- Executable Files: dwvem.exe; file_0.exe; iau.exe; lssas.exe ; mservice.exe; msqdevl.exe; runwin32.exe; stisvsq.exe; svshost.exe; tibs3.exe [a.k.a. Troj/HideDial-A]; wininet32.exe.
- Dynamic Link Libraries: csrss.dll.
- Directory/Search Page: http://www.easy-search.biz.
- Uninstall page URL:
- Related Articles: Fighting Malware with Standard Windows Tools (February 25, 2007). You may have more in your bag of tricks than you realize. Important Removal Tool Note.
- Notes: The url http://www.easy-search.biz/ is no longer an active search engine. More recent versions of this infection appear to involve single ad pages, pop-ups and pop-unders, and redirects to hard porn sites. They utilize a CHM exploit to execute through an unpatched Microsoft hole. If you have "iau.exe" on your machine without "runwin32.exe" you have the far more virulent, newer, heavily bundled CHM exploit version. This version somehow hides in the Windows text files areas, if removed, and reinstalls on the next reboot. As of March 2005, this infection can be removed by Lavasoft's Ad-Aware freeware.
VGS encourages you to post comments about the service it offers, and, in particular, about your experiences with the removal tools suggested in its pages. Removal tool comments will be most effective in helping those who come after you if you post them to the individual detail page for the malware item you used the tool to remove. Please be as clear and as detailed as possible. The most effective comments might include such information as: 1) What browser and operating system you are are running on your computer (i.e. Windows 98, NT, XP, Linux, Internet Explorer 6.0, Firefox); 2) What updates are installed (i.e. SP1, SP2); 3) What anti-virus/malware package(s) are resident in your computer; and 4) the actions you took in the order you took them.