esearch search bar

Discussion in 'Malware Help (A Specialist Will Reply)' started by eloc, Feb 3, 2005.

  1. eloc

    eloc Private E-2

    Hello,

    Wondering if you could spare some time to offer any tips on how to fix my computer problems.

    I found an old thread dealing with a similar problem to mine: 'Hijacked by eSearch', dated 23/7/04. After reading through the replies I followed the directions given... but with no luck.

    I have read these two documents as requested and followed all the subsequent steps in #2:

    1. NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File
    2. READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Basically I think I need someone in the know to check over my log file and point me in the right direction as to what I should and shouldn't be deleting.

    Hope you can help.
    eloc
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Eloc,

    If you are certain that you've exhausted the Tutorial's options ( including the Online Scans), then go ahead and send us a HijackThis Log. Make sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    If you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I am getting ready to shut it down for the night and get some sleep, but somebody will try to take a look at your log when they get a chance.

    Best :)
    PP
     
  3. TheOldThug

    TheOldThug First Sergeant

    Welcome
     
  4. eloc

    eloc Private E-2

    Thanks for the reply,

    Yeah, I'm pretty sure I've exhausted all the options presented in the tutorial and basic removal techniques.

    Attached is a copy of my HJT log file in .txt format.

    See what you think. I haven't attempted to delete anything but did notice a few problems.

    Thanks, eloc.
     

  5. PhilliePhan

    PhilliePhan Guest

    Hi Eloc,

    Please have About:buster and HSRemove from the Cleanup Tutorial on hand, updated and ready to go. Let's see if we can make a dent in this!



    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Please look in Task Manager for the following running process and try to end it: l?ass.exe

    Now scan with HijackThis and Check the Boxes for the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\qwsxp.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\qwsxp.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\qwsxp.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\qwsxp.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: Name - {23D79A52-66AA-43A6-861D-C32A4F465438} - C:\WINNT\system32\msnwp.dll
    O2 - BHO: (no name) - {30D8382E-EB12-0FEA-D724-67557F83783A} - C:\WINNT\system32\ndhz.dll (file missing)
    O2 - BHO: Name - {46475AA8-56DA-452D-96C1-FA95215DF930} - C:\WINNT\system32\msnwp.dll
    O2 - BHO: Name - {486E3EB9-EB2C-4986-BEBE-B707C984B56E} - C:\WINNT\system32\msnwp.dll
    O2 - BHO: Name - {85315BA2-98CA-4AD9-86EC-D40B4DE021D7} - C:\WINNT\system32\msnwp.dll
    O2 - BHO: Name - {8B45C342-D8DB-4602-9346-1AE504FE5AC4} - C:\WINNT\system32\msnwp.dll
    O2 - BHO: Name - {974FBE0A-5716-4D66-AFCF-45EB8041698D} - C:\WINNT\system32\msnwp.dll
    O2 - BHO: Name - {988E110E-113A-458D-BA37-605E1FB84BC5} - C:\WINNT\system32\msnwp.dll
    O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINNT\webdir.dll
    O2 - BHO: Name - {C1ACB8CF-653B-47A6-90F5-B59F6EACCB15} - C:\WINNT\system32\msnwp.dll
    O2 - BHO: (no name) - {E96C6427-ECDD-42E2-95EA-616021A9FEF8} - C:\WINNT\system32\qwsxp.dll

    O4 - HKLM\..\Run: [mhcdcb] C:\WINNT\mhcdcb.exe
    O4 - HKCU\..\Run: [Hars] C:\Documents and Settings\Chris Cole\Application Data\shca.exe --> Do you know what this is? If not, suggest dump it.
    O4 - HKCU\..\Run: [Rjj] C:\WINNT\system32\l?ass.exe

    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted IP range: 67.19.178.84
    O15 - Trusted IP range: 67.19.178.84 (HKLM)

    O17 - HKLM\System\CCS\Services\Tcpip\..\{C968EB3B-AA22-4BC4-9949-5074D6D9C966}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31

    O18 - Filter: text/html - {A33C3D08-904B-4F5C-B5E6-8D3412CF924E} - C:\WINNT\system32\qwsxp.dll
    O18 - Filter: tœ†5?ò EÆR - {D60C870B-1B49-4C8F-9ED7-FBE67358F30E} - C:\WINNT\system32\qwsxp.dll
    O18 - Filter: tœ†5?ò MÆR - {7BCD681E-4923-4A3A-8C8E-C543606031E2} - (no file)
    O18 - Filter: tœ†5?ò EÆR - {42EC2355-BD0C-4212-9B61-A2B085F7347E} - (no file)
    O18 - Filter: tœ†5?òwEÆR - {95C1E985-243A-475D-9FBB-7017B6FA9750} - (no file)
    O18 - Filter: tœ†5?ò°GÆR - {0A675271-B0F6-4445-8B82-D97A80DF70FC} - C:\WINNT\system32\qwsxp.dll
    O18 - Filter: tœ†5?ò´DÆR - {95CDA9A4-BD2F-461F-8AE0-99C23512A750} - C:\WINNT\system32\qwsxp.dll
    O18 - Filter: tœ†5?òêBÆR - {AB79ADD5-645A-4ED8-B358-4C8AFBC02F1A} - C:\WINNT\system32\qwsxp.dll
    O18 - Filter: tœ†5?òìFÆR - {A33C3D08-904B-4F5C-B5E6-8D3412CF924E} - C:\WINNT\system32\qwsxp.dll
    O18 - Filter: tœ†5?òðFÆR - {056D1B26-6C73-47BF-B141-FC1FBDC3488C} - C:\WINNT\system32\qwsxp.dll
    O18 - Filter: tœ†5?ò“FÆR - {84DED681-17EB-4ED1-A3F7-F841E4586C00} - (no file)
    O18 - Filter: tœ†5?ò‹FÆR - {D806DC21-1B53-499F-ACDC-634EDA2E2569} - C:\WINNT\system32\qwsxp.dll
    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINNT\system32\qwsxp.dll
    C:\WINNT\system32\msnwp.dll
    C:\WINNT\system32\l?ass.exe --> Not to be confused with lsass
    C:\WINNT\mhcdcb.exe
    C:\Documents and Settings\Chris Cole\Application Data\shca.exe
    C:\WINNT\webdir.dll

    NEXT:
    Please run About:Buster and HSRemove.

    NOW:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log. Hopefully we've made a dent in this!

    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
     
    Last edited by a moderator: Feb 3, 2005
  6. eloc

    eloc Private E-2

    Thanks very much for that last message... I'll give it all a go tomorrow when I have some time spare and send you the resulting log.

    eloc
     
  7. PhilliePhan

    PhilliePhan Guest

    AllRightyThen!

    Note that I added the bit about Clicking FIX in HJT - I forgot it, but probably obvious ;)

    PP :)
     
  8. eloc

    eloc Private E-2

    Hi PP,

    Sorry about the late reply... bigger weekend than I expected.

    I followed the steps outlined in your thread and have attached the subsequent log file, obtained once in Normal Mode again.

    See what you think.

    I have a little more information about what was found etc. in the scans if you're interested:

    HSRemove removed 8 items - did not name them though
    Spybot S&D removed 3 items -
    FindSpy.A 1 entry
    CoolWWWSearch.BootConf 2 entries
    DSO Exploit 1 entry

    You said to make sure System Restore was off. I have Windows 2000, so am I right in saying I don't have to worry about that step?

    The eSearch home page seems to have disappeared...

    Thanks again
    eloc
     

  9. eloc

    eloc Private E-2

    Oh, forgot to mention that I looked in Task Manager for the l?ass.exe running process but it wasn't there.

    There was the lsass.exe file and another one, luass.exe. Is that last one suspicious??

    Anyway, look forward to your reply.
    eloc
     
  10. PhilliePhan

    PhilliePhan Guest

    luass.exe looks suspicious to me as well.

    Let's try this:

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: Name - {23D79A52-66AA-43A6-861D-C32A4F465438} - C:\WINNT\system32\msnwp.dll (file missing)
    O2 - BHO: (no name) - {30D8382E-EB12-0FEA-D724-67557F83783A} - C:\WINNT\system32\ndhz.dll (file missing)
    O2 - BHO: Name - {46475AA8-56DA-452D-96C1-FA95215DF930} - C:\WINNT\system32\msnwp.dll (file missing)
    O2 - BHO: Name - {486E3EB9-EB2C-4986-BEBE-B707C984B56E} - C:\WINNT\system32\msnwp.dll (file missing)
    O2 - BHO: Name - {85315BA2-98CA-4AD9-86EC-D40B4DE021D7} - C:\WINNT\system32\msnwp.dll (file missing)
    O2 - BHO: Name - {8B45C342-D8DB-4602-9346-1AE504FE5AC4} - C:\WINNT\system32\msnwp.dll (file missing)
    O2 - BHO: Name - {974FBE0A-5716-4D66-AFCF-45EB8041698D} - C:\WINNT\system32\msnwp.dll (file missing)
    O2 - BHO: Name - {988E110E-113A-458D-BA37-605E1FB84BC5} - C:\WINNT\system32\msnwp.dll (file missing)
    O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINNT\webdir.dll (file missing)
    O2 - BHO: Name - {C1ACB8CF-653B-47A6-90F5-B59F6EACCB15} - C:\WINNT\system32\msnwp.dll (file missing)
    O2 - BHO: (no name) - {E96C6427-ECDD-42E2-95EA-616021A9FEF8} - C:\WINNT\system32\qwsxp.dll (file missing)

    O4 - HKLM\..\Run: [mhcdcb] C:\WINNT\mhcdcb.exe
    O4 - HKCU\..\Run: [Hars] C:\Documents and Settings\Chris Cole\Application Data\shca.exe
    O4 - HKCU\..\Run: [Rjj] C:\WINNT\system32\l?ass.exe

    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted IP range: 67.19.178.84
    O15 - Trusted IP range: 67.19.178.84 (HKLM)

    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-au/aup/games1.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{C968EB3B-AA22-4BC4-9949-5074D6D9C966}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31

    O18 - Filter: text/html - {A33C3D08-904B-4F5C-B5E6-8D3412CF924E} - C:\WINNT\system32\qwsxp.dll
    O18 - Filter: tœ†5?òEÆR - {D60C870B-1B49-4C8F-9ED7-FBE67358F30E} - C:\WINNT\system32\qwsxp.dll
    O18 - Filter: tœ†5?òMÆR - {7BCD681E-4923-4A3A-8C8E-C543606031E2} - (no file)
    O18 - Filter: tœ†5?òEÆR - {42EC2355-BD0C-4212-9B61-A2B085F7347E} - (no file)
    O18 - Filter: tœ†5?òwEÆR - {95C1E985-243A-475D-9FBB-7017B6FA9750} - (no file)
    O18 - Filter: tœ†5?ò°GÆR - {0A675271-B0F6-4445-8B82-D97A80DF70FC} - C:\WINNT\system32\qwsxp.dll
    O18 - Filter: tœ†5?ò´DÆR - {95CDA9A4-BD2F-461F-8AE0-99C23512A750} - C:\WINNT\system32\qwsxp.dll
    O18 - Filter: tœ†5?òêBÆR - {AB79ADD5-645A-4ED8-B358-4C8AFBC02F1A} - C:\WINNT\system32\qwsxp.dll
    O18 - Filter: tœ†5?òìFÆR - {A33C3D08-904B-4F5C-B5E6-8D3412CF924E} - C:\WINNT\system32\qwsxp.dll
    O18 - Filter: tœ†5?òðFÆR - {056D1B26-6C73-47BF-B141-FC1FBDC3488C} - C:\WINNT\system32\qwsxp.dll
    O18 - Filter: tœ†5?ò“FÆR - {84DED681-17EB-4ED1-A3F7-F841E4586C00} - (no file)
    O18 - Filter: tœ†5?ò‹FÆR - {D806DC21-1B53-499F-ACDC-634EDA2E2569} - C:\WINNT\system32\qwsxp.dll
    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINNT\mhcdcb.exe
    C:\Documents and Settings\Chris Cole\Application Data\shca.exe
    C:\WINNT\system32\l?ass.exe --> may be luass.exe??
    C:\WINNT\system32\qwsxp.dll

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log. Let me know of any problems you may have encountered with the above instructions and how your computer is running now.

    I am not going to be around too much this week, but will try to check on this thread as time permits.

    Best luck :)
    PP
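    The two fix lists above (post 5 and this one) are the same handful of HijackThis entry types: R0/R1 search and start pages pointed at a res:// resource inside a dropped DLL, O2 BHOs with placeholder names, O4 Run entries with a look-alike name (l?ass.exe / luass.exe next to the real lsass.exe), O15 Trusted Zone additions, O17 DNS servers nobody asked for, and O18 MIME filters hooked on text/html. The script below is an added example written for this page, not a MajorGeeks or HijackThis tool: it parses HJT-style log lines and flags those indicators, so the triage the helper did by eye can be repeated on the next log. Everything in it is an assumption: the sample log is constructed from the entries quoted in the thread plus one benign Windows 2000 Run entry (mobsync.exe) as a control, EXPECTED_NAMESERVERS is left empty so any O17 NameServer is flagged, and the "unusual location" rules are heuristics that mark entries for review rather than prove them malicious.

```python
"""Triage a HijackThis (v1.99-style) log for the hijack indicators pointed out
in this thread.  Added example for this page, not a MajorGeeks or HijackThis
tool.  Allow-lists and SAMPLE_LOG are constructed from the thread's entries."""
import re

BENIGN_IE_VALUES = {"about:blank", ""}      # stock values for the R0/R1 IE keys
EXPECTED_NAMESERVERS = set()                 # assumption: put the ISP's DNS servers here
WINDOWS_ROOTS = {"c:\\winnt", "c:\\windows"}
WINDOWS_DIRS = WINDOWS_ROOTS | {root + "\\system32" for root in WINDOWS_ROOTS}
SYSTEM_PROCESSES = ["lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
                    "services.exe", "explorer.exe"]

LINE_RE = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def looks_like_system_process(exe):
    """True when exe differs from a core Windows process name by exactly one
    character (luass.exe or l?ass.exe versus the genuine lsass.exe)."""
    exe = exe.lower()
    for real in SYSTEM_PROCESSES:
        if exe != real and len(exe) == len(real):
            if sum(a != b for a, b in zip(exe, real)) == 1:
                return True
    return False


def triage_entry(section, body):
    """Return a reason string when an entry matches a hijack indicator, else None."""
    if section in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        if key.endswith("HomeOldSP"):
            return "HomeOldSP is not a stock IE value; CoolWebSearch variants write it"
        if value.startswith("res://"):
            return "search/start page served from a resource inside a DLL: " + value
        if value.split(" ")[0] not in BENIGN_IE_VALUES:
            return "search/start page set to an unexpected URL: " + value
    elif section == "O2":
        parts = body.split(" - ")
        name, path = parts[0], parts[-1]
        if name in ("BHO: Name", "BHO: (no name)"):
            return "BHO registered with a placeholder name"
        if path.endswith("(file missing)"):
            return "BHO registered for a DLL that is gone (orphaned registry entry)"
        if path.rsplit("\\", 1)[0].lower() in WINDOWS_DIRS:
            return "BHO DLL dropped into the Windows directory; verify it by hand"
    elif section == "O4":
        m = RUN_RE.match(body)
        if m:
            command = re.split(r"\s+[/-]", m.group("cmd"))[0]   # drop switches / notes
            directory, _, exe = command.rpartition("\\")
            if "?" in exe:
                return "Run entry whose file name contains a non-printable character"
            if looks_like_system_process(exe):
                return "Run entry imitates a Windows system process: " + exe
            if directory.lower() in WINDOWS_ROOTS or "application data" in directory.lower():
                return "Run entry starts from an unusual location, review by hand: " + command
    elif section == "O15":
        return "site or IP range added to the IE Trusted Zone (empty on a stock install)"
    elif section == "O16":
        return "ActiveX control downloaded from " + body.split(" - ")[-1] + "; verify the source"
    elif section == "O17" and "NameServer = " in body:
        servers = set(body.partition("NameServer = ")[2].split(","))
        unexpected = servers - EXPECTED_NAMESERVERS
        if unexpected:
            return "DNS resolvers overridden: " + ", ".join(sorted(unexpected))
    elif section == "O18":
        name = body.split(" - ")[0]
        name = name[len("Filter: "):] if name.startswith("Filter: ") else name
        if name == "text/html":
            return "MIME filter hooked on text/html: every page IE renders passes through this DLL"
        if not all(32 <= ord(c) < 127 for c in name):
            return "MIME filter with a garbled/non-printable name"
    return None


def triage(log_text):
    """Return [(section, reason, entry)] for every suspicious entry in a log."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            reason = triage_entry(m.group("section"), m.group("body"))
            if reason:
                findings.append((m.group("section"), reason, raw.strip()))
    return findings


# Constructed sample: entries quoted in the thread plus a benign W2K control line.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Name - {23D79A52-66AA-43A6-861D-C32A4F465438} - C:\WINNT\system32\msnwp.dll
O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINNT\webdir.dll
O4 - HKLM\..\Run: [mhcdcb] C:\WINNT\mhcdcb.exe
O4 - HKCU\..\Run: [Rjj] C:\WINNT\system32\l?ass.exe
O4 - HKCU\..\Run: [Rjj] C:\WINNT\system32\luass.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O15 - Trusted Zone: *.slotchbar.com
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-au/aup/games1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C968EB3B-AA22-4BC4-9949-5074D6D9C966}: NameServer = 69.50.176.156,195.225.176.31
O18 - Filter: text/html - {A33C3D08-904B-4F5C-B5E6-8D3412CF924E} - C:\WINNT\system32\qwsxp.dll
O18 - Filter: tœ†5?ò EÆR - {D60C870B-1B49-4C8F-9ED7-FBE67358F30E} - C:\WINNT\system32\qwsxp.dll
"""

if __name__ == "__main__":
    for section, reason, entry in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {entry}")
```

    Run against the constructed sample it flags 13 of the 15 entries and leaves the about:blank default and the mobsync.exe control alone. The look-alike check is the part a human most easily misses: luass.exe is one character away from lsass.exe, and HijackThis renders an unprintable byte in the file name as "?", which is why the Run entry reads l?ass.exe while Task Manager showed luass.exe. The "(file missing)" rule covers what the second log in this thread shows: deleting the DLLs in Safe Mode without letting HijackThis fix the entries leaves orphaned BHO registrations behind, which is why the same CLSIDs came back with that suffix.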
     
  11. eloc

    eloc Private E-2

    OK...

    Stuffed up last time when using HJT. When it asked if I wanted to fix these problems and something about a backup, I said no, thinking it would just fix the checked files and not make a backup. This time, however, I clicked yes and it actually got rid of them. Der...

    This log looks a lot better.

    CWS was not found this time in the Spybot S&D scan, only the DSO Exploit, which it said it fixed.

    I quickly checked the log and couldn't find anything suspicious. See how you go.

    Thanks again for your help.
    eloc. :)
     

  12. PhilliePhan

    PhilliePhan Guest
