http://easy-search.biz PROBLEMS


  • This topic is locked
19 replies to this topic

#1 ScumwareH8er

ScumwareH8er

    Member

  • Full Member
  • Pip
  • 15 posts

Posted 19 May 2004 - 04:44 AM

I don't know what to do anymore. easy-search is killing me. Also, on my desktop I have an icon named SEXDIAL and it pops up a "Cassinopalazzo" page every few minutes. I often receive 404 error pages and some weird "google cannot find" pages... PLEASE HELP! I tried deleting all that is affiliated with easy-search in the log but it appears over and over...


Logfile of HijackThis v1.97.7
Scan saved at 11:37:52, on 19.5.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\runwin32.exe
C:\WINDOWS\System32\iexplore.exe
C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
C:\WINDOWS\wininet32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALURIA~1\ASE\ASE.exe
C:\Documents and Settings\jurcicd\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - "C:\WINDOWS\System32\smiehlp.dll (file missing)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [teaibdh] rundll32 C:\WINDOWS\System32:teaibdh.dll,Init 1
O4 - HKLM\..\Run: [winwan 0l7064] "C:\Program Files\winwan\winwan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - HKCU\..\Run: [iexplore] C:\WINDOWS\System32\iexplore.exe
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7879.1607986111
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 ScumwareH8er

Posted 19 May 2004 - 05:41 AM

PLEASE SOMEONE!

#3 Wiskonst

Wiskonst

    Advanced Member

  • Helper
  • PipPipPip
  • 152 posts

Posted 19 May 2004 - 05:47 AM

ScumwareH8er

Please download CWShredder and unzip it to a folder.

Run it in Windows Safe Mode (reboot, hit F8 and choose 'Start in Safe Mode') while no other programs are running. Hit the Fix-button, not the Scan-button, and let it finish.

Boot to normal mode again and post a fresh Hijack This log.
_______
Wiskonst

Edited by Wiskonst, 19 May 2004 - 05:50 AM.


#4 ScumwareH8er

Posted 19 May 2004 - 05:52 AM

Okay, I will do that, thanks.

#5 ScumwareH8er

Posted 19 May 2004 - 05:59 AM

I did all as you said.
After the "fixing" was done the prog. said that there were no infections.
Here's the log:

Logfile of HijackThis v1.97.7
Scan saved at 12:57:42, on 19.5.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\runwin32.exe
C:\WINDOWS\wininet32.exe
C:\WINDOWS\System32\iexplore.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\jurcicd\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - "C:\WINDOWS\System32\smiehlp.dll (file missing)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [teaibdh] rundll32 C:\WINDOWS\System32:teaibdh.dll,Init 1
O4 - HKLM\..\Run: [winwan 0l7064] "C:\Program Files\winwan\winwan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - HKCU\..\Run: [iexplore] C:\WINDOWS\System32\iexplore.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7879.1607986111
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#6 Wiskonst

Posted 19 May 2004 - 06:35 AM

ScumwareH8er

Go to Task Manager and finish the following processes if you find them:
- C:\WINDOWS\runwin32.exe
- C:\WINDOWS\wininet32.exe
- C:\WINDOWS\System32\iexplore.exe

Then do an online virus scan.

Download Rapidblaster Killer and run it.

Have Hijack This fix the following lines (if they are still there after the scan):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - "C:\WINDOWS\System32\smiehlp.dll (file missing)
O4 - HKLM\..\Run: [teaibdh] rundll32 C:\WINDOWS\System32:teaibdh.dll,Init 1
O4 - HKLM\..\Run: [winwan 0l7064] "C:\Program Files\winwan\winwan.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - HKCU\..\Run: [iexplore] C:\WINDOWS\System32\iexplore.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Do this by closing all browser windows, placing a checkmark before the above items and clicking the Fix-button.

Set Explorer to display hidden files and delete the following files:
- C:\Program Files\winwan\winwan.exe
- C:\WINDOWS\runwin32.exe
- C:\WINDOWS\wininet32.exe
- C:\WINDOWS\System32\iexplore.exe
If you can't find or delete any of these, find them in Safe Mode.
(It is also possible the virusscan already deleted them.)

Then please post a fresh log here again.

Do you have an internet connection on the machine at hand?
If not, download WinsockXPfix and Lspfix. In the next post I will give instructions how to use them.
_______
Wiskonst

Edited by Wiskonst, 19 May 2004 - 06:55 AM.


#7 ScumwareH8er

Posted 19 May 2004 - 05:24 PM

If I end these processes and delete them in the virus scan then I cannot browse pages anymore. What should I do?

#8 ScumwareH8er

Posted 20 May 2004 - 03:58 AM

OK, this is what I did.
I didn't end or delete those applications because I do not have another internet connection at hand.
I have scanned the PC with AV and removed several trojans, but not those in wininet and runwin32 (iexplore seems to be uninfected) cuz I will lose my browsing ability that way.
I found no infections with Rapidblaster Killer.
I've fixed all those lines from the log that you said but most of them appear again. (I guess it's cuz there are still infected files.)
Tell me what I should do. (I've downloaded those 2 progs too.)

thank you

#9 Wiskonst

Posted 20 May 2004 - 06:42 AM

ScumwareH8er

You can safely finish, fix with HJT and delete runwin32.exe and wininet32.exe as in my previous post. It will not influence your internet connection. They are viruses.

As for iexplore.exe, look in C:\Program files whether there is a folder called 'Internet Explorer'. It should contain the file 'iexplore.exe'.
This is the proper Internet Explorer; if it is present you can safely delete the file with the same name in the C:\Windows\system32 folder. Also fix the entry in Hijack This.

With my question on your internet connection I meant whether your internet connection works properly at the moment. There is a line in the log that this might not be the case. If the connection is all right now we don't need the programs WinsockXPfix and Lspfix.

So the two files runwin32.exe and wininet32.exe can be deleted, for iexplore.exe first look in C:\Program files\Internet Explorer.
_______
Wiskonst
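
The checks applied by eye in posts #6 and #9 (a well-known binary name running from the wrong folder, a Run entry loading from a `folder:stream` path, a proxy pointed at loopback, one URL written into many IE keys) can be scripted over a HijackThis log. This is an added example, not part of the original thread and not HijackThis code; the rule names, the `EXPECTED_DIR` table and the `min_keys` threshold are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\iexplore.exe
C:\Program Files\Eset\nod32krn.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O4 - HKLM\..\Run: [teaibdh] rundll32 C:\WINDOWS\System32:teaibdh.dll,Init 1
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [iexplore] C:\WINDOWS\System32\iexplore.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

# Assumption: the single legitimate folder for a well-known binary name.
# The iexplore.exe location is the one given in post #9; extend as needed.
EXPECTED_DIR = {"iexplore.exe": r"c:\program files\internet explorer"}

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")                 # "R1 - ...", "O4 - ..."
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll)", re.I)
# A second colon inside a Windows path is NTFS alternate-data-stream syntax.
ADS = re.compile(r"[A-Za-z]:\\[^\s\"]*:[^\s\",]+")


def triage(log_text, min_keys=2):
    """Return (rule, evidence) pairs for a HijackThis log. Heuristics only."""
    findings, urls = [], Counter()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Rule 1: known binary name outside its expected folder.
        for path in WIN_PATH.findall(line):
            folder, _, name = path.lower().rpartition("\\")
            want = EXPECTED_DIR.get(name)
            if want and folder != want:
                findings.append(("misplaced-binary", line))
        # Rule 2: file loaded from an alternate data stream.
        if ADS.search(line):
            findings.append(("alternate-data-stream", line))
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.groups()
        if code in ("R0", "R1") and " = " in body:
            key, value = body.rsplit(" = ", 1)
            # Rule 3: browser proxy pointed at the local machine.
            if key.endswith("ProxyServer") and value.startswith(("127.", "localhost")):
                findings.append(("loopback-proxy", line))
            elif value.startswith("http"):
                urls[value] += 1
    # Rule 4: the same URL written into several IE start/search keys.
    for url, count in urls.items():
        if count >= min_keys:
            findings.append(("repeated-url", url))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule:22} {evidence}")
```

A hit is a prompt for the manual check described in the post above, not a verdict on the file.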

#10 ScumwareH8er

Posted 20 May 2004 - 06:49 AM

Okay, I will do that now.
Then I will remove the lines that you told me to.
Then I'll reboot in safe mode and post a fresh log?

#11 ScumwareH8er

Posted 20 May 2004 - 06:58 AM

Before I do anything I have to tell you this:

I found a file named windial32 in my system folder.
It has the same icon as the shortcut that appears on my desktop (if I delete it, it reappears when the window pops up), so I deleted it.
After a while it came back.
So I searched my drive for windial and I also found a file named windial32.exe-044303.pf in c:\windows\prefetch.
I've deleted it too but all reappear.
Also, the icon that appears on the desktop: when I click on it and click "find target", this is what I get: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.casinopal...sourceid=100336

As can be seen, I have iexplore in this directory and in the system dir too.

Now I'll wait for your response on this,
then do all you said in the previous post.

#12 ScumwareH8er

Posted 20 May 2004 - 07:02 AM

Btw,
I have internet access but my browsing is buggy.
Often I receive a 404 error and wrong link, and when I'm on google.com I cannot type any address in the address bar (it redirects me to google); I have to type it in the search engine then click on it when google finds it (that is how I reach this site all the time) :(

#13 ScumwareH8er

Posted 20 May 2004 - 07:11 AM

Re hello

The fact is that before I didn't fix those problems with HJT and that's why I couldn't load my browser. Now it works, and for the first time I am able to use the address bar. OMG! The progress :)
I couldn't find iexplore in my system folder. I think adaware fixed it because the new reference file found a process that was running and removed it. If I remember correctly it was named ZZAt or something like that.

#14 ScumwareH8er

Posted 20 May 2004 - 07:20 AM

Okay. This is my new log:
Logfile of HijackThis v1.97.7
Scan saved at 14:17:32, on 20.5.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\jurcicd\Desktop\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - HKCU\..\Run: [Ultimate Popup Blocker] C:\Program Files\Ultimate Pop-up Blocker\Ultimate Pop-up Blocker.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.tre...all/Xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7879.1607986111
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#15 Wiskonst

Posted 20 May 2004 - 07:38 AM

ScumwareH8er

Windial32.exe is also a virus. If they come back when you delete them it is because they are still active in memory.

The iexplore.exe in the C:\Windows\system32 folder must also be deleted if you find it.

Your log looks good now.

If you still find one of them, delete these:
- C:\Windows\system32\Windial32.exe
- C:\WINDOWS\runwin32.exe
- C:\WINDOWS\wininet32.exe
- C:\WINDOWS\System32\iexplore.exe
- All files in the C:\Windows\Prefetch folder
- The folder C:\Windows\Prefetch itself
Delete all these permanently (with Shift-Delete keys).
_______
Wiskonst

#16 ScumwareH8er

Posted 20 May 2004 - 07:50 AM

- C:\Windows\system32\Windial32.exe - not found
- C:\WINDOWS\runwin32.exe - not found
- C:\WINDOWS\wininet32.exe - not found [I found a wininit config file, but I guess I'm just being paranoid :) ]
- C:\WINDOWS\System32\iexplore.exe - not found
- All files in the C:\Windows\Prefetch folder - found 96 / deleted
- The folder C:\Windows\Prefetch itself -done

What can I say... than THANK YOU.
If I could only buy you a beer or an astronomy book if you prefer :)
Thanks for everything.
See you

Edited by ScumwareH8er, 20 May 2004 - 07:51 AM.


#17 Wiskonst

Posted 20 May 2004 - 12:07 PM

ScumwareH8er

OK
Glad we could help.
_______
Wiskonst

#18 drumh

drumh

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 20 May 2004 - 10:20 PM

Hi, I've got the same problem, but I'm using WINDOWS ME. Will the above removal technique work, or will I have to modify some stuff? I'm really computer illiterate, so I'm a bit scared I'll delete something I shouldn't.
Occasionally I get a new dialup connection appearing. It's called "lynx 18". Is this related?
Thanks.

Edited by drumh, 23 May 2004 - 03:09 AM.


#19 Wiskonst

Posted 21 May 2004 - 07:07 AM

Drumh

Can you start a topic of your own please?
_______
Wiskonst

#20 drumh

Posted 22 May 2004 - 03:21 AM

sorry, I'll do that.
Thanks.



