Topic: Easy-Search!! ahh! my hijack log

Vern

  • Guest
Easy-Search!! ahh! my hijack log
« on: May 15, 2004, 08:06:17 AM »
I would love some advice on getting rid of this bastard!!

I deleted the easy-search.biz items, but they always return.  What should I do?
Thanks very much.
Vern

Logfile of HijackThis v1.97.7
Scan saved at 11:08:06 PM, on 5/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Vet\VetTray.exe
C:\program files\twinmos mobile disk tools\twinmos.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PDF-XChange 2.5\pdfSaver.exe
C:\Program Files\Sonique\sqstart.exe
C:\WINDOWS\runwin32.exe
C:\WINDOWS\wininet32.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HumanClick\hc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\My Documents\download\Internet\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.dnanow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.dnanow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.dnanow.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\System32\Rscmpt.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [PLoader] c:\program files\twinmos mobile disk tools\twinmos.exe sys_auto_run C:\Program Files\TwinMOS Mobile Disk Tools
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CMW] C:\WINDOWS\CMW.exe
O4 - HKLM\..\Run: [stsvwlsb] C:\WINDOWS\stsvwlsb.exe
O4 - HKCU\..\Run: [pdfSaver] C:\Program Files\PDF-XChange 2.5\pdfSaver.exe
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\system32\wnsintsv.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - Startup: HumanClick.lnk = C:\Program Files\HumanClick\hc.exe
O4 - Startup: PDF-XChange Capture.lnk = C:\Program Files\PDF-XChange 2.5\pdfSaver.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {5A3C6507-730A-43B2-8EAC-4C430F2EF35E} (PortfolioManager Class) - https://portfoliomanager.westpac.com.au/por...oliomanager.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7992.0163425926
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSCo...ol_v1-0-3-0.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab

Guest

  • Guest
« Reply #1 on: May 15, 2004, 08:12:54 PM »
Download and run CWShredder and then post a new log.

Vern

  • Guest
« Reply #2 on: May 16, 2004, 01:49:45 AM »
Hi,

Thanks for the advice.  I already downloaded and ran spybot, adware6 and CW shredder.

The post is after running the shredder.  I did run again on your advice, but the log is unchanged.

Further help greatly appreciated!

Thanks,
Vern

JG

  • Guest
« Reply #3 on: May 16, 2004, 11:42:41 AM »
I have been checking out your log and noticed a few things.

C:\WINDOWS\runwin32.exe
C:\WINDOWS\wininet32.exe

both appear to be trojans; they are running, so open Task Manager and end task before deleting.
http://securityresponse.symantec.com
http://www.ozzu.com/ftopic24717.html

delete:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.dnanow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.dnanow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz

Delete these and reset your internet connection at IE > Tools > Internet Options > Connections tab; uncheck the "use proxy" box or you will lose your internet connection:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

delete:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.dnanow.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [stsvwlsb] C:\WINDOWS\stsvwlsb.exe

O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe

I would remove these two unless you set spybot to lock them:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

I hope this helps.
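A defender's triage pass over the kind of log posted above, as an added example that is not code from this thread or from HijackThis: it parses lines in the HijackThis 1.97 log format and flags the patterns JG called out (IE start/search settings pointing at the hijack domains, a ProxyServer entry on 127.0.0.1, an orphaned URLSearchHook, Run entries that launch executables dropped directly in the Windows directory, and IE policy restrictions). The sample log is constructed from entries in the thread; the domain watch list and the "executable in the Windows root" heuristic are my assumptions rather than HijackThis rules, and a hit is a prompt to verify the file, not proof of infection.

```python
import re

# Constructed sample: a few lines in the HijackThis 1.97 log format,
# modelled on the entries discussed in the thread (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [stsvwlsb] C:\WINDOWS\stsvwlsb.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

# Assumed watch list: the domains this thread identifies as the hijacker's.
HIJACK_DOMAINS = ("easy-search.biz", "dnanow.com")

# "<section> - <rest>", e.g. "R1 - HKCU\...,Search Bar = http://..."
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<rest>.*)$")
# Registry-style R0/R1 entries: "<key>,<value name> = <data>"
REG_RE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
# O4 autoruns: "HKLM\..\Run: [<label>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.*)$")
# Heuristic (assumption): an .exe sitting directly in the Windows directory,
# not in System32 or another subfolder, is unusual for legitimate software.
WINROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\WINDOWS\\[^\\"]+\.exe"?(\s|$)', re.IGNORECASE)
# A proxy on the local machine means something on the box is relaying IE traffic.
LOOPBACK_RE = re.compile(r"^(127\.\d+\.\d+\.\d+|localhost)(:\d+)?$", re.IGNORECASE)


def analyze_line(line):
    """Return (section, reason) when a line matches a suspicious pattern, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group("section"), m.group("rest")

    if section in ("R0", "R1"):
        reg = REG_RE.match(rest)
        if not reg:
            return None
        name, data = reg.group("name").strip(), reg.group("data").strip()
        if name == "ProxyServer" and LOOPBACK_RE.match(data):
            return (section, f"IE proxy points at a loopback listener: {data}")
        if any(d in data.lower() for d in HIJACK_DOMAINS):
            return (section, f"IE setting '{name}' redirected to hijack domain: {data}")
        return None

    if section == "R3" and "(no file)" in rest:
        return (section, "URLSearchHook whose file is missing (orphaned hook)")

    if section == "O4":
        run = RUN_RE.match(rest)
        if run and WINROOT_EXE_RE.match(run.group("cmd")):
            return (section, f"autorun '{run.group('label')}' launches an executable "
                             f"dropped directly in the Windows directory: {run.group('cmd')}")
        return None

    if section == "O6":
        return (section, f"IE policy restriction present: {rest}")

    return None


def analyze_log(text):
    """Scan a whole log; returns a list of (section, reason, original line)."""
    findings = []
    for line in text.splitlines():
        hit = analyze_line(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, line in analyze_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Running it on the sample prints seven findings; the ProxyOverride = local line and the Google toolbar BHO are deliberately left alone, since the point is to surface the entries worth checking rather than to flag every line.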

Pmhutch

  • Guest
« Reply #4 on: May 21, 2004, 01:27:57 PM »
Yo, Can you put this in dummies terms? tell me what to do or email me at [email protected] PLEEEAAASE!!!

emiller FLORIDANOW.COM

  • Guest
« Reply #5 on: May 26, 2004, 05:55:39 PM »
Virus detected around the 15th.
Go to trendmicro.com (free online scan).

After it deletes the files wininet32.exe and runwin32.exe,
IE will appear not to work. Go to TOOLS > Internet Options >
CONNECTIONS > SETTINGS and change from "Proxy server"
to "automatically detect settings".
The internet STILL may not work; I went to SETUP a new connection
on the CONNECTIONS TAB, did one for local area
connection, and it WORKED.
IE is back online.
I immediately went to Windows Update (which did not work when the
machine was infected) and now that also works.

good luck

ed

Guest

  • Guest
« Reply #6 on: June 16, 2004, 07:34:46 PM »
hey, it's unable to run the free virus scan...it says

trend active update did not update successfully.  It may result from busy server or bad network traffic.

Error code:28
Error string:Generic source network failure

do you want to retry?

nothing is working, what should i do?

Sneaker22

  • Guest
« Reply #7 on: July 09, 2004, 10:07:31 PM »
I had the same problem and finally got rid of the pesky files.  Here's what you need to do:

Close all windows and rerun the HijackThis utility.  Remove all the references that 'JG' indicated in an earlier post.  Shutdown and Restart your system in Safe MODE.

After you're in safe mode, Go to Start > Search and under "More advanced search options".  Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete:

The C:\WINDOWS\runwin32.exe file and C:\WINDOWS\wininet.exe file

Before exiting from Safe mode, rerun the HijackThis utility to ensure the files are not there.  Then,  go to Control Panel > Internet Options.  On the General page, update your default home page to whatever it was before the virus took it over such as www.yahoo.com.  Then, click on the "Connections" Tab. Click on the "Settings" button under your Dialup connection or on the "LAN Settings" for broadband. Remove the check by "Use a proxy server for this connection" for dialup or for broadband remove the check by "Use a proxy server for your LAN". Click Apply then OK.

Logoff and Restart your system.

hate easysearch

  • Guest
« Reply #8 on: January 06, 2005, 08:42:24 PM »
Hi

I ran 10 different anti-adware programs and did all the things advised that I could find on the internet. Bottom line: I could not get rid of the easysearch.biz variant I have.

The basic problem is the 127.0.0.1 8080 proxy keeps coming back, both in IE and in the HKEY registry area. I think this calls somewhere and reloads the damn easysearch back into my computer.

I don't use a proxy in IE, nor do I use any hosts files, so I could care less if the proxy works in IE. I use a VPN connection or just plain connect to the internet.

My fix works fine with both of these connections.
The HKEY area where the proxy 127.0.0.1 8080 pops up also has a ProxyEnable and a MigrateProxy heading; I just modified the setting from 0 to 1. I think this turns the settings from on to off.

I am not an expert at all; I did this just on an off-the-cuff idea. I have not turned one on to see if both need to be off, or one or the other, for the final fix to work.

Anyway, no more easysearch: with the proxy turned off in IE, the final part of easysearch that I could not find and no anti-adware could get rid of does not work any more.


In a few months the anti-adware should be able to clean all of the easysearch out of the system, including the part I could never find that keeps turning the proxy settings back on, and then you could turn the proxy settings back on again.

Or, if you want to keep the ability to use the IE proxy, reload Windows from scratch. UG.

You need to get all the easysearch parts out of your system before doing this last thing I did. I always needed to manually remove the 6 different exe files that easysearch loads into my Windows folder.

Just run a Google search on "127.0.0.1 8080 easysearch biz" to find the other few web pages with the detailed removal instructions, which I found never fully work but get you 90 percent there.

Safe mode, of course, when you use regedit to change the proxy settings I talked about, and for everything else you do too.


Hope this helps

Regards

Offline hackologist+

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
« Reply #9 on: March 05, 2005, 10:55:49 AM »
Listen to a professional. Try these combinations of antispyware in order:
Ad-aware SE
eTrust Pest Patrol
XoftSpy
SpySweeper

If run in that order it should work.

Guest

  • Guest
« Reply #10 on: March 22, 2005, 07:30:28 PM »
DONT USE IE ITS PRONE TO GETTING SPYWARE ETC ETC GET FIREFOX.........WWW.GETFIREFOX.COM