#1
easy search - HELP!!!
How do I get rid of this trojan (easy search.biz)! It keeps coming back! Thanks.
#2
Not a trojan but what is called a browser hijack.

This would be a good time to download yourself a copy of the free Ad-Aware 6.0 from Lavasoft (http://www.lavasoftusa.com/software/adaware/) and also SpyBot Search & Destroy (http://www.safer-networking.org/) and use them to check your system for other commercial parasites, remembering that they are only as good as when you last updated their reference files. I also use a program called BHODemon (http://www.definitivesolutions.com/bhodemon.htm) that checks for unwanted Browser Helper Objects, and SpywareBlaster (http://www.wilderssecurity.net/spywareblaster.html) which can help prevent some parasites getting a grip on your PC.

Then there is CWShredder (http://www.zerosrealm.com/downloads/CWShredder.zip or http://www.spywareinfo.com/~merijn/files/cwshredder.zip) which is the best way of getting rid of the many forms of the CoolWebSearch hijacker, details of which can be found at http://www.spywareinfo.com/~merijn/cwschronicles.html and also http://www.pestpatrol.com/pestinfo/c/cws.asp.

Finally, if you still continue to experience problems, download a copy of HijackThis from http://www.spywareinfo.com/~merijn/downloads.html. Create a folder called hijackthis on C: and copy the file you downloaded to that folder. Close as many applications as you can, including all instances of Internet Explorer, and then run hijackthis.exe and post back the log, provided that it isn't too long, to this thread, otherwise to the HijackThis Forum at http://www.spywareinfo.com/forums/, and hopefully this will enable someone to identify the cause of your problem.

--
Mike Maltby MS-MVP

wrote:
How do I get rid of this trojan (easy search.biz)! It keeps coming back! Thanks.
#3
Hi! - I have all of these programs installed and they are still not removing the hijacker. It keeps changing my proxy settings. Any advice on how to get rid of it? Thanks!
#4
Please read my entire post through to the very end and you will find that the last paragraph tells you exactly what you need to be doing next.

--
Mike Maltby MS-MVP

wrote:
Hi! - I have all of these programs installed and they are still not removing the hijacker. It keeps changing my proxy settings. Any advice on how to get rid of it? Thanks!
#5
Thanks so much for the help - here is the log:

Scan saved at 12:59:21 PM, on 6/22/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\TOUCHMGR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\MEDIACTR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\WINDOWS\WININET32.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\MMUSBKB2.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\DKSF1HO1\HIJACKTHIS[1].EXE
C:\WINDOWS\DIALUP.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (disabled by BHODemon)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Touch Manager] C:\Program Files\Netropa\Touch Manager\TouchMgr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...cabs/flash/swflash.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.104/213841bc6fd5e83...tzip/RdxIE.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...cabs/director/sw.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/downlo...2000/Install/10/WIN98Me/EN-US/msorun.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co.../ansi/iuctl.CAB?37874.8720138889
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...rStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
#7
Thanks so much. I let somebody stay at my house while I was away for 2 weeks and came back to this mess! It appears to be cleaned up due to your help. Do you think I should remove those 4 entries that you weren't sure about but thought may be malicious? Let me know - and thanks again - I REALLY appreciate it!

-----Original Message-----
Are you sure that you have run AdAware and SpyBot and that they found none of what follows? I am surprised.

This isn't really the best place to post such a log, the HijackThis forum being better, but at a quick glance I don't like the look of the following.

You certainly need to boot into Safe Mode and open MSConfig (Start, Run, enter MSConfig and click OK), open the Startup tab and uncheck these four entries:

[w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
[windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
[runwin32] C:\WINDOWS\runwin32.exe
[wininet32] C:\WINDOWS\wininet32.exe

All of which are malicious. See below for runwin32.exe and wininet32.exe. For w32sup.exe see http://www.pestpatrol.com/PestInfo/w/w32sup.asp. Windll32.exe is equally malicious, but I am not sure as to what this is; it could be part of Traitor21 (see http://www.pestpatrol.com/PestInfo/T/Traitor21.asp).

Running Processes:
C:\WINDOWS\RUNWIN32.EXE
This is a password stealer. See http://www.kephyr.com/spywarescanner...runwin32/index.phtml
C:\WINDOWS\WININET32.EXE
These are then launching all those rogue DIALUP.EXE processes.

What follows are the easy-search hijacks you don't want.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe

I'm not familiar with the following controls, some of which may be malicious.

O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.104/213841bc6fd5e83...tzip/RdxIE.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

I hope you can now clean up some of your system and hopefully get rid of those easy-search entries.
--
Mike Maltby MS-MVP
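The triage that Mike does by eye in the quoted reply above (start and search pages pointed at easy-search.biz, a ProxyServer of 127.0.0.1:8080, Run entries that are not on a known-good list, and the many copies of DIALUP.EXE) can be written as a small script over a HijackThis-style log. This is an added example, not code from the thread or from HijackThis; the allow-list of start-page hosts, the autostart baseline and the process-count threshold are assumptions, and the sample log is a constructed excerpt of the one posted above.

```python
"""Triage a HijackThis-style log for the indicators discussed in the thread:
IE start/search page hijacks, a proxy pointed at the local machine, autostart
entries missing from a known-good baseline, and a storm of identical processes."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed excerpt of the log posted in the thread; not the full log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\RUNWIN32.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
"""

# Assumed allow-list: hosts the user legitimately uses as start/search pages.
ALLOWED_HOSTS = {"www.hotmail.com"}
# Assumed baseline: autostart executables known to be legitimate on this machine.
BASELINE_AUTOSTARTS = {"scanregw.exe", "taskmon.exe", "systray.exe", "msnmsgr.exe"}

# "R1 - <key>,<value name> = <value>"
R_LINE = re.compile(r"^(R[01]) - ([^,]+),(.+?) = (.*)$")
# "O4 - <location>: [<label>] <command line>"
O4_LINE = re.compile(r"^O4 - (\S+): \[([^\]]+)\] (.*)$")
# First executable on a command line, quoted or not, with or without arguments.
EXE_PATH = re.compile(r'^"?(.+?\.exe)"?(?:\s|$)', re.IGNORECASE)
LOOPBACK = re.compile(r"(?<![\w.])(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)(?![\w.])", re.IGNORECASE)


def parse_log(text):
    """Split the log into running processes, R (registry) entries and O4 (autostart) entries."""
    processes, registry, autostarts = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):          # blank lines and section headers
            continue
        m = R_LINE.match(line)
        if m:
            kind, key, name, value = m.groups()
            registry.append({"kind": kind, "key": key, "name": name.strip(), "value": value.strip()})
            continue
        m = O4_LINE.match(line)
        if m:
            location, label, command = m.groups()
            e = EXE_PATH.match(command)
            autostarts.append({"location": location, "label": label,
                               "exe": e.group(1) if e else command, "command": command})
            continue
        if "\\" in line and " - " not in line:      # a bare path under "Running processes:"
            processes.append(line)
    return {"processes": processes, "registry": registry, "autostarts": autostarts}


def find_page_hijacks(registry, allowed_hosts=ALLOWED_HOSTS):
    """R0/R1 values holding a URL whose host is not on the allow-list (the easy-search.biz entries)."""
    hits = []
    for e in registry:
        if not e["value"].lower().startswith(("http://", "https://")):
            continue
        host = urlsplit(e["value"]).hostname
        if host and host not in allowed_hosts:
            hits.append((e["name"], host))
    return hits


def find_proxy_hijacks(registry):
    """ProxyServer values that route the browser through the local machine, as in the thread."""
    return [e["value"] for e in registry
            if e["name"].lower() == "proxyserver" and LOOPBACK.search(e["value"])]


def find_unknown_autostarts(autostarts, baseline=BASELINE_AUTOSTARTS):
    """O4 entries whose executable file name is not on the known-good baseline."""
    hits = []
    for e in autostarts:
        basename = e["exe"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename not in baseline:
            hits.append((e["label"], e["exe"]))
    return hits


def find_process_storms(processes, threshold=3):
    """Executables running as many identical copies, like the rogue DIALUP.EXE instances."""
    counts = Counter(p.lower() for p in processes)
    first_spelling = {}
    for p in processes:
        first_spelling.setdefault(p.lower(), p)
    return [(first_spelling[k], n) for k, n in counts.items() if n >= threshold]


def triage(text):
    parsed = parse_log(text)
    return {
        "page_hijacks": find_page_hijacks(parsed["registry"]),
        "proxy_hijacks": find_proxy_hijacks(parsed["registry"]),
        "unknown_autostarts": find_unknown_autostarts(parsed["autostarts"]),
        "process_storms": find_process_storms(parsed["processes"]),
    }


if __name__ == "__main__":
    for category, findings in triage(SAMPLE_LOG).items():
        print(category)
        for finding in findings:
            print("   ", finding)
```

Flagged entries are leads for a person to check, not verdicts; a legitimate but unbaselined program shows up under unknown_autostarts just as w32sup.exe does.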
#8
Hi,
I'm glad to read that you appear to be on the way to solving your problems. Well done.

No, I don't now think you need to remove any of the following:

O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.104/213841bc6fd5e83...tzip/RdxIE.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab

Regards,

--
Mike Maltby MS-MVP