allaboutsearching.com hijack

GEC: Discuss gaming, computers and electronics and venture into the bizarre world of STGODs.

Moderator: Thanas

Poll: Recommended solution?

Poll ended at 2004-06-27 09:11am

Castrate Coalition for using IE: 3 votes (75%)
Just smack him upside the head: 1 vote (25%)

Total votes: 4

Coalition
Jedi Master
Posts: 1237
Joined: 2002-09-13 11:46am

allaboutsearching.com hijack

Post by Coalition »

Been having fun with allaboutsearching.com.

I've tried the following to change it:

1) ran Ad-aware Build 6.181
2) Ran Spybot S&D v1.3
3) Ran CWSShredder v1.59

Yet it still is present. What files do I need to put up on this site, so other members can properly diagnose the trouble?

Essentially, I will change the home page to home.knology.net, but every time I reopen Internet Explorer (I know, key problem there), it gets directed to allaboutsearching.com.

Other symptoms:

1) On the http://majorgeeks.com/download2859.html website, I get these "Sponsored Links" hovering over the various key words present.

2) The CCPROXY.exe file keeps getting accessed whenever I try to load a web page. This is version 2.1.2.800; it attempts connections to various ports (increasing the port number by 1 every time). If I allow it, I get to access the web page I click on. If I don't allow it, I cannot access the web page.

Sorry for the spam, if I didn't report this correctly.
Hijackthis wrote: Logfile of HijackThis v1.97.7
Scan saved at 7:25:10 AM, on 6/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\documents and settings\administrator\local settings\temp\55g6dVe0.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\shristub.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\PROGRA~1\SLOWDATE\ANTE BLEH.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MProcessor\mprocessor.exe
C:\WINDOWS\System32\sigebdvd.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Documents and Settings\Administrator\Desktop\Todd Darkspace\Misc\WinZip\WZQKPICK.EXE
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\IuiTdA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\System32\IuiTdA.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\Todd Darkspace\Misc\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [55g6dVe0.exe] C:\documents and settings\administrator\local settings\temp\55g6dVe0.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\HotEkc.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [x3FT36h] shristub.exe
O4 - HKLM\..\Run: [Phone Program] C:\PROGRA~1\SLOWDATE\ANTE BLEH.exe
O4 - HKLM\..\Run: [bndlwr_bundle.exe] C:\WINDOWS\TEMP\EACDownload\bndlwr_bundle.exe bndlwr -k
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - HKCU\..\Run: [g0w3RWN9Q] sigebdvd.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SmartUI.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Documents and Settings\Administrator\Desktop\Todd Darkspace\Misc\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/c ... potc_x.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/y ... r1_8us.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/ ... porter.cab?
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdat ... t/opuc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/ ... rAxWin.cab
The following items Adaware triggered on:
Adaware wrote: eAcceleration Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : MSEaid.Gd\GLSID

eAcceleration Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\eAnthology

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageallaboutsearching.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "allaboutsearching.com"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "allaboutsearching.com"

eAcceleration Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : bndlwr_bundle.exe

eAcceleration Object recognized!
Type : File
Data : bndlwr_bundle.exe
Object : c:\windows\temp\eacdownload\
FileSize : 38 KB
FileVersion : 1,0,1,141
ProductVersion : 1,0,1,141
CompanyName : eAcceleration Corp.
FileDescription : eAnthology Download module
InternalName : raven
ProductName : eAnthology
Created on : 6/13/2004 11:00:01 AM
Last accessed : 6/13/2004 1:39:51 PM
Last modified : 6/13/2004 10:59:56 AM

Tracking Cookie Object recognized!
Type : File
Data : administrator@0[1].txt
Object : C:\Documents and Settings\Administrator\Cookies\
Created on : 6/13/2004 12:47:28 PM
Last accessed : 6/13/2004 12:47:29 PM
Last modified : 6/13/2004 12:47:29 PM

Tracking Cookie Object recognized!
Type : File
Data : administrator@0[2].txt
Object : C:\Documents and Settings\Administrator\Cookies\
Created on : 6/13/2004 1:00:31 PM
Last accessed : 6/13/2004 1:09:23 PM
Last modified : 6/13/2004 1:09:23 PM

Tracking Cookie Object recognized!
Type : File
Data : administrator@casalemedia[2].txt
Object : C:\Documents and Settings\Administrator\Cookies\
Created on : 6/13/2004 1:04:59 PM
Last accessed : 6/13/2004 1:04:59 PM
Last modified : 6/13/2004 1:04:59 PM

Tracking Cookie Object recognized!
Type : File
Data : administrator@cgi-bin[1].txt
Object : C:\Documents and Settings\Administrator\Cookies\
Created on : 6/13/2004 1:33:54 PM
Last accessed : 6/13/2004 1:33:54 PM
Last modified : 6/13/2004 1:33:54 PM

Tracking Cookie Object recognized!
Type : File
Data : administrator@rub[1].txt
Object : C:\Documents and Settings\Administrator\Cookies\
Created on : 6/13/2004 10:52:53 AM
Last accessed : 6/13/2004 1:03:19 PM
Last modified : 6/13/2004 10:52:53 AM

Tracking Cookie Object recognized!
Type : File
Data : administrator@tribalfusion[1].txt
Object : C:\Documents and Settings\Administrator\Cookies\
Created on : 6/13/2004 11:11:23 AM
Last accessed : 6/13/2004 1:40:37 PM
Last modified : 6/13/2004 11:11:23 AM

Tracking Cookie Object recognized!
Type : File
Data : administrator@z1.adserver[1].txt
Object : C:\Documents and Settings\Administrator\Cookies\
Created on : 6/13/2004 1:01:53 PM
Last accessed : 6/13/2004 1:05:56 PM
Last modified : 6/13/2004 1:05:56 PM

eAcceleration Object recognized!
Type : File
Data : bndlwr_bundle.exe
Object : C:\WINDOWS\System32\
FileSize : 38 KB
FileVersion : 1,0,1,141
ProductVersion : 1,0,1,141
CompanyName : eAcceleration Corp.
FileDescription : eAnthology Download module
InternalName : raven
ProductName : eAnthology
Created on : 6/13/2004 10:59:56 AM
Last accessed : 6/13/2004 1:40:40 PM
Last modified : 6/13/2004 10:59:56 AM

eAcceleration Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : MSEaid.Gd
Spybot S&D triggered on the following:
SD wrote: eAcceleration - 1 entry (provide data to third parties) - they track your computer, and add other third party advertisers at any time
DSO Exploit - 5 entries (Security Hole) - Microsoft - grabbing fix now
IGetNet - 1 entry (www. igetnet.com) - Hijacker/Malware
Last edited by Coalition on 2004-06-13 09:57am, edited 2 times in total.
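The log above is the kind of thing a responder has to triage by eye. As an added example (not part of this thread and not HijackThis's own code), the script below reads HijackThis-style R/O lines and flags the indicators that stand out in Coalition's log: a Start Page pointing at an unexpected domain, a search page served from a local DLL resource, a removed URLSearchHook, a hosts-file override, Run entries launched from a temp folder or registered under a random-looking name, orphaned toolbar CLSIDs and a broken Winsock LSP chain. The allowlist in EXPECTED_DOMAINS is an assumption for this example (the poster's stated home page plus the HP defaults visible in the log), the random-name rule is a heuristic, and SAMPLE_LOG is a constructed excerpt of lines copied from the log above.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not HijackThis code: parses the R/O entries of a log and
returns the ones a responder would look at first.
"""
import re

# Assumption for this example: domains the owner considers legitimate for the
# home/search page (the poster's home.knology.net plus the HP/OEM defaults).
EXPECTED_DOMAINS = {"home.knology.net", "qus8.hpwis.com", "srch-qus8.hpwis.com"}

# Registry value names in R0/R1 lines whose content points IE somewhere.
URL_VALUES = {"Start Page", "Default_Page_URL", "Default_Search_URL",
              "SearchAssistant", "CustomizeSearch"}

ENTRY_RE = re.compile(r"^(?P<section>R[0-3]|O\d{1,2})\s+-\s+(?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK(?:LM|CU))\\\.\.\\Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{6,}(\.exe)?$")

# Constructed sample: lines copied from the log quoted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [55g6dVe0.exe] C:\documents and settings\administrator\local settings\temp\55g6dVe0.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\HotEkc.exe
O4 - HKLM\..\Run: [x3FT36h] shristub.exe
O4 - HKCU\..\Run: [g0w3RWN9Q] sigebdvd.exe
O4 - HKLM\..\Run: [bndlwr_bundle.exe] C:\WINDOWS\TEMP\EACDownload\bndlwr_bundle.exe bndlwr -k
O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
"""


def domain_of(url):
    """Return the host part of a URL-ish value, e.g. 'http://qus8.hpwis.com/' -> 'qus8.hpwis.com'."""
    url = url.strip().lower()
    if "://" in url:
        url = url.split("://", 1)[1]
    return url.split("/", 1)[0]


def looks_random(name):
    """Heuristic: a single alphanumeric token that mixes letters and digits (e.g. 2P6WFAX43ZHE7C)."""
    stem = name[:-4] if name.lower().endswith(".exe") else name
    return (RANDOM_NAME_RE.match(name) is not None
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def check_entry(section, body):
    """Return (severity, reason) for one entry, or None if nothing stands out."""
    if section in ("R0", "R1"):
        if "=" not in body:
            return None
        key, value = body.split("=", 1)
        value_name = key.rsplit(",", 1)[-1].strip()   # e.g. "Start Page"
        value = value.strip()
        if value_name not in URL_VALUES or not value:
            return None
        if value.startswith("res://"):
            return ("high", "search page served from a local DLL resource: " + value)
        if value == "about:blank":
            return None
        if domain_of(value) not in EXPECTED_DOMAINS:
            return ("high", "%s points to unexpected domain %s" % (value_name, domain_of(value)))
        return None
    if section == "R3" and "missing" in body:
        return ("medium", "default URLSearchHook removed (typical of search hijackers)")
    if section == "O1":
        return ("high", "hosts-file override: " + body)
    if section == "O3" and "(no file)" in body:
        return ("low", "orphaned toolbar CLSID (leftover from a deleted component)")
    if section == "O4":
        m = RUN_RE.match(body)
        if not m:
            return None                      # Startup-folder entries are not checked here
        name, cmd = m.group("name"), m.group("cmd")
        if "\\temp\\" in cmd.lower():
            return ("high", "autorun from a temp folder: " + cmd)
        if looks_random(name):
            return ("medium", "random-looking Run value name '%s' -> %s" % (name, cmd))
        return None
    if section == "O10" and "Broken" in body:
        return ("medium", "Winsock LSP chain broken: " + body)
    return None


def triage(log_text):
    """Parse a log and return a list of (severity, section, reason, raw_line) findings."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        hit = check_entry(m.group("section"), m.group("body"))
        if hit:
            findings.append((hit[0], m.group("section"), hit[1], raw.strip()))
    return findings


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for sev, sec, reason, line in sorted(triage(SAMPLE_LOG), key=lambda f: order[f[0]]):
        print("[%-6s] %-3s %s" % (sev, sec, reason))
```

Run over the sample it reports eleven findings and stays quiet on the HP default page, the about:blank SearchAssistant and the hpsysdrv autorun. The script only ranks what to look at; it cannot say from a log line alone whether a binary is malicious, and the truncated O16 DPF lines are deliberately skipped because their URLs are cut off in the post.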
Shroom Man 777
FUCKING DICK-STABBER!
Posts: 21222
Joined: 2003-05-11 08:39am
Location: Bleeding breasts and stabbing dicks since 2003

Post by Shroom Man 777 »

"DO YOU WORSHIP HOMOSEXUALS?" - Curtis Saxton (source)
shroom is a lovely boy and i wont hear a bad word against him - LUSY-CHAN!
Shit! Man, I didn't think of that! It took Shroom to properly interpret the screams of dying people :D - PeZook
Shroom, I read out the stuff you write about us. You are an endless supply of morale down here. :p - an OWS street medic
Pink Sugar Heart Attack!
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

:shock: :shock:

Good Lord, what have you done to your computer? Someone should be along shortly to tell you what stuff to remove, though. If not, I'll get around to it.