Author Topic: Help with easy-search.biz please! (Read 1458 times)

Jorge · « **on:** February 08, 2005, 12:35:37 AM »

Hi, someone used my computer and now everytime i open IE easy-search.biz appers and i can't access any other web page, i don't care because i always can use dogzilla, but don't know why i can't use messenger 7.0 either, it's says Im unable to connect to .net account, and i also get a message saying i got spyware and if i want to remove it and if i click on it, it sends me to a url. I used, adaware SE, spybot, and microsoft spyware removal. any help guys? Please, im going crazy

Logfile of HijackThis v1.99.0
Scan saved at 11:33:33 p.m., on 07/02/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
c:\archiv~1\intern~1\iexplore.exe
c:\archiv~1\intern~1\iexplore.exe
C:\Archivos de programa\Microsoft AntiSpyware\gcasDtServ.exe
C:\Archivos de programa\mozilla.org\Mozilla\mozilla.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.xknqthnyzgsdqlfi.uk/E_tFKiQ/X_L...m4IkqyGQlT8.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rkqehxpcyglucfqopg.com/E_tFKiQ/...m4IkqyGQlT8.jpg
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Archivos de programa\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Archivos de programa\ICQ\NDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Updater Service] wmiprvsa.exe
O4 - HKLM\..\Run: [System Update Service] wmiprvsc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [ssweeper] XTermInit.exe
O4 - HKLM\..\Run: [media64] StartCpl.exe
O4 - HKLM\..\Run: [DNSCacheBoost] C:\WINDOWS\System32\dnsping.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Archivos de programa\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [Windows Updater Service] wmiprvsa.exe
O4 - HKLM\..\RunServices: [System Update Service] wmiprvsc.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Archivos de programa\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Clock] C:\WINDOWS\ntvdm.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [wipe cash] C:\DOCUME~1\Default\DATOSD~1\CAKEPH~1\software glue.exe
O4 - Startup: Inicio de Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA.EXE
O4 - Startup: Búsqueda rápida de Microsoft.lnk = C:\Archivos de programa\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Archivos de programa\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Archivos de programa\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103100032406
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (Control HouseCall) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{256ED802-2912-4C09-ACD0-7E398841F7F3}: NameServer = 69.50.188.180 195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A07F92F-BCE7-4582-985C-0D6677E3B8FE}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2988D54-0967-4E7E-9DB3-40528A34F2EA}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{256ED802-2912-4C09-ACD0-7E398841F7F3}: NameServer = 69.50.188.180 195.225.176.31
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: Servicio del administrador de discos lógicos - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: Escritorio remoto compartido de NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: DSDM de DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: PCTEL Speaker Phone - Unknown - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Plug and Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Sistema de ayuda de tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Registros y alertas de rendimiento - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telnet - Unknown - C:\WINDOWS\System32\tlntsvr.exe
O23 - Service: Instantáneas de volumen - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe

guestolo · « **Reply #1 on:** February 08, 2005, 03:15:19 PM »

Sorry for the delay Jorge

Here's some info. about EasySearch from Symantec, we should be able to clear it all with Hijackthis
http://sarc.com/avcenter/venc/data/adware.easysearch.html

===Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the whole contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this on the Desktop, don't run it yet

Quote

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains][HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

I've upload a file at the bottom of this reply box>>Remv3.zip
Please download and save it to desktop
UNZIP the contents to a folder

Please Print this out, or save it to a Notepad file on your desktop
Also, know how to start in safe mode, I provided a link below
Close all browser windows, including this one

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.xknqthnyzgsdqlfi.uk/E_tFKiQ/X_L...m4IkqyGQlT8.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rkqehxpcyglucfqopg.com/E_tFKiQ/...m4IkqyGQlT8.jpg
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://

O4 - HKLM\..\Run: [Windows Updater Service] wmiprvsa.exe
O4 - HKLM\..\Run: [System Update Service] wmiprvsc.exe

O4 - HKLM\..\Run: [ssweeper] XTermInit.exe
O4 - HKLM\..\Run: [media64] StartCpl.exe
O4 - HKLM\..\Run: [DNSCacheBoost] C:\WINDOWS\System32\dnsping.exe

O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe

O4 - HKLM\..\RunServices: [Windows Updater Service] wmiprvsa.exe
O4 - HKLM\..\RunServices: [System Update Service] wmiprvsc.exe

O4 - HKCU\..\Run: [Clock] C:\WINDOWS\ntvdm.exe

O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [wipe cash] C:\DOCUME~1\Default\DATOSD~1\CAKEPH~1\software glue.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -

O17 - HKLM\System\CCS\Services\Tcpip\..\{256ED802-2912-4C09-ACD0-7E398841F7F3}: NameServer = 69.50.188.180 195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A07F92F-BCE7-4582-985C-0D6677E3B8FE}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2988D54-0967-4E7E-9DB3-40528A34F2EA}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{256ED802-2912-4C09-ACD0-7E398841F7F3}: NameServer = 69.50.188.180 195.225.176.31
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

RESTART your Computer in SAFE MODE

Find and delete these files or folders if they exist
It's very important that you find files with the EXACT spelling, don't get confuse with legitimate files
FILES

C:\WINDOWS\System32\dnsping.exe <--file
C:\WINDOWS\System32\vbsys2

C:\WINDOWS\stisvsq.exe
C:\WINDOWS\svshost.exe
C:\WINDOWS\msqdevl.exe
C:\WINDOWS\mservice.exe
C:\WINDOWS\iau.exe
C:\WINDOWS\lssas.exe
c:\x.cab
Also look for these next ones, possibly in your
WINDOWS or System32 folder
But do a search for them
wmiprvsa.exe
wmiprvsc.exe
XTermInit.exe
StartCpl.exe

C:\Documents and Settings\Default\DATOSD~1 <--this folder
I'm not sure of the exact name but it begins with DATOSD

Stay in safe mode
Double click on fix.reg and allow it to merge to the registry

IMPORTANT
Access your Control Panel>>Internet Options
Open the Connections tab
Under Dialup setting and VP network settings
Click the Settings button if highlighted and Uncheck
"Use Proxy Server"
Do the same for LAN Settings
This is important to keep Internet connection and you must be offline well doing this

IMPORTANT>>and you must be In safe mode for this too work
With windows set to Show Hidden Files and Folders

In safe mode open the folder you unzipped the contents of remv3.zipand Double click on
remv3.bat
Let it run until the dos window closes

RESTART back to Normal mode

Don't open a browser and go back to Control Panel>>Internet options
and ensure that the Proxy Servers are still UNCHECKED

Remv3.bat would of produced a log
Navigate to c:\log.txt and post the whole contents of this log, thanks

Also post back a fresh hijackthis log

[attachment=17:attachment]

jorge · « **Reply #2 on:** February 09, 2005, 12:42:25 AM »

thanks man, seems it's working, i just got the you got spyware in your computer, a message that seems from windows, but that's all here is what you asked for:

Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------

Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
msi.dll
Finished

and hijack
Logfile of HijackThis v1.99.0
Scan saved at 11:40:51 p.m., on 08/02/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Archivos de programa\Java\j2re1.4.2_06\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Archivos de programa\Microsoft Office\Office\OSA.EXE
C:\Archivos de programa\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\mozilla.org\Mozilla\mozilla.exe
C:\WINDOWS\iau.exe
C:\WINDOWS\stisvsq.exe
C:\WINDOWS\svshost.exe
C:\WINDOWS\msqdevl.exe
C:\WINDOWS\lssas.exe
C:\WINDOWS\mservice.exe
C:\WINDOWS\explorer.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://tlqgagpuholwwfhthmt.uk/E_tFKiQ/X_Lm...34IkqyGQlT8.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\System32\netcfg.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Archivos de programa\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Archivos de programa\ICQ\NDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Archivos de programa\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - Startup: Inicio de Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA.EXE
O4 - Startup: Búsqueda rápida de Microsoft.lnk = C:\Archivos de programa\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Archivos de programa\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Archivos de programa\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103100032406
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (Control HouseCall) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{256ED802-2912-4C09-ACD0-7E398841F7F3}: NameServer = 69.50.188.180 195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{256ED802-2912-4C09-ACD0-7E398841F7F3}: NameServer = 69.50.188.180 195.225.176.31
O23 - Service: Servicio del administrador de discos lógicos - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: Escritorio remoto compartido de NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: DSDM de DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: PCTEL Speaker Phone - Unknown - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Plug and Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Sistema de ayuda de tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Registros y alertas de rendimiento - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telnet - Unknown - C:\WINDOWS\System32\tlntsvr.exe
O23 - Service: Instantáneas de volumen - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe

thank you

guestolo · « **Reply #3 on:** February 09, 2005, 01:07:36 AM »

Microsoft's Anti-Spyware Protection is probably getting in the way
Disable it's realtime protection permanently until we have you clean

Download and Install this small program
to help clean your temp folders,cookies,prefeth folder, etc...
Windows Cleanup
Don't run it yet

Print this out or save to a notepad file

RESTART into SAFE MODE

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Find and delete these files or folders if they exist

C:\WINDOWS\iau.exe
C:\WINDOWS\stisvsq.exe
C:\WINDOWS\svshost.exe
C:\WINDOWS\msqdevl.exe
C:\WINDOWS\lssas.exe
C:\WINDOWS\mservice.exe
C:\WINDOWS\System32\netcfg.dll

Do another scan with Hijackthis in safe mode and put a tick next to these entries

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://tlqgagpuholwwfhthmt.uk/E_tFKiQ/X_Lm...34IkqyGQlT8.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\System32\netcfg.dl

O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe

O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -

O17 - HKLM\System\CCS\Services\Tcpip\..\{256ED802-2912-4C09-ACD0-7E398841F7F3}: NameServer = 69.50.188.180 195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{256ED802-2912-4C09-ACD0-7E398841F7F3}: NameServer = 69.50.188.180 195.225.176.31

Stay in safe mode and access your Internet Options via Control Panel
Under the connections tabs..Settings... ensure there is no check in Proxy Servers

Stay in safe mode and Open Windows CleanUp!
START>>All programs>>CleanUp
Let it finish scanning for files
When it's done restart back to Normal mode

But stay Disconnected from the Internet
Go back and ensure there isn't a check in Proxy Servers

Post back a fresh Hijackthis log
Let me know if you were able to delete those files
They should be there, I see them in your running processes

EDIT>>>Can you look for the existence of these files on your computer
Let me know they exist>>>Could be part of the problem
Runwin32.exe
wininet32.exe

Guest · « **Reply #4 on:** March 09, 2005, 07:03:38 PM »

thank you very much for this post, it help me so much to delete this fuc*** spyware.

See u!

TheTechGuide Forum

News:

Author Topic: Help with easy-search.biz please! (Read 1458 times)

Jorge

Help with easy-search.biz please!

guestolo

Help with easy-search.biz please!

jorge

Help with easy-search.biz please!

guestolo

Help with easy-search.biz please!

Guest

Help with easy-search.biz please!