4 replies to this topic

[Mikeee P]

I was under the impression after searching the net that ads234 "is" BIDADDLE. I know I started having problems with continuous ads234 stuff, and then found "bidaddle" in my "common files" though it won't let me delete it. I also have read that there could be 2 more hidden (with changing fake names) portions of biddadle that reinstall it ever couple days if you are sucessful in removing it - and that they have to be removed as well... Here are my questions... 1) Is ads234 and bidaddle the same thing? So that when I get rid of one, I automatically get rid of the other ie: when bidaddle is gone, so will ads234? 2)Not sure I understand what Hijack This is. Do I download your software and then still use ad aware 6.0 to try and remove it or am I misunderstanding what I'm supposed to do? Thanks. Mike

[shelf life]

hello,

to answer the questions:

1) yes could be related, if you get rid of one will other be gone? maybe hard to say all cases are different

2) getting, installing,updating running ad aware is a good idea:

ad aware SE personal edition:
http://www.lavasoft.de/

ad aware tutorial:http://www.bleepingcomputer.com/forums/index.php?showtutorial=48

also suggest;

Spybot - Search & Destroy from http://security.kolla.de

Spybot tutorial: http://www.bleepingc...showtutorial=43


HJT here:(a tool for displaying and removing some spy/malware apps, >>>unless you are confident in what you are removing, dont do it<<<

http://www.spywarein.../downloads.html
or>>

http://www.majorgeek...ownloads31.html

tutorial for HJT here:

http://www.bleepingc...tutorial42.html

post your HJT log in this thread, use add reply button and i will look at it for you....

[Mikeee P]

SHELF LIFE - I apologize I didn't see your note stating to post my log here. I posted it in the other forum. It's gotten really bad now. Every single time I jump from one page to another, hit forward or back - a dead white page with Ads234 jumps up - talk about annoying and almost impossible to navigate! I will repost my logs here for you. Thanks so much for your help. I run ad aware 6.0 daily as well as Yahoo's little spyware program which amazingly catches about a dozen that Ad Aware 6.0 doesn't... I ran spybot a few times, and it doesn't seem to catch whatever this Ads234 thing is either. Thanks. Mike

[Mikeee P]

Hi there - actually midaddle "is" ads234

Here is my latest log file and a bit of info I dug up. There are three items causing this. One in common files is named "midaddle". Two hidden ones will restore it if/when I am able to delete the first one that is obviously named - but it won't allow you to delete it. According to some sites, these two hidden files or ??? whatever they are, can actually change their name! No fun... especially since I'm far-far from being knowledgeable in this stuff we're doing.

Here is my latest log:

Logfile of HijackThis v1.99.0
Scan saved at 5:51:01 PM, on 12/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\documents and settings\computer 1\local settings\temp\ORQ7r5NLX.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\documents and settings\computer 1\local settings\temp\xVxpXl2Nk.exe
C:\documents and settings\computer 1\local settings\temp\L8OADwU.exe
C:\WINDOWS\System32\browser1.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\documents and settings\computer 1\local settings\temp\rpylB.exe
C:\windows\system32\rk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Computer 1\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Computer 1\Local Settings\Temp\UOS.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ORQ7r5NLX] C:\documents and settings\computer 1\local settings\temp\ORQ7r5NLX.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\QoleB1Kc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [xVxpXl2Nk] C:\documents and settings\computer 1\local settings\temp\xVxpXl2Nk.exe
O4 - HKLM\..\Run: [L8OADwU] C:\documents and settings\computer 1\local settings\temp\L8OADwU.exe
O4 - HKLM\..\Run: [033759ddf10c] C:\WINDOWS\System32\browser1.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [rpylB] C:\documents and settings\computer 1\local settings\temp\rpylB.exe
O4 - HKLM\..\Run: [OSS] c:\windows\system32\rk.exe -boot
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "new.net" "2"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpit.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsout...oad/tgctlcm.cab
O16 - DPF: {01118D00-3E00-11D2-8470-0060089874ED} (SupportSoft Password Reset Class) - http://help.bellsout...oad/tgctlpw.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../US/install.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {9D5B6642-8C3F-4504-B2FC-42779ABAE4B9} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...363/mcfscan.cab
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

[shelf life]

hello Mikeee P,

sorry for delay. lets try this:

could you put HJT into its own folder.
ok on to the log:
before we start look in add/remove programs panel and uninstall the following if present :
new.net or new dot .net and any search/web "helpers"
if present uninstall then reboot computer.

next:

Make sure your PC is configured to show hidden files

Double click my computers & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Scan with HijackThis and place an check next to the following entries,close all windows,then press *fix checked*

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com

R3 - Default URLSearchHook is missing

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Computer 1\Local Settings\Temp\UOS.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [ORQ7r5NLX] C:\documents and settings\computer 1\local settings\temp\ORQ7r5NLX.exe

O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\QoleB1Kc.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKLM\..\Run: [xVxpXl2Nk] C:\documents and settings\computer 1\local settings\temp\xVxpXl2Nk.exe

O4 - HKLM\..\Run: [L8OADwU] C:\documents and settings\computer 1\local settings\temp\L8OADwU.exe

O4 - HKLM\..\Run: [033759ddf10c] C:\WINDOWS\System32\browser1.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [rpylB] C:\documents and settings\computer 1\local settings\temp\rpylB.exe

O4 - HKLM\..\Run: [OSS] c:\windows\system32\rk.exe -boot

O4 - HKLM\..\Run: [033759ddf10c] C:\WINDOWS\System32\browser1.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [rpylB] C:\documents and settings\computer 1\local settings\temp\rpylB.exe

O4 - HKLM\..\Run: [OSS] c:\windows\system32\rk.exe -boot

ok now boot into SAFE MODE by tapping F8 Key at restart.
Chose SAFE MODE from the options, once in safe mode;

find and delete:
only-browser1.exe>> located here>>C:\WINDOWS\System32
only-dp-him.exe>> located here>> C:\WINDOWS\System32
entire folder>Viewpoint>> located here>>C:\Program Files\Viewpoint

still ion SAFE MODE:

Empty your Temp folders. Go to Start > Run and type:cleanmgr. Windows will scan. When done check these 3 and press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
-------------------------------
next:

Click Start>Run then type %temp%
Hit OK. Delete all the files you can, some wont delete

using explorer(right click on start>explore) drill down to these >>> you want to delete whats >inside< the folder, not the folder itself<<

C:\Windows\Temp\

C:\Documents and Settings\-Your Profile-\Local Settings\Temporary Internet Files\ (will dump all your cached internet content including cookies)

C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temporary Internet Files\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temp\


afterwards post a new HJT log......................