There is no "automated" anti-spyware removal tool for this type infection.
There are 2 DLLs involved, the "BHO" DLL which you see in your log and the
main culprit which is totally hidden. Removing the "BHO" DLL has no effect
as it (main culprit) will simply generate a new BHO DLL.
Ok, here goes ... this is my "How To:" (Hint: print out the below)
[Tools and files needed]
Download: "RepairAppInit.reg" (XP\2K only!)
http://www.mvps.org/winhelp2002/RepairAppInit.reg
Do not do anything with this file yet, it will be needed later.
Download: CWShredder
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Unzip, but do not run it yet, it will be needed later.
Download: Ad-Aware
http://www.lavasoft.de/software/adaware/
Install, but do not run it yet, it will be needed later.
Download: Find-All.zip
http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm
Unzip, but do not run it yet, it will be needed later.
Download: WINFILE.zip
http://www10.brinkster.com/expl0iter/freeatlast/WINFILE.zip
Unzip, but do not run it yet, it will be needed later.
Download: Registrar Lite [freeware]
http://www.resplendence.com/download
Install, but do not run it yet, it will be needed later.
[Step1]
Double-click the included "Find-All.bat" file from Find-All.zip.
Generates: "output.txt"
Note: if infected you will see:
Locked file(s) found...
C:\WINDOWS\System32\<filename> +++ File read error
Where "<filename>" is the hidden invisable installer.
Note: "+++ File read error" is not an error, this just identifies the
culprit.
[Step2]
Run "Registrar Lite" and navigate to:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
Double click on "AppInit_DLLs" entry (right pane)
The size will likely be something other than "1" (if infected)
IMPORTANT: Make a note of the filename and location (folder)
[Step3]
Rename the highlighted "Windows" key (left pane)
To rename: Right-click and select: Rename
(type) NoWindows
Double-click "AppInit_DLLs" again (right pane)
Clear (delete) the "Value" containing the .dll and click Ok.
IMPORTANT: Rename the "NoWindows" key (left pane)
To rename: Right-click and select: Rename
(type) "Windows" (no quotes) and close RegLite.
[Step 4]
Using Windows Explorer go to your root drive: (typically) "C:\"
Click File (up top) select: New > Folder
(type) "Junk" (no quotes)
Open Winfile
Navigate to System32 folder. N.B. File may have HIDDEN attribute.
Click File (up top) select: Move
Copy and paste this into the 'From' box: C:\WINDOWS\System32\<filename>.dll
Copy and paste this into the 'To' box: C:\Junk\<filename>.dll
Note: where "<filename>" = culprit dll from "output.txt"
Click OK. Close Winfile
Open Windows Explorer and check in C:\Junk for the "<filename>.dll" file.
At this point see if you can rename the "<filename>.dll"
Do this several time, changing the name and extension each time.
Then see if you can "Move" to "A:\" (floppy)
[Step 5]
Locate: "RepairAppInit.reg" right-click and select: Merge
Ok the prompt
[Step 6]
Open Regedit (Start | Run (type) "regedit" (no quotes)
Use the Search function for the <filename>.dll
Click: Edit (up top) select: Find
(type) <filename>.dll, click: Find Next
Note: where "<filename>" = culprit dll from "output.txt"
Remove all instances found.Press "F3" to continue searching
until you see the "Completed" message.
Next repeat the above steps, subsitute the "secondary dll"
From: "text/html" as seen in the "output.txt"
[Step 7]
Run CWShredder and reboot.
[Step 8]
Run Ad-Aware
Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp.com/howto/updref/index.html
Launch the program, and click on the Gear at the top of the start screen.
Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard
drives.
Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.
Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.
After the above post a fresh log ...
--
Disclaimer: Renaming the "Windows" key modified some security settings.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
Right-click the "Windows" key, select: Permissions
[Example]
Before renaming the "Windows" key:
"Path"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
"Read":
*"Administrators
*Power Users
*Users"
"Write"
*"Administrators"
--
[Example]
After Renaming the key:
"Path"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
"Read":
***"Everyone"***
"Write"
*"Administrators
--
You need to check that and if 'Everyone' was added (as seen above)
You need to reset your original settings as follows:
Note: do this after removing the infection.
Right-click "Windows", select: Permissions
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
Click Advanced [button]
If the "inherit permissions" box is checked = Uncheck it.
Then select "COPY" on the prompt.
Select "Everyone Group" (if listed) and remove. (only the group)
You can individually view/edit each group settings.
Be sure "Administrators" and "System" have full control on all.
Note: Creator owner full control on Sub keys only.
"Power users" and "users" = "read control".
