Spyware Help Please

Katie, ALL steps of the READ ME are to be followed. I do not see any indication of the TrendMicro online scan being run. Is there a reason you skipped it? Did you skip anything else?

 

Please do the following:

Download: "StartDreck", from here:
http://www.niksoft.at/_data/startdreck.zip

Unzip to its own folder and start the program,
Press 'Config'
Press 'Unmark All'
Check the following boxes only:
Registry -> Run Keys
System/drivers> Running processes
Press 'Ok'
Press 'Save' and select the location to save the log file
(default is the same folder as the application)

Please attach the log in this thread.

 

1) go here and download Registrar lite and install it: http://www.majorgeeks.com/download469.html
2) Run it, copy and paste this line to reglite's address bar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
3) Click the "go" tab
4) Find: "AppInit_Dlls" value on the right side panel.
5) DoubleClick on AppInit_Dlls and tell me exactly what you see in the Value field:

 

After installing it and depending on what options you chose during install, it may have an icon on your Desktop or in you Start list (the icon looks something like a purple Rubics cube). If not in those places than run it like any other application by clicking Start, All Programs, and find the Registar Lite entry and select it and run the application.

 

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file appfix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the appfix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes

Now use Registrar Lite again and tell me if the same filename appears in AppInit_DLLs or is it gone.

 

Okay! Try this method:


Run Registrar Lite again but this time do the following:
- copy the following into the address bar or expand the same key by hand:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
- Rename the Folder Windows to NotWindows (in the left hand pane of reglite)
- Double Click "AppInit_DLLs" again and clear the data value:
C:\WINDOWS\System32\ctlp.dll < delete this line , 'Apply' and 'ok' to set.
- Rename the NotWindows folder back to its original name Windows

Now just to be sure, exit Registrar Lite and then restart it and look at that same registry key now. Is it blank?

 

Okay make sure your follow these next steps exactly. You need to print these or save locally on your PC in a text files for you to refer to if needed because you MUST phyiscally unplug your cable to the internet and exit all browsers (do not run any browsers again until requested.)

Exit browsers now and unplug your cable too!

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\rcraig\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\rcraig\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {F9A0266F-0C9C-42AB-A8B5-5385E8508718} - C:\WINDOWS\system32\cnipn.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\rcraig\LOCALS~1\Temp\se.dll,DllInstall
O4 - Startup: PowerReg Scheduler V3.exe
O18 - Filter: text/html - {47F21DCA-4EFC-4FEA-82D5-ACD0221748FE} - C:\WINDOWS\system32\cnipn.dll
O18 - Filter: text/plain - {47F21DCA-4EFC-4FEA-82D5-ACD0221748FE} - C:\WINDOWS\system32\cnipn.dll

After clicking Fix, exit HJT.

Pull the power cord into your PC now. YES THAT'S WHAT I SAID. I do not want a normal shutdown. Then wait two minutes and reboot into safe mode.
In safe mode use Windows Explorer to delete:
C:\Documents and Settings\rcraig\Local Settings\Temp\se.dll
C:\WINDOWS\system32\cnipn.dll
C:\WINDOWS\System32\ctlp.dll

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If you cannot find these files or have a problem deleting them make sure you tell me later when you come back.

Now:
Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin
And Click OK.

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode, reconnect your cable and get a new HJT log. Run your browser and post a new HJT log. And tell us how things are working.

 

Make sure you understand all of those steps and ask questions before starting. Pulling the power cord is an important step to prevent the malware from respawning on a normal windows shut down.

 

Have HJT fix the below line while no browsers are open:

O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\rcraig\LOCALS~1\Temp\se.dll,DllInstall

Then reboot again and see how things look. See if you get anymore error messages.

You may need to uninstall, reboot, and reinstall you antivirus application later too. Some of the service names are messed up.

 

You're welcome! Make sure you complete the equivalent of all steps in the below link:

How to Protect yourself from malware!

This will help to avoid (but not completely prevent - which is impossible) future problems!