Hi Michael, I'll try to help until an expert is available.
First and foremost, let's try to get rid of the nasty Chinese malware infection your PC has.
You might want to print this out or save it to a text file for reference from within safe mode.
Download the attached URLSearchHookFix zip file.
Boot into safe mode again and turn system restore off if you haven't already.
Click Start > Control Panel > Add or Remove Programs and remove WinPcap. Also remove any entries related to CNNIC (might be written in Chinese characters).
Run another HJT scan and put a check next to the following entries if still present:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.cn/cdn/browser/sidesearch/sidesearch-en.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.cn/cdn/browser/customsearch/customsearch-en.html
O2 - BHO: CNNIC ÍøÂ繤¾ßDrag - {352E3B3A-CAB5-4DBC-B940-C7F84D0447D8} - C:\PROGRA~1\CNNIC\Cdn\cdndrag.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O2 - BHO: BHOImp Class - {70AFF2CB-9DA2-499C-8D15-900729FCE83D} - (no file)
O2 - BHO: (no name) - {79B8A2B5-CCAB-40CD-B939-A18B916FAD95} - (no file)
O2 - BHO: (no name) - {B10343BD-1DC6-442F-9BA2-D44C708CEE83} - (no file)
O2 - BHO: WMHlprObj Class - {F5824EFB-728A-4726-A5A5-85A68B20EDC3} - C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O11 - Options group: [CDNCLIENT] Chinese Navigation
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Click "Fix checked"
Close HiJackThis
Remove the following folder (including all files and sub-directories):
C:\Program Files\CNNIC
Unzip the URLSearchHookFix.reg from the attached file and right-click the .reg file and choose Merge
Rename HiJackThis.exe to something else (e.g. HJT2K6.exe)
Run another HJT scan and save the logfile, rename the logfile to HJTnewSafe.log
Reboot back into normal mode, run another HJT scan from normal mode.
Zip up both new HJT logfiles and attach them to your next post.
- JPH
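
An added example, not part of JPH's post: one way to check the new HJT logs against the fix list above. It matches entries by section and CLSID rather than by whole line, because once the CNNIC folder is deleted a leftover BHO shows up with a different name and "(no file)". The FIX_LIST lines are copied from the post; NEW_LOG is a constructed sample and the function names are made up for this sketch.

```python
import re

# HJT entry lines look like "<section> - <body>", e.g. "O2 - BHO: name - {CLSID} - path".
ENTRY = re.compile(r"^\s*([ROFN]\d+)\s+-\s+(.*\S)\s*$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
STATUS = re.compile(r"\s*\((?:no file|file missing)\)\s*$", re.I)

def entry_key(line):
    """Return (section, identity) for an HJT entry line, or None for other lines."""
    m = ENTRY.match(line)
    if not m:
        return None
    section, body = m.group(1).upper(), m.group(2)
    clsid = CLSID.search(body)
    if clsid:
        # The CLSID names the registry key; the display name and path
        # change once the DLL is gone, so they are not part of the identity.
        return (section, clsid.group(0).upper())
    body = STATUS.sub("", body)  # ignore the file-state suffix
    return (section, re.sub(r"\s+", " ", body).lower())

def still_present(fix_list, new_log):
    """Fix-list lines whose identity still appears in the new log."""
    seen = {k for k in map(entry_key, new_log.splitlines()) if k}
    return [l for l in fix_list.splitlines() if entry_key(l) in seen]

# Four of the entries from the fix list in the post.
FIX_LIST = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.cn/cdn/browser/sidesearch/sidesearch-en.html
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing"""

# Constructed sample of a follow-up log (not a real scan).
NEW_LOG = r"""Logfile of HijackThis
O2 - BHO: (no name) - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - (no file)
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing"""

if __name__ == "__main__":
    for line in still_present(FIX_LIST, NEW_LOG):
        print("still present:", line)
```

Run it on both HJTnewSafe.log and the normal-mode log; anything it reports still needs fixing.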