help needed with spyware

What about regmon?

 

Nope! You'll have to do it again! This time before starting, shut down all other processes including your Avast antivirus application (should help to reduce the size).

Do not start filemon until everything else is ready to go!

 

Did you configure the parameters again? Is the line actually back in your HJT log right now?

Make sure you exit every unncessary application (AV and Firewall too) especially Internet Explorer before starting Filemon. Make sure everything is setup (ready to click fix in HJT, and regmon is already running and setup) before starting filemon. Otherwise the file gets too big and hard to analyze. After the capture is done you should make sure you stop the Filemon asap. Also restart your PC to get your AV and firewall running. You do not want to run without them too long.

 

Try erasing the filter settings and OKing that. Then exit Regmon and hopfully it is like starting over. You said you were able to get it to capture last time on the filters I had you set? Is that true?

 

Try using nothing for the filter and then try making the R1 line fix.

For filemon, set the filter to c:\windows\user.dat

 

We need to get Regmon to trigger! Make sure you do not have capture disabled. Look at the magnifier glass and make sure does not have a red mark in it. You can also see it under the File menu. Make sure Capture is checked.

Try setting the Regmon filter to:
CurrentVersion; ProxyOverride

 

I have to get some sleep now! See if you can experiment here and get this to work. Otherwise we will have to continue later.

Good Night!

 

Looks to me like something you have setup with Avast, is changing your dial settings:

1342 16.95480960 Ashserv:FFE1CCE7 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings SUCCESS hKey: 0xC29E2000
1343 16.95482320 Ashserv:FFE1CCE7 QueryValueEx HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial SUCCESS 1 0 0 0
1344 16.95483360 Ashserv:FFE1CCE7 QueryValueEx HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\NoNetAutodial SUCCESS 0 0 0 0
1345 16.95484800 Ashserv:FFE1CCE7 SetValueEx HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial SUCCESS 0x0
1346 16.95485760 Ashserv:FFE1CCE7 SetValueEx HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\NoNetAutodial SUCCESS 0x0
1347 16.95486800 Ashserv:FFE1CCE7 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings SUCCESS

As far as the ProxyOverride R1 line, I see the HJT fixing of it but I do not see anything bringing it back in your log. Perhaps at this time when you captured it. It did not come back yet. We need to see that. What filter settings did you have on Regmon?

Try these:
ProxyOverride;Internet Settings;EnableAutodial

Don't bother with Filemon this time. Make sure you wait long enough or do something than makes the R1 line come back before stopping Regmon. I guess something like, Fix with HJT and then open a browser is sufficient based on what you said. If so, as soon as you open the browser, stop Regmon's capture.

 

Well according to that log, it looks like your system is configured to use a proxy server and Internet Explorer is changing the settings to add https:// back in. You need to check you configuration to make sure you're connection is setup properly.

Boy it was a bad idea to use Internet Settings in the filter!

 

Run Regedit and navigate to the below key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Then click on File and select Export. Give it a filename like IEsetttings (a .reg will automatically be added to it). And save it where you can find it. You will need to compress this into a ZIP file and the upload it here.

Did you take a look at you Avast settings like I suggested?

 

I'm still looking at all of your settings. You have a bunch of items in there that I do not know what they are. But one thing is for sure, you have AutoDial enabled. There is a key saying:

"EnableAutodial"=dword:00000001

Here is a full list of items that are either different than I expect (compared to my settings) or that I do not have at all.

You also show a bunch of connections (I thought you said you are not on dialup? Did you use to use dialup? Do you have to do anything special to connect to the internet?

Here are the names of the additonal (other than defaults) connections I see:
"CallNet"
"Direct Connection"
"Freeserve For Eastdon"
"OneRel.Net"
"Freeserve for ryders.fslife.co.uk"
"Connection to onetel.net"
"tiscali new"

You must be using some kind of special connection mechanism.

 

What is your Security level set to in Internet Explorer?

 

You should see step 7 in the below thread and configure items as it indicates but before setting any of those options, after you click the Custom Level button, at the bottom in the Reset custom settings area, first Reset to Medium and click the Reset button. Then make sure you other settings are as I give in step 7.

How to Protect yourself from malware!