Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Internet Browser spyware


#16
Icthus (New Member, 2 posts)

Hello Lew. I had a problem related to this same thing last night. After some work, I came up with a solution that you may be able to use.

Here is what happened to me. Since my file names were different than yours, you will need to adjust the names to solve your problem.

First, this was the same ATLEvents problem you have had. When I ran Spybot, it found the ATLEvents adware and removed the registry entries. However, the active program always put the entries back as soon as I removed them. I found some adware items in the HKEYLM\software\microsoft\windows\currentversion\runonce and run areas of the registry. When I deleted them (so they would not start on the next boot), the active program reinserted them immediately. You are probably experiencing the same problems.

In my case, the program "*oledvd" was the culprit and I knew it. In your case, it appears to be "apinet.exe". I could not tell where the program was located (although it is very evident where it is in your situation), so I ran Taskinfo 2003 (found at http://www.iarsn.com/taskinfo.html as a mostly full-featured "try before you buy" program). Simply highlighting the task allowed me to see where it was located and even what process started it.

I then attempted to delete the file in Windows Explorer (it was a hidden system file), but it would not go away because it was being used. I then right clicked the task in TaskInfo and told it to kill the task. It died and came right back again. This time, TaskInfo said that it was started by Regedit, which I was using at the time. Somehow, the adware hooked itself into the system and had the registry editor start it. I truly wanted to know how this happened, but didn't want to spend the time figuring it out. I shut down Regedit and killed the task with Taskinfo again. The program died and came back to life again. This time Taskinfo revealed that IT started the adware program. This was starting to get old.

The computer I was fixing had Windows XP Pro on it, so I found the file, right-clicked and went to Properties. I selected Security. Under the Advanced button, I told it to not inherit the properties from its parents. I then turned off all access to all users in all ways to the file. That way, no matter what program under any user tried to start it again, it would be denied access. If you are running Windows XP Home edition, you will need to use the command line utility CACLS to change the security properties of "apinet.exe" to none for everyone (Start, Run, CMD [enter] and then type "CACLS /?" to see how to use it).

I went back to TaskInfo again and killed the task one final time. This time, it stayed dead. I went into Regedit and deleted the startup items in Run and Runonce and noted that they stayed deleted this time (you have to hit F5 in Regedit to refresh the screen after deleting the items to see for sure). I ran Spybot and it found the ATLEvents again and deleted them as before. I ran Spybot again and it did NOT find the ATLEvents registry entries. Success!

Finally, I changed permissions on the pesky adware program to full for Administrator (that is who I was logged onto) and deleted it.

Now, the site administrator at Geekstogo.com suggested that you use Killbox to kill the file and it may do the same thing that I just described. If it does not, I suggest my way. It is very effective, you have full control over every step, and you can see exactly what is going on.

As a final suggestion to anyone reading this because they have a problem LIKE this that they need help to stop, you may find that adware registry entries are being set but you do not know what program is doing it. In this case, consider using Sysinternals Regmon (http://www.sysintern...e/regmon.shtml) to monitor the registry. It can monitor all changes to the registry and tells what program is accessing the registry to make those changes. Start Regmon and begin capturing the registry changes. Run Spybot to kill the adware registry entries. Make a note of those entries and let Spybot kill them. Then go to Regmon and stop the capturing. You will have a huge capture log at that point. Use the filter to show only the registry entry you are looking for. Then you will see that Spybot and one other program accessed it. That other program is your culprit. Proceed with the previously mentioned steps to kill it.

I regularly clean systems of adware as a part of my profession and this was the hardest adware I have ever had to remove. So, Lew, don't give up and don't feel bad about this. This one is really tough to kill and not even Adaware or Spybot have gotten a bead on all of it yet.

BTW, did Symantec have any luck at getting rid of it?
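
As an added example (not from the thread or from any of the tools it names), this is the Regmon triage Icthus describes, run over a constructed, simplified tab-separated export: keep only successful writes to Run/RunOnce values, drop the scanner's own changes, and separate the writer binary from a normal tool that has been made to do the writing (as TaskInfo showed with Regedit). Process and value names (SpybotSD.exe, apinet) are assumptions.

```python
import re
from collections import defaultdict

# Constructed, simplified Regmon-style export (tab-separated: seq, time, process,
# request, registry path, result). Process and value names are hypothetical.
SAMPLE_LOG = """\
1\t12:01:03\tSpybotSD.exe\tDeleteValue\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\apinet\tSUCCESS
2\t12:01:03\texplorer.exe\tQueryValue\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ctfmon\tSUCCESS
3\t12:01:04\tapinet.exe\tSetValue\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\apinet\tSUCCESS
4\t12:01:04\tregedit.exe\tSetValue\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\apinet\tSUCCESS
5\t12:01:05\tSpybotSD.exe\tDeleteValue\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\apinet\tSUCCESS
6\t12:01:05\tsvchost.exe\tOpenKey\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tSUCCESS
"""

# Values directly under the Run or RunOnce autostart keys.
AUTORUN_VALUE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\(?P<value>[^\\]+)$",
    re.IGNORECASE)
WRITE_REQUESTS = {"SetValue", "CreateKey"}
SCANNER = {"spybotsd.exe"}                    # its writes are expected during cleanup
HOST_TOOLS = {"regedit.exe", "explorer.exe", "taskmgr.exe"}  # never add autoruns on their own

def parse_regmon(text):
    """Return one dict per non-empty log line."""
    fields = ("seq", "time", "process", "request", "path", "result")
    return [dict(zip(fields, line.split("\t")[:6]))
            for line in text.splitlines() if line.strip()]

def find_autorun_writers(rows):
    """Map process -> sorted autorun value names it successfully wrote,
    ignoring the scanner's own changes; whatever is left are the suspects."""
    writers = defaultdict(set)
    for r in rows:
        m = AUTORUN_VALUE.search(r["path"])
        if (m and r["request"] in WRITE_REQUESTS and r["result"] == "SUCCESS"
                and r["process"].lower() not in SCANNER):
            writers[r["process"]].add(m.group("value"))
    return {p: sorted(v) for p, v in writers.items()}

def classify(writers):
    """Separate the culprit binary from built-in tools it has been made to
    write through (the thread saw Regedit relaunch the adware)."""
    culprits = sorted(p for p in writers if p.lower() not in HOST_TOOLS)
    hosts = sorted(p for p in writers if p.lower() in HOST_TOOLS)
    return culprits, hosts
```

A write attributed to a host tool like regedit.exe is the signal to look (with TaskInfo or similar) at what that tool has loaded rather than to treat the tool itself as the infection.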

#17
Lew (Member, Topic Starter, 10 posts)

Thank you Admin and Icthus.

Unfortunately, Killbox did not work. I will attempt the other solution this afternoon and post the results. Symantec did find a new, different virus, but the previous adware problem was not removed. I am using Firefox, but cbssportsline.com works much better with a clean IE, so I am anxious to see if this solution works!

Thanks again!

#18
Lew (Member, Topic Starter, 10 posts)

Using HijackThis, I found that somehow the apinet/tenipa files could be erased and a new file name was causing the same type of ATLEvents BHO from a new location within windows/security/database. Anyhow,

I followed your directions and deleted what I could, then removed the inherit properties and permissions, then deleted the rest and ran Spybot and IT WORKED! One note was that I used HijackThis instead of the regedit stuff I was unfamiliar with.

THANKS! <_<

#19
Lew (Member, Topic Starter, 10 posts)

Ah, one correction: I used CTRL ALT DELETE, then clicked the Task Manager tab, then the Processes tab to shut down the process that was keeping me from changing the permissions....

#20
Icthus (New Member, 2 posts)

Hey, Lew, great to hear you got it fixed! :D There are multiple pieces of spyware out there that are causing the same problems. Apparently there is more than one way to skin this cat, also. The main trick was to knock out all permissions so that tenacious pest couldn't start up again - then add permissions back so you could delete it!

Taskinfo is really nice because it locates subprocesses that do not show up in Windows Task manager. It also tells you who is starting those tasks. In this case, I found out that any open program could restart the spyware. It was a fine piece of programming on THEIR part to accomplish this. After all of this, I can see ways they can actually improve their spyware, but it would be foolish to write about it. <_<

Glad we could work this out together! :D

#21
cjon (New Member, 1 post)

Interesting solution. Saved & printed.

I, too, had a long round of this. Only in my case, it was with a WinME machine, so the permissions fix was out. I ended up doing an F&F and reinstalling, but if someone has a better fix, I'd appreciate hearing about it. As Icthus noted, I "clean" 4 or 5 machines a week, mostly as a hobby, and this was the toughest I've run across.

#22
thejokker (New Member, 1 post)

I've been working on a customer's computer with the same problem; I've found the information here very helpful. The machine in question is a Windows 98 machine, but I was successful in correcting the problem without formatting.

The files on this machine were cab.exe (in the windows\help folder) and bac.dat (in the windows\temp folder). I edited the registry to stop the launching of cab.exe and then disconnected the HDD and connected it to a Windows XP machine. I manually deleted the files, but I discovered it had recreated a wunt.exe and a tnuw.dat file, which I deleted. I opened the system.dat file of the d:\ HDD with WordPad and deleted the run references to wunt.exe.

When I reconnected the HDD to the customer's machine, the files remained gone...

hope this helps!