help with unwanted IE program www.allaboutsearching.com

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by JBuffettPH, Apr 5, 2004.

  1. JBuffettPH

    JBuffettPH Private E-2

    Somehow I have gotten some kind of program loaded on my computer that redirects my browser through a site www.allaboutsearching.com then on to my homepage. It also opens a window (like a toolbar) below my browser.

    This is my son's computer and I know he downloaded some games and some music using Kazaa Lite. My only guess is something must have come with it.

    I ran Spybot Search and Destroy and had a bunch of things and then couldn't get to any website.

    Called a computer store and they said to download WinSock fix. Did that and was able to connect again to the internet, but the allaboutsearching is showing up like a toolbar and shows as an open window on my toolbar.

    How do I get rid of this??

    Thanks, and again I really am not that technical so please give me step by step instructions!!

    Thanks this is a tremendous resource!!!!
     
    Last edited: Apr 5, 2004
  2. Greyhound

    Greyhound Sergeant

    What you should do is download HiJackThis, run it and post what it finds back here, and then we can help you out.
     
  3. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

  4. Robert

    Robert Sergeant

    Unwanted IE program

    Hi There,
    Download a freebie called BHO Demon and run it. It could solve your problem and save you the onerous task of posting lines and lines of Hijack on here in the hope that one of the Geeks will nail a nasty. CWShredder as previously mentioned may or may not pick the bugger out, and BHO Demon may not also.
    There is another freebie called Start Page Guard which could also help, and you could search for it using Google. I use both BHO and SPG and each does a good job. In summary my order of approach would be BHO Demon, followed by Start Page Guard, followed by CWShredder, and if all that fails HiJack for its million lines for the experts to paw through.
    Hope this helps
    Robert (Geek L Plater)
     
  5. JBuffettPH

    JBuffettPH Private E-2

    Results of HijackThis

    Here is the list from HijackThis. Thanks for taking a look and giving me some ideas on how to get rid of the added toolbar and anything to do with www.allaboutsearching.com (and for that matter anything else I don't need!!)

    Thanks, sorry it's a long one



    Logfile of HijackThis v1.97.7
    Scan saved at 10:27:02 AM, on 4/7/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\wanmpsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/index.html?http://www.virtualweberbullet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
    O1 - Hosts: £`‘ auto.search.msn.com
    O1 - Hosts: £`‘ search.netscape.com
    O1 - Hosts: £`‘ ieautosearch
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
    O3 - Toolbar: Rect dale media - {44C89206-6C66-5B89-5B26-D25DFD842457} - C:\PROGRA~1\USERAT~1\Rdr mp3.dll
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MSConfig45] MSConfig45.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Nameknob] C:\PROGRA~1\wmagluebody\poll exit.exe
    O4 - HKLM\..\RunServices: [MSConfig45] MSConfig45.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Startup: Virtual Bouncer.lnk = C:\RECYCLER\NPROTECT\00010365.EXE
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/drm.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
     
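    As an added example (not from the thread, and not part of HijackThis itself), here is a small Python triage script that applies the checks the replies in this thread make by hand to lines in HJT's log format: R0/R1 IE start/search keys pointing at the hijacker domain, O1 hosts-file overrides of IE's own search hosts, O3 toolbars with no name or no file, O4 RunServices or bare-filename autostarts, and O16 ActiveX downloads from a hijacker domain or with no registered name. The domain list and the `127.0.0.1` hosts line are constructed assumptions; the other sample lines are copied from the log above.

```python
import re
# Constructed sample in HijackThis v1.97 log format: the R/O3/O4/O16 lines are
# copied from the log posted above; the O1 line is made up (the page's is garbled).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
O1 - Hosts: 127.0.0.1 auto.search.msn.com
O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\RunServices: [MSConfig45] MSConfig45.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab
"""

HIJACK_DOMAINS = {"allaboutsearching.com", "lop.com"}  # named in the thread; extend as needed
SEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}  # IE's own search hosts
HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)

def bad_domain(line):
    """True if the first URL on the line is on (or under) a hijacker domain."""
    m = HOST_RE.search(line)
    host = m.group(1).lower() if m else ""
    return any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS)

def triage_line(line):
    """Return a reason string if this HJT line merits review, else None."""
    line = line.strip()
    kind = line.split(" - ", 1)[0]          # R0, R1, O1, O3, O4, O16, ...
    if kind in ("R0", "R1") and bad_domain(line):
        return "IE start/search setting points at hijacker domain"
    if kind == "O1" and line.split()[-1].lower() in SEARCH_HOSTS:
        return "hosts file overrides an IE search host (search redirect)"
    if kind == "O3" and ("(no name)" in line or line.endswith("(no file)")):
        return "toolbar with no name or missing file"
    if kind == "O4":
        if "RunServices" in line:
            return "RunServices autostart (legacy Win9x key, unexpected on XP)"
        m = re.search(r"\]\s*(.+)$", line)  # command after the [value name]
        if m and not (m.group(1).startswith('"') or ":\\" in m.group(1)):
            return "autostart with bare filename, no full path"
    if kind == "O16":
        if bad_domain(line):
            return "ActiveX download from hijacker domain"
        if "(" not in line:
            return "ActiveX object with no registered name"
    return None

def triage(log_text):
    # [(line, reason)] for every flagged line in a pasted HJT log
    return [(l.strip(), r) for l in log_text.splitlines() if (r := triage_line(l))]
```

    Each hit is a line to look up or ask about, not an automatic "fix"; the Norton, Gateway and quoted-path entries in the sample pass untouched.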
  6. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Did you try any of those tools that have already been posted?

    I would recommend reading the frequently asked questions forum here at MajorGeeks for help with HijackThis, as these lists can really take some time to go through.

    BTW, just had a quick browse as I'm here; you really need to sort out this:
    O4 - HKLM\..\RunServices: [MSConfig45] MSConfig45.exe
    It's a backdoor trojan, info here:
    http://www.kephyr.com/spywarescanner/library/backdoor.msconfig45/index.phtml

    And do you have any idea what this is? Sure looks suspect:
    O4 - HKLM\..\Run: [Nameknob] C:\PROGRA~1\wmagluebody\poll exit.exe
     
  7. alanc

    alanc MajorGeek

    There is an uninstaller for allaboutsearching here: http://lop.com/new_uninstall.exe

    Some people are reporting success using it, YMMV. Careful at that site though, lop.com is known spyware.
     
  8. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    As stated, CWShredder should remove it. Let us know.
     
  9. JBuffettPH

    JBuffettPH Private E-2

    OK, well, I started with CWShredder as previously advised and it did not get rid of it.

    It did ask me about one program c:\winnt\gwmdmu.exe

    It said if I didn't know that it was random to not delete it, so I didn't. What would you recommend next? Is it safe to delete? Should I delete it or which steps would you recommend next?

    Also, no clue about
    O4 - HKLM\..\Run: [Nameknob] C:\PROGRA~1\wmagluebody\poll exit.exe
     
  10. augiedoggie

    augiedoggie The Canadian Loon - LocoAugie (R.I.P. 2012)

    gwmdu.exe is a Gateway modem driver
     
  11. JBuffettPH

    JBuffettPH Private E-2

    Thanks augie
     
  12. NonSuch

    NonSuch Private E-2

    You have a particularly persistent baddie called "Look2Me." You really need to get rid of it. I suggest you post your log at www.TomCoyote.com where it can be viewed by an expert as this is a nasty that won't be solved by just selecting it in HJT and "fixing" it. It also won't be deleted by CWShredder. By the way, this is the nasty that messed up your internet connection.

    When you post your log, be sure to mention that you previously had to do a Winsock fix because of broken internet access. That's important for them to know!

    Right now, you have HijackThis in a temporary folder. Please create a folder on the C: drive called C:\HJT. You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select "New" then "Folder" and name it HJT.

    Unzip HijackThis into the new folder. Now, when you run HijackThis from this folder and have it "Fix checked," it will create a backup file of modifications to use if restore is necessary. Delete the old copy of HJT please. PLEASE DO THIS BEFORE POSTING YOUR LOG AT TOM COYOTE!

    Additionally, you're in serious need of performing updates to XP and IE. Right now, you're a sitting duck just waiting to be picked off by spyware, adware, and worse.
     
    Last edited: Apr 7, 2004
  13. alanc

    alanc MajorGeek

  14. NonSuch

    NonSuch Private E-2

    That's a good tool and certainly part of the process, but he's got more than that going on and really needs some help with this.
     
  15. JBuffettPH

    JBuffettPH Private E-2

    IE and XP Updates

    Did as you recommended, NonSuch, waiting for a reply off of TomCoyote. Can I proceed with the Windows and IE updates or should I wait until I get this issue resolved?

    I did use the Kill2Me and it said removal was successful, but my browser is still hijacked to allaboutsearching.
     
    Last edited: Apr 8, 2004
  16. NonSuch

    NonSuch Private E-2

    Good job!

    You should just go ahead and get your updates while you wait for your reply at Tom Coyote. They do a lot of logs there, so it may take a bit but they will do a great job for you.

    Did you download Kill2Me here? If so, I don't believe they've had a chance to put up the latest version which is 1.04. You may want to download the new version from the author's site at www.spywareinfo.com/~merijn, although I'm certain that Major Geeks will have their download site updated very soon. This site really stays on top of things. (Actually, you may have knocked out the Look2Me already and only need to nail the rest of the baddies!)

    You have several different issues going on, which is why I recommended that you go to a specialized forum to address them. Get your updates all done and the folks at Tom Coyote will help you with the remaining hijack problems. You'll soon be in fine shape.
     
  17. JBuffettPH

    JBuffettPH Private E-2

    Thanks, your link didn't work but I did find v1.04 and I needed it. I had run the version off of www.majorgeeks again and it said I had no infection, but when I ran 1.04 it indicated it found one.

    I am trying to update Windows and IE while I wait for a response off of www.tomcoyote.com

    Thanks to all, I am learning!!
     
