easy search - HELP!!!


June 22nd 04, 06:13 PM
how do i get rid of this trojan (easy search.biz)! it
keeps coming back!
thanks.

Mike M
June 22nd 04, 06:58 PM
Not a trojan but what is called a browser hijack.

This would be a good time to download yourself a copy of the free Ad-Aware 6.0
from Lavasoft (http://www.lavasoftusa.com/software/adaware/) and also SpyBot
Search & Destroy (http://www.safer-networking.org/) and use them to check your
system for other commercial parasites, remembering that they are only as good
as when you last updated their reference files. I also use a program called
BHODemon (http://www.definitivesolutions.com/bhodemon.htm) that checks for
unwanted Browser Helper Objects, and SpywareBlaster
(http://www.wilderssecurity.net/spywareblaster.html) which can help prevent
some parasites getting a grip on your PC.

Then there is CWShredder
(http://www.zerosrealm.com/downloads/CWShredder.zip or
http://www.spywareinfo.com/~merijn/files/cwshredder.zip) which is the best way
of getting rid of the many forms of the CoolWebSearch hijacker, details of
which can be found at http://www.spywareinfo.com/~merijn/cwschronicles.html
and also http://www.pestpatrol.com/pestinfo/c/cws.asp.

Finally if you still continue to experience problems download a copy of
HijackThis from (http://www.spywareinfo.com/~merijn/downloads.html). Create a
folder called hijackthis on C: and copy the file you downloaded to that
folder. Close as many applications as you can including all instances of
Internet Explorer and then run hijackthis.exe and post back the log, provided
that it isn't too long, to this thread, otherwise to the HijackThis Forum at
http://www.spywareinfo.com/forums/ and hopefully this will enable someone to
identify the cause of your problem.
--
Mike Maltby MS-MVP


June 22nd 04, 07:56 PM
Hi! - I have all of these programs installed and they
are still not removing the hijacker. it keeps changing my
proxy settings. Any advice on how to get rid of it?
thanks!


Mike M
June 22nd 04, 08:15 PM
Please read my entire post through to the very end and you will find that the
last paragraph tells you exactly what you need to be doing next.
--
Mike Maltby MS-MVP


June 22nd 04, 08:58 PM
thanks so much for the help - here is the log:
Scan saved at 12:59:21 PM, on 6/22/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\TOUCHMGR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\MEDIACTR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\WINDOWS\WININET32.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\MMUSBKB2.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\DKSF1HO1\HIJACKTHIS[1].EXE
C:\WINDOWS\DIALUP.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (disabled by BHODemon)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Touch Manager] C:\Program Files\Netropa\Touch Manager\TouchMgr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.104/213841bc6fd5e8314e04/netzip/RdxIE.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37874.8720138889
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

Mike M
June 22nd 04, 09:43 PM
Are you sure that you have run AdAware and SpyBot and that they found none of
what follows? I am surprised. This isn't really the best place to post such
a log, the HijackThis forum being better but at a quick glance I don't like
the look of:

You certainly need to boot into Safe Mode and open MSConfig (Start, Run, enter
MSConfig and click OK), open the startup tab and uncheck these four entries:
[w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
[windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
[runwin32] C:\WINDOWS\runwin32.exe
[wininet32] C:\WINDOWS\wininet32.exe

All of which are malicious. See below for runwin32.exe and wininet32.exe.
For w32sup.exe see http://www.pestpatrol.com/PestInfo/w/w32sup.asp.
Windll32.exe is equally malicious but I am not sure as to what this is; it
could be part of Traitor21 (See
http://www.pestpatrol.com/PestInfo/T/Traitor21.asp).

Running Processes:
C:\WINDOWS\RUNWIN32.EXE
This is a password stealer.
See http://www.kephyr.com/spywarescanner/library/runwin32/index.phtml
C:\WINDOWS\WININET32.EXE
These are then launching all those rogue DIALUP.EXE processes.

What follows are the easy-search hijacks you don't want.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe

I'm not familiar with the following controls some of which may be malicious.

O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.104/213841bc6fd5e8314e04/netzip/RdxIE.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

I hope you can now clean up some of your system and hopefully get rid of those
easy-search.
--
Mike Maltby MS-MVP

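
The checks Mike M applied by eye to the log above, written out as a small Python triage script. This is an added example, not part of the thread and not HijackThis code: it flags R0/R1 entries whose target is the hijack domain, a ProxyServer entry pointed at the local machine, O4 autorun entries naming the four executables he called out, and any one image appearing many times in the running-process list (the DIALUP.EXE pattern). The sample log is a constructed, abbreviated copy of the posted one; the watch list and the repeat threshold are assumptions for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# "R0"/"R1" lines: "<kind> - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<key>.+?) = (?P<data>.*)$")
# "O4" autorun lines: "O4 - HKLM\..\Run: [<entry name>] <command line>"
O4_LINE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<command>.*)$")
# First .exe token in a command line, skipping the directory part of the path
EXE_NAME = re.compile(r'([^\\/"\s]+\.exe)\b', re.I)

# Autorun executables Mike M identified as malicious in this thread (assumption:
# a fixed watch list for the example; HijackThis itself ships no such list).
DEFAULT_BAD_NAMES = frozenset({"w32sup.exe", "windll32.exe", "runwin32.exe", "wininet32.exe"})

# Constructed sample: an abbreviated copy of the log posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\WINDOWS\WININET32.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\DIALUP.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
"""


def host_of(data):
    """Lower-cased host of a URL or host:port string ('' if there is none)."""
    text = data.strip()
    if "://" not in text:
        text = "//" + text           # let urlsplit treat a bare host:port as a netloc
    return (urlsplit(text).hostname or "").lower()


def running_processes(log_text):
    """Image paths listed under 'Running processes:' (the section ends at a blank line)."""
    procs, in_section = [], False
    for line in log_text.splitlines():
        if line.strip().lower() == "running processes:":
            in_section = True
        elif in_section:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def triage(log_text, hijack_domain="easy-search.biz",
           bad_names=DEFAULT_BAD_NAMES, repeat_threshold=5):
    """Apply the four checks and return the matching log lines grouped by check."""
    hijack_domain = hijack_domain.lower()
    findings = {"hijacked_urls": [], "local_proxy": [], "bad_autoruns": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            host = host_of(m["data"])
            if host == hijack_domain or host.endswith("." + hijack_domain):
                findings["hijacked_urls"].append(line)   # IE start/search pages redirected
            elif m["key"].endswith(",ProxyServer") and host in ("127.0.0.1", "localhost"):
                findings["local_proxy"].append(line)     # browsing forced through a local process
            continue
        m = O4_LINE.match(line)
        if m:
            exe = EXE_NAME.search(m["command"])
            if exe and exe.group(1).lower() in bad_names:
                findings["bad_autoruns"].append(line)    # re-launched at every boot
    # One binary running many times over (the DIALUP.EXE pattern in the thread).
    counts = Counter(p.lower() for p in running_processes(log_text))
    findings["repeated_processes"] = {p: n for p, n in counts.items() if n >= repeat_threshold}
    return findings


def report(findings):
    """Render the findings as plain text, one heading per check."""
    lines = []
    for check, hits in findings.items():
        lines.append(f"== {check} ({len(hits)}) ==")
        if isinstance(hits, dict):
            lines.extend(f"{path}  x{n}" for path, n in hits.items())
        else:
            lines.extend(hits)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```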

June 23rd 04, 12:10 AM
thanks so much. i let somebody stay at my house while i
was away for 2 weeks and came back to this mess! it
appears to be cleaned up due to your help. Do you think I
should remove those 4 entries that you weren't sure about
but thought may be malicious? let me know - and thanks
again - I REALLY appreciate it!

>-----Original Message-----
>Are you sure that you have run AdAware and SpyBot and
that they found none of
>what follows? I am surprised. This isn't really the
best place to post such
>a log, the HijackThis forum being better but at a quick
glance I don't like
>the look of:
>
>You certainly need to boot into Safe Mode and open
MSConfig (Start, Run, enter
>MSConfig and click OK), open the startup tab and uncheck
these four entries:
>[w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
>[windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
>[runwin32] C:\WINDOWS\runwin32.exe
>[wininet32] C:\WINDOWS\wininet32.exe
>
>All of which are malicious. See below for runwin32.exe
and wininet32.exe.
>For w32sup.exe see
http://www.pestpatrol.com/PestInfo/w/w32sup.asp.
>Windll32.exe is equally malicious but am not sure as to
what this is but it
>could be part of Traitor21 (See
>http://www.pestpatrol.com/PestInfo/T/Traitor21.asp)
>
>Running Processes:
>C:\WINDOWS\RUNWIN32.EXE
>This is a password stealer
>See
http://www.kephyr.com/spywarescanner/library/runwin32/index
..phtml
>C:\WINDOWS\WININET32.EXE
>Therse are then launching all those rogue DIALUP.EXE
processes
>
>What follows are the easy-search hijacks you don't want.
>
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
>Bar = http://easy-search.biz
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
>Page = http://easy-search.biz
>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
>Page = http://easy-search.biz
>R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
>Page = http://easy-search.biz
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
>Bar = http://easy-search.biz
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
>Page = http://easy-search.biz
>R0 - HKLM\Software\Microsoft\Internet
>Explorer\Search,CustomizeSearch = http://easy-search.biz
>R0 - HKLM\Software\Microsoft\Internet
>Explorer\Search,SearchAssistant = http://easy-search.biz
>R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,
>(Default) = http://easy-search.biz
>R1 -
>HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet
>Settings,ProxyServer = 127.0.0.1:8080
>R1 -
>HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet
>Settings,ProxyOverride = local
>
>O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
>O4 - HKCU\..\Run: [windll32.exe]
>C:\WINDOWS\SYSTEM\windll32.exe
>O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
>O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
>
>I'm not familiar with the following controls some of
which may be malicious.
>
>O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE
>Class) -
>http://207.188.7.104/213841bc6fd5e8314e04/netzip/RdxIE.cab
>O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B}
>(PWMediaSendControl Class) -
>http://216.249.25.152/code/PWActiveXImgCtl.CAB
>O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE}
>(TDServer Control) -
>http://www.bitstream.com/wfplayer/tdserver.cab
>O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB}
>(EPSImageControl Class) -
>http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-
>0.cab
>
>I hope you can now clean up some of your system and
hopefully get rid of those
>easy-search.
>--
>Mike Maltby MS-MVP

>
>

>
>wrote:
>
>> thanks so much for the help - here is the log:
>> Scan saved at 12:59:21 PM, on 6/22/2004
>> Platform: Windows ME (Win9x 4.90.3000)
>> MSIE: Internet Explorer v5.50 (5.50.4134.0100)
>>
>> Running processes:
>> C:\WINDOWS\SYSTEM\KERNEL32.DLL
>> C:\WINDOWS\SYSTEM\MSGSRV32.EXE
>> C:\WINDOWS\SYSTEM\mmtask.tsk
>> C:\WINDOWS\SYSTEM\MPREXE.EXE
>> C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
>> C:\WINDOWS\SYSTEM\STIMON.EXE
>> C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
>> C:\WINDOWS\SYSTEM\MSTASK.EXE
>> C:\WINDOWS\SYSTEM\SSDPSRV.EXE
>> C:\WINDOWS\EXPLORER.EXE
>> C:\WINDOWS\SYSTEM\RPCSS.EXE
>> C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
>> C:\WINDOWS\TASKMON.EXE
>> C:\WINDOWS\SYSTEM\SYSTRAY.EXE
>> C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\TOUCHMGR.EXE
>> C:\WINDOWS\LOADQM.EXE
>> C:\WINDOWS\SYSTEM\WMIEXE.EXE
>> C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
>> C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED
>> COMPONENTS\GUARDIAN\CMGRDIAN.EXE
>> C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
>> C:\WINDOWS\SYSTEM\QTTASK.EXE
>> C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\MEDIACTR.EXE
>> C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
>> C:\WINDOWS\RUNWIN32.EXE
>> C:\WINDOWS\WININET32.EXE
>> C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
>> C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000
>> \PROGRAMS\ALARM.EXE
>> C:\WINDOWS\SYSTEM\SPOOL32.EXE
>> C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
>> C:\WINDOWS\SYSTEM\DDHELP.EXE
>> C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\MMUSBKB2.EXE
>> C:\WINDOWS\DIALUP.EXE
>> C:\WINDOWS\DIALUP.EXE
>> C:\WINDOWS\RUNDLL32.EXE
>> C:\WINDOWS\DIALUP.EXE
>> C:\WINDOWS\DIALUP.EXE
>> C:\WINDOWS\DIALUP.EXE
>> C:\WINDOWS\DIALUP.EXE
>> C:\WINDOWS\DIALUP.EXE
>> C:\WINDOWS\DIALUP.EXE
>> C:\WINDOWS\DIALUP.EXE
>> C:\WINDOWS\DIALUP.EXE
>> C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
>> C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
>> C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
>> C:\WINDOWS\DIALUP.EXE
>> C:\WINDOWS\DIALUP.EXE
>> C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\DKSF1HO1
>> \HIJACKTHIS[1].EXE
>> C:\WINDOWS\DIALUP.EXE
>>
>> R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search
>> Bar = http://easy-search.biz
>> R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search
>> Page = http://easy-search.biz
>> R0 - HKCU\Software\Microsoft\Internet
Explorer\Main,Start
>> Page = http://easy-search.biz
>> R0 - HKLM\Software\Microsoft\Internet
Explorer\Main,Start
>> Page = http://easy-search.biz
>> R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search
>> Bar = http://easy-search.biz
>> R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search
>> Page = http://easy-search.biz
>> R0 - HKLM\Software\Microsoft\Internet
>> Explorer\Search,CustomizeSearch = http://easy-search.biz
>> R0 - HKLM\Software\Microsoft\Internet
>> Explorer\Search,SearchAssistant = http://easy-search.biz
>> R1 - HKCU\Software\Microsoft\Internet
Explorer\SearchURL,
>> (Default) = http://easy-search.biz
>> R1 -
>> HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet
>> Settings,ProxyServer = 127.0.0.1:8080
>> R1 -
>> HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet
>> Settings,ProxyOverride = local
>> R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Start
>> Page_bak = http://www.hotmail.com/
>> R1 - HKCU\Software\Microsoft\Internet
>> Explorer\Main,HomeOldSP = about:blank
>> O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-
>> 0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL (disabled by
>> BHODemon)
>> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-
>> 206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
>> (disabled by BHODemon)
>> O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-
423F-
>> 11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
>> O4 - HKLM\..\Run: [ScanRegistry]
>> C:\WINDOWS\scanregw.exe /autorun
>> O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
>> O4 - HKLM\..\Run: [PCHealth]
>> C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
>> O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
>> O4 - HKLM\..\Run: [Touch Manager] C:\Program
>> Files\Netropa\Touch Manager\TouchMgr.exe
>> O4 - HKLM\..\Run: [LoadQM] loadqm.exe
>> O4 - HKLM\..\Run: [Alogserv] C:\Program
>> Files\McAfee\McAfee VirusScan\alogserv.exe
>> O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM
>> FILES\MCAFEE\MCAFEE SHARED
>> COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
>> O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common
>> Files\Real\Update_OB\evntsvc.exe -osboot
>> O4 - HKLM\..\Run: [QuickTime
>> Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
>> O4 - HKLM\..\Run: [REGSHAVE] C:\Program
>> Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
>> O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
>> O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
>> powrprof.dll,LoadCurrentPwrScheme
>> O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program
>> Files\Common Files\EPSON\EBAPI\SAgent2.exe
>> O4 - HKLM\..\RunServices: [StillImageMonitor]
>> C:\WINDOWS\SYSTEM\STIMON.EXE
>> O4 - HKLM\..\RunServices: [McAfeeVirusScanService]
>> C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
>> O4 - HKLM\..\RunServices: [LoadPowerProfile]
Rundll32.exe
>> powrprof.dll,LoadCurrentPwrScheme
>> O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
>> O4 - HKLM\..\RunServices: [SSDPSRV]
>> C:\WINDOWS\SYSTEM\ssdpsrv.exe
>> O4 - HKLM\..\RunServices: [*StateMgr]
>> C:\WINDOWS\System\Restore\StateMgr.exe
>> O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN
>> MESSENGER\MSNMSGR.EXE" /background
>> O4 - HKCU\..\Run: [windll32.exe]
>> C:\WINDOWS\SYSTEM\windll32.exe
>> O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
>> O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
>> O4 - Startup: EPSON Status Monitor 3 Environment Check
>> 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
>> O4 - Startup: Exif Launcher.lnk = C:\Program
>> Files\FinePixViewer\QuickDCF.exe
>> O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program
>> Files\Corel\WordPerfect Office 2000\programs\alarm.exe
>> O4 - Startup: RealDownload.lnk = C:\Program
>> Files\Real\RealDownload\REALDOWNLOAD.EXE
>> O9 - Extra button: Messenger (HKLM)
>> O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
>> O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
>> (Shockwave Flash Object) -
>> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
>> O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE
>> Class) -
>> http://207.188.7.104/213841bc6fd5e8314e04/netzip/RdxIE.cab
>> O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
>> (QuickTime Object) -
>> http://www.apple.com/qtactivex/qtplugin.cab
>> O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
>> (Shockwave ActiveX Control) -
>> http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
>> O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B}
>> (PWMediaSendControl Class) -
>> http://216.249.25.152/code/PWActiveXImgCtl.CAB
>> O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE}
>> (TDServer Control) -
>> http://www.bitstream.com/wfplayer/tdserver.cab
>> O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB}
>> (IEAnimBehaviorFactory Class) -
>> http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
>> O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update
>> Class) -
>> http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37874.8720138889
>> O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D}
>> (MessengerStatsClient Class) -
>> http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
>> O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68}
>> (InstallShield International Setup Player) -
>> http://www.installengine.com/engine/isetup.cab
>> O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln
>> Object) -
>> http://www.microsoft.com/security/controls/SassCln.CAB
>> O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479}
>> (EPSImageControl Class) -
>> http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

Mike M
June 23rd 04, 12:27 AM
Hi,

I'm glad to read that you appear to be on the way to solving your problems.
Well done.

No, I don't now think you need to remove any of the following:
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE
Class) -
http://207.188.7.104/213841bc6fd5e8314e04/netzip/RdxIE.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B}
(PWMediaSendControl Class) -
http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE}
(TDServer Control) -
http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB}
(EPSImageControl Class) -
http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

Regards,
--
Mike Maltby MS-MVP



>
wrote:

> thanks so much. i let somebody stay at my house while i
> was away for 2 weeks and came back to this mess! it
> appears to be cleaned up due to your help. Do you think I
> should remove those 4 entries that you weren't sure about
> but thought may be malicious? let me know - and thanks
> again - I REALLY appreciate it!
>
>> -----Original Message-----
>> Are you sure that you have run AdAware and SpyBot and that they found
>> none of what follows? I am surprised. This isn't really the best place
>> to post such a log, the HijackThis forum being better, but at a quick
>> glance I don't like the look of:
>>
>> You certainly need to boot into Safe Mode and open MSConfig (Start, Run,
>> enter MSConfig and click OK), open the startup tab and uncheck these four
>> entries:
>> [w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
>> [windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
>> [runwin32] C:\WINDOWS\runwin32.exe
>> [wininet32] C:\WINDOWS\wininet32.exe
>>
>> All of which are malicious. See below for runwin32.exe and wininet32.exe.
>> For w32sup.exe see http://www.pestpatrol.com/PestInfo/w/w32sup.asp.
>> Windll32.exe is equally malicious, but I am not sure what this is; it
>> could be part of Traitor21 (see
>> http://www.pestpatrol.com/PestInfo/T/Traitor21.asp)
>>
>> Running Processes:
>> C:\WINDOWS\RUNWIN32.EXE
>> This is a password stealer. See
>> http://www.kephyr.com/spywarescanner/library/runwin32/index.phtml
>> C:\WINDOWS\WININET32.EXE
>> These are then launching all those rogue DIALUP.EXE processes
>>
>> What follows are the easy-search hijacks you don't want.
>>
>> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
>> Bar = http://easy-search.biz
>> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
>> Page = http://easy-search.biz
>> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
>> Page = http://easy-search.biz
>> R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
>> Page = http://easy-search.biz
>> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
>> Bar = http://easy-search.biz
>> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
>> Page = http://easy-search.biz
>> R0 - HKLM\Software\Microsoft\Internet
>> Explorer\Search,CustomizeSearch = http://easy-search.biz
>> R0 - HKLM\Software\Microsoft\Internet
>> Explorer\Search,SearchAssistant = http://easy-search.biz
>> R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,
>> (Default) = http://easy-search.biz
>> R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
>> Settings,ProxyServer = 127.0.0.1:8080
>> R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
>> Settings,ProxyOverride = local
>>
>> O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
>> O4 - HKCU\..\Run: [windll32.exe]
>> C:\WINDOWS\SYSTEM\windll32.exe
>> O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
>> O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
>>
>> I'm not familiar with the following controls, some of which may be malicious.
>>
>> O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE
>> Class) -
>> http://207.188.7.104/213841bc6fd5e8314e04/netzip/RdxIE.cab
>> O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B}
>> (PWMediaSendControl Class) -
>> http://216.249.25.152/code/PWActiveXImgCtl.CAB
>> O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE}
>> (TDServer Control) -
>> http://www.bitstream.com/wfplayer/tdserver.cab
>> O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB}
>> (EPSImageControl Class) -
>> http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
>>
>> I hope you can now clean up some of your system and hopefully get rid of
>> those easy-search.
>> --
>> Mike Maltby MS-MVP
>>
>>
>>
>>
>>
>> wrote:
>>
>>> thanks so much for the help - here is the log:
>>> Scan saved at 12:59:21 PM, on 6/22/2004
>>> Platform: Windows ME (Win9x 4.90.3000)
>>> MSIE: Internet Explorer v5.50 (5.50.4134.0100)
>>>
>>> Running processes:
>>> C:\WINDOWS\SYSTEM\KERNEL32.DLL
>>> C:\WINDOWS\SYSTEM\MSGSRV32.EXE
>>> C:\WINDOWS\SYSTEM\mmtask.tsk
>>> C:\WINDOWS\SYSTEM\MPREXE.EXE
>>> C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
>>> C:\WINDOWS\SYSTEM\STIMON.EXE
>>> C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
>>> C:\WINDOWS\SYSTEM\MSTASK.EXE
>>> C:\WINDOWS\SYSTEM\SSDPSRV.EXE
>>> C:\WINDOWS\EXPLORER.EXE
>>> C:\WINDOWS\SYSTEM\RPCSS.EXE
>>> C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
>>> C:\WINDOWS\TASKMON.EXE
>>> C:\WINDOWS\SYSTEM\SYSTRAY.EXE
>>> C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\TOUCHMGR.EXE
>>> C:\WINDOWS\LOADQM.EXE
>>> C:\WINDOWS\SYSTEM\WMIEXE.EXE
>>> C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
>>> C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED
>>> COMPONENTS\GUARDIAN\CMGRDIAN.EXE
>>> C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
>>> C:\WINDOWS\SYSTEM\QTTASK.EXE
>>> C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\MEDIACTR.EXE
>>> C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
>>> C:\WINDOWS\RUNWIN32.EXE
>>> C:\WINDOWS\WININET32.EXE
>>> C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
>>> C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
>>> C:\WINDOWS\SYSTEM\SPOOL32.EXE
>>> C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
>>> C:\WINDOWS\SYSTEM\DDHELP.EXE
>>> C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\MMUSBKB2.EXE
>>> C:\WINDOWS\DIALUP.EXE
>>> C:\WINDOWS\DIALUP.EXE
>>> C:\WINDOWS\RUNDLL32.EXE
>>> C:\WINDOWS\DIALUP.EXE
>>> C:\WINDOWS\DIALUP.EXE
>>> C:\WINDOWS\DIALUP.EXE
>>> C:\WINDOWS\DIALUP.EXE
>>> C:\WINDOWS\DIALUP.EXE
>>> C:\WINDOWS\DIALUP.EXE
>>> C:\WINDOWS\DIALUP.EXE
>>> C:\WINDOWS\DIALUP.EXE
>>> C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
>>> C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
>>> C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
>>> C:\WINDOWS\DIALUP.EXE
>>> C:\WINDOWS\DIALUP.EXE
>>> C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\DKSF1HO1\HIJACKTHIS[1].EXE
>>> C:\WINDOWS\DIALUP.EXE
>>>
>>> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
>>> Bar = http://easy-search.biz
>>> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
>>> Page = http://easy-search.biz
>>> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
>>> Page = http://easy-search.biz
>>> R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
>>> Page = http://easy-search.biz
>>> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
>>> Bar = http://easy-search.biz
>>> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
>>> Page = http://easy-search.biz
>>> R0 - HKLM\Software\Microsoft\Internet
>>> Explorer\Search,CustomizeSearch = http://easy-search.biz
>>> R0 - HKLM\Software\Microsoft\Internet
>>> Explorer\Search,SearchAssistant = http://easy-search.biz
>>> R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,
>>> (Default) = http://easy-search.biz
>>> R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
>>> Settings,ProxyServer = 127.0.0.1:8080
>>> R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
>>> Settings,ProxyOverride = local
>>> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
>>> Page_bak = http://www.hotmail.com/
>>> R1 - HKCU\Software\Microsoft\Internet
>>> Explorer\Main,HomeOldSP = about:blank
>>> O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} -
>>> C:\WINDOWS\SYSTEM\NZDD.DLL (disabled by BHODemon)
>>> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
>>> C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (disabled by BHODemon)
>>> O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio -
>>> {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
>>> O4 - HKLM\..\Run: [ScanRegistry]
>>> C:\WINDOWS\scanregw.exe /autorun
>>> O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
>>> O4 - HKLM\..\Run: [PCHealth]
>>> C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
>>> O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
>>> O4 - HKLM\..\Run: [Touch Manager] C:\Program
>>> Files\Netropa\Touch Manager\TouchMgr.exe
>>> O4 - HKLM\..\Run: [LoadQM] loadqm.exe
>>> O4 - HKLM\..\Run: [Alogserv] C:\Program
>>> Files\McAfee\McAfee VirusScan\alogserv.exe
>>> O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM
>>> FILES\MCAFEE\MCAFEE SHARED
>>> COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
>>> O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common
>>> Files\Real\Update_OB\evntsvc.exe -osboot
>>> O4 - HKLM\..\Run: [QuickTime
>>> Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
>>> O4 - HKLM\..\Run: [REGSHAVE] C:\Program
>>> Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
>>> O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
>>> O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
>>> powrprof.dll,LoadCurrentPwrScheme
>>> O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program
>>> Files\Common Files\EPSON\EBAPI\SAgent2.exe
>>> O4 - HKLM\..\RunServices: [StillImageMonitor]
>>> C:\WINDOWS\SYSTEM\STIMON.EXE
>>> O4 - HKLM\..\RunServices: [McAfeeVirusScanService]
>>> C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
>>> O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
>>> powrprof.dll,LoadCurrentPwrScheme
>>> O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
>>> O4 - HKLM\..\RunServices: [SSDPSRV]
>>> C:\WINDOWS\SYSTEM\ssdpsrv.exe
>>> O4 - HKLM\..\RunServices: [*StateMgr]
>>> C:\WINDOWS\System\Restore\StateMgr.exe
>>> O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN
>>> MESSENGER\MSNMSGR.EXE" /background
>>> O4 - HKCU\..\Run: [windll32.exe]
>>> C:\WINDOWS\SYSTEM\windll32.exe
>>> O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
>>> O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
>>> O4 - Startup: EPSON Status Monitor 3 Environment Check
>>> 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
>>> O4 - Startup: Exif Launcher.lnk = C:\Program
>>> Files\FinePixViewer\QuickDCF.exe
>>> O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program
>>> Files\Corel\WordPerfect Office 2000\programs\alarm.exe
>>> O4 - Startup: RealDownload.lnk = C:\Program
>>> Files\Real\RealDownload\REALDOWNLOAD.EXE
>>> O9 - Extra button: Messenger (HKLM)
>>> O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
>>> O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
>>> (Shockwave Flash Object) -
>>> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
>>> O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE
>>> Class) -
>>> http://207.188.7.104/213841bc6fd5e8314e04/netzip/RdxIE.cab
>>> O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
>>> (QuickTime Object) -
>>> http://www.apple.com/qtactivex/qtplugin.cab
>>> O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
>>> (Shockwave ActiveX Control) -
>>> http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
>>> O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B}
>>> (PWMediaSendControl Class) -
>>> http://216.249.25.152/code/PWActiveXImgCtl.CAB
>>> O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE}
>>> (TDServer Control) -
>>> http://www.bitstream.com/wfplayer/tdserver.cab
>>> O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB}
>>> (IEAnimBehaviorFactory Class) -
>>> http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
>>> O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update
>>> Class) -
>>> http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37874.8720138889
>>> O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D}
>>> (MessengerStatsClient Class) -
>>> http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
>>> O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68}
>>> (InstallShield International Setup Player) -
>>> http://www.installengine.com/engine/isetup.cab
>>> O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln
>>> Object) -
>>> http://www.microsoft.com/security/controls/SassCln.CAB
>>> O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479}
>>> (EPSImageControl Class) -
>>> http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
>>
>> .
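The log in this thread was triaged by hand: Mike picked out the R0/R1 entries pointing at easy-search.biz, the ProxyServer value pointing at 127.0.0.1:8080, the four O4 autorun entries (w32sup.exe, windll32.exe, runwin32.exe, wininet32.exe) and the flood of DIALUP.EXE processes. The Python below, an added example that is neither part of the original thread nor HijackThis code, does the same triage automatically on a constructed log written in the HijackThis 1.x layout the thread quotes. The hijacker host, proxy value and the four image names are taken from the thread; the sample log lines, the repeat threshold of 3 and all function names are assumptions made for the example.

```python
import re
from collections import Counter

# Values taken from the log quoted in this thread.
HIJACK_HOSTS = {"easy-search.biz"}
# The four startup entries the thread identifies as malicious.
ROGUE_IMAGES = {"w32sup.exe", "windll32.exe", "runwin32.exe", "wininet32.exe"}
# Assumption for this example: an image listed this many times under
# "Running processes" is worth a look (the thread's log shows DIALUP.EXE
# launched over a dozen times).
REPEAT_THRESHOLD = 3

# Constructed sample in HijackThis 1.x log layout, modelled on the thread's log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\WINDOWS\WININET32.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\DIALUP.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\SYSTEM\w32sup.exe
O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
"""

# One log entry: a section code (R0..R3, O1, O2, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")


def parse_log(text):
    """Split a HijackThis log into the running-process list and (section, body) entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def url_host(value):
    """Host part of a URL such as http://easy-search.biz, or None if the value is not a URL."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", value.strip(), re.I)
    return m.group(1).lower() if m else None


def image_name(command):
    """Lower-cased base name of the first .exe mentioned in an O4 command line."""
    m = re.search(r'([^\\/"\s\[\]]+\.exe)\b', command, re.I)
    return m.group(1).lower() if m else None


def basename(path):
    """Last path component, lower-cased (handles Windows backslashes on any host)."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def analyse(text):
    """Return the items a defender would pull out of the log for closer inspection."""
    processes, entries = parse_log(text)
    report = {"hijacked_settings": [], "loopback_proxy": [],
              "rogue_autoruns": [], "repeated_processes": {}}
    for section, body in entries:
        if section in ("R0", "R1") and " = " in body:
            key, value = (s.strip() for s in body.rsplit(" = ", 1))
            if url_host(value) in HIJACK_HOSTS:
                report["hijacked_settings"].append(key)        # IE start/search page hijack
            elif key.endswith(",ProxyServer") and value.startswith("127.0.0.1:"):
                report["loopback_proxy"].append(value)          # traffic routed via a local proxy
        elif section == "O4":
            image = image_name(body)
            if image in ROGUE_IMAGES:
                report["rogue_autoruns"].append((body.split(":", 1)[0], image))
    counts = Counter(basename(p) for p in processes)
    report["repeated_processes"] = {n: c for n, c in counts.items() if c >= REPEAT_THRESHOLD}
    return report


if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_LOG).items():
        print(f"{kind}: {items}")
```

Running the block on the constructed log reports the two hijacked IE settings, the 127.0.0.1:8080 proxy, the four rogue autoruns with their hive and key, and DIALUP.EXE as a repeated process; the benign ScanRegistry and RealDownload entries and the hotmail.com backup page are left alone. To reuse it on a real log, paste the log text in place of SAMPLE_LOG and extend HIJACK_HOSTS and ROGUE_IMAGES with whatever the current incident has identified.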