
HJT - dotydude


  • This topic is locked
5 replies to this topic

#1 dotydude

dotydude

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:46 AM

Posted 28 April 2005 - 12:04 AM

I'm having trouble removing the Huntbar or IBIS Toolbar from my Windows XP Pro system. I've tried using Spybot Search and Destroy, Adaware SE, and Microsoft Antispyware but none of those are able to remove it permanently. The following registry entries keep reappearing:

HKEY_LOCAL_MACHINE\software\btiein
HKEY_LOCAL_MACHINE\software\btiein\BTIEIN ITime

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:45:21 PM, on 4/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\spoolsv.exe
E:\program files\navnt\defwatch.exe
E:\program files\navnt\rtvscan.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
E:\PROGRA~1\navnt\vptray.exe
E:\Program Files\ViewMail\LFfaxtomail\lfsndmng.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
D:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINNT\System32\hphmon04.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\SOUNDMAN.EXE
E:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
E:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
E:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
E:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\System32\rundll32.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\System32\HPHipm11.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\News10 Now Desktop\TrueWeather.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Timex\Data Link USB\DataLinkLauncher.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\TEMP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O1 - Hosts: 192.104.34.15 exch01
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\navnt\vptray.exe
O4 - HKLM\..\Run: [lfsndmngav] E:\Program Files\ViewMail\LFfaxtomail\lfsndmng.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [InstantAccess] D:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] D:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [Regx10EXE] <REMOTEPATH_HERE>\ATIX10.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] E:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] D:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [seticlient] E:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] E:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [NBJ] "E:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: cleanup.bat
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = E:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: News10 Now Desktop.lnk = C:\Program Files\Common Files\News10 Now Desktop\TrueWeather.exe
O4 - Global Startup: Timex Data Link USB Launcher.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Highlight - C:\WINNT\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINNT\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINNT\WEB\selsearch.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINNT\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINNT\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINNT\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - WWW. Prefix: http://
O15 - Trusted Zone: http://*.amazon.com
O15 - Trusted Zone: http://www.cmgsccc.com
O15 - Trusted Zone: http://www.creaf.com
O15 - Trusted Zone: http://us.creative.com
O15 - Trusted Zone: http://www.gbgm-umc.org
O15 - Trusted Zone: http://*.irs.gov
O15 - Trusted Zone: http://*.musicmatch.com
O15 - Trusted Zone: http://www.sprinklerwarehouse.com
O15 - Trusted Zone: http://*.symantec.com
O15 - Trusted Zone: http://*.tvguide.com
O15 - Trusted Zone: http://www.usps.com
O15 - Trusted Zone: http://www.weatherbug.com
O15 - Trusted Zone: http://*.wellsfargo.com
O15 - Trusted Zone: http://*.yimg.com
O15 - Trusted IP range: http://192.168.133.254
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Serome Web2Phone - http://dialpad.com/applet/vscp.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt2_x.cab
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: Yahoo! Tic-Tac-Toe - http://download.games.yahoo.com/games/clients/y/ft3_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://pcco.peoplemed.com/CFIDE/classes/CFJava.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/downloads/s...119/CTSUEng.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://usage.smud.org/download/CfxIEAx.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nm1228.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {40F07A91-8E6F-11D0-8A0A-00A0C90C9B67} (MCSiLabelCtl Class) - http://activex.microsoft.com/activex/contr...si/mcsilabl.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {50F851B0-0BBE-11D2-A237-00C04FBBD1CD} (AvMediaMasterCtrl Class) - http://vmsvr01/saweb/MediaMasENU.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/25b2b329b3e92cfd3219/...ip/RdxIE601.cab
O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - http://activex.microsoft.com/activex/contr...x86/ietimer.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-3.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/downloads/s...12119/CTPID.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver...soft/wtinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BEI Scheduler - Unknown owner - \\?\E:\Program Files\ultrabac\UBSCHED.EXE (file missing)
O23 - Service: DefWatch - Symantec Corporation - E:\program files\navnt\defwatch.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NetTime (NetTimeSvc) - Subjective Software - C:\Program Files\NetTime\NeTmSvNT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\program files\navnt\rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - E:\orant\BIN\ONRSD80.EXE (file missing)
O23 - Service: OracleCMAdminService80 - Unknown owner - E:\orant\BIN\CMADM80.EXE (file missing)
O23 - Service: OracleCManService80 - Unknown owner - E:\orant\BIN\CMGW80.EXE (file missing)
O23 - Service: OracleNamesService80 - Unknown owner - E:\orant\BIN\NAMES80.EXE (file missing)
O23 - Service: OracleTNSListener80 - Unknown owner - E:\orant\BIN\TNSLSNR80.EXE (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\System32\HPHipm11.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - Unknown owner - C:\WINNT\System32\vmnetdhcp.exe (file missing)
O23 - Service: VSOCKS Light Proxy Server (VSOCKSLight) - Unknown owner - E:\PROGRA~1\VSOCKS\VSOCKS~1.EXE (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
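Reading a HijackThis log by hand means scanning for the same two markers every time: services whose binary is gone ("(file missing)") and services whose binary carries no company name ("Unknown owner"). The following PowerShell is an added example, not part of the thread or of HijackThis itself: it parses the O23 "Service" lines into objects and pulls out exactly those entries. The sample lines are copied from dotydude's log above; the function and property names are this example's own.

```powershell
# Added example (not from the thread): parse the O23 "Service" lines of a HijackThis 1.99 log
# into objects and flag the entries a reviewer looks at first. The sample lines are copied
# from dotydude's log above; the function and property names are this example's own.
$HjtSample = @'
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: BEI Scheduler - Unknown owner - \\?\E:\Program Files\ultrabac\UBSCHED.EXE (file missing)
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - Unknown owner - C:\WINNT\System32\vmnetdhcp.exe (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\System32\HPHipm11.exe
'@ -split "`r?`n"

function ConvertFrom-HjtService {
    param([string[]]$Lines)
    # Layout of an O23 line:
    #   O23 - Service: <display name>[ (<service name>)] - <owner> - <image path>[ (file missing)]
    # Lazy quantifiers plus the anchors keep the " - " separators unambiguous even when the
    # display name itself contains parentheses, as "InCD Helper (read only) (InCDsrvR)" does.
    $pattern = '^O23 - Service: (?<display>.+?)(?: \((?<name>[^()]+)\))? - (?<owner>.+?) - (?<path>.+?)(?<missing> \(file missing\))?$'
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }
        $name = if ($Matches['name']) { $Matches['name'] } else { $Matches['display'] }
        [pscustomobject]@{
            DisplayName  = $Matches['display']
            ServiceName  = $name
            Owner        = $Matches['owner']
            ImagePath    = $Matches['path']
            FileMissing  = [bool]$Matches['missing']
            # "Unknown owner" means HJT found no CompanyName in the binary's version resource,
            # not that the file is hostile; it only means you have to identify it yourself.
            OwnerUnknown = $Matches['owner'] -eq 'Unknown owner'
        }
    }
}

function Get-HjtServiceFindings {
    param([string[]]$Lines)
    # A service whose image is missing is a dead registration left behind by an uninstall:
    # it cannot start, but it is clutter that hides real problems and can be removed.
    ConvertFrom-HjtService $Lines | Where-Object { $_.FileMissing -or $_.OwnerUnknown }
}

Get-HjtServiceFindings $HjtSample | Format-Table ServiceName, Owner, FileMissing, ImagePath -AutoSize
```

Run against the six sample lines, the filter returns the three entries that need a second look (BEI Scheduler and VMnetDHCP for the missing binaries, ATI Smart for the unnamed owner) and drops the three that identify themselves. Feeding it a whole saved log works the same way, since lines that are not O23 entries are skipped.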


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:03:46 AM

Posted 29 April 2005 - 01:21 AM

Hi dotydude and welcome to the BC forums. Your log shows no signs of btiein or any other viruses or malware. If btiein is present on your system then try this to delete it:
  • Start regedit and delete the following keys:
    • HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ {63B78BC1-A711-4D46-AD2F-C581AC420D41} (if it exists)
    • HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Browser Helper Objects \ {63B78BC1-A711-4D46-AD2F-C581AC420D41} (if it exists)
  • Close regedit
  • Restart your computer.
  • Open Windows Explorer and delete the following file: c:\winnt\system32\btiein.dll
Now reboot your system and see if Huntbar comes back.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 dotydude

dotydude
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:46 AM

Posted 30 April 2005 - 01:08 PM

Howdy OldTimer,

Thanks for the welcome and response to my message. Unfortunately, none of those objects exist on my computer so I can't delete them. The "HKEY_LOCAL_MACHINE\software\btiein" and "HKEY_LOCAL_MACHINE\software\btiein\BTIEIN ITime" registry entries still won't go away. Any other suggestions?

Thanks,
dotydude

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:03:46 AM

Posted 30 April 2005 - 01:36 PM

Hi dotydude. If the files do not exist then IBIS is not installed on your computer. It might have been removed but simply left the registry entries behind. To remove them we can try a different tool. Please do the following.

Download and install Registrar Lite
  • Start RegLite
  • Navigate to the registry key below: (You can copy/paste the bold text into the address bar).
    • HKEY_LOCAL_MACHINE\software\
  • In the right-hand pane locate the entry for btiein and right-click on it. Choose Delete from the popup menu.
Note: If you have trouble deleting a key, click once on the key name to highlight it, click on the Security menu option and then the Edit Permissions item. Then uncheck Allow inheritable permissions, click on Everyone in the upper box and put a checkmark in Full control in the lower box. Click the Apply button and then the Ok button and attempt to delete the key again.

Cheers.

OT
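The same permissions fix, done from an elevated PowerShell prompt instead of Registrar Lite or regedit, as an added example that is not from the thread. It inspects the key's owner and access rules first, tries the delete, and only if the delete is refused rewrites the DACL: inheritance off (the "Allow inheritable permissions" box in the note above) and Full Control granted, then deletes the key tree. It deliberately grants Full Control to Administrators rather than to Everyone, since only the account doing the cleanup needs it and the key is about to be deleted anyway. The key path is the one dotydude reported; the function names are this example's own.

```powershell
# Added example (not from the thread): the permissions fix OldTimer describes, done from an
# elevated PowerShell prompt instead of Registrar Lite or regedit. The key path is the one
# dotydude reported; the function names are this example's own.
$SubKey = 'SOFTWARE\btiein'   # relative to HKEY_LOCAL_MACHINE

function Get-RegKeyAcl {
    param([string]$SubKey)
    # Read the key's owner, inheritance state and explicit rules (needs only READ_CONTROL)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
        [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    if (-not $key) { throw "HKLM\$SubKey does not exist" }
    try {
        $acl = $key.GetAccessControl()
        [pscustomobject]@{
            Key      = "HKLM\$SubKey"
            Owner    = $acl.GetOwner([System.Security.Principal.NTAccount]).Value
            Inherits = -not $acl.AreAccessRulesProtected
            Rules    = @($acl.Access | ForEach-Object {
                           "$($_.IdentityReference): $($_.RegistryRights) ($($_.AccessControlType))" })
        }
    } finally { $key.Close() }
}

function Unlock-RegKey {
    param([string]$SubKey)
    # Rewrite the DACL. Opening for ReadPermissions + ChangePermissions (READ_CONTROL and
    # WRITE_DAC) succeeds whenever the caller's token owns the key or already holds those
    # rights, which is the situation in the thread. If even this is refused, take ownership
    # first (regedit: Permissions > Advanced > Owner) and run this again.
    $admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions')
    if (-not $key) { throw "HKLM\$SubKey does not exist" }
    try {
        $acl = $key.GetAccessControl()
        # Equivalent of unchecking "Allow inheritable permissions": protect the DACL, and
        # keep copies of the inherited rules so nothing else loses access in the meantime.
        $acl.SetAccessRuleProtection($true, $true)
        # Full Control for Administrators (narrower than the thread's Everyone).
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList `
            $admins, 'FullControl', 'ContainerInherit', 'None', 'Allow'
        $acl.SetAccessRule($rule)
        $key.SetAccessControl($acl)
    } finally { $key.Close() }
}

function Remove-RegKeyTree {
    param([string]$SubKey)
    [Microsoft.Win32.Registry]::LocalMachine.DeleteSubKeyTree($SubKey)
    # $true only when the key really is gone; a $false here means something re-created it
    return -not (Test-Path -Path "HKLM:\$SubKey")
}

# Usage from an elevated prompt: look before changing anything, try the delete, and fall
# back to the DACL rewrite only if the delete is refused.
Get-RegKeyAcl $SubKey | Format-List
try {
    Remove-RegKeyTree $SubKey
} catch {
    Write-Host "Delete refused: $($_.Exception.Message); resetting permissions and retrying"
    Unlock-RegKey $SubKey
    Remove-RegKeyTree $SubKey
}
```

The return value of Remove-RegKeyTree is the check worth keeping: if it reports the key gone and the key is back at the next reboot, the problem is not permissions but a program that is still running and re-creating it, and no amount of ACL editing will help. In this thread the final post confirms it was purely a permissions problem.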


#5 dotydude

dotydude
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:46 AM

Posted 30 April 2005 - 10:16 PM

That was it, just a permissions problem. None of the anti-spyware programs clued me into that possibility. I managed to get the permissions sorted out in regedit so that I could remove it. Thank you very much for your help.
--dotydude

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:03:46 AM

Posted 30 April 2005 - 10:39 PM

Great! dotydude! I'm glad that we could help take care of that.

Now that your issues have been resolved I will close this topic. If you need it reopened for this same issue then please PM me. If you have any new issues in the future then please start a new topic.

Cheers.

Keep on computing!

OT
