A Windows 98 & ME forum. Win98banter

easy search - HELP!!!



 
 
#1
June 22nd 04, 06:13 PM, external usenet poster

How do I get rid of this trojan (easy search.biz)? It
keeps coming back!
Thanks.
#2
June 22nd 04, 06:58 PM, Mike M

Not a trojan but what is called a browser hijack.

This would be a good time to download yourself a copy of the free Ad-Aware 6.0
from Lavasoft (http://www.lavasoftusa.com/software/adaware/) and also SpyBot
Search & Destroy (http://www.safer-networking.org/) and use them to check your
system for other commercial parasites, remembering that they are only as good
as when you last updated their reference files. I also use a program called
BHODemon (http://www.definitivesolutions.com/bhodemon.htm), which checks for
unwanted Browser Helper Objects, and SpywareBlaster
(http://www.wilderssecurity.net/spywareblaster.html), which can help prevent
some parasites getting a grip on your PC.

Then there is CWShredder
(http://www.zerosrealm.com/downloads/CWShredder.zip or
http://www.spywareinfo.com/~merijn/files/cwshredder.zip), which is the best way
of getting rid of the many forms of the CoolWebSearch hijacker, details of
which can be found at http://www.spywareinfo.com/~merijn/cwschronicles.html
and also http://www.pestpatrol.com/pestinfo/c/cws.asp.

Finally, if you still continue to experience problems, download a copy of
HijackThis from http://www.spywareinfo.com/~merijn/downloads.html. Create a
folder called hijackthis on C: and copy the file you downloaded to that
folder. Close as many applications as you can, including all instances of
Internet Explorer, and then run hijackthis.exe and post back the log, provided
that it isn't too long, to this thread, otherwise to the HijackThis Forum at
http://www.spywareinfo.com/forums/, and hopefully this will enable someone to
identify the cause of your problem.
--
Mike Maltby MS-MVP






#3
June 22nd 04, 07:56 PM, external usenet poster

Hi! I have all of these programs installed and they
are still not removing the hijacker. It keeps changing my
proxy settings. Any advice on how to get rid of it?
Thanks!


#4
June 22nd 04, 08:15 PM, Mike M

Please read my entire post through to the very end and you will find that the
last paragraph tells you exactly what you need to be doing next.
--
Mike Maltby MS-MVP





#5
June 22nd 04, 08:58 PM, external usenet poster

thanks so much for the help - here is the log:
Scan saved at 12:59:21 PM, on 6/22/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\TOUCHMGR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\MEDIACTR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\WINDOWS\WININET32.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\MMUSBKB2.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\DKSF1HO1\HIJACKTHIS[1].EXE
C:\WINDOWS\DIALUP.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (disabled by BHODemon)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Touch Manager] C:\Program Files\Netropa\Touch Manager\TouchMgr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...cabs/flash/swflash.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.104/213841bc6fd5e83...tzip/RdxIE.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...cabs/director/sw.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/downlo...2000/Install/10/WIN98Me/EN-US/msorun.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co.../ansi/iuctl.CAB?37874.8720138889
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...rStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab


#6
June 22nd 04, 09:43 PM, Mike M

Are you sure that you have run AdAware and SpyBot and that they found none of
what follows? I am surprised. This isn't really the best place to post such
a log, the HijackThis forum being better, but at a quick glance I don't like
the look of:

You certainly need to boot into Safe Mode and open MSConfig (Start, Run, enter
MSConfig and click OK), open the startup tab and uncheck these four entries:
[w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
[windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
[runwin32] C:\WINDOWS\runwin32.exe
[wininet32] C:\WINDOWS\wininet32.exe

All of which are malicious. See below for runwin32.exe and wininet32.exe.
For w32sup.exe see http://www.pestpatrol.com/PestInfo/w/w32sup.asp.
Windll32.exe is equally malicious, but I am not sure what this is; it
could be part of Traitor21 (see
http://www.pestpatrol.com/PestInfo/T/Traitor21.asp).

Running Processes:
C:\WINDOWS\RUNWIN32.EXE
This is a password stealer.
See http://www.kephyr.com/spywarescanner...32/index.phtml
C:\WINDOWS\WININET32.EXE
These are then launching all those rogue DIALUP.EXE processes.

What follows are the easy-search hijacks you don't want.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe

I'm not familiar with the following controls, some of which may be malicious.

O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.104/213841bc6fd5e83...tzip/RdxIE.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

I hope you can now clean up some of your system and hopefully get rid of those
easy-search hijacks.
--
Mike Maltby MS-MVP
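
A small triage script for a HijackThis log, added here as an example; it is not code from the thread and not part of HijackThis itself. It first re-joins the entry lines that the news client hard-wrapped in the log above (the "R1 -" / "HKCU\..." / "Settings,ProxyServer = ..." fragments), then flags the classes of entry Mike picks out: IE Start/Search values pointing at easy-search.biz, a ProxyServer value that routes the browser through the loopback address, and the four Run entries he names as malicious. The check on O16 controls is a heuristic of mine rather than a rule from the thread: it flags ActiveX controls downloaded from a bare IP address, which is what two of the entries Mike was unsure about have in common. The sample log is constructed from a few of the posted entries, wrapped the way they appear in the post.

```python
"""Triage a HijackThis log for browser-hijack indicators.

Added example, not code from the thread or from HijackThis. The domain and
Run-entry names come from the log and diagnosis posted in the thread; the
bare-IP check on O16 entries is an added heuristic.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

HIJACK_DOMAINS = {"easy-search.biz"}                                   # from the log
SUSPECT_RUN_NAMES = {"w32sup", "windll32.exe", "runwin32", "wininet32"}  # named in the thread

# A HijackThis entry starts with a section code such as "R1 - " or "O4 - ".
ENTRY_PREFIX = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) -(\s|$)")
R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
O16_LINE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$")

# Constructed sample: a few entries in the shape of the posted log, hard-wrapped
# at 60 columns the way the news client wrapped them in the thread.
SAMPLE_LOG = r"""
Scan saved at 12:59:21 PM, on 6/22/2004
Platform: Windows ME (Win9x 4.90.3000)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://easy-search.biz
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page_bak = http://www.hotmail.com/
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
O4 - HKCU\..\Run: [windll32.exe]
C:\WINDOWS\SYSTEM\windll32.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE
Class) -
http://207.188.7.104/213841bc6fd5e83...tzip/RdxIE.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
(QuickTime Object) -
http://www.apple.com/qtactivex/qtplugin.cab
"""


@dataclass
class Finding:
    kind: str    # hijack | proxy | startup | activex
    entry: str   # the re-joined log line
    reason: str


def unwrap(log_text: str) -> list[str]:
    """Re-join entry lines that a mail/news client hard-wrapped.

    Only continuation lines that follow an R/F/N/O entry are joined, so header
    lines ('Platform: ...') and 'Running processes' paths are left as they are.
    """
    entries: list[str] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if entries and not ENTRY_PREFIX.match(line) and ENTRY_PREFIX.match(entries[-1]):
            entries[-1] += " " + line
        else:
            entries.append(line)
    return entries


def host_of(target: str) -> str:
    """Hostname of a URL; ProxyServer values like '127.0.0.1:8080' carry no scheme."""
    if "://" not in target:
        target = "http://" + target
    return (urlparse(target).hostname or "").lower()


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text: str, hijack_domains=HIJACK_DOMAINS, suspect_names=SUSPECT_RUN_NAMES) -> list[Finding]:
    """Return one Finding per suspicious entry, in log order."""
    findings: list[Finding] = []
    suspect = {s.lower() for s in suspect_names}
    for entry in unwrap(log_text):
        m = R_LINE.match(entry)
        if m:
            value, data = m.group("value").strip(), m.group("data").strip()
            host = host_of(data)
            if any(host == d or host.endswith("." + d) for d in hijack_domains):
                findings.append(Finding("hijack", entry, f"{value} points at {host}"))
            elif value == "ProxyServer" and is_ip(host) and ipaddress.ip_address(host).is_loopback:
                findings.append(Finding("proxy", entry, f"ProxyServer routed through loopback {data}"))
            continue
        m = O4_LINE.match(entry)
        if m and m.group("name").lower() in suspect:
            findings.append(Finding("startup", entry, f"Run entry [{m.group('name')}] named as malicious"))
            continue
        m = O16_LINE.match(entry)
        if m and is_ip(host_of(m.group("url"))):
            findings.append(Finding("activex", entry, "ActiveX control served from a bare IP address"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.reason}\n         {f.entry}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample, the script reports two hijacked IE values, the loopback proxy, three of the four suspect Run entries (the sample omits wininet32) and the RdxIE control, while the hotmail Start Page_bak, the TaskMonitor entry and the QuickTime control pass. The `unwrap` step matters in practice: parsing the posted log line by line would miss every entry the news client split, including the ProxyServer one.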





#7
June 23rd 04, 12:10 AM, external usenet poster

Thanks so much. I let somebody stay at my house while I
was away for 2 weeks and came back to this mess! It
appears to be cleaned up due to your help. Do you think I
should remove those 4 entries that you weren't sure about
but thought may be malicious? Let me know, and thanks
again. I REALLY appreciate it!

-----Original Message-----
Are you sure that you have run AdAware and SpyBot and

that they found none of
what follows? I am surprised. This isn't really the

best place to post such
a log, the HijackThis forum being better but at a quick

glance I don't like
the look of:

You certainly need to boot into Safe Mode and open

MSConfig (Start, Run, enter
MSConfig and click OK), open the startup tab and uncheck

these four entries:
[w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
[windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
[runwin32] C:\WINDOWS\runwin32.exe
[wininet32] C:\WINDOWS\wininet32.exe

All of which are malicious. See below for runwin32.exe

and wininet32.exe.
For w32sup.exe see

http://www.pestpatrol.com/PestInfo/w/w32sup.asp.
Windll32.exe is equally malicious but am not sure as to

what this is but it
could be part of Traitor21 (See
http://www.pestpatrol.com/PestInfo/T/Traitor21.asp)

Running Processes:
C:\WINDOWS\RUNWIN32.EXE
This is a password stealer
See

http://www.kephyr.com/spywarescanner...runwin32/index
..phtml
C:\WINDOWS\WININET32.EXE
Therse are then launching all those rogue DIALUP.EXE

processes

What follows are the easy-search hijacks you don't want.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,
(Default) = http://easy-search.biz
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\In ternet
Settings,ProxyServer = 127.0.0.1:8080
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\In ternet
Settings,ProxyOverride = local

O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
O4 - HKCU\..\Run: [windll32.exe]
C:\WINDOWS\SYSTEM\windll32.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe

I'm not familiar with the following controls some of

which may be malicious.

O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE
Class) -
http://207.188.7.104/213841bc6fd5e83...tzip/RdxIE.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B}
(PWMediaSendControl Class) -
http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE}
(TDServer Control) -
http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB}
(EPSImageControl Class) -
http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-
0.cab

I hope you can now clean up some of your system and

hopefully get rid of those
easy-search.
--
Mike Maltby MS-MVP





wrote:

thanks so much for the help - here is the log:
Scan saved at 12:59:21 PM, on 6/22/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\TOUCHMGR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED
COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\MEDIACTR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\WINDOWS\WININET32.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000
\PROGRAMS\ALARM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\MMUSBKB2.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\DKSF1HO1
\HIJACKTHIS[1].EXE
C:\WINDOWS\DIALUP.EXE

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Search
Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Search
Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Start
Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet

Explorer\Main,Start
Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Search
Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Search
Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet

Explorer\SearchURL,
(Default) = http://easy-search.biz
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet
Settings,ProxyServer = 127.0.0.1:8080
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet
Settings,ProxyOverride = local
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Start
Page_bak = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-
0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL (disabled by
BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-
206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
(disabled by BHODemon)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-

423F-
11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry]
C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Touch Manager] C:\Program Files\Netropa\Touch Manager\TouchMgr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...cabs/flash/swflash.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.104/213841bc6fd5e83...tzip/RdxIE.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...cabs/director/sw.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/downlo...2000/Install/10/WIN98Me/EN-US/msorun.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co.../ansi/iuctl.CAB?37874.8720138889
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...rStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab


.

  #8  
Old June 23rd 04, 12:27 AM
Mike M
external usenet poster
 
Posts: n/a
Default easy search - HELP!!!

Hi,

I'm glad to read that you appear to be on the way to solving your problems.
Well done.

No, I don't now think you need to remove any of the following:
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.104/213841bc6fd5e83...tzip/RdxIE.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab

Regards,
--
Mike Maltby MS-MVP




wrote:

thanks so much. I let somebody stay at my house while I
was away for 2 weeks and came back to this mess! It
appears to be cleaned up due to your help. Do you think I
should remove those 4 entries that you weren't sure about
but thought may be malicious? Let me know - and thanks
again - I REALLY appreciate it!

-----Original Message-----
Are you sure that you have run AdAware and SpyBot and that they found none of
what follows? I am surprised. This isn't really the best place to post such
a log, the HijackThis forum being better, but at a quick glance I don't
like the look of:

You certainly need to boot into Safe Mode and open MSConfig (Start, Run, enter
MSConfig and click OK), open the startup tab and uncheck these four entries:
[w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
[windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
[runwin32] C:\WINDOWS\runwin32.exe
[wininet32] C:\WINDOWS\wininet32.exe

All of which are malicious. See below for runwin32.exe and wininet32.exe.
For w32sup.exe see http://www.pestpatrol.com/PestInfo/w/w32sup.asp.
Windll32.exe is equally malicious, but I am not sure what this is; it
could be part of Traitor21 (see http://www.pestpatrol.com/PestInfo/T/Traitor21.asp).

Running Processes:
C:\WINDOWS\RUNWIN32.EXE
This is a password stealer. See http://www.kephyr.com/spywarescanner...runwin32/index.phtml
C:\WINDOWS\WININET32.EXE
These are then launching all those rogue DIALUP.EXE processes.

What follows are the easy-search hijacks you don't want.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe

I'm not familiar with the following controls, some of which may be malicious.

O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.104/213841bc6fd5e83...tzip/RdxIE.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

I hope you can now clean up some of your system and hopefully get rid of
those easy-search.
--
Mike Maltby MS-MVP





wrote:

thanks so much for the help - here is the log:
Scan saved at 12:59:21 PM, on 6/22/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\TOUCHMGR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\MEDIACTR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\WINDOWS\WININET32.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\MMUSBKB2.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\DKSF1HO1\HIJACKTHIS[1].EXE
C:\WINDOWS\DIALUP.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (disabled by BHODemon)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Touch Manager] C:\Program Files\Netropa\Touch Manager\TouchMgr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...cabs/flash/swflash.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.104/213841bc6fd5e83...tzip/RdxIE.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...cabs/director/sw.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/downlo...2000/Install/10/WIN98Me/EN-US/msorun.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co.../ansi/iuctl.CAB?37874.8720138889
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...rStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
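
The indicators Mike walks through in this thread (IE Start/Search Page keys pointing at easy-search.biz, a loopback proxy on 127.0.0.1:8080, the four malicious Run entries, and unfamiliar ActiveX controls) can be checked mechanically against a HijackThis log. This is an added example, not code from the thread or from HijackThis: the sample log is constructed from entries quoted above, and the "bare IP instead of a vendor domain" rule for O16 entries is an assumed triage heuristic of my own, not something Mike stated.

```python
"""Triage a HijackThis-style log for the indicators discussed in this thread.
Added example, not part of the original posts; the sample log below is
constructed from entries quoted in the thread."""
import re
from collections import Counter
from urllib.parse import urlparse

HIJACK_HOSTS = {"easy-search.biz"}                                   # named in the thread
KNOWN_BAD_RUN = {"w32sup", "windll32.exe", "runwin32", "wininet32"}  # Mike's four entries

R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
O16_LINE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")
BARE_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def triage(log_text):
    """Return (category, line) findings: hijack / proxy / startup / review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := R_LINE.match(line):
            value, data = m.group("value").strip(), m.group("data").strip()
            if any(h in data.lower() for h in HIJACK_HOSTS):
                findings.append(("hijack", line))   # IE start/search page redirected
            elif value == "ProxyServer" and data.startswith("127.0.0.1:"):
                findings.append(("proxy", line))    # a local process sits between IE and the network
        elif (m := O4_LINE.match(line)) and m.group("name") in KNOWN_BAD_RUN:
            findings.append(("startup", line))      # autostart entry the thread identified as malicious
        elif (m := O16_LINE.match(line)) and BARE_IP.match(urlparse(m.group("url")).hostname or ""):
            findings.append(("review", line))       # assumed heuristic: ActiveX control fetched from a bare IP
    return findings

def summarize(findings):
    """Count findings per category, e.g. {'hijack': 2, 'proxy': 1, ...}."""
    return dict(Counter(category for category, _ in findings))

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
"""
```

`triage(SAMPLE_LOG)` returns seven findings (two hijack, one proxy, three startup, one review); the hotmail Start Page_bak line and the ScanRegistry and QuickTime entries pass as benign controls.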

