what do I have? 'Only the best' pop-up, BHO value added, AIM automatically logs off

Discussion in 'Malware Help (A Specialist Will Reply)' started by aretinVA, Jun 12, 2005.

  1. aretinVA

    aretinVA Private E-2

    (This is my first post, so I apologize in advance for not knowing all the etiquette.)

    I'm not sure what I have, or if it's multiple problems. Here are my symptoms, which all appeared at about the same time:

    When I open IE, I often, but not always, get pop-up ads - mostly about tools for removing spyware - with 'Only the best' in the blue title bar. I just close them, but they always come back later.

    Before the problems started I had already downloaded Spybot Search & Destroy & had 'Immunize' on. Now I randomly get messages about 'Browser Helper Object' value added to registry. I click 'Deny change' & it goes away, but then comes back. I keep denying change, but it keeps coming back.

    AOL Instant Messenger lets me log on, but then when I try to send a message or receive one, it logs me off.

    I've read a number of threads about spyware & how to get rid of it, but I'm not sure which one, if any, is appropriate for my symptoms.

    Thanks for your advice!
     
  2. tblue

    tblue Corporal

    Last edited: Jun 13, 2005
  3. aretinVA

    aretinVA Private E-2

    Thanks, T.Blue,

    I did all the steps in the 'Read Me First' instructions, and everything went successfully, except that I couldn't run the Symantec Security Scan in safe mode (the window never went anywhere & the hourglass just sat there). When I ran the Symantec Scan in normal mode, it didn't find anything. A lot of stuff was found and cleaned up, though, and the pop-ups appear to have been eliminated.

    I'm still getting warning messages from Spybot, though, about registry changes. Only now I'm not able to accept OR deny the changes because the buttons aren't working (their outlines are partly missing and nothing happens when I click there.) Each time I click the 'x' to close the message, another one pops up, but not necessarily the same one. Now I'm also getting messages from 'Resident' (looks like more Spybot stuff, but I'm not sure) that say the registry changes have been denied. I wrote down a bunch of the messages, if that helps.

    Should I send a Hijack This log? I've looked at the thread with instructions for removing the "Only the Best" hijacker, and it looks pretty daunting... I'm not sure I understand everything it says to do.

    What now?

    Thanks again!
     
  4. tblue

    tblue Corporal

    You're welcome,
    Glad to see it helped you. Hold off on attaching the HJT log until BJ or Chas requests it. They might want you to do something else before running HJT. Hang in there and they will get to your thread as soon as they can. :)

    T.Blue
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    * Download HijackThis 1.99.1

    * Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    * Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    * Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    * Run HijackThis and save your log file.

    * Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    * Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  6. aretinVA

    aretinVA Private E-2

    I've attached my Hijack This log. I haven't tried fixing anything - wanted to hear from you all first.

    Thanks so much for your help!
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, you need to disable Spybot's TeaTimer as it will cause problems with this fix.


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
    O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
    O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [ipcf32.exe] C:\WINDOWS\system32\ipcf32.exe
    O4 - HKLM\..\Run: [appic.exe] C:\WINDOWS\appic.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://nt-nci41-ts.nci.nih.gov/ica32t.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\system32\ipcf32.exe

    C:\WINDOWS\appic.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck! :)
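The fix above works by reading a HijackThis log and picking out entries that reference nothing on disk (the "(no file)" BHOs and toolbars), Run entries with no descriptive name, and ActiveX downloads. The script below is an added example, not code from this thread or from HijackThis, that applies the same triage rules to a constructed sample log. The sample lines are modelled on the entries quoted in this thread; the "Adobe-like" O2 line and its CLSID are a constructed benign entry used only to show that a BHO backed by a real file is not flagged.

```python
import re
from dataclasses import dataclass

# Constructed sample log. The CLSIDs, paths and URL of the flagged lines are the
# ones listed in this thread; the O2 line with a file present is a made-up benign
# entry (placeholder CLSID) so the triage has a negative case.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Example PDF Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\ExampleHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ipcf32.exe] C:\WINDOWS\system32\ipcf32.exe
O4 - HKLM\..\Run: [appic.exe] C:\WINDOWS\appic.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://nt-nci41-ts.nci.nih.gov/ica32t.exe
"""

# "R3 - ..." / "O2 - ..." section prefix shared by every HijackThis line.
HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# O2 / O3 / O9 bodies: "<kind>: <name> - {CLSID} - <target>"
CLSID_ENTRY = re.compile(
    r"^(?P<kind>[^:]+): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$")
# O4 bodies: "HKLM\..\Run: [<value name>] <command line>"
RUN_ENTRY = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O16 bodies: "DPF: {CLSID} (<name>) - <download url>"  (name is optional)
DPF_ENTRY = re.compile(
    r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}(?: \((?P<name>[^)]*)\))? - (?P<url>.*)$")


@dataclass
class Finding:
    section: str   # HJT section, e.g. "O2"
    reason: str    # short tag explaining why the line was flagged
    line: str      # the original log line


def run_name_mirrors_exe(name: str, cmd: str) -> bool:
    """Heuristic: a Run value whose name is just the executable's file name
    (e.g. [ipcf32.exe] ...\\ipcf32.exe) carries no vendor description."""
    exe = cmd.split()[0] if cmd.split() else ""
    base = exe.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.lower() == name.lower()


def triage(log_text: str) -> list:
    """Return the log lines a helper would normally ask the poster to fix."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        sec, body = m["sec"], m["body"]
        if sec == "R3" and "is missing" in body:
            # HJT restores the default search hook when this line is fixed.
            findings.append(Finding(sec, "missing-urlsearchhook", line))
        elif sec in ("O2", "O3", "O9"):
            e = CLSID_ENTRY.match(body)
            if e and ("(no file)" in e["target"] or "(file missing)" in e["target"]):
                # Registry still registers a CLSID whose DLL is gone: dead entry.
                findings.append(Finding(sec, "orphaned-clsid", line))
        elif sec == "O4":
            e = RUN_ENTRY.match(body)
            if e and run_name_mirrors_exe(e["name"], e["cmd"]):
                findings.append(Finding(sec, "run-name-equals-exe", line))
        elif sec == "O16":
            e = DPF_ENTRY.match(body)
            if e and e["url"].lower().startswith(("http://", "https://")):
                # Downloaded ActiveX control: confirm it is expected, else remove.
                findings.append(Finding(sec, "activex-download", line))
    return findings


def orphaned_clsids(findings: list) -> set:
    """CLSIDs behind the orphaned O2/O3/O9 entries, for checking against
    the BHO / Toolbar registry keys afterwards."""
    out = set()
    for f in findings:
        if f.reason == "orphaned-clsid":
            e = CLSID_ENTRY.match(HJT_LINE.match(f.line)["body"])
            out.add(e["clsid"].upper())
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:3} {f.reason:24} {f.line}")
```

The KernelFaultCheck line is deliberately left alone: its value name does not mirror the executable, which is the pattern the heuristic keys on, and the O4 rule is a prompt for a human to look, not proof of infection on its own.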
     
  8. aretinVA

    aretinVA Private E-2

    I followed all the steps you described, and I've attached the most recent Hijack This log.

    Everything seemed to go well, with only 1 unexpected thing. When I ran Hijack This in Safe Mode, the 'R3 - Default URLSearchHook is missing' line did not appear in the scan. (I tried to look very carefully to make sure I didn't miss it.) Then when I ran HJT in Normal Mode, it showed up again.

    I haven't had a chance to test the system much yet, but I haven't seen the problems again so far. (Yea!!!)

    Some questions - We have Norton Internet Security & Anti-Virus installed, we use the automatic live update feature and we do a full system scan once a week, but now I'm wondering if Norton is effective enough. Is McAfee or something else better? Or is it ok to keep using Norton, but regularly run all the other programs too? (Before the problems started I had Adaware and Spybot installed too, but I didn't realize they weren't the latest versions, and I probably didn't run them often enough). How often should I run the other programs?

    Thank you again for all your help. It's been tremendous!
     
  9. aretinVA

    aretinVA Private E-2

    I spoke too soon. Once I turned the Spybot TeaTimer back on, I got the same Resident message I'd been getting before. It says:

    Registry change denied
    {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} (category User-specific browser toolbar) based on your black list

    I rebooted in Safe Mode and did another HJT scan (no fixes yet). The second scan is attached, and I see that some (but not all) of the items I removed earlier have reappeared.

    Also, the R3 line shows up in the attached log, when it didn't show up the first time I ran HJT to fix the items you recommended.

    Thanks again -
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You must leave TeaTimer disabled until we get everything removed.

    Scan with HijackThis and Check the Boxes for the following:

    R3 - Default URLSearchHook is missing

    Make sure All Browser Windows are Closed when you Click FIX.

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    After you complete the above, reboot and let me know how things are running.
     
  11. aretinVA

    aretinVA Private E-2

    I disabled TeaTimer and rebooted in safe mode, then ran another HJT scan with no browsers open. The log file is attached, and I can't find the R3 line in order to fix it.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach a fresh HJT log from normal mode not safe mode. Also, complete the FINAL STEP in my last fix before attaching the new log.
     
  13. aretinVA

    aretinVA Private E-2

    OK, here's what I did. (I hope I did it in the right order.)

    1. Ran HJT in normal mode and saved scan. (No fixes done, though the R3 line was there. Not sure if I was supposed to fix it at that point.)

    2. Reset Web Settings

    3. Reset to Default Security Settings

    4. Rebooted in normal mode

    5. Attached HJT log here.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixhsa.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixhsa.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixbho.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixbho file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    After you complete the above, reboot and post a fresh HJT log.
     
  15. aretinVA

    aretinVA Private E-2

    I've saved and run the fixhsa.reg and fixbho.reg files.

    I rebooted (normal mode) and ran a new HJT scan, which is attached.

    Thanks for your amazingly fast responses!
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file IE.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the IE.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R3 - Default URLSearchHook is missing
    (This should be gone)

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
    O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
    O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} -

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot, Scan with HijackThis and attach the new log.
     
  17. aretinVA

    aretinVA Private E-2

    1. I saved and ran the IE.reg file
    2. I scanned with HJT and fixed all the items you listed. (The R3 line was indeed gone.)
    3. I ran CCleaner
    4. I ran cleanmgr
    5. I rebooted (normal mode), scanned with HJT and attached the new log.
     
  18. aretinVA

    aretinVA Private E-2

    Need to log off now.
    Will check back in the morning.

    Thanks again for your terrific help!
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome! :)

    Your HJT log is now clean, are you having any further problems?
     
  20. aretinVA

    aretinVA Private E-2

    So far so good! Thanks SO much for your help! Any time I hear of someone having problems, I'll be sure to recommend your site.
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome! :)

    You should see this article on How to Protect yourself from malware!
     
  22. aretinVA

    aretinVA Private E-2

    It's been a couple of days now since you helped clean up my system, and so far it seems to be staying clean. I went to the link re: how to protect yourself & have downloaded & run the recommended programs. How often should they be run for maintenance?
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You should scan at least once a week for malware/viruses and run CCleaner everyday.

    As long as you have the protection from the programs in the sticky you will be ok.
     