BHO/Spyware That Keeps Coming Back

 
 
Panther2000
 
      9th Nov 2004
Hi all
Have had problem of browser being hijacked and PopUps then telling me that
system is infected with Spyware etc. I have run each of the following
multiple times (in both normal and safe mode) : Ad-Aware SE, CWS, Hijackthis,
SpybotSD, Spywarescanner, BHODemon, SpywareBlaster, SpySubtract, NoAdware. My
OS is XP Professional. Ad-Aware always lists at least 20 critical objects,
which I delete. I investigated in detail each entry returned by HijackThis -
fixed those that were suspect. The other apps tell me all is in order. But
then, when I start IE again, the BHO returns and the problem reoccurs. Info
gleaned from BHODemon is as follows:
Registry Entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{EEE866F9-E8F2-4342-8A40-A1E63330417D}. A dll (each time with
a different name). eg C:\Windows\System32\aoapi.dll is picked up by BHODemon.
This is also picked up by Hijackthis, but only after IE has started. I fix it
using HijackThis, but the prob just comes back again.
Any assistance would be greatly appreciated. Thanks.
 
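An added example, not part of the thread or any poster's own words: the Browser Helper Objects key quoted in the post above only names a CLSID, and the DLL that keeps changing name is registered under that CLSID's `InprocServer32` key. The PowerShell below lists each BHO under the key from the post with the DLL it resolves to, the file's creation time, hash and signature status. It assumes PowerShell 4 or later; `Get-BhoInventory` is a hypothetical helper name.

```powershell
# Added example (not from the thread): map each registered BHO CLSID to its DLL.
# Reads only the key named in the post; the CLSID lookup uses the merged HKCR view.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-BhoInventory {   # hypothetical helper name
    if (-not (Test-Path -LiteralPath $bhoRoot)) { return }
    foreach ($key in Get-ChildItem -LiteralPath $bhoRoot) {
        $clsid  = $key.PSChildName
        # The BHO key holds only a CLSID; the DLL path is the default value
        # of CLSID\<clsid>\InprocServer32.
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path -LiteralPath $inproc) {
            $dll = [string](Get-Item -LiteralPath $inproc).GetValue('')
            $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')
        }
        # A bare file name is resolved against System32 here (assumption).
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path "$env:SystemRoot\System32" $dll
        }
        $file = $null
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $file = Get-Item -LiteralPath $dll -Force
        }
        [pscustomobject]@{
            Clsid      = $clsid
            Dll        = $dll
            OnDisk     = [bool]$file
            CreatedUtc = if ($file) { $file.CreationTimeUtc }
            Sha256     = if ($file) { (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash }
            Signature  = if ($file) { (Get-AuthenticodeSignature -LiteralPath $dll).Status }
        }
    }
}

Get-BhoInventory | Sort-Object Clsid | Format-List
```

Running it before and after Internet Explorer starts and comparing the `Dll` and `Sha256` values shows whether the same CLSID is being re-pointed at a newly dropped file.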
 
 
 
 
Malke
 
      9th Nov 2004
Panther2000 wrote:

> Hi all
> Have had problem of browser being hijacked and PopUps then telling me
> that system is infected with Spyware etc. I have run each of the
> following multiple times (in both normal and safe mode) : Ad-Aware SE,
> CWS, Hijackthis, SpybotSD, Spywarescanner, BHODemon, SpywareBlaster,
> SpySubtract, NoAdware. My OS is XP Professional. Ad-Aware always lists
> at least 20 critical objects, which I delete. I investigated in detail
> each entry returned by HijackThis - fixed those that were suspect. The
> other apps tell me all is in order. But then, when I start IE again,
> the BHO returns and the problem reoccurs. Info gleaned from BHODemon
> is as follows: Registry Entry:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
> Helper Objects\{EEE866F9-E8F2-4342-8A40-A1E63330417D}. A dll (each
> time with a different name). eg C:\Windows\System32\aoapi.dll is
> picked up by BHODemon. This is also picked up by Hijackthis, but only
> after IE has started. I fix it using HijackThis, but the prob just
> comes back again. Any assistance would be greatly appreciated. Thanks.


Follow the instructions here at SilentRunners:

http://www.silentrunners.org/sr_cwsremoval.html

I had a client's box infected just like yours and it was a b*tch to
finally kill the malware, but I did it. You can, too!

Good luck,

Malke
--
MS MVP - Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
 
 
David H. Lipman
 
      9th Nov 2004
1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download Sysclean.com and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt242.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) Disable System Restore
http://vil.nai.com/vil/SystemHelpDoc...SysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) Create a new Restore point


* * * Please report your results ! * * *

Dave



"Panther2000" wrote:
| Hi all
| Have had problem of browser being hijacked and PopUps then telling me that
| system is infected with Spyware etc. I have run each of the following
| multiple times (in both normal and safe mode) : Ad-Aware SE, CWS, Hijackthis,
| SpybotSD, Spywarescanner, BHODemon, SpywareBlaster, SpySubtract, NoAdware. My
| OS is XP Professional. Ad-Aware always lists at least 20 critical objects,
| which I delete. I investigated in detail each entry returned by HijackThis -
| fixed those that were suspect. The other apps tell me all is in order. But
| then, when I start IE again, the BHO returns and the problem reoccurs. Info
| gleaned from BHODemon is as follows:
| Registry Entry:
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
| Helper Objects\{EEE866F9-E8F2-4342-8A40-A1E63330417D}. A dll (each time with
| a different name). eg C:\Windows\System32\aoapi.dll is picked up by BHODemon.
| This is also picked up by Hijackthis, but only after IE has started. I fix it
| using HijackThis, but the prob just comes back again.
| Any assistance would be greatly appreciated. Thanks.


 
 
Vikram Thakur
 
      9th Nov 2004
Malke,
Good find. The article worked like a charm.

- Vikram

"Malke" wrote:

> Panther2000 wrote:
>
> > Hi all
> > Have had problem of browser being hijacked and PopUps then telling me
> > that system is infected with Spyware etc. I have run each of the
> > following multiple times (in both normal and safe mode) : Ad-Aware SE,
> > CWS, Hijackthis, SpybotSD, Spywarescanner, BHODemon, SpywareBlaster,
> > SpySubtract, NoAdware. My OS is XP Professional. Ad-Aware always lists
> > at least 20 critical objects, which I delete. I investigated in detail
> > each entry returned by HijackThis - fixed those that were suspect. The
> > other apps tell me all is in order. But then, when I start IE again,
> > the BHO returns and the problem reoccurs. Info gleaned from BHODemon
> > is as follows: Registry Entry:
> > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
> > Helper Objects\{EEE866F9-E8F2-4342-8A40-A1E63330417D}. A dll (each
> > time with a different name). eg C:\Windows\System32\aoapi.dll is
> > picked up by BHODemon. This is also picked up by Hijackthis, but only
> > after IE has started. I fix it using HijackThis, but the prob just
> > comes back again. Any assistance would be greatly appreciated. Thanks.
>
> Follow the instructions here at SilentRunners:
>
> http://www.silentrunners.org/sr_cwsremoval.html
>
> I had a client's box infected just like yours and it was a b*tch to
> finally kill the malware, but I did it. You can, too!
>
> Good luck,
>
> Malke
> --
> MS MVP - Windows Shell/User
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
>

 
 
Malke
 
      10th Nov 2004
Vikram Thakur wrote:

> Malke,
> Good find. The article worked like a charm.
>

Yay! Hurray! I'm so pleased for you. Thanks so much for letting me know.

Very much cheers,

Malke
--
MS MVP - Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
 
 
Panther2000
 
      12th Nov 2004
Hi there Malke
Mate, it did the job beautifully. I owe you a beer. I have waited until now
to state that system is now clean cos so many times previously I had thought
everything OK but the blighter just kept coming back. Not coming back this
time.
Thanks again.

"Malke" wrote:

> Panther2000 wrote:
>
> > Hi all
> > Have had problem of browser being hijacked and PopUps then telling me
> > that system is infected with Spyware etc. I have run each of the
> > following multiple times (in both normal and safe mode) : Ad-Aware SE,
> > CWS, Hijackthis, SpybotSD, Spywarescanner, BHODemon, SpywareBlaster,
> > SpySubtract, NoAdware. My OS is XP Professional. Ad-Aware always lists
> > at least 20 critical objects, which I delete. I investigated in detail
> > each entry returned by HijackThis - fixed those that were suspect. The
> > other apps tell me all is in order. But then, when I start IE again,
> > the BHO returns and the problem reoccurs. Info gleaned from BHODemon
> > is as follows: Registry Entry:
> > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
> > Helper Objects\{EEE866F9-E8F2-4342-8A40-A1E63330417D}. A dll (each
> > time with a different name). eg C:\Windows\System32\aoapi.dll is
> > picked up by BHODemon. This is also picked up by Hijackthis, but only
> > after IE has started. I fix it using HijackThis, but the prob just
> > comes back again. Any assistance would be greatly appreciated. Thanks.
>
> Follow the instructions here at SilentRunners:
>
> http://www.silentrunners.org/sr_cwsremoval.html
>
> I had a client's box infected just like yours and it was a b*tch to
> finally kill the malware, but I did it. You can, too!
>
> Good luck,
>
> Malke
> --
> MS MVP - Windows Shell/User
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
>

 
 
Malke
 
      13th Nov 2004
Panther2000 wrote:

> Hi there Malke
> Mate, it did the job beautifully. I owe you a beer. I have waited
> until now to state that system is now clean cos so many times
> previously I had thought everything OK but the blighter just kept
> coming back. Not coming back this time.
> Thanks again.


Awesome. I'm so glad you got it sorted. Thank you for letting me know.

Cheers,

Malke
--
MS MVP - Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
 