Removing "AllCybersearch"

Discussion in 'other security issues & news' started by tinku, Feb 23, 2005.

Thread Status:
Not open for further replies.
  1. tinku

    tinku Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    11
    hi all

    I get this message when trying to start spywareblaster,

    This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it

    It used to run fine until I was infected with "AllCybersearch". I have been to many forums, EVEN ones suggested by Javacool (Castlecops being a joke; the helper didn't know what to say and gave up, saying it's a problem for Windows 98 and ME LOL!!!!!), on the net trying to get help, to no avail.

    I have followed a lot of suggestions for removing "AllCybersearch" it seems to be gone off my system, and then it returns sometimes with Norton Antivirus catching it. So something is buried deep down on the system that all the trojan finders are not finding.

    Every time this sp.dll tries to infect my PC, SpywareBlaster's protection is removed and I have to re-add it.

    But my main problem is getting SpywareBlaster back up and running as it was before it became disabled. Please help me beat this sucker, as I have been to many boards without success.

    I have to agree with the starter of another thread with the same problem: if you can't support this program, change the name. I have seen many other posts with this same problem, so it's not just a minor glitch.

    best regards

    tinku.
     
    Last edited: Feb 23, 2005
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Since Castlecops is one of the more productive sites when it comes to the success of cleaning users' infections....I'll assume for a moment there was a lack of communication and ask if you will please supply a link to the thread where you were assisted at CC's.

    Also....I have moved your post from the Spywareblaster Forum due to the fact troubleshooting an SB problem is fairly futile until you are successful in removing "AllCybersearch".

    Since I moved your post....I'll supply the link you are referring to below.

    This link---> https://www.wilderssecurity.com/showthread.php?t=66968

    Regards,
    Bubba
     
  3. Pinkyhorse

    Pinkyhorse Guest

    Hi Tinku,

    As you said you have tried nearly everything, have you tried "startdreck"?
    It will show you everything that Windows loads during start-up. I had a similar problem with Spywareblaster, and I found the well hidden dll no other program or virusscanner would show, in the string RunServiceOnce.
    This program is to be found here: http://www.niksoft.at/download/startdreck.htm
    I hope this will help you too, Good Luck!!
     
  4. tinku

    tinku Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    11
    Hi Pinkyhorse

    I'm going to give that program a try when I have read the instructions. I found two .dlls with another program, but when I enabled "view all hidden folders and files" in Windows and did a manual search myself for the dlls I couldn't find them, yet running the search program finds them.

    Anyway, I will take a further look. Thank you for the reply.

    Bubba: I will look for that thread. The helper virtually trashed SpywareBlaster, saying use something else.... some help!!! and that Javacool should look after its own problems.


    regards
    tinku.
     
  5. tinku

    tinku Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    11
    Well, I tried that program as suggested and it found nothing out of the ordinary, basically the same as HijackThis.

    So it looks like I'm clean of AllCybersearch, so back to the other problem, SpywareBlaster: how do I fix the problem? Anyone with any ideas?

    tinku
     
  6. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Are you no longer seeing the sp.dll file you mentioned in your first post ?

    For clarification purposes....would you Please scan with HJT and post a new log in this thread.
     
  7. tinku

    tinku Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    11
    Bubba

    Here is my HJT log. Can I add something that will either make sense or not, as I'm not a native speaker.

    I cleaned my system and here is the log. It can stay clean for days, and then when posting in Hotmail or some other clean site like here, Norton will catch sp.dll trying to do its dirty work. This is very, very random, yet it just does not exist on my system. Your opinion is very welcome. Thanks for your time.

    Logfile of HijackThis v1.99.0
    Scan saved at 12:02:45 a.m., on 24/02/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\ARCHIVOS DE PROGRAMA\ANALOG DEVICES\SOUNDMAX\SMTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\ARCHIVOS DE PROGRAMA\CYBERLINK\POWERDVD\PDVDSERV.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\ARCHIVOS DE PROGRAMA\CHAOSSOFT\TRANSTEXT\TRANSTEXT.EXE
    C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
    D:\SPYWARE\HIJACKTHIS.EXE

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Smapp] C:\Archivos de programa\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Archivos de programa\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [RemoteControl] "C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\ARCHIV~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
    O4 - HKLM\..\Run: [NPROTECT] C:\ARCHIV~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [MOSearch] C:\ARCHIV~1\ARCHIV~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [NPROTECT] C:\ARCHIV~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Archivos de programa\Archivos comunes\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: TransText.lnk = C:\Archivos de programa\ChaosSoft\TransText\TransText.exe
    O4 - Startup: Acrobat Assistant.lnk = C:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O12 - Plugin for .spop: C:\ARCHIV~1\INTERN~1\Plugins\NPDocBox.dll
    O15 - Trusted IP range: (HKLM)


    tinku
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    At the risk of repeating the advice from the person trying to help you at CC (which IMO is certainly no joke, but I might be prejudiced ;) )

    Download and run About:Buster http://www.majorgeeks.com/download4289.html
    It usually takes two runs to get cleaned.

    Download: DelDomains.inf
    To use: right-click and select: Install (no need to restart)
    Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

    • Prepare CWShredder:
      • Download CWShredder.
      • Save it to your desktop.
      • Do not run it yet. We will run it later.
    • Run Symantec's BackDoor Removal Tool:
      • Download the Backdoor.Agent.B Removal Tool from Symantec.
      • Follow Symantec's instructions for how to run it.
      • Be sure to save the log file. I will need to see it later.
      • Restart your computer.
    • Run CWShredder. Be sure to click Fix as opposed to Scan Only. It should find some things and remove them.
    • Restart your computer once more.
    • Post a new HijackThis log and the log Symantec's tool gave you.

    Regards,

    Pieter
     
  9. Pinkyhorse

    Pinkyhorse Guest

    Hi Tinku,

    In addition to what I told you above, I ran the program "regmon", which you can find and download easily by searching for it on Google. This program monitors every action taken in your registry. What you have to do is run regmon, and then try to start Spyblaster. Obviously it won't start, as you said before, but you'll be able to see in regmon that you tried to start it. Look for the icons!
    You should be able to find there what's blocking the Spyblaster program, maybe something attached to the rundll32.exe, a dll or ini file.
    Once you see the icons for Spyblaster, the first line will show that the start-up was a "success", and normally the blocker/hijacker is the second line, which shows as a "success" as well.
    And this is where startdreck comes in, as HJT won't show this thread.
    When you start Startdreck, choose "configure" at the bottom.
    Then you choose:
    Registry: Run Keys
    System/drivers: Running processes
    Finally: OK

    This will give you a log, where the odd dll or ini should appear in.
    If you do find it, restart Windows in DOS, go to C:\Windows, look for it there and rename it, for example to aaa.old. Give your system a boot, and you should get a notification of "xxxx-file not found".
    Then find the link (mentioned in Startdreck) in HKLM in the registry, and remove it. You should be rid of it now.

    Regards,
    Pinkyhorse
     
  10. tinku

    tinku Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    11
    Hi Pieter,

    Pieter, I had a problem when reading this thread: Norton caught se.dll and not sp.dll and changed my web start page, and so I have been offline fixing the problem to resemble my last HJ log. Something is buried deep in the system and pops up now and again to cause havoc. I can fix most of it, but I can't find this buried file or dll.

    Here are my logs as requested after following all your instructions.

    Symantec Backdoor.Agent.B Removal Tool 1.0.1.2


    Backdoor.Agent.B has not been found on your computer.


    Logfile of HijackThis v1.99.0
    Scan saved at 07:53:18 p.m., on 24/02/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\ARCHIVOS DE PROGRAMA\ANALOG DEVICES\SOUNDMAX\SMTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\ARCHIVOS DE PROGRAMA\CHAOSSOFT\TRANSTEXT\TRANSTEXT.EXE
    C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    D:\SPYWARE\HIJACKTHIS.EXE

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Smapp] C:\Archivos de programa\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Archivos de programa\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\ARCHIV~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [MOSearch] C:\ARCHIV~1\ARCHIV~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Archivos de programa\Archivos comunes\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: TransText.lnk = C:\Archivos de programa\ChaosSoft\TransText\TransText.exe
    O4 - Startup: Acrobat Assistant.lnk = C:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O12 - Plugin for .spop: C:\ARCHIV~1\INTERN~1\Plugins\NPDocBox.dll

    Thanks for your time, Pieter

    tinku
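
The two HijackThis logs posted in this thread differ in only a few lines, which is hard to see by eye. The following is an added example (not part of any post, and not HijackThis's own code) that parses abridged excerpts of both logs and reports which running processes and O-entries disappeared or appeared between scans; the function names and the abridged excerpts are this example's own.

```python
import re

# Abridged excerpts of the two HijackThis logs posted above (not the full logs).
LOG_1 = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\ARCHIVOS DE PROGRAMA\CYBERLINK\POWERDVD\PDVDSERV.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\ARCHIV~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\ARCHIV~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O15 - Trusted IP range: (HKLM)
"""
LOG_2 = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
"""

# HijackThis entry lines look like "O4 - <detail>", "R1 - <detail>", etc.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse_hjt(text):
    """Return (running_processes, entries) as sets from a HijackThis log."""
    procs, entries, in_procs = set(), set(), False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            procs.add(line.upper())   # Win9x paths are case-insensitive
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.add((m.group(1), m.group(2)))
    return procs, entries

def diff_logs(old, new):
    """Report what changed between an earlier and a later scan."""
    p_old, e_old = parse_hjt(old)
    p_new, e_new = parse_hjt(new)
    return {"processes_gone": sorted(p_old - p_new), "processes_new": sorted(p_new - p_old),
            "entries_gone": sorted(e_old - e_new), "entries_new": sorted(e_new - e_old)}

if __name__ == "__main__":
    for kind, items in diff_logs(LOG_1, LOG_2).items():
        print(kind, *items, sep="\n  ")
```

An empty diff only shows that the autostart locations HijackThis reports did not change; it says nothing about locations the tool does not list.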
     
  11. tinku

    tinku Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    11
    Hi Pinkyhorse

    I will take a look at what you have suggested, but will wait for Pieter for more instructions before changing anything.

    Thank you very much for your time too


    tinku
     
  12. tinku

    tinku Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    11
    Hi Pinkyhorse,

    I followed your instructions to the letter and found CDPLAYIR.INI causing the problem. SpywareBlaster is now working and I just updated the defs.

    When I went to the location to delete the key after getting a message on boot-up, I found the key to be empty, but deleted it anyway :eek:

    Thank you very much for your help. It all seems so simple when it hits you in the face, so to speak. THANKS :)

    You people on the forum really do make a difference.

    Pieter, I still would like help with se.dll if it rears its ugly head in the next few hours or days, please.


    My best regards

    tinku
     
  13. Pinkyhorse

    Pinkyhorse Guest

    Hi Tinku,

    I'm really glad it all worked out for you, happy to be of assistance!

    The se.dll file means infection with the About Blank Hijack, and it mostly nests itself in your Windows\Temp directory, which HJT will normally also find and fix.
    But again, there's more to this se.dll file, like Regmon pointed out to you.
    And also, if you would ever get infected again (hope not!), this ini or dll file might appear using a completely different name!
    Anyway, just save the instructions I gave you, and you should be OK for now, until CWS sends us a new pest!

    Good Luck,

    Pinkyhorse
     
  14. tinku

    tinku Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    11
    bubba,

    I think you can close this thread, as AllCybersearch seems to have gone with solving the SpywareBlaster problem.

    Thanks for your help and time.

    tinku :D
     
  15. completelyflawed

    completelyflawed Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    1
    Hi. I'm having the same problem as everyone else with the se.dll trojan. Can someone tell me what is safe for me to delete? Thank you.
     
    Last edited by a moderator: Aug 13, 2005
  16. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
    completelyflawed,

    Welcome to the forums.

    Wilders no longer processes Hijack logs. The only exception is a security expert may request a log at times. See this announcement for alternative forums that will help you with your log.
     