search-about.net and best of popups

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by smorgdonkey, Jun 20, 2004.

  1. smorgdonkey

    smorgdonkey Private E-2

    Hello everyone. I am sure many of you are sick of dealing with this issue (or at least tired of it) but I have been hijacked by 'search-about.net' and have been plagued by the 'best of' pop ups. Both problems surfaced at the same time. I have done a full virus scan with PC-cillin and I have run Adaware build 1.81, Spybot S&D v1.3 and CW Shredder and still have the problem(s). I am wondering if anyone has mastered this one yet. I appreciate any help that I can get. It sucks to be hijacked. Here is a HijackThis log:

    Logfile of HijackThis v1.97.3
    Scan saved at 10:10:42 AM, on 6/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\WINDOWS\system32\crck.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
    C:\WINDOWS\system32\winza.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\unzipped\hijackthis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dywle.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dywle.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dywle.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dywle.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://dywle.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dywle.dll/sp.html#96676
    O2 - BHO: (no name) - {99368009-0A9B-D27D-477D-7DCB633E7E12} - C:\WINDOWS\msdl.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Explore] C:\WINDOWS\system32\Explore.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
    O4 - HKLM\..\Run: [winza.exe] C:\WINDOWS\system32\winza.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKLM\..\RunOnce: [crck.exe] C:\WINDOWS\system32\crck.exe
    O4 - HKLM\..\RunOnce: [ipjz32.exe] C:\WINDOWS\system32\ipjz32.exe
    O4 - HKLM\..\RunOnce: [javakq32.exe] C:\WINDOWS\system32\javakq32.exe
    O4 - HKLM\..\RunOnce: [netay.exe] C:\WINDOWS\system32\netay.exe
    O4 - HKLM\..\RunOnce: [ntos.exe] C:\WINDOWS\ntos.exe
    O4 - HKLM\..\RunOnce: [sdkco32.exe] C:\WINDOWS\system32\sdkco32.exe
    O4 - HKLM\..\RunOnce: [sdkgs.exe] C:\WINDOWS\sdkgs.exe
    O4 - HKLM\..\RunOnce: [winbj32.exe] C:\WINDOWS\system32\winbj32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Shaw Help (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021017/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37420.5515740741
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
     
  2. smorgdonkey

    smorgdonkey Private E-2

    I have BHO Demon running at startup and it always detects 2 (so far) new things that I disable after booting. I have deleted many different things along the way but I am not having any luck. Trying to clean this up and contribute but not getting much done.
     
  3. smorgdonkey

    smorgdonkey Private E-2

    I am still infected with this piece of crazy malware and unfortunately after about 3 days it seems to 'open avenues' in your computer to let viruses in. Why do I say this, you may ask? Well, I have antivirus running all of the time and do regular scans AND auto updates, and am also careful enough to manually check for updates too. I have been running scans more often due to this recent problem (hijack of homepage and pop ups) and had not detected anything until today. Today, being my 3rd or 4th day after being hijacked, my virus scan found 112 viruses. Look out people. This one is an EVIL one.
     
  4. nkkraker

    nkkraker Private E-2

    Smorgdonkey,


    I too have the same problem now, only I have just been hijacked today by this website.... I was hijacked by searchmall link and now I have been hijacked by allabout searching.net..... Have you fixed your problem and how????

    Regards,
    NKKRAKER
     
  5. zephod

    zephod Private E-2

    Hey guys, I too WAS infected by "only the best". I found the key to getting rid of it was NOT being connected to the internet while you destroy it. It seems to regenerate itself every time you delete part of it. I posted everything I did to get rid of it yesterday. I have been FREE for about 5 days now. I accidentally called it "best of" in my post. Take a look if you're interested.
    Good luck
     
  6. smorgdonkey

    smorgdonkey Private E-2

    Hey...thanks for your response to my thread re: malware. Did you also have a 'homepage hijack'?
    Secondly...how did you check if a file was 'good' before deleting it using 'hijack this'?
    Thanks.
     
  7. zephod

    zephod Private E-2

    You just type the file into google and hit search. If it doesn't give you some info about the creator of the software, you can be 90% sure that it is a spyware file. And yes, my homepage was hijacked. I spent about a week talking with microsoft techs, but they were unable to help. Actually, these techs are the ones who told me about using google to tell if a process is bad or good. It is what they were doing when they were trying to help me.
     
  8. zephod

    zephod Private E-2

    If you guys are interested, this is what I did to clear up my system. I just copied and pasted it from my earlier post. I see that a lot of people have a lot of different methods for dealing w/ this thing but again, this did the trick, and it's pretty straight fwd. If you have any questions, feel free to email me. I'm no expert, but I'll try to help you out.



    To Anyone dealing w/ this @#$%#$ worm, it takes a while, but you CAN kill it.

    This is what worked for me.

    First thing is to run task manager and look up all the running processes. (just the letters/numbers.exe). Some examples of bad files are: atloz32.exe, msme.exe, addbi32.exe, and about 20 more that I had to remove because every time I stopped a process, another bad file would plant itself in my processes folder. In actuality, there are probably hundreds of these files out there. Also, the avg. size of these files is about 3000kb, so you know what to focus on.
    Be careful what you delete! Some of these files are very important to your computer's operation. For instance, csrss.exe, smss.exe, and lsass.exe are all needed processes on my computer. Depending on what programs you have on yours, you may have several more of these *.exe files that are "good".
    So here goes. CLOSE OR EXIT ANY UNNECESSARY PROGRAMS
    INCLUDING MESSENGERS, PRINTERS, I/O DEVICES, ETC.
    STEP 1 open task manager and write down all of the *.exe programs that are running that you don't recognize.
    2 google search each of these files, and if google doesn't turn up an answer, then it is a nasty. (this is exactly what the "techs" at microsoft do!)
    3 run hijack this. Print the log and Google all the files you don't recognize
    Anything with -----.dll/sp.html#96676 is definitely bad
    Also, my system had a lot of runonce files that weren't supposed to
    be there. ie. google had no idea what they were.
    4 You can also cross reference files w/ ones listed at :http://www.liutilities.com/products...processlibrary/ , this has pretty much all of the normal windows processes, I printed all these out as well.
    5 Now that you know what all the good files are (from checking google), you can start the clean-up process.
    STEP 6 This is the most important part, I think. DISCONNECT FROM THE INTERNET
    Every time I deleted a bad file, another one replaced it. I think this is how
    it survives.
    6.5 this might be overkill, but I deleted all messenger services (you can always get them back again later)
    7 Open task manager and "end process" on all the files you can't confirm belong there.
    8 Run hijackthis and "fix" all the files that you can't confirm belong there. If you're not sure about a specific file, ask someone before "fixing" it!
    9 Go to search "all files and folders" and enter the "bad" file names( ex. netqx.exe). It will find 2 files; the main program file and a prefetch file. Delete them both. I clicked on properties and if the description was unknown, it was out-a-there.
    10 empty recycle bin
    11 run ad-aware and delete all the nasties ( by the way, norton is useless for this worm)
    12 now defrag the hard drive. Reason: even when you empty recycle bin, the files still exist until they are overwritten. defrag moves files around, writing over some of these areas. It may be overkill again, but I was getting frustrated.
    13 enter the home page of your choice in internet options, apply, and restart your computer. Internet still disconnected.
    14 see if your selected home page is still in internet options.
    15 check task manager for any new nasties and run hijackthis. Hopefully all the nasties are still gone. If not, you may have to do it again, but this is what totally got rid of this crap on my system.
    16 fire up the internet........................GOOD LUCK!!!!!!!!!!:D


    PS I think the big key here is to not be on-line when you're cleaning up your system!!
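
    A way to automate the triage in steps 3, 8 and 9 above, as an added example that is not part of zephod's post, of HijackThis or of any tool named in this thread: a short Python script that parses HijackThis log lines and flags the patterns this thread turns on (R0/R1 start and search pages pointing at a res:// DLL, unnamed BHOs, Run/RunOnce entries launching bare executables straight out of the Windows directory, ActiveX downloads registered from a file:// path), then lists the file names to search for once the machine is offline. The sample lines are copied from the log in the first post; the short allow-list of known Windows autostart binaries is an assumption made for this example and would need extending for real use.

```python
"""Triage a HijackThis v1.9x log for the indicators discussed in this thread.
Added example; not HijackThis code and not the procedure's original form."""
import re
from dataclasses import dataclass

# Sample lines copied from the log posted at the top of this thread,
# with two known-good lines (QuickTime, Windows Update) left in for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dywle.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dywle.dll/index.html#96676
O2 - BHO: (no name) - {99368009-0A9B-D27D-477D-7DCB633E7E12} - C:\WINDOWS\msdl.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winza.exe] C:\WINDOWS\system32\winza.exe
O4 - HKLM\..\RunOnce: [javakq32.exe] C:\WINDOWS\system32\javakq32.exe
O4 - HKLM\..\RunOnce: [ntos.exe] C:\WINDOWS\ntos.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37420.5515740741
"""

# Assumed allow-list for this example: OS binaries that legitimately
# autostart from %WINDIR% or system32. Extend it before trusting the output.
KNOWN_WINDIR_BINARIES = {"ctfmon.exe", "rundll32.exe", "explorer.exe"}

LINE_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
RES_DLL_RE = re.compile(r"res://(?:[^/]*\\)?([^/]+\.dll)", re.IGNORECASE)
WINDIR_EXE_RE = re.compile(r'^"?(C:\\WINDOWS(?:\\system32)?\\([^\\"\s]+\.exe))"?', re.IGNORECASE)


@dataclass
class Entry:
    section: str   # HijackThis section code: R0, R1, O2, O4, O16, ...
    body: str


@dataclass
class Finding:
    section: str
    target: str    # file, URL or DLL the entry points at
    reason: str


def parse_hjt(text):
    """Keep only the section-coded lines; process lists and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries):
    findings = []
    for e in entries:
        if e.section in ("R0", "R1") and "res://" in e.body.lower():
            # Start/search page served out of a local DLL resource: the
            # "-----.dll/sp.html#96676" pattern called out in the post above.
            m = RES_DLL_RE.search(e.body)
            findings.append(Finding(e.section, m.group(1).lower() if m else "?",
                                    "IE start/search page redirected into a local DLL resource"))
        elif e.section == "O2" and "(no name)" in e.body:
            path = e.body.rsplit(" - ", 1)[-1]
            findings.append(Finding("O2", path, "unnamed Browser Helper Object"))
        elif e.section == "O4":
            key, _, target = e.body.partition(": ")
            tm = re.match(r"\[([^\]]+)\]\s*(.*)", target)
            wm = WINDIR_EXE_RE.match(tm.group(2)) if tm else None
            if not wm or wm.group(2).lower() in KNOWN_WINDIR_BINARIES:
                continue
            if "RunOnce" in key:
                reason = "RunOnce entry re-launching a bare executable from the Windows directory"
            else:
                reason = "Run entry for an unrecognised executable in the Windows directory"
            findings.append(Finding("O4", wm.group(1), reason))
        elif e.section == "O16" and "file://" in e.body.lower():
            findings.append(Finding("O16", e.body.rsplit(" - ", 1)[-1],
                                    "ActiveX download registered from a local file:// path"))
    return findings


def cleanup_targets(findings):
    """Base names to search for on disk while offline (step 9 above). For each
    .exe also look for its Prefetch trace, C:\\WINDOWS\\Prefetch\\NAME.EXE-<hash>.pf."""
    names = set()
    for f in findings:
        base = f.target.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
        if base.endswith((".exe", ".dll")):
            names.add(base)
    return sorted(names)


if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_LOG))
    for f in found:
        print(f"{f.section:<4}{f.target:<45}{f.reason}")
    print("search for:", ", ".join(cleanup_targets(found)))
```

    The script only reads a saved log, so it can be run on the infected machine with the network cable pulled, as the post recommends, and the "search for" list is what to type into Search / All files and folders; anything it does not flag (the QuickTime and Windows Update lines here) still deserves the same google check the post describes before it is trusted.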
     
  9. smorgdonkey

    smorgdonkey Private E-2

    Thanks again zephod. I think I am making some progress...mainly on the virus front though so far. I got the file name from PC cillin and deleted it in safe mode.

    People MUST be careful... in their desperation to find an answer they (like I did) can run into things on the net that say "download this crack" and there is a TROJAN in it. In the one I got... TROJAN AGENT.Z2

    It's a byatch too. As you can see by my third post...it gets a bunch of others to follow it.

    I'll let you know how the rest is going when I can determine where I am with it.
     
  10. smorgdonkey

    smorgdonkey Private E-2

    also...are these useful at all?

    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37420.5515740741
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

    I have not gotten rid of Java Virtual Machine yet so what are the ramifications of deleting them using HJT?
     
  11. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    You need to look at them and decide that :) Log files can be tricky. That said....

    1: Macromedia, probably Shockwave
    2: Not sure, might be related to the same. If C:\install.cab does not exist, it should be ok to delete.
    3: Windows Update, leave it be.
    4: MSN chat. If you're chatting at MSN, leave it be.

    I am unsure about JVM, my guess is that if it's unchecked in IE's options so it's not being used, it may go away itself. I would install Sun Java to be sure you have something.

     
  12. smorgdonkey

    smorgdonkey Private E-2

    I have since rid my system of all 4 of those items that I questioned. I will look for updates for windows and if my system needs it I am sure it will be detected and install what I am missing. I got rid of messenger as well as there seemed to be a virus in a 'messenger update' which gave me a lot of 'outgoing connection' BS that I got sick of.

    Zephod...I used the 'halt internet traffic' feature on my PC cillin whenever I worked on this problem based on your advice to 'disconnect from the internet while cleaning'. I now seem to be virus free and 'only the best' free and 'homepage hijack' free.
    I didn't follow any specific method but I gleaned info from a few different threads and tried a lot of things. I guess time will tell if it holds up.

    Thanks to all for the time and energy.
     
  13. junglejase

    junglejase Private E-2

    People, if it is trojan agent.z2 I had a huge issue but fixed it eventually. Trend antivirus picked it up and deleted the file - it kept on reinstalling each time I connected to the net. I cleaned as they described in the solution file but it still didn't fix it. Got hold of their tech support who advised removing ie6 and then reinstalling, and that should fix it - not as easy as thought with xp, however I found the following articles from pc mag and microsoft - I tried and it worked.

    pcmag: www.pcmag.com/article2/0,1759,1559298,00.asp this details how to fool computer to think ie6 not installed which allows complete ie6 reinstall

    also microsoft technet article www.support.microsoft.com/default.aspx?kbid=320159&product=ie

    once I reinstalled IE6 and updated and restarted I did another virus check - it picked up one which related to the trojan, deleted it and I haven't had an issue since.

    Worth trying!
     
