BHO/Spyware That Keeps Coming Back

Guest

Hi all
Have had problem of browser being hijacked and PopUps then telling me that
system is infected with Spyware etc. I have run each of the following
multiple times (in both normal and safe mode) : Ad-Aware SE, CWS, Hijackthis,
SpybotSD, Spywarescanner, BHODemon, SpywareBlaster, SpySubtract, NoAdware. My
OS is XP Professional. Ad-Aware always lists at least 20 critical objects,
which I delete. I investigated in detail each entry returned by HijackThis -
fixed those that were suspect. The other apps tell me all is in order. But
then, when I start IE again, the BHO returns and the problem reoccurs. Info
gleaned from BHODemon is as follows:
Registry Entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{EEE866F9-E8F2-4342-8A40-A1E63330417D}. A dll (each time with
a different name). eg C:\Windows\System32\aoapi.dll is picked up by BHODemon.
This is also picked up by Hijackthis, but only after IE has started. I fix it
using HijackThis, but the prob just comes back again.
Any assistance would be greatly appreciated. Thanks.
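
Added example, not part of the original thread: a small Python check that compares HijackThis scans taken before and after IE starts and flags a BHO whose CLSID stays fixed while its DLL name changes, which is the symptom described above. The sample logs are constructed; only the `{EEE866F9-...}` CLSID and `aoapi.dll` come from the post, and the function names are this example's own.

```python
import re
from collections import defaultdict

# HijackThis reports each Browser Helper Object on an "O2 - BHO:" line:
#   O2 - BHO: <name> - {CLSID} - <DLL path>
O2_LINE = re.compile(
    r"^O2 - BHO:\s*(?P<name>.*?)\s+-\s+"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s+-\s+(?P<dll>.+?)\s*$"
)

# Constructed sample logs (O2 lines only). The EEE866F9 CLSID and aoapi.dll come
# from the post; the toolbar entry and rndname1.dll are made up for illustration.
SCAN_BEFORE_IE = r"""
O2 - BHO: Example Toolbar - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\toolbar.dll
"""
SCAN_AFTER_IE_1 = SCAN_BEFORE_IE + r"""
O2 - BHO: (no name) - {EEE866F9-E8F2-4342-8A40-A1E63330417D} - C:\Windows\System32\aoapi.dll
"""
SCAN_AFTER_IE_2 = SCAN_BEFORE_IE + r"""
O2 - BHO: (no name) - {eee866f9-e8f2-4342-8a40-a1e63330417d} - C:\Windows\System32\rndname1.dll
"""

def parse_bhos(log_text):
    """Return {CLSID (upper case): DLL path} for every O2 line in one log."""
    bhos = {}
    for line in log_text.splitlines():
        m = O2_LINE.match(line.strip())
        if m:
            bhos[m.group("clsid").upper()] = m.group("dll")
    return bhos

def appeared_since(before_log, after_log):
    """CLSIDs registered in after_log but absent from before_log."""
    return sorted(set(parse_bhos(after_log)) - set(parse_bhos(before_log)))

def respawning_bhos(logs):
    """CLSIDs that point at more than one DLL across scans: same key, new file name."""
    seen = defaultdict(list)
    for log in logs:
        for clsid, dll in parse_bhos(log).items():
            if dll.lower() not in [d.lower() for d in seen[clsid]]:
                seen[clsid].append(dll)
    return {c: d for c, d in seen.items() if len(d) > 1}

if __name__ == "__main__":
    print("new after IE start:", appeared_since(SCAN_BEFORE_IE, SCAN_AFTER_IE_1))
    scans = [SCAN_BEFORE_IE, SCAN_AFTER_IE_1, SCAN_AFTER_IE_2]
    for clsid, dlls in respawning_bhos(scans).items():
        print(clsid, "->", dlls)
```

A CLSID that reappears with a new file name after each fix means something outside the BHO key is re-registering it, so deleting the key or the DLL alone will not hold.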
 
Malke

Panther2000 said:
Hi all
Have had problem of browser being hijacked and PopUps then telling me
that system is infected with Spyware etc. I have run each of the
following multiple times (in both normal and safe mode) : Ad-Aware SE,
CWS, Hijackthis, SpybotSD, Spywarescanner, BHODemon, SpywareBlaster,
SpySubtract, NoAdware. My OS is XP Professional. Ad-Aware always lists
at least 20 critical objects, which I delete. I investigated in detail
each entry returned by HijackThis - fixed those that were suspect. The
other apps tell me all is in order. But then, when I start IE again,
the BHO returns and the problem reoccurs. Info gleaned from BHODemon
is as follows: Registry Entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{EEE866F9-E8F2-4342-8A40-A1E63330417D}. A dll (each
time with a different name). eg C:\Windows\System32\aoapi.dll is
picked up by BHODemon. This is also picked up by Hijackthis, but only
after IE has started. I fix it using HijackThis, but the prob just
comes back again. Any assistance would be greatly appreciated. Thanks.

Follow the instructions here at SilentRunners:

http://www.silentrunners.org/sr_cwsremoval.html

I had a client's box infected just like yours and it was a b*tch to
finally kill the malware, but I did it. You can, too!

Good luck,

Malke
 
David H. Lipman

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download Sysclean.com and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt242.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) Create a new Restore point


* * * Please report your results ! * * *

Dave



| Hi all
| Have had problem of browser being hijacked and PopUps then telling me that
| system is infected with Spyware etc. I have run each of the following
| multiple times (in both normal and safe mode) : Ad-Aware SE, CWS, Hijackthis,
| SpybotSD, Spywarescanner, BHODemon, SpywareBlaster, SpySubtract, NoAdware. My
| OS is XP Professional. Ad-Aware always lists at least 20 critical objects,
| which I delete. I investigated in detail each entry returned by HijackThis -
| fixed those that were suspect. The other apps tell me all is in order. But
| then, when I start IE again, the BHO returns and the problem reoccurs. Info
| gleaned from BHODemon is as follows:
| Registry Entry:
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
| Helper Objects\{EEE866F9-E8F2-4342-8A40-A1E63330417D}. A dll (each time with
| a different name). eg C:\Windows\System32\aoapi.dll is picked up by BHODemon.
| This is also picked up by Hijackthis, but only after IE has started. I fix it
| using HijackThis, but the prob just comes back again.
| Any assistance would be greatly appreciated. Thanks.
 
Malke

Vikram said:
Malke,
Good find. The article worked like a charm.

Yay! Hurray! I'm so pleased for you. Thanks so much for letting me know.

Very much cheers,

Malke
 
Guest

Hi there Malke
Mate, it did the job beautifully. I owe you a beer. I have waited until now
to state that system is now clean cos so many times previously I had thought
everything OK but the blighter just kept coming back. Not coming back this
time.
Thanks again.
 
Malke

Panther2000 said:
Hi there Malke
Mate, it did the job beautifully. I owe you a beer. I have waited
until now to state that system is now clean cos so many times
previously I had thought everything OK but the blighter just kept
coming back. Not coming back this time.
Thanks again.

Awesome. I'm so glad you got it sorted. Thank you for letting me know.

Cheers,

Malke
 
