404Search, AtPartners etc...

Question

caperjoe 0 Newbie Poster

20 Years Ago

I've had a problem for months now with the following list of adware on my system: 404Search, ATPartners (AT Games), eMusic, Instafinder, Bargain Buddy, TOPicks, Favoriteman/F1 and NetPal.

I have followed all the usual steps for removal - nothing helps. They keep respawning the next time I start IExplorer. I used Control Panel to unistall, I used programs like EasyUnustaller, I ran regsvr32 to remove the dlls in System 32 in Safe Mode, I ran newest Adaware, Spybot S&D, CWShredder, HiJackThis, Spyware Doctor, Registry Mechanic, Registrar Lite, SpywareBlaster and AboutBlaster. All of them say the offending files have been deleted, but or restart they are back.

Is there any way at all to get rid of these problem adware files. I need to know how to stop them from respawning. I think the problem may be the im64.dll. It is the one file I do not seem to be able to get rid of with Adaware.

Here is my latest HJT log, made prior to running any of the above noted remover programs:

Logfile of HijackThis v1.98.2
Scan saved at 9:13:11 AM, on 26/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Utilites\Spyware Doctor\spydoctor.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\eMusic\eMusicClient.exe
C:\Program Files\Utilites\Hijackthis\HijackThis.exe

F3 - REG:win.ini: load=????????????????????????
O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\system32\ATPART~1.DLL
O2 - BHO: InstaFinder - {4E7BD74F-2B8D-469E-DCF7-F96DA086B434} - C:\WINDOWS\DOWNLO~1\instafin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Utilites\SPYBOT~1\SDHelper.dll
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Burner Stuff\CloneCd\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [eMusicClient Systray] C:\Program Files\eMusic\eMusicClient.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Utilites\Spyware Doctor\spydoctor.exe" /Q
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Run Time.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com/?fref=149031 (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/support/chipdetect/OSInfo.cab
O16 - DPF: {08C818C3-2F1E-11D0-9223-00A0244D2920} (ChartFX IE Client Object) - http://www.fundlibrary.com/download/cfxax.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/support/chipdetect/SiSAutodetectNT.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093732424078
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://data6.archives.ca/mrsidi_cab/MrSIDI.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab

Thanks for any help you can provide!

Joe

windows-virus

3 Contributors
3 Replies
133 Views
1 Day Discussion Span
Latest Post 20 Years Ago Latest Post by caperjoe

DaveSW 15 Master Poster

20 Years Ago

This is my guess. Wait for Crunchie or someone knowledgable to confirm it/tell me what I've missed before proceeding. (I'm currently practising till one day I'll be as knowledgable as them. Unlikely but there we go!)

alt+ctrl+del and kill C:\Program Files\eMusic\eMusicClient.exe (the process).

Then fix the following:

F3 - REG:win.ini: load=????????????????????????
O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\system32\ATPART~1.DLL
O2 - BHO: InstaFinder - {4E7BD74F-2B8D-469E-DCF7-F96DA086B434} - C:\WINDOWS\DOWNLO~1\instafin.dll
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll
O4 - HKLM\..\Run: [eMusicClient Systray] C:\Program Files\eMusic\eMusicClient.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Run Time.exe
O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com/?fref=149031 (file missing)

Then boot in safe mode by presssing the f8 key during startup, and delete:
C:\WINDOWS\system32\ATPART~1.DLL
C:\WINDOWS\DOWNLO~1\instafin.dll
C:\Program Files\404Search\404Search.dll

Before doing this open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
[REVERSE THIS PROCESS AFTER YOUR CLEAN!!]

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 1 · 2004-10-27T15:28:58+00:00

When you have received a reply at the other forum you posted your log, let us know if you still require assistance :).

caperjoe 0 Newbie Poster · Answer 2 · 2004-10-27T23:54:07+00:00

I did a few things suggested from another forum and had great success so far:

1) Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
[REVERSE THIS PROCESS AFTER YOUR CLEAN!!]

2) In Safe Mode I ran a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

F3 - REG:win.ini: load=????????????????????????
O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\system32\ATPART~1.DLL
O2 - BHO: InstaFinder - {4E7BD74F-2B8D-469E-DCF7-F96DA086B434} - C:\WINDOWS\DOWNLO~1\instafin.dll
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Run Time.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\ATPART~1.DLL
C:\WINDOWS\DOWNLO~1\instafin.dll
C:\Program Files\404Search\
PowerReg Scheduler V3.exe
Run Time.exe

Some of these files were not present - others were there and removed.

Reboot into Normal Mode

3) This third step made all the major changes to correct the "hidden" respawning ads.

Go to your folder C:\Windows\Prefetch and delete all of the contents (not folder itself).

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download Index.dat Suite to clean out all the temp folders. Run Index.dat Suite now and go to Tools->Settings. Then make sure to check the following: Cookies, History, Recent Documents, Swap File (if you have Windows 95/98), Temporary Internet Files and Temp Files. Click Save at the bottom. Then click on the Find button. Let it search. Then click on the second button on the top. This will generate a batch file. Click Next->Next->Next and it will tell you that after the next reboot/restart you the file should run by itself and startup and clean all those files.

Download StartCHM and run it.

There may be a lot of junk entries left behind in the registry by spyware and other programs. Download Regseeker. Install the program and run it. Click on Clean the Registry and hit OK. After it finishes the search, click on Select all and hit the Del key on your keyboard.

After all these steps I rebooted into Safe Mode, ran Ad-aware, Spybot, CWShredder, and cleaned a few loose registry entries with Registrar Lite. It's a day later now and everything seems clean.

Thanks for all the help.