Help - Spyware has me at wit's end

Discussion in 'Malware Help (A Specialist Will Reply)' started by fourstar, May 14, 2005.

  1. fourstar

    fourstar Private E-2

    I can't get rid of the Hunt tool bar or Fun Web Tools.
    I have completed all of the steps in the "read first" sticky. I was unable to run the Trend Micro Online virus scan in safe mode. When I ran it in normal mode, it found 8 trojans and deleted them. 2 of them were NailA, which seems to come back repeatedly no matter what I do.
    Symantec Security Check said my machine is fairly secure. It could not check antivirus protection, however I run Norton Antivirus with frequent updates.

    When I run Spybot in safe mode, it finds HotSearchbar, Fun Web Products, and Mywebsearch. It is never able to delete Fun Web Products. The others delete okay, but usually come back, even without internet activity. The Fun Web Tools problems are identified as:
    Hkey_Users\S-1-5-18\Software\Fun Web Products
    Hkey_Users\S-1-5-20\Software\Fun Web Products
    Hkey_Users\S-1-5-19\Software\Fun Web Products
    Hkey_Users\Default\Software\Fun Web Products

    My HJT logs show some weird script in O4-HKLM and O4-HKCU areas but I'm afraid to do anything without expert help.
    I know you guys are overwhelmed - thanks for whatever help you can give.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fwpfix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)


    Double-click on the fwpfix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. fourstar

    fourstar Private E-2

    HijackThis log attached. Thanks for the quick response!
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The first thing I notice is that your Operating System is WAY outdated. This is a major security risk and should be updated ASAP. After we get your system cleaned up you need to surf into Windows Updates and get updated.

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O4 - HKLM\..\Run: [r38X3qP] tdldeb.exe
    O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</html>
    O4 - HKLM\..\Run: [<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffff] c:\WINDOWS\System32\<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffffff">
    O4 - HKLM\..\Run: [<META HTTP-EQUIV="Pragma" CONTENT="no-cac] c:\WINDOWS\System32\<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
    O4 - HKLM\..\Run: [<script language="javascript" type="text/javascri] c:\WINDOWS\System32\<script language="javascript" type="text/javascript">
    O4 - HKLM\..\Run: [var d=docum] c:\WINDOWS\System32\var d=document;
    O4 - HKLM\..\Run: [var NN4=d.layers?] c:\WINDOWS\System32\var NN4=d.layers?1:0;
    O4 - HKLM\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe>');
    O4 - HKLM\..\Run: [} el] c:\WINDOWS\System32\} else {
    O4 - HKLM\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer>');
    O4 - HKLM\..\Run: [</scr] c:\WINDOWS\System32\</script>
    O4 - HKLM\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System32\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe></noscript>
    O4 - HKLM\..\Run: [</b] c:\WINDOWS\System32\</body>
    O4 - HKLM\..\Run: [function redirec] c:\WINDOWS\System32\function redirect(){
    O4 - HKLM\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
    O4 - HKLM\..\Run: [var strP] c:\WINDOWS\System32\var strPort;
    O4 - HKLM\..\Run: [top.location.replace(strTe] c:\WINDOWS\System32\top.location.replace(strTemp);
    O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</html>
    O4 - HKCU\..\Run: [<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffff] c:\WINDOWS\System32\<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffffff">
    O4 - HKCU\..\Run: [<META HTTP-EQUIV="Pragma" CONTENT="no-cac] c:\WINDOWS\System32\<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
    O4 - HKCU\..\Run: [<script language="javascript" type="text/javascri] c:\WINDOWS\System32\<script language="javascript" type="text/javascript">
    O4 - HKCU\..\Run: [var d=docum] c:\WINDOWS\System32\var d=document;
    O4 - HKCU\..\Run: [var NN4=d.layers?] c:\WINDOWS\System32\var NN4=d.layers?1:0;
    O4 - HKCU\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe>');
    O4 - HKCU\..\Run: [} el] c:\WINDOWS\System32\} else {
    O4 - HKCU\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer>');
    O4 - HKCU\..\Run: [</scr] c:\WINDOWS\System32\</script>
    O4 - HKCU\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System32\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe></noscript>
    O4 - HKCU\..\Run: [</b] c:\WINDOWS\System32\</body>
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [function redirec] c:\WINDOWS\System32\function redirect(){
    O4 - HKCU\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
    O4 - HKCU\..\Run: [var strP] c:\WINDOWS\System32\var strPort;
    O4 - HKCU\..\Run: [top.location.replace(strTe] c:\WINDOWS\System32\top.location.replace(strTemp);

    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
    O16 - DPF: {AE609930-A6EB-4A78-B7DA-B3200705FEBD} (Mophun Control) - http://www.mophun.com/codebase/mophun.cab
    O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    tdldeb.exe <-- Search for this file and delete when found!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
  5. fourstar

    fourstar Private E-2

    I got an error message (actually 6 of them) when using the FIX function of HJT. The message said Error 52 Bad file name or number... and indicated the 6 HKLM lines that remain in the attached log.
    Could not find tdldeb.exe. Ran CCleaner and Spybot per instructions. Spybot did not find any problems to fix. Ran cleanmgr.
    I used my son's login to see how things were going. I noticed right away that Hunt bar and about:blank were attempting to load. I ran AdAware SE under his login and found another 400 infected files. I tried to go through the process in the read me sticky under his login, but I can't get to his login button in Safe Mode. Should I be doing this with each user on my computer? There are 3 others besides me.

    Attached is the HJT log from my login.
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, you need to clean each user account. Run the READ ME on every user account. Afterwards, post HJT logs from each account. It may take 2 posts, but in order to completely clean your system we need to make sure nothing is hiding.
     
  7. fourstar

    fourstar Private E-2

    Okay, I think I have it. First two HJT logs attached here.
     


  8. fourstar

    fourstar Private E-2

    Second two are here.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The above was a small part of message number 4. It should not have been fixed and should be restored from HijackThis's backup.

    SNDMon - SNDMon.exe - Process Information

    Process File: SNDMon or SNDMon.exe
    Process Name: Symantec Security Drivers

    Description:
    SNDMon.exe is a process associated with Norton Antivirus application from Symantec. This process should not be removed to ensure that your system security is not breached.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It got caught up in all that html mess, agreed it should not have been fixed.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HJT and have it fix the below entries on each account:

    After you remove these entries, reboot and see if they come back!

    O4 - HKLM\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe>');

    O4 - HKLM\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer>');

    O4 - HKLM\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System32\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe></noscript>
     
  12. fourstar

    fourstar Private E-2

    When I try to remove these entries, I get variations of the following error message:

    Unexpected Error Occurred!
    Error # 52 (Bad file name or number) in Sub GetLongPath(></iframe>');,.exe).
    Please send a report to merjin@spywareinfo.com, mentioning what you were doing, and what version of Windows you have.
    This message has been copied to your clipboard.

    (The variation is that the location of the error changes with each line.)

    I did get the Symantec line restored.
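    The Error 52 above comes from HijackThis trying to resolve the Run value's data as a file path, and data such as `c:\WINDOWS\System32\</html>` is not a path at all. The following triage script is an added example of mine (not code from the thread, HijackThis or MajorGeeks): it parses O4 lines in the format posted here and separates real program paths from HTML/JavaScript debris that has been written into the Run keys, plus bare file names (like tdldeb.exe) that still need to be located. The sample lines are copied from the logs quoted in this thread.

```python
import re

# Characters Windows never allows in a file name; a Run value whose data
# contains one cannot point at a real program (the cause of HJT's Error 52).
INVALID_PATH_CHARS = set('<>"|?*')
# Legal in file names, but they never occur in a genuine autostart command
# and every line of the injected web-page fragment carries one of them.
SUSPECT_CHARS = set('{};')
# Markers of the HTML/JavaScript fragment seen in the posted O4 entries.
SCRIPT_MARKERS = ("document.write", "<noscript>", "<script", "<iframe",
                  "</", "var ", "function ")

# HJT O4 format:  O4 - <hive>\..\Run: [<value name>] <value data>
# The value name may itself contain "]" (e.g. rand=[RAND]), so the greedy
# match deliberately takes the LAST "] " as the name/data boundary.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>.*)\] (?P<data>.*)$')

def parse_o4(line):
    """Return {'hive', 'name', 'data'} for an O4 line, or None for any other line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Label one parsed O4 entry: 'junk-html', 'bare-name' or 'path'."""
    data = entry["data"]
    if (any(c in data for c in INVALID_PATH_CHARS | SUSPECT_CHARS)
            or any(mk in data for mk in SCRIPT_MARKERS)):
        return "junk-html"    # registry debris: delete the value with regedit
    if "\\" not in data:
        return "bare-name"    # no directory: search the disk for the file
    return "path"             # ordinary autostart entry, judge on its merits

def triage(log_lines):
    """Run every O4 line through parse/classify; non-O4 lines are skipped."""
    results = []
    for line in log_lines:
        entry = parse_o4(line)
        if entry:
            results.append((entry["hive"], entry["name"], classify(entry)))
    return results

# Sample input, copied from the O4/O16 lines quoted earlier in this thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [r38X3qP] tdldeb.exe",
    r"O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</html>",
    r"O4 - HKLM\..\Run: [var d=docum] c:\WINDOWS\System32\var d=document;",
    r"O4 - HKLM\..\Run: [} el] c:\WINDOWS\System32\} else {",
    r"O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe",
    r"O4 - HKCU\..\Run: [function redirec] c:\WINDOWS\System32\function redirect(){",
    r"O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab",
]

if __name__ == "__main__":
    for hive, name, label in triage(SAMPLE_LOG):
        print(f"{label:10} {hive}  [{name}]")
```

    Note that the legitimate SNDMon.exe entry is the only one labelled `path`, which is exactly the line that should not have been fixed.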
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Glad you got it restored; I apologize for having you fix it. It just got caught up in all that html mess and I didn't catch it.

    Boot into Safe Mode and try to fix those entries again.
     
  14. fourstar

    fourstar Private E-2

    I get the same result in Safe mode. Same error message. Lines won't delete.
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Now, I want you to run HJT and have it generate a startup list.

    Just in case you do not know how to do this, please follow below:

    Run HJT and select Open the Misc Tools section, now under Startuplist (integrated: v1.52) click the button Generate StartupListLog and attach this log to your next post.
     
  16. fourstar

    fourstar Private E-2

    Startup list attached.
     


  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type in regedit

    Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    In the right hand side, search for document.write & <noscript>. Right click and delete any entries that are found.

    Afterwards reboot and attach a fresh HJT log.
     
    Last edited: May 17, 2005
  18. fourstar

    fourstar Private E-2

    In the HijackthislogK file, after I followed your instructions I found 3 entries remained in the log. I checked in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and found and deleted them. Attached are HJT logs for 2 users. Next post will have the other two.
     


  19. fourstar

    fourstar Private E-2

    Other two users logs.
     


  20. fourstar

    fourstar Private E-2

    Also, please note that when I log on as the user in the HijackthislogM, I still get a Microsoft Antispyware Alert saying that HuntBar Browser Modifier is trying to install. The software says it successfully removed the threat, but it seems to detect it again on reboot.
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    All of your HJT logs are clean!

    Can you post the results from the MSAS scan so I can see what exactly its finding as in location and name.

    Also, since you're pretty clean you need to surf into Windows Updates and install Service Pack 2. Without this critical update you will continue to have problems.
     
  22. fourstar

    fourstar Private E-2

    Just when I thought it was safe to go back in the water...
    My Windows update page is blank. Also, when attempting to search for a file in Explorer, I get an error message that a file the Search Assistant needs is missing.
    A thousand thanks for the help so far, by the way.
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Have you installed Service Pack 2 yet?
     
  24. fourstar

    fourstar Private E-2

    I couldn't get it from the Windows update page. I'll try to download it from another computer.
     
  25. fourstar

    fourstar Private E-2

    It looks like it's only available as a direct download, and I can't get the Windows update page to display. I've followed instructions for restoring the Windows update page on the Microsoft website, but that didn't work. Is SP2 the same for Home Edition and XP Pro? If it is, I can probably get SP2 on a CD from work.
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, if you have an SP2 disk for WindowsXP that will get it installed.
     
  27. fourstar

    fourstar Private E-2

    Okay, I'm back. I got SP2 loaded and running. When I logged in, MSAS found HuntBar attempting to load again and appears to have successfully removed it. I logged on as each user and the only problems that appeared were MSAS messages that something was trying to change the internet and intranet browser security settings. This occurred with each of the other three users. I selected block and remember this setting, which appears to have resolved that issue on subsequent log-ins. I am attaching one final HJT log to see if you can see what might be trying to change the security settings.
    One final thing (I hope):
    In Add or Remove Programs, I show two programs installed that I can't remove. The first is Coupons and Offers. When I click on Change/Remove, I get a window titled WJView Error with the message "ERROR: Could not execute Main : The system cannot find the file specified."

    The second is called Roll (It's Roller Coaster Tycoon.) This generates a message window titled FISH UnInstaller Version 2.00 containing the message: "Unknown project:- 'C:\Program Files\Hasbro Interactive\RollerCoaster Tycoon\RollerCoaster Tycoon.log'."

    Thanks again for all your help. You have been a sanity saver!
     


  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type in regedit

    Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    Now, look for Coupons and Offers & Roll on the right hand side. Once located right click and delete the entry. Exit registry editor and be sure you have the folders removed.

    Navigate to C:\Program Files, delete any folder referring to Coupons & Offers.


    Also, your HJT log looks clean to me!
     
  29. fourstar

    fourstar Private E-2

    I think I'm clean now. Thanks so much for your help!
     
  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

