esearch.cc

This topic is locked
3 replies to this topic

#1 gigi (New Member, 1 posts)

Posted 26 July 2004 - 03:08 PM

I would like to receive some help in getting rid of the esearch.cc hijacking. I tried several times to remove it with Ad-Aware; it seemed to work for the very first Internet Explorer call, but the second time it was still there. I googled and found your group, and poking around I was able to get rid of the about:blank page and the silly windows saying that my system was under attack ... But esearch is still here, and maybe something else.
Anyway, here is the HijackThis log:
Logfile of HijackThis v1.98.0
Scan saved at 21.53.39, on 26/07/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\tapisrv.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\rasman.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\SysTray.Exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Programmi\Microsoft Firewall Client\ISATRAY.EXE
C:\Programmi\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\WINNT\System32\ddhelp.exe
D:\users\glp\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esearch.cc/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.esearch.cc/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.esearch.cc/s.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esearch.cc/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.esearch.cc/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.esearch.cc/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://SERVER:8080
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Shorty - {5C472352-90D0-4214-BF20-8E4A2B82F980} - C:\WINNT\WIN32A~1.DLL
O2 - BHO: (no name) - {5D521A0A-6A34-41AB-A63B-879409830975} - C:\WINNT\system32\HKFFLA~1.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Startup: Desktop Application Director 9.LNK = Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = Microsoft Firewall Client\ISATRAY.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\Plus!\MICROS~1\PLUGINS\nppdf32.dll
O13 - WWW. Prefix: http://
O16 - DPF: Online Banking F24 - https://www.cooperba...x=1059504946605
O16 - DPF: Online Banking Impresa - https://www.isideonl...x=1076575919988
O18 - Filter: text/html - {0B655F8F-9689-4027-9229-3CB859E2284E} - C:\WINNT\system32\HKFFLA~1.DLL
O18 - Filter: text/plain - {0B655F8F-9689-4027-9229-3CB859E2284E} - C:\WINNT\system32\HKFFLA~1.DLL

Do you have any suggestion ? TNX in advance Gigi

#2 nasdaq (Forum Deity, Global Moderator, 49,092 posts)

Posted 31 July 2004 - 03:06 PM

Hello gigi,

Just so that you know you are not being ignored - I will handle this case for you but
I need to ask for your patience while I review the log.
Please keep an eye on this message for a resolution.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#3 nasdaq (Forum Deity, Global Moderator, 49,092 posts)

Posted 31 July 2004 - 07:36 PM

Hello gigi,

Print a copy of this topic to make it easier for you to follow the instructions and complete all of the necessary steps.

1 - Close all open Explorer windows and browsers
2 - Run HijackThis
3 - Click on the Scan button and when complete
4 - Put a check beside all of the items listed below
5 - Click on the "Fix Checked" button
6 - When complete and all files removed, close the application

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esearch.cc/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.esearch.cc/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.esearch.cc/s.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esearch.cc/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.esearch.cc/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.esearch.cc/
R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

O2 - BHO: Shorty - {5C472352-90D0-4214-BF20-8E4A2B82F980} - C:\WINNT\WIN32A~1.DLL

O2 - BHO: (no name) - {5D521A0A-6A34-41AB-A63B-879409830975} - C:\WINNT\system32\HKFFLA~1.DLL (file missing)

O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)

O13 - WWW. Prefix: http://

O18 - Filter: text/html - {0B655F8F-9689-4027-9229-3CB859E2284E} - C:\WINNT\system32\HKFFLA~1.DLL
O18 - Filter: text/plain - {0B655F8F-9689-4027-9229-3CB859E2284E} - C:\WINNT\system32\HKFFLA~1.DLL

*
Reconfigure Windows Explorer to show Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply
*
Next, reboot, on restart, restart in "Safe Mode".

How To
http://service1.syma...src=sec_doc_nam

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Also, Delete/Empty your Temporary Internet Cache completely
How To (applies to most operating systems):
http://www.mvps.org/...02/delcache.htm

Remove all files in BOLD if still present.

C:\WINNT\WIN32A~1.DLL <-- File only
C:\WINNT\system32\HKFFLA~1.DLL <-- File only
*
Remove any remnants of the CoolWebSearch infection.

Download CWShredder.exe CoolWebSearch removal tool from
http://www.spywarein.../CWShredder.exe

Place the downloaded file in its own folder.

Make sure all browsers and all Windows Explorer windows are closed.

Run the application and be sure to click on the "Fix" button.

When the scan is completed and all files removed, close it.
*
You are not presently running the latest copy of Internet Explorer (The SP 1 version).
I suggest you get it from this site: http://v4.windowsupdate.microsoft.com/ and follow the instructions for the download. When installed, return to the site and install all of the latest security patches, which will protect your computer much better than IE 5.

Internet Explorer SP1 and all updates to February 2004 are included in this free CD from Microsoft. If you have a slow connection or are not pressed for time you can order it and install later. You must use the update site for any updates issued after that date.
How to obtain and use the Windows Security Update free CD (February 2004)
http://support.micro...om/?kbid=833242
*
Here are some suggestions to reduce the potential for spyware infection in the future. I strongly recommend installing the following :
  • SpywareBlaster - It will prevent most spyware from ever being installed.
  • SpywareGuard - It offers realtime protection from spyware installation attempts.
  • IE-Spyad - IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
I also recommend reading this article.
How did I get infected in the first place?
http://forums.net-in...?showtopic=3051
*
Run HijackThis and post a fresh log for review.
nasdaq

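Added example, not from the thread, HijackThis or its author: a small Python triage pass over HijackThis-format lines that applies the same rules nasdaq used above (IE start/search entries pointing at the hijacker domain, an empty system.ini Shell=, BHOs with no backing file, MIME filters on text/html and text/plain). The log lines are a constructed subset of the ones posted; treating esearch.cc as a blocklisted domain is an assumption for the demo.

```python
import re

# Constructed sample in HijackThis v1.98 log format (subset of the thread's log).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://www.esearch.cc/s.php
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.esearch.cc/
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http://SERVER:8080
F0 - system.ini: Shell=
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Programmi\\Norton AntiVirus\\NavShExt.dll
O2 - BHO: (no name) - {5D521A0A-6A34-41AB-A63B-879409830975} - C:\\WINNT\\system32\\HKFFLA~1.DLL (file missing)
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O18 - Filter: text/html - {0B655F8F-9689-4027-9229-3CB859E2284E} - C:\\WINNT\\system32\\HKFFLA~1.DLL
"""

# Assumption for the demo: domains known to hijack IE start/search settings.
HIJACK_DOMAINS = {"esearch.cc"}

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")   # "R1 - ..." / "O2 - ..."
HOST_RE = re.compile(r"= (?:https?://)?(?:www\.)?(?P<host>[^/\s:]+)")  # host after "= "


def triage(log_text):
    """Return a list of (section, reason, line) for entries worth fixing."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        sec, body = m.group("sec"), m.group("body")
        reason = None
        if sec in ("R0", "R1"):
            h = HOST_RE.search(body)
            if h and h.group("host").lower() in HIJACK_DOMAINS:
                reason = "IE start/search setting points at a hijacker domain"
        elif sec == "F0" and body.rstrip().endswith("Shell="):
            reason = "system.ini Shell= is empty (normal value is explorer.exe)"
        elif sec in ("O2", "O3") and ("(no file)" in body or "(file missing)" in body):
            reason = "BHO/toolbar registered without a backing file"
        elif sec == "O18" and ("text/html" in body or "text/plain" in body):
            reason = "MIME filter hooks every page and plain-text download; verify the DLL"
        if reason:
            findings.append((sec, reason, line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Legitimate entries such as the Norton BHO and the ProxyServer setting pass through untouched; only entries matching the moderator's fix list are reported.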

#4 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 21 September 2004 - 11:16 AM

No response since July - Topic closed.
