easy-search hijack

Discussion in 'adware, spyware & hijack cleaning' started by chris, May 9, 2004.

Thread Status:
Not open for further replies.
  1. chris

    chris Registered Member

    Joined:
    May 3, 2004
    Posts:
    6
    Hi,
    My Internet Explorer homepage is being hijacked by easy-search.biz. I've run Hijack This and Spybot before and after rebooting but the evil little devil lingers. Here is my latest log.

    Logfile of HijackThis v1.95.0
    Scan saved at 4:43:03 PM, on 5/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\wanmpsvc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboFormWatcher.exe
    C:\WINNT\runwin32.exe
    C:\WINNT\wininet32.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    c:\program files\internet explorer\iexplore.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\America Online 9.0\aolwbspd.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://easy-search.biz
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://easy-search.biz
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar99.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboFormWatcher.exe
    O4 - HKCU\..\Run: [runwin32] C:\WINNT\runwin32.exe
    O4 - HKCU\..\Run: [wininet32] C:\WINNT\wininet32.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37896.7029166667
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://66.230.143.209/loader/dploader.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

    Any help or suggestions would be greatly appreciated.

    Thank You Very Much,

    Chris
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Chris,

    You are using an outdated version of Hijackthis, first follow fixes and after doing so post a follow-up log using the latest version : HijackThis 1.97.7

    have only Hijackthis running and fix :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://easy-search.biz
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://easy-search.biz

    O4 - HKCU\..\Run: [runwin32] C:\WINNT\runwin32.exe
    O4 - HKCU\..\Run: [wininet32] C:\WINNT\wininet32.exe

    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://66.230.143.209/loader/dploader.cab

    Restart PC after doing so and remove :

    C:\WINNT\runwin32.exe <- this file
    C:\WINNT\wininet32.exe <- this file

    Hope this helps

    Cheers,
     
  3. chris

    chris Registered Member

    Joined:
    May 3, 2004
    Posts:
    6
    Hi Unzy,
    Your suggestions seemed to have done the trick. Thank you very much. Here is my latest log, just in case:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:13:52 PM, on 5/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\wanmpsvc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboFormWatcher.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\America Online 9.0\aolwbspd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar99.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboFormWatcher.exe
    O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37896.7029166667
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D3F2E26-16B0-43D3-9E24-96FDE8899462}: NameServer = 205.188.146.146
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0D3F2E26-16B0-43D3-9E24-96FDE8899462}: NameServer = 205.188.146.146

    Love your beautiful country...love your exquisite Belgian beer perhaps even more. Thanks again.

    Chris
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Chris,

    You're welcome

    Glad we were able to help and good job cleaning up

    Thnx :D I second that!

    Take care

    Cheers,
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.