Helppppp!!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jaytungsvik, Nov 3, 2004.

  1. jaytungsvik

    jaytungsvik Private E-2

    Hi peeps, this is a bit of an emergency..... got some stoopid stuff on the PC, have no idea HOW, but it's getting annoying.

    Every time I try and go to a webpage it gets hijacked... tried to download some stuff from the good Major, and had to reload the pages several times.

    Have Ad-Aware and Spybot Search & Destroy and CWShredder AND HijackThis.. and none of them have touched the problem.

    I have the HijackThis log file and await anyone asking me to post it...

    Please, please, Obi-Wan Kenobi, you're my only hope.... erm, wrong forum... lol

    right, no, please, any help would be most appreciated

    Jay
     
  2. jaytungsvik

    jaytungsvik Private E-2

    also, I'm getting script errors on every page and a wordtracker page keeps loading itself up.

    On top of that, on any page that has the word L O A D on it, L O A D is missing.

    Please help

    Jay
     
  3. jaytungsvik

    jaytungsvik Private E-2

    Hi, still having problems.... so I have attached the HijackThis txt log file.

    getting annoyed with the ruddy thing now.... so any help would be most appreciated

    Jay
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HJT Version 1.98.2 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  5. liljohn

    liljohn Private E-2

    Try the McAfee AVERT Stinger; this is a solo-running program so there is no install. It targets the latest trojans and worms.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  7. jaytungsvik

    jaytungsvik Private E-2

    Right, ok... well.. thanks, I had read the sticky you posted... and gone through several of the fixes.

    Problem I had was that I couldn't always download the file..... it just came up in the Explorer bar...

    Anyway.... NONE of the programs worked to either find, or clean the nasty little buggers I had on the pc.

    Hijack this listed them,

    files were.. iau.exe
    stisvsq.exe
    svhost.exe (yes I know what you're all going to say.. but.. this one was in the c:\windows\ folder....)
    msqdevl.exe

    and a couple of others.....
    I managed to track this down to them via a process of trial and error, and also just reading thru the taskmanager list of what was running....
    16 hours later... i found the above and deleted them.

    What may have helped was someone having a quick look at my HijackThis file/log and saying.. Jay, your problem's this... this is how you get rid, rather than posting, have you read the sticky!!!!!!!!!!!

    Sorry to be a little pedantic, but.... I'm one of those people that FOLLOWS the rules... and only posts AFTER he hasn't had any joy with the posted STICKY!

    Liljohn, cheers buddy, thanks for trying to point me in the right direction, rather than harping on about a ruddy sticky.

    Sorry if i have offended anyone with this post, but, this is a forum where people are allowed to speak their minds. If someone decides to ban me or berate me then so be it....

    Jay
    (32 year old, former IT lecturer, who needed help with something he couldn't sort out and got told several times to read a post he had read AND printed off)
     
  8. Kodo

    Kodo SNATCHSQUATCH

    go ahead and post your hijackthis log file.
     
  9. jaytungsvik

    jaytungsvik Private E-2

    Cheers Kodo, but there's no real point at the mo, since it's clean.

    What does come up every now and again, are

    iau.exe
    stisvsq.exe
    svshost.exe
    msqdevl.exe
    mservice.exe

    and then several IP addresses in the 1st couple of lines...

    relevant bits are
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

    O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
    O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
    O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
    O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
    O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
    O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
    O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
    O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
    O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
    O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
    O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
    O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe

    so.. there ya go, any ideas on what the hell it is/was would be helpful...

    Jay

    p.s. this isn't the entire list, just the bits I know are dodgy. :cool:
     
  10. Kodo

    Kodo SNATCHSQUATCH

    Trojans..
     
  11. jaytungsvik

    jaytungsvik Private E-2

    Cheers... how do I get rid of 'em for good... THEY'RE HEREEEEEE... lol

    have to laugh... they're back.... just when you thought it was safe to surf the net...

    so...

    how do I get rid of the buggers?

    Jay
     
  12. jaytungsvik

    jaytungsvik Private E-2

    Hi peeps.. well, as said before... it's back... spent 3 hours deleting various files and now back in normal mode, it's back... I have, as said, tried almost everything.. the only thing I haven't done is a re-install of Windows XP.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
    O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
    O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
    O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
    O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
    O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
    O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
    O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
    O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
    O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
    O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe

    O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab


    please, anyone, help me get RID OF THIS STOOOPID STUFF!

    Jay
     
  13. PhilliePhan

    PhilliePhan Guest

    Jay,

    Please run these:

    TrojanScan online scan

    a-squared (a²) Free edition

    RavAntivirus online scan <-- select Auto Clean then click Scan My PC

    Then, attach a COMPLETE HijackThis Log. Please follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I'll try to check back when I get a chance - Please note that there are only a few of us volunteers contributing our time for FREE in this forum.

    PP
     
  14. jaytungsvik

    jaytungsvik Private E-2

    Hi PhilliePhan, I realise that people give their time to the forums for free; the knowledge I've gained here at the MajorGeeks forum and other forums, I give out to friends freely.

    Friends that don't have a broadband connection or don't know where to look or how to download, I burn a CD off with the various recommended software....

    This issue on my machine has got me so wound up.. and I can't seem to get rid of it... I even did a search for the various file names on Google, and went to the Symantec security centre and followed their instructions on how to get rid.. none of it's working. Norton AntiVirus 2005 found the little buggers but couldn't delete them or quarantine them.

    I followed your advice in the previous post.... did a lot of work in Safe Mode and normal.. and they are still there.

    Have attached the HJT txt file... (I hope I have anyway... last time I tried it didn't upload)

    Hear back soon... going to take the dog out for a long walk!

    Jay
     

    Attached Files:

  15. PhilliePhan

    PhilliePhan Guest

    Hi Jay,

    I don’t know why you have three of these running - wuauclt.exe - unless you have updates waiting to be installed.

    Also, your HijackThis log shows no signs of the Online Scans having been run. The Trend Micro scan prescribed in the Tutorial should detect and clean this particular Trojan.

    Anyhoo, make sure to have an Updated SpybotSD and CCleaner on hand – as per the tutorial. Please print these instructions so you can operate with All Browser Windows Closed.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the Tutorial.

    Now boot into Safe Mode.

    Please run HijackThis and Check the Boxes for the following entries:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

    O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe

    O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe

    O4 - HKCU\..\Run: [Games Acceleration] svshost.exe

    O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe

    O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe

    O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe


    Again, make sure ALL Browser Windows are Closed when you Click FIX.

    Now, while still in Safe Mode, navigate to and DELETE the following if found:

    C:\WINDOWS\iau.exe
    C:\WINDOWS\stisvsq.exe
    C:\WINDOWS\svshost.exe
    C:\WINDOWS\msqdevl.exe
    C:\WINDOWS\lssas.exe
    C:\WINDOWS\mservice.exe

    Be careful - These look similar to legitimate files. Again, you must be able to view Hidden Files.
    If you do not find the above files, you may want to use Windows Explorer to run a search of your machine for them.
    Also, look and see if you find Runwin32.exe & let me know.

    Now, Run C Cleaner and Spybot SD.

    Next, Open Internet Explorer. Click TOOLS > INTERNET OPTIONS and Click DELETE COOKIES. Then, Click DELETE FILES and check the box for ALL OFFLINE CONTENT and Click OK.
    Then open the C:\WINDOWS\TEMP folder and delete all files and sub-folders if any remain. Also, make sure the Recycle Bin is empty.

    Reboot to Normal Windows and scan with HJT. Attach a new log and tell us how things are working or if you ran into any problems with the above instructions. I'll check back when I can.

    Best luck :)
    PP
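The log excerpts posted above (the R0/R1/O4 lines) and the fix list in this post, as an added example that is not from the thread and not part of HijackThis: a Python script that parses those lines, records why each one is suspect (a Run value that is a bare filename instead of a full path, a name one edit away from a real system binary such as svchost.exe or lsass.exe, a start page pointing at easy-search.biz, a ProxyServer pointing at 127.0.0.1), and turns the hits into a removal plan that covers both registry hives and the matching files. The log lines are copied from the posts; C:\WINDOWS as the location of the bare entries (taken from the file list above), the trusted start page list and the list of system binary names are assumptions made for the example.

```python
"""Triage HijackThis R0/R1/O4 lines and turn the hits into a removal plan (added example)."""
import re
from dataclasses import dataclass, field

# Constructed input: lines copied from the posts above, plus two legitimate
# Run entries from the same log so the checks have something to pass.
HJT_LOG = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
'''

WINDOWS_DIR = r"C:\WINDOWS"    # assumption: where the bare Run entries live (file list in the post above)
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"   # the key HJT abbreviates as ..\Run
LEGIT_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}  # assumption
TRUSTED_START_PAGES = {"about:blank"}                         # assumption for the example

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
R_RE = re.compile(r"^R[01] - (?P<hive>HK\w+)\\(?P<key>.+?),(?P<value>[^=]+?) = (?P<data>.+)$")


@dataclass
class Finding:
    line: str
    reason: str
    hive: str
    key: str
    value: str          # registry value name to delete or reset
    file: str = ""      # on-disk file to delete, if the entry launches one


@dataclass
class Plan:
    registry_values: list = field(default_factory=list)   # (hive, key, value name)
    files: list = field(default_factory=list)
    notes: list = field(default_factory=list)


def osa_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): a swapped pair such as lssas/lsass is one edit."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def command_path(cmd: str) -> str:
    """The executable part of a Run command: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list:
    findings, overrides = [], []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            path = command_path(m["cmd"])
            exe = path.rsplit("\\", 1)[-1].lower()
            bare = "\\" not in path
            reasons = ["bare filename: which file runs depends on the search path"] if bare else []
            near = [n for n in LEGIT_NAMES if osa_distance(exe, n) == 1]
            if near:
                reasons.append(f"lookalike of system binary {near[0]}")
            if reasons:
                findings.append(Finding(line, "; ".join(reasons), m["hive"], RUN_KEY, m["name"],
                                        f"{WINDOWS_DIR}\\{exe}" if bare else path))
            continue
        m = R_RE.match(line)
        if not m:
            continue
        data = m["data"].strip()
        if m["value"] == "Start Page" and data not in TRUSTED_START_PAGES:
            findings.append(Finding(line, f"start page hijacked to {data}", m["hive"], m["key"], m["value"]))
        elif m["value"] == "ProxyServer" and data.split(":")[0] in ("127.0.0.1", "localhost"):
            findings.append(Finding(line, "browser routed through a local proxy that can rewrite every page",
                                    m["hive"], m["key"], m["value"]))
        elif m["value"] == "ProxyOverride":
            overrides.append(m)   # benign on its own; only worth touching next to a hijacked ProxyServer
    if any(f.value == "ProxyServer" for f in findings):
        for m in overrides:
            findings.append(Finding(m.string, "ProxyOverride set alongside the local proxy",
                                    m["hive"], m["key"], m["value"]))
    return findings


def build_plan(findings: list) -> Plan:
    plan = Plan()
    for f in findings:
        plan.registry_values.append((f.hive, f.key, f.value))
        if f.file and f.file not in plan.files:
            plan.files.append(f.file)
    if any(f.value == "ProxyServer" for f in findings):
        plan.notes.append("reset ProxyServer/ProxyOverride, or the browser stays pointed at a listener that is gone")
    if {f.hive for f in findings if f.key == RUN_KEY} == {"HKLM", "HKCU"}:
        plan.notes.append("same binaries in both hives: remove both, or the survivor restarts them at next logon")
    return plan


if __name__ == "__main__":
    found = triage(HJT_LOG)
    for f in found:
        print(f"{f.hive:<4} {f.value:<40} {f.reason}")
    plan = build_plan(found)
    print("delete files:", *plan.files, sep="\n  ")
    print("notes:", *plan.notes, sep="\n  ")
```

The plan makes two things explicit that are easy to miss when reading the log by eye: the six names are registered under both the HKLM and HKCU Run keys, so both hives have to be cleared in the same session, and a ProxyServer of 127.0.0.1:8080 left in place after the listener is gone means the browser cannot reach anything until the value is reset.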
     
  16. jaytungsvik

    jaytungsvik Private E-2

    cheers for getting back to me Philliephan...

    Right, printed out your post and followed it to the letter...

    Yes I have some updates to download and install....

    Couldn't find a file called runwin32.exe, and I even had a look for it manually as well.

    Went through, did everything in Safe Mode, rebooted machine.

    Ran HJT again, and found that they were still there, so, "fixed" them via HJT.

    Following so far... kewl

    Also had the proxy override AND also a weird IP address
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

    Took ages to get rid of, because it wouldn't let me connect to the net...
    I'll upload the HJT file in a bit, as I need to urgently check my email...

    Catch you in a bit
    Jay
     
  17. PhilliePhan

    PhilliePhan Guest

    I doubt these are causing any problems.

    Are there multiple user accounts on your computer?

    pp
     
  18. jaytungsvik

    jaytungsvik Private E-2

    Hi dude... no, just the one account as there's only ickle me using the machine.

    Well.. seems to be no resurgence of the nasties so far... (touch wood)
    Norton ran whilst I was out, and found a load of others that it deleted automatically.

    Still have no idea what or where this load came from...
    When I was trying to download files from the MajorGeeks site, the word LOAD would be missing so I couldn't download them; URLs/links with the word LOAD in them wouldn't work as LOAD would be missing.
    A true nightmare.

    Thank you very very much for your help. Haven't had a chance to save a HJT log and attach it yet. Been busy.

    But any time you're in the UK, and near me, I owe you several beers buddy. ;)

    Cheers very much
    Jay ;)
     
  19. jaytungsvik

    jaytungsvik Private E-2

    Hey dude... I spoke too soon... BUT.. I think I found where it all stems from, and would like your opinion to see if my hunch would make sense.

    I tried to open a txt file by double-clicking on the file.... nothing happened apart from a quick egg timer on screen, then nothing...

    I used Run from the Start button to open Notepad, then Open from the drop-down menus to open the .txt file I wanted to read.

    I then did ctrl alt del, and lo and behold all the ruddy stuff is back.

    So, quick search in Explorer, and I find 2 notepad.exe files... one WITH the Notepad icon, one without. I double-clicked on the one with the icon, and it opened Notepad; double-clicked on the other and nothing.

    Could it be that the lovely people who make nasty spyware/adware/trojans have created a program called "notepad.exe" and somehow got it onto my machine, and every time I try to open a .txt file it puts the nasty crud onto my machine?

    Hope the above makes sense.
    Oh, also, the genuine Notepad is 65k, and the fake is 11k.
    I've deleted the fake, and am about to reboot into Safe Mode and go through the steps you advised to take again.

    PC was clear, until that fake Notepad ran... not saying that it was that.. but circumstantial evidence points to it...

    btw, still owe you several beers buddy

    Jay
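The two-notepad.exe observation above, as an added example that is not part of the thread: a Python script that walks a directory tree, collects every copy of a watched system binary name, hashes each one, and reports the copies whose content differs from the rest. Windows XP legitimately keeps notepad.exe in more than one place (the Windows directory, system32 and the system32\dllcache protection store), so a second file with the same name is not by itself the signal; two copies with the same name and different hashes is. The sample tree is constructed in a temporary directory (65 KB and 11 KB stand-in files, matching the sizes reported in the post); the drop location of the impostor under WINDOWS\Temp is a hypothetical choice for the example, not something the post says.

```python
"""Find same-named system binaries whose contents differ (added example, constructed data)."""
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_name_collisions(root: str, watched_names) -> dict:
    """Every copy of each watched basename under root, as (path, size, sha256)."""
    watched = {n.lower() for n in watched_names}
    copies = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower() in watched:
                p = os.path.join(dirpath, fn)
                copies[fn.lower()].append((p, os.path.getsize(p), sha256_of(p)))
    return dict(copies)


def suspicious_copies(copies: dict) -> dict:
    """Names present with more than one content hash, mapped to the copies that differ from the reference.

    The reference here is the hash shared by most copies. That is a stand-in for an offline example;
    on a real machine compare against a hash taken from clean install media, because an attacker who
    replaces every copy wins a majority vote.
    """
    out = {}
    for name, entries in copies.items():
        by_hash = defaultdict(list)
        for entry in entries:
            by_hash[entry[2]].append(entry)
        if len(by_hash) > 1:
            ref = max(by_hash, key=lambda h: len(by_hash[h]))
            out[name] = [e for h, es in by_hash.items() if h != ref for e in es]
    return out


def build_constructed_tree() -> str:
    """Constructed sample tree (assumption, not the poster's disk): identical legitimate copies in the
    places XP keeps notepad.exe, plus one small impostor in a hypothetical location."""
    root = tempfile.mkdtemp()
    legit = b"MZ" + b"\x00" * (65 * 1024 - 2)   # stand-in for the 65 KB real notepad
    fake = b"MZ" + b"\x90" * (11 * 1024 - 2)    # stand-in for the 11 KB fake
    layout = {
        os.path.join("WINDOWS", "notepad.exe"): legit,
        os.path.join("WINDOWS", "system32", "notepad.exe"): legit,
        os.path.join("WINDOWS", "system32", "dllcache", "notepad.exe"): legit,
        os.path.join("WINDOWS", "Temp", "notepad.exe"): fake,   # hypothetical drop location
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


def scan(root: str, names=("notepad.exe",)) -> dict:
    return suspicious_copies(find_name_collisions(root, names))


if __name__ == "__main__":
    tree = build_constructed_tree()
    for name, odd in scan(tree).items():
        for path, size, digest in odd:
            print(f"{name}: {path} ({size} bytes, sha256 {digest[:12]}...) differs from the other copies")
```

Run it against a real drive by passing the drive root and a list of names to scan(); the icon a copy shows in Explorer says nothing about what it is, and which copy runs from Start > Run depends on where Windows looks first, so size plus hash is the comparison worth making before deleting anything.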
     
  20. PhilliePhan

    PhilliePhan Guest

    Hi Jay,

    I don't know where we are going wrong. The bit with Notepad is unfamiliar to me - I'm no help there.

    Here's some additional info:

    A problem similar to yours

    Easy-search has uninstall info on their site---- If you are feeling brave enough to visit ;)

    I am pretty certain that your entire problem is Easy-search related.

    You might try Googling Easy-search dot biz for more info - I think all of the bad HJT log entries are a result of a single Trojan. I just can't see it.

    Go ahead and attach a fresh log - maybe it'll tell us something. I'll try to check back when I can.

    Best,
    PP
     
