esearch.cc browser hijacking

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by forallthecows, Sep 1, 2004.

  1. forallthecows

    forallthecows Private E-2

    Hello, I am new to this forum. I am trying to rid a friend's computer of the esearch.cc browser hijacker. While reading a few of the threads already posted on this topic, it seemed this is a knowledgeable forum, so I would greatly appreciate it if you could help me to be rid of this annoyance. This is what I got after running HiJackThis on the laptop the problem is occurring on:
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HijackThis is not the first step.

    Please follow all the steps in this Sticky thread: < READ ME FIRST: Basic Spyware, Trojan And Virus Removal >. If you already have any of the programs linked in the tutorial, please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having, it is very important that you at least try to perform all the steps as outlined. If you have any difficulty, please post back letting us know what steps you have completed, what you found while doing the scans (if anything), and details about any problems you have encountered in completing the steps. The more details you can provide, the better.


    NOTE: You should read the tutorial in this Sticky thread: < Hijack This Tutorial And How To Post Your Log File >. Do not post a HijackThis log until we ask you to, and when we do, it must be a text document attachment to your message. NOT A .DOC FILE! AND GET THE CURRENT VERSION OF HJT TOO.

    Update! Due to Hijack This logs destroying search engine and web site searches, we now ask you do not post your Hijack This log file unless requested by us. It is for advanced users, so if you do not understand how to use it, you do not need it....yet. Instead, please tell us in your post what symptoms you are experiencing so we can try and resolve it that way. When, and if, we ask you to post your log file, please attach it as a file. To do this save the log file and select manage attachments in a new thread to upload it. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder or choose run from the download. Place it in its own folder, for example C:\Program Files\HJT

    So follow all the steps above and, when completed, if you still have a problem, tell us what you have tried and upload a new HJT log (.txt file), using the correct version. And get HJT off the Desktop and into its own directory.

    By the way is this your ISP:
    207.172.252.117 = [ 207-172-252-117.c6-0.atw-ubr1.atw.pa.cable.rcn.com ]
    OrgName: RCN Corporation OrgID: RCN Address: 105 Carnegie Center City: Princeton StateProv: NJ PostalCode: 08540 Country: US NetRange: 207.172.0.0 - 207.172.255.255
     
    Last edited: Sep 1, 2004
  3. forallthecows

    forallthecows Private E-2

    trojan

    Thanks for your quick response. I apologize for posting my log file from HiJackThis; I was in too much of a hurry to fix the problem and didn't take time to read the other threads. However, after seeing them I did all the steps described in the READ ME FIRST: Basic Spyware, Trojan and Virus Removal thread. When I ran Trend Micro Housecall it came back with one infected file, a trojan: TROJ STRTPAGE.K. Any advice on this specific trojan would be greatly appreciated. Once again I apologize for the last post; had I known of the other threads it wouldn't have happened. I appreciate any and all help, thanks.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: trojan

    Did it fix the problem? Were you set to Auto Clean?

    Complete the other items in the READ ME FIRST, including the PandaSoftware online scan.
     
  6. forallthecows

    forallthecows Private E-2

    No, it didn't fix the problem; it said it could not clean it because it was in use. It's in a dll file, C://Windows/Win32app.dll to be exact. I am going to class right now, but when I return I'll try the PandaSoftware scan. Thanks for the help.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Get the correct version of HijackThis as I mentioned earlier (ver 1.98.2) and do not install it to your Desktop. Put it in its own directory, where backups can be saved more safely.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all Internet Explorer sessions including the one you are reading this in:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esearch.cc/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esearch.cc/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.esearch.cc/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.esearch.cc/s.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.esearch.cc/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.esearch.cc/
    O2 - BHO: Shorty - {5C472352-90D0-4214-BF20-8E4A2B82F980} - C:\WINDOWS\win32app.dll
    O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\windows\system32\setup1.exe

    Enable viewing of hidden files and folders: http://forums.majorgeeks.com/showthread.php?t=37650
    Reboot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    Now run Windows Explorer, locate the files below and delete them:
    C:\WINDOWS\win32app.dll
    c:\windows\system32\setup1.exe

    Now reboot into normal mode and let me know how things are working.
     
    Last edited: Sep 3, 2004
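The HijackThis lines chaslang lists above are a compact map of the infection: eight IE start/search registry values redirected to esearch.cc, one BHO DLL dropped into the Windows directory, and one DPF entry installing from a local file. As an added example (not part of this thread and not a MajorGeeks tool), the Python below parses those R0/R1, O2 and O16 lines and flags them; the flagging heuristics (domain match, BHO DLL directly under C:\WINDOWS, DPF codebase on file://) are assumptions chosen for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# The ten HijackThis lines quoted in the post above, embedded here as sample input.
HJT_LINES = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esearch.cc/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esearch.cc/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.esearch.cc/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.esearch.cc/s.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.esearch.cc/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.esearch.cc/
O2 - BHO: Shorty - {5C472352-90D0-4214-BF20-8E4A2B82F980} - C:\WINDOWS\win32app.dll
O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\windows\system32\setup1.exe
"""

HIJACK_DOMAIN = "esearch.cc"  # the domain this thread is about
R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(\w[\w ]*) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
O16_LINE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\}) - (.*)$")

def parse_hjt_line(line: str) -> Optional[Dict[str, str]]:
    """Split one HJT log line into its fields; None for kinds we do not handle."""
    if (m := R_LINE.match(line)):
        kind, hive, key, value, data = m.groups()
        return {"kind": kind, "hive": hive, "key": key, "value": value, "data": data}
    if (m := O2_LINE.match(line)):
        name, clsid, path = m.groups()
        return {"kind": "O2", "name": name, "clsid": clsid, "path": path}
    if (m := O16_LINE.match(line)):
        clsid, path = m.groups()
        return {"kind": "O16", "clsid": clsid, "path": path}
    return None

def classify(e: Dict[str, str]) -> Optional[str]:
    """Heuristic (assumption for this example): why an entry looks like part of the hijack."""
    if e["kind"] in ("R0", "R1"):
        return f"IE {e['value']} points at {HIJACK_DOMAIN}" if HIJACK_DOMAIN in e["data"].lower() else None
    path = e["path"].lower()
    if e["kind"] == "O2" and path.startswith("c:\\windows\\") and path.count("\\") == 2:
        return f"BHO {e['clsid']} loads a DLL dropped directly into the Windows directory"
    if e["kind"] == "O16" and path.startswith("file://"):
        return f"DPF {e['clsid']} installs from a local file instead of an http codebase"
    return None

def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) for every parsed line the heuristics flag."""
    parsed = [(l.strip(), parse_hjt_line(l.strip())) for l in log_text.splitlines() if l.strip()]
    return [(l, classify(e)) for l, e in parsed if e and classify(e)]

def files_to_remove(log_text: str) -> List[str]:
    """On-disk components (BHO DLL, DPF payload) to delete in safe mode, lower-cased paths."""
    paths = {parse_hjt_line(l)["path"].lower().replace("file://", "")
             for l, _ in triage(log_text) if "path" in parse_hjt_line(l)}
    return sorted(paths)
```

Run `triage(HJT_LINES)` to see one reason per flagged line, and `files_to_remove(HJT_LINES)` to get the two files the post says to delete in safe mode.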
  8. forallthecows

    forallthecows Private E-2

    It's gone, what you told me worked great. Thanks for the help and bearing with me.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Excellent!!! You're welcome!
     
