searchingbooth.com+some and some trojans! Oh geez!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by _overdue, Feb 26, 2005.

  1. _overdue

    _overdue Private E-2

    I followed your basic removal guide, but it didn't seem to do the trick. None of the current programs I am using seem to be recognizing the spyware and if it does, it does not remove it because it comes back - right away!

    I may also have trojans left on my computer. TDS-3 has found 2 trojans so far and has cleaned them, or so it said. I believe HouseCall has also found one and removed it. I seriously need professional help in removing all of this. I was fighting the urge to maybe solve the problem by reformatting the drive, but I don't want it to come to that. Wow, just as I typed that the endless banner parade has started up again. Please HELP! :( It's even disturbing Firefox, which I downloaded since IE is temporarily indisposed.

    These are the current programs I am using. I do update these every time I use them and I have used these in both regular and safe mode, still a no go.

    AboutBuster
    Adaware 6.0
    Adaware SE Personal (Build 1.05)
    Avast! Antivirus
    CCleaner
    CWShredder
    EasyCleaner
    HijackThis (v1.99.1)
    HSRemove
    Kill2Me
    Killbox
    McAfee VirusScan Professional
    Pest Patrol
    Spybot - Search and Destroy (v. 1.3)
    Spyware Blaster
    Stinger
    TDS-3
    TuneUp Utilities

    And 4 pop-up killers, which help most of the time but not with this nasty little bugger! :eek:

    PopUp Killer
    Pop-Up Stopper
    Pop-Up Stopper Basic
    Pop-Up Stopper Companion

    I've used these online searches.

    Trend Micro's HouseCall
    Symantec Security Check
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser and e-mail. Please close these before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. _overdue

    _overdue Private E-2

    Here's my HJT log.
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log looks clean! Also I notice that you are running 2 different Antivirus programs. This is NOT recommended as they can cause conflicts with one another. Only run ONE antivirus and one firewall.

    For the trojans download the following program.

    1) Download TrojanHunter

    2) Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Please do so!

    3) Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections.
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    After this let me know how things are running.
     
  6. _overdue

    _overdue Private E-2

    TrojanHunter found 3 trojans and cleaned them, but I'm still getting endless searchingbooth.com and "something"wizz.com banners. I don't think my HJT log is even recognizing those ones. I looked through my add/remove programs and haven't found anything that would be considered spyware as in search toolbars, etc.

    What is this? Is that one of those things that tracks your every move online? If so how do I get rid of it?

    O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
     
  7. _overdue

    _overdue Private E-2

    The other "something"wizz.com banner is called apps.deskwizz.com/pubanrs.html.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This is an application that gets bundled with a particular series of the Compaq Presario systems. msCMTSrvc is called the Content Monitoring Tool Service (CMTS). The Compaq Offer Zone, displayed on the desktop as the Hot Deals icon, uses the CMTS to update the computer when new merchandise is available for purchase by the user. You can fix this line with HJT. If it returns, no biggie; the new version will do this. Just leave it, nothing serious.
     
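    The O23 line in post #6 and the DLL names that come up later in the thread are exactly what a HijackThis log puts in front of you, and the helper's judgement (a service reported as "(file missing)" is a harmless leftover; an unnamed BHO sitting in C:\WINDOWS is suspect) can be turned into a first-pass triage script. The following Python is an added example written for this edit; it is not part of HijackThis or of the thread. It parses the O2 (BHO), O4 (autorun) and O23 (service) line shapes and flags the entries worth researching first. The sample log is constructed: only the O23 line is taken from the thread, the aunbho.dll and ceiim.exe names are borrowed from later posts, and the CLSIDs and the remaining entries are placeholders.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis code).

Handles three line shapes:
  O2  - BHO: <name> - {CLSID} - <dll path>
  O4  - <hive>\\..\\Run: [<value name>] <command line>
  O23 - Service: <display name> (<short name>) - <owner> - <exe path>
A trailing "(file missing)" marks a load point whose binary is gone.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

FILE_MISSING = "(file missing)"
WINDOWS_DIRS = ("c:\\windows\\", "c:\\winnt\\")    # a BHO rarely belongs here
TEMP_MARKERS = ("\\temp\\", "\\local settings\\")  # autoruns from scratch space


@dataclass
class Entry:
    kind: str             # O2, O4, O23, ...
    name: str             # BHO name, Run value name or service display name
    path: Optional[str]   # binary path / command line, if the line has one
    missing: bool         # HJT reported the file as absent
    flags: List[str] = field(default_factory=list)


def _split_path(text: str):
    missing = text.endswith(FILE_MISSING)
    if missing:
        text = text[: -len(FILE_MISSING)].strip()
    return text, missing


def parse_line(line: str) -> Optional[Entry]:
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    kind, rest = m.group(1), m.group(2)
    if kind in ("O2", "O23"):
        parts = [p.strip() for p in rest.split(" - ")]
        if len(parts) < 3:
            return None
        name = parts[0].split(":", 1)[1].strip()
        path, missing = _split_path(parts[-1])
        return Entry(kind, name, path, missing)
    if kind == "O4":
        m4 = re.match(r"^(.*?): \[(.*?)\]\s*(.*)$", rest)
        if not m4:
            return None
        path, missing = _split_path(m4.group(3))
        return Entry(kind, m4.group(2), path, missing)
    return Entry(kind, rest, None, False)  # other types: kept, not judged


def triage(entry: Entry) -> Entry:
    flags = []
    if entry.missing:
        flags.append("file-missing")      # dead load point: clean-up, not a threat
    if entry.kind == "O2" and entry.name.lower() == "(no name)":
        flags.append("unnamed-bho")       # vendors name their BHOs; junkware often does not
    if entry.path:
        low = entry.path.lower()
        if entry.kind == "O2" and low.startswith(WINDOWS_DIRS):
            flags.append("bho-in-system-dir")
        if any(t in low for t in TEMP_MARKERS):
            flags.append("runs-from-temp")
    entry.flags = flags
    return entry


def triage_log(text: str) -> List[Entry]:
    return [triage(e) for e in map(parse_line, text.splitlines()) if e]


def suspicious(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


# Constructed sample: the O23 line is the one from the thread; aunbho.dll and
# ceiim.exe are names from later posts; CLSIDs and the other entries are placeholders.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\aunbho.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ceiim] C:\Documents and Settings\user\Local Settings\Temp\ceiim.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
"""

if __name__ == "__main__":
    for e in suspicious(triage_log(SAMPLE_LOG)):
        print(f"{e.kind:4} {e.name:40} {', '.join(e.flags)}")
```

    This does not replace reading the log: a BHO under Program Files can still be malicious, and a service reported as (file missing) is only dead weight, as the CMTS entry above shows. The point is to sort a long log so the entries worth researching come first.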
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    NOW:
    Reboot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following file if it should remain:


    C:\WINDOWS\aoehka.dll


    Reboot and see if problem remains.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  11. _overdue

    _overdue Private E-2

    Well, I did what you said above including showing hidden files and folders and I couldn't find that file. Could it be another one? It's gotta be something. Should I download those programs now since I couldn't find that file?

    As for "O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)", thank you for letting me know. I had no idea what that was and I attempted to fix it before, but it did keep coming back. Well, now that I know it's okay I'll stop worrying about that.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That was just to see if it existed. Yes, proceed with those downloads and attach the log from find.bat.
     
  13. _overdue

    _overdue Private E-2

    Okay, I downloaded all those programs and ran them. Here are 2 of the logs. I'll have to post the third in another reply.
     


  14. _overdue

    _overdue Private E-2

    Here's the 3rd.
     

    Attached Files: vx2.log (299 bytes)
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The only thing that jumps out at me is aunbho.dll and I'm not 100% on this.

    I will have Chaslang or PP double check to be sure. Hang in there.
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's try this. Locate these files below.

    aunbho.dll

    aunps.dll

    luivh.dll


    Once these files are located, rename them as follows.

    Rename aunbho.dll to aunbho.bad

    Rename aunps.dll to aunps.bad

    Rename luivh.dll to luivh.bad

    Note: If you have any problems renaming these files, reboot into Safe Mode and try renaming them. It would be best to print this out where you can do this with all browsers closed.

    After you do this, reboot!

    Let me know if any problems still remain. If they do, please explain in detail what problems you're currently having.

    Thanks Bj :)
     
  17. _overdue

    _overdue Private E-2

    Okay, I did that and rebooted. My computer is still a little slow at startup (more than usual). Don't know if that has anything to do with this whole mess or not.

    Also, I was just now browsing my program files C:\Program Files\ and noticed that the trojan file that TrojanHunter had found and cleaned is still there. Did it re-create itself? I added a .bad extension to it just in case. Not sure if that will do anything, but if I delete the file it may just come back anyway. The file folder is called r003mwh31. Should I leave it like it is?

    I don't know yet if what you had said about changing the extensions will work. The pop-ups come at a random time and when they do the whole screen goes berserk, so I don't know if that is solved yet, but I did find all three of those files and changed their extensions to .bad, so hopefully that will do it.
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Delete the folder r003mwh31 from the Program Files directory. Can you attach an image of the popups you're getting so I can get more information about it? Thanks!
     
  19. Philip Boyce

    Philip Boyce Private E-2

    Hello all. I had a co-worker that recently was infected with the searchingbooth trojan. I worked for two days using several tools to try and get rid of it. I found it the old-fashioned way: I watched the processes in the Windows Task Manager.
    I used: Ad-Aware SE, Microsoft's new AntiSpyware, Spybot, Norton, HJT, and a couple of other tools to no avail. The searchingbooth ads kept coming. I finally started deleting processes running in the Windows Task Manager until I found the culprit. For the infected system, it turned out to be a file named ceiim.exe. The exe was infecting the restore point program as well.
    Steps I took:
    1) disabled restore points
    2) searched for and deleted ceiim.exe
    3) searched the registry and deleted all references to ceiim
    4) ran all the above-mentioned tools to clean out all the cookies and other crap it left behind
    5) opened Internet Explorer and cleared the cache, deleted files, and history
    6) re-enabled restore points
    7) rebooted

    I haven't seen any popups yet. Later on, by testing the above-mentioned file, I found out that Trend Micro can detect this trojan.
     
    Last edited: Mar 4, 2005
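    Step 3 above ("searched the registry and deleted all references to ceiim") is the part most people get wrong, because a BHO like the aunbho.dll renamed earlier in the thread is not referenced by file name from its load point: the Browser Helper Objects key holds only a CLSID, and the DLL path sits under that CLSID's InprocServer32 key. The Python below is an added example for this edit, not code from the thread or from any tool named in it. It works offline on a registry export of the kind `regedit /e dump.reg` produces, finds direct references to a name, follows any CLSIDs it finds to the keys that register them, and emits a .reg fragment that removes what it found. The export is constructed; the CLSID, the "Search Helper" name and the TypedURLs entry are placeholders, while ceiim.exe and aunbho.dll are the names from the thread.

```python
"""Find and remove registry references to a suspect file name, working from a
.reg export (added example, not code from the thread or any tool named in it).

Export first, e.g. from a cmd prompt:   regedit /e dump.reg
Then:  keys = parse_reg_export(open("dump.reg", encoding="utf-16").read())
"""
import re
from typing import Dict, List, Optional, Tuple

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

Hit = Tuple[str, Optional[str]]   # (key path, value name); value None = whole key


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: raw_data}}; the default value is named "@".
    Continuation lines of long hex values are ignored: string values are what matter here."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.startswith("Windows Registry Editor")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = m.group(2)
    return keys


def direct_references(keys: Dict[str, Dict[str, str]], needle: str) -> List[Hit]:
    """Every key whose path, or value whose name or data, mentions needle (case-insensitive)."""
    n = needle.lower()
    hits: List[Hit] = []
    for key, values in keys.items():
        if n in key.lower():
            hits.append((key, None))
            continue
        for name, data in values.items():
            if n in name.lower() or n in data.lower():
                hits.append((key, name))
    return hits


def expand_via_clsid(keys: Dict[str, Dict[str, str]], hits: List[Hit]) -> List[Hit]:
    """A DLL path usually lives under CLSID\\{X}\\InprocServer32, while the load
    point (Browser Helper Objects, ShellExecuteHooks, ...) names only {X}.
    Pull in every key that mentions a CLSID seen in the direct hits."""
    clsids = {c.upper() for key, _ in hits for c in CLSID_RE.findall(key)}
    hit_keys = {key for key, _ in hits}
    extra = [(key, None) for key in keys
             if key not in hit_keys and any(c in key.upper() for c in clsids)]
    return hits + extra


def references(keys: Dict[str, Dict[str, str]], needle: str) -> List[Hit]:
    return expand_via_clsid(keys, direct_references(keys, needle))


def removal_reg(hits: List[Hit]) -> str:
    """Build a .reg fragment: "[-key]" deletes a key, '"name"=-' deletes one value."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name in hits:
        if name is None:
            lines.append(f"[-{key}]")
        else:
            lines.append(f"[{key}]")
            lines.append("@=-" if name == "@" else f'"{name}"=-')
        lines.append("")
    return "\n".join(lines)


# Constructed export: the CLSID, "Search Helper" and the TypedURLs entry are
# placeholders; ceiim.exe and aunbho.dll are the names from the thread.
SAMPLE_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ceiim"="C:\\WINDOWS\\ceiim.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Search Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\aunbho.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://www.majorgeeks.com/"
"""

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_EXPORT)
    for needle in ("ceiim", "aunbho"):
        print(removal_reg(references(reg, needle)))
```

    Review the generated fragment before importing it: a whole key is removed only where the key path itself, or a CLSID it registers, matched, and a single value is removed elsewhere, but a short needle will also match legitimate entries. Do the removal with System Restore disabled, as the post says, or a restore point will hand the file back.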
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Were you able to successfully complete my instructions? Were you able to delete the folder r003mwh31 from the Program Files directory as I requested?

    Are you currently experiencing ANY problems?
     
