Annoying, and perhaps potentially risky, BHOs I can't get rid of

Discussion in 'Malware Help (A Specialist Will Reply)' started by PRosenberg, Dec 20, 2005.

  1. PRosenberg

    PRosenberg Private E-2

    Hi there,

    Tired of seeing the same 7-8 Registry BHO settings popping up in my Spybot S&D scans, which it couldn't remove, I decided to follow the strict road of malware/adware/spyware removal instructions from this Majorgeeks site, starting with this new Required Reading Article:
    http://forums.majorgeeks.com/showthread.php?t=35407

    I have to say, I also use SpyWareBlaster in connection with Spybot S&D, and normally let it protect what it recommends. But I started with this protection early this autumn, unfortunately after I got the spyware entries in my registry :mad:.

    Having downloaded all the suggested tools which I didn't already have, I booted in Safe Mode.
    1. Ran CCleaner,
    using the standard removal of temp files.
    2. Ran MS Windows Malicious SW Remover,
    which didn't find anything.
    3. Ran Ad-Aware SE,
    with a Full System Scan. Booting in Safe Mode without networking gave me no option to refresh the definitions, which were 206 days old.
    It found 564 objects, and on accepting the removal it told me it had removed more than 600 objects.
    4. Ran Spybot S&D,
    which found 9 problems, of which it could only fix 2, thus 7 left (see below).
    5. Ran MS AntiSpyware.
    Well, the installer would not run in Safe Mode, so I decided to restart in Normal Mode. Did the install, and I got 'Error 101' repeatedly.
    Googled a bit, and found that a shortcut with the 'embedding' parameter helped:
    "C:\Programmer\Microsoft AntiSpyware\gcasDtServ.exe" -embedding
    Removed what it found after a Full Scan.
    6. Ran Panda Software ActiveScan.
    Took a very long time (overnight, actually), and gave me a few entries saved in a log file (see later).
    7. Finally did an HJT scan, which I attach too.

    Now in Normal Mode, I also did a refresh of Ad-Aware SE. Re-ran it, and now it found 132 objects, which I asked it to remove.

    End of this story: Spybot S&D still reports these (sometimes 7 and sometimes 8):
    - CoolWWWSearch
    - DyFuCA
    - Exact Advertising.BargainsBuddy
    - Huntbar
    - ISearchTech.YSB
    - NewDotNet
    which I can't get rid of in the Registry. Manual removal is impossible: REGEDIT does not allow the key to be removed, since it tells me the key is invalid. I suppose this is the way the key is protected from being deleted by spyware removal tools!

    But can anyone help me get around this? :confused:
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You skipped a scan in our Tutorial. The BitDefender scan is not optional. Run the scan and post the log.
     
  3. PRosenberg

    PRosenberg Private E-2

    Sorry, yes, I can see it's not optional.
    I ran BitDefender (should be Step 7 in the procedure) in Report Mode, without letting it fix anything (I hope that's what I was supposed to do).
    I have attached the BitDefender Scan Report, which also seems to look deep inside the Norton AntiVirus Quarantine too.
    I saved the report via a spreadsheet program instead, so the file is TAB-delimited (this option is not available if saving from MS IE).

    Thanks
    P.S. Just found that the file exceeds the 250KB limit :eek:, so if you don't mind, I removed the entries noted as in Quarantine. I can repost it as a ZIP later if you really want to look at the whole lot.
     
  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Go back and follow the Read Me first closely; you have programs installed that should have been uninstalled at the beginning of the Read Me. I need all 3 logs, run one after another, not 2 days apart.
     
    Last edited: Dec 22, 2005
  5. PRosenberg

    PRosenberg Private E-2

    Well, perhaps I didn't explain myself thoroughly. I did actually perform Step 0 (removal of malware programs using Add/Remove Programs), months ago.
    The left-overs surely are on the list of malware shown in that step, but clearly the uninstall did not remove everything, as one can see in my registry in particular.
    So the Add/Remove Programs step has been done.
    I did a total re-run once again, except that CCleaner won't start and run anymore :confused:. I uninstalled/reinstalled; the same occurred.
    Having downloaded all the suggested tools which I didn't already have, I booted in Safe Mode.
    1. Ran CCleaner, but it ended quickly (a problem exists somewhere).
    2. Ran MS Windows Malicious SW Remover,
    which didn't find anything.
    3. Ran Ad Aware SE
    4. Ran SpyBot S&D
    5. Ran MS AntiSpyware,
    6. Ran PandaSoftware ActiveScan,
    Took a very long time (overnight, actually), and gave me a few entries saved in a log file (see later).
    7. Finally did a HJT, whose Log file I attach.

    I do apologize if the elapsed time is too long between the creation of the log files. The 7-step procedure takes one night to run if you, like me, don't sit by the PC from morning to midnight :)
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You have a lot of stuff that is Quarantined by Norton AntiVirus; empty the quarantine folder. You also have several emails that contain a virus in Outlook; delete those emails, then empty the Deleted Items folder.

    In HJT, choose Open the Misc Tools Section, choose Process Manager, highlight:
    Choose Kill Process.

    Now scan and have HJT Fix the following:
    Download
    - Pocket Killbox
    - ExplorerXP

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note: many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Follow the directions for Running Ewido Security Suite.

    Post the Ewido log and a fresh HijackThis log when finished.
     
  7. PRosenberg

    PRosenberg Private E-2

    Thanks for the quick reply.
    I did remove all items in Quarantine and also some Outlook mails that were affected.
    I also removed the MSGPLUS1, after the process was killed.
    I did let HJT fix the list of items, but afterwards my PC was unable to get to the Internet. I did expect this, due to the manual setup I have of DNS servers, which showed up in the first O17 HJT entry.
    I re-entered these into the TCP/IP settings, and I was on the network again. I don't think we should remove this one entry after all.
    Starting Pocket Killbox, under 'Tools ---> Delete Temp Files', there's no RED X showing up (as the Ewido instructions said)! The RED X is only in the main window. Otherwise I got MSGPLUS1.exe removed, and then did a manual reboot into SAFE Mode.
    Removed the files listed, and ran CCleaner (this time it started) and then cleanmgr (for drive C, the boot drive). Then rebooted into NORMAL Mode.
    Installed ewido Security Suite, but it would not start :confused:. I did see a process related to it that started, but it never opened a UI window.
    I then rebooted into SAFE Mode again, and now ewido started :). I updated the ewido software & virus signatures (network was there), and did 2 scans, one registry scan and then one full scan. I have attached both scan reports.
    Finally a HJT log was created, and I attach that one too.

    I admit, there seems to be no registry entries left to worry about, although ewido seems to have found something it wasn't able to cure.
    Anxious to hear what you think about it, but tomorrow (wed) I will not be able to follow-up.

    P.S. After I came back from running ewido in SAFE Mode into NORMAL Mode, it would start, though!
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy and Paste the contents of the below quote box to notepad, Save As FixReg.reg to your desktop.
    Close Notepad, double-click FixReg.reg on your desktop and answer 'Yes' when asked if you want to merge with the registry.

    REBOOT


    Run CCleaner before doing the below.

    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

    Post WinPFind.txt and a fresh HijackThis log.
     
  9. PRosenberg

    PRosenberg Private E-2

    Did all that you suggested, except that I wasn't able to run CCleaner :(. Again, the program icon I double-clicked did not respond for some odd reason :confused:. I ran the DLL Dependency Walker and profiled CCleaner, and found a DLL load error: VB6DA.DLL not found.
    This apparently caused CCleaner to terminate without any error message.
    I figured, the CCleaner was to delete temp files (again), so I proceeded with WinPFind.
    HJT and WinPFind scan logs attached.

    Trying in parallel, to find what/why VB6DA.DLL is missing.
     

    Attached Files:

  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Boot to Safe Mode.

    Open Windows Explorer; navigate to and delete the following:
    Reboot to Normal Mode.

    How is your computer running?
     
  11. PRosenberg

    PRosenberg Private E-2

    I did what you suggested.
    My PC runs OK :) and I believe the Trojans and spyware are removed.
    BUT my original posting is still valid :(:
    Spybot S&D still reports these as malware:
    - Huntbar
    - CoolWWWSearch
    - DyFuCA
    - Exact Advertising.BargainsBuddy
    - Huntbar
    - ISearchTech.YSB
    - NewDotNet
    - SurfAccuracy
    All of them are Registry keys. Not even HJT was able to remove them, it seems, and I had not done any System Restores or anything else actively that could bring them back to life.
    So maybe I should live with them forever :eek:!
     
  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Post the Spybot log.
     
  13. PRosenberg

    PRosenberg Private E-2

    Sure, here is the Spybot log from the scan I ran at just around the same time as HJT.

    Happy New Year too !
     

    Attached Files:

  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Open REGEDIT and delete the following registry keys:
    REBOOT

    Run Spybot; if Spybot still finds problem, post the log.
     
  15. PRosenberg

    PRosenberg Private E-2

    Hi again, sorry for the latency,
    I've been off a few days.

    I tried to delete the registry keys you suggested, but it's not possible for some of them.
    I get error prompts from REGEDIT if I try to open/delete the ones in question.
    Therefore, I believe the malware/spyware removal programs also have difficulties in removing them.
    I attach a ZIP'd RTF file with screenshots for the keys giving problems.
    A few of the keys suggested to be removed weren't even in the registry.
    So I did not run S&D, due to the problems encountered.

    Cheers
     

    Attached Files:

  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Boot to Safe Mode and try deleting those keys.
     
  17. PRosenberg

    PRosenberg Private E-2

    Well, finally I got my hand on the PC from the family members :)

    Booted in Safe Mode, but without luck. The keys which couldn't be deleted in the first place (the first 4 and the last one) could not be deleted in Safe Mode either. The same error message came up.
    I could export the keys, though, and I attach 4 of them as TXT files.

    Hope it helps debugging.
     

    Attached Files:

  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    In Safe Mode.

    Start -> Run, type regedit.

    Navigate to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    WinTools <<------ Delete the Key
    TB_setup <<------ Delete the Key
    TB_setup <<------ Delete the Key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    {87766247-311C-43B4-8499-3D5FEC94A183} <<------ Delete the Key

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    WinToolsSvc <<------ Delete the Key

    REBOOT
    to Normal Mode.

    Open a DOS command prompt window (from Start -> Programs -> Accessories), and enter the following commands:
    Open ExplorerXP, navigate to and delete the following:
    To clean up, you can also open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and delete any of the subkeys ‘MSIETS’, ‘MSIEIN’, ‘MSLINK’, ‘BTIEIN’, ‘BTLINK’, ‘Search Toolbar’ and ‘WinTools’ in the Software subkey of both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER.
    For WinTools, you can also delete the keys inside HKEY_CLASSES_ROOT\CLSID with numbers {26E8361F-BCE7-4F75-A347-98C88B418322} and {87067F04-DE4C-4688-BC3C-4FCF39D609E7}. Inside HKEY_CLASSES_ROOT\PROTOCOLS, the Name-Space Handler\res\WToolsB.ResProtocol key can also go. Next, open Microsoft\Windows\CurrentVersion\Installer\UserData in HKEY_LOCAL_MACHINE\Software, and delete the ‘AUI’ and ‘STO’ subkeys, and the ‘TUID’ entry.

    Delete the shortcuts the HuntBar/Side and TS variants add to the desktop, start menu and favourites menu, and reset your search and home pages back to normal.
    How to Reset Web Settings


    Run Spybot and post the log.
     
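The thread never shows the contents of the exported keys the OP attached in post #17, and it does not establish why REGEDIT reported them as invalid (one documented cause of that exact symptom is a key name containing characters the Win32 registry API will not pass, such as an embedded NUL, which needs a native-API deletion tool rather than regedit; whether that applies here is not known from the page). What an analyst can do offline with such an export is parse it and check it against the removal list from post #18. The script below is an added example, not code from the thread or from MajorGeeks: it parses the text format regedit writes on export (REG_SZ, REG_DWORD, hex and hex(2)/hex(7) data with line continuations), resolves each Browser Helper Object CLSID to the DLL its HKEY_CLASSES_ROOT\CLSID\{…}\InprocServer32 key names, lists Run entries and services, and reports which of the post #18 items are still present. The key, value and CLSID names in the sample are the ones post #18 lists; the sample export itself is constructed and the file paths in it are invented assumptions, not taken from the thread. It reads text only and never touches a live registry, so it runs on any OS.

```python
# Added example (not from the thread): offline triage of a regedit export
# (Windows Registry Editor Version 5.00 text), such as the TXT files the OP posted.
import re

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SVC_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
WINTOOLS_CLSID = "{87766247-311C-43B4-8499-3D5FEC94A183}"   # BHO CLSID from post #18
# Constructed sample export. Key and value names are the ones post #18 lists;
# the file paths are assumptions invented for the example, not from the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinTools"="C:\\Program Files\\Common Files\\WinTools\\WToolsA.exe"
"TB_setup"="C:\\WINDOWS\\TB_setup.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{87766247-311C-43B4-8499-3D5FEC94A183}]

[HKEY_CLASSES_ROOT\CLSID\{87766247-311C-43B4-8499-3D5FEC94A183}\InprocServer32]
@="C:\\Program Files\\Common Files\\WinTools\\WToolsB.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinToolsSvc]
"Type"=dword:00000010
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,54,00,6f,00,6f,00,6c,00,73,00,53,00,76,00,\
  63,00,2e,00,65,00,78,00,65,00,00,00
'''

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def _unescape(s):
    # regedit escapes backslash and double quote inside "..." strings
    return s.replace('\\\\', '\\').replace('\\"', '"')

def _decode(data):
    """Right-hand side of a value line -> Python value."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])                      # REG_SZ
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)                          # REG_DWORD
    if data.lower().startswith("hex"):                    # hex, hex(2), hex(7), ...
        typ, _, payload = data.partition(":")
        raw = bytes.fromhex(re.sub(r"[\s,]", "", payload))
        if typ.lower() in ("hex(2)", "hex(7)"):           # REG_EXPAND_SZ / REG_MULTI_SZ
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw                                        # REG_BINARY and friends
    return data

def parse_reg(text):
    """Return {key_path: {value_name: value}}; "" is the (Default) value.
    "[-KEY]" deletion lines from hand-written fix files are not handled."""
    reg, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):                           # hex data continues on next line
            pending = line[:-1]
            continue
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            reg[current][name] = _decode(m.group(3))
    return reg

def find_key(reg, path):
    """Case-insensitive lookup: registry key names are not case-sensitive."""
    return next((v for k, v in reg.items() if k.lower() == path.lower()), None)

def subkeys(reg, parent):
    prefix = parent.lower() + "\\"
    return [k[len(prefix):] for k in reg
            if k.lower().startswith(prefix) and "\\" not in k[len(prefix):]]

def resolve_bhos(reg):
    """Map each registered BHO CLSID to the DLL its InprocServer32 key names."""
    return {clsid: (find_key(reg, r"HKEY_CLASSES_ROOT\CLSID\%s\InprocServer32" % clsid)
                    or {}).get("") for clsid in subkeys(reg, BHO_KEY)}

def run_entries(reg):
    return dict(find_key(reg, RUN_KEY) or {})

def services(reg):
    return {name: (find_key(reg, SVC_KEY + "\\" + name) or {}).get("ImagePath")
            for name in subkeys(reg, SVC_KEY)}

def triage(reg):
    """Which of the items post #18 names are still present in the export.
    Under the Run key, WinTools and TB_setup are values, not subkeys."""
    run = {n.lower() for n in run_entries(reg)}
    bhos = {c.lower() for c in resolve_bhos(reg)}
    svcs = {n.lower() for n in services(reg)}
    return {"Run value WinTools": "wintools" in run,
            "Run value TB_setup": "tb_setup" in run,
            "BHO " + WINTOOLS_CLSID: WINTOOLS_CLSID.lower() in bhos,
            "Service WinToolsSvc": "wintoolssvc" in svcs}
```

To use it on a real export, read the file regedit wrote (it saves .reg files as UTF-16 with a BOM, so open with `encoding="utf-16"`) and pass the text to `parse_reg`; `resolve_bhos` gives the DLL behind each BHO so the file can be checked on disk before anything is deleted, and `triage` is the before/after checklist for the post #18 deletions. The script reports only; deleting the keys is still done in regedit as the thread describes.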
