allaboutsearching.com hijack

Posted: 2004-06-13 07:21am
by Coalition
Been having fun with allaboutsearching.com.

I've tried the following to change it:

1) ran Ad-aware Build 6.181
2) Ran Spybot S&D v1.3
3) Ran CWSShredder v1.59

Yet it still is present. What files do I need to put up on this site, so other members can properly diagnose the trouble?

Essentially, I will change the home page to home.knology.net, but every time I reopen Internet Explorer (I know, key problem there), it gets directed to allaboutsearching.com.

Other symptoms:

1) On the http://majorgeeks.com/download2859.html website, I get these "Sponsored Links" hovering over the various key words present.

2) The CCPROXY.exe file keeps getting accessed whenever I try to load a web page. This is version 2.1.2.800; it attempts connections to various ports (increasing the port number by 1 every time). If I allow it, I get to access the web page I click on. If I don't allow it, I cannot access the web page.

Sorry for the spam, if I didn't report this correctly.
Hijackthis wrote: Logfile of HijackThis v1.97.7
Scan saved at 7:25:10 AM, on 6/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\documents and settings\administrator\local settings\temp\55g6dVe0.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\shristub.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\PROGRA~1\SLOWDATE\ANTE BLEH.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MProcessor\mprocessor.exe
C:\WINDOWS\System32\sigebdvd.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Documents and Settings\Administrator\Desktop\Todd Darkspace\Misc\WinZip\WZQKPICK.EXE
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\IuiTdA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\System32\IuiTdA.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\Todd Darkspace\Misc\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [55g6dVe0.exe] C:\documents and settings\administrator\local settings\temp\55g6dVe0.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\HotEkc.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [x3FT36h] shristub.exe
O4 - HKLM\..\Run: [Phone Program] C:\PROGRA~1\SLOWDATE\ANTE BLEH.exe
O4 - HKLM\..\Run: [bndlwr_bundle.exe] C:\WINDOWS\TEMP\EACDownload\bndlwr_bundle.exe bndlwr -k
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - HKCU\..\Run: [g0w3RWN9Q] sigebdvd.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SmartUI.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Documents and Settings\Administrator\Desktop\Todd Darkspace\Misc\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/c ... potc_x.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/y ... r1_8us.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/ ... porter.cab?
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdat ... t/opuc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/ ... rAxWin.cab
The following items Ad-aware triggered on:
Ad-aware wrote: eAcceleration Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : MSEaid.Gd\GLSID

eAcceleration Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\eAnthology

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageallaboutsearching.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "allaboutsearching.com"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "allaboutsearching.com"

eAcceleration Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : bndlwr_bundle.exe

eAcceleration Object recognized!
Type : File
Data : bndlwr_bundle.exe
Object : c:\windows\temp\eacdownload\
FileSize : 38 KB
FileVersion : 1,0,1,141
ProductVersion : 1,0,1,141
CompanyName : eAcceleration Corp.
FileDescription : eAnthology Download module
InternalName : raven
ProductName : eAnthology
Created on : 6/13/2004 11:00:01 AM
Last accessed : 6/13/2004 1:39:51 PM
Last modified : 6/13/2004 10:59:56 AM

Tracking Cookie Object recognized!
Type : File
Data : administrator@0[1].txt
Object : C:\Documents and Settings\Administrator\Cookies\
Created on : 6/13/2004 12:47:28 PM
Last accessed : 6/13/2004 12:47:29 PM
Last modified : 6/13/2004 12:47:29 PM

Tracking Cookie Object recognized!
Type : File
Data : administrator@0[2].txt
Object : C:\Documents and Settings\Administrator\Cookies\
Created on : 6/13/2004 1:00:31 PM
Last accessed : 6/13/2004 1:09:23 PM
Last modified : 6/13/2004 1:09:23 PM

Tracking Cookie Object recognized!
Type : File
Data : administrator@casalemedia[2].txt
Object : C:\Documents and Settings\Administrator\Cookies\
Created on : 6/13/2004 1:04:59 PM
Last accessed : 6/13/2004 1:04:59 PM
Last modified : 6/13/2004 1:04:59 PM

Tracking Cookie Object recognized!
Type : File
Data : administrator@cgi-bin[1].txt
Object : C:\Documents and Settings\Administrator\Cookies\
Created on : 6/13/2004 1:33:54 PM
Last accessed : 6/13/2004 1:33:54 PM
Last modified : 6/13/2004 1:33:54 PM

Tracking Cookie Object recognized!
Type : File
Data : administrator@rub[1].txt
Object : C:\Documents and Settings\Administrator\Cookies\
Created on : 6/13/2004 10:52:53 AM
Last accessed : 6/13/2004 1:03:19 PM
Last modified : 6/13/2004 10:52:53 AM

Tracking Cookie Object recognized!
Type : File
Data : administrator@tribalfusion[1].txt
Object : C:\Documents and Settings\Administrator\Cookies\
Created on : 6/13/2004 11:11:23 AM
Last accessed : 6/13/2004 1:40:37 PM
Last modified : 6/13/2004 11:11:23 AM

Tracking Cookie Object recognized!
Type : File
Data : administrator@z1.adserver[1].txt
Object : C:\Documents and Settings\Administrator\Cookies\
Created on : 6/13/2004 1:01:53 PM
Last accessed : 6/13/2004 1:05:56 PM
Last modified : 6/13/2004 1:05:56 PM

eAcceleration Object recognized!
Type : File
Data : bndlwr_bundle.exe
Object : C:\WINDOWS\System32\
FileSize : 38 KB
FileVersion : 1,0,1,141
ProductVersion : 1,0,1,141
CompanyName : eAcceleration Corp.
FileDescription : eAnthology Download module
InternalName : raven
ProductName : eAnthology
Created on : 6/13/2004 10:59:56 AM
Last accessed : 6/13/2004 1:40:40 PM
Last modified : 6/13/2004 10:59:56 AM

eAcceleration Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : MSEaid.Gd
Spybot S&D triggered on the following:
SD wrote: eAcceleration - 1 entry (provide data to third parties) - they track your computer, and add other third party advertisers at any time
DSO Exploit - 5 entries (Security Hole) - Microsoft - grabbing fix now
IGetNet - 1 entry (www.igetnet.com) - Hijacker/Malware
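
As an added example (not part of the thread, and not a HijackThis feature): a small Python triage of HijackThis log lines, keyed on the entry types that stand out in the log above, the R0 start page, the O1 hosts override, O4 autoruns launched from a temp directory or carrying random-looking names, and the O10 broken LSP. The expected start page and the random-name heuristic are assumptions chosen for this post; the sample lines are copied from the quoted log, with one known-good Symantec autorun kept as a control.

```python
import re

# Constructed sample: lines taken from the HijackThis v1.97 log quoted above.
# The ccApp entry is a legitimate Symantec autorun and must not be flagged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [55g6dVe0.exe] C:\documents and settings\administrator\local settings\temp\55g6dVe0.exe
O4 - HKLM\..\Run: [bndlwr_bundle.exe] C:\WINDOWS\TEMP\EACDownload\bndlwr_bundle.exe bndlwr -k
O4 - HKCU\..\Run: [g0w3RWN9Q] sigebdvd.exe
O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Heuristic (an assumption, not a HijackThis rule): autorun names that mix
# letters and digits with no readable word, like 55g6dVe0 or g0w3RWN9Q.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{7,}$")


def triage(log_text, expected_start_pages=("home.knology.net",)):
    """Return (code, reason, line) tuples for entries a defender should review."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # process list, headers, blank lines
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1") and ("Start Page" in body or "Default_Page_URL" in body):
            value = body.split("=", 1)[1].strip().lower()
            if not any(page in value for page in expected_start_pages):
                findings.append((code, "start page points at unexpected site: " + value, line))
        elif code == "O1":
            findings.append((code, "hosts file override: " + body, line))
        elif code == "O4":
            run = RUN_RE.match(body)
            if run is None:
                continue  # Startup-folder entries are out of scope here
            name, cmd = run.group("name"), run.group("cmd")
            if "\\temp\\" in cmd.lower():
                findings.append((code, "autorun launched from a temp directory", line))
            elif RANDOM_NAME_RE.match(name.rsplit(".", 1)[0]):
                findings.append((code, "autorun with random-looking name", line))
        elif code == "O10":
            findings.append((code, "LSP chain broken (winsock stack needs repair)", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {line}")
```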

Posted: 2004-06-13 08:20am
by Shroom Man 777

Posted: 2004-06-13 04:36pm
by phongn
:shock: :shock:

Good Lord, what have you done to your computer? Someone should be along shortly to tell you what stuff to remove, though. If not, I'll get around to it.