
Bidaddle


4 replies to this topic

#1 Mikeee P

  • New Member
  • 3 posts

Posted 16 December 2004 - 01:14 PM

I was under the impression after searching the net that ads234 "is" BIDADDLE. I know I started having problems with continuous ads234 stuff, and then found "bidaddle" in my "common files", though it won't let me delete it. I also have read that there could be 2 more hidden (with changing fake names) portions of bidaddle that reinstall it every couple of days if you are successful in removing it - and that they have to be removed as well...

Here are my questions...

1) Are ads234 and bidaddle the same thing? So that when I get rid of one, I automatically get rid of the other, i.e. when bidaddle is gone, so will ads234?

2) Not sure I understand what HijackThis is. Do I download your software and then still use Ad-Aware 6.0 to try and remove it, or am I misunderstanding what I'm supposed to do?

Thanks. Mike



#2 shelf life

  • SuperMember, Visiting Fellow
  • 3,191 posts

Posted 16 December 2004 - 09:16 PM

hello,

to answer the questions:

1) Yes, could be related. If you get rid of one, will the other be gone? Maybe; hard to say, all cases are different.

2) Getting, installing, updating and running Ad-Aware is a good idea:

ad aware SE personal edition:
http://www.lavasoft.de/

Ad-Aware tutorial: http://www.bleepingcomputer.com/forums/index.php?showtutorial=48

Also suggest:

Spybot - Search & Destroy from http://security.kolla.de

Spybot tutorial: http://www.bleepingc...showtutorial=43


HJT here (a tool for displaying and removing some spy/malware apps; >>>unless you are confident in what you are removing, don't do it<<<):

http://www.spywarein.../downloads.html
or>>

http://www.majorgeek...ownloads31.html

tutorial for HJT here:

http://www.bleepingc...tutorial42.html

Post your HJT log in this thread (use the Add Reply button) and I will look at it for you....
How Can I Reduce My Risk?

#3 Mikeee P

  • New Member
  • 3 posts

Posted 21 December 2004 - 01:13 PM

SHELF LIFE - I apologize I didn't see your note stating to post my log here. I posted it in the other forum. It's gotten really bad now. Every single time I jump from one page to another, hit forward or back - a dead white page with Ads234 jumps up - talk about annoying and almost impossible to navigate! I will repost my logs here for you. Thanks so much for your help. I run ad aware 6.0 daily as well as Yahoo's little spyware program which amazingly catches about a dozen that Ad Aware 6.0 doesn't... I ran spybot a few times, and it doesn't seem to catch whatever this Ads234 thing is either. Thanks. Mike

#4 Mikeee P

  • New Member
  • 3 posts

Posted 22 December 2004 - 04:55 PM

Hi there - actually midaddle "is" ads234

Here is my latest log file and a bit of info I dug up. There are three items causing this. One in common files is named "midaddle". Two hidden ones will restore it if/when I am able to delete the first one that is obviously named - but it won't allow you to delete it. According to some sites, these two hidden files or ??? whatever they are, can actually change their name! No fun... especially since I'm far-far from being knowledgeable in this stuff we're doing.

Here is my latest log:

Logfile of HijackThis v1.99.0
Scan saved at 5:51:01 PM, on 12/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\documents and settings\computer 1\local settings\temp\ORQ7r5NLX.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\documents and settings\computer 1\local settings\temp\xVxpXl2Nk.exe
C:\documents and settings\computer 1\local settings\temp\L8OADwU.exe
C:\WINDOWS\System32\browser1.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\documents and settings\computer 1\local settings\temp\rpylB.exe
C:\windows\system32\rk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Computer 1\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Computer 1\Local Settings\Temp\UOS.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ORQ7r5NLX] C:\documents and settings\computer 1\local settings\temp\ORQ7r5NLX.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\QoleB1Kc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [xVxpXl2Nk] C:\documents and settings\computer 1\local settings\temp\xVxpXl2Nk.exe
O4 - HKLM\..\Run: [L8OADwU] C:\documents and settings\computer 1\local settings\temp\L8OADwU.exe
O4 - HKLM\..\Run: [033759ddf10c] C:\WINDOWS\System32\browser1.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [rpylB] C:\documents and settings\computer 1\local settings\temp\rpylB.exe
O4 - HKLM\..\Run: [OSS] c:\windows\system32\rk.exe -boot
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "new.net" "2"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpit.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsout...oad/tgctlcm.cab
O16 - DPF: {01118D00-3E00-11D2-8470-0060089874ED} (SupportSoft Password Reset Class) - http://help.bellsout...oad/tgctlpw.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../US/install.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {9D5B6642-8C3F-4504-B2FC-42779ABAE4B9} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...363/mcfscan.cab
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#5 shelf life

  • SuperMember, Visiting Fellow
  • 3,191 posts

Posted 23 December 2004 - 08:34 PM

hello Mikeee P,

Sorry for the delay. Let's try this:

Could you put HJT into its own folder?
OK, on to the log.
Before we start, look in the Add/Remove Programs panel and uninstall the following if present:
new.net (or new dot .net) and any search/web "helpers".
If present, uninstall, then reboot the computer.

next:

Make sure your PC is configured to show hidden files

Double-click My Computer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply", then "OK".

Scan with HijackThis and place a check next to the following entries, close all windows, then press *Fix checked*:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com

R3 - Default URLSearchHook is missing

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Computer 1\Local Settings\Temp\UOS.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [ORQ7r5NLX] C:\documents and settings\computer 1\local settings\temp\ORQ7r5NLX.exe

O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\QoleB1Kc.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKLM\..\Run: [xVxpXl2Nk] C:\documents and settings\computer 1\local settings\temp\xVxpXl2Nk.exe

O4 - HKLM\..\Run: [L8OADwU] C:\documents and settings\computer 1\local settings\temp\L8OADwU.exe

O4 - HKLM\..\Run: [033759ddf10c] C:\WINDOWS\System32\browser1.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [rpylB] C:\documents and settings\computer 1\local settings\temp\rpylB.exe

O4 - HKLM\..\Run: [OSS] c:\windows\system32\rk.exe -boot

OK, now boot into SAFE MODE by tapping the F8 key at restart.
Choose SAFE MODE from the options. Once in safe mode:

find and delete:
only browser1.exe >> located here >> C:\WINDOWS\System32
only dp-him.exe >> located here >> C:\WINDOWS\System32
entire folder Viewpoint >> located here >> C:\Program Files\Viewpoint

Still in SAFE MODE:

Empty your Temp folders. Go to Start > Run and type: cleanmgr. Windows will scan. When done, check these 3 and press *OK* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
-------------------------------
next:

Click Start > Run, then type %temp%
Hit OK. Delete all the files you can; some won't delete.

Using Explorer (right-click on Start > Explore), drill down to these >>> you want to delete what's >inside< the folder, not the folder itself <<

C:\Windows\Temp\

C:\Documents and Settings\-Your Profile-\Local Settings\Temporary Internet Files\ (will dump all your cached internet content including cookies)

C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temporary Internet Files\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temp\


Afterwards, post a new HJT log...
How Can I Reduce My Risk?
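Added example, not from this thread or from either participant: a small Python script that applies, mechanically, part of the reading shelf life does by hand on Mike's log. It parses O4 (autostart) and O2/O3 (BHO/toolbar) lines and flags three things: a file running from a Temp directory, a registry entry whose file is gone ("(no file)"), and a Run value name or file name with digits embedded between letters, the shape of the randomly named ORQ7r5NLX and QoleB1Kc entries above. The sample lines are a constructed subset copied from the posted log; the heuristics are the editor's assumptions, not a HijackThis feature, and they are a triage aid only: rk.exe and dp-him.exe, which shelf life also marks for fixing, trip none of them, so a human review still follows.

```python
"""Triage a HijackThis-style log: flag autostart (O4) and browser add-on (O2/O3)
entries that deserve a closer look.

Heuristics (an editor's assumption, not part of HijackThis):
  * the file lives in a Temp directory,
  * the entry points at a file that no longer exists ("(no file)"),
  * the Run value name or file name has digits embedded between letters.
"""
import re

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Computer 1\Local Settings\Temp\UOS.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ORQ7r5NLX] C:\documents and settings\computer 1\local settings\temp\ORQ7r5NLX.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\QoleB1Kc.exe
O4 - HKLM\..\Run: [033759ddf10c] C:\WINDOWS\System32\browser1.exe
O4 - HKLM\..\Run: [rpylB] C:\documents and settings\computer 1\local settings\temp\rpylB.exe
O4 - HKLM\..\Run: [OSS] c:\windows\system32\rk.exe -boot
"""

# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>[^\\]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2 - BHO: name - {CLSID} - path   /   O3 - Toolbar: name - {CLSID} - path
ADDON_RE = re.compile(r"^(?P<kind>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# Per-user and system Temp directories; Windows paths are case-insensitive.
TEMP_DIR_RE = re.compile(r"\\(?:local settings\\temp|windows\\temp)\\", re.IGNORECASE)
# Digits sandwiched between letters (ORQ7r5NLX, QoleB1Kc, X2W...). A single
# trailing digit as in browser1 or SAgent2 does not match.
EMBEDDED_DIGIT_RE = re.compile(r"[A-Za-z]\d+[A-Za-z]")


def extract_path(cmd: str) -> str:
    """Pull the executable path out of a Run command line, quoted or not."""
    quoted = re.match(r'^"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    # Unquoted: stop at the first .exe/.dll/.ocx followed by whitespace or end of line,
    # so paths containing spaces (Documents and Settings) survive intact.
    unquoted = re.match(r"^(.*?\.(?:exe|dll|ocx))(?:\s|$)", cmd, re.IGNORECASE)
    return unquoted.group(1) if unquoted else cmd


def triage_line(line: str) -> list:
    """Return the reasons one log entry looks suspicious; [] means nothing fired."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        path = extract_path(m["cmd"])
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if TEMP_DIR_RE.search(path):
            reasons.append("runs from a Temp directory")
        for label, text in (("value name", m["name"]), ("file name", stem)):
            if EMBEDDED_DIGIT_RE.search(text):
                reasons.append(f"random-looking {label} {text!r}")
        return reasons
    m = ADDON_RE.match(line)
    if m:
        if m["path"] == "(no file)":
            reasons.append("orphaned entry: registered but file missing")
        elif TEMP_DIR_RE.search(m["path"]):
            reasons.append("loaded from a Temp directory")
    return reasons


def triage(log: str) -> list:
    """Return (line, reasons) pairs for every entry that tripped a heuristic."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry)
        for reason in reasons:
            print("    ->", reason)
```

Run against the sample, six of the ten lines are flagged: the Temp-resident UOS.dll BHO, the orphaned toolbar, ORQ7r5NLX (Temp path plus random value and file name), QoleB1Kc, browser1.exe (via its hex value name) and rpylB.exe; the Acrobat, QuickTime, iTunes and rk.exe entries pass untouched. That last miss is the point of the caveat: a name-and-path heuristic narrows the list, it does not replace knowing what each entry is before pressing *Fix checked*.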
