Another about:blank victim

Discussion in 'Malware and Virus Removal Archive' started by Fitz, 2005/01/24.

Thread Status:
Not open for further replies.
  1. 2005/01/24
    Fitz

    Fitz Inactive Thread Starter

    Joined:
    2002/03/05
    Messages:
    128
    Likes Received:
    0
    I know this is getting very tedious but there seems to be an epidemic of home-page hijacking going on at the moment and I'm just hoping that CWShredder will soon get on top of this latest outbreak.

    I've been into Safe Mode and emptied temp files etc., but don't really know which other files need to be deleted.

    Is there any way in which you can restore the registry to a point where you know it hadn't been hijacked? I know that System Restore will enable you to re-establish the last configuration when your computer booted up OK, but to restore it to a point where it was free of spyware and hijack programmes would seem to be a much better idea.
    SpyWare Blaster only works temporarily. I reset to the previous System Snapshot and within minutes it's altered back again which is a great shame because up until today, I really believed that to be a faultless piece of software in preventing HP hijacking.

    Anyway, I'd be really grateful for any help with looking at the log:-

    Logfile of HijackThis v1.97.7
    Scan saved at 16:18:16, on 23/01/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Business Software\PopKill\PopKill.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6E7A13FF-7854-4468-9F56-B40F2995F0B8} - C:\WINDOWS\System32\kaiffh.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
    O4 - HKLM\..\Run: [PopKill] C:\Program Files\Business Software\PopKill\PopKill.exe
    O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.musicmatch.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/294130595c435cbd6216/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38029.4415393519
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A50753F0-D4C0-42FA-AAEC-5915CFCD763D}: NameServer = 69.50.166.94,69.31.80.244
     
    Fitz,
    #1
  2. 2005/01/24
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49

  4. 2005/01/24
    Fitz

    Fitz Inactive Thread Starter

    Joined:
    2002/03/05
    Messages:
    128
    Likes Received:
    0
    OK. I now have the latest version of HJT and here is its scan:
    Don't know about the 017 and 018 entries. They look dodgy, but I welcome comment and any suggestion to remove the parasite which is generating the Home Page takeover which I'm preventing with the use of SpywareGuard, but it's a nuisance to have to keep doing this.

    Logfile of HijackThis v1.99.0
    Scan saved at 17:59:30, on 24/01/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Business Software\PopKill\PopKill.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\My Documents\HiJack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.dll/sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.dll/sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
    O4 - HKLM\..\Run: [PopKill] C:\Program Files\Business Software\PopKill\PopKill.exe
    O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/294130595c435cbd6216/netzip/RdxIE601.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A50753F0-D4C0-42FA-AAEC-5915CFCD763D}: NameServer = 69.50.166.94,69.31.80.244
    O18 - Filter: text/html - {8FD1AE81-A77E-49D4-9006-D584ECB4970F} - C:\WINDOWS\System32\kaiffh.dll
    O18 - Filter: text/plain - {8FD1AE81-A77E-49D4-9006-D584ECB4970F} - C:\WINDOWS\System32\kaiffh.dll
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
     
    Fitz,
    #3
  5. 2005/01/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download and install Reglite. Open and copy/paste the following string in the address window then click go.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

    Double click on the AppInit_DLLs entry to open a "Data Editor" properties window. If the Value line contains a .dll filename, copy/paste it here.
     
  6. 2005/01/24
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    Fitz--Do not be too angry at SpywareBlaster. Before using the Snapshot, you have to get rid of the baddy's executable file. Otherwise it just re-infects. I think the same will happen with System Restore.
     
  7. 2005/01/24
    Dave932932

    Dave932932 Inactive

    Joined:
    2005/01/06
    Messages:
    185
    Likes Received:
    0
    See the "about:blank" in some of the R0 and R1 entries? Fix them. Search your computer with spybot, ad-aware, and go hunting in windows explorer for the hijack's files. Then use hijackthis to remove any traces. That's how I removed it from my system :) .
     
  8. 2005/01/24
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Dave932932 - unfortunately he has worse problems than the 'about:blank' part although it needs to be cleared up. Dave (noahdfear) will get him cured though if he follows along with the advice.
     
    Newt,
    #7
  9. 2005/01/25
    Fitz

    Fitz Inactive Thread Starter

    Joined:
    2002/03/05
    Messages:
    128
    Likes Received:
    0
    Thanks for all your advice and help.

    Before embarking on any further restorative paths, I zapped entries 17 and 18 in the HJT log and, to my surprise, the hijack activity has stopped completely. I don't know if this eliminated the underlying exe file but it now comes up with my home page every time, and ditto with other users of my PC so it seems to have been sorted. :)
    After the initial infection I looked around for suitable Spyware, and installed SpyWareGuard which has been letting me know when a hijack attempt has been made throughout the last day or so, and will also let me know if anything illicit is being downloaded from now on.
    I have the latest editions of Spybot, Adaware, and SpyWareBlaster.
    I suppose SpyWareBlaster can't destroy any file that is causing the hijack but it would be really helpful if it could! Up until now, I really thought that the System Snapshot was a brilliant means of defence and system restoration.
     
    Fitz,
    #8
  10. 2005/01/25
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    Fitz--
    I assume that means you also update all of these every ten days or so with the latest reference files?
    SWB actually does claim to neutralize some CoolWebSearch variants, but they have been multiplying like rabbits so it is hard to keep up.
     
  11. 2005/01/25
    Fitz

    Fitz Inactive Thread Starter

    Joined:
    2002/03/05
    Messages:
    128
    Likes Received:
    0
    I am particularly careful to update the SpyWareBlaster version because I've delved into the CoolWebSearch database and am staggered by the number of these there have been and how many continue to evolve.
    Why do people create these things? What kind of minds and lives do they have?
    Some very cynical people, some on the help boards even, have suggested that it might just be the spyware companies who are creating them, but I'm sure that can't be true.
     
  12. 2005/01/27
    Fitz

    Fitz Inactive Thread Starter

    Joined:
    2002/03/05
    Messages:
    128
    Likes Received:
    0
    I've been advised to check the settings in the Security area of Internet Options but when trying to reconfigure the security settings on the "Trusted sites" the "Custom Level" button remains greyed out so that I cannot change the settings.
    Can anyone advise why that might be and what I can do to regain control of this area so that I can check which sites are considered "safe"?

    The reason I particularly need to know is that on my HJT logs I cannot remove two files from this area that I think should not be there.
     
  13. 2005/01/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You have a Domains hijack which will require you to download this zip, extract it and run the RemoveDomains.reg, then the ResetDomains.reg.
     
  14. 2005/01/27
    Fitz

    Fitz Inactive Thread Starter

    Joined:
    2002/03/05
    Messages:
    128
    Likes Received:
    0
    Thanks for that.
    I downloaded and installed the programme, rebooted, but still have those buttons greyed out.
     
  15. 2005/01/27
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    Fitz--This fix is for the situation when the entire Folder Option window is blanked out. Do not know if it will help your more limited problem.
    http://www.dougknox.com/security/scripts/internetoptions.vbs
    However, if the spyware causing the problem is still on your PC, I would expect it to cause the problem again when you next boot. So you might still have to get rid of the spyware that is causing the problem.
     
  16. 2005/01/27
    Fitz

    Fitz Inactive Thread Starter

    Joined:
    2002/03/05
    Messages:
    128
    Likes Received:
    0
    There isn't really any other sign of hijacking at the moment and the latest HJT log now indicates that the two files in the safe zone have gone, which is good news.
    However, as you can see from the log I now have two entries as 06 which are a little puzzling:-

    "O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present"
    Should I fix these or leave them?

    Scan saved at 20:40:10, on 27/01/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Business Software\PopKill\PopKill.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Owner\My Documents\HiJack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
    O4 - HKLM\..\Run: [PopKill] C:\Program Files\Business Software\PopKill\PopKill.exe
    O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc
     
  17. 2005/01/27
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    Fitz--The link I suggested in my post above was in response to your statement
    So you still have a problem (although not a hijacking), for which I was suggesting a possible fix.
    I see you have started a new thread on this matter.
    http://www.windowsbbs.com/showthread.php?t=40572
     
  18. 2005/01/27
    Fitz

    Fitz Inactive Thread Starter

    Joined:
    2002/03/05
    Messages:
    128
    Likes Received:
    0
    Yes I realised it was in response to the greyed buttons problem.
    I don't know if it is related to the spyware problem which I think is probably fixed thanks to Derek's lengthy instructions, all of which I've now followed and implemented, or whether it's an entirely separate issue to do with some setting somewhere in Control Panel, which is why I started a separate thread.

    When I installed the script file, it disabled access to internet settings whilst online whether the settings read "Enabled" or "Disabled". Anyway fixing those 06 entries in the HJT remedied that problem.
     
  19. 2005/01/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Those 06 entries are what have your IE control panel locked (not being able to change security settings) and are sometimes placed there with Spybot, if you used that function. In Spybot, advanced mode, click the tools button, then IE tweaks. If lock control panel isn't checked, fix those entries with HijackThis, with ALL other windows closed, reboot and run another scan, then post the log.
     
  20. 2005/01/28
    Fitz

    Fitz Inactive Thread Starter

    Joined:
    2002/03/05
    Messages:
    128
    Likes Received:
    0
    I do have Spybot though I haven't used it since it knocked out my internet router connection inadvertently a few months ago.
    I've gone into "Advanced" mode and clicked on Tools but don't see anything called IE Tweaks. Was that your name for Browser pages? In any case, I cannot find any panel where Control Panel settings may be locked or unlocked.

    Anyway, I fixed the 06 entries using HJT and, as you can see, they haven't reappeared:

    Logfile of HijackThis v1.99.0
    Scan saved at 17:06:53, on 28/01/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\Program Files\Business Software\PopKill\PopKill.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\Owner\My Documents\HiJack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
    O4 - HKLM\..\Run: [PopKill] C:\Program Files\Business Software\PopKill\PopKill.exe
    O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe


    Those security setting buttons still remain greyed out.
     
  21. 2005/01/28
    Fitz

    Fitz Inactive Thread Starter

    Joined:
    2002/03/05
    Messages:
    128
    Likes Received:
    0
    Looks like the problem lay in the Registry settings for the Zones.
    In the Registry I found the 2 in Zones, found Flags, changed the value from zero and now the buttons are no longer greyed out.

    There are no sites in there, but now I can also tweak the security settings.

    Thanks for your help, patience, and suggestions.
    I've learned a great deal from the exercise!
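
    Added example (not part of the thread, and not HijackThis's own code): a small Python triage of the entry types that were fixed over the course of this thread, namely about:blank and res:// values in R0/R1 lines plus O6, O15, O17 and O18, with a cross-check for any other entry that loads the same DLL as an O18 filter. The sample lines are taken from the logs Fitz posted; the function names and the wording of the reasons are assumptions, and a flagged line means "review this", not "malicious".

```python
import re

# Sample input: lines taken from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
C:\WINDOWS\System32\svchost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6E7A13FF-7854-4468-9F56-B40F2995F0B8} - C:\WINDOWS\System32\kaiffh.dll
O4 - HKLM\..\Run: [PopKill] C:\Program Files\Business Software\PopKill\PopKill.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{A50753F0-D4C0-42FA-AAEC-5915CFCD763D}: NameServer = 69.50.166.94,69.31.80.244
O18 - Filter: text/html - {8FD1AE81-A77E-49D4-9006-D584ECB4970F} - C:\WINDOWS\System32\kaiffh.dll
"""

# "<section code> - <rest>", e.g. "O17 - HKLM\...: NameServer = ..."
ENTRY = re.compile(r"^\s*(?P<code>[A-Z]\d{1,2}) - (?P<body>.+?)\s*$")
# R0/R1 bodies look like "<registry key>,<value name> = <data>"
SETTING = re.compile(r"^(?P<key>.+?),(?P<name>[^=]+?) = (?P<value>.*)$")

# Entry types the thread treated as needing a decision (wording is ours).
REVIEW = {
    "O6": "IE Restrictions policy present (locks parts of Internet Options)",
    "O15": "site listed in the Trusted Zone",
    "O17": "DNS NameServer set in the registry",
    "O18": "extra protocol filter DLL",
}


def parse(log_text):
    """Yield (code, body) per entry line; header and process lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group("code"), m.group("body")


def triage(log_text):
    """Return [(code, reason, body)] for entries worth a closer look."""
    findings = []
    for code, body in parse(log_text):
        reason = REVIEW.get(code)
        if code in ("R0", "R1"):
            m = SETTING.match(body)
            if m:
                value = m.group("value").strip().lower()
                if value == "about:blank":
                    reason = m.group("name") + " points at about:blank"
                elif value.startswith("res://"):
                    reason = m.group("name") + " loads a res:// page from a local DLL"
        if reason:
            findings.append((code, reason, body))
    return findings


def related_entries(log_text):
    """Entries of other types that load a DLL also registered as an O18 filter."""
    entries = list(parse(log_text))
    last_field = lambda body: body.rsplit(" - ", 1)[-1].lower()
    dlls = {last_field(body) for code, body in entries if code == "O18"}
    return [(c, b) for c, b in entries if c != "O18" and last_field(b) in dlls]


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:>3}  {reason}\n     {body}")
    for code, body in related_entries(SAMPLE_LOG):
        print(f"same DLL as an O18 filter: {code} - {body}")
```

    On the sample, the cross-check shows that the DLL registered as a text/html filter in the second log is the same file listed as a nameless BHO in the first.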
     