another allaboutsearching victim [CLOSED]


  • This topic is locked

#1
susanne

    New Member

  • Member
  • Pip
  • 6 posts
Hi,

I can't get rid of allaboutsearching. I ran Ad-aware (free version from Lavasoft) but it did not detect anything.
Can anybody please help me!!!!!
I am not very good with computers - so I probably need step-by-step instructions.

Any help is appreciated!!

Susanne
  • 0

#2
admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log back here with the results.

Click the HijackThis Guide in my signature, download it and follow the instructions in the guide.

Most of what it lists will be harmless or even essential. DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.
  • 0

#3
susanne

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,

Thank you for answering so fast. I hope I am not spoiling your Easter.

After my panic went away a little bit, I went through the posted messages again and did the following:
I downloaded Spybot Search and Destroy - and ran it. It cleared 17 items. I restarted my computer and ran it again and it does not show anything anymore.
This morning, there was a new update available from Ad-aware. It detected a lot!!! The allaboutsearching that always came up with my home page seems to be gone - BUT (as always), there are still a lot of pop-ups coming up out of nowhere (like winsweepstakes, sweepstake survey etc). Ad-aware also gave this message: Unable to remove windows/system32/aetiveds.cpy.dll. I restarted, ran the program again but it is still unable to remove.

Here are the results from HijackThis after a restart:

Logfile of HijackThis v1.97.7
Scan saved at 1:36:16 PM, on 4/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
C:\Documents and Settings\Susanne Mohr\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O1 - Hosts: ds.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: NameMapi - {9FE5FCB5-70FE-FFDC-5448-02C49DE7FA99} - C:\PROGRA~1\WAVEFA~1\gram remote.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7879.5577314815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

I hope I did not make any mistakes and you can find the problem.

Thank you again and HAPPY EASTER

Susanne
  • 0

#4
admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Ad-aware has just been updated to remove this one (VX2.BetterInternet). Be sure you have the latest reference file: 01R285 11.04.2004

Using Ad-aware: Open Ad-Aware and use the Check for updates now link. Download and accept the latest reference file. When finished click the Start button. When done scanning, the Abort button will change to Next. Click the Next button. Right-click in the Scanning Results window and click "Select all objects". Then click the "Next" button and confirm that you want to delete the selected entries.

When finished, Reboot your computer.

CLICK HERE to download Ad-aware
  • 0

#5
susanne

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,

I ran Ad-aware with the newest update at least 10 times yesterday!! It still gives the message: unable to remove c:/windows/system32/aetiveds.cpy.dll

I looked in the folder, 2 files with aetiveds are still in there - it did not touch them.

Every time I open the internet, I still get pop-ups and a RUNDLL box, which gives the following message when you click on it:
an exception has occurred with trying to run c:/windows/system32/aetiveds.cpy.dll, U monitor

These are the 2 items always coming up running Ad-aware after getting out of Explorer:
1 Reg Key VX2. BetterInternet .....windowsNT/current version/winlog...(can't read any further)
2 file VX2.BetterInternet c:/windows/system32/aetiveds.cpy.dll


Besides the RUNDLL and others stated above, the newest pop-up was 216.235.125.4/mdn-questionpage.cfm?.......
and a lot of satellite dish advertising

Please help!!!

1 question out of curiosity: what does the black point on the light blue envelope mean that appears on the left of the list of posted messages next to my name?

susanne
  • 0

#6
admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Please verify you have the latest Ad-aware reference file 01R285 11.04.2004. It should fix this problem, and can be very difficult to remove manually.

"1 question out of curiosity: what does the black point on the light blue envelope mean that appears on the left of the list of posted messages next to my name?"

That simply means you've made a post in that topic. <_<
  • 0

#7
susanne

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,

okay, I downloaded another version this evening from Ad-aware - 01R288 -12/04/2004.

And I am sorry to tell you but it still gives the same message:
unable to remove c:/windows/system32/aetiveds.cpy.dll
(I restarted the computer twice - same message)

I also still get the RUNDLL box, which gives the message:
an exception occurs when trying to run c:/windows/system32/aetiveds.cpy.dll

I looked in the windows/ system 32 folder and 2 files (aetiveds.cpy.dll and aetiveds.dll) are still there and laughing at me.

Any other suggestions how to get rid of these files???!! It's driving me crazy.

Susanne

Thanks for the answer - at least, you don't label troublemakers with black points. That makes me feel better.
  • 0

#8
admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Hi Susanne,

I think I finally found a fix. Currently, none of the standard apps will get rid of it, including: Ad-aware, Spybot, Spy Sweeper, CWShredder, Killbox, HijackThis, etc... The latest Ad-aware removes some infections.

You have to manually remove this one. Although the average user should be able to do this, if you're unsure of your ability to perform this fix, please stop. I'm sure Ad-aware will issue a fix in one of their next reference files (I know they're actively working on it).

First run ad-aware to see the name of the .dll, as it varies (changes its name) for everyone. You will see a line like this in your ad-aware logs:

Deep scanning and examining files
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
VX2.BetterInternet Object recognized!
Type : File
Data : aetiveds.cpy.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\system32\

I used the last name you provided in this example (aetiveds.cpy.dll). The name (Data) may be different, just write it down. Disconnect from the internet (unplug is best so you won't connect on re-boot). Then empty all your temp files from within your browser (Tools, Internet Options, Delete Temporary Internet Files). Next, you'll need your Windows XP CD. Put the Windows CD in the tray and reboot the computer...

-You should get a "press any key to boot from CD" message, so do that.

-It will load a bunch of files and eventually give you a menu where you can select the "Recovery Console" by pressing R... press R.

-You'll see your Windows Installation like "C:\Windows", type the number 1 and press enter.

-Administrator password is next: it's probably blank, so just press enter. Unless you've created one, in which case enter it.

-With all that done you'll end up with a C:\Windows> prompt

Now to delete these files:

At the command prompt type del c:\windows\system32\aetiveds.dll

and

del c:\windows\system32\aetiveds.cpy.dll

(Remember, these dll names may be different for you. Also, ad-aware may have only seen the .cpy one, the other is there as well and needs to be removed)

Then when that is complete, remove the CD from the tray and type Exit and it will reboot.

Rescan with Ad-aware and let it remove the registry entry. When done, reconnect to the Internet, and let us know how it works. Hope this helps! <_<
  • 0
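
An added example, not part of the original post and not Ad-aware's own code: a Python sketch of the first step of the fix above, reading the DLL name out of an Ad-aware log and listing both files to delete from the Recovery Console. The registry record in the sample is constructed, and the field layout is assumed to match the record quoted in the post.

```python
import ntpath  # Windows path rules, so this also runs on a non-Windows host
import re

# Constructed sample: the first record is the one quoted in the post; the
# registry hit is made up and must yield no delete target.
SAMPLE_LOG = r"""
VX2.BetterInternet Object recognized!
Type : File
Data : aetiveds.cpy.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\system32\

VX2.BetterInternet Object recognized!
Type : RegKey
Object : constructed-placeholder-key
"""

HEADER = re.compile(r"^(.+?) Object recognized!$")
FIELD = re.compile(r"^(\w+)\s*:\s?(.*)$")
SAFE_NAME = re.compile(r"[\w\-]+(\.[\w\-]+)+")  # no wildcards, no path separators

def parse_records(text):
    """Split the log into dicts, one per 'Object recognized!' record."""
    records, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        header, field = HEADER.match(line), FIELD.match(line)
        if header:
            current = {"Family": header.group(1)}
            records.append(current)
        elif field and current is not None:
            current[field.group(1)] = field.group(2).strip()
        elif not line:
            current = None  # a blank line ends the record
    return records

def removal_targets(records, family="VX2.BetterInternet"):
    """Full paths to delete by hand for one family's File detections."""
    targets = []
    for rec in records:
        name, folder = rec.get("Data", ""), rec.get("Object", "")
        wanted = rec["Family"] == family and rec.get("Type") == "File"
        if not (wanted and folder and SAFE_NAME.fullmatch(name)):
            continue  # registry hits are left for Ad-aware to remove after the reboot
        stem, ext = ntpath.splitext(name)  # ("aetiveds.cpy", ".dll")
        # Per the post, the same-named file without ".cpy" is present as well.
        pair = [name] + ([stem[:-4] + ext] if stem.lower().endswith(".cpy") else [])
        targets += [p for p in (ntpath.join(folder, n) for n in pair) if p not in targets]
    return targets
```

Each returned path is the argument to one `del` command at the Recovery Console prompt; names containing wildcards or path separators are rejected so a malformed log line never turns into a broad delete.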

#9
susanne

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,

There was a new version today from Ad-aware. Didn't quite work. It was able to remove the aetiveds.cpy.dll file but the other one, aetiveds.dll, was still there. I restarted the computer and it re-installed the aetiveds.cpy.dll file right back - so both files are back again.
Tomorrow, somebody is going to help me fix the computer using your instructions. I'll let you know if it worked.

Thanks

Susanne

Okay, while I was writing this a number of pop ups showed up out of nowhere. Guess it's going to take a while to get my computer clean.
  • 0

#10
admin

    Founder Geek

  • Community Leader
  • 24,639 posts
I agree this could be easier. Experts are working on an easier fix, and I hope a "single click" automatic fix will be available soon. The only good news is that besides the popups being served, this infection isn't causing any harm to your system. <_<

These spyware authors are getting craftier. The infections are getting harder to spot, and the fixes are getting harder. Claria/Gator just lost a first-of-its-kind lawsuit in Germany. Hopefully, we're beginning to see legislation and litigation start to stem the explosion of spyware. :D
  • 0

#11
susanne

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,

YOU ARE A GENIUS!!!!!!! IT WORKED!!!!!!

My computer is unbelievably fast now - what a difference.

The funny thing is, I became some kind of a hero at work. Everybody wanted to know how I got all the ideas to clean up the computer. It felt really cool but I did not take any credit for it - I directed everybody to your webpage.

Thank you so much - do you have suggestions on how to prevent that from ever happening again?

A really happy and smiling Susanne
  • 0

#12
Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
We are very glad we could be a help <_<!

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use).

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program, like a missing file, see the link at the bottom of the javacool page.
Link to SpywareBlaster: http://www.javacools...areblaster.html

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

If you keep them up-to-date, these two security tools will virtually eliminate the chance of ever getting spyware again :D!
  • 0

#13
Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





