Jump to content


Photo

Appropos adware just won't go away...


  • Please log in to reply
6 replies to this topic

#1 cchappa

cchappa

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 06 June 2004 - 07:52 AM

I have managed to clean up most of the junk I got a few weeks ago by repeated use of AdAware, SpyBot, SpySubtract, HijackThis, and AVG (CWS always finds nothing).

I am still having two slight problems with my computer:


1) On start-up, a blank Document window (My Computer ---> Documents) always opens up, but seems to take forever to do (i.e. 20 or 30 seconds).

2) I am still getting AdServe pop-ups. They usually start with the following address, then redirect to a web ad:
C:\Documents and Settings\Chris\Local Settings\Temp\~DlfnTmp2\index.html



Whenever I run any spyware detection software, I inevitably run across something like ApproposPlugin.dll. Regardless of how often I THINK I have it cleaned, it always comes back.




I've learned to clean up my registry manually (I know, don't tamper with stuff I'm unsure of), and that seems to have helped some. But AdAware always finds this:

HKLM/SOFTWARE/BTIEIN

related to HuntBar, and never seems to be able to clean it up. When I try it manually, I get "Cannot open taskcache: Error while opening key". This is from the folder (key?) HKLM/SOFTWARE/BTIEIN/BTIEIN/taskcache




I guess my HJT log might help:

Logfile of HijackThis v1.97.7
Scan saved at 7:46:04 AM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\wnstssu.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\interMute\SpySubtract\spysub.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll
O4 - HKLM\..\Run: [Hyperception Update Wizard] C:\Program Files\Hyperception\VABINF\TrayUpdate.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [j7] c:\documents and settings\chris\local settings\temp\j7.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [AutoLoaderws3p1WXkaQXd] "C:\WINDOWS\System32\odfmdlg.exe" /PC="AM.WILD" /HideUninstall
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\Chris\Application Data\rncr.exe
O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\System32\wnstssu.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Chris\HXIUL.EXE
O4 - Startup: DLHelperEXE.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\spysub.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldw...x/blockwerx.cab
O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://skill.skilljam.com/ssp/SSP.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldw...jo/wordmojo.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldw...apit/swapit.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.micro...n7/dlhelper.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab


Any advice is apreciated.

Thank you

#2 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 06 June 2004 - 10:31 AM

Hi,
First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

Important! Create a folder via Windows Explorer for HijackThis, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.


Close all open windows, except for HijackThis place a check in each of the following:
Then click "Fix checked".

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
O4 - HKLM\..\Run: [j7] c:\documents and settings\chris\local settings\temp\j7.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [AutoLoaderws3p1WXkaQXd] "C:\WINDOWS\System32\odfmdlg.exe" /PC="AM.WILD" /HideUninstall
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\Chris\Application Data\rncr.exe
O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\System32\wnstssu.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Chris\HXIUL.EXE
O4 - Startup: DLHelperEXE.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab


Then reboot, on restart, restart in Safe Mode (see "How To" below)

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Locate and delete the following:

C:\WINDOWS\System32\wnstssu.exe <--this file
C:\WINDOWS\System32\bridge.dll <--this file
C:\WINDOWS\System32\odfmdlg.exe <--this file
C:\Documents and Settings\Chris\Application Data\rncr.exe <--this file
C:\Program Files\Alset <--this folder
DLHelperEXE.exe <--this file

Restart normally and then ...

Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp....dref/index.html

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.

After the above post a fresh log ...
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#3 cchappa

cchappa

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 06 June 2004 - 03:24 PM

Ok, did all you instructed, with a slight problem: I could not locate the following items:


C:\WINDOWS\System32\bridge.dll <--this file
C:\WINDOWS\System32\odfmdlg.exe <--this file
DLHelperEXE.exe <--this file

I tried to locate these AFTER running HJK and fixing the porblems you suggested.

There were two files with DLHelperEXE.exe in their name, but not that file alone (I deleted them anyways).


I ran Ad-Aware again after updating and resetting said settings, and it caught a LOT more stuff than before.

Here is the most recent HJT log after all of this (by the way, the pop ups seem to have vanished, as well as the empty Documents folder at start-up).

Logfile of HijackThis v1.97.7
Scan saved at 3:24:38 PM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\interMute\SpySubtract\spysub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll
O4 - HKLM\..\Run: [Hyperception Update Wizard] C:\Program Files\Hyperception\VABINF\TrayUpdate.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\spysub.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldw...x/blockwerx.cab
O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://skill.skilljam.com/ssp/SSP.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldw...jo/wordmojo.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldw...apit/swapit.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.micro...n7/dlhelper.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#4 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 06 June 2004 - 06:34 PM

Hi,
Your log looks clean now ... good job!

Just one minor item, have HijackThis "fix" the following: (and reboot)

R3 - Default URLSearchHook is missing

You should "Flush System Restore" (see below)

Basically turn off System Restore, reboot run a full AVG scan, reboot and turn System Restore back on and create a new Restore Point. :wave:
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#5 cchappa

cchappa

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 06 June 2004 - 07:24 PM

Removed "R3 - Default URLSearchHook is missing"

Rebooted, ran AVG, came up clean.

BUT I did re-run AdAware, and it caught the following:



Started registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

IBIS Toolbar Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\BTIEIN




This just won't seem to go away!


All seems to be running smoothly, but I am relucntant to turn System Restore back on as long as this keeps showing up. Or is it nothing to be worried about?

thanks for all your help!

#6 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 06 June 2004 - 08:16 PM

Hi,
Unable to Remove BTIEIN Registry Subkey Using Ad-aware
http://www.lavahelp....04/02/0302.html

Follow the above instructions, then turn System Restore back on.
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#7 umiame

umiame

    Member

  • New Member
  • Pip
  • 3 posts

Posted 14 June 2004 - 12:40 PM

Sorry didn't mean to post here/ :D

Edited by umiame, 14 June 2004 - 12:42 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button