Ready for help with HJT!!

Why did you say About:Buster (AB for short) did not find anything? It showed a bunch of things.

You need to update About:Buster. You're using Reference List : 19 and they are already up to Reference List : 21. Start it and do the update. But do not run the scan yet.

Also make sure you have HSremove (from the READ ME FIRST).

Make sure during the scans below you are not connected to the internet and DO NOT open any browsers until told to. You should print these instructions of save them locally. Because you must close all browsers and disconnect from the internet before running the following steps.

Then exit all programs do a new AB scan. Make sure you click yes to run it a second pass. When it completes make sure you do not run anything at all. Immediately reboot but boot to safe mode and run AB again and again let it do both passes. Save both AB logs.

Now while in safe run an HSremove scan. After it completes, reboot in normal mode. And get a fresh HJT log (make sure you have put HJT in the proper directory) and save it to hjtlog1.log. Now finally open a browser and then close a browser. Now get a second HJT log (call it hjtlog2.log).

Now reopen your browser and come back here and post both AB and both HJT logs (that will require two messages). And also give me feedback on anything you noticed or any problems you had.

 

First a question, I am assuming that www.sharpsystems.com is related to your ISP and am ignoring the following two lines. Just let me know if that is a correct assumption.
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sharpsystems.com/
O14 - IERESET.INF: START_PAGE_URL=http://www.sharpsystems.com/

You have a few additional problems beyond the hijacker which we need to get fixed before concentrating on the hijacker. So I don't expect after the below that the hijacker will be completely gone.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Using HijackThis to kill processes:
Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

C:\WINDOWS\system32\ati3duag.exe
C:\Documents and Settings\Peter\Application Data\toro.exe
C:\WINDOWS\system32\w?nspool.exe
After killing all the above processes, click "Back".

Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\izdiy.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\izdiy.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\izdiy.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\izdiy.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\izdiy.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\izdiy.dll/sp.html#10001
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4982D30C-67C2-4EDC-B9FB-50B7DB64D84D} - C:\WINDOWS\system32\mfchb32.dll
O4 - HKLM\..\Run: [Kzvwwqm6s] C:\documents and settings\peter\local settings\temp\Kzvwwqm6s.exe
O4 - HKLM\..\Run: [cdf8b1a7a6a0] C:\WINDOWS\system32\ati3duag.exe
O4 - HKCU\..\Run: [Oaad] C:\Documents and Settings\Peter\Application Data\toro.exe
O4 - HKCU\..\Run: [Lvmx] C:\WINDOWS\system32\w?nspool.exe

Do you know what this TriDef Control is in the next line? For your Video card? If so, skip it? Otherwise I'm considering fixing it too. Let's just skip for now.
O4 - Global Startup: TriDef Control Panel.lnk = C:\WINDOWS\system32\rundll32.exe

Then continue fixing the following.
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {11117711-1111-1711-7121-111177111157} - ms-its:mhtml:file://c:\bebe.mht!http://www.alarm-works.com/tx.chm::/ai.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\ati3duag.exe
C:\Documents and Settings\Peter\Application Data\toro.exe
C:\WINDOWS\izdiy.dll
C:\WINDOWS\system32\mfchb32.dll
C:\documents and settings\peter\local settings\temp\Kzvwwqm6s.exe
Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Okay! Let me know when you finish the other steps.

 

Delete the C:\WINDOWS\prefetch\toro.exe-28D5173.pf file (in fact you can delete all files in the prefetch folder as a safety precaution). Also make sure you empty your Recycle Bin.

Then goto: C:\documents and settings\peter\local settings\temp
and delete everything in that temp folder.

Does HSremove give you any indication of the filenames it is removing?

Download this tool: Generic Detection Tool
Then, unzip the Generic Detection Tool to a safe folder of your choice and run "findit.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

The tool should generate a long text file. Please attach that to your next post.

Do not reboot after that because that can cause the files to mutate.

 

If you run Windows Explorer and go to C:\WINDOWS\System32, can you see the below files:

12/27/2004 08:56 PM 98,816 mfchb32.dll
12/22/2004 01:17 PM 389,120 w?nspool.exe

Note the w?nspool.exe may show up differnently but it is not the same thing as winspool.exe. Note the file size and dates. Make sure you can view hidden and also system file. If you can locate those two files, delete them. You may need to do this in safe mode.