WinDrivers Computer Tech Support Forums
Spyware & Antivirus - Security
Old June 26th, 2004, 02:08 PM   #1
Darlid01
IBIS Toolbar/HuntBar/Btiein

I can't get rid of this.

I can't delete the key from the registry
Pest Detected in HKEY_LOCAL_MACHINE\software\btiein
Pest: IBIS Toolbar
Action taken: Ignored this time

I can't delete the folders or the file cursors.xml
Pest Detected in C:\Program Files\toolbar
Pest: IBIS Toolbar
Action taken: Ignored this time


Pest Detected in C:\Program Files\toolbar\Cursors
Pest: IBIS Toolbar
Action taken: Ignored this time


Pest Detected in C:\Program Files\toolbar\Cursors\cursors.xml
Pest: IBIS Toolbar
MD5: 6708a6451fb960dc98302fabbf6820d8
Action taken: Ignored this time


StartupList report, 6/26/2004, 12:36:01 PM
StartupList version: 1.52
Started from : C:\HijackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe
C:\WINNT\System32\ctfmon.exe
C:\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

MSN Manager = C:\WINNT\System32\mscmgr.exe
PestPatrol Control Center = C:\PROGRA~1\PESTPA~1\PPControl.exe
PPMemCheck = C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
CookiePatrol = C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
PestPatrolCL = C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\
Ad-aware = "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Once

PPClean Remove at boot = C:\PPCleanDeleteAtReboot.bat
Pest Cleaning = "C:\PROGRA~1\PESTPA~1\ppclean.exe" ts:20040625212620625 clean suite 2 2 2 2 2 2 2 2 2 2

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINNT\System32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\System32\scrnsave.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Microsoft Money\System\mnyside.dll - {243B17DE-77C7-46BF-B94B-0B5F309A0E64}

--------------------------------------------------

Enumerating Download Program Files:

[ppctlcab]
CODEBASE = http://www.pestscan.com/scanner/ppctlcab.cab
OSD = C:\WINNT\Downloaded Program Files\OSD406.OSD

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[NetVueX Control]
InProcServer32 = C:\WINNT\DOWNLO~1\netvuex.ocx
CODEBASE = http://www2.platsystems.com/plat/henn/netvuex.cab

[PPSDKActiveXScanner.MainScreen]
InProcServer32 = C:\WINNT\Downloaded Program Files\PPSDKActiveXScanner.ocx
CODEBASE = http://www.pestscan.com/scanner/axscanner.cab

[{4855C21B-E452-4661-A702-ED3493CE74DF}]
CODEBASE = http://sp.ask.com/docs/toolbar/download/askbar-inst.cab

[ActiveDataInfo Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\SymAData.dll
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/SymAData.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[ActiveDataObj Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\ActiveData.dll
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

[Hotmail Attachments Control]
InProcServer32 = C:\WINNT\Downloaded Program Files\HMAtchmt.ocx
CODEBASE = http://lw15fd.law15.hotmail.msn.com/activex/HMAtchmt.ocx

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINNT\system32\SHELL32.dll
CDBurn: C:\WINNT\system32\SHELL32.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: C:\WINNT\System32\stobject.dll

--------------------------------------------------
End of report, 5,534 bytes
Report generated in 0.406 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
~~~
Old June 26th, 2004, 02:33 PM   #2
GrandDad
Welcome to WD, Darlid01.

Have you looked at the sticky post at the top of the Anti-Virus section? Here's a link to it:

http://forums.windrivers.com/showthread.php?t=57348

and let us know if you have questions or how it went.
__________________
"you can Log out - but you can never leave" : DMO
What part of WOOF don't you understand ? Wolf
-----------------------------------
(Sergeant) Private Military Strategy Consultant
FormatAndReload.com
Old June 27th, 2004, 03:46 AM   #3
Darlid01
Thanks for the welcome. As you may have noticed from the running processes, I have Ad-aware, PestPatrol and BHODemon running. I also posted my HijackThis log. I have identified the key in the registry and a file, but using regedit I cannot delete the entries, and starting in safe mode with command prompt, I cannot delete the file. Any further ideas on how to remove it would be very helpful.

Thanks.

Quote:
Originally Posted by GrandDad
Welcome to WD, Darlid01.

Have you looked at the sticky post at the top of the Anti-Virus section? Here's a link to it:

http://forums.windrivers.com/showthread.php?t=57348

and let us know if you have questions or how it went.
Old June 27th, 2004, 04:06 AM   #4
Darlid01
I suppose I should mention that I have run all the programs individually from safe mode. PestPatrol and Ad-aware both detect it, thus two of the names of this thread. But nothing removes it. I have identified the culprit and I have neutered the key in the registry, but I can't delete it. I also can't delete the file.

Any ideas?
Old June 27th, 2004, 02:14 PM   #5
NooNoo
Have you looked at PestPatrol's manual removal instructions?
__________________
Never, ever approach a computer saying or even thinking "I will just do this quickly."
Old June 27th, 2004, 04:30 PM   #6
Darlid01
Yes, unfortunately, I cannot delete the keys from the registry, and the DLL it refers to is not there to unload. I also cannot delete the files. Of the keys to delete, only one is there: HKEY_LOCAL_MACHINE\software\btiein
I cannot delete the key; however, I have "zeroed out" the key. I'm not sure how useful that is, but that's the only thing I've been able to do.

So to summarize, I've tried deleting the keys and deleting the files, from the command prompt only and from safe mode, and have been unable to manually remove this. None of the scanners have been able to remove it either.

Any ideas?

Old June 28th, 2004, 03:42 AM   #7
NooNoo
Did you unregister the programfilesdir+\sep\sep.dll as suggested first?

Looks like you have the variant; try these removal instructions.

Please post the standard HijackThis log.
Old June 28th, 2004, 05:04 AM   #8
NooNoo
The last post on this page may be the answer: you have to take ownership of the key, or set permissions to allow you to manipulate it.
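The take-ownership route NooNoo points to, written out as an added example for an elevated PowerShell session on a current Windows (this is not code from the thread, from PestPatrol or from the linked post). The key path is the one reported in this thread; the P/Invoke helper that enables SeTakeOwnershipPrivilege, the choice of BUILTIN\Administrators as new owner, and the replacement protected DACL are assumptions of this example.

```powershell
# Added example (not from the thread): delete a registry key whose ACL blocks deletion.
# Run in an elevated PowerShell session: enable SeTakeOwnershipPrivilege, take ownership,
# grant Administrators full control, then remove the key and verify it is gone.
Add-Type -Namespace Win32 -Name Priv -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, Pack = 4)]
struct TokPriv { public uint Count; public long Luid; public uint Attr; }  // TOKEN_PRIVILEGES, 1 entry
[DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr p, uint a, out IntPtr t);
[DllImport("advapi32.dll", SetLastError = true)] static extern bool LookupPrivilegeValue(string h, string n, out long l);
[DllImport("advapi32.dll", SetLastError = true)] static extern bool AdjustTokenPrivileges(IntPtr t, bool d,
    ref TokPriv s, uint len, IntPtr prev, IntPtr ret);
public static bool Enable(string name) {
    IntPtr tok;  // 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
    if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, 0x28, out tok)) return false;
    TokPriv tp = new TokPriv(); tp.Count = 1; tp.Attr = 2;  // SE_PRIVILEGE_ENABLED
    if (!LookupPrivilegeValue(null, name, out tp.Luid)) return false;
    // AdjustTokenPrivileges returns true but sets ERROR_NOT_ALL_ASSIGNED (1300) if the token lacks the privilege
    return AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero) && Marshal.GetLastWin32Error() == 0;
}
'@
$subKey = 'SOFTWARE\btiein'   # key reported in this thread, relative to HKLM
$admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
$hklm   = [Microsoft.Win32.Registry]::LocalMachine
$rwTree = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
if (-not [Win32.Priv]::Enable('SeTakeOwnershipPrivilege')) { throw 'Could not enable privilege; run elevated.' }

# Step 1: with the privilege enabled the key opens for WRITE_OWNER whatever its DACL says;
# write a descriptor that changes only the owner.
$key = $hklm.OpenSubKey($subKey, $rwTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
if (-not $key) { throw "HKLM\$subKey not found" }
$sec = New-Object System.Security.AccessControl.RegistrySecurity
$sec.SetOwner($admins)
$key.SetAccessControl($sec); $key.Close()

# Step 2: an owner always holds WRITE_DAC; replace the DACL with a protected one that grants
# Administrators full control and is inherited by subkeys.
$key = $hklm.OpenSubKey($subKey, $rwTree, [System.Security.AccessControl.RegistryRights]::ChangePermissions)
$sec = New-Object System.Security.AccessControl.RegistrySecurity
$sec.SetAccessRuleProtection($true, $false)
$sec.AddAccessRule((New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList $admins, 'FullControl', 'ContainerInherit', 'None', 'Allow'))
$key.SetAccessControl($sec); $key.Close()

# Step 3: delete the key tree and confirm the deletion actually happened.
Remove-Item -Path "HKLM:\$subKey" -Recurse -Force
if (Test-Path "HKLM:\$subKey") { Write-Warning "HKLM\$subKey still present" } else { "HKLM\$subKey removed" }
```

If the key is still present after step 3, inspect each subkey with Get-Acl: a subkey carrying its own protected DACL needs steps 1 and 2 applied to it individually before the tree can be removed.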
Old June 28th, 2004, 10:41 AM   #9
Darlid01
That looks very promising. I'll try that as soon as I get home.

I'll let you know the results.

Quote:
Originally Posted by NooNoo
The last post on this page may be the answer: you have to take ownership of the key, or set permissions to allow you to manipulate it.
Old June 29th, 2004, 03:07 AM   #10
ADS_Tech
Noo - maybe you should change the subject line of the sticky for this thread to something big and catchy such as IMPORTANT - READ FIRST BEFORE POSTING ABOUT SPYWARE, as a lot of posts are being posted before any checks are made at all.

The spyware thread seems to be very popular at the moment - it certainly reflects the quantity of calls I'm making, as at least half are now spyware related.
Bloody internet, bah - who needs it!
__________________
If the automobile had followed the same development cycle as the computer, a Rolls-Royce would today cost $100, get a million miles per gallon, and explode once a year, killing everyone inside.

Robert X. Cringely, InfoWorld magazine
Old June 29th, 2004, 03:53 AM   #11
NooNoo
8244 views, impressive....

Good idea ADS_Tech, but the reason they don't find the sticky thread is that they google for their answers; if they hit on someone who complains of the exact problem, they will use that thread.

Can't blame them, and I certainly don't want to get all anal about using the search first as so many other boards do. Yeah, it is annoying that so many people don't know how to read instructions, but let's face it, we are here to solve problems, not allocate blame.
Old June 30th, 2004, 02:15 PM   #12
ADS_Tech
True. Hadn't thought about it from their perspective, in that they would just google it and find the specific thread.
Old July 5th, 2004, 12:49 PM   #13
Darlid01
I'm one of the few who had actually tried everything you mentioned first before posting my thread. Unfortunately, none of the tried and true methods worked. I actually posted here because a friend of mine is already a member here.

More to the subject, I have been able to neuter the virus so it doesn't do anything anymore, but although I can change the keys in the registry, I can't delete it. I get "Unknown error" and then about 50% of the time regedit crashes after I try to delete it. Sound interesting? I have posted the info on Spybot's BBS, Ad-aware's BBS and PestPatrol's BBS. I'll try and keep you updated on the results.

Quote:
Originally Posted by ADS_Tech
True. Hadn't thought about it from their perspective, in that they would just google it and find the specific thread.
Old July 5th, 2004, 05:26 PM   #14
NooNoo
Quote:
Originally Posted by Darlid01
I'm one of the few who had actually tried everything you mentioned first before posting my thread. Unfortunately, none of the tried and true methods worked. I actually posted here because a friend of mine is already a member here.

More to the subject, I have been able to neuter the virus so it doesn't do anything anymore, but although I can change the keys in the registry, I can't delete it. I get "Unknown error" and then about 50% of the time regedit crashes after I try to delete it. Sound interesting? I have posted the info on Spybot's BBS, Ad-aware's BBS and PestPatrol's BBS. I'll try and keep you updated on the results.

Thanks, I'll make a sticky of the results...
Old July 12th, 2004, 10:52 AM   #15
Darlid01
Not looking for more advice, just keeping you posted on the progress. PestPatrol requested I send them an ISO of the entire hard drive. (Actually they didn't need certain sections.) A professional there will look it over and get back to me. Apparently I have the first of a new wave of viruses. It's infecting regedit so it can't run.

Quote:
Originally Posted by NooNoo
Thanks, I'll make a sticky of the results...