaGuy

    TidaGuy Private E-2

    Here it is:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\(default)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\AVG7_AMSVR
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\AVG7_CC
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Microsoft Works Update Detection
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\StillImageMonitor
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SystemTray
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\TaskMonitor
     
  31. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I can't find anything that would be causing those entries. How do you connect to the internet? Does your ISP require special connection software?
     
  32. TidaGuy

    TidaGuy Private E-2

    No sir. No special software. All I can tell you is it was a link to a dead website that had been apparently mirrored, and I clicked on this link over a year ago. It's puzzling me to no end due to the fact that it only seems to regenerate upon dialing up to the internet. I suppose the only cure is temporary fixits with HJT every time I log in. Wish I had more info to give.
     
  33. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    It's somehow tied to your dial-up connection settings. Try this: delete your connection under Dial-Up connections, reboot, and create a new dial-up connection.
     
  34. TidaGuy

    TidaGuy Private E-2

    I'm assuming I can do this in Control Panel somehow?
     
  35. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    My Computer -> Dial-Up Networking
     
  36. TidaGuy

    TidaGuy Private E-2

    Before I call it a night after trying this, there is a conflict in Device Manager involving the Wave Device for Modem.... there's actually 2 of them... identical. Not sure if this is part of the problem, but thought it was interesting.
     
  37. TidaGuy

    TidaGuy Private E-2

    Under MODEMS, there's DSI D-F-VV.90 D13635 and the other is the same number but with a #2 after it. The first one is listed under COM4 and the #2 modem is listed under COM1. If I'm not mistaken, no modem I've ever hooked up has been under COM1.... perhaps I'm wrong though.
     
  38. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    This will explain Wave Device better than I can http://www.modemsite.com/56k/wave.asp

    I would uninstall the Wave Device and the modem drivers, remove the modem from the computer, and reboot. Shut down, reinstall the modem, reboot, then reinstall the drivers.
     
  39. TidaGuy

    TidaGuy Private E-2

    Alright.... I'll give it a shot. Consider this a "cliff-hanger", and I'll check back in tomorrow to post results. You've been a huge help and thanks for your continued patience.
     
