easy-search SOB story

Discussion in 'adware, spyware & hijack cleaning' started by chickenminer, May 15, 2004.

Thread Status:
Not open for further replies.
  1. chickenminer

    chickenminer Registered Member

    Joined:
    May 15, 2004
    Posts:
    6
    Oh man...
    I am pulling my hair out trying to get rid of this IE hijacker easy-search.biz.
    I must be missing something, because when I delete everything with Ad-aware and HJT, and go into regedit to clean out the runwin32.exe file, it still comes back!
    Please help folks!
    Here is HJT log:


    Logfile of HijackThis v1.97.3
    Scan saved at 4:36:22 PM, on 5/15/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\StarBand\Mission Control\HsuGui\HsuGuiControl.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\StarBand\Mission Control\TaskBarClient.exe
    C:\WINDOWS\runwin32.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ProxyToggleToo.exe
    C:\Program Files\Gilat\QMS\QMS.exe
    C:\Program Files\Gilat\GSU\GSU.exe
    C:\Program Files\Gilat\IBQoS\ibqossvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\GILAT\Internet Page Accelerator\RPAService.exe
    C:\PROGRA~1\GILAT\INTERN~1\AS_Agent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe
    C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
    C:\Program Files\Gilat\NetAgent.exe
    C:\PROGRA~1\StarBand\MISSIO~1\evrep.exe
    C:\Program Files\temp2\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877;https=127.0.0.1:9877
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo 960] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P22 "EPSON Stylus Photo 960" /O5 "LPT1:" /M "Stylus Photo 960"
    O4 - HKLM\..\Run: [HsuGuiControl] C:\Program Files\StarBand\\Mission Control\HsuGui\HsuGuiControl.exe
    O4 - HKLM\..\Run: [NettGain2000 Verifier] C:\Program Files\Flash Networks\NettGain2000\Bst\NettGain2000 Verifier.exe
    O4 - HKLM\..\Run: [TaskBarClient] C:\Program Files\StarBand\\Mission Control\TaskBarClient.exe
    O4 - HKLM\..\RunServices: [NettGain2000] C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ProxyToggleToo.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
    O16 - DPF: {5EB6A98B-F75B-4AC7-821D-BAD2C29D18C2} (CVALAXObj Class) - https://www.crystalvoicelive.com/download/CVALAX.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi chickenminer,

    Can you first download and run this program? :

    CWShredder

    Open -> 'fix' -> click 'next'

    Repost another HijackThis log after doing so please

    Thnx!

    Cheers,
     
  3. chickenminer

    chickenminer Registered Member

    Joined:
    May 15, 2004
    Posts:
    6
    Hi Unzy,
    I have run CWShredder already (ver. 1.57), but I did it again and I'll post the new HJT log. This hijacker is insidious.... the registry keys come back as fast as I can delete them!! I have run Ad-aware, Spybot.... you name it! I have the dllfix program too if you want me to run that.
    Really appreciate the help !!
    Cheers- Chickenminer

    Logfile of HijackThis v1.97.3
    Scan saved at 6:03:54 PM, on 5/15/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\StarBand\Mission Control\HsuGui\HsuGuiControl.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\StarBand\Mission Control\TaskBarClient.exe
    C:\WINDOWS\runwin32.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ProxyToggleToo.exe
    C:\Program Files\Gilat\QMS\QMS.exe
    C:\Program Files\Gilat\GSU\GSU.exe
    C:\Program Files\Gilat\IBQoS\ibqossvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\GILAT\Internet Page Accelerator\RPAService.exe
    C:\PROGRA~1\GILAT\INTERN~1\AS_Agent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe
    C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
    C:\Program Files\Gilat\NetAgent.exe
    C:\PROGRA~1\StarBand\MISSIO~1\evrep.exe
    C:\Program Files\temp2\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877;https=127.0.0.1:9877
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo 960] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P22 "EPSON Stylus Photo 960" /O5 "LPT1:" /M "Stylus Photo 960"
    O4 - HKLM\..\Run: [HsuGuiControl] C:\Program Files\StarBand\\Mission Control\HsuGui\HsuGuiControl.exe
    O4 - HKLM\..\Run: [NettGain2000 Verifier] C:\Program Files\Flash Networks\NettGain2000\Bst\NettGain2000 Verifier.exe
    O4 - HKLM\..\Run: [TaskBarClient] C:\Program Files\StarBand\\Mission Control\TaskBarClient.exe
    O4 - HKLM\..\RunServices: [NettGain2000] C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ProxyToggleToo.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
    O16 - DPF: {5EB6A98B-F75B-4AC7-821D-BAD2C29D18C2} (CVALAXObj Class) - https://www.crystalvoicelive.com/download/CVALAX.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. chickenminer

    chickenminer Registered Member

    Joined:
    May 15, 2004
    Posts:
    6
    Hi Unzy,
    I also ran FindAll.
    Here is output.txt and windows.txt files ;

    --===**'FIND-ALL' VERSION 3.1, 5/13**===--


    Sat May 15 18:26:57 2004 -- Results:
    *System Info:

    Microsoft Windows XP [Version 5.1.2600]
    C: "DRIVE_C" (A49F:A63C) - FS:NTFS clusters:4k
    Total: 19 962 753 024 [19G] - Free: 12 367 826 944 [12G]


    Locked or 'Suspect' file(s) found...
    \\?\C:\WINDOWS\System32\SQL.DLL +++ File read error
    \\?\C:\WINDOWS\System32\SQL.DLL +++ File read error


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710
    "AppInit_DLLs"=""

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
    @="NAV Helper"

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    
    windows.txt file ...
    [windows.txt: raw binary registry hive (regf/hbin) export of the Windows key, not readable as text; the only recoverable content is the value names DeviceNotSelectedTimeout, GDIProcessHandleQuota, Spooler, swapdisk, TransmissionRetryTimeout, USERProcessHandleQuota and AppInit_DLLs, matching the REGEDIT4 listing above]
     
    Last edited by a moderator: May 16, 2004
  5. chickenminer

    chickenminer Registered Member

    Joined:
    May 15, 2004
    Posts:
    6
    I also ran Registrar Lite.
    Under "AppInit_Dlls" I get
    Type: REG_SZ
    Size: 1
    Value: nothing listed here

    Does this help any ?
    Thanks for the help folks

    Best, Chickenminer
     
  6. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Well this is another type of Hijack, the AppInit key is not involved here.

    But xfind did catch a suspicious dll, just to make sure it's not a legit one can you please email me :

    C:\WINDOWS\System32\SQL.DLL <- this dll (if it's visible that is)

    unzyATwilderssecurity.com (AT = @)

    Also post a fresh hijackthis log

    Thnx!

    Cheers,
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    unless you are running a proxy server on your computer for a genuine reason then fix this one
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877;https=127.0.0.1:9877
    and go to ie/tools/options/connections and untick use a proxy server


    several of these pests are using a hidden proxy on the computer to redirect you and always download updates

    and what is this
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ProxyToggleToo.exe

    I can't find anything about it and suspect it to be a part of the problem

    If you knowingly installed it yourself then please give us a link to where you downloaded it, if not then send me the file to look at please
    submit@thespykiller.co.uk



    Edit:

    I've just seen you use starburst so the proxy server is probably genuine and not a bad one, but if the proxy toggle too is the starburst version, make sure you are actually using starburst's proxy and not a "strange or funny one"
     
    Last edited: May 16, 2004
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    and

    boot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    and delete

    C:\WINDOWS\runwin32.exe
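    A way to read logs like the ones in this thread programmatically, as an added example (this is not code from the thread, from HijackThis or from any of the posters): a Python triage script that parses HijackThis-style lines, uses the O14 IERESET.INF default as the expected start-page host and flags R0/R1 start/search entries that point elsewhere, flags a loopback ProxyServer for review (as dvk01 notes above, it can be legitimate), flags startup items listed without a path and processes running straight from the Windows directory, and diffs a before/after log so you can see what a cleanup actually removed. The sample lines are constructed to match the thread's log format (not the full logs), and the allowlist of executables expected in the Windows directory is illustrative, not authoritative.

```python
"""HijackThis-style log triage (added example, not from the thread or from HijackThis)."""
import re
from urllib.parse import urlparse

# Constructed sample lines modelled on the thread's log format (not the full logs).
SAMPLE_BEFORE = """\
Running processes:
C:\\WINDOWS\\Explorer.EXE
C:\\WINDOWS\\runwin32.exe
C:\\Program Files\\temp2\\HijackThis.exe

R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://easy-search.biz
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://easy-search.biz
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:9877;https=127.0.0.1:9877
O4 - HKLM\\..\\Run: [NAV Agent] C:\\PROGRA~1\\NORTON~1\\navapw32.exe
O4 - Global Startup: ProxyToggleToo.exe
O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
"""

SAMPLE_AFTER = """\
Running processes:
C:\\WINDOWS\\Explorer.EXE
C:\\Program Files\\temp2\\HijackThis.exe

R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:9877;https=127.0.0.1:9877
O4 - HKLM\\..\\Run: [NAV Agent] C:\\PROGRA~1\\NORTON~1\\navapw32.exe
O4 - Global Startup: ProxyToggleToo.exe
O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# Executables that legitimately live directly in the Windows directory (illustrative allowlist).
WINDIR_ALLOW = {"explorer.exe"}


def parse_hjt(text):
    """Split a log into (processes, entries); entries is a list of (type, body) tuples."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def _host(url):
    return (urlparse(url).hostname or "").lower()


def triage(text):
    """Return a list of (severity, message) findings for one log."""
    processes, entries = parse_hjt(text)
    findings = []

    # The O14 line records IE's reset default; treat its host as the expected start page.
    default_host = ""
    for kind, body in entries:
        if kind == "O14" and "START_PAGE_URL=" in body:
            default_host = _host(body.split("START_PAGE_URL=", 1)[1].strip())

    for kind, body in entries:
        if kind in ("R0", "R1") and " = " in body:
            key, value = body.split(" = ", 1)
            if key.endswith("ProxyServer"):
                # A loopback proxy is how some hijackers redirect traffic, but it is also
                # how legitimate accelerators work, so it is a review item, not a verdict.
                if re.search(r"\b(127\.0\.0\.1|localhost)\b", value):
                    findings.append(("review", f"proxy points at loopback: {value} "
                                               "(legitimate only if a local proxy is expected)"))
            else:
                h = _host(value.strip())
                if h and h != default_host:
                    findings.append(("high", f"IE setting '{key}' redirected to {h} "
                                             f"(reset default is {default_host or 'unknown'})"))
        elif kind == "O4" and body.startswith("Global Startup:") and "\\" not in body:
            findings.append(("review", f"startup item without a path: {body}"))

    for proc in processes:
        # Files dropped straight into C:\WINDOWS (rather than a subdirectory) deserve a look.
        m = re.match(r"^[A-Za-z]:\\windows\\([^\\]+)$", proc, re.IGNORECASE)
        if m and m.group(1).lower() not in WINDIR_ALLOW:
            findings.append(("high", f"process running directly from the Windows directory: {proc}"))
    return findings


def diff_logs(before, after):
    """Return (removed, added): items present only in `before`, and only in `after`."""
    b_procs, b_entries = parse_hjt(before)
    a_procs, a_entries = parse_hjt(after)
    b = set(b_procs) | {f"{k} - {v}" for k, v in b_entries}
    a = set(a_procs) | {f"{k} - {v}" for k, v in a_entries}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_BEFORE):
        print(f"[{sev}] {msg}")
    removed, added = diff_logs(SAMPLE_BEFORE, SAMPLE_AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
```

    Run against the constructed "before" log this reports the two redirected R entries, the loopback proxy and the path-less startup item as review items, and runwin32.exe as a process running straight from the Windows directory; against the "after" log only the two review items remain, and the diff lists exactly the three lines the cleanup removed. The point of keying the expected host off O14 rather than a hard-coded domain list is that it catches any redirect, not just the one this thread happens to be about.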
     
  9. chickenminer

    chickenminer Registered Member

    Joined:
    May 15, 2004
    Posts:
    6
    Hey Unzy and dvK01.....
    THANKS for the help !!
    First... Unzy I couldn't copy the SQL.DLL , kept giving me "access denied, file in use" even in safe mode.
    As for the rest.
    dvK01.... the proxy and proxy toggle are legit. No problem there, they are useful tools for my Starband internet connection.
    I went into Safe Mode, ran Ad-aware, Spybot, CWShredder and regedit. Deleted runwin32.exe and everything else I could find on easy-search, about:blank, coolwebsearch..... I searched for everything!!!
    Booted back into XP and here is the latest HJT log;

    Logfile of HijackThis v1.97.3
    Scan saved at 9:12:01 AM, on 5/16/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\StarBand\Mission Control\HsuGui\HsuGuiControl.exe
    C:\Program Files\StarBand\Mission Control\TaskBarClient.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ProxyToggleToo.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Gilat\QMS\QMS.exe
    C:\Program Files\Gilat\GSU\GSU.exe
    C:\Program Files\Gilat\IBQoS\ibqossvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\GILAT\Internet Page Accelerator\RPAService.exe
    C:\PROGRA~1\GILAT\INTERN~1\AS_Agent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe
    C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
    C:\Program Files\Gilat\NetAgent.exe
    C:\PROGRA~1\StarBand\MISSIO~1\evrep.exe
    C:\Program Files\temp2\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877;https=127.0.0.1:9877
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo 960] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P22 "EPSON Stylus Photo 960" /O5 "LPT1:" /M "Stylus Photo 960"
    O4 - HKLM\..\Run: [HsuGuiControl] C:\Program Files\StarBand\\Mission Control\HsuGui\HsuGuiControl.exe
    O4 - HKLM\..\Run: [NettGain2000 Verifier] C:\Program Files\Flash Networks\NettGain2000\Bst\NettGain2000 Verifier.exe
    O4 - HKLM\..\Run: [TaskBarClient] C:\Program Files\StarBand\\Mission Control\TaskBarClient.exe
    O4 - HKLM\..\RunServices: [NettGain2000] C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ProxyToggleToo.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
    O16 - DPF: {5EB6A98B-F75B-4AC7-821D-BAD2C29D18C2} (CVALAXObj Class) - https://www.crystalvoicelive.com/download/CVALAX.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  10. chickenminer

    chickenminer Registered Member

    Joined:
    May 15, 2004
    Posts:
    6
    Hey Guys,
    I think I've got it :D !!
    No more hijack by easy-search and the HJT log looks clean now.
    Really appreciate the help! You guys are awesome to help out so many folks, I know how frustrating it is trying to fix one of these blasted hijacks :mad: !

    THANKS AGAIN !!
    ~Chickenminer~
     