Problems with pop-ups and allaboutsearching!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by oakknoll, Jun 19, 2004.

  1. oakknoll

    oakknoll Private E-2

    I can't get rid of allaboutsearching!! Listed below is my Hijack This log....Please help!

    Logfile of HijackThis v1.97.7
    Scan saved at 12:55:16 AM, on 6/19/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\System32\ati2plab.exe
    C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
    C:\WINNT\System32\nslsvice.exe
    C:\ePOAgent\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\CCM\CcmExec.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\ltmsg.exe
    C:\WINNT\system32\Atiptaxx.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
    C:\ePOAgent\UpdaterUI.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\PROGRA~1\Mags dent second\locks bias.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\iPass\iPassConnect\idialer.exe
    C:\Program Files\WinZip\WINZIP32.EXE
    C:\DOCUME~1\DILWOR~1\LOCALS~1\Temp\HijackThis.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Sect Amen - {8E0D3F8A-D63B-6093-DAFD-50D4C4B11FE5} - C:\PROGRA~1\16LOUD~1\TRAYPROC.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\ePOAgent\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Barb plus] C:\PROGRA~1\Mags dent second\locks bias.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38057.6308796296
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.bordenchem.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{36772F19-EEFD-43ED-BB22-2A0616D7A5CC}: NameServer = 10.70.1.61,10.71.1.62 10.70.1.61,10.71.1.62 10.71.1.115 10.71.1.115 10.71.1.115 10.71.1.115
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.bordenchem.net
    O17 - HKLM\System\CS1\Services\Tcpip\..\{36772F19-EEFD-43ED-BB22-2A0616D7A5CC}: NameServer = 10.70.1.61,10.71.1.62 10.70.1.61,10.71.1.62 10.71.1.115 10.71.1.115 10.71.1.115 10.71.1.115
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.bordenchem.net
    O17 - HKLM\System\CS2\Services\Tcpip\..\{36772F19-EEFD-43ED-BB22-2A0616D7A5CC}: NameServer = 10.70.1.61,10.71.1.62 10.70.1.61,10.71.1.62 10.71.1.115 10.71.1.115 10.71.1.115 10.71.1.115
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the directions here first. And then if still having a problem, shut down all applications and run a new HijackThis scan and post a log.
     
  3. oakknoll

    oakknoll Private E-2

    Hi Chaslang,

    Thanks for your reply. Where do I find your directions? Were they supposed to be attached or do I find them on the site somewhere?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry Oak! I left them out: http://www.majorgeeks.com/vb/showthread.php?t=33201

    They are at the top of the SpyWare Forum thread as a sticky.
     
  5. nickson2

    nickson2 Master Sergeant

    did he mean the directions for hijack this, that major posted?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They are in the link I just gave. I forgot to put it in my first message.
     
  7. nickson2

    nickson2 Master Sergeant

    lol, I guessed that. I went to get the link and when I got back you had already posted it.
     
  8. oakknoll

    oakknoll Private E-2

    Okay...I attempted to do all of the stuff listed from the link provided. I ran Spybot. I then ran Ad-aware, but it froze each time it was performing Quarantine. It found the allaboutsearching and an infected Reg Key (secondthought) and some other various trackers. I tried an online scan several times, but each time it timed out during setup. I ran a virus scan with McAfee, which turned up nothing, and also ran CWShredder, which didn't find anything either. I then ran the startup managing program and did as told for that. Then restarted. When I tried running HijackThis, it said the shortcut had been changed or moved and no longer worked. So I tried to download another copy and it didn't work either. AAAHHH!

    HELP!
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do not run HijackThis as a startup program. Just use Win Explorer and double click on it. You could make a new shortcut to it and put it on your desktop if you really feel that is necessary.

    Try running both Ad-aware and SpyBot S&D in safe mode (before booting into safe mode UPDATE both of them first).
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ooops! I just remembered you have Windows 2K. There is no safe mode! Sorry!
     
  11. oakknoll

    oakknoll Private E-2

    Okay...I think this should do it...


    Logfile of HijackThis v1.97.7
    Scan saved at 3:52:30 PM, on 6/19/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\System32\ati2plab.exe
    C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
    C:\WINNT\System32\nslsvice.exe
    C:\ePOAgent\FrameworkService.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\CCM\CcmExec.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
    C:\ePOAgent\UpdaterUI.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\PROGRA~1\Mags dent second\locks bias.exe
    C:\WINNT\system32\ltmsg.exe
    C:\WINNT\system32\svchost.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/index.html?
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Sect Amen - {8E0D3F8A-D63B-6093-DAFD-50D4C4B11FE5} - C:\PROGRA~1\16LOUD~1\TRAYPROC.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
    "C:\ePOAgent\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Barb plus] C:\PROGRA~1\Mags dent second\locks bias.exe
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.bordenchem.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{36772F19-EEFD-43ED-BB22-2A0616D7A5CC}: NameServer = 10.70.1.61,10.71.1.62 10.70.1.61,10.71.1.62 10.71.1.115 10.71.1.115 10.71.1.115 10.71.1.115
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.bordenchem.net
    O17 - HKLM\System\CS1\Services\Tcpip\..\{36772F19-EEFD-43ED-BB22-2A0616D7A5CC}: NameServer = 10.70.1.61,10.71.1.62 10.70.1.61,10.71.1.62 10.71.1.115 10.71.1.115 10.71.1.115 10.71.1.115
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.bordenchem.net
    O17 - HKLM\System\CS2\Services\Tcpip\..\{36772F19-EEFD-43ED-BB22-2A0616D7A5CC}: NameServer = 10.70.1.61,10.71.1.62 10.70.1.61,10.71.1.62 10.71.1.115 10.71.1.115 10.71.1.115 10.71.1.115
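    As an added example (not code from this thread or from HijackThis), here is a small triage script for the log format above. It parses R0/O3/O4/O16 entries and flags the ones an analyst would look at first: a start page on an unexpected domain, an autostart or toolbar whose path matches no recognised vendor, and an ActiveX control served from an untrusted host. The allowlists are constructed assumptions for this example, and the sample log is a handful of lines copied from the second log in the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a few lines in HijackThis v1.97 format, taken from the
# second log posted in this thread (not the complete log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/index.html?
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Sect Amen - {8E0D3F8A-D63B-6093-DAFD-50D4C4B11FE5} - C:\PROGRA~1\16LOUD~1\TRAYPROC.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Barb plus] C:\PROGRA~1\Mags dent second\locks bias.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumed allowlists (constructed for this example): substrings of paths the
# analyst already recognises, and domains trusted to serve ActiveX controls.
KNOWN_GOOD_PATH_WORDS = ("network associates", "quicktime", "google", "msdxm", "ltmsg", "printray", "mobsync")
TRUSTED_DPF_DOMAINS = ("apple.com", "macromedia.com", "microsoft.com", "symantec.com", "trendmicro.com")

def parse_line(line):
    """Split a HijackThis entry into (section, body); None for header/process lines."""
    m = re.match(r"^([RO]\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None

def in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(log_text, expected_start_domains=("google.com", "msn.com")):
    """Return a list of (section, reason) findings for entries worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, body = parsed
        if section in ("R0", "R1") and "=" in body:
            host = urlsplit(body.split("=", 1)[1].strip()).hostname or ""
            if host and not in_domains(host, expected_start_domains):
                findings.append((section, f"browser start/search page points at {host}"))
        elif section in ("O3", "O4"):
            if not any(w in body.lower() for w in KNOWN_GOOD_PATH_WORDS):
                findings.append((section, f"unrecognised autostart/toolbar: {body}"))
        elif section == "O16":
            host = urlsplit(body.rsplit(" - ", 1)[-1].strip()).hostname or ""
            if not in_domains(host, TRUSTED_DPF_DOMAINS):
                findings.append((section, f"ActiveX control from untrusted host {host}"))
    return findings

if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(section, reason)
```

    On the sample it reports the allaboutsearching start page, the "Sect Amen" toolbar, the "Barb plus" Run entry and the bundleware.com control, which are exactly the items the thread ends up removing.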
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you know what the following program is:

    C:\PROGRA~1\Mags dent second\locks bias.exe
     
  13. oakknoll

    oakknoll Private E-2

    I don't know what that is... I can find it by doing a search on My Computer, but the moment I right click on it to look at properties, a window pops up that says there is an error in explorer.exe and "Memory could not be written". Then asks if I want to terminate or debug the program.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would have HijackThis fix that line. Then try to delete the file. If you can, try rebooting and then deleting it.
     
  15. oakknoll

    oakknoll Private E-2

    I went into regedit and deleted the file that had "allaboutsearching" in it, also got rid of reg keys the same way that had infected my computer. That seemed to work so far. My homepage is back anyways and some other minor errors aren't coming up anymore. Just one more thing though...I can't seem to get rid of a file called "VX2.BetterInternet". The location is C:\winnt\system32\ausmib.dll. Any ideas?
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
