Explore hijacked to easy search!

  1. #1
    jcgb is offline Newbie


    Hello, my explorer is redirected to easy-search.biz, and I can't change the home page. I've already run Spybot and Ad-Aware, but the problem is still there. My Norton AntiVirus 2003 also seems to be affected (won't update properly), not sure if it's related though. Thanks for the help.

    The following is my Hijack This Log:

    Logfile of HijackThis v1.98.2
    Scan saved at 8:28:22 AM, on 11/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\logon.scr
    C:\WINNT\system32\rdpclip.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\iau.exe
    C:\WINNT\stisvsq.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINNT\svshost.exe
    C:\WINNT\msqdevl.exe
    C:\WINNT\lssas.exe
    C:\WINNT\mservice.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    C:\Documents and Settings\dhaynes.SCHULZEHAYNES\Desktop\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
    O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
    O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
    O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
    O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
    O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
    O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
    O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
    O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
    O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
    O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
    O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = schulzehaynes.la
    O17 - HKLM\Software\..\Telephony: DomainName = schulzehaynes.la
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C6174334-52FB-4CCB-9FEB-F6966753C3DC}: NameServer = 192.168.254.81,192.168.254.86
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = schulzehaynes.la

  2. #2
    owen is offline D-A-L Team Member (UK)
    Could you please download and run CWShredder which will get rid of the majority of CWS Browser Hijacker infections. Please ensure that you click Fix and click Ok to any prompts. Make sure you don't only scan.

    Then reboot and post a fresh log.

  3. #3
    jcgb is offline Newbie
    Owen, thanks for the reply. I used CWShredder as you instructed and rebooted, but the problem is still there. CWShredder said it fixed two reg entries. Before rebooting I checked with HijackThis and the easy-search entries were gone; however, after rebooting I scanned with HijackThis and the easy-search entries were right back.

    Below is the new log:

    Logfile of HijackThis v1.98.2
    Scan saved at 4:43:31 PM, on 11/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\rdpclip.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\stisvsq.exe
    C:\WINNT\svshost.exe
    C:\WINNT\msqdevl.exe
    C:\WINNT\lssas.exe
    C:\WINNT\mservice.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINNT\iau.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Documents and Settings\dhaynes.SCHULZEHAYNES\Desktop\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
    O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
    O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
    O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
    O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
    O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
    O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
    O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
    O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
    O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
    O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
    O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = schulzehaynes.la
    O17 - HKLM\Software\..\Telephony: DomainName = schulzehaynes.la
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C6174334-52FB-4CCB-9FEB-F6966753C3DC}: NameServer = 192.168.254.81,192.168.254.86
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = schulzehaynes.la

  4. #4
    owen is offline D-A-L Team Member (UK)
    CWShredder isn't always guaranteed to work; if it leaves some of the files responsible for installing Easy Search on your system, it's likely that it will come back.

    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
    O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
    O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
    O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
    O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
    O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
    O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
    O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
    O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
    O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
    O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
    O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe

    Click Fix Checked.

    Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

    Delete the following files and folders. Some of the files to delete below have notes about similar files; please read them and take care!

    C:\WINNT\iau.exe
    C:\WINNT\stisvsq.exe
    C:\WINNT\svshost.exe (Note: Don't delete the valid svchost.exe file in C:\WINNT\System32!)
    C:\WINNT\msqdevl.exe
    C:\WINNT\lssas.exe (Note: Don't delete the valid lsass.exe file in C:\WINNT\System32!)
    C:\WINNT\mservice.exe

    Reboot and post a fresh log.
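As an added illustration, not code from this thread or from HijackThis, the Python script below applies the reasoning behind the removal list above to log lines in the HijackThis v1.98.2 format: Run entries whose image name is one edit away from a core Windows process name (svshost.exe against svchost.exe, lssas.exe against lsass.exe), bare filenames with no directory that must be located on disk before deletion, and the loopback proxy and start page values. The core-name list and the sample lines are assumptions constructed for the example.

```python
import re

# Assumed list of core Windows XP process names that hijackers imitate.
CORE_NAMES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost", "spoolsv", "explorer"}
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[.*?\] (.*)$")
R_RE = re.compile(r"^R[01] - .*?,(Start Page|ProxyServer) = (.*)$")

# Constructed sample in the HijackThis v1.98.2 line format seen in this thread.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe"""

def osa_distance(a, b):
    """Edit distance that counts an adjacent-character swap as one edit."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]

def lookalike(filename):
    """Core process name that `filename` is one edit away from, else None."""
    stem = filename.lower()[:-4] if filename.lower().endswith(".exe") else filename.lower()
    if stem in CORE_NAMES:  # the genuine name is not a lookalike
        return None
    best = min(CORE_NAMES, key=lambda core: osa_distance(stem, core))
    return best if osa_distance(stem, best) <= 1 else None

def triage(log_text):
    """Return (section, item, reason) findings a helper would look at first."""
    findings = []
    for line in log_text.splitlines():
        if m := O4_RE.match(line):
            cmd = m.group(2)  # quoted full path, or a bare word plus arguments
            image = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
            name = image.rsplit("\\", 1)[-1]
            if core := lookalike(name):
                findings.append(("O4", name, f"name imitates {core}.exe"))
            elif "\\" not in image:  # resolved via the search path, not a fixed location
                findings.append(("O4", name, "bare filename, verify where it lives on disk"))
        elif m := R_RE.match(line):
            key, value = m.groups()
            if key == "ProxyServer" and value.startswith("127.0.0.1"):
                findings.append(("R1", value, "all browser traffic goes through a local proxy"))
            elif key == "Start Page":
                findings.append(("R0", value, "home page value, confirm it is intended"))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the two lookalike names, the bare mobsync.exe entry for a location check, the loopback proxy and the start page, while the fully qualified ccApp.exe entry produces no finding.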
