abosearch.com browser hijacker (I think)

 
 
Macsicarr
13th Mar 2005
Hi All

My friend's WinXP SP1 machine has Microsoft Anti-Spyware Beta (latest
updates), AVG 7.0 free (latest updates) and the built-in firewall on, but
has been infested with some kind of virus/trojan that does the following:

1) Always tries to bounce their browser to www.absoearch.com

2) Shows bogus pages in their browser asking them to send login details such
as Tiscali, etc

3) Fills their hosts file with hundreds of crap web sites

I've MS Anti-Spywared it, AdAware-d it, SpyBot-ed it, AVG 7-d it,
CoolWebShredded it, looked in the Add/Remove Progs and the MSConfig startup
list, but I can't get rid of the above problem.

When I did a HijackThis it found and deleted the offending abosearch
entries, but then when you restart back they come.

If possible, could you please let me know of a solution.

Many thanks.

Regards Mac



 
Wesley Vogel
13th Mar 2005
Did you mean: absearch?? abcsearch??

It would help to know what search hijacker you're trying to get rid of.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

mstout2001
13th Mar 2005
Have you gone into the registry and taken it out of there? Go to Start, All
Programs, Run, type in regedit, then press Ctrl+F and in the search box type in
abosearch and see if you get anything. If so, hit Delete. To continue the
search for more, just hit the F3 key. I would delete all entries that the
search finds pertaining to abosearch. Leave out the dot com part.

matt

Amanda Wang [MSFT]
14th Mar 2005
Hi Mac,

It seems that some third-party applications are affecting the
system.

First, you can try Matt's suggestion of getting rid of the related
items from the registry.

Second, give the detailed search hijacker's information as MS-MVP-Wes has
mentioned so that we can perform further research on this spyware.

Third, I would give you some suggestions as follows:

Let's delete all the cookies, temporary files, downloaded objects and
plug-ins to see if it helps.

Deleting Cookies
============

1. Click Start, click Search and click For Files or Folders

2. Type "Cookies" (without the quotation marks) and click Search Now

3. Delete files in the cookie directory

Deleting Temporary Files
==================

1. Open Internet Explorer

2. Click Tools, click Internet Options and click the Delete Files button in the
General tab

Deleting Downloaded Objects
=====================

1. Open Internet Explorer

2. Click Tools, click Internet Options and click the Settings button in the
General tab.

3. Press View Objects.

4. Remove all the Objects there.

Removing Plug-Ins in Internet Explorer
==============================

1. Close all Internet Explorer windows.

2. Open a Windows Explorer window by right-clicking My Computer and choosing
Explore.

3. Locate the following folder:
C:\Program Files\Internet Explorer\PLUGINS

4. Remove all the files in this folder.

If the problem still exists, please follow these steps to troubleshoot
the issue:

Step 1: Refer to the following article to perform a Clean Boot
======================
310353 - How to Perform a Clean Boot in Windows XP
http://support.microsoft.com/default...b;en-us;310353

The main steps are as follows:

Please follow this suggestion to narrow down this problem:

1. Click Start, click Run, and then in the Open box, type "MSCONFIG"
(without the quotation marks). Click OK.

2. In the System Configuration Utility (MSConfig) window, click to select
the Selective Startup button.

3. Click to clear the check mark from the "Load startup items" below
Selective Startup.

4. Click the Services tab, click to check the "Hide All Microsoft Services"
box, and remove all the check marks from the remaining non-Microsoft
services. Note: please make sure that you do not uncheck the Microsoft
services.

5. Click OK to close the MSConfig window. Click Yes when you are asked to
restart your computer in order to enable the changes.

6. After restarting, please check whether this issue will reoccur.

If this issue does NOT reoccur following the Selective Startup, please
continue these steps to find the exact cause:

1. Click Start, click Run, in the Open box type "MSCONFIG" (without the
quotation marks), and click OK.

2. In the System Configuration Utility (MSConfig) window, click the Startup
tab or the Services tab.

3. Add one check mark at a time to the entries under the Startup tab or the
Services tab, and then restart each time to see if the additional entry
reproduces the original problem.

Step 2: Remove all suspicious items from the registry
===============================
WARNING: Using Registry Editor incorrectly can cause serious problems that
may require you to reinstall Windows. Microsoft cannot guarantee that
problems resulting from the incorrect use of Registry Editor can be solved.
Use Registry Editor at your own risk.

1. Find and delete the following registry key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
2. Find and delete all the subkeys in the following registry key
(don't delete the following registry key).
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension

Step 3: Clean Adware/Spyware (You have tried these steps before by yourself;
please try them again after you have cleared all the files
and registry keys above to make sure the system is clean.)
================================
Please download and launch at least two of the tools below to remove
Adware/Spyware again to make sure that there won't be any Spyware/Adware on
the system. (Please launch these tools under Safe Mode)

Ad-Aware:
http://www.lavasoft.de/software/adaware/

Spybot:
http://www.spykiller.com/index4.asp?ref=2400

HijackThis direct Download:
http://download.softpedia.com:8080/A...hijackthis.zip

CWShredder direct Download:
http://209.133.47.200/~merijn/files/CWShredder.exe

Note: The third-party product discussed is manufactured by a vendor
independent of Microsoft; we make no warranty, implied or otherwise,
regarding this product's performance or reliability.

Please take your time in trying the steps above and let me know the result
at your earliest convenience. If you have any other questions or concerns
regarding the issue, please don't hesitate to post back.

Thanks & Regards

Amanda Wang [MSFT]

Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================================
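
A read-only inventory of the places this thread points at (the Browser Helper Objects key from Step 2, the Run keys that feed the MSConfig startup list, and the hosts file), as an added example that is not part of any post above. It assumes PowerShell 3 or later, which the Windows XP SP1 machine discussed would not have had; the function names and the snapshot file location are made up for this sketch, and nothing is deleted.

```powershell
# Added example: read-only triage, nothing is deleted. Function names are
# made up for this sketch; run from an elevated prompt to read HKLM fully.

function Get-BhoInventory {
    # Every subkey of "Browser Helper Objects" is a CLSID. The DLL Internet
    # Explorer loads for it is the default value of
    # HKCR\CLSID\<clsid>\InprocServer32.
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path -LiteralPath $root)) { return }
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $clsid  = $key.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path -LiteralPath $server) {
            $dll = (Get-Item -LiteralPath $server).GetValue('')
        }
        [pscustomobject]@{ Source = 'BHO'; Name = $clsid; Value = $dll }
    }
}

function Get-RunKeyEntries {
    # Run/RunOnce values are among the items MSConfig shows on its Startup tab.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($path in $paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Source = $path; Name = $name; Value = $key.GetValue($name) }
        }
    }
}

function Get-HostsEntries {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    foreach ($line in Get-Content -LiteralPath $Path) {
        $text = ($line -replace '#.*$', '').Trim()      # drop comments
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        foreach ($name in ($fields | Select-Object -Skip 1)) {
            if ($name -eq 'localhost') { continue }     # the stock entry
            [pscustomobject]@{ Source = 'hosts'; Name = $name; Value = $fields[0] }
        }
    }
}

function Get-TriageSnapshot {
    @(Get-BhoInventory) + @(Get-RunKeyEntries) + @(Get-HostsEntries)
}

# Take one snapshot after cleaning and another after the restart; whatever
# shows up only in the second one was written back by something that survived.
$snapshotFile = Join-Path $env:TEMP 'triage-before.xml'   # assumed location
$now = Get-TriageSnapshot
if (Test-Path -LiteralPath $snapshotFile) {
    $seen = @{}
    foreach ($e in (Import-Clixml -LiteralPath $snapshotFile)) {
        $seen["$($e.Source)|$($e.Name)|$($e.Value)"] = $true
    }
    $now | Where-Object { -not $seen.ContainsKey("$($_.Source)|$($_.Name)|$($_.Value)") } |
        Format-Table Source, Name, Value -AutoSize -Wrap
} else {
    $now | Export-Clixml -LiteralPath $snapshotFile
    $now | Group-Object Source | Select-Object Count, Name
}
```

Run it once right after cleaning and once after the reboot; delete the snapshot file to start a fresh comparison.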

 
PA Bear
14th Mar 2005
It's customary to include previous message in replies here, Amanda. Thanks.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (Shell, IE/OE) & Security

In Memoriam, MVP Alex Nichol (1935-2005)
http://www.microsoft.com/windo*wsxp/...s/ni*chol.mspx

Amanda Wang [MSFT]
14th Mar 2005

Ok, thanks for your suggestion. :)