IBIS Toolbar/HuntBar/Btiein

  1. #1
    Registered User Darlid01's Avatar
    Join Date
    Jun 2004
    Posts
    26

    IBIS Toolbar/HuntBar/Btiein

    I can't get rid of this.

    I can't delete the key from the registry
    Pest Detected in HKEY_LOCAL_MACHINE\software\btiein
    Pest: IBIS Toolbar
    Action taken: Ignored this time

    I can't delete the folders or the file cursors.xml
    Pest Detected in C:\Program Files\toolbar
    Pest: IBIS Toolbar
    Action taken: Ignored this time


    Pest Detected in C:\Program Files\toolbar\Cursors
    Pest: IBIS Toolbar
    Action taken: Ignored this time


    Pest Detected in C:\Program Files\toolbar\Cursors\cursors.xml
    Pest: IBIS Toolbar
    MD5: 6708a6451fb960dc98302fabbf6820d8
    Action taken: Ignored this time


    StartupList report, 6/26/2004, 12:36:01 PM
    StartupList version: 1.52
    Started from : C:\HijackThis\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe
    C:\WINNT\System32\ctfmon.exe
    C:\HijackThis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
    BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    MSN Manager = C:\WINNT\System32\mscmgr.exe
    PestPatrol Control Center = C:\PROGRA~1\PESTPA~1\PPControl.exe
    PPMemCheck = C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    CookiePatrol = C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    PestPatrolCL = C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\
    Ad-aware = "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run Once

    PPClean Remove at boot = C:\PPCleanDeleteAtReboot.bat
    Pest Cleaning = "C:\PROGRA~1\PESTPA~1\ppclean.exe" ts:20040625212620625 clean suite 2 2 2 2 2 2 2 2 2 2

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINNT\System32\ctfmon.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINNT\System32\scrnsave.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\Microsoft Money\System\mnyside.dll - {243B17DE-77C7-46BF-B94B-0B5F309A0E64}

    --------------------------------------------------

    Enumerating Download Program Files:

    [ppctlcab]
    CODEBASE = http://www.pestscan.com/scanner/ppctlcab.cab
    OSD = C:\WINNT\Downloaded Program Files\OSD406.OSD

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [NetVueX Control]
    InProcServer32 = C:\WINNT\DOWNLO~1\netvuex.ocx
    CODEBASE = http://www2.platsystems.com/plat/henn/netvuex.cab

    [PPSDKActiveXScanner.MainScreen]
    InProcServer32 = C:\WINNT\Downloaded Program Files\PPSDKActiveXScanner.ocx
    CODEBASE = http://www.pestscan.com/scanner/axscanner.cab

    [{4855C21B-E452-4661-A702-ED3493CE74DF}]
    CODEBASE = http://sp.ask.com/docs/toolbar/download/askbar-inst.cab

    [ActiveDataInfo Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\SymAData.dll
    CODEBASE = https://www-secure.symantec.com/techsupp/activedata/SymAData.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
    CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [ActiveDataObj Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\ActiveData.dll
    CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

    [Hotmail Attachments Control]
    InProcServer32 = C:\WINNT\Downloaded Program Files\HMAtchmt.ocx
    CODEBASE = http://lw15fd.law15.hotmail.msn.com/activex/HMAtchmt.ocx

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINNT\system32\SHELL32.dll
    CDBurn: C:\WINNT\system32\SHELL32.dll
    WebCheck: C:\WINNT\System32\webcheck.dll
    SysTray: C:\WINNT\System32\stobject.dll

    --------------------------------------------------
    End of report, 5,534 bytes
    Report generated in 0.406 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
    ~~~

  2. #2
    Registered User GrandDad's Avatar
    Join Date
    Apr 2001
    Location
    Ft.Leonard Wood
    Posts
    2,112
    Welcome to WD, Darlid01.

    Have you looked at the sticky post at the top of the Anti-Virus section?
    Here's a link to it:

    http://forums.windrivers.com/showthread.php?t=57348

    and let us know if you have questions or how it went.

  3. #3
    Registered User Darlid01's Avatar
    Join Date
    Jun 2004
    Posts
    26
    Thanks for the welcome. As you may have noticed from the running processes, I have Ad-aware, PestPatrol, and BHODemon running. I also posted my Hijack log. I have identified the key in the registry and a file, but using regedit I cannot delete the entries, and starting in safe mode command prompt, I cannot delete the file. Any further ideas on how to remove it would be very helpful.

    Thanks.

    Quote Originally Posted by GrandDad
    Welcome to WD, Darlid01.

    Have you looked at the sticky post at the top of the Anti-Virus section?
    Here's a link to it:

    http://forums.windrivers.com/showthread.php?t=57348

    and let us know if you have questions or how it went.

  4. #4
    Registered User Darlid01's Avatar
    Join Date
    Jun 2004
    Posts
    26
    I suppose I should mention that I have run all the programs individually from safe mode. Pest Patrol and Adaware both detect it, thus two of the names of this thread. But nothing removes it. I have identified the culprit and I have neutered the key in the registry, but I can't delete it. I also can't delete the file.

    Any ideas?

  5. #5

  6. #6
    Registered User Darlid01's Avatar
    Join Date
    Jun 2004
    Posts
    26
    Yes, unfortunately, I cannot delete the keys from the registry, and the DLL it refers to is not there to unload. I also cannot delete the files. Of the keys to delete, only one is there: HKEY_LOCAL_MACHINE\software\btiein
    I cannot delete the key; however, I have "zeroed out" the key. I'm not sure how useful that is, but that's the only thing I've been able to do.

    So to summarize, I've tried deleting the keys and deleting the files, from command prompt only and from safe mode and have been unable to manually remove this. None of the scanners have been able to remove it either.

    Any ideas?

