allwebsearcher Hijack

Discussion in 'Malware Help (A Specialist Will Reply)' started by bockelchunk, Feb 8, 2005.

  1. bockelchunk

    bockelchunk Private E-2

    Symptoms:

    1. When I start up, two dialog boxes titled "Internet Sharing Configuration" pop up (and stay up). They read: "C:\WINDOWS\Explorer.exe is attempting to change or view this computer's internet protection settings. [ETC]" When I deny access, the boxes and my toolbar at the bottom of my screen both disappear for a second, then come back.

    2. Sometimes a startup will launch IE (or even Firefox), which has been redirected to www.allwebsearcher.com/1212

    3. The computer is continually trying to reset my homepage to the allwebsearcher address. (I get multiple notices from one of my anti-spyware programs.)

    Clean-up:

    I followed all suggested steps on your Spyware, Trojan, and Virus Removal tutorial. Results:

    1. Trend-Micro scan found Troj_Istbar.aj, Troj_Vidlo.j, Troj_Startpag.ct, Troj_Istbar.ey. The program couldn't delete these files on its own; I had to do so manually (one-by-one). Second scan was clean.

    2. McAfee Avert Stinger: no problems detected.

    3. CCleaner: deleted temp files (used default settings).

    4. Ad-Aware SE: 0 critical objects detected.

    5. Spybot: found & fixed the following: Media Plex, Avenue A, Inc., Double Click, DSO Exploit, DyFuCA.Internet Optimizer, DyFuCA, and ISearchTech.Powerscan.

    Other details:

    1. Problem files that keep appearing in different contexts: qtsfnlh.exe (now deleted) and istsvc.exe (or something like that). Don't know if/how they connect to the situation.

    2. A friend suggested that I might have Bizex. Something about a SYSMON.exe file, but I can't find it.

    3. Attempts to remove the allwebsearcher redirects via HijackThis have only been temporarily successful. When I restart, they reappear in the R0/R1 lines of the logfile.


    Thanks very much for any suggestions you can give me.

    BB
     
  2. TheOldThug

    TheOldThug First Sergeant

    Welcome :eek:

    If you still have a problem after doing the TUTORIAL then do the following:

    Please try to turn OFF any applications that are not needed. It makes it much easier to look at the HJT log.
    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT.

    Good Luck :)
     
  3. bockelchunk

    bockelchunk Private E-2

    HijackThis log file is attached.

    Thanks so much.

    BB
     

  4. PhilliePhan

    PhilliePhan Guest

    Hi BB,

    I'll get you started.


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:
    O4 - HKLM\..\Run: [hiden.exe] hiden.exe

    O21 - SSODL: NTWSMON - {3E3E1C70-2763-4F57-A205-D79C3B4FA9AA} - C:\WINDOWS\System32\wldac009.dll
    O21 - SSODL: MSMserv - {6A4AE1B1-6FB8-45EE-ACB3-17F9AD4C1AF6} - C:\WINDOWS\System32\wmvdetup.dll
    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\wldac009.dll
    C:\WINDOWS\System32\wmvdetup.dll
    hiden.exe ---> You'll need to search for this one with Windows Explorer

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.

    Let us know how things are running now.

    Best luck :)
    PP
     
  5. bockelchunk

    bockelchunk Private E-2

    Thanks for your suggestions, PP. Things are looking up.

    The annoying dialog boxes (see original post) are now gone.

    According to one of my antispyware programs (Microsoft's, I think), "allwebsearcher" is still trying to reset IE's home page. But it is being blocked.

    I've attached the new log file.

    Thanks again!

    Brian
     

  6. PhilliePhan

    PhilliePhan Guest

    Hi Brian,

    Happy to help :) I do not see anything left in your HJT Log to worry about! You could fix the following if the files are indeed missing:

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)


    M$ Anti-Spyware is still a bit rough around the edges. Are any of your other tools alerting on Allwebsearcher?

    PP :)
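As an added example (not from this thread, nor from HijackThis itself), the following Python parses the HJT lines quoted in posts 4 and 6 above into structured records and applies the same triage a helper does by eye: an entry marked "(file missing)" is an orphan, an O21 SSODL component is a DLL that Explorer loads at logon, and an O4 Run entry with a bare filename has to be located by search before it can be deleted. The sample log text is constructed from the lines quoted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the HijackThis lines quoted in posts 4 and 6 of this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hiden.exe] hiden.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O21 - SSODL: NTWSMON - {3E3E1C70-2763-4F57-A205-D79C3B4FA9AA} - C:\WINDOWS\System32\wldac009.dll
O21 - SSODL: MSMserv - {6A4AE1B1-6FB8-45EE-ACB3-17F9AD4C1AF6} - C:\WINDOWS\System32\wmvdetup.dll
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"

@dataclass
class HjtEntry:
    section: str            # HJT section tag: O4, O9, O21, ...
    name: str               # Run value name or component display name
    target: str             # command line or DLL path
    clsid: Optional[str]    # {GUID} for COM-based entries (O9, O21), else None
    file_missing: bool      # HJT appends "(file missing)" when the path does not exist

def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, rest = m.groups()
    file_missing = rest.endswith(MISSING)
    rest = rest[: -len(MISSING)].strip() if file_missing else rest
    cm = CLSID_RE.search(rest)
    clsid = cm.group(0) if cm else None
    if section == "O4":
        # O4 - <hive>\..\Run: [<value name>] <command>
        m4 = re.match(r".*?: \[(.*?)\] (.*)$", rest)
        if not m4:
            return None
        name, target = m4.groups()
    else:
        # <label>: <name> - {CLSID} - <path>
        parts = [p.strip() for p in rest.split(" - ")]
        name = parts[0].split(":", 1)[1].strip()
        target = parts[-1]
    return HjtEntry(section, name, target, clsid, file_missing)

def parse_hjt_log(text: str) -> List[HjtEntry]:
    return [e for e in map(parse_hjt_line, text.splitlines()) if e]

def triage(entries: List[HjtEntry]) -> List[str]:
    """Reproduce the reasoning a helper applies when reading the log."""
    notes = []
    for e in entries:
        if e.file_missing:
            notes.append(f"{e.section} {e.name}: orphaned entry, target gone; safe to fix")
        elif e.section == "O21":
            # SSODL components are loaded into explorer.exe at logon, which is why a
            # hostile DLL here survives reboots and acts from inside Explorer itself.
            notes.append(f"{e.section} {e.name}: loads {e.target} into Explorer at logon")
        elif e.section == "O4" and "\\" not in e.target:
            notes.append(f"{e.section} {e.name}: Run entry with no path; locate by search")
    return notes
```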
     
  7. bockelchunk

    bockelchunk Private E-2

    No, just the Microsoft one, PP. (I'm not exactly sure which other programs count in the same category.) Spyware Blaster shows no problem. I haven't "heard" from my McAfee firewall in the last couple days. A recent scan on SpyBot shows nothing.

    BUT: I did another scan with Microsoft Antispyware and it showed a "possible hijack" problem associated with "about:blank," which I fixed. Don't know if it'll come back. Right now IE seems to use the home page I've selected, though I've moved on to using Firefox anyway...

    Someone else mentioned that the MS program isn't the best ..... but right now I'm happy it's blocking whatever residual demon I've got!

    This is quite a war. You guys rock.

    Brian
     
  8. PhilliePhan

    PhilliePhan Guest

    Hi Brian,

    M$ Anti-Spyware shows some false-positives and has been known to bork the built-in Windows Firewall, so I am not a big fan yet. I trust you are using SpyBotSD's Immunize feature? I also suggest installing Spyware Guard and perhaps even BHO Demon and see if they give you similar warnings. I like both of those tools . . . Though might be a little overkill ;) Your HJT log was pretty clean, though I'm not sure what you might have removed on your own.
    Perhaps a fresh one is in order? Let's see what it looks like now, to be safe.

    PP :)
     
  9. bockelchunk

    bockelchunk Private E-2

    Thanks for the tips, PP. I'm out of town until Monday for work... but I hope I can take you up on your offer to look at one more log file when I get back.

    Best,
    Brian :)
     
  10. PhilliePhan

    PhilliePhan Guest

    No Problem!

    Just be sure to find and post in this thread so I don't get confused!

    PP :)
     
  11. bockelchunk

    bockelchunk Private E-2

    Hey Phillie Phan,

    I'm back now... here's the latest log file. I haven't seen much in terms of other signs that I'm still under siege...

    One other question: my system restore is still off. Can I put it back on now?

    Thanks for getting me back in order. Wish I could lend a hand in the fight, but I got no skills...

    BB :cool:
     
  12. bockelchunk

    bockelchunk Private E-2

    oops... here's the logfile.
     

  13. PhilliePhan

    PhilliePhan Guest

    Your HJT log looks OK! You can turn System Restore back on if all seems to be working as it should.

    You should also visit Windows Updates and get Updated. There are some really nasty baddies floating around right now that are impossible to remove at this moment - Anything that you can do to protect yourself, should be done.

    In fact, I noticed that you had a file associated with one of these baddies in your log and we removed it (its friends were not there to protect it!): hiden.exe. Perhaps before turning System Restore back on, you should look for hiden.exe on your machine and make sure it is gone.

    PP :)
     
