Cleaned spysheriff & secure32.html but still in trouble

Discussion in 'Malware Help (A Specialist Will Reply)' started by mariecle, Dec 31, 2005.

  1. mariecle

    mariecle Private E-2

    Hi Guys,

    Just to start thank you for all your help so far, I have followed the spyware cleanup procedure in the "Before you ask for help", but unfortunately I am still in trouble.

    I originally had spyware sheriff and paytime.exe (secure32.htm) problems. I cleared these and found out I had CoolWWWSearch about:blank. Followed the steps, and the scans say I am still infected.

    I work on a Dell 510M laptop with Windows XP Home Edition Service Pack 2 installed.

    Results of the steps are as follows:

    - Step 0: clean installed software: could not remove Search Extender and Shopping Wizard. I am supposed to download an uninstaller, but the PC security prevents it.

    - Step 1 - Shut off System Restore: not done, as I am still seeing problems.

    - Step 2 - DONE

    - Step 3 - My only anti-virus is EZ Antivirus (I uninstalled Norton).

    - Step 4 - DONE

    - Step 5 - All in SAFE MODE - Wireless Network disabled.

    Ran Ad-Aware: it worked only in Safe Mode; in normal mode it froze at 40% (deep registry scan). Identified CoolWWWSearch and some MRUs; removed them all.

    Ran Spybot: Found and fixed CoolWWWSearchIELinks

    Microsoft AntiSpyware: came back with a clean result.

    CWShredder: No infection found

    Windows Malicious Software Removal Tool: no malicious software found.

    Step 6:
    - BitDefender scan: reported 3 viruses and deleted 723 files. End-of-scan result: computer still infected.

    - Panda ActiveScan: 15 spyware detected. Could not access the log due to the laptop resolution in Safe Mode.

    HijackThis log below:
    • Edit by bjgarrick: Unrequested, Inline HJT log removed!
    Any help welcome, I am at a loss. Thanks so much!
     
    Last edited by a moderator: Dec 31, 2005
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I need the Panda log and the Bit Defender log.

    Please see the below thread on how to install and run Ewido Security Suite.

    Running Ewido Security Suite ...
     
  3. mariecle

    mariecle Private E-2

    Hi BJGarrik, Happy New Year!

    Thanks for the advice on Ewido. I ran the scan and it has at least partially cleaned the CoolSearch about:blank; unfortunately scans with BitDefender and Panda ActiveScan still show infection. I attach the logs here; if you cannot get them, let me know if you want me to mail them to you.

    The new HJT log after Ewido scan is also attached.

    Many thanks.
    Mariecle
     

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download ADS Spy, save to your desktop.

    Once you have downloaded this utility, extract the contents and double-click "ADSSpy.exe" to run the utility. Once the utility has loaded, make sure the first 2 boxes are checked. Now click "Scan the system for alternate data streams" and remove any that are found.


    After you complete the above, please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    • Click START > My Computer > Local Disk (C:) > Program Files
    • Now, Right Click on an Empty Area and select New > Folder & name it HijackThis and ENTER
    To Extract HijackThis:
    • Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    • (C:\Program Files\HJT) and click Next.

    After you have completed the above steps to relocate HJT, run it from the new location. Please save your HJT log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.
     
  5. mariecle

    mariecle Private E-2

    Hi BJGarrick,

    Thanks for the follow up.

    I have run ADS Spy and removed 36 alternate data streams (including one occurrence of secure32.html). Attached is the requested HJT log in .txt format. Let me know what you want me to do next.

    Thanks again for all your help.

    Cheers,
    mariecle
     

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {18294F8D-6F9D-D77F-49D8-87964829337F} - C:\WINDOWS\system32\apitm.dll (file missing)
    O2 - BHO: Class - {452F1EE7-C91B-B623-8E14-7CE36CAC51A7} - C:\WINDOWS\system32\adduo32.dll (file missing)
    O2 - BHO: Class - {9D7AD1A1-D86E-4CC3-76A8-49207E8BA72B} - C:\WINDOWS\javatx32.dll (file missing)

    O4 - HKLM\..\Run: [sdkto.exe] C:\WINDOWS\system32\sdkto.exe
    O4 - HKLM\..\Run: [ieyy.exe] C:\WINDOWS\system32\ieyy.exe
    O4 - HKLM\..\Run: [apidb32.exe] C:\WINDOWS\system32\apidb32.exe
    O4 - HKLM\..\Run: [sysze32.exe] C:\WINDOWS\system32\sysze32.exe
    O4 - HKLM\..\Run: [apipc.exe] C:\WINDOWS\system32\apipc.exe
    O4 - HKLM\..\Run: [crdl32.exe] C:\WINDOWS\crdl32.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the viewing of hidden files & folders enabled, navigate to the following, and DELETE them if they still remain:

    C:\WINDOWS\crdl32.exe

    C:\WINDOWS\system32\sdkto.exe

    C:\WINDOWS\system32\ieyy.exe

    C:\WINDOWS\system32\apidb32.exe

    C:\WINDOWS\system32\sysze32.exe

    C:\WINDOWS\system32\apipc.exe

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    After you complete the above, reboot to normal Windows and proceed with the below...

    Reset Web Settings & Default Security Settings:

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Reset Security Settings to Default:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Finally, I would like you to Flush your System Restore Points. Please follow the instructions in this link --->Disable and Re-enable System Restore
    • First, turn OFF System Restore to flush any bad Restore Points.
    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.

    After you complete the above, reboot and attach a fresh HJT log.
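The post above is a manual triage of a HijackThis log: tick the R0/R1 entries pointing at about:blank (or blanked), the missing URLSearchHook, the BHOs whose DLL is already gone, and the unrecognised O4 Run entries, then delete the executables those Run entries launch, because HJT only removes the registry value. The following is an added example of that triage as a script; it is not code from the thread, from MajorGeeks or from HijackThis. The sample log is constructed from entries quoted in the post plus one benign ctfmon.exe line, and the KNOWN_GOOD_RUN allowlist and classification rules are this example's own assumptions, not HJT's.

```python
"""Triage HijackThis (HJT) log lines the way the helper in this thread did.

Added example: not code from the thread, from MajorGeeks or from HijackThis.
The sample log is constructed from entries quoted in the thread plus one
benign ctfmon.exe line; the rules and the KNOWN_GOOD_RUN allowlist are this
example's own assumptions.
"""
import re
from typing import NamedTuple


class Entry(NamedTuple):
    kind: str   # HJT section code: R0, R1, R3, O2, O4, ...
    body: str   # text after "Rn - " / "On - "
    raw: str    # the full line, exactly as the user would tick it in HJT


# Every HJT entry starts with a section code, a dash and the entry body.
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# O4 bodies look like "HKLM\..\Run: [value name] C:\path\program.exe".
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$")

# Run entries treated as normal on this box. Assumption for the example; a
# real allowlist (or a lookup against a known-files database) is far larger.
KNOWN_GOOD_RUN = {"ctfmon.exe"}

# Constructed sample: entries from the thread plus a benign ctfmon.exe line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {18294F8D-6F9D-D77F-49D8-87964829337F} - C:\WINDOWS\system32\apitm.dll (file missing)
O4 - HKLM\..\Run: [sdkto.exe] C:\WINDOWS\system32\sdkto.exe
O4 - HKLM\..\Run: [crdl32.exe] C:\WINDOWS\crdl32.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def parse_hjt(text):
    """Return the R*/O* entries in an HJT log, skipping headers and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["kind"], m["body"], line))
    return entries


def classify(entry, known_good_run=KNOWN_GOOD_RUN):
    """Return a reason string if the entry should be ticked in HJT, else None."""
    if entry.kind in ("R0", "R1"):
        # "key,value = data"; the data part may be empty ("Start Page =").
        key, _, value = entry.body.partition("=")
        key, value = key.strip(), value.strip()
        if key.endswith("ProxyOverride") and value:
            return "ProxyOverride entry (ticked in the thread)"
        if value.lower() in ("", "about:blank"):
            return "IE start/search page hijacked to about:blank or blanked"
        return None
    if entry.kind == "R3" and "missing" in entry.body:
        return "default URLSearchHook removed"
    if entry.kind == "O2" and "(file missing)" in entry.body:
        return "orphaned BHO registration (DLL already deleted)"
    if entry.kind == "O4":
        m = RUN_RE.search(entry.body)
        if m and m["path"].rsplit("\\", 1)[-1].lower() not in known_good_run:
            return "unrecognised autostart program"
    return None


def triage(text, known_good_run=KNOWN_GOOD_RUN):
    """Split a log into lines to tick in HJT and files to delete in Safe Mode."""
    fix, delete = [], []
    for e in parse_hjt(text):
        reason = classify(e, known_good_run)
        if reason is None:
            continue
        fix.append((e.raw, reason))
        if e.kind == "O4":
            # HJT only removes the Run value; the executable itself must be
            # deleted by hand (Safe Mode, hidden files shown), as in the thread.
            delete.append(RUN_RE.search(e.body)["path"])
    return {"fix": fix, "delete": delete}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Tick in HijackThis:")
    for raw, reason in result["fix"]:
        print(f"  {raw}\n      -> {reason}")
    print("Delete in Safe Mode:")
    for path in result["delete"]:
        print(f"  {path}")
```

The allowlist check on O4 is the weak point of this approach: it only says "not known good", which is why the helper in the thread reads the whole log rather than trusting a rule, and why a benign user choice such as a deliberately blank start page would also be flagged here. Treat the output as a worklist for a human, not as a verdict.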
     
  7. mariecle

    mariecle Private E-2

    Hi BJGarrick,

    I am attaching the latest HJT log (hopefully the last). Everything looks clean, and Spybot and Microsoft AntiSpyware returned a clean sheet. Ad-Aware only had a few cookies to complain about, and they've been flushed now.

    Thank you so much for all your help.
    Cheers,
    Marie
     

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean, are you having any further problems?
     
  9. mariecle

    mariecle Private E-2

    No, no problems, just had to spend the afternoon reinstalling a few things I had cleaned up :) .

    Thank you so much for all your help, I would have never managed on my own.
     