gigi

esearch.cc

4 posts in this topic

I would like to receive some help in getting rid of the esearch.cc hijacking. I tried several times to remove it with ad-aware, it seemed to work for the very 1st IExplorer call, but the second time it was still there. I googled and found your group, and poking around I was able to get rid of the about blank, and the silly windows saying that my system was under attack ... But esearch is still here, and maybe something else.

Anyway, here is the HijackThis log

Logfile of HijackThis v1.98.0

Scan saved at 21.53.39, on 26/07/04

Platform: Windows NT 4 SP6 (WinNT 4.00.1381)

MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\SYSTEM32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\spoolss.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINNT\System32\nddeagnt.exe

C:\WINNT\system32\RpcSs.exe

C:\WINNT\system32\tapisrv.exe

C:\WINNT\Explorer.exe

C:\WINNT\system32\rasman.exe

c:\winnt\system32\pstores.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\SysTray.Exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Programmi\Microsoft Firewall Client\ISATRAY.EXE

C:\Programmi\Corel\WordPerfect Office 2000\programs\dad9.exe

C:\WINNT\System32\RUNDLL32.EXE

C:\WINNT\System32\ddhelp.exe

D:\users\glp\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esearch.cc/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.esearch.cc/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.esearch.cc/s.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esearch.cc/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.esearch.cc/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.esearch.cc/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://SERVER:8080

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: Shorty - {5C472352-90D0-4214-BF20-8E4A2B82F980} - C:\WINNT\WIN32A~1.DLL

O2 - BHO: (no name) - {5D521A0A-6A34-41AB-A63B-879409830975} - C:\WINNT\system32\HKFFLA~1.DLL (file missing)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [schedulingAgent] mstinit.exe /logon

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - Startup: Desktop Application Director 9.LNK = Corel\WordPerfect Office 2000\programs\dad9.exe

O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = Microsoft Firewall Client\ISATRAY.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE

O12 - Plugin for .pdf: C:\PROGRA~1\Plus!\MICROS~1\PLUGINS\nppdf32.dll

O13 - WWW. Prefix: http://

O16 - DPF: Online Banking F24 - https://www.cooperbank.it/bv/HBF24/Installa...x=1059504946605

O16 - DPF: Online Banking Impresa - https://www.isideonline.it/bv/HBDISPOBCC/In...x=1076575919988

O18 - Filter: text/html - {0B655F8F-9689-4027-9229-3CB859E2284E} - C:\WINNT\system32\HKFFLA~1.DLL

O18 - Filter: text/plain - {0B655F8F-9689-4027-9229-3CB859E2284E} - C:\WINNT\system32\HKFFLA~1.DLL

 

Do you have any suggestions? TNX in advance, Gigi

Hello gigi,

 

Just so that you know you are not being ignored - I will handle this case for you but

I need to ask for your patience while I review the log.

Please keep an eye on this message for a resolution.


Hello gigi,

 

Print a copy of this topic to make it easier for you to follow the instructions and complete all of the necessary steps.

 

1 - Close all open Explorer windows and browsers

2 - Run HijackThis

3 - Click on the Scan button and when complete

4 - Put a check beside all of the items listed below

5 - Click on the "Fix Checked" button

6 - When complete and all files removed, close the application

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esearch.cc/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.esearch.cc/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.esearch.cc/s.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esearch.cc/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.esearch.cc/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.esearch.cc/

R3 - Default URLSearchHook is missing

 

F0 - system.ini: Shell=

 

O2 - BHO: Shorty - {5C472352-90D0-4214-BF20-8E4A2B82F980} - C:\WINNT\WIN32A~1.DLL

 

O2 - BHO: (no name) - {5D521A0A-6A34-41AB-A63B-879409830975} - C:\WINNT\system32\HKFFLA~1.DLL (file missing)

 

O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)

 

O13 - WWW. Prefix: http://

 

O18 - Filter: text/html - {0B655F8F-9689-4027-9229-3CB859E2284E} - C:\WINNT\system32\HKFFLA~1.DLL

O18 - Filter: text/plain - {0B655F8F-9689-4027-9229-3CB859E2284E} - C:\WINNT\system32\HKFFLA~1.DLL

*

Reconfigure Windows Explorer to show Hidden Files:

Open the Windows Explorer Folder Options - View [tab]:

 

Scroll down to the "Files and Folders" section.

Select: "Display the contents of system folders".

 

Scroll down to the "Hidden Files and Folders" section.

Select: "Show hidden files and folders", Ok the prompt

Uncheck: "Hide file extensions for known file types"

Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

*

Next, reboot, on restart, restart in "Safe Mode".

 

How To

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

Start | Run (type) "%temp%" (no quotes)

Completely delete the entire contents of that "temp" folder.

 

Also, Delete/Empty your Temporary Internet Cache completely

How To: and with most operating system.

http://www.mvps.org/winhelp2002/delcache.htm

 

Remove all files in BOLD if still present.

 

C:\WINNT\WIN32A~1.DLL <-- File only

C:\WINNT\system32\HKFFLA~1.DLL <-- File only

*

Remove any remnants of the CoolWebSearch infection.

 

Download CWShredder.exe CoolWebSearch removal tool from

http://www.spywareinfo.com/~merijn/files/CWShredder.exe

 

Place the download file in its own folder.

 

Make sure all browsers and all Windows Explorer windows are closed.

 

Run the application and be sure to click on the "Fix" button.

 

When the scan is completed and all files removed, close it.

*

You are not presently running the latest copy of Internet Explorer (The SP 1 version).

I suggest you get it from this site: http://v4.windowsupdate.microsoft.com/ and follow the instructions for the download. When installed return to the site and install all of the latest security patches that will protect your computer much better than IE 5.

 

Internet Explorer SP1 and all updates to February 2004 are included in this free CD from Microsoft. If you have a slow connection or are not pressed for time you can order it and install later. You must use the update site for any updates issued after that date.

How to obtain and use the Windows Security Update free CD (February 2004)

http://support.microsoft.com/?kbid=833242

*

Here are some suggestions to reduce the potential for spyware infection in the future. I strongly recommend installing the following :

  • SpywareBlaster - It will prevent most spyware from ever being installed.
  • SpywareGuard - It offers realtime protection from spyware installation attempts.
  • IE-Spyad - IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

I also recommend reading this article.

How did I get infected in the first place?

http://forums.net-integration.net/index.php?showtopic=3051

*

Run HijackThis and post a fresh log for review.

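The kind of triage applied to the log in this thread, sketched as an added example that is not part of the original posts and is not HijackThis code. The sample lines are copied from the log above; the rule set, `PAGE_KEYS` and the `trusted_hosts` allowlist are hypothetical choices made for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esearch.cc/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://SERVER:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5D521A0A-6A34-41AB-A63B-879409830975} - C:\WINNT\system32\HKFFLA~1.DLL (file missing)
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O18 - Filter: text/html - {0B655F8F-9689-4027-9229-3CB859E2284E} - C:\WINNT\system32\HKFFLA~1.DLL
"""

# Every log entry starts with a section code such as R0, F2, O2 or O18.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Registry values that control the IE start and search pages (taken from the log).
PAGE_KEYS = ("Start Page", "Search Page", "Default_Page_URL",
             "Default_Search_URL", "SearchAssistant", "CustomizeSearch")

def parse(log_text):
    """Return (code, body) for each entry line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries

def triage(log_text, trusted_hosts=("www.microsoft.com",)):
    """Flag entries for human review. trusted_hosts is a hypothetical allowlist."""
    findings = []
    for code, body in parse(log_text):
        if code in ("R0", "R1") and " = " in body:
            key, value = body.rsplit(" = ", 1)
            name = key.rsplit(",", 1)[-1]
            host = urlparse(value).hostname
            if name in PAGE_KEYS and host and host not in trusted_hosts:
                findings.append((code, "browser page redirected to " + host))
        elif code == "O2" and re.search(r"\((file missing|no file)\)\s*$", body):
            findings.append((code, "BHO registered but file absent"))
        elif code == "O18":
            findings.append((code, "MIME filter, verify the handler DLL"))
    return findings

if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(code, "-", reason)
```

A flagged line is a prompt for review, not a verdict: the proxy entry and the Acrobat BHO pass these rules only because of how the rules are written, and an analyst still has to judge each entry in context.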